fix(native-integrations): delete integrations from details page

Merge pull request #3097 from Infisical/daniel/aws-arn-validate-fix
fix: improve arn validation regex
2025-07-29 22:37:44 +00:00 · 2025-02-11 05:18:14 +04:00 · 2025-02-10 18:55:13 +01:00 · 2025-02-10 21:47:07 +04:00 · 2025-02-08 02:02:12 +01:00 · 2025-02-07 16:58:11 -08:00
910 changed files with 34398 additions and 10825 deletions
--- a/.env.example
+++ b/.env.example
@@ -26,7 +26,8 @@ SITE_URL=http://localhost:8080
 # Mail/SMTP 
 SMTP_HOST=
 SMTP_PORT=
-SMTP_NAME=
+SMTP_FROM_ADDRESS=
 SMTP_FROM_NAME=
 SMTP_USERNAME=
 SMTP_PASSWORD=
@@ -91,17 +92,24 @@ ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT=true
 # App Connections
-# aws assume-role
+# aws assume-role connection
 INF_APP_CONNECTION_AWS_ACCESS_KEY_ID=
 INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY=
-# github oauth
+# github oauth connection
 INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID=
 INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET=
-#github app
+#github app connection
 INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID=
 INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET=
 INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY=
 INF_APP_CONNECTION_GITHUB_APP_SLUG=
-INF_APP_CONNECTION_GITHUB_APP_ID=
+INF_APP_CONNECTION_GITHUB_APP_ID=
 #gcp app connection
 INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL=
 # azure app connection
 INF_APP_CONNECTION_AZURE_CLIENT_ID=
 INF_APP_CONNECTION_AZURE_CLIENT_SECRET=
--- a/.github/workflows/deployment-pipeline.yml
+++ b/.github/workflows/deployment-pipeline.yml
@@ -5,6 +5,10 @@ permissions:
  id-token: write
  contents: read
 concurrency: 
  group: "infisical-core-deployment"
  cancel-in-progress: true  
 jobs:
  infisical-tests:
    name: Integration tests
@@ -113,10 +117,6 @@ jobs:
    steps:
      - uses: twingate/github-action@v1
        with:
        # The Twingate Service Key used to connect Twingate to the proper service
        # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
        #
        # Required
          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
      - name: Checkout code
        uses: actions/checkout@v2
@@ -159,6 +159,31 @@ jobs:
          service: infisical-core-platform
          cluster: infisical-core-platform
          wait-for-service-stability: true
      - name: Post slack message 
        uses: slackapi/slack-github-action@v2.0.0
        with:
          webhook: ${{ secrets.SLACK_DEPLOYMENT_WEBHOOK_URL }}
          webhook-type: incoming-webhook
          payload: |
            text: "*Deployment Status Update*: ${{ job.status }}"
            blocks:
              - type: "section"
                text:
                  type: "mrkdwn"
                  text: "*Deployment Status Update*: ${{ job.status }}"
              - type: "section"
                fields:
                  - type: "mrkdwn"
                    text: "*Application:*\nInfisical Core"
                  - type: "mrkdwn"
                    text: "*Instance Type:*\nShared Infisical Cloud"
              - type: "section"
                fields:
                  - type: "mrkdwn"
                    text: "*Region:*\nUS"
                  - type: "mrkdwn"
                    text: "*Git Tag:*\n<https://github.com/Infisical/infisical/commit/${{ steps.commit.outputs.short }}>"
  production-eu:
      name: EU production deploy
@@ -210,3 +235,28 @@ jobs:
            service: infisical-core-platform
            cluster: infisical-core-platform
            wait-for-service-stability: true
        - name: Post slack message 
          uses: slackapi/slack-github-action@v2.0.0
          with:
            webhook: ${{ secrets.SLACK_DEPLOYMENT_WEBHOOK_URL }}
            webhook-type: incoming-webhook
            payload: |
              text: "*Deployment Status Update*: ${{ job.status }}"
              blocks:
                - type: "section"
                  text:
                    type: "mrkdwn"
                    text: "*Deployment Status Update*: ${{ job.status }}"
                - type: "section"
                  fields:
                    - type: "mrkdwn"
                      text: "*Application:*\nInfisical Core"
                    - type: "mrkdwn"
                      text: "*Instance Type:*\nShared Infisical Cloud"
                - type: "section"
                  fields:
                    - type: "mrkdwn"
                      text: "*Region:*\nEU"
                    - type: "mrkdwn"
                      text: "*Git Tag:*\n<https://github.com/Infisical/infisical/commit/${{ steps.commit.outputs.short }}>"
--- a/.github/workflows/helm-release-infisical-core.yml
+++ b/.github/workflows/helm-release-infisical-core.yml
@@ -1,4 +1,4 @@
-name: Release Helm Charts
+name: Release Infisical Core Helm chart
 on: [workflow_dispatch]
@@ -17,6 +17,6 @@ jobs:
      - name: Install Cloudsmith CLI
        run: pip install --upgrade cloudsmith-cli
      - name: Build and push helm package to Cloudsmith
-        run: cd helm-charts && sh upload-to-cloudsmith.sh
+        run: cd helm-charts && sh upload-infisical-core-helm-cloudsmith.sh
        env:
          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
--- a/.github/workflows/release_docker_k8_operator.yaml
+++ b/.github/workflows/release_docker_k8_operator.yaml
@@ -1,4 +1,4 @@
-name: Release Docker image for K8 operator
+name: Release image + Helm chart K8s Operator
 on:
  push:
    tags:
@@ -35,3 +35,18 @@ jobs:
          tags: |
            infisical/kubernetes-operator:latest
            infisical/kubernetes-operator:${{ steps.extract_version.outputs.version }}
      - name: Checkout
        uses: actions/checkout@v2
      - name: Install Helm
        uses: azure/setup-helm@v3
        with:
          version: v3.10.0
      - name: Install python
        uses: actions/setup-python@v4
      - name: Install Cloudsmith CLI
        run: pip install --upgrade cloudsmith-cli
      - name: Build and push helm package to Cloudsmith
        run: cd helm-charts && sh upload-k8s-operator-cloudsmith.sh
        env:
          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
--- a/.infisicalignore
+++ b/.infisicalignore
@@ -7,3 +7,4 @@ docs/self-hosting/configuration/envars.mdx:generic-api-key:106
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
 docs/mint.json:generic-api-key:651
 backend/src/ee/services/hsm/hsm-service.ts:generic-api-key:134
 docs/documentation/platform/audit-log-streams/audit-log-streams.mdx:generic-api-key:104
--- a/3
+++ b/3
@@ -30,3 +30,6 @@ reviewable-api:
 	npm run type:check
 reviewable: reviewable-ui reviewable-api
 up-dev-sso:
 	docker compose -f docker-compose.dev.yml --profile sso up --build
--- a/README.md
+++ b/README.md
@@ -56,7 +56,7 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical Kubernetes Operator](https://infisical.com/docs/documentation/getting-started/kubernetes)**: Deliver secrets to your Kubernetes workloads and automatically reload deployments.
 - **[Infisical Agent](https://infisical.com/docs/infisical-agent/overview)**: Inject secrets into applications without modifying any code logic.
-### Internal PKI:
+### Infisical (Internal) PKI:
 - **[Private Certificate Authority](https://infisical.com/docs/documentation/platform/pki/private-ca)**: Create CA hierarchies, configure [certificate templates](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) for policy enforcement, and start issuing X.509 certificates.
 - **[Certificate Management](https://infisical.com/docs/documentation/platform/pki/certificates)**: Manage the certificate lifecycle from [issuance](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) to [revocation](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-revoking-certificates) with support for CRL.
@@ -64,12 +64,17 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical PKI Issuer for Kubernetes](https://infisical.com/docs/documentation/platform/pki/pki-issuer)**: Deliver TLS certificates to your Kubernetes workloads with automatic renewal.
 - **[Enrollment over Secure Transport](https://infisical.com/docs/documentation/platform/pki/est)**: Enroll and manage certificates via EST protocol.
-### Key Management (KMS):
+### Infisical Key Management System (KMS):
 - **[Cryptographic Keys](https://infisical.com/docs/documentation/platform/kms)**: Centrally manage keys across projects through a user-friendly interface or via the API.
 - **[Encrypt and Decrypt Data](https://infisical.com/docs/documentation/platform/kms#guide-to-encrypting-data)**: Use symmetric keys to encrypt and decrypt data.
 ### Infisical SSH
 - **[Signed SSH Certificates](https://infisical.com/docs/documentation/platform/ssh)**: Issue ephemeral SSH credentials for secure, short-lived, and centralized access to infrastructure.
 ### General Platform:
 - **Authentication Methods**: Authenticate machine identities with Infisical using a cloud-native or platform agnostic authentication method ([Kubernetes Auth](https://infisical.com/docs/documentation/platform/identities/kubernetes-auth), [GCP Auth](https://infisical.com/docs/documentation/platform/identities/gcp-auth), [Azure Auth](https://infisical.com/docs/documentation/platform/identities/azure-auth), [AWS Auth](https://infisical.com/docs/documentation/platform/identities/aws-auth), [OIDC Auth](https://infisical.com/docs/documentation/platform/identities/oidc-auth/general), [Universal Auth](https://infisical.com/docs/documentation/platform/identities/universal-auth)).
 - **[Access Controls](https://infisical.com/docs/documentation/platform/access-controls/overview)**: Define advanced authorization controls for users and machine identities with [RBAC](https://infisical.com/docs/documentation/platform/access-controls/role-based-access-controls), [additional privileges](https://infisical.com/docs/documentation/platform/access-controls/additional-privileges), [temporary access](https://infisical.com/docs/documentation/platform/access-controls/temporary-access), [access requests](https://infisical.com/docs/documentation/platform/access-controls/access-requests), [approval workflows](https://infisical.com/docs/documentation/platform/pr-workflows), and more.
 - **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)**: Track every action taken on the platform.
@@ -120,7 +125,7 @@ Install pre commit hook to scan each commit before you push to your repository
 infisical scan install --pre-commit-hook
 ```
-Lean about Infisical's code scanning feature [here](https://infisical.com/docs/cli/scanning-overview)
+Learn about Infisical's code scanning feature [here](https://infisical.com/docs/cli/scanning-overview)
 ## Open-source vs. paid
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@@ -80,6 +80,7 @@ import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-
 import { TSecretImportServiceFactory } from "@app/services/secret-import/secret-import-service";
 import { TSecretReplicationServiceFactory } from "@app/services/secret-replication/secret-replication-service";
 import { TSecretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
 import { TSecretSyncServiceFactory } from "@app/services/secret-sync/secret-sync-service";
 import { TSecretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { TServiceTokenServiceFactory } from "@app/services/service-token/service-token-service";
 import { TSlackServiceFactory } from "@app/services/slack/slack-service";
@@ -210,6 +211,7 @@ declare module "fastify" {
      projectTemplate: TProjectTemplateServiceFactory;
      totp: TTotpServiceFactory;
      appConnection: TAppConnectionServiceFactory;
      secretSync: TSecretSyncServiceFactory;
    };
    // this is exclusive use for middlewares in which we need to inject data
    // everywhere else access using service layer
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@@ -372,6 +372,7 @@ import {
  TExternalGroupOrgRoleMappingsInsert,
  TExternalGroupOrgRoleMappingsUpdate
 } from "@app/db/schemas/external-group-org-role-mappings";
 import { TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate } from "@app/db/schemas/secret-syncs";
 import {
  TSecretV2TagJunction,
  TSecretV2TagJunctionInsert,
@@ -900,5 +901,6 @@ declare module "knex/types/tables" {
      TAppConnectionsInsert,
      TAppConnectionsUpdate
    >;
    [TableName.SecretSync]: KnexOriginal.CompositeTableType<TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate>;
  }
 }
--- a/backend/src/db/migrations/20250115222458_groups-unique-name.ts
+++ b/backend/src/db/migrations/20250115222458_groups-unique-name.ts
@@ -0,0 +1,49 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  // find any duplicate group names within organizations
  const duplicates = await knex(TableName.Groups)
    .select("orgId", "name")
    .count("* as count")
    .groupBy("orgId", "name")
    .having(knex.raw("count(*) > 1"));
  // for each set of duplicates, update all but one with a numbered suffix
  for await (const duplicate of duplicates) {
    const groups = await knex(TableName.Groups)
      .select("id", "name")
      .where({
        orgId: duplicate.orgId,
        name: duplicate.name
      })
      .orderBy("createdAt", "asc"); // keep original name for oldest group
    // skip the first (oldest) group, rename others with numbered suffix
    for (let i = 1; i < groups.length; i += 1) {
      // eslint-disable-next-line no-await-in-loop
      await knex(TableName.Groups)
        .where("id", groups[i].id)
        .update({
          name: `${groups[i].name} (${i})`,
          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
          // @ts-ignore TS doesn't know about Knex's timestamp types
          updatedAt: new Date()
        });
    }
  }
  // add the unique constraint
  await knex.schema.alterTable(TableName.Groups, (t) => {
    t.unique(["orgId", "name"]);
  });
 }
 export async function down(knex: Knex): Promise<void> {
  // Remove the unique constraint
  await knex.schema.alterTable(TableName.Groups, (t) => {
    t.dropUnique(["orgId", "name"]);
  });
 }
--- a/backend/src/db/migrations/20250116092245_add-enforce-capitalization-project-flag.ts
+++ b/backend/src/db/migrations/20250116092245_add-enforce-capitalization-project-flag.ts
@@ -0,0 +1,33 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
  await knex.schema.alterTable(TableName.Project, (t) => {
    if (!hasEnforceCapitalizationCol) {
      t.boolean("enforceCapitalization").defaultTo(false).notNullable();
    }
    if (hasAutoCapitalizationCol) {
      t.boolean("autoCapitalization").defaultTo(false).alter();
    }
  });
 }
 export async function down(knex: Knex): Promise<void> {
  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
  await knex.schema.alterTable(TableName.Project, (t) => {
    if (hasEnforceCapitalizationCol) {
      t.dropColumn("enforceCapitalization");
    }
    if (hasAutoCapitalizationCol) {
      t.boolean("autoCapitalization").defaultTo(true).alter();
    }
  });
 }
--- a/backend/src/db/migrations/20250122055102_secret-sync.ts
+++ b/backend/src/db/migrations/20250122055102_secret-sync.ts
@@ -0,0 +1,50 @@
 import { Knex } from "knex";
 import { TableName } from "@app/db/schemas";
 import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasTable(TableName.SecretSync))) {
    await knex.schema.createTable(TableName.SecretSync, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.string("name", 32).notNullable();
      t.string("description");
      t.string("destination").notNullable();
      t.boolean("isAutoSyncEnabled").notNullable().defaultTo(true);
      t.integer("version").defaultTo(1).notNullable();
      t.jsonb("destinationConfig").notNullable();
      t.jsonb("syncOptions").notNullable();
      // we're including projectId in addition to folder ID because we allow folderId to be null (if the folder
      // is deleted), to preserve sync configuration
      t.string("projectId").notNullable();
      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
      t.uuid("folderId");
      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("SET NULL");
      t.uuid("connectionId").notNullable();
      t.foreign("connectionId").references("id").inTable(TableName.AppConnection);
      t.timestamps(true, true, true);
      // sync secrets to destination
      t.string("syncStatus");
      t.string("lastSyncJobId");
      t.string("lastSyncMessage");
      t.datetime("lastSyncedAt");
      // import secrets from destination
      t.string("importStatus");
      t.string("lastImportJobId");
      t.string("lastImportMessage");
      t.datetime("lastImportedAt");
      // remove secrets from destination
      t.string("removeStatus");
      t.string("lastRemoveJobId");
      t.string("lastRemoveMessage");
      t.datetime("lastRemovedAt");
    });
    await createOnUpdateTrigger(knex, TableName.SecretSync);
  }
 }
 export async function down(knex: Knex): Promise<void> {
  await knex.schema.dropTableIfExists(TableName.SecretSync);
  await dropOnUpdateTrigger(knex, TableName.SecretSync);
 }
--- a/backend/src/db/migrations/20250129214629_oidc-configs-manage-group-memberships-col.ts
+++ b/backend/src/db/migrations/20250129214629_oidc-configs-manage-group-memberships-col.ts
@@ -0,0 +1,23 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  const hasManageGroupMembershipsCol = await knex.schema.hasColumn(TableName.OidcConfig, "manageGroupMemberships");
  await knex.schema.alterTable(TableName.OidcConfig, (tb) => {
    if (!hasManageGroupMembershipsCol) {
      tb.boolean("manageGroupMemberships").notNullable().defaultTo(false);
    }
  });
 }
 export async function down(knex: Knex): Promise<void> {
  const hasManageGroupMembershipsCol = await knex.schema.hasColumn(TableName.OidcConfig, "manageGroupMemberships");
  await knex.schema.alterTable(TableName.OidcConfig, (t) => {
    if (hasManageGroupMembershipsCol) {
      t.dropColumn("manageGroupMemberships");
    }
  });
 }
--- a/backend/src/db/migrations/20250204025010_app-connections-and-secret-syncs-unique-constraint.ts
+++ b/backend/src/db/migrations/20250204025010_app-connections-and-secret-syncs-unique-constraint.ts
@@ -0,0 +1,23 @@
 import { Knex } from "knex";
 import { TableName } from "@app/db/schemas";
 export async function up(knex: Knex): Promise<void> {
  await knex.schema.alterTable(TableName.AppConnection, (t) => {
    t.unique(["orgId", "name"]);
  });
  await knex.schema.alterTable(TableName.SecretSync, (t) => {
    t.unique(["projectId", "name"]);
  });
 }
 export async function down(knex: Knex): Promise<void> {
  await knex.schema.alterTable(TableName.AppConnection, (t) => {
    t.dropUnique(["orgId", "name"]);
  });
  await knex.schema.alterTable(TableName.SecretSync, (t) => {
    t.dropUnique(["projectId", "name"]);
  });
 }
--- a/backend/src/db/migrations/20250205045509_increase-gcp-auth-limit.ts
+++ b/backend/src/db/migrations/20250205045509_increase-gcp-auth-limit.ts
@@ -0,0 +1,37 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  const hasTable = await knex.schema.hasTable(TableName.IdentityGcpAuth);
  const hasAllowedProjectsColumn = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedProjects");
  const hasAllowedServiceAccountsColumn = await knex.schema.hasColumn(
    TableName.IdentityGcpAuth,
    "allowedServiceAccounts"
  );
  const hasAllowedZones = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedZones");
  if (hasTable) {
    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
      if (hasAllowedProjectsColumn) t.string("allowedProjects", 2500).alter();
      if (hasAllowedServiceAccountsColumn) t.string("allowedServiceAccounts", 5000).alter();
      if (hasAllowedZones) t.string("allowedZones", 2500).alter();
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  const hasTable = await knex.schema.hasTable(TableName.IdentityGcpAuth);
  const hasAllowedProjectsColumn = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedProjects");
  const hasAllowedServiceAccountsColumn = await knex.schema.hasColumn(
    TableName.IdentityGcpAuth,
    "allowedServiceAccounts"
  );
  const hasAllowedZones = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedZones");
  if (hasTable) {
    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
      if (hasAllowedProjectsColumn) t.string("allowedProjects").alter();
      if (hasAllowedServiceAccountsColumn) t.string("allowedServiceAccounts").alter();
      if (hasAllowedZones) t.string("allowedZones").alter();
    });
  }
 }
--- a/backend/src/db/migrations/20250205220952_kms-keys-drop-slug-col.ts
+++ b/backend/src/db/migrations/20250205220952_kms-keys-drop-slug-col.ts
@@ -0,0 +1,27 @@
 import { Knex } from "knex";
 import { TableName } from "@app/db/schemas";
 export async function up(knex: Knex): Promise<void> {
  if (await knex.schema.hasTable(TableName.KmsKey)) {
    const hasSlugCol = await knex.schema.hasColumn(TableName.KmsKey, "slug");
    if (hasSlugCol) {
      await knex.schema.alterTable(TableName.KmsKey, (t) => {
        t.dropColumn("slug");
      });
    }
  }
 }
 export async function down(knex: Knex): Promise<void> {
  if (await knex.schema.hasTable(TableName.KmsKey)) {
    const hasSlugCol = await knex.schema.hasColumn(TableName.KmsKey, "slug");
    if (!hasSlugCol) {
      await knex.schema.alterTable(TableName.KmsKey, (t) => {
        t.string("slug", 32);
      });
    }
  }
 }
--- a/backend/src/db/migrations/20250207002643_secret-syncs-increase-message-length.ts
+++ b/backend/src/db/migrations/20250207002643_secret-syncs-increase-message-length.ts
@@ -0,0 +1,31 @@
 import { Knex } from "knex";
 import { TableName } from "@app/db/schemas";
 export async function up(knex: Knex): Promise<void> {
  if (await knex.schema.hasTable(TableName.SecretSync)) {
    const hasLastSyncMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastSyncMessage");
    const hasLastImportMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastImportMessage");
    const hasLastRemoveMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastRemoveMessage");
    await knex.schema.alterTable(TableName.SecretSync, (t) => {
      if (hasLastSyncMessage) t.string("lastSyncMessage", 1024).alter();
      if (hasLastImportMessage) t.string("lastImportMessage", 1024).alter();
      if (hasLastRemoveMessage) t.string("lastRemoveMessage", 1024).alter();
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  if (await knex.schema.hasTable(TableName.SecretSync)) {
    const hasLastSyncMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastSyncMessage");
    const hasLastImportMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastImportMessage");
    const hasLastRemoveMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastRemoveMessage");
    await knex.schema.alterTable(TableName.SecretSync, (t) => {
      if (hasLastSyncMessage) t.string("lastSyncMessage").alter();
      if (hasLastImportMessage) t.string("lastImportMessage").alter();
      if (hasLastRemoveMessage) t.string("lastRemoveMessage").alter();
    });
  }
 }
--- a/backend/src/db/schemas/identity-gcp-auths.ts
+++ b/backend/src/db/schemas/identity-gcp-auths.ts
@@ -17,9 +17,9 @@ export const IdentityGcpAuthsSchema = z.object({
  updatedAt: z.date(),
  identityId: z.string().uuid(),
  type: z.string(),
-  allowedServiceAccounts: z.string(),
+  allowedServiceAccounts: z.string().nullable().optional(),
-  allowedProjects: z.string(),
+  allowedProjects: z.string().nullable().optional(),
-  allowedZones: z.string()
+  allowedZones: z.string().nullable().optional()
 });
 export type TIdentityGcpAuths = z.infer<typeof IdentityGcpAuthsSchema>;
--- a/backend/src/db/schemas/kms-keys.ts
+++ b/backend/src/db/schemas/kms-keys.ts
@@ -16,8 +16,7 @@ export const KmsKeysSchema = z.object({
  name: z.string(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  projectId: z.string().nullable().optional(),
+  projectId: z.string().nullable().optional()
  slug: z.string().nullable().optional()
 });
 export type TKmsKeys = z.infer<typeof KmsKeysSchema>;
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@@ -131,7 +131,8 @@ export enum TableName {
  WorkflowIntegrations = "workflow_integrations",
  SlackIntegrations = "slack_integrations",
  ProjectSlackConfigs = "project_slack_configs",
-  AppConnection = "app_connections"
+  AppConnection = "app_connections",
  SecretSync = "secret_syncs"
 }
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";
@@ -215,3 +216,12 @@ export enum ProjectType {
  KMS = "kms",
  SSH = "ssh"
 }
 export enum ActionProjectType {
  SecretManager = ProjectType.SecretManager,
  CertificateManager = ProjectType.CertificateManager,
  KMS = ProjectType.KMS,
  SSH = ProjectType.SSH,
  // project operations that happen on all types
  Any = "any"
 }
--- a/backend/src/db/schemas/oidc-configs.ts
+++ b/backend/src/db/schemas/oidc-configs.ts
@@ -27,7 +27,8 @@ export const OidcConfigsSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  orgId: z.string().uuid(),
-  lastUsed: z.date().nullable().optional()
+  lastUsed: z.date().nullable().optional(),
  manageGroupMemberships: z.boolean().default(false)
 });
 export type TOidcConfigs = z.infer<typeof OidcConfigsSchema>;
--- a/backend/src/db/schemas/projects.ts
+++ b/backend/src/db/schemas/projects.ts
@@ -13,7 +13,7 @@ export const ProjectsSchema = z.object({
  id: z.string(),
  name: z.string(),
  slug: z.string(),
-  autoCapitalization: z.boolean().default(true).nullable().optional(),
+  autoCapitalization: z.boolean().default(false).nullable().optional(),
  orgId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
@@ -25,7 +25,8 @@ export const ProjectsSchema = z.object({
  kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
  kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
  description: z.string().nullable().optional(),
-  type: z.string()
+  type: z.string(),
  enforceCapitalization: z.boolean().default(false)
 });
 export type TProjects = z.infer<typeof ProjectsSchema>;
--- a/backend/src/db/schemas/secret-syncs.ts
+++ b/backend/src/db/schemas/secret-syncs.ts
@@ -0,0 +1,40 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { TImmutableDBKeys } from "./models";
 export const SecretSyncsSchema = z.object({
  id: z.string().uuid(),
  name: z.string(),
  description: z.string().nullable().optional(),
  destination: z.string(),
  isAutoSyncEnabled: z.boolean().default(true),
  version: z.number().default(1),
  destinationConfig: z.unknown(),
  syncOptions: z.unknown(),
  projectId: z.string(),
  folderId: z.string().uuid().nullable().optional(),
  connectionId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
  syncStatus: z.string().nullable().optional(),
  lastSyncJobId: z.string().nullable().optional(),
  lastSyncMessage: z.string().nullable().optional(),
  lastSyncedAt: z.date().nullable().optional(),
  importStatus: z.string().nullable().optional(),
  lastImportJobId: z.string().nullable().optional(),
  lastImportMessage: z.string().nullable().optional(),
  lastImportedAt: z.date().nullable().optional(),
  removeStatus: z.string().nullable().optional(),
  lastRemoveJobId: z.string().nullable().optional(),
  lastRemoveMessage: z.string().nullable().optional(),
  lastRemovedAt: z.date().nullable().optional()
 });
 export type TSecretSyncs = z.infer<typeof SecretSyncsSchema>;
 export type TSecretSyncsInsert = Omit<z.input<typeof SecretSyncsSchema>, TImmutableDBKeys>;
 export type TSecretSyncsUpdate = Partial<Omit<z.input<typeof SecretSyncsSchema>, TImmutableDBKeys>>;
--- a/backend/src/ee/routes/v1/oidc-router.ts
+++ b/backend/src/ee/routes/v1/oidc-router.ts
@@ -153,7 +153,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
          discoveryURL: true,
          isActive: true,
          orgId: true,
-          allowedEmailDomains: true
+          allowedEmailDomains: true,
          manageGroupMemberships: true
        }).extend({
          clientId: z.string(),
          clientSecret: z.string()
@@ -207,7 +208,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
          userinfoEndpoint: z.string().trim(),
          clientId: z.string().trim(),
          clientSecret: z.string().trim(),
-          isActive: z.boolean()
+          isActive: z.boolean(),
          manageGroupMemberships: z.boolean().optional()
        })
        .partial()
        .merge(z.object({ orgSlug: z.string() })),
@@ -223,7 +225,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
          userinfoEndpoint: true,
          orgId: true,
          allowedEmailDomains: true,
-          isActive: true
+          isActive: true,
          manageGroupMemberships: true
        })
      }
    },
@@ -272,7 +275,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
          clientId: z.string().trim(),
          clientSecret: z.string().trim(),
          isActive: z.boolean(),
-          orgSlug: z.string().trim()
+          orgSlug: z.string().trim(),
          manageGroupMemberships: z.boolean().optional().default(false)
        })
        .superRefine((data, ctx) => {
          if (data.configurationType === OIDCConfigurationType.CUSTOM) {
@@ -334,7 +338,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
          userinfoEndpoint: true,
          orgId: true,
          isActive: true,
-          allowedEmailDomains: true
+          allowedEmailDomains: true,
          manageGroupMemberships: true
        })
      }
    },
@@ -350,4 +355,25 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
      return oidc;
    }
  });
  server.route({
    method: "GET",
    url: "/manage-group-memberships",
    schema: {
      querystring: z.object({
        orgId: z.string().trim().min(1, "Org ID is required")
      }),
      response: {
        200: z.object({
          isEnabled: z.boolean()
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const isEnabled = await server.services.oidc.isOidcManageGroupMembershipsEnabled(req.query.orgId, req.permission);
      return { isEnabled };
    }
  });
 };
--- a/backend/src/ee/routes/v1/org-role-router.ts
+++ b/backend/src/ee/routes/v1/org-role-router.ts
@@ -24,6 +24,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        ),
        name: z.string().trim(),
        description: z.string().trim().nullish(),
        // TODO(scott): once UI refactored permissions: OrgPermissionSchema.array()
        permissions: z.any().array()
      }),
      response: {
@@ -96,6 +97,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
          .optional(),
        name: z.string().trim().optional(),
        description: z.string().trim().nullish(),
        // TODO(scott): once UI refactored permissions: OrgPermissionSchema.array().optional()
        permissions: z.any().array().optional()
      }),
      response: {
--- a/backend/src/ee/routes/v1/secret-scanning-router.ts
+++ b/backend/src/ee/routes/v1/secret-scanning-router.ts
@@ -1,9 +1,13 @@
 import { z } from "zod";
 import { GitAppOrgSchema, SecretScanningGitRisksSchema } from "@app/db/schemas";
-import { SecretScanningRiskStatus } from "@app/ee/services/secret-scanning/secret-scanning-types";
+import {
  SecretScanningResolvedStatus,
  SecretScanningRiskStatus
 } from "@app/ee/services/secret-scanning/secret-scanning-types";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { OrderByDirection } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -97,6 +101,45 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
    }
  });
  server.route({
    url: "/organization/:organizationId/risks/export",
    method: "GET",
    config: {
      rateLimit: readLimit
    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      querystring: z.object({
        repositoryNames: z
          .string()
          .optional()
          .nullable()
          .transform((val) => (val ? val.split(",") : undefined)),
        resolvedStatus: z.nativeEnum(SecretScanningResolvedStatus).optional()
      }),
      response: {
        200: z.object({
          risks: SecretScanningGitRisksSchema.array()
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const risks = await server.services.secretScanning.getAllRisksByOrg({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
        filter: {
          repositoryNames: req.query.repositoryNames,
          resolvedStatus: req.query.resolvedStatus
        }
      });
      return { risks };
    }
  });
  server.route({
    url: "/organization/:organizationId/risks",
    method: "GET",
@@ -105,20 +148,46 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      querystring: z.object({
        offset: z.coerce.number().min(0).default(0),
        limit: z.coerce.number().min(1).max(20000).default(100),
        orderBy: z.enum(["createdAt", "name"]).default("createdAt"),
        orderDirection: z.nativeEnum(OrderByDirection).default(OrderByDirection.DESC),
        repositoryNames: z
          .string()
          .optional()
          .nullable()
          .transform((val) => (val ? val.split(",") : undefined)),
        resolvedStatus: z.nativeEnum(SecretScanningResolvedStatus).optional()
      }),
      response: {
-        200: z.object({ risks: SecretScanningGitRisksSchema.array() })
+        200: z.object({
          risks: SecretScanningGitRisksSchema.array(),
          totalCount: z.number(),
          repos: z.array(z.string())
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
-      const { risks } = await server.services.secretScanning.getRisksByOrg({
+      const { risks, totalCount, repos } = await server.services.secretScanning.getRisksByOrg({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        orgId: req.params.organizationId
+        orgId: req.params.organizationId,
        filter: {
          limit: req.query.limit,
          offset: req.query.offset,
          orderBy: req.query.orderBy,
          orderDirection: req.query.orderDirection,
          repositoryNames: req.query.repositoryNames,
          resolvedStatus: req.query.resolvedStatus
        }
      });
-      return { risks };
+      return { risks, totalCount, repos };
    }
  });
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
@@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
-import { ProjectType } from "@app/db/schemas";
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -87,14 +87,14 @@ export const accessApprovalPolicyServiceFactory = ({
    if (!groupApprovers && approvals > userApprovers.length + userApproverNames.length)
      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
@@ -193,7 +193,14 @@ export const accessApprovalPolicyServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
    // Anyone in the project should be able to get the policies.
-    await permissionService.getProjectPermission(actor, actorId, project.id, actorAuthMethod, actorOrgId);
+    await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId: project.id,
      actorAuthMethod,
      actorOrgId,
      actionProjectType: ActionProjectType.SecretManager
    });
    const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
    return accessApprovalPolicies;
@@ -237,14 +244,14 @@ export const accessApprovalPolicyServiceFactory = ({
    if (!accessApprovalPolicy) {
      throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });
    }
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      accessApprovalPolicy.projectId,
+      projectId: accessApprovalPolicy.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
@@ -321,14 +328,14 @@ export const accessApprovalPolicyServiceFactory = ({
    const policy = await accessApprovalPolicyDAL.findById(policyId);
    if (!policy) throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      policy.projectId,
+      projectId: policy.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      ProjectPermissionSub.SecretApproval
@@ -372,13 +379,14 @@ export const accessApprovalPolicyServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
-    const { membership } = await permissionService.getProjectPermission(
+    const { membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
@@ -411,13 +419,14 @@ export const accessApprovalPolicyServiceFactory = ({
      });
    }
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      policy.projectId,
+      projectId: policy.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@@ -1,7 +1,7 @@
 import slugify from "@sindresorhus/slugify";
 import ms from "ms";
-import { ProjectMembershipRole } from "@app/db/schemas";
+import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -100,13 +100,14 @@ export const accessApprovalRequestServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
    // Anyone can create an access approval request.
-    const { membership } = await permissionService.getProjectPermission(
+    const { membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
@@ -273,13 +274,14 @@ export const accessApprovalRequestServiceFactory = ({
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
-    const { membership } = await permissionService.getProjectPermission(
+    const { membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
@@ -318,13 +320,14 @@ export const accessApprovalRequestServiceFactory = ({
      });
    }
-    const { membership, hasRole } = await permissionService.getProjectPermission(
+    const { membership, hasRole } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      accessApprovalRequest.projectId,
+      projectId: accessApprovalRequest.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -422,13 +425,14 @@ export const accessApprovalRequestServiceFactory = ({
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
-    const { membership } = await permissionService.getProjectPermission(
+    const { membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
--- a/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
+++ b/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
@@ -93,7 +93,7 @@ export const auditLogStreamServiceFactory = ({
        }
      )
      .catch((err) => {
-        throw new Error(`Failed to connect with the source ${(err as Error)?.message}`);
+        throw new BadRequestError({ message: `Failed to connect with upstream source: ${(err as Error)?.message}` });
      });
    const encryptedHeaders = headers ? infisicalSymmetricEncypt(JSON.stringify(headers)) : undefined;
    const logStream = await auditLogStreamDAL.create({
--- a/backend/src/ee/services/audit-log/audit-log-dal.ts
+++ b/backend/src/ee/services/audit-log/audit-log-dal.ts
@@ -39,11 +39,13 @@ export const auditLogDALFactory = (db: TDbClient) => {
      offset = 0,
      actorId,
      actorType,
      secretPath,
      eventType,
      eventMetadata
    }: Omit<TFindQuery, "actor" | "eventType"> & {
      actorId?: string;
      actorType?: ActorType;
      secretPath?: string;
      eventType?: EventType[];
      eventMetadata?: Record<string, string>;
    },
@@ -88,6 +90,10 @@ export const auditLogDALFactory = (db: TDbClient) => {
        });
      }
      if (projectId && secretPath) {
        void sqlQuery.whereRaw(`"eventMetadata" @> jsonb_build_object('secretPath', ?::text)`, [secretPath]);
      }
      // Filter by actor type
      if (actorType) {
        void sqlQuery.where("actor", actorType);
@@ -100,10 +106,10 @@ export const auditLogDALFactory = (db: TDbClient) => {
      // Filter by date range
      if (startDate) {
-        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, ">=", startDate);
+        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" >= ?::timestamptz`, [startDate]);
      }
      if (endDate) {
-        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, "<=", endDate);
+        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" <= ?::timestamptz`, [endDate]);
      }
      // we timeout long running queries to prevent DB resource issues (2 minutes)
--- a/backend/src/ee/services/audit-log/audit-log-service.ts
+++ b/backend/src/ee/services/audit-log/audit-log-service.ts
@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
@@ -26,13 +27,14 @@ export const auditLogServiceFactory = ({
  const listAuditLogs = async ({ actorAuthMethod, actorId, actorOrgId, actor, filter }: TListProjectAuditLogDTO) => {
    // Filter logs for specific project
    if (filter.projectId) {
-      const { permission } = await permissionService.getProjectPermission(
+      const { permission } = await permissionService.getProjectPermission({
        actor,
        actorId,
-        filter.projectId,
+        projectId: filter.projectId,
        actorAuthMethod,
-        actorOrgId
+        actorOrgId,
-      );
+        actionProjectType: ActionProjectType.Any
      });
      ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
    } else {
      // Organization-wide logs
@@ -44,10 +46,6 @@ export const auditLogServiceFactory = ({
        actorOrgId
      );
      /**
       * NOTE (dangtony98): Update this to organization-level audit log permission check once audit logs are moved
       * to the organization level ✅
       */
      ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
    }
@@ -62,6 +60,7 @@ export const auditLogServiceFactory = ({
      actorId: filter.auditLogActorId,
      actorType: filter.actorType,
      eventMetadata: filter.eventMetadata,
      secretPath: filter.secretPath,
      ...(filter.projectId ? { projectId: filter.projectId } : { orgId: actorOrgId })
    });
@@ -79,7 +78,8 @@ export const auditLogServiceFactory = ({
    }
    // add all cases in which project id or org id cannot be added
    if (data.event.type !== EventType.LOGIN_IDENTITY_UNIVERSAL_AUTH) {
-      if (!data.projectId && !data.orgId) throw new BadRequestError({ message: "Must either project id or org id" });
+      if (!data.projectId && !data.orgId)
        throw new BadRequestError({ message: "Must specify either project id or org id" });
    }
    return auditLogQueue.pushToLog(data);
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@@ -13,6 +13,13 @@ import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { PkiItemType } from "@app/services/pki-collection/pki-collection-types";
 import { SecretSync, SecretSyncImportBehavior } from "@app/services/secret-sync/secret-sync-enums";
 import {
  TCreateSecretSyncDTO,
  TDeleteSecretSyncDTO,
  TSecretSyncRaw,
  TUpdateSecretSyncDTO
 } from "@app/services/secret-sync/secret-sync-types";
 export type TListProjectAuditLogDTO = {
  filter: {
@@ -25,13 +32,14 @@ export type TListProjectAuditLogDTO = {
    projectId?: string;
    auditLogActorId?: string;
    actorType?: ActorType;
    secretPath?: string;
    eventMetadata?: Record<string, string>;
  };
 } & Omit<TProjectPermission, "projectId">;
 export type TCreateAuditLogDTO = {
  event: Event;
-  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor;
+  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor | UnknownUserActor;
  orgId?: string;
  projectId?: string;
 } & BaseAuthData;
@@ -215,6 +223,7 @@ export enum EventType {
  UPDATE_CMEK = "update-cmek",
  DELETE_CMEK = "delete-cmek",
  GET_CMEKS = "get-cmeks",
  GET_CMEK = "get-cmek",
  CMEK_ENCRYPT = "cmek-encrypt",
  CMEK_DECRYPT = "cmek-decrypt",
  UPDATE_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "update-external-group-org-role-mapping",
@@ -226,10 +235,24 @@ export enum EventType {
  DELETE_PROJECT_TEMPLATE = "delete-project-template",
  APPLY_PROJECT_TEMPLATE = "apply-project-template",
  GET_APP_CONNECTIONS = "get-app-connections",
  GET_AVAILABLE_APP_CONNECTIONS_DETAILS = "get-available-app-connections-details",
  GET_APP_CONNECTION = "get-app-connection",
  CREATE_APP_CONNECTION = "create-app-connection",
  UPDATE_APP_CONNECTION = "update-app-connection",
-  DELETE_APP_CONNECTION = "delete-app-connection"
+  DELETE_APP_CONNECTION = "delete-app-connection",
  CREATE_SHARED_SECRET = "create-shared-secret",
  DELETE_SHARED_SECRET = "delete-shared-secret",
  READ_SHARED_SECRET = "read-shared-secret",
  GET_SECRET_SYNCS = "get-secret-syncs",
  GET_SECRET_SYNC = "get-secret-sync",
  CREATE_SECRET_SYNC = "create-secret-sync",
  UPDATE_SECRET_SYNC = "update-secret-sync",
  DELETE_SECRET_SYNC = "delete-secret-sync",
  SECRET_SYNC_SYNC_SECRETS = "secret-sync-sync-secrets",
  SECRET_SYNC_IMPORT_SECRETS = "secret-sync-import-secrets",
  SECRET_SYNC_REMOVE_SECRETS = "secret-sync-remove-secrets",
  OIDC_GROUP_MEMBERSHIP_MAPPING_ASSIGN_USER = "oidc-group-membership-mapping-assign-user",
  OIDC_GROUP_MEMBERSHIP_MAPPING_REMOVE_USER = "oidc-group-membership-mapping-remove-user"
 }
 interface UserActorMetadata {
@@ -252,6 +275,8 @@ interface ScimClientActorMetadata {}
 interface PlatformActorMetadata {}
 interface UnknownUserActorMetadata {}
 export interface UserActor {
  type: ActorType.USER;
  metadata: UserActorMetadata;
@@ -267,6 +292,11 @@ export interface PlatformActor {
  metadata: PlatformActorMetadata;
 }
 export interface UnknownUserActor {
  type: ActorType.UNKNOWN_USER;
  metadata: UnknownUserActorMetadata;
 }
 export interface IdentityActor {
  type: ActorType.IDENTITY;
  metadata: IdentityActorMetadata;
@@ -288,6 +318,8 @@ interface GetSecretsEvent {
  };
 }
 type TSecretMetadata = { key: string; value: string }[];
 interface GetSecretEvent {
  type: EventType.GET_SECRET;
  metadata: {
@@ -296,6 +328,7 @@ interface GetSecretEvent {
    secretId: string;
    secretKey: string;
    secretVersion: number;
    secretMetadata?: TSecretMetadata;
  };
 }
@@ -307,6 +340,7 @@ interface CreateSecretEvent {
    secretId: string;
    secretKey: string;
    secretVersion: number;
    secretMetadata?: TSecretMetadata;
  };
 }
@@ -315,7 +349,12 @@ interface CreateSecretBatchEvent {
  metadata: {
    environment: string;
    secretPath: string;
-    secrets: Array<{ secretId: string; secretKey: string; secretVersion: number }>;
+    secrets: Array<{
      secretId: string;
      secretKey: string;
      secretVersion: number;
      secretMetadata?: TSecretMetadata;
    }>;
  };
 }
@@ -327,6 +366,7 @@ interface UpdateSecretEvent {
    secretId: string;
    secretKey: string;
    secretVersion: number;
    secretMetadata?: TSecretMetadata;
  };
 }
@@ -335,7 +375,7 @@ interface UpdateSecretBatchEvent {
  metadata: {
    environment: string;
    secretPath: string;
-    secrets: Array<{ secretId: string; secretKey: string; secretVersion: number }>;
+    secrets: Array<{ secretId: string; secretKey: string; secretVersion: number; secretMetadata?: TSecretMetadata }>;
  };
 }
@@ -733,9 +773,9 @@ interface AddIdentityGcpAuthEvent {
  metadata: {
    identityId: string;
    type: string;
-    allowedServiceAccounts: string;
+    allowedServiceAccounts?: string | null;
-    allowedProjects: string;
+    allowedProjects?: string | null;
-    allowedZones: string;
+    allowedZones?: string | null;
    accessTokenTTL: number;
    accessTokenMaxTTL: number;
    accessTokenNumUsesLimit: number;
@@ -755,9 +795,9 @@ interface UpdateIdentityGcpAuthEvent {
  metadata: {
    identityId: string;
    type?: string;
-    allowedServiceAccounts?: string;
+    allowedServiceAccounts?: string | null;
-    allowedProjects?: string;
+    allowedProjects?: string | null;
-    allowedZones?: string;
+    allowedZones?: string | null;
    accessTokenTTL?: number;
    accessTokenMaxTTL?: number;
    accessTokenNumUsesLimit?: number;
@@ -1808,6 +1848,13 @@ interface GetCmeksEvent {
  };
 }
 interface GetCmekEvent {
  type: EventType.GET_CMEK;
  metadata: {
    keyId: string;
  };
 }
 interface CmekEncryptEvent {
  type: EventType.CMEK_ENCRYPT;
  metadata: {
@@ -1883,6 +1930,15 @@ interface GetAppConnectionsEvent {
  };
 }
 interface GetAvailableAppConnectionsDetailsEvent {
  type: EventType.GET_AVAILABLE_APP_CONNECTIONS_DETAILS;
  metadata: {
    app?: AppConnection;
    count: number;
    connectionIds: string[];
  };
 }
 interface GetAppConnectionEvent {
  type: EventType.GET_APP_CONNECTION;
  metadata: {
@@ -1907,6 +1963,127 @@ interface DeleteAppConnectionEvent {
  };
 }
 interface CreateSharedSecretEvent {
  type: EventType.CREATE_SHARED_SECRET;
  metadata: {
    id: string;
    accessType: string;
    name?: string;
    expiresAfterViews?: number;
    usingPassword: boolean;
    expiresAt: string;
  };
 }
 interface DeleteSharedSecretEvent {
  type: EventType.DELETE_SHARED_SECRET;
  metadata: {
    id: string;
    name?: string;
  };
 }
 interface ReadSharedSecretEvent {
  type: EventType.READ_SHARED_SECRET;
  metadata: {
    id: string;
    name?: string;
    accessType: string;
  };
 }
 interface GetSecretSyncsEvent {
  type: EventType.GET_SECRET_SYNCS;
  metadata: {
    destination?: SecretSync;
    count: number;
    syncIds: string[];
  };
 }
 interface GetSecretSyncEvent {
  type: EventType.GET_SECRET_SYNC;
  metadata: {
    destination: SecretSync;
    syncId: string;
  };
 }
 interface CreateSecretSyncEvent {
  type: EventType.CREATE_SECRET_SYNC;
  metadata: Omit<TCreateSecretSyncDTO, "projectId"> & { syncId: string };
 }
 interface UpdateSecretSyncEvent {
  type: EventType.UPDATE_SECRET_SYNC;
  metadata: TUpdateSecretSyncDTO;
 }
 interface DeleteSecretSyncEvent {
  type: EventType.DELETE_SECRET_SYNC;
  metadata: TDeleteSecretSyncDTO;
 }
 interface SecretSyncSyncSecretsEvent {
  type: EventType.SECRET_SYNC_SYNC_SECRETS;
  metadata: Pick<
    TSecretSyncRaw,
    "syncOptions" | "destinationConfig" | "destination" | "syncStatus" | "connectionId" | "folderId"
  > & {
    syncId: string;
    syncMessage: string | null;
    jobId: string;
    jobRanAt: Date;
  };
 }
 interface SecretSyncImportSecretsEvent {
  type: EventType.SECRET_SYNC_IMPORT_SECRETS;
  metadata: Pick<
    TSecretSyncRaw,
    "syncOptions" | "destinationConfig" | "destination" | "importStatus" | "connectionId" | "folderId"
  > & {
    syncId: string;
    importMessage: string | null;
    jobId: string;
    jobRanAt: Date;
    importBehavior: SecretSyncImportBehavior;
  };
 }
 interface SecretSyncRemoveSecretsEvent {
  type: EventType.SECRET_SYNC_REMOVE_SECRETS;
  metadata: Pick<
    TSecretSyncRaw,
    "syncOptions" | "destinationConfig" | "destination" | "removeStatus" | "connectionId" | "folderId"
  > & {
    syncId: string;
    removeMessage: string | null;
    jobId: string;
    jobRanAt: Date;
  };
 }
 interface OidcGroupMembershipMappingAssignUserEvent {
  type: EventType.OIDC_GROUP_MEMBERSHIP_MAPPING_ASSIGN_USER;
  metadata: {
    assignedToGroups: { id: string; name: string }[];
    userId: string;
    userEmail: string;
    userGroupsClaim: string[];
  };
 }
 interface OidcGroupMembershipMappingRemoveUserEvent {
  type: EventType.OIDC_GROUP_MEMBERSHIP_MAPPING_REMOVE_USER;
  metadata: {
    removedFromGroups: { id: string; name: string }[];
    userId: string;
    userEmail: string;
    userGroupsClaim: string[];
  };
 }
 export type Event =
  | GetSecretsEvent
  | GetSecretEvent
@@ -2068,6 +2245,7 @@ export type Event =
  | CreateCmekEvent
  | UpdateCmekEvent
  | DeleteCmekEvent
  | GetCmekEvent
  | GetCmeksEvent
  | CmekEncryptEvent
  | CmekDecryptEvent
@@ -2080,7 +2258,21 @@ export type Event =
  | DeleteProjectTemplateEvent
  | ApplyProjectTemplateEvent
  | GetAppConnectionsEvent
  | GetAvailableAppConnectionsDetailsEvent
  | GetAppConnectionEvent
  | CreateAppConnectionEvent
  | UpdateAppConnectionEvent
-  | DeleteAppConnectionEvent;
+  | DeleteAppConnectionEvent
  | CreateSharedSecretEvent
  | DeleteSharedSecretEvent
  | ReadSharedSecretEvent
  | GetSecretSyncsEvent
  | GetSecretSyncEvent
  | CreateSecretSyncEvent
  | UpdateSecretSyncEvent
  | DeleteSecretSyncEvent
  | SecretSyncSyncSecretsEvent
  | SecretSyncImportSecretsEvent
  | SecretSyncRemoveSecretsEvent
  | OidcGroupMembershipMappingAssignUserEvent
  | OidcGroupMembershipMappingRemoveUserEvent;
--- a/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
+++ b/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -66,13 +67,14 @@ export const certificateAuthorityCrlServiceFactory = ({
    const ca = await certificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.CertificateManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import ms from "ms";
-import { ProjectType, SecretKeyEncoding } from "@app/db/schemas";
+import { ActionProjectType, SecretKeyEncoding } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import {
@@ -67,14 +67,14 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
    const projectId = project.id;
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -147,14 +147,14 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
    const projectId = project.id;
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -227,14 +227,14 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
    const projectId = project.id;
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -297,13 +297,14 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -339,13 +340,14 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
@@ -1,6 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
-import { ProjectType, SecretKeyEncoding } from "@app/db/schemas";
+import { ActionProjectType, SecretKeyEncoding } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import {
@@ -73,14 +73,14 @@ export const dynamicSecretServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
    const projectId = project.id;
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.CreateRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -145,14 +145,14 @@ export const dynamicSecretServiceFactory = ({
    const projectId = project.id;
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.EditRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -229,14 +229,14 @@ export const dynamicSecretServiceFactory = ({
    const projectId = project.id;
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -290,13 +290,14 @@ export const dynamicSecretServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -340,13 +341,14 @@ export const dynamicSecretServiceFactory = ({
    isInternal
  }: TListDynamicSecretsMultiEnvDTO) => {
    if (!isInternal) {
-      const { permission } = await permissionService.getProjectPermission(
+      const { permission } = await permissionService.getProjectPermission({
        actor,
        actorId,
        projectId,
        actorAuthMethod,
-        actorOrgId
+        actorOrgId,
-      );
+        actionProjectType: ActionProjectType.SecretManager
      });
      // verify user has access to each env in request
      environmentSlugs.forEach((environmentSlug) =>
@@ -383,13 +385,14 @@ export const dynamicSecretServiceFactory = ({
    search,
    projectId
  }: TGetDynamicSecretsCountDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -431,13 +434,14 @@ export const dynamicSecretServiceFactory = ({
      projectId = project.id;
    }
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -462,13 +466,14 @@ export const dynamicSecretServiceFactory = ({
    { folderMappings, filters, projectId }: TListDynamicSecretsByFolderMappingsDTO,
    actor: OrgServiceActor
  ) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
-      actor.type,
+      actor: actor.type,
-      actor.id,
+      actorId: actor.id,
      projectId,
-      actor.authMethod,
+      actorAuthMethod: actor.authMethod,
-      actor.orgId
+      actorOrgId: actor.orgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
      permission.can(
@@ -507,13 +512,14 @@ export const dynamicSecretServiceFactory = ({
    ...params
  }: TListDynamicSecretsMultiEnvDTO) => {
    if (!isInternal) {
-      const { permission } = await permissionService.getProjectPermission(
+      const { permission } = await permissionService.getProjectPermission({
        actor,
        actorId,
        projectId,
        actorAuthMethod,
-        actorOrgId
+        actorOrgId,
-      );
+        actionProjectType: ActionProjectType.SecretManager
      });
      // verify user has access to each env in request
      environmentSlugs.forEach((environmentSlug) =>
--- a/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
@@ -34,6 +34,8 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
    const ssl = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
    const isMsSQLClient = providerInputs.client === SqlProviders.MsSQL;
    const db = knex({
      client: providerInputs.client,
      connection: {
@@ -43,7 +45,16 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
        user: providerInputs.username,
        password: providerInputs.password,
        ssl,
-        pool: { min: 0, max: 1 }
+        pool: { min: 0, max: 1 },
        // @ts-expect-error this is because of knexjs type signature issue. This is directly passed to driver
        // https://github.com/knex/knex/blob/b6507a7129d2b9fafebf5f831494431e64c6a8a0/lib/dialects/mssql/index.js#L66
        // https://github.com/tediousjs/tedious/blob/ebb023ed90969a7ec0e4b036533ad52739d921f7/test/config.ci.ts#L19
        options: isMsSQLClient
          ? {
              trustServerCertificate: !providerInputs.ca,
              cryptoCredentialsDetails: providerInputs.ca ? { ca: providerInputs.ca } : {}
            }
          : undefined
      },
      acquireConnectionTimeout: EXTERNAL_REQUEST_TIMEOUT
    });
--- a/backend/src/ee/services/external-kms/external-kms-service.ts
+++ b/backend/src/ee/services/external-kms/external-kms-service.ts
@@ -1,7 +1,9 @@
 import { KMSServiceException } from "@aws-sdk/client-kms";
 import { STSServiceException } from "@aws-sdk/client-sts";
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -71,7 +73,16 @@ export const externalKmsServiceFactory = ({
    switch (provider.type) {
      case KmsProviders.Aws:
        {
-          const externalKms = await AwsKmsProviderFactory({ inputs: provider.inputs });
+          const externalKms = await AwsKmsProviderFactory({ inputs: provider.inputs }).catch((error) => {
            if (error instanceof STSServiceException || error instanceof KMSServiceException) {
              throw new InternalServerError({
                message: error.message ? `AWS error: ${error.message}` : ""
              });
            }
            throw error;
          });
          // if missing kms key this generate a new kms key id and returns new provider input
          const newProviderInput = await externalKms.generateInputKmsKey();
          sanitizedProviderInput = JSON.stringify(newProviderInput);
--- a/backend/src/ee/services/group/group-service.ts
+++ b/backend/src/ee/services/group/group-service.ts
@@ -2,6 +2,7 @@ import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
 import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas";
 import { TOidcConfigDALFactory } from "@app/ee/services/oidc/oidc-config-dal";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -32,7 +33,7 @@ type TGroupServiceFactoryDep = {
  userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction" | "findOne">;
  groupDAL: Pick<
    TGroupDALFactory,
-    "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById"
+    "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById" | "transaction"
  >;
  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
  orgDAL: Pick<TOrgDALFactory, "findMembership" | "countAllOrgMembers">;
@@ -45,6 +46,7 @@ type TGroupServiceFactoryDep = {
  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "delete" | "findLatestProjectKey" | "insertMany">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission" | "getOrgPermissionByRole">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
  oidcConfigDAL: Pick<TOidcConfigDALFactory, "findOne">;
 };
 export type TGroupServiceFactory = ReturnType<typeof groupServiceFactory>;
@@ -59,7 +61,8 @@ export const groupServiceFactory = ({
  projectBotDAL,
  projectKeyDAL,
  permissionService,
-  licenseService
+  licenseService,
  oidcConfigDAL
 }: TGroupServiceFactoryDep) => {
  const createGroup = async ({ name, slug, role, actor, actorId, actorAuthMethod, actorOrgId }: TCreateGroupDTO) => {
    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
@@ -88,12 +91,26 @@ export const groupServiceFactory = ({
    if (!hasRequiredPriviledges)
      throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });
-    const group = await groupDAL.create({
+    const group = await groupDAL.transaction(async (tx) => {
-      name,
+      const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
-      slug: slug || slugify(`${name}-${alphaNumericNanoId(4)}`),
+      if (existingGroup) {
-      orgId: actorOrgId,
+        throw new BadRequestError({
-      role: isCustomRole ? OrgMembershipRole.Custom : role,
+          message: `Failed to create group with name '${name}'. Group with the same name already exists`
-      roleId: customRole?.id
+        });
      }
      const newGroup = await groupDAL.create(
        {
          name,
          slug: slug || slugify(`${name}-${alphaNumericNanoId(4)}`),
          orgId: actorOrgId,
          role: isCustomRole ? OrgMembershipRole.Custom : role,
          roleId: customRole?.id
        },
        tx
      );
      return newGroup;
    });
    return group;
@@ -145,21 +162,36 @@ export const groupServiceFactory = ({
      if (isCustomRole) customRole = customOrgRole;
    }
-    const [updatedGroup] = await groupDAL.update(
+    const updatedGroup = await groupDAL.transaction(async (tx) => {
-      {
+      if (name) {
-        id: group.id
+        const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
-      },
+
-      {
+        if (existingGroup && existingGroup.id !== id) {
-        name,
+          throw new BadRequestError({
-        slug: slug ? slugify(slug) : undefined,
+            message: `Failed to update group with name '${name}'. Group with the same name already exists`
-        ...(role
+          });
-          ? {
+        }
              role: customRole ? OrgMembershipRole.Custom : role,
              roleId: customRole?.id ?? null
            }
          : {})
      }
-    );
+
      const [updated] = await groupDAL.update(
        {
          id: group.id
        },
        {
          name,
          slug: slug ? slugify(slug) : undefined,
          ...(role
            ? {
                role: customRole ? OrgMembershipRole.Custom : role,
                roleId: customRole?.id ?? null
              }
            : {})
        },
        tx
      );
      return updated;
    });
    return updatedGroup;
  };
@@ -282,6 +314,18 @@ export const groupServiceFactory = ({
        message: `Failed to find group with ID ${id}`
      });
    const oidcConfig = await oidcConfigDAL.findOne({
      orgId: group.orgId,
      isActive: true
    });
    if (oidcConfig?.manageGroupMemberships) {
      throw new BadRequestError({
        message:
          "Cannot add user to group: OIDC group membership mapping is enabled - user must be assigned to this group in your OIDC provider."
      });
    }
    const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
    // check if user has broader or equal to privileges than group
@@ -337,6 +381,18 @@ export const groupServiceFactory = ({
        message: `Failed to find group with ID ${id}`
      });
    const oidcConfig = await oidcConfigDAL.findOne({
      orgId: group.orgId,
      isActive: true
    });
    if (oidcConfig?.manageGroupMemberships) {
      throw new BadRequestError({
        message:
          "Cannot remove user from group: OIDC group membership mapping is enabled - user must be removed from this group in your OIDC provider."
      });
    }
    const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
    // check if user has broader or equal to privileges than group
--- a/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts
@@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 import ms from "ms";
-import { TableName } from "@app/db/schemas";
+import { ActionProjectType, TableName } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { unpackPermissions } from "@app/server/routes/santizedSchemas/permission";
@@ -55,24 +55,26 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId })
    );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      ActorType.IDENTITY,
+      actor: ActorType.IDENTITY,
-      identityId,
+      actorId: identityId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -135,24 +137,26 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
        message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
      });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
    );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      ActorType.IDENTITY,
+      actor: ActorType.IDENTITY,
-      identityProjectMembership.identityId,
+      actorId: identityProjectMembership.identityId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -215,24 +219,26 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
        message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
      });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
    );
-    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission({
-      ActorType.IDENTITY,
+      actor: ActorType.IDENTITY,
-      identityProjectMembership.identityId,
+      actorId: identityProjectMembership.identityId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
    if (!hasRequiredPriviledges)
      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
@@ -260,13 +266,14 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
        message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
      });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
@@ -294,13 +301,14 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
@@ -329,13 +337,14 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
--- a/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
@@ -2,6 +2,7 @@ import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability"
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 import ms from "ms";
 import { ActionProjectType } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
@@ -62,25 +63,27 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId })
    );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      ActorType.IDENTITY,
+      actor: ActorType.IDENTITY,
-      identityId,
+      actorId: identityId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -143,26 +146,28 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId })
    );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      ActorType.IDENTITY,
+      actor: ActorType.IDENTITY,
-      identityProjectMembership.identityId,
+      actorId: identityProjectMembership.identityId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -242,25 +247,27 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId })
    );
-    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission({
-      ActorType.IDENTITY,
+      actor: ActorType.IDENTITY,
-      identityProjectMembership.identityId,
+      actorId: identityProjectMembership.identityId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
    if (!hasRequiredPriviledges)
      throw new ForbiddenRequestError({ message: "Failed to edit more privileged identity" });
@@ -299,13 +306,14 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Identity, { identityId })
@@ -341,13 +349,14 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@@ -476,14 +476,14 @@ export const ldapConfigServiceFactory = ({
      });
    } else {
      const plan = await licenseService.getPlan(orgId);
-      if (plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
+      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
        // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
        throw new BadRequestError({
          message: "Failed to create new member via LDAP due to member limit reached. Upgrade plan to add more members."
        });
      }
-      if (plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
+      if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
        // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
        throw new BadRequestError({
          message: "Failed to create new member via LDAP due to member limit reached. Upgrade plan to add more members."
--- a/backend/src/ee/services/license/license-fns.ts
+++ b/backend/src/ee/services/license/license-fns.ts
@@ -50,8 +50,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
  },
  pkiEst: false,
  enforceMfa: false,
-  projectTemplates: false,
+  projectTemplates: false
  appConnections: false
 });
 export const setupLicenseRequestWithStore = (baseURL: string, refreshUrl: string, licenseKey: string) => {
--- a/backend/src/ee/services/license/license-types.ts
+++ b/backend/src/ee/services/license/license-types.ts
@@ -68,7 +68,6 @@ export type TFeatureSet = {
  pkiEst: boolean;
  enforceMfa: boolean;
  projectTemplates: false;
  appConnections: false; // TODO: remove once live
 };
 export type TOrgPlansTableDTO = {
--- a/backend/src/ee/services/oidc/oidc-config-service.ts
+++ b/backend/src/ee/services/oidc/oidc-config-service.ts
@@ -5,6 +5,11 @@ import { Issuer, Issuer as OpenIdIssuer, Strategy as OpenIdStrategy, TokenSet }
 import { OrgMembershipStatus, SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
 import { TOidcConfigsUpdate } from "@app/db/schemas/oidc-configs";
 import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
@@ -18,13 +23,18 @@ import {
  infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, OidcAuthError } from "@app/lib/errors";
-import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
+import { OrgServiceActor } from "@app/lib/types";
 import { ActorType, AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TokenType } from "@app/services/auth-token/auth-token-types";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
 import { getDefaultOrgMembershipRole } from "@app/services/org/org-role-fns";
 import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
 import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
 import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { LoginMethod } from "@app/services/super-admin/super-admin-types";
@@ -45,7 +55,14 @@ import {
 type TOidcConfigServiceFactoryDep = {
  userDAL: Pick<
    TUserDALFactory,
-    "create" | "findOne" | "transaction" | "updateById" | "findById" | "findUserEncKeyByUserId"
+    | "create"
    | "findOne"
    | "updateById"
    | "findById"
    | "findUserEncKeyByUserId"
    | "findUserEncKeyByUserIdsBatch"
    | "find"
    | "transaction"
  >;
  userAliasDAL: Pick<TUserAliasDALFactory, "create" | "findOne">;
  orgDAL: Pick<
@@ -57,8 +74,23 @@ type TOidcConfigServiceFactoryDep = {
  licenseService: Pick<TLicenseServiceFactory, "getPlan" | "updateSubscriptionOrgMemberCount">;
  tokenService: Pick<TAuthTokenServiceFactory, "createTokenForUser">;
  smtpService: Pick<TSmtpService, "sendMail" | "verify">;
-  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission" | "getUserOrgPermission">;
  oidcConfigDAL: Pick<TOidcConfigDALFactory, "findOne" | "update" | "create">;
  groupDAL: Pick<TGroupDALFactory, "findByOrgId">;
  userGroupMembershipDAL: Pick<
    TUserGroupMembershipDALFactory,
    | "find"
    | "transaction"
    | "insertMany"
    | "findGroupMembershipsByUserIdInOrg"
    | "delete"
    | "filterProjectsByUserMembership"
  >;
  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany" | "delete">;
  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser">;
  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
  auditLogService: Pick<TAuditLogServiceFactory, "createAuditLog">;
 };
 export type TOidcConfigServiceFactory = ReturnType<typeof oidcConfigServiceFactory>;
@@ -73,7 +105,14 @@ export const oidcConfigServiceFactory = ({
  tokenService,
  orgBotDAL,
  smtpService,
-  oidcConfigDAL
+  oidcConfigDAL,
  userGroupMembershipDAL,
  groupDAL,
  groupProjectDAL,
  projectKeyDAL,
  projectDAL,
  projectBotDAL,
  auditLogService
 }: TOidcConfigServiceFactoryDep) => {
  const getOidc = async (dto: TGetOidcCfgDTO) => {
    const org = await orgDAL.findOne({ slug: dto.orgSlug });
@@ -156,11 +195,21 @@ export const oidcConfigServiceFactory = ({
      isActive: oidcCfg.isActive,
      allowedEmailDomains: oidcCfg.allowedEmailDomains,
      clientId,
-      clientSecret
+      clientSecret,
      manageGroupMemberships: oidcCfg.manageGroupMemberships
    };
  };
-  const oidcLogin = async ({ externalId, email, firstName, lastName, orgId, callbackPort }: TOidcLoginDTO) => {
+  const oidcLogin = async ({
    externalId,
    email,
    firstName,
    lastName,
    orgId,
    callbackPort,
    groups = [],
    manageGroupMemberships
  }: TOidcLoginDTO) => {
    const serverCfg = await getServerCfg();
    if (serverCfg.enabledLoginMethods && !serverCfg.enabledLoginMethods.includes(LoginMethod.OIDC)) {
@@ -315,6 +364,83 @@ export const oidcConfigServiceFactory = ({
      });
    }
    if (manageGroupMemberships) {
      const userGroups = await userGroupMembershipDAL.findGroupMembershipsByUserIdInOrg(user.id, orgId);
      const orgGroups = await groupDAL.findByOrgId(orgId);
      const userGroupsNames = userGroups.map((membership) => membership.groupName);
      const missingGroupsMemberships = groups.filter((groupName) => !userGroupsNames.includes(groupName));
      const groupsToAddUserTo = orgGroups.filter((group) => missingGroupsMemberships.includes(group.name));
      for await (const group of groupsToAddUserTo) {
        await addUsersToGroupByUserIds({
          userIds: [user.id],
          group,
          userDAL,
          userGroupMembershipDAL,
          orgDAL,
          groupProjectDAL,
          projectKeyDAL,
          projectDAL,
          projectBotDAL
        });
      }
      if (groupsToAddUserTo.length) {
        await auditLogService.createAuditLog({
          actor: {
            type: ActorType.PLATFORM,
            metadata: {}
          },
          orgId,
          event: {
            type: EventType.OIDC_GROUP_MEMBERSHIP_MAPPING_ASSIGN_USER,
            metadata: {
              userId: user.id,
              userEmail: user.email ?? user.username,
              assignedToGroups: groupsToAddUserTo.map(({ id, name }) => ({ id, name })),
              userGroupsClaim: groups
            }
          }
        });
      }
      const membershipsToRemove = userGroups
        .filter((membership) => !groups.includes(membership.groupName))
        .map((membership) => membership.groupId);
      const groupsToRemoveUserFrom = orgGroups.filter((group) => membershipsToRemove.includes(group.id));
      for await (const group of groupsToRemoveUserFrom) {
        await removeUsersFromGroupByUserIds({
          userIds: [user.id],
          group,
          userDAL,
          userGroupMembershipDAL,
          groupProjectDAL,
          projectKeyDAL
        });
      }
      if (groupsToRemoveUserFrom.length) {
        await auditLogService.createAuditLog({
          actor: {
            type: ActorType.PLATFORM,
            metadata: {}
          },
          orgId,
          event: {
            type: EventType.OIDC_GROUP_MEMBERSHIP_MAPPING_REMOVE_USER,
            metadata: {
              userId: user.id,
              userEmail: user.email ?? user.username,
              removedFromGroups: groupsToRemoveUserFrom.map(({ id, name }) => ({ id, name })),
              userGroupsClaim: groups
            }
          }
        });
      }
    }
    await licenseService.updateSubscriptionOrgMemberCount(organization.id);
    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
@@ -385,7 +511,8 @@ export const oidcConfigServiceFactory = ({
    tokenEndpoint,
    userinfoEndpoint,
    clientId,
-    clientSecret
+    clientSecret,
    manageGroupMemberships
  }: TUpdateOidcCfgDTO) => {
    const org = await orgDAL.findOne({
      slug: orgSlug
@@ -448,7 +575,8 @@ export const oidcConfigServiceFactory = ({
      userinfoEndpoint,
      jwksUri,
      isActive,
-      lastUsed: null
+      lastUsed: null,
      manageGroupMemberships
    };
    if (clientId !== undefined) {
@@ -491,7 +619,8 @@ export const oidcConfigServiceFactory = ({
    tokenEndpoint,
    userinfoEndpoint,
    clientId,
-    clientSecret
+    clientSecret,
    manageGroupMemberships
  }: TCreateOidcCfgDTO) => {
    const org = await orgDAL.findOne({
      slug: orgSlug
@@ -589,7 +718,8 @@ export const oidcConfigServiceFactory = ({
      clientIdTag,
      encryptedClientSecret,
      clientSecretIV,
-      clientSecretTag
+      clientSecretTag,
      manageGroupMemberships
    });
    return oidcCfg;
@@ -683,7 +813,9 @@ export const oidcConfigServiceFactory = ({
          firstName: claims.given_name ?? "",
          lastName: claims.family_name ?? "",
          orgId: org.id,
-          callbackPort
+          groups: claims.groups as string[] | undefined,
          callbackPort,
          manageGroupMemberships: oidcCfg.manageGroupMemberships
        })
          .then(({ isUserCompleted, providerAuthToken }) => {
            cb(null, { isUserCompleted, providerAuthToken });
@@ -697,5 +829,16 @@ export const oidcConfigServiceFactory = ({
    return strategy;
  };
-  return { oidcLogin, getOrgAuthStrategy, getOidc, updateOidcCfg, createOidcCfg };
+  const isOidcManageGroupMembershipsEnabled = async (orgId: string, actor: OrgServiceActor) => {
    await permissionService.getUserOrgPermission(actor.id, orgId, actor.authMethod, actor.orgId);
    const oidcConfig = await oidcConfigDAL.findOne({
      orgId,
      isActive: true
    });
    return Boolean(oidcConfig?.manageGroupMemberships);
  };
  return { oidcLogin, getOrgAuthStrategy, getOidc, updateOidcCfg, createOidcCfg, isOidcManageGroupMembershipsEnabled };
 };
--- a/backend/src/ee/services/oidc/oidc-config-types.ts
+++ b/backend/src/ee/services/oidc/oidc-config-types.ts
@@ -12,6 +12,8 @@ export type TOidcLoginDTO = {
  lastName?: string;
  orgId: string;
  callbackPort?: string;
  groups?: string[];
  manageGroupMemberships?: boolean | null;
 };
 export type TGetOidcCfgDTO =
@@ -37,6 +39,7 @@ export type TCreateOidcCfgDTO = {
  clientSecret: string;
  isActive: boolean;
  orgSlug: string;
  manageGroupMemberships: boolean;
 } & TGenericPermission;
 export type TUpdateOidcCfgDTO = Partial<{
@@ -52,5 +55,6 @@ export type TUpdateOidcCfgDTO = Partial<{
  clientSecret: string;
  isActive: boolean;
  orgSlug: string;
  manageGroupMemberships: boolean;
 }> &
  TGenericPermission;
--- a/backend/src/ee/services/permission/org-permission.ts
+++ b/backend/src/ee/services/permission/org-permission.ts
@@ -1,4 +1,12 @@
-import { AbilityBuilder, createMongoAbility, MongoAbility } from "@casl/ability";
+import { AbilityBuilder, createMongoAbility, ForcedSubject, MongoAbility } from "@casl/ability";
 import { z } from "zod";
 import {
  CASL_ACTION_SCHEMA_ENUM,
  CASL_ACTION_SCHEMA_NATIVE_ENUM
 } from "@app/ee/services/permission/permission-schemas";
 import { PermissionConditionSchema } from "@app/ee/services/permission/permission-types";
 import { PermissionConditionOperators } from "@app/lib/casl";
 export enum OrgPermissionActions {
  Read = "read",
@@ -7,6 +15,14 @@ export enum OrgPermissionActions {
  Delete = "delete"
 }
 export enum OrgPermissionAppConnectionActions {
  Read = "read",
  Create = "create",
  Edit = "edit",
  Delete = "delete",
  Connect = "connect"
 }
 export enum OrgPermissionAdminConsoleAction {
  AccessAllProjects = "access-all-projects"
 }
@@ -31,6 +47,10 @@ export enum OrgPermissionSubjects {
  AppConnections = "app-connections"
 }
 export type AppConnectionSubjectFields = {
  connectionId: string;
 };
 export type OrgPermissionSet =
  | [OrgPermissionActions.Create, OrgPermissionSubjects.Workspace]
  | [OrgPermissionActions, OrgPermissionSubjects.Role]
@@ -47,9 +67,109 @@ export type OrgPermissionSet =
  | [OrgPermissionActions, OrgPermissionSubjects.Kms]
  | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
  | [OrgPermissionActions, OrgPermissionSubjects.ProjectTemplates]
-  | [OrgPermissionActions, OrgPermissionSubjects.AppConnections]
+  | [
      OrgPermissionAppConnectionActions,
      (
        | OrgPermissionSubjects.AppConnections
        | (ForcedSubject<OrgPermissionSubjects.AppConnections> & AppConnectionSubjectFields)
      )
    ]
  | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole];
 const AppConnectionConditionSchema = z
  .object({
    connectionId: z.union([
      z.string(),
      z
        .object({
          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
        })
        .partial()
    ])
  })
  .partial();
 export const OrgPermissionSchema = z.discriminatedUnion("subject", [
  z.object({
    subject: z.literal(OrgPermissionSubjects.Workspace).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_ENUM([OrgPermissionActions.Create]).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Role).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Member).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Settings).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.IncidentAccount).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Sso).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Scim).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Ldap).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Groups).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.SecretScanning).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Billing).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Identity).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Kms).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.AuditLogs).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.ProjectTemplates).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.AppConnections).describe("The entity this permission pertains to."),
    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionAppConnectionActions).describe(
      "Describe what action an entity can take."
    ),
    conditions: AppConnectionConditionSchema.describe(
      "When specified, only matching conditions will be allowed to access given resource."
    ).optional()
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.AdminConsole).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionAdminConsoleAction).describe(
      "Describe what action an entity can take."
    )
  })
 ]);
 const buildAdminPermission = () => {
  const { can, rules } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
  // ws permissions
@@ -125,10 +245,11 @@ const buildAdminPermission = () => {
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
  can(OrgPermissionActions.Delete, OrgPermissionSubjects.ProjectTemplates);
-  can(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionAppConnectionActions.Read, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionActions.Create, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionAppConnectionActions.Create, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionActions.Edit, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionAppConnectionActions.Edit, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionActions.Delete, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionAppConnectionActions.Delete, OrgPermissionSubjects.AppConnections);
  can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);
  can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);
@@ -160,7 +281,7 @@ const buildMemberPermission = () => {
  can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
-  can(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);
  return rules;
 };
--- a/backend/src/ee/services/permission/permission-schemas.ts
+++ b/backend/src/ee/services/permission/permission-schemas.ts
@@ -0,0 +1,9 @@
 import { z } from "zod";
 export const CASL_ACTION_SCHEMA_NATIVE_ENUM = <ACTION extends z.EnumLike>(actions: ACTION) =>
  z
    .union([z.nativeEnum(actions), z.nativeEnum(actions).array().min(1)])
    .transform((el) => (typeof el === "string" ? [el] : el));
 export const CASL_ACTION_SCHEMA_ENUM = <ACTION extends z.EnumValues>(actions: ACTION) =>
  z.union([z.enum(actions), z.enum(actions).array().min(1)]).transform((el) => (typeof el === "string" ? [el] : el));
--- a/backend/src/ee/services/permission/permission-service-types.ts
+++ b/backend/src/ee/services/permission/permission-service-types.ts
@@ -1,3 +1,6 @@
 import { ActionProjectType } from "@app/db/schemas";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 export type TBuildProjectPermissionDTO = {
  permissions?: unknown;
  role: string;
@@ -7,3 +10,34 @@ export type TBuildOrgPermissionDTO = {
  permissions?: unknown;
  role: string;
 }[];
 export type TGetUserProjectPermissionArg = {
  userId: string;
  projectId: string;
  authMethod: ActorAuthMethod;
  actionProjectType: ActionProjectType;
  userOrgId?: string;
 };
 export type TGetIdentityProjectPermissionArg = {
  identityId: string;
  projectId: string;
  identityOrgId?: string;
  actionProjectType: ActionProjectType;
 };
 export type TGetServiceTokenProjectPermissionArg = {
  serviceTokenId: string;
  projectId: string;
  actorOrgId?: string;
  actionProjectType: ActionProjectType;
 };
 export type TGetProjectPermissionArg = {
  actor: ActorType;
  actorId: string;
  projectId: string;
  actorAuthMethod: ActorAuthMethod;
  actorOrgId?: string;
  actionProjectType: ActionProjectType;
 };
--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@@ -4,9 +4,9 @@ import { MongoQuery } from "@ucast/mongo2js";
 import handlebars from "handlebars";
 import {
  ActionProjectType,
  OrgMembershipRole,
  ProjectMembershipRole,
  ProjectType,
  ServiceTokenScopes,
  TIdentityProjectMemberships,
  TProjectMemberships
@@ -23,7 +23,14 @@ import { TServiceTokenDALFactory } from "@app/services/service-token/service-tok
 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
 import { escapeHandlebarsMissingMetadata, validateOrgSSO } from "./permission-fns";
-import { TBuildOrgPermissionDTO, TBuildProjectPermissionDTO } from "./permission-service-types";
+import {
  TBuildOrgPermissionDTO,
  TBuildProjectPermissionDTO,
  TGetIdentityProjectPermissionArg,
  TGetProjectPermissionArg,
  TGetServiceTokenProjectPermissionArg,
  TGetUserProjectPermissionArg
 } from "./permission-service-types";
 import {
  buildServiceTokenProjectPermission,
  projectAdminPermissions,
@@ -193,12 +200,13 @@ export const permissionServiceFactory = ({
  };
  // user permission for a project in an organization
-  const getUserProjectPermission = async (
+  const getUserProjectPermission = async ({
-    userId: string,
+    userId,
-    projectId: string,
+    projectId,
-    authMethod: ActorAuthMethod,
+    authMethod,
-    userOrgId?: string
+    userOrgId,
-  ): Promise<TProjectPermissionRT<ActorType.USER>> => {
+    actionProjectType
  }: TGetUserProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.USER>> => {
    const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
    if (!userProjectPermission) throw new ForbiddenRequestError({ name: "User not a part of the specified project" });
@@ -219,6 +227,12 @@ export const permissionServiceFactory = ({
    validateOrgSSO(authMethod, userProjectPermission.orgAuthEnforced);
    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== userProjectPermission.projectType) {
      throw new BadRequestError({
        message: `The project is of type ${userProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
      });
    }
    // join two permissions and pass to build the final permission set
    const rolePermissions = userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
    const additionalPrivileges =
@@ -256,13 +270,6 @@ export const permissionServiceFactory = ({
    return {
      permission,
      membership: userProjectPermission,
      ForbidOnInvalidProjectType: (productType: ProjectType) => {
        if (productType !== userProjectPermission.projectType) {
          throw new BadRequestError({
            message: `The project is of type ${userProjectPermission.projectType}. Operations of type ${productType} are not allowed.`
          });
        }
      },
      hasRole: (role: string) =>
        userProjectPermission.roles.findIndex(
          ({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug
@@ -270,11 +277,12 @@ export const permissionServiceFactory = ({
    };
  };
-  const getIdentityProjectPermission = async (
+  const getIdentityProjectPermission = async ({
-    identityId: string,
+    identityId,
-    projectId: string,
+    projectId,
-    identityOrgId: string | undefined
+    identityOrgId,
-  ): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
+    actionProjectType
  }: TGetIdentityProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
    const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
    if (!identityProjectPermission)
      throw new ForbiddenRequestError({
@@ -293,6 +301,12 @@ export const permissionServiceFactory = ({
      throw new ForbiddenRequestError({ name: "Identity is not a member of the specified organization" });
    }
    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== identityProjectPermission.projectType) {
      throw new BadRequestError({
        message: `The project is of type ${identityProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
      });
    }
    const rolePermissions =
      identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
    const additionalPrivileges =
@@ -331,13 +345,6 @@ export const permissionServiceFactory = ({
    return {
      permission,
      membership: identityProjectPermission,
      ForbidOnInvalidProjectType: (productType: ProjectType) => {
        if (productType !== identityProjectPermission.projectType) {
          throw new BadRequestError({
            message: `The project is of type ${identityProjectPermission.projectType}. Operations of type ${productType} are not allowed.`
          });
        }
      },
      hasRole: (role: string) =>
        identityProjectPermission.roles.findIndex(
          ({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug
@@ -345,11 +352,12 @@ export const permissionServiceFactory = ({
    };
  };
-  const getServiceTokenProjectPermission = async (
+  const getServiceTokenProjectPermission = async ({
-    serviceTokenId: string,
+    serviceTokenId,
-    projectId: string,
+    projectId,
-    actorOrgId: string | undefined
+    actorOrgId,
-  ) => {
+    actionProjectType
  }: TGetServiceTokenProjectPermissionArg) => {
    const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
    if (!serviceToken) throw new NotFoundError({ message: `Service token with ID '${serviceTokenId}' not found` });
@@ -373,17 +381,16 @@ export const permissionServiceFactory = ({
      });
    }
    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== serviceTokenProject.type) {
      throw new BadRequestError({
        message: `The project is of type ${serviceTokenProject.type}. Operations of type ${actionProjectType} are not allowed.`
      });
    }
    const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
    return {
      permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
-      membership: undefined,
+      membership: undefined
      ForbidOnInvalidProjectType: (productType: ProjectType) => {
        if (productType !== serviceTokenProject.type) {
          throw new BadRequestError({
            message: `The project is of type ${serviceTokenProject.type}. Operations of type ${productType} are not allowed.`
          });
        }
      }
    };
  };
@@ -392,7 +399,6 @@ export const permissionServiceFactory = ({
        permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
        membership: undefined;
        hasRole: (arg: string) => boolean;
        ForbidOnInvalidProjectType: (type: ProjectType) => void;
      } // service token doesn't have both membership and roles
    : {
        permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
@@ -402,7 +408,6 @@ export const permissionServiceFactory = ({
          roles: Array<{ role: string }>;
        };
        hasRole: (role: string) => boolean;
        ForbidOnInvalidProjectType: (type: ProjectType) => void;
      };
  const getProjectPermissions = async (projectId: string) => {
@@ -522,20 +527,37 @@ export const permissionServiceFactory = ({
    };
  };
-  const getProjectPermission = async <T extends ActorType>(
+  const getProjectPermission = async <T extends ActorType>({
-    type: T,
+    actor,
-    id: string,
+    actorId,
-    projectId: string,
+    projectId,
-    actorAuthMethod: ActorAuthMethod,
+    actorAuthMethod,
-    actorOrgId: string | undefined
+    actorOrgId,
-  ): Promise<TProjectPermissionRT<T>> => {
+    actionProjectType
-    switch (type) {
+  }: TGetProjectPermissionArg): Promise<TProjectPermissionRT<T>> => {
    switch (actor) {
      case ActorType.USER:
-        return getUserProjectPermission(id, projectId, actorAuthMethod, actorOrgId) as Promise<TProjectPermissionRT<T>>;
+        return getUserProjectPermission({
          userId: actorId,
          projectId,
          authMethod: actorAuthMethod,
          userOrgId: actorOrgId,
          actionProjectType
        }) as Promise<TProjectPermissionRT<T>>;
      case ActorType.SERVICE:
-        return getServiceTokenProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
+        return getServiceTokenProjectPermission({
          serviceTokenId: actorId,
          projectId,
          actorOrgId,
          actionProjectType
        }) as Promise<TProjectPermissionRT<T>>;
      case ActorType.IDENTITY:
-        return getIdentityProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
+        return getIdentityProjectPermission({
          identityId: actorId,
          projectId,
          identityOrgId: actorOrgId,
          actionProjectType
        }) as Promise<TProjectPermissionRT<T>>;
      default:
        throw new BadRequestError({
          message: "Invalid actor provided",
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@@ -1,6 +1,10 @@
 import { AbilityBuilder, createMongoAbility, ForcedSubject, MongoAbility } from "@casl/ability";
 import { z } from "zod";
 import {
  CASL_ACTION_SCHEMA_ENUM,
  CASL_ACTION_SCHEMA_NATIVE_ENUM
 } from "@app/ee/services/permission/permission-schemas";
 import { conditionsMatcher, PermissionConditionOperators } from "@app/lib/casl";
 import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
@@ -30,6 +34,16 @@ export enum ProjectPermissionDynamicSecretActions {
  Lease = "lease"
 }
 export enum ProjectPermissionSecretSyncActions {
  Read = "read",
  Create = "create",
  Edit = "edit",
  Delete = "delete",
  SyncSecrets = "sync-secrets",
  ImportSecrets = "import-secrets",
  RemoveSecrets = "remove-secrets"
 }
 export enum ProjectPermissionSub {
  Role = "role",
  Member = "member",
@@ -60,7 +74,8 @@ export enum ProjectPermissionSub {
  PkiAlerts = "pki-alerts",
  PkiCollections = "pki-collections",
  Kms = "kms",
-  Cmek = "cmek"
+  Cmek = "cmek",
  SecretSyncs = "secret-syncs"
 }
 export type SecretSubjectFields = {
@@ -140,6 +155,7 @@ export type ProjectPermissionSet =
  | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateTemplates]
  | [ProjectPermissionActions, ProjectPermissionSub.PkiAlerts]
  | [ProjectPermissionActions, ProjectPermissionSub.PkiCollections]
  | [ProjectPermissionSecretSyncActions, ProjectPermissionSub.SecretSyncs]
  | [ProjectPermissionCmekActions, ProjectPermissionSub.Cmek]
  | [ProjectPermissionActions.Delete, ProjectPermissionSub.Project]
  | [ProjectPermissionActions.Edit, ProjectPermissionSub.Project]
@@ -147,14 +163,27 @@ export type ProjectPermissionSet =
  | [ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback]
  | [ProjectPermissionActions.Edit, ProjectPermissionSub.Kms];
-const CASL_ACTION_SCHEMA_NATIVE_ENUM = <ACTION extends z.EnumLike>(actions: ACTION) =>
+const SECRET_PATH_MISSING_SLASH_ERR_MSG = "Invalid Secret Path; it must start with a '/'";
 const SECRET_PATH_PERMISSION_OPERATOR_SCHEMA = z.union([
  z.string().refine((val) => val.startsWith("/"), SECRET_PATH_MISSING_SLASH_ERR_MSG),
  z
-    .union([z.nativeEnum(actions), z.nativeEnum(actions).array().min(1)])
+    .object({
-    .transform((el) => (typeof el === "string" ? [el] : el));
+      [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ].refine(
-
+        (val) => val.startsWith("/"),
-const CASL_ACTION_SCHEMA_ENUM = <ACTION extends z.EnumValues>(actions: ACTION) =>
+        SECRET_PATH_MISSING_SLASH_ERR_MSG
-  z.union([z.enum(actions), z.enum(actions).array().min(1)]).transform((el) => (typeof el === "string" ? [el] : el));
+      ),
-
+      [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ].refine(
        (val) => val.startsWith("/"),
        SECRET_PATH_MISSING_SLASH_ERR_MSG
      ),
      [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN].refine(
        (val) => val.every((el) => el.startsWith("/")),
        SECRET_PATH_MISSING_SLASH_ERR_MSG
      ),
      [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB]
    })
    .partial()
 ]);
 // akhilmhdh: don't modify this for v2
 // if you want to update create a new schema
 const SecretConditionV1Schema = z
@@ -169,17 +198,7 @@ const SecretConditionV1Schema = z
        })
        .partial()
    ]),
-    secretPath: z.union([
+    secretPath: SECRET_PATH_PERMISSION_OPERATOR_SCHEMA
      z.string(),
      z
        .object({
          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN],
          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB]
        })
        .partial()
    ])
  })
  .partial();
@@ -196,17 +215,7 @@ const SecretConditionV2Schema = z
        })
        .partial()
    ]),
-    secretPath: z.union([
+    secretPath: SECRET_PATH_PERMISSION_OPERATOR_SCHEMA,
      z.string(),
      z
        .object({
          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN],
          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB]
        })
        .partial()
    ]),
    secretName: z.union([
      z.string(),
      z
@@ -392,10 +401,15 @@ const GeneralPermissionSchema = [
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.Cmek).describe("The entity this permission pertains to."),
    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionCmekActions).describe(
      "Describe what action an entity can take."
    )
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.SecretSyncs).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionSecretSyncActions).describe(
      "Describe what action an entity can take."
    )
  })
 ];
@@ -549,6 +563,18 @@ const buildAdminPermissionRules = () => {
    ],
    ProjectPermissionSub.Cmek
  );
  can(
    [
      ProjectPermissionSecretSyncActions.Create,
      ProjectPermissionSecretSyncActions.Edit,
      ProjectPermissionSecretSyncActions.Delete,
      ProjectPermissionSecretSyncActions.Read,
      ProjectPermissionSecretSyncActions.SyncSecrets,
      ProjectPermissionSecretSyncActions.ImportSecrets,
      ProjectPermissionSecretSyncActions.RemoveSecrets
    ],
    ProjectPermissionSub.SecretSyncs
  );
  return rules;
 };
@@ -713,6 +739,19 @@ const buildMemberPermissionRules = () => {
    ProjectPermissionSub.Cmek
  );
  can(
    [
      ProjectPermissionSecretSyncActions.Create,
      ProjectPermissionSecretSyncActions.Edit,
      ProjectPermissionSecretSyncActions.Delete,
      ProjectPermissionSecretSyncActions.Read,
      ProjectPermissionSecretSyncActions.SyncSecrets,
      ProjectPermissionSecretSyncActions.ImportSecrets,
      ProjectPermissionSecretSyncActions.RemoveSecrets
    ],
    ProjectPermissionSub.SecretSyncs
  );
  return rules;
 };
@@ -746,6 +785,7 @@ const buildViewerPermissionRules = () => {
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateAuthorities);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateTemplates);
  can(ProjectPermissionSecretSyncActions.Read, ProjectPermissionSub.SecretSyncs);
  return rules;
 };
--- a/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
+++ b/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
@@ -2,7 +2,7 @@ import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 import ms from "ms";
-import { TableName } from "@app/db/schemas";
+import { ActionProjectType, TableName } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
@@ -55,21 +55,23 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    if (!projectMembership)
      throw new NotFoundError({ message: `Project membership with ID ${projectMembershipId} found` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      projectMembership.projectId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
-    const { permission: targetUserPermission } = await permissionService.getProjectPermission(
+    const { permission: targetUserPermission } = await permissionService.getProjectPermission({
-      ActorType.USER,
+      actor: ActorType.USER,
-      projectMembership.userId,
+      actorId: projectMembership.userId,
-      projectMembership.projectId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -140,21 +142,23 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
        message: `Project membership for user with ID '${userPrivilege.userId}' not found in project with ID '${userPrivilege.projectId}'`
      });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      projectMembership.projectId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
-    const { permission: targetUserPermission } = await permissionService.getProjectPermission(
+    const { permission: targetUserPermission } = await permissionService.getProjectPermission({
-      ActorType.USER,
+      actor: ActorType.USER,
-      projectMembership.userId,
+      actorId: projectMembership.userId,
-      projectMembership.projectId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -224,13 +228,14 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
        message: `Project membership for user with ID '${userPrivilege.userId}' not found in project with ID '${userPrivilege.projectId}'`
      });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      projectMembership.projectId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
    const deletedPrivilege = await projectUserAdditionalPrivilegeDAL.deleteById(userPrivilege.id);
@@ -260,13 +265,14 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
        message: `Project membership for user with ID '${userPrivilege.userId}' not found in project with ID '${userPrivilege.projectId}'`
      });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      projectMembership.projectId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
    return {
@@ -286,13 +292,14 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    if (!projectMembership)
      throw new NotFoundError({ message: `Project membership with ID ${projectMembershipId} not found` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      projectMembership.projectId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
    const userPrivileges = await projectUserAdditionalPrivilegeDAL.find(
--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@@ -421,14 +421,14 @@ export const samlConfigServiceFactory = ({
      });
    } else {
      const plan = await licenseService.getPlan(orgId);
-      if (plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
+      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
        // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
        throw new BadRequestError({
          message: "Failed to create new member via SAML due to member limit reached. Upgrade plan to add more members."
        });
      }
-      if (plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
+      if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
        // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
        throw new BadRequestError({
          message: "Failed to create new member via SAML due to member limit reached. Upgrade plan to add more members."
--- a/backend/src/ee/services/scim/scim-service.ts
+++ b/backend/src/ee/services/scim/scim-service.ts
@@ -531,7 +531,7 @@ export const scimServiceFactory = ({
          firstName: scimUser.name.givenName,
          email: scimUser.emails[0].value,
          lastName: scimUser.name.familyName,
-          isEmailVerified: hasEmailChanged ? trustScimEmails : true
+          isEmailVerified: hasEmailChanged ? trustScimEmails : undefined
        },
        tx
      );
@@ -790,6 +790,21 @@ export const scimServiceFactory = ({
      });
    const newGroup = await groupDAL.transaction(async (tx) => {
      const conflictingGroup = await groupDAL.findOne(
        {
          name: displayName,
          orgId
        },
        tx
      );
      if (conflictingGroup) {
        throw new ScimRequestError({
          detail: `Group with name '${displayName}' already exists in the organization`,
          status: 409
        });
      }
      const group = await groupDAL.create(
        {
          name: displayName,
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import picomatch from "picomatch";
-import { ProjectType } from "@app/db/schemas";
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -79,14 +79,14 @@ export const secretApprovalPolicyServiceFactory = ({
    if (!groupApprovers.length && approvals > approvers.length)
      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SecretApproval
@@ -193,14 +193,14 @@ export const secretApprovalPolicyServiceFactory = ({
      });
    }
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      secretApprovalPolicy.projectId,
+      projectId: secretApprovalPolicy.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
    const plan = await licenseService.getPlan(actorOrgId);
@@ -288,14 +288,14 @@ export const secretApprovalPolicyServiceFactory = ({
    if (!sapPolicy)
      throw new NotFoundError({ message: `Secret approval policy with ID '${secretPolicyId}' not found` });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      sapPolicy.projectId,
+      projectId: sapPolicy.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      ProjectPermissionSub.SecretApproval
@@ -328,13 +328,14 @@ export const secretApprovalPolicyServiceFactory = ({
    actorAuthMethod,
    projectId
  }: TListSapDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
    const sapPolicies = await secretApprovalPolicyDAL.find({ projectId, deletedAt: null });
@@ -372,7 +373,14 @@ export const secretApprovalPolicyServiceFactory = ({
    environment,
    secretPath
  }: TGetBoardSapDTO) => {
-    await permissionService.getProjectPermission(actor, actorId, projectId, actorAuthMethod, actorOrgId);
+    await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId,
      actionProjectType: ActionProjectType.SecretManager
    });
    return getSecretApprovalPolicy(projectId, environment, secretPath);
  };
@@ -392,13 +400,14 @@ export const secretApprovalPolicyServiceFactory = ({
      });
    }
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      sapPolicy.projectId,
+      projectId: sapPolicy.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@@ -1,8 +1,8 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import {
  ActionProjectType,
  ProjectMembershipRole,
  ProjectType,
  SecretEncryptionAlgo,
  SecretKeyEncoding,
  SecretType,
@@ -147,13 +147,14 @@ export const secretApprovalRequestServiceFactory = ({
  const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
-    await permissionService.getProjectPermission(
+    await permissionService.getProjectPermission({
-      actor as ActorType.USER,
+      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, actorId);
    return count;
@@ -173,7 +174,14 @@ export const secretApprovalRequestServiceFactory = ({
  }: TListApprovalsDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
-    await permissionService.getProjectPermission(actor, actorId, projectId, actorAuthMethod, actorOrgId);
+    await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId,
      actionProjectType: ActionProjectType.SecretManager
    });
    const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
    if (shouldUseSecretV2Bridge) {
@@ -216,13 +224,14 @@ export const secretApprovalRequestServiceFactory = ({
    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
    const { policy } = secretApprovalRequest;
-    const { hasRole } = await permissionService.getProjectPermission(
+    const { hasRole } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
      secretApprovalRequest.committerUserId !== actorId &&
@@ -336,13 +345,14 @@ export const secretApprovalRequestServiceFactory = ({
      });
    }
-    const { hasRole } = await permissionService.getProjectPermission(
+    const { hasRole } = await permissionService.getProjectPermission({
-      ActorType.USER,
+      actor: ActorType.USER,
      actorId,
-      secretApprovalRequest.projectId,
+      projectId: secretApprovalRequest.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
      secretApprovalRequest.committerUserId !== actorId &&
@@ -402,13 +412,14 @@ export const secretApprovalRequestServiceFactory = ({
      });
    }
-    const { hasRole } = await permissionService.getProjectPermission(
+    const { hasRole } = await permissionService.getProjectPermission({
-      ActorType.USER,
+      actor: ActorType.USER,
      actorId,
-      secretApprovalRequest.projectId,
+      projectId: secretApprovalRequest.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
      secretApprovalRequest.committerUserId !== actorId &&
@@ -458,13 +469,14 @@ export const secretApprovalRequestServiceFactory = ({
      });
    }
-    const { hasRole } = await permissionService.getProjectPermission(
+    const { hasRole } = await permissionService.getProjectPermission({
-      ActorType.USER,
+      actor: ActorType.USER,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
@@ -889,14 +901,14 @@ export const secretApprovalRequestServiceFactory = ({
  }: TGenerateSecretApprovalRequestDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
@@ -1170,14 +1182,14 @@ export const secretApprovalRequestServiceFactory = ({
    if (actor === ActorType.SERVICE || actor === ActorType.Machine)
      throw new BadRequestError({ message: "Cannot use service token or machine token over protected branches" });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
    if (!folder)
      throw new NotFoundError({
@@ -1255,9 +1267,10 @@ export const secretApprovalRequestServiceFactory = ({
            type: SecretType.Shared
          }))
        );
-        if (secrets.length)
+
        if (secrets.length !== secretsWithNewName.length)
          throw new NotFoundError({
-            message: `Secret does not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
+            message: `Secret does not exist: ${secrets.map((el) => el.key).join(",")}`
          });
      }
--- a/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
@@ -180,6 +180,8 @@ export const secretRotationQueueFactory = ({
          provider.template.client === TDbProviderClients.MsSqlServer
            ? ({
                encrypt: appCfg.ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT,
                // when ca is provided use that
                trustServerCertificate: !ca,
                cryptoCredentialsDetails: ca ? { ca } : {}
              } as Record<string, unknown>)
            : undefined;
--- a/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import Ajv from "ajv";
-import { ProjectType, ProjectVersion, TableName } from "@app/db/schemas";
+import { ActionProjectType, ProjectVersion, TableName } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
@@ -53,14 +53,14 @@ export const secretRotationServiceFactory = ({
    actorAuthMethod,
    projectId
  }: TProjectPermission) => {
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
    return {
@@ -82,14 +82,14 @@ export const secretRotationServiceFactory = ({
    secretPath,
    environment
  }: TCreateSecretRotationDTO) => {
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SecretRotation
@@ -191,13 +191,14 @@ export const secretRotationServiceFactory = ({
  };
  const getByProjectId = async ({ actorId, projectId, actor, actorOrgId, actorAuthMethod }: TListByProjectIdDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
    if (shouldUseSecretV2Bridge) {
@@ -236,14 +237,14 @@ export const secretRotationServiceFactory = ({
        message: "Failed to add secret rotation due to plan restriction. Upgrade plan to add secret rotation."
      });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      doc.projectId,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretRotation);
    await secretRotationQueue.removeFromQueue(doc.id, doc.interval);
    await secretRotationQueue.addToQueue(doc.id, doc.interval);
@@ -254,14 +255,14 @@ export const secretRotationServiceFactory = ({
    const doc = await secretRotationDAL.findById(rotationId);
    if (!doc) throw new NotFoundError({ message: `Rotation with ID '${rotationId}' not found` });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      doc.projectId,
+      projectId: doc.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      ProjectPermissionSub.SecretRotation
--- a/backend/src/ee/services/secret-scanning/secret-scanning-dal.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-dal.ts
@@ -1,9 +1,12 @@
-import { Knex } from "knex";
+import knex, { Knex } from "knex";
 import { TDbClient } from "@app/db";
 import { TableName, TSecretScanningGitRisksInsert } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
+import { DatabaseError, GatewayTimeoutError } from "@app/lib/errors";
-import { ormify } from "@app/lib/knex";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
 import { OrderByDirection } from "@app/lib/types";
 import { SecretScanningResolvedStatus, TGetOrgRisksDTO } from "./secret-scanning-types";
 export type TSecretScanningDALFactory = ReturnType<typeof secretScanningDALFactory>;
@@ -19,5 +22,70 @@ export const secretScanningDALFactory = (db: TDbClient) => {
    }
  };
-  return { ...gitRiskOrm, upsert };
+  const findByOrgId = async (orgId: string, filter: TGetOrgRisksDTO["filter"], tx?: Knex) => {
    try {
      // Find statements
      const sqlQuery = (tx || db.replicaNode())(TableName.SecretScanningGitRisk)
        // eslint-disable-next-line func-names
        .where(`${TableName.SecretScanningGitRisk}.orgId`, orgId);
      if (filter.repositoryNames) {
        void sqlQuery.whereIn(`${TableName.SecretScanningGitRisk}.repositoryFullName`, filter.repositoryNames);
      }
      if (filter.resolvedStatus) {
        if (filter.resolvedStatus !== SecretScanningResolvedStatus.All) {
          const isResolved = filter.resolvedStatus === SecretScanningResolvedStatus.Resolved;
          void sqlQuery.where(`${TableName.SecretScanningGitRisk}.isResolved`, isResolved);
        }
      }
      // Select statements
      void sqlQuery
        .select(selectAllTableCols(TableName.SecretScanningGitRisk))
        .limit(filter.limit)
        .offset(filter.offset);
      if (filter.orderBy) {
        const orderDirection = filter.orderDirection || OrderByDirection.ASC;
        void sqlQuery.orderBy(filter.orderBy, orderDirection);
      }
      const countQuery = (tx || db.replicaNode())(TableName.SecretScanningGitRisk)
        .where(`${TableName.SecretScanningGitRisk}.orgId`, orgId)
        .count();
      const uniqueReposQuery = (tx || db.replicaNode())(TableName.SecretScanningGitRisk)
        .where(`${TableName.SecretScanningGitRisk}.orgId`, orgId)
        .distinct("repositoryFullName")
        .select("repositoryFullName");
      // we timeout long running queries to prevent DB resource issues (2 minutes)
      const docs = await sqlQuery.timeout(1000 * 120);
      const uniqueRepos = await uniqueReposQuery.timeout(1000 * 120);
      const totalCount = await countQuery;
      return {
        risks: docs,
        totalCount: Number(totalCount?.[0].count),
        repos: uniqueRepos
          .filter(Boolean)
          .map((r) => r.repositoryFullName!)
          .sort((a, b) => a.localeCompare(b))
      };
    } catch (error) {
      if (error instanceof knex.KnexTimeoutError) {
        throw new GatewayTimeoutError({
          error,
          message: "Failed to fetch secret leaks due to timeout. Add more search filters."
        });
      }
      throw new DatabaseError({ error });
    }
  };
  return { ...gitRiskOrm, upsert, findByOrgId };
 };
--- a/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
@@ -15,6 +15,7 @@ import { TSecretScanningDALFactory } from "./secret-scanning-dal";
 import { TSecretScanningQueueFactory } from "./secret-scanning-queue";
 import {
  SecretScanningRiskStatus,
  TGetAllOrgRisksDTO,
  TGetOrgInstallStatusDTO,
  TGetOrgRisksDTO,
  TInstallAppSessionDTO,
@@ -118,11 +119,21 @@ export const secretScanningServiceFactory = ({
    return Boolean(appInstallation);
  };
-  const getRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId }: TGetOrgRisksDTO) => {
+  const getRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId, filter }: TGetOrgRisksDTO) => {
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);
    const results = await secretScanningDAL.findByOrgId(orgId, filter);
    return results;
  };
  const getAllRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId }: TGetAllOrgRisksDTO) => {
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);
    const risks = await secretScanningDAL.find({ orgId }, { sort: [["createdAt", "desc"]] });
-    return { risks };
+    return risks;
  };
  const updateRiskStatus = async ({
@@ -189,6 +200,7 @@ export const secretScanningServiceFactory = ({
    linkInstallationToOrg,
    getOrgInstallationStatus,
    getRisksByOrg,
    getAllRisksByOrg,
    updateRiskStatus,
    handleRepoPushEvent,
    handleRepoDeleteEvent
--- a/backend/src/ee/services/secret-scanning/secret-scanning-types.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-types.ts
@@ -1,4 +1,4 @@
-import { TOrgPermission } from "@app/lib/types";
+import { OrderByDirection, TOrgPermission } from "@app/lib/types";
 export enum SecretScanningRiskStatus {
  FalsePositive = "RESOLVED_FALSE_POSITIVE",
@@ -7,6 +7,12 @@ export enum SecretScanningRiskStatus {
  Unresolved = "UNRESOLVED"
 }
 export enum SecretScanningResolvedStatus {
  All = "all",
  Resolved = "resolved",
  Unresolved = "unresolved"
 }
 export type TInstallAppSessionDTO = TOrgPermission;
 export type TLinkInstallSessionDTO = {
@@ -16,7 +22,22 @@ export type TLinkInstallSessionDTO = {
 export type TGetOrgInstallStatusDTO = TOrgPermission;
-export type TGetOrgRisksDTO = TOrgPermission;
+type RiskFilter = {
  offset: number;
  limit: number;
  orderBy?: "createdAt" | "name";
  orderDirection?: OrderByDirection;
  repositoryNames?: string[];
  resolvedStatus?: SecretScanningResolvedStatus;
 };
 export type TGetOrgRisksDTO = {
  filter: RiskFilter;
 } & TOrgPermission;
 export type TGetAllOrgRisksDTO = {
  filter: Omit<RiskFilter, "offset" | "limit" | "orderBy" | "orderDirection">;
 } & TOrgPermission;
 export type TUpdateRiskStatusDTO = {
  riskId: string;
--- a/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
+++ b/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
@@ -1,6 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
-import { ProjectType, TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
+import { ActionProjectType, TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@@ -83,13 +83,14 @@ export const secretSnapshotServiceFactory = ({
    actorAuthMethod,
    path
  }: TProjectSnapshotCountDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
    // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
@@ -119,13 +120,14 @@ export const secretSnapshotServiceFactory = ({
    limit = 20,
    offset = 0
  }: TProjectSnapshotListDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
    // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
@@ -147,13 +149,14 @@ export const secretSnapshotServiceFactory = ({
  const getSnapshotData = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TGetSnapshotDataDTO) => {
    const snapshot = await snapshotDAL.findById(id);
    if (!snapshot) throw new NotFoundError({ message: `Snapshot with ID '${id}' not found` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      snapshot.projectId,
+      projectId: snapshot.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
    const shouldUseBridge = snapshot.projectVersion === 3;
@@ -322,14 +325,14 @@ export const secretSnapshotServiceFactory = ({
    if (!snapshot) throw new NotFoundError({ message: `Snapshot with ID '${snapshotId}' not found` });
    const shouldUseBridge = snapshot.projectVersion === 3;
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      snapshot.projectId,
+      projectId: snapshot.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SecretRollback
--- a/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-service.ts
+++ b/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-service.ts
@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import ms from "ms";
-import { ProjectType } from "@app/db/schemas";
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -54,15 +54,15 @@ export const sshCertificateTemplateServiceFactory = ({
      });
    }
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SSH
    });
    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SshCertificateTemplates
@@ -127,15 +127,15 @@ export const sshCertificateTemplateServiceFactory = ({
      });
    }
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      certTemplate.projectId,
+      projectId: certTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SSH
    });
    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      ProjectPermissionSub.SshCertificateTemplates
@@ -196,15 +196,15 @@ export const sshCertificateTemplateServiceFactory = ({
      });
    }
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      certificateTemplate.projectId,
+      projectId: certificateTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SSH
    });
    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      ProjectPermissionSub.SshCertificateTemplates
@@ -223,15 +223,15 @@ export const sshCertificateTemplateServiceFactory = ({
      });
    }
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      certTemplate.projectId,
+      projectId: certTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SSH
    });
    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      ProjectPermissionSub.SshCertificateTemplates
--- a/backend/src/ee/services/ssh/ssh-certificate-authority-service.ts
+++ b/backend/src/ee/services/ssh/ssh-certificate-authority-service.ts
@@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
-import { ProjectType } from "@app/db/schemas";
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSshCertificateAuthorityDALFactory } from "@app/ee/services/ssh/ssh-certificate-authority-dal";
@@ -65,15 +65,15 @@ export const sshCertificateAuthorityServiceFactory = ({
    actor,
    actorOrgId
  }: TCreateSshCaDTO) => {
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SSH
    });
    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SshCertificateAuthorities
@@ -118,15 +118,15 @@ export const sshCertificateAuthorityServiceFactory = ({
    const ca = await sshCertificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SSH
    });
    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      ProjectPermissionSub.SshCertificateAuthorities
@@ -187,15 +187,15 @@ export const sshCertificateAuthorityServiceFactory = ({
    const ca = await sshCertificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SSH
    });
    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      ProjectPermissionSub.SshCertificateAuthorities
@@ -226,15 +226,15 @@ export const sshCertificateAuthorityServiceFactory = ({
    const ca = await sshCertificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SSH
    });
    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      ProjectPermissionSub.SshCertificateAuthorities
@@ -268,15 +268,15 @@ export const sshCertificateAuthorityServiceFactory = ({
      });
    }
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      sshCertificateTemplate.projectId,
+      projectId: sshCertificateTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SSH
    });
    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SshCertificates
@@ -390,15 +390,15 @@ export const sshCertificateAuthorityServiceFactory = ({
      });
    }
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      sshCertificateTemplate.projectId,
+      projectId: sshCertificateTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SSH
    });
    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SshCertificates
@@ -488,15 +488,15 @@ export const sshCertificateAuthorityServiceFactory = ({
    const ca = await sshCertificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SSH
    });
    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      ProjectPermissionSub.SshCertificateTemplates
--- a/backend/src/ee/services/trusted-ip/trusted-ip-service.ts
+++ b/backend/src/ee/services/trusted-ip/trusted-ip-service.ts
@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 import { TProjectPermission } from "@app/lib/types";
@@ -27,13 +28,14 @@ export const trustedIpServiceFactory = ({
  projectDAL
 }: TTrustedIpServiceFactoryDep) => {
  const listIpsByProjectId = async ({ projectId, actor, actorId, actorAuthMethod, actorOrgId }: TProjectPermission) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
    const trustedIps = await trustedIpDAL.find({
      projectId
@@ -51,13 +53,14 @@ export const trustedIpServiceFactory = ({
    comment,
    isActive
  }: TCreateIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
    const project = await projectDAL.findById(projectId);
@@ -96,13 +99,14 @@ export const trustedIpServiceFactory = ({
    comment,
    trustedIpId
  }: TUpdateIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
    const project = await projectDAL.findById(projectId);
@@ -141,13 +145,14 @@ export const trustedIpServiceFactory = ({
    actorAuthMethod,
    trustedIpId
  }: TDeleteIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
    const project = await projectDAL.findById(projectId);
--- a/backend/src/keystore/keystore.ts
+++ b/backend/src/keystore/keystore.ts
@@ -23,6 +23,8 @@ export const KeyStorePrefixes = {
    `sync-integration-mutex-${projectId}-${environmentSlug}-${secretPath}` as const,
  SyncSecretIntegrationLastRunTimestamp: (projectId: string, environmentSlug: string, secretPath: string) =>
    `sync-integration-last-run-${projectId}-${environmentSlug}-${secretPath}` as const,
  SecretSyncLock: (syncId: string) => `secret-sync-mutex-${syncId}` as const,
  SecretSyncLastRunTimestamp: (syncId: string) => `secret-sync-last-run-${syncId}` as const,
  IdentityAccessTokenStatusUpdate: (identityAccessTokenId: string) =>
    `identity-access-token-status:${identityAccessTokenId}`,
  ServiceTokenStatusUpdate: (serviceTokenId: string) => `service-token-status:${serviceTokenId}`
@@ -30,6 +32,7 @@ export const KeyStorePrefixes = {
 export const KeyStoreTtls = {
  SetSyncSecretIntegrationLastRunTimestampInSeconds: 60,
  SetSecretSyncLastRunTimestampInSeconds: 60,
  AccessTokenStatusUpdateInSeconds: 120
 };
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -1,5 +1,7 @@
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { APP_CONNECTION_NAME_MAP } from "@app/services/app-connection/app-connection-maps";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 import { SECRET_SYNC_CONNECTION_MAP, SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
 export const GROUPS = {
  CREATE: {
@@ -474,7 +476,7 @@ export const PROJECTS = {
  },
  ADD_GROUP_TO_PROJECT: {
    projectId: "The ID of the project to add the group to.",
-    groupId: "The ID of the group to add to the project.",
+    groupIdOrName: "The ID or name of the group to add to the project.",
    role: "The role for the group to assume in the project."
  },
  UPDATE_GROUP_IN_PROJECT: {
@@ -686,7 +688,9 @@ export const RAW_SECRETS = {
    environment: "The slug of the environment to list secrets from.",
    secretPath: "The secret path to list secrets from.",
    includeImports: "Weather to include imported secrets or not.",
-    tagSlugs: "The comma separated tag slugs to filter secrets."
+    tagSlugs: "The comma separated tag slugs to filter secrets.",
    metadataFilter:
      "The secret metadata key-value pairs to filter secrets by. When querying for multiple metadata pairs, the query is treated as an AND operation. Secret metadata format is key=value1,value=value2|key=value3,value=value4."
  },
  CREATE: {
    secretName: "The name of the secret to create.",
@@ -826,6 +830,8 @@ export const AUDIT_LOGS = {
    projectId:
      "Optionally filter logs by project ID. If not provided, logs from the entire organization will be returned.",
    eventType: "The type of the event to export.",
    secretPath:
      "The path of the secret to query audit logs for. Note that the projectId parameter must also be provided.",
    userAgentType: "Choose which consuming application to export audit logs for.",
    eventMetadata:
      "Filter by event metadata key-value pairs. Formatted as `key1=value1,key2=value2`, with comma-separation.",
@@ -1587,6 +1593,13 @@ export const KMS = {
    orderDirection: "The direction to order keys in.",
    search: "The text string to filter key names by."
  },
  GET_KEY_BY_ID: {
    keyId: "The ID of the KMS key to retrieve."
  },
  GET_KEY_BY_NAME: {
    keyName: "The name of the KMS key to retrieve.",
    projectId: "The ID of the project the key belongs to."
  },
  ENCRYPT: {
    keyId: "The ID of the key to encrypt the data with.",
    plaintext: "The plaintext to be encrypted (base64 encoded)."
@@ -1643,6 +1656,98 @@ export const AppConnections = {
    };
  },
  DELETE: (app: AppConnection) => ({
-    connectionId: `The ID of the ${APP_CONNECTION_NAME_MAP[app]} connection to be deleted.`
+    connectionId: `The ID of the ${APP_CONNECTION_NAME_MAP[app]} Connection to be deleted.`
  })
 };
 export const SecretSyncs = {
  LIST: (destination?: SecretSync) => ({
    projectId: `The ID of the project to list ${destination ? SECRET_SYNC_NAME_MAP[destination] : "Secret"} Syncs from.`
  }),
  GET_BY_ID: (destination: SecretSync) => ({
    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to retrieve.`
  }),
  GET_BY_NAME: (destination: SecretSync) => ({
    syncName: `The name of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to retrieve.`,
    projectId: `The ID of the project the ${SECRET_SYNC_NAME_MAP[destination]} Sync is associated with.`
  }),
  CREATE: (destination: SecretSync) => {
    const destinationName = SECRET_SYNC_NAME_MAP[destination];
    return {
      name: `The name of the ${destinationName} Sync to create. Must be slug-friendly.`,
      description: `An optional description for the ${destinationName} Sync.`,
      projectId: "The ID of the project to create the sync in.",
      environment: `The slug of the project environment to sync secrets from.`,
      secretPath: `The folder path to sync secrets from.`,
      connectionId: `The ID of the ${
        APP_CONNECTION_NAME_MAP[SECRET_SYNC_CONNECTION_MAP[destination]]
      } Connection to use for syncing.`,
      isAutoSyncEnabled: `Whether secrets should be automatically synced when changes occur at the source location or not.`,
      syncOptions: "Optional parameters to modify how secrets are synced."
    };
  },
  UPDATE: (destination: SecretSync) => {
    const destinationName = SECRET_SYNC_NAME_MAP[destination];
    return {
      syncId: `The ID of the ${destinationName} Sync to be updated.`,
      connectionId: `The updated ID of the ${
        APP_CONNECTION_NAME_MAP[SECRET_SYNC_CONNECTION_MAP[destination]]
      } Connection to use for syncing.`,
      name: `The updated name of the ${destinationName} Sync. Must be slug-friendly.`,
      environment: `The updated slug of the project environment to sync secrets from.`,
      secretPath: `The updated folder path to sync secrets from.`,
      description: `The updated description of the ${destinationName} Sync.`,
      isAutoSyncEnabled: `Whether secrets should be automatically synced when changes occur at the source location or not.`,
      syncOptions: "Optional parameters to modify how secrets are synced."
    };
  },
  DELETE: (destination: SecretSync) => ({
    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to be deleted.`,
    removeSecrets: `Whether previously synced secrets should be removed prior to deletion.`
  }),
  SYNC_SECRETS: (destination: SecretSync) => ({
    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger a sync for.`
  }),
  IMPORT_SECRETS: (destination: SecretSync) => ({
    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger importing secrets for.`,
    importBehavior: `Specify whether Infisical should prioritize secret values from Infisical or ${SECRET_SYNC_NAME_MAP[destination]}.`
  }),
  REMOVE_SECRETS: (destination: SecretSync) => ({
    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger removing secrets for.`
  }),
  SYNC_OPTIONS: (destination: SecretSync) => {
    const destinationName = SECRET_SYNC_NAME_MAP[destination];
    return {
      INITIAL_SYNC_BEHAVIOR: `Specify how Infisical should resolve the initial sync to the ${destinationName} destination.`,
      PREPEND_PREFIX: `Optionally prepend a prefix to your secrets' keys when syncing to ${destinationName}.`,
      APPEND_SUFFIX: `Optionally append a suffix to your secrets' keys when syncing to ${destinationName}.`
    };
  },
  DESTINATION_CONFIG: {
    AWS_PARAMETER_STORE: {
      REGION: "The AWS region to sync secrets to.",
      PATH: "The Parameter Store path to sync secrets to."
    },
    AWS_SECRETS_MANAGER: {
      REGION: "The AWS region to sync secrets to.",
      MAPPING_BEHAVIOR:
        "How secrets from Infisical should be mapped to AWS Secrets Manager; one-to-one or many-to-one.",
      SECRET_NAME: "The secret name in AWS Secrets Manager to sync to when using mapping behavior many-to-one."
    },
    GITHUB: {
      ORG: "The name of the GitHub organization.",
      OWNER: "The name of the GitHub account owner of the repository.",
      REPO: "The name of the GitHub repository.",
      ENV: "The name of the GitHub environment."
    },
    AZURE_KEY_VAULT: {
      VAULT_BASE_URL:
        "The base URL of the Azure Key Vault to sync secrets to. Example: https://example.vault.azure.net/"
    },
    AZURE_APP_CONFIGURATION: {
      CONFIGURATION_URL:
        "The URL of the Azure App Configuration to sync secrets to. Example: https://example.azconfig.io/",
      LABEL: "An optional label to assign to secrets created in Azure App Configuration."
    }
  }
 };
--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@@ -199,7 +199,36 @@ const envSchema = z
    INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET: zpStr(z.string().optional()),
    INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY: zpStr(z.string().optional()),
    INF_APP_CONNECTION_GITHUB_APP_SLUG: zpStr(z.string().optional()),
-    INF_APP_CONNECTION_GITHUB_APP_ID: zpStr(z.string().optional())
+    INF_APP_CONNECTION_GITHUB_APP_ID: zpStr(z.string().optional()),
    // gcp app
    INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL: zpStr(z.string().optional()),
    // azure app
    INF_APP_CONNECTION_AZURE_CLIENT_ID: zpStr(z.string().optional()),
    INF_APP_CONNECTION_AZURE_CLIENT_SECRET: zpStr(z.string().optional()),
    /* CORS ----------------------------------------------------------------------------- */
    CORS_ALLOWED_ORIGINS: zpStr(
      z
        .string()
        .optional()
        .transform((val) => {
          if (!val) return undefined;
          return JSON.parse(val) as string[];
        })
    ),
    CORS_ALLOWED_HEADERS: zpStr(
      z
        .string()
        .optional()
        .transform((val) => {
          if (!val) return undefined;
          return JSON.parse(val) as string[];
        })
    )
  })
  // To ensure that basic encryption is always possible.
  .refine(
--- a/backend/src/lib/crypto/encryption.ts
+++ b/backend/src/lib/crypto/encryption.ts
@@ -116,7 +116,7 @@ export const decryptAsymmetric = ({ ciphertext, nonce, publicKey, privateKey }:
 export const generateSymmetricKey = (size = 32) => crypto.randomBytes(size).toString("base64");
-export const generateHash = (value: string) => crypto.createHash("sha256").update(value).digest("hex");
+export const generateHash = (value: string | Buffer) => crypto.createHash("sha256").update(value).digest("hex");
 export const generateAsymmetricKeyPair = () => {
  const pair = nacl.box.keyPair();
--- a/backend/src/lib/error-codes/database.ts
+++ b/backend/src/lib/error-codes/database.ts
@@ -0,0 +1,4 @@
 export enum DatabaseErrorCode {
  ForeignKeyViolation = "23503",
  UniqueViolation = "23505"
 }
--- a/backend/src/lib/error-codes/index.ts
+++ b/backend/src/lib/error-codes/index.ts
@@ -0,0 +1 @@
 export * from "./database";
--- a/backend/src/lib/knex/index.ts
+++ b/backend/src/lib/knex/index.ts
@@ -7,6 +7,7 @@ import { buildDynamicKnexQuery, TKnexDynamicOperator } from "./dynamic";
 export * from "./connection";
 export * from "./join";
 export * from "./prependTableNameToFindFilter";
 export * from "./select";
 export const withTransaction = <K extends object>(db: Knex, dal: K) => ({
--- a/backend/src/lib/knex/prependTableNameToFindFilter.ts
+++ b/backend/src/lib/knex/prependTableNameToFindFilter.ts
@@ -0,0 +1,13 @@
 import { TableName } from "@app/db/schemas";
 import { buildFindFilter } from "@app/lib/knex/index";
 type TFindFilterParameters = Parameters<typeof buildFindFilter<object>>[0];
 export const prependTableNameToFindFilter = (tableName: TableName, filterObj: object): TFindFilterParameters =>
  Object.fromEntries(
    Object.entries(filterObj).map(([key, value]) =>
      key.startsWith("$")
        ? [key, prependTableNameToFindFilter(tableName, value as object)]
        : [`${tableName}.${key}`, value]
    )
  );
--- a/backend/src/lib/validator/index.ts
+++ b/backend/src/lib/validator/index.ts
@@ -1,3 +1,4 @@
 export { isDisposableEmail } from "./validate-email";
 export { isValidFolderName, isValidSecretPath } from "./validate-folder-name";
 export { blockLocalAndPrivateIpAddresses } from "./validate-url";
 export { isUuidV4 } from "./validate-uuid";
--- a/backend/src/lib/validator/validate-uuid.ts
+++ b/backend/src/lib/validator/validate-uuid.ts
@@ -0,0 +1,3 @@
 import { z } from "zod";
 export const isUuidV4 = (uuid: string) => z.string().uuid().safeParse(uuid).success;
--- a/backend/src/queue/queue-service.ts
+++ b/backend/src/queue/queue-service.ts
@@ -15,6 +15,12 @@ import {
  TIntegrationSyncPayload,
  TSyncSecretsDTO
 } from "@app/services/secret/secret-types";
 import {
  TQueueSecretSyncImportSecretsByIdDTO,
  TQueueSecretSyncRemoveSecretsByIdDTO,
  TQueueSecretSyncSyncSecretsByIdDTO,
  TQueueSendSecretSyncActionFailedNotificationsDTO
 } from "@app/services/secret-sync/secret-sync-types";
 export enum QueueName {
  SecretRotation = "secret-rotation",
@@ -36,7 +42,8 @@ export enum QueueName {
  SecretSync = "secret-sync", // parent queue to push integration sync, webhook, and secret replication
  ProjectV3Migration = "project-v3-migration",
  AccessTokenStatusUpdate = "access-token-status-update",
-  ImportSecretsFromExternalSource = "import-secrets-from-external-source"
+  ImportSecretsFromExternalSource = "import-secrets-from-external-source",
  AppConnectionSecretSync = "app-connection-secret-sync"
 }
 export enum QueueJobs {
@@ -61,7 +68,11 @@ export enum QueueJobs {
  ProjectV3Migration = "project-v3-migration",
  IdentityAccessTokenStatusUpdate = "identity-access-token-status-update",
  ServiceTokenStatusUpdate = "service-token-status-update",
-  ImportSecretsFromExternalSource = "import-secrets-from-external-source"
+  ImportSecretsFromExternalSource = "import-secrets-from-external-source",
  SecretSyncSyncSecrets = "secret-sync-sync-secrets",
  SecretSyncImportSecrets = "secret-sync-import-secrets",
  SecretSyncRemoveSecrets = "secret-sync-remove-secrets",
  SecretSyncSendActionFailedNotifications = "secret-sync-send-action-failed-notifications"
 }
 export type TQueueJobTypes = {
@@ -184,6 +195,23 @@ export type TQueueJobTypes = {
      };
    };
  };
  [QueueName.AppConnectionSecretSync]:
    | {
        name: QueueJobs.SecretSyncSyncSecrets;
        payload: TQueueSecretSyncSyncSecretsByIdDTO;
      }
    | {
        name: QueueJobs.SecretSyncImportSecrets;
        payload: TQueueSecretSyncImportSecretsByIdDTO;
      }
    | {
        name: QueueJobs.SecretSyncRemoveSecrets;
        payload: TQueueSecretSyncRemoveSecretsByIdDTO;
      }
    | {
        name: QueueJobs.SecretSyncSendActionFailedNotifications;
        payload: TQueueSendSecretSyncActionFailedNotificationsDTO;
      };
 };
 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;
--- a/backend/src/server/app.ts
+++ b/backend/src/server/app.ts
@@ -87,7 +87,16 @@ export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, key
    await server.register<FastifyCorsOptions>(cors, {
      credentials: true,
-      origin: appCfg.SITE_URL || true
+      ...(appCfg.CORS_ALLOWED_ORIGINS?.length
        ? {
            origin: [...appCfg.CORS_ALLOWED_ORIGINS, ...(appCfg.SITE_URL ? [appCfg.SITE_URL] : [])]
          }
        : {
            origin: appCfg.SITE_URL || true
          }),
      ...(appCfg.CORS_ALLOWED_HEADERS?.length && {
        allowedHeaders: appCfg.CORS_ALLOWED_HEADERS
      })
    });
    await server.register(addErrorsToResponseSchemas);
--- a/backend/src/server/plugins/audit-log.ts
+++ b/backend/src/server/plugins/audit-log.ts
@@ -32,13 +32,21 @@ export const getUserAgentType = (userAgent: string | undefined) => {
 export const injectAuditLogInfo = fp(async (server: FastifyZodProvider) => {
  server.decorateRequest("auditLogInfo", null);
  server.addHook("onRequest", async (req) => {
    if (!req.auth) return;
    const userAgent = req.headers["user-agent"] ?? "";
    const payload = {
      ipAddress: req.realIp,
      userAgent,
      userAgentType: getUserAgentType(userAgent)
    } as typeof req.auditLogInfo;
    if (!req.auth) {
      payload.actor = {
        type: ActorType.UNKNOWN_USER,
        metadata: {}
      };
      req.auditLogInfo = payload;
      return;
    }
    if (req.auth.actor === ActorType.USER) {
      payload.actor = {
        type: ActorType.USER,
--- a/backend/src/server/plugins/secret-scanner.ts
+++ b/backend/src/server/plugins/secret-scanner.ts
@@ -1,3 +1,4 @@
 import type { EmitterWebhookEventName } from "@octokit/webhooks/dist-types/types";
 import { PushEvent } from "@octokit/webhooks-types";
 import { Probot } from "probot";
 import SmeeClient from "smee-client";
@@ -54,14 +55,14 @@ export const registerSecretScannerGhApp = async (server: FastifyZodProvider) =>
        rateLimit: writeLimit
      },
      handler: async (req, res) => {
-        const eventName = req.headers["x-github-event"];
+        const eventName = req.headers["x-github-event"] as EmitterWebhookEventName;
        const signatureSHA256 = req.headers["x-hub-signature-256"] as string;
        const id = req.headers["x-github-delivery"] as string;
        await probot.webhooks.verifyAndReceive({
          id,
          // @ts-expect-error type
          name: eventName,
-          payload: req.body as string,
+          payload: JSON.stringify(req.body),
          signature: signatureSHA256
        });
        void res.send("ok");
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -196,6 +196,9 @@ import { secretImportDALFactory } from "@app/services/secret-import/secret-impor
 import { secretImportServiceFactory } from "@app/services/secret-import/secret-import-service";
 import { secretSharingDALFactory } from "@app/services/secret-sharing/secret-sharing-dal";
 import { secretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
 import { secretSyncDALFactory } from "@app/services/secret-sync/secret-sync-dal";
 import { secretSyncQueueFactory } from "@app/services/secret-sync/secret-sync-queue";
 import { secretSyncServiceFactory } from "@app/services/secret-sync/secret-sync-service";
 import { secretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
 import { secretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { secretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-dal";
@@ -318,6 +321,7 @@ export const registerRoutes = async (
  const trustedIpDAL = trustedIpDALFactory(db);
  const telemetryDAL = telemetryDALFactory(db);
  const appConnectionDAL = appConnectionDALFactory(db);
  const secretSyncDAL = secretSyncDALFactory(db, folderDAL);
  // ee db layer ops
  const permissionDAL = permissionDALFactory(db);
@@ -463,7 +467,8 @@ export const registerRoutes = async (
    projectBotDAL,
    projectKeyDAL,
    permissionService,
-    licenseService
+    licenseService,
    oidcConfigDAL
  });
  const groupProjectService = groupProjectServiceFactory({
    groupDAL,
@@ -608,6 +613,7 @@ export const registerRoutes = async (
  });
  const superAdminService = superAdminServiceFactory({
    userDAL,
    userAliasDAL,
    authService: loginService,
    serverCfgDAL: superAdminDAL,
    kmsRootConfigDAL,
@@ -823,6 +829,30 @@ export const registerRoutes = async (
    kmsService
  });
  const secretSyncQueue = secretSyncQueueFactory({
    queueService,
    secretSyncDAL,
    folderDAL,
    secretImportDAL,
    secretV2BridgeDAL,
    kmsService,
    keyStore,
    auditLogService,
    smtpService,
    projectDAL,
    projectMembershipDAL,
    projectBotDAL,
    secretDAL,
    secretBlindIndexDAL,
    secretVersionDAL,
    secretTagDAL,
    secretVersionTagDAL,
    secretVersionV2BridgeDAL,
    secretVersionTagV2BridgeDAL,
    resourceMetadataDAL,
    appConnectionDAL
  });
  const secretQueueService = secretQueueFactory({
    keyStore,
    queueService,
@@ -857,7 +887,8 @@ export const registerRoutes = async (
    projectKeyDAL,
    projectUserMembershipRoleDAL,
    orgService,
-    resourceMetadataDAL
+    resourceMetadataDAL,
    secretSyncQueue
  });
  const projectService = projectServiceFactory({
@@ -894,7 +925,8 @@ export const registerRoutes = async (
    certificateTemplateDAL,
    projectSlackConfigDAL,
    slackIntegrationDAL,
-    projectTemplateService
+    projectTemplateService,
    groupProjectDAL
  });
  const projectEnvService = projectEnvServiceFactory({
@@ -1307,7 +1339,14 @@ export const registerRoutes = async (
    smtpService,
    orgBotDAL,
    permissionService,
-    oidcConfigDAL
+    oidcConfigDAL,
    projectBotDAL,
    projectKeyDAL,
    projectDAL,
    userGroupMembershipDAL,
    groupProjectDAL,
    groupDAL,
    auditLogService
  });
  const userEngagementService = userEngagementServiceFactory({
@@ -1367,8 +1406,17 @@ export const registerRoutes = async (
  const appConnectionService = appConnectionServiceFactory({
    appConnectionDAL,
    permissionService,
-    kmsService,
+    kmsService
-    licenseService
+  });
  const secretSyncService = secretSyncServiceFactory({
    secretSyncDAL,
    permissionService,
    appConnectionService,
    folderDAL,
    secretSyncQueue,
    projectBotService,
    keyStore
  });
  await superAdminService.initServerCfg();
@@ -1468,7 +1516,8 @@ export const registerRoutes = async (
    externalGroupOrgRoleMapping: externalGroupOrgRoleMappingService,
    projectTemplate: projectTemplateService,
    totp: totpService,
-    appConnection: appConnectionService
+    appConnection: appConnectionService,
    secretSync: secretSyncService
  });
  const cronJobs: CronJob[] = [];
--- a/backend/src/server/routes/sanitizedSchemas.ts
+++ b/backend/src/server/routes/sanitizedSchemas.ts
@@ -110,7 +110,6 @@ export const secretRawSchema = z.object({
  secretReminderNote: z.string().nullable().optional(),
  secretReminderRepeatDays: z.number().nullable().optional(),
  skipMultilineEncoding: z.boolean().default(false).nullable().optional(),
  metadata: z.unknown().nullable().optional(),
  createdAt: z.date(),
  updatedAt: z.date()
 });
--- a/backend/src/server/routes/v1/app-connection-routers/apps/app-connection-endpoints.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/apps/app-connection-endpoints.ts
@@ -15,7 +15,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
  app,
  createSchema,
  updateSchema,
-  responseSchema
+  sanitizedResponseSchema
 }: {
  app: AppConnection;
  server: FastifyZodProvider;
@@ -26,7 +26,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
    description?: string | null;
  }>;
  updateSchema: z.ZodType<{ name?: string; credentials?: I["credentials"]; description?: string | null }>;
-  responseSchema: z.ZodTypeAny;
+  sanitizedResponseSchema: z.ZodTypeAny;
 }) => {
  const appName = APP_CONNECTION_NAME_MAP[app];
@@ -39,7 +39,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
    schema: {
      description: `List the ${appName} Connections for the current organization.`,
      response: {
-        200: z.object({ appConnections: responseSchema.array() })
+        200: z.object({ appConnections: sanitizedResponseSchema.array() })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -63,6 +63,50 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
    }
  });
  server.route({
    method: "GET",
    url: "/available",
    config: {
      rateLimit: readLimit
    },
    schema: {
      description: `List the ${appName} Connections the current user has permission to establish connections with.`,
      response: {
        200: z.object({
          appConnections: z
            .object({
              app: z.literal(app),
              name: z.string(),
              id: z.string().uuid()
            })
            .array()
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const appConnections = await server.services.appConnection.listAvailableAppConnectionsForUser(
        app,
        req.permission
      );
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        orgId: req.permission.orgId,
        event: {
          type: EventType.GET_AVAILABLE_APP_CONNECTIONS_DETAILS,
          metadata: {
            app,
            count: appConnections.length,
            connectionIds: appConnections.map((connection) => connection.id)
          }
        }
      });
      return { appConnections };
    }
  });
  server.route({
    method: "GET",
    url: "/:connectionId",
@@ -75,7 +119,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
        connectionId: z.string().uuid().describe(AppConnections.GET_BY_ID(app).connectionId)
      }),
      response: {
-        200: z.object({ appConnection: responseSchema })
+        200: z.object({ appConnection: sanitizedResponseSchema })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -105,7 +149,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
  server.route({
    method: "GET",
-    url: `/name/:connectionName`,
+    url: `/connection-name/:connectionName`,
    config: {
      rateLimit: readLimit
    },
@@ -114,11 +158,12 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
      params: z.object({
        connectionName: z
          .string()
-          .min(0, "Connection name required")
+          .trim()
          .min(1, "Connection name required")
          .describe(AppConnections.GET_BY_NAME(app).connectionName)
      }),
      response: {
-        200: z.object({ appConnection: responseSchema })
+        200: z.object({ appConnection: sanitizedResponseSchema })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -158,7 +203,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
      } ${appName} Connection for the current organization.`,
      body: createSchema,
      response: {
-        200: z.object({ appConnection: responseSchema })
+        200: z.object({ appConnection: sanitizedResponseSchema })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -168,7 +213,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
      const appConnection = (await server.services.appConnection.createAppConnection(
        { name, method, app, credentials, description },
        req.permission
-      )) as TAppConnection;
+      )) as T;
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
@@ -201,7 +246,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
      }),
      body: updateSchema,
      response: {
-        200: z.object({ appConnection: responseSchema })
+        200: z.object({ appConnection: sanitizedResponseSchema })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -244,7 +289,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
        connectionId: z.string().uuid().describe(AppConnections.DELETE(app).connectionId)
      }),
      response: {
-        200: z.object({ appConnection: responseSchema })
+        200: z.object({ appConnection: sanitizedResponseSchema })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
--- a/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
@@ -4,18 +4,33 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AwsConnectionListItemSchema, SanitizedAwsConnectionSchema } from "@app/services/app-connection/aws";
 import {
  AzureAppConfigurationConnectionListItemSchema,
  SanitizedAzureAppConfigurationConnectionSchema
 } from "@app/services/app-connection/azure-app-configuration";
 import {
  AzureKeyVaultConnectionListItemSchema,
  SanitizedAzureKeyVaultConnectionSchema
 } from "@app/services/app-connection/azure-key-vault";
 import { GcpConnectionListItemSchema, SanitizedGcpConnectionSchema } from "@app/services/app-connection/gcp";
 import { GitHubConnectionListItemSchema, SanitizedGitHubConnectionSchema } from "@app/services/app-connection/github";
 import { AuthMode } from "@app/services/auth/auth-type";
 // can't use discriminated due to multiple schemas for certain apps
 const SanitizedAppConnectionSchema = z.union([
  ...SanitizedAwsConnectionSchema.options,
-  ...SanitizedGitHubConnectionSchema.options
+  ...SanitizedGitHubConnectionSchema.options,
  ...SanitizedGcpConnectionSchema.options,
  ...SanitizedAzureKeyVaultConnectionSchema.options,
  ...SanitizedAzureAppConfigurationConnectionSchema.options
 ]);
 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
  AwsConnectionListItemSchema,
-  GitHubConnectionListItemSchema
+  GitHubConnectionListItemSchema,
  GcpConnectionListItemSchema,
  AzureKeyVaultConnectionListItemSchema,
  AzureAppConfigurationConnectionListItemSchema
 ]);
 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {
--- a/backend/src/server/routes/v1/app-connection-routers/apps/github-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/apps/github-connection-router.ts
@@ -1,17 +0,0 @@
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
  CreateGitHubConnectionSchema,
  SanitizedGitHubConnectionSchema,
  UpdateGitHubConnectionSchema
 } from "@app/services/app-connection/github";
 import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
 export const registerGitHubConnectionRouter = async (server: FastifyZodProvider) =>
  registerAppConnectionEndpoints({
    app: AppConnection.GitHub,
    server,
    responseSchema: SanitizedGitHubConnectionSchema,
    createSchema: CreateGitHubConnectionSchema,
    updateSchema: UpdateGitHubConnectionSchema
  });
--- a/backend/src/server/routes/v1/app-connection-routers/apps/index.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/apps/index.ts
@@ -1,8 +0,0 @@
 import { registerAwsConnectionRouter } from "@app/server/routes/v1/app-connection-routers/apps/aws-connection-router";
 import { registerGitHubConnectionRouter } from "@app/server/routes/v1/app-connection-routers/apps/github-connection-router";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 export const APP_CONNECTION_REGISTER_MAP: Record<AppConnection, (server: FastifyZodProvider) => Promise<void>> = {
  [AppConnection.AWS]: registerAwsConnectionRouter,
  [AppConnection.GitHub]: registerGitHubConnectionRouter
 };
--- a/backend/src/server/routes/v1/app-connection-routers/apps/aws-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/apps/aws-connection-router.ts
@@ -11,7 +11,7 @@ export const registerAwsConnectionRouter = async (server: FastifyZodProvider) =>
  registerAppConnectionEndpoints({
    app: AppConnection.AWS,
    server,
-    responseSchema: SanitizedAwsConnectionSchema,
+    sanitizedResponseSchema: SanitizedAwsConnectionSchema,
    createSchema: CreateAwsConnectionSchema,
    updateSchema: UpdateAwsConnectionSchema
  });
--- a/backend/src/server/routes/v1/app-connection-routers/azure-app-configuration-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/azure-app-configuration-connection-router.ts
@@ -0,0 +1,18 @@
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
  CreateAzureAppConfigurationConnectionSchema,
  SanitizedAzureAppConfigurationConnectionSchema,
  UpdateAzureAppConfigurationConnectionSchema
 } from "@app/services/app-connection/azure-app-configuration";
 import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
 export const registerAzureAppConfigurationConnectionRouter = async (server: FastifyZodProvider) => {
  registerAppConnectionEndpoints({
    app: AppConnection.AzureAppConfiguration,
    server,
    sanitizedResponseSchema: SanitizedAzureAppConfigurationConnectionSchema,
    createSchema: CreateAzureAppConfigurationConnectionSchema,
    updateSchema: UpdateAzureAppConfigurationConnectionSchema
  });
 };
--- a/backend/src/server/routes/v1/app-connection-routers/azure-key-vault-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/azure-key-vault-connection-router.ts
@@ -0,0 +1,18 @@
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
  CreateAzureKeyVaultConnectionSchema,
  SanitizedAzureKeyVaultConnectionSchema,
  UpdateAzureKeyVaultConnectionSchema
 } from "@app/services/app-connection/azure-key-vault";
 import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
 export const registerAzureKeyVaultConnectionRouter = async (server: FastifyZodProvider) => {
  registerAppConnectionEndpoints({
    app: AppConnection.AzureKeyVault,
    server,
    sanitizedResponseSchema: SanitizedAzureKeyVaultConnectionSchema,
    createSchema: CreateAzureKeyVaultConnectionSchema,
    updateSchema: UpdateAzureKeyVaultConnectionSchema
  });
 };
--- a/backend/src/server/routes/v1/app-connection-routers/gcp-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/gcp-connection-router.ts
@@ -0,0 +1,48 @@
 import z from "zod";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
  CreateGcpConnectionSchema,
  SanitizedGcpConnectionSchema,
  UpdateGcpConnectionSchema
 } from "@app/services/app-connection/gcp";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
 export const registerGcpConnectionRouter = async (server: FastifyZodProvider) => {
  registerAppConnectionEndpoints({
    app: AppConnection.GCP,
    server,
    sanitizedResponseSchema: SanitizedGcpConnectionSchema,
    createSchema: CreateGcpConnectionSchema,
    updateSchema: UpdateGcpConnectionSchema
  });
  // The below endpoints are not exposed and for Infisical App use
  server.route({
    method: "GET",
    url: `/:connectionId/secret-manager-projects`,
    config: {
      rateLimit: readLimit
    },
    schema: {
      params: z.object({
        connectionId: z.string().uuid()
      }),
      response: {
        200: z.object({ id: z.string(), name: z.string() }).array()
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const { connectionId } = req.params;
      const projects = await server.services.appConnection.gcp.listSecretManagerProjects(connectionId, req.permission);
      return projects;
    }
  });
 };
--- a/backend/src/server/routes/v1/app-connection-routers/github-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/github-connection-router.ts
@@ -0,0 +1,117 @@
 import { z } from "zod";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
  CreateGitHubConnectionSchema,
  SanitizedGitHubConnectionSchema,
  UpdateGitHubConnectionSchema
 } from "@app/services/app-connection/github";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
 export const registerGitHubConnectionRouter = async (server: FastifyZodProvider) => {
  registerAppConnectionEndpoints({
    app: AppConnection.GitHub,
    server,
    sanitizedResponseSchema: SanitizedGitHubConnectionSchema,
    createSchema: CreateGitHubConnectionSchema,
    updateSchema: UpdateGitHubConnectionSchema
  });
  // The below endpoints are not exposed and for Infisical App use
  server.route({
    method: "GET",
    url: `/:connectionId/repositories`,
    config: {
      rateLimit: readLimit
    },
    schema: {
      params: z.object({
        connectionId: z.string().uuid()
      }),
      response: {
        200: z.object({
          repositories: z
            .object({ id: z.number(), name: z.string(), owner: z.object({ login: z.string(), id: z.number() }) })
            .array()
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const { connectionId } = req.params;
      const repositories = await server.services.appConnection.github.listRepositories(connectionId, req.permission);
      return { repositories };
    }
  });
  server.route({
    method: "GET",
    url: `/:connectionId/organizations`,
    config: {
      rateLimit: readLimit
    },
    schema: {
      params: z.object({
        connectionId: z.string().uuid()
      }),
      response: {
        200: z.object({
          organizations: z.object({ id: z.number(), login: z.string() }).array()
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const { connectionId } = req.params;
      const organizations = await server.services.appConnection.github.listOrganizations(connectionId, req.permission);
      return { organizations };
    }
  });
  server.route({
    method: "GET",
    url: `/:connectionId/environments`,
    config: {
      rateLimit: readLimit
    },
    schema: {
      params: z.object({
        connectionId: z.string().uuid()
      }),
      querystring: z.object({
        repo: z.string().min(1, "Repository name is required"),
        owner: z.string().min(1, "Repository owner name is required")
      }),
      response: {
        200: z.object({
          environments: z.object({ id: z.number(), name: z.string() }).array()
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const { connectionId } = req.params;
      const { repo, owner } = req.query;
      const environments = await server.services.appConnection.github.listEnvironments(
        {
          connectionId,
          repo,
          owner
        },
        req.permission
      );
      return { environments };
    }
  });
 };
--- a/backend/src/server/routes/v1/app-connection-routers/index.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/index.ts
@@ -1,2 +1,18 @@
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { registerAwsConnectionRouter } from "./aws-connection-router";
 import { registerAzureAppConfigurationConnectionRouter } from "./azure-app-configuration-connection-router";
 import { registerAzureKeyVaultConnectionRouter } from "./azure-key-vault-connection-router";
 import { registerGcpConnectionRouter } from "./gcp-connection-router";
 import { registerGitHubConnectionRouter } from "./github-connection-router";
 export * from "./app-connection-router";
-export * from "./apps";
+
 export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server: FastifyZodProvider) => Promise<void>> =
  {
    [AppConnection.AWS]: registerAwsConnectionRouter,
    [AppConnection.GitHub]: registerGitHubConnectionRouter,
    [AppConnection.GCP]: registerGcpConnectionRouter,
    [AppConnection.AzureKeyVault]: registerAzureKeyVaultConnectionRouter,
    [AppConnection.AzureAppConfiguration]: registerAzureAppConfigurationConnectionRouter
  };
--- a/backend/src/server/routes/v1/cmek-router.ts
+++ b/backend/src/server/routes/v1/cmek-router.ts
@@ -15,6 +15,10 @@ import { CmekOrderBy } from "@app/services/cmek/cmek-types";
 const keyNameSchema = slugSchema({ min: 1, max: 32, field: "Name" });
 const keyDescriptionSchema = z.string().trim().max(500).optional();
 const CmekSchema = KmsKeysSchema.merge(InternalKmsSchema.pick({ version: true, encryptionAlgorithm: true })).omit({
  isReserved: true
 });
 const base64Schema = z.string().superRefine((val, ctx) => {
  if (!isBase64(val)) {
    ctx.addIssue({
@@ -53,7 +57,7 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          key: KmsKeysSchema
+          key: CmekSchema
        })
      }
    },
@@ -106,7 +110,7 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          key: KmsKeysSchema
+          key: CmekSchema
        })
      }
    },
@@ -150,7 +154,7 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          key: KmsKeysSchema
+          key: CmekSchema
        })
      }
    },
@@ -201,7 +205,7 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          keys: KmsKeysSchema.merge(InternalKmsSchema.pick({ version: true, encryptionAlgorithm: true })).array(),
+          keys: CmekSchema.array(),
          totalCount: z.number()
        })
      }
@@ -230,6 +234,92 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
    }
  });
  server.route({
    method: "GET",
    url: "/keys/:keyId",
    config: {
      rateLimit: readLimit
    },
    schema: {
      description: "Get KMS key by ID",
      params: z.object({
        keyId: z.string().uuid().describe(KMS.GET_KEY_BY_ID.keyId)
      }),
      response: {
        200: z.object({
          key: CmekSchema
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const {
        params: { keyId },
        permission
      } = req;
      const key = await server.services.cmek.findCmekById(keyId, permission);
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: key.projectId!,
        event: {
          type: EventType.GET_CMEK,
          metadata: {
            keyId: key.id
          }
        }
      });
      return { key };
    }
  });
  server.route({
    method: "GET",
    url: "/keys/key-name/:keyName",
    config: {
      rateLimit: readLimit
    },
    schema: {
      description: "Get KMS key by Name",
      params: z.object({
        keyName: slugSchema({ field: "Key name" }).describe(KMS.GET_KEY_BY_NAME.keyName)
      }),
      querystring: z.object({
        projectId: z.string().min(1, "Project ID is required").describe(KMS.GET_KEY_BY_NAME.projectId)
      }),
      response: {
        200: z.object({
          key: CmekSchema
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const {
        params: { keyName },
        query: { projectId },
        permission
      } = req;
      const key = await server.services.cmek.findCmekByName(keyName, projectId, permission);
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: key.projectId!,
        event: {
          type: EventType.GET_CMEK,
          metadata: {
            keyId: key.id
          }
        }
      });
      return { key };
    }
  });
  // encrypt data
  server.route({
    method: "POST",
--- a/backend/src/server/routes/v1/dashboard-router.ts
+++ b/backend/src/server/routes/v1/dashboard-router.ts
@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import { z } from "zod";
-import { SecretFoldersSchema, SecretImportsSchema, SecretTagsSchema } from "@app/db/schemas";
+import { ActionProjectType, SecretFoldersSchema, SecretImportsSchema, SecretTagsSchema } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import {
  ProjectPermissionDynamicSecretActions,
@@ -220,13 +220,14 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
          totalCount: totalFolderCount ?? 0
        };
-      const { permission } = await server.services.permission.getProjectPermission(
+      const { permission } = await server.services.permission.getProjectPermission({
-        req.permission.type,
+        actor: req.permission.type,
-        req.permission.id,
+        actorId: req.permission.id,
        projectId,
-        req.permission.authMethod,
+        actorAuthMethod: req.permission.authMethod,
-        req.permission.orgId
+        actorOrgId: req.permission.orgId,
-      );
+        actionProjectType: ActionProjectType.SecretManager
      });
      const allowedDynamicSecretEnvironments = // filter envs user has access to
        environments.filter((environment) =>
--- a/backend/src/server/routes/v1/identity-aws-iam-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-aws-iam-auth-router.ts
@@ -79,44 +79,44 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
      params: z.object({
        identityId: z.string().trim().describe(AWS_AUTH.ATTACH.identityId)
      }),
-      body: z.object({
+      body: z
-        stsEndpoint: z
+        .object({
-          .string()
+          stsEndpoint: z
-          .trim()
+            .string()
-          .min(1)
+            .trim()
-          .default("https://sts.amazonaws.com/")
+            .min(1)
-          .describe(AWS_AUTH.ATTACH.stsEndpoint),
+            .default("https://sts.amazonaws.com/")
-        allowedPrincipalArns: validatePrincipalArns.describe(AWS_AUTH.ATTACH.allowedPrincipalArns),
+            .describe(AWS_AUTH.ATTACH.stsEndpoint),
-        allowedAccountIds: validateAccountIds.describe(AWS_AUTH.ATTACH.allowedAccountIds),
+          allowedPrincipalArns: validatePrincipalArns.describe(AWS_AUTH.ATTACH.allowedPrincipalArns),
-        accessTokenTrustedIps: z
+          allowedAccountIds: validateAccountIds.describe(AWS_AUTH.ATTACH.allowedAccountIds),
-          .object({
+          accessTokenTrustedIps: z
-            ipAddress: z.string().trim()
+            .object({
-          })
+              ipAddress: z.string().trim()
-          .array()
+            })
-          .min(1)
+            .array()
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .min(1)
-          .describe(AWS_AUTH.ATTACH.accessTokenTrustedIps),
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-        accessTokenTTL: z
+            .describe(AWS_AUTH.ATTACH.accessTokenTrustedIps),
-          .number()
+          accessTokenTTL: z
-          .int()
+            .number()
-          .min(1)
+            .int()
-          .max(315360000)
+            .min(0)
-          .refine((value) => value !== 0, {
+            .max(315360000)
-            message: "accessTokenTTL must have a non zero number"
+            .default(2592000)
-          })
+            .describe(AWS_AUTH.ATTACH.accessTokenTTL),
-          .default(2592000)
+          accessTokenMaxTTL: z
-          .describe(AWS_AUTH.ATTACH.accessTokenTTL),
+            .number()
-        accessTokenMaxTTL: z
+            .int()
-          .number()
+            .min(1)
-          .int()
+            .max(315360000)
-          .max(315360000)
+            .default(2592000)
-          .refine((value) => value !== 0, {
+            .describe(AWS_AUTH.ATTACH.accessTokenMaxTTL),
-            message: "accessTokenMaxTTL must have a non zero number"
+          accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(AWS_AUTH.ATTACH.accessTokenNumUsesLimit)
-          })
+        })
-          .default(2592000)
+        .refine(
-          .describe(AWS_AUTH.ATTACH.accessTokenMaxTTL),
+          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(AWS_AUTH.ATTACH.accessTokenNumUsesLimit)
+          "Access Token TTL cannot be greater than Access Token Max TTL."
-      }),
+        ),
      response: {
        200: z.object({
          identityAwsAuth: IdentityAwsAuthsSchema
@@ -172,30 +172,33 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
      params: z.object({
        identityId: z.string().describe(AWS_AUTH.UPDATE.identityId)
      }),
-      body: z.object({
+      body: z
-        stsEndpoint: z.string().trim().min(1).optional().describe(AWS_AUTH.UPDATE.stsEndpoint),
+        .object({
-        allowedPrincipalArns: validatePrincipalArns.describe(AWS_AUTH.UPDATE.allowedPrincipalArns),
+          stsEndpoint: z.string().trim().min(1).optional().describe(AWS_AUTH.UPDATE.stsEndpoint),
-        allowedAccountIds: validateAccountIds.describe(AWS_AUTH.UPDATE.allowedAccountIds),
+          allowedPrincipalArns: validatePrincipalArns.describe(AWS_AUTH.UPDATE.allowedPrincipalArns),
-        accessTokenTrustedIps: z
+          allowedAccountIds: validateAccountIds.describe(AWS_AUTH.UPDATE.allowedAccountIds),
-          .object({
+          accessTokenTrustedIps: z
-            ipAddress: z.string().trim()
+            .object({
-          })
+              ipAddress: z.string().trim()
-          .array()
+            })
-          .min(1)
+            .array()
-          .optional()
+            .min(1)
-          .describe(AWS_AUTH.UPDATE.accessTokenTrustedIps),
+            .optional()
-        accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(AWS_AUTH.UPDATE.accessTokenTTL),
+            .describe(AWS_AUTH.UPDATE.accessTokenTrustedIps),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(AWS_AUTH.UPDATE.accessTokenNumUsesLimit),
+          accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(AWS_AUTH.UPDATE.accessTokenTTL),
-        accessTokenMaxTTL: z
+          accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(AWS_AUTH.UPDATE.accessTokenNumUsesLimit),
-          .number()
+          accessTokenMaxTTL: z
-          .int()
+            .number()
-          .max(315360000)
+            .int()
-          .refine((value) => value !== 0, {
+            .max(315360000)
-            message: "accessTokenMaxTTL must have a non zero number"
+            .min(0)
-          })
+            .optional()
-          .optional()
+            .describe(AWS_AUTH.UPDATE.accessTokenMaxTTL)
-          .describe(AWS_AUTH.UPDATE.accessTokenMaxTTL)
+        })
-      }),
+        .refine(
          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
          "Access Token TTL cannot be greater than Access Token Max TTL."
        ),
      response: {
        200: z.object({
          identityAwsAuth: IdentityAwsAuthsSchema
--- a/backend/src/server/routes/v1/identity-azure-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-azure-auth-router.ts
@@ -76,39 +76,44 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
      params: z.object({
        identityId: z.string().trim().describe(AZURE_AUTH.LOGIN.identityId)
      }),
-      body: z.object({
+      body: z
-        tenantId: z.string().trim().describe(AZURE_AUTH.ATTACH.tenantId),
+        .object({
-        resource: z.string().trim().describe(AZURE_AUTH.ATTACH.resource),
+          tenantId: z.string().trim().describe(AZURE_AUTH.ATTACH.tenantId),
-        allowedServicePrincipalIds: validateAzureAuthField.describe(AZURE_AUTH.ATTACH.allowedServicePrincipalIds),
+          resource: z.string().trim().describe(AZURE_AUTH.ATTACH.resource),
-        accessTokenTrustedIps: z
+          allowedServicePrincipalIds: validateAzureAuthField.describe(AZURE_AUTH.ATTACH.allowedServicePrincipalIds),
-          .object({
+          accessTokenTrustedIps: z
-            ipAddress: z.string().trim()
+            .object({
-          })
+              ipAddress: z.string().trim()
-          .array()
+            })
-          .min(1)
+            .array()
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .min(1)
-          .describe(AZURE_AUTH.ATTACH.accessTokenTrustedIps),
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-        accessTokenTTL: z
+            .describe(AZURE_AUTH.ATTACH.accessTokenTrustedIps),
-          .number()
+          accessTokenTTL: z
-          .int()
+            .number()
-          .min(1)
+            .int()
-          .max(315360000)
+            .min(0)
-          .refine((value) => value !== 0, {
+            .max(315360000)
-            message: "accessTokenTTL must have a non zero number"
+            .default(2592000)
-          })
+            .describe(AZURE_AUTH.ATTACH.accessTokenTTL),
-          .default(2592000)
+          accessTokenMaxTTL: z
-          .describe(AZURE_AUTH.ATTACH.accessTokenTTL),
+            .number()
-        accessTokenMaxTTL: z
+            .int()
-          .number()
+            .min(0)
-          .int()
+            .max(315360000)
-          .max(315360000)
+            .default(2592000)
-          .refine((value) => value !== 0, {
+            .describe(AZURE_AUTH.ATTACH.accessTokenMaxTTL),
-            message: "accessTokenMaxTTL must have a non zero number"
+          accessTokenNumUsesLimit: z
-          })
+            .number()
-          .default(2592000)
+            .int()
-          .describe(AZURE_AUTH.ATTACH.accessTokenMaxTTL),
+            .min(0)
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(AZURE_AUTH.ATTACH.accessTokenNumUsesLimit)
+            .default(0)
-      }),
+            .describe(AZURE_AUTH.ATTACH.accessTokenNumUsesLimit)
        })
        .refine(
          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
          "Access Token TTL cannot be greater than Access Token Max TTL."
        ),
      response: {
        200: z.object({
          identityAzureAuth: IdentityAzureAuthsSchema
@@ -163,32 +168,40 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
      params: z.object({
        identityId: z.string().trim().describe(AZURE_AUTH.UPDATE.identityId)
      }),
-      body: z.object({
+      body: z
-        tenantId: z.string().trim().optional().describe(AZURE_AUTH.UPDATE.tenantId),
+        .object({
-        resource: z.string().trim().optional().describe(AZURE_AUTH.UPDATE.resource),
+          tenantId: z.string().trim().optional().describe(AZURE_AUTH.UPDATE.tenantId),
-        allowedServicePrincipalIds: validateAzureAuthField
+          resource: z.string().trim().optional().describe(AZURE_AUTH.UPDATE.resource),
-          .optional()
+          allowedServicePrincipalIds: validateAzureAuthField
-          .describe(AZURE_AUTH.UPDATE.allowedServicePrincipalIds),
+            .optional()
-        accessTokenTrustedIps: z
+            .describe(AZURE_AUTH.UPDATE.allowedServicePrincipalIds),
-          .object({
+          accessTokenTrustedIps: z
-            ipAddress: z.string().trim()
+            .object({
-          })
+              ipAddress: z.string().trim()
-          .array()
+            })
-          .min(1)
+            .array()
-          .optional()
+            .min(1)
-          .describe(AZURE_AUTH.UPDATE.accessTokenTrustedIps),
+            .optional()
-        accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(AZURE_AUTH.UPDATE.accessTokenTTL),
+            .describe(AZURE_AUTH.UPDATE.accessTokenTrustedIps),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(AZURE_AUTH.UPDATE.accessTokenNumUsesLimit),
+          accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(AZURE_AUTH.UPDATE.accessTokenTTL),
-        accessTokenMaxTTL: z
+          accessTokenNumUsesLimit: z
-          .number()
+            .number()
-          .int()
+            .int()
-          .max(315360000)
+            .min(0)
-          .refine((value) => value !== 0, {
+            .optional()
-            message: "accessTokenMaxTTL must have a non zero number"
+            .describe(AZURE_AUTH.UPDATE.accessTokenNumUsesLimit),
-          })
+          accessTokenMaxTTL: z
-          .optional()
+            .number()
-          .describe(AZURE_AUTH.UPDATE.accessTokenMaxTTL)
+            .int()
-      }),
+            .max(315360000)
            .min(0)
            .optional()
            .describe(AZURE_AUTH.UPDATE.accessTokenMaxTTL)
        })
        .refine(
          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
          "Access Token TTL cannot be greater than Access Token Max TTL."
        ),
      response: {
        200: z.object({
          identityAzureAuth: IdentityAzureAuthsSchema
--- a/backend/src/server/routes/v1/identity-gcp-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-gcp-auth-router.ts
@@ -74,40 +74,40 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
      params: z.object({
        identityId: z.string().trim().describe(GCP_AUTH.ATTACH.identityId)
      }),
-      body: z.object({
+      body: z
-        type: z.enum(["iam", "gce"]),
+        .object({
-        allowedServiceAccounts: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedServiceAccounts),
+          type: z.enum(["iam", "gce"]),
-        allowedProjects: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedProjects),
+          allowedServiceAccounts: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedServiceAccounts),
-        allowedZones: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedZones),
+          allowedProjects: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedProjects),
-        accessTokenTrustedIps: z
+          allowedZones: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedZones),
-          .object({
+          accessTokenTrustedIps: z
-            ipAddress: z.string().trim()
+            .object({
-          })
+              ipAddress: z.string().trim()
-          .array()
+            })
-          .min(1)
+            .array()
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .min(1)
-          .describe(GCP_AUTH.ATTACH.accessTokenTrustedIps),
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-        accessTokenTTL: z
+            .describe(GCP_AUTH.ATTACH.accessTokenTrustedIps),
-          .number()
+          accessTokenTTL: z
-          .int()
+            .number()
-          .min(1)
+            .int()
-          .max(315360000)
+            .min(0)
-          .refine((value) => value !== 0, {
+            .max(315360000)
-            message: "accessTokenTTL must have a non zero number"
+            .default(2592000)
-          })
+            .describe(GCP_AUTH.ATTACH.accessTokenTTL),
-          .default(2592000)
+          accessTokenMaxTTL: z
-          .describe(GCP_AUTH.ATTACH.accessTokenTTL),
+            .number()
-        accessTokenMaxTTL: z
+            .int()
-          .number()
+            .min(0)
-          .int()
+            .max(315360000)
-          .max(315360000)
+            .default(2592000)
-          .refine((value) => value !== 0, {
+            .describe(GCP_AUTH.ATTACH.accessTokenMaxTTL),
-            message: "accessTokenMaxTTL must have a non zero number"
+          accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(GCP_AUTH.ATTACH.accessTokenNumUsesLimit)
-          })
+        })
-          .default(2592000)
+        .refine(
-          .describe(GCP_AUTH.ATTACH.accessTokenMaxTTL),
+          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(GCP_AUTH.ATTACH.accessTokenNumUsesLimit)
+          "Access Token TTL cannot be greater than Access Token Max TTL."
-      }),
+        ),
      response: {
        200: z.object({
          identityGcpAuth: IdentityGcpAuthsSchema
@@ -164,31 +164,34 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
      params: z.object({
        identityId: z.string().trim().describe(GCP_AUTH.UPDATE.identityId)
      }),
-      body: z.object({
+      body: z
-        type: z.enum(["iam", "gce"]).optional(),
+        .object({
-        allowedServiceAccounts: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedServiceAccounts),
+          type: z.enum(["iam", "gce"]).optional(),
-        allowedProjects: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedProjects),
+          allowedServiceAccounts: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedServiceAccounts),
-        allowedZones: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedZones),
+          allowedProjects: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedProjects),
-        accessTokenTrustedIps: z
+          allowedZones: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedZones),
-          .object({
+          accessTokenTrustedIps: z
-            ipAddress: z.string().trim()
+            .object({
-          })
+              ipAddress: z.string().trim()
-          .array()
+            })
-          .min(1)
+            .array()
-          .optional()
+            .min(1)
-          .describe(GCP_AUTH.UPDATE.accessTokenTrustedIps),
+            .optional()
-        accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(GCP_AUTH.UPDATE.accessTokenTTL),
+            .describe(GCP_AUTH.UPDATE.accessTokenTrustedIps),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(GCP_AUTH.UPDATE.accessTokenNumUsesLimit),
+          accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(GCP_AUTH.UPDATE.accessTokenTTL),
-        accessTokenMaxTTL: z
+          accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(GCP_AUTH.UPDATE.accessTokenNumUsesLimit),
-          .number()
+          accessTokenMaxTTL: z
-          .int()
+            .number()
-          .max(315360000)
+            .int()
-          .refine((value) => value !== 0, {
+            .min(0)
-            message: "accessTokenMaxTTL must have a non zero number"
+            .max(315360000)
-          })
+            .optional()
-          .optional()
+            .describe(GCP_AUTH.UPDATE.accessTokenMaxTTL)
-          .describe(GCP_AUTH.UPDATE.accessTokenMaxTTL)
+        })
-      }),
+        .refine(
          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
          "Access Token TTL cannot be greater than Access Token Max TTL."
        ),
      response: {
        200: z.object({
          identityGcpAuth: IdentityGcpAuthsSchema
--- a/backend/src/server/routes/v1/identity-jwt-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-jwt-auth-router.ts
@@ -34,23 +34,12 @@ const CreateBaseSchema = z.object({
    .min(1)
    .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
    .describe(JWT_AUTH.ATTACH.accessTokenTrustedIps),
-  accessTokenTTL: z
+  accessTokenTTL: z.number().int().min(0).max(315360000).default(2592000).describe(JWT_AUTH.ATTACH.accessTokenTTL),
    .number()
    .int()
    .min(1)
    .max(315360000)
    .refine((value) => value !== 0, {
      message: "accessTokenTTL must have a non zero number"
    })
    .default(2592000)
    .describe(JWT_AUTH.ATTACH.accessTokenTTL),
  accessTokenMaxTTL: z
    .number()
    .int()
    .min(0)
    .max(315360000)
    .refine((value) => value !== 0, {
      message: "accessTokenMaxTTL must have a non zero number"
    })
    .default(2592000)
    .describe(JWT_AUTH.ATTACH.accessTokenMaxTTL),
  accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(JWT_AUTH.ATTACH.accessTokenNumUsesLimit)
@@ -70,23 +59,12 @@ const UpdateBaseSchema = z
      .min(1)
      .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
      .describe(JWT_AUTH.UPDATE.accessTokenTrustedIps),
-    accessTokenTTL: z
+    accessTokenTTL: z.number().int().min(0).max(315360000).default(2592000).describe(JWT_AUTH.UPDATE.accessTokenTTL),
      .number()
      .int()
      .min(1)
      .max(315360000)
      .refine((value) => value !== 0, {
        message: "accessTokenTTL must have a non zero number"
      })
      .default(2592000)
      .describe(JWT_AUTH.UPDATE.accessTokenTTL),
    accessTokenMaxTTL: z
      .number()
      .int()
      .min(0)
      .max(315360000)
      .refine((value) => value !== 0, {
        message: "accessTokenMaxTTL must have a non zero number"
      })
      .default(2592000)
      .describe(JWT_AUTH.UPDATE.accessTokenMaxTTL),
    accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(JWT_AUTH.UPDATE.accessTokenNumUsesLimit)
--- a/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts
@@ -87,47 +87,47 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
      params: z.object({
        identityId: z.string().trim().describe(KUBERNETES_AUTH.ATTACH.identityId)
      }),
-      body: z.object({
+      body: z
-        kubernetesHost: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.kubernetesHost),
+        .object({
-        caCert: z.string().trim().default("").describe(KUBERNETES_AUTH.ATTACH.caCert),
+          kubernetesHost: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.kubernetesHost),
-        tokenReviewerJwt: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.tokenReviewerJwt),
+          caCert: z.string().trim().default("").describe(KUBERNETES_AUTH.ATTACH.caCert),
-        allowedNamespaces: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNamespaces), // TODO: validation
+          tokenReviewerJwt: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.tokenReviewerJwt),
-        allowedNames: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNames),
+          allowedNamespaces: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNamespaces), // TODO: validation
-        allowedAudience: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedAudience),
+          allowedNames: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNames),
-        accessTokenTrustedIps: z
+          allowedAudience: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedAudience),
-          .object({
+          accessTokenTrustedIps: z
-            ipAddress: z.string().trim()
+            .object({
-          })
+              ipAddress: z.string().trim()
-          .array()
+            })
-          .min(1)
+            .array()
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .min(1)
-          .describe(KUBERNETES_AUTH.ATTACH.accessTokenTrustedIps),
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-        accessTokenTTL: z
+            .describe(KUBERNETES_AUTH.ATTACH.accessTokenTrustedIps),
-          .number()
+          accessTokenTTL: z
-          .int()
+            .number()
-          .min(1)
+            .int()
-          .max(315360000)
+            .min(0)
-          .refine((value) => value !== 0, {
+            .max(315360000)
-            message: "accessTokenTTL must have a non zero number"
+            .default(2592000)
-          })
+            .describe(KUBERNETES_AUTH.ATTACH.accessTokenTTL),
-          .default(2592000)
+          accessTokenMaxTTL: z
-          .describe(KUBERNETES_AUTH.ATTACH.accessTokenTTL),
+            .number()
-        accessTokenMaxTTL: z
+            .int()
-          .number()
+            .min(0)
-          .int()
+            .max(315360000)
-          .max(315360000)
+            .default(2592000)
-          .refine((value) => value !== 0, {
+            .describe(KUBERNETES_AUTH.ATTACH.accessTokenMaxTTL),
-            message: "accessTokenMaxTTL must have a non zero number"
+          accessTokenNumUsesLimit: z
-          })
+            .number()
-          .default(2592000)
+            .int()
-          .describe(KUBERNETES_AUTH.ATTACH.accessTokenMaxTTL),
+            .min(0)
-        accessTokenNumUsesLimit: z
+            .default(0)
-          .number()
+            .describe(KUBERNETES_AUTH.ATTACH.accessTokenNumUsesLimit)
-          .int()
+        })
-          .min(0)
+        .refine(
-          .default(0)
+          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
-          .describe(KUBERNETES_AUTH.ATTACH.accessTokenNumUsesLimit)
+          "Access Token TTL cannot be greater than Access Token Max TTL."
-      }),
+        ),
      response: {
        200: z.object({
          identityKubernetesAuth: IdentityKubernetesAuthResponseSchema
@@ -183,44 +183,47 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
      params: z.object({
        identityId: z.string().describe(KUBERNETES_AUTH.UPDATE.identityId)
      }),
-      body: z.object({
+      body: z
-        kubernetesHost: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.kubernetesHost),
+        .object({
-        caCert: z.string().trim().optional().describe(KUBERNETES_AUTH.UPDATE.caCert),
+          kubernetesHost: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.kubernetesHost),
-        tokenReviewerJwt: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.tokenReviewerJwt),
+          caCert: z.string().trim().optional().describe(KUBERNETES_AUTH.UPDATE.caCert),
-        allowedNamespaces: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNamespaces), // TODO: validation
+          tokenReviewerJwt: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.tokenReviewerJwt),
-        allowedNames: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNames),
+          allowedNamespaces: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNamespaces), // TODO: validation
-        allowedAudience: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedAudience),
+          allowedNames: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNames),
-        accessTokenTrustedIps: z
+          allowedAudience: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedAudience),
-          .object({
+          accessTokenTrustedIps: z
-            ipAddress: z.string().trim()
+            .object({
-          })
+              ipAddress: z.string().trim()
-          .array()
+            })
-          .min(1)
+            .array()
-          .optional()
+            .min(1)
-          .describe(KUBERNETES_AUTH.UPDATE.accessTokenTrustedIps),
+            .optional()
-        accessTokenTTL: z
+            .describe(KUBERNETES_AUTH.UPDATE.accessTokenTrustedIps),
-          .number()
+          accessTokenTTL: z
-          .int()
+            .number()
-          .min(0)
+            .int()
-          .max(315360000)
+            .min(0)
-          .optional()
+            .max(315360000)
-          .describe(KUBERNETES_AUTH.UPDATE.accessTokenTTL),
+            .optional()
-        accessTokenNumUsesLimit: z
+            .describe(KUBERNETES_AUTH.UPDATE.accessTokenTTL),
-          .number()
+          accessTokenNumUsesLimit: z
-          .int()
+            .number()
-          .min(0)
+            .int()
-          .optional()
+            .min(0)
-          .describe(KUBERNETES_AUTH.UPDATE.accessTokenNumUsesLimit),
+            .optional()
-        accessTokenMaxTTL: z
+            .describe(KUBERNETES_AUTH.UPDATE.accessTokenNumUsesLimit),
-          .number()
+          accessTokenMaxTTL: z
-          .int()
+            .number()
-          .max(315360000)
+            .int()
-          .refine((value) => value !== 0, {
+            .min(0)
-            message: "accessTokenMaxTTL must have a non zero number"
+            .max(315360000)
-          })
+            .optional()
-          .optional()
+            .describe(KUBERNETES_AUTH.UPDATE.accessTokenMaxTTL)
-          .describe(KUBERNETES_AUTH.UPDATE.accessTokenMaxTTL)
+        })
-      }),
+        .refine(
          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
          "Access Token TTL cannot be greater than Access Token Max TTL."
        ),
      response: {
        200: z.object({
          identityKubernetesAuth: IdentityKubernetesAuthResponseSchema
--- a/backend/src/server/routes/v1/identity-oidc-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-oidc-auth-router.ts
@@ -87,42 +87,42 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
      params: z.object({
        identityId: z.string().trim().describe(OIDC_AUTH.ATTACH.identityId)
      }),
-      body: z.object({
+      body: z
-        oidcDiscoveryUrl: z.string().url().min(1).describe(OIDC_AUTH.ATTACH.oidcDiscoveryUrl),
+        .object({
-        caCert: z.string().trim().default("").describe(OIDC_AUTH.ATTACH.caCert),
+          oidcDiscoveryUrl: z.string().url().min(1).describe(OIDC_AUTH.ATTACH.oidcDiscoveryUrl),
-        boundIssuer: z.string().min(1).describe(OIDC_AUTH.ATTACH.boundIssuer),
+          caCert: z.string().trim().default("").describe(OIDC_AUTH.ATTACH.caCert),
-        boundAudiences: validateOidcAuthAudiencesField.describe(OIDC_AUTH.ATTACH.boundAudiences),
+          boundIssuer: z.string().min(1).describe(OIDC_AUTH.ATTACH.boundIssuer),
-        boundClaims: validateOidcBoundClaimsField.describe(OIDC_AUTH.ATTACH.boundClaims),
+          boundAudiences: validateOidcAuthAudiencesField.describe(OIDC_AUTH.ATTACH.boundAudiences),
-        boundSubject: z.string().optional().default("").describe(OIDC_AUTH.ATTACH.boundSubject),
+          boundClaims: validateOidcBoundClaimsField.describe(OIDC_AUTH.ATTACH.boundClaims),
-        accessTokenTrustedIps: z
+          boundSubject: z.string().optional().default("").describe(OIDC_AUTH.ATTACH.boundSubject),
-          .object({
+          accessTokenTrustedIps: z
-            ipAddress: z.string().trim()
+            .object({
-          })
+              ipAddress: z.string().trim()
-          .array()
+            })
-          .min(1)
+            .array()
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .min(1)
-          .describe(OIDC_AUTH.ATTACH.accessTokenTrustedIps),
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-        accessTokenTTL: z
+            .describe(OIDC_AUTH.ATTACH.accessTokenTrustedIps),
-          .number()
+          accessTokenTTL: z
-          .int()
+            .number()
-          .min(1)
+            .int()
-          .max(315360000)
+            .min(0)
-          .refine((value) => value !== 0, {
+            .max(315360000)
-            message: "accessTokenTTL must have a non zero number"
+            .default(2592000)
-          })
+            .describe(OIDC_AUTH.ATTACH.accessTokenTTL),
-          .default(2592000)
+          accessTokenMaxTTL: z
-          .describe(OIDC_AUTH.ATTACH.accessTokenTTL),
+            .number()
-        accessTokenMaxTTL: z
+            .int()
-          .number()
+            .min(0)
-          .int()
+            .max(315360000)
-          .max(315360000)
+            .default(2592000)
-          .refine((value) => value !== 0, {
+            .describe(OIDC_AUTH.ATTACH.accessTokenMaxTTL),
-            message: "accessTokenMaxTTL must have a non zero number"
+          accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(OIDC_AUTH.ATTACH.accessTokenNumUsesLimit)
-          })
+        })
-          .default(2592000)
+        .refine(
-          .describe(OIDC_AUTH.ATTACH.accessTokenMaxTTL),
+          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(OIDC_AUTH.ATTACH.accessTokenNumUsesLimit)
+          "Access Token TTL cannot be greater than Access Token Max TTL."
-      }),
+        ),
      response: {
        200: z.object({
          identityOidcAuth: IdentityOidcAuthResponseSchema
@@ -202,26 +202,24 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
          accessTokenTTL: z
            .number()
            .int()
-            .min(1)
+            .min(0)
            .max(315360000)
            .refine((value) => value !== 0, {
              message: "accessTokenTTL must have a non zero number"
            })
            .default(2592000)
            .describe(OIDC_AUTH.UPDATE.accessTokenTTL),
          accessTokenMaxTTL: z
            .number()
            .int()
            .min(0)
            .max(315360000)
            .refine((value) => value !== 0, {
              message: "accessTokenMaxTTL must have a non zero number"
            })
            .default(2592000)
            .describe(OIDC_AUTH.UPDATE.accessTokenMaxTTL),
          accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(OIDC_AUTH.UPDATE.accessTokenNumUsesLimit)
        })
-        .partial(),
+        .partial()
        .refine(
          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
          "Access Token TTL cannot be greater than Access Token Max TTL."
        ),
      response: {
        200: z.object({
          identityOidcAuth: IdentityOidcAuthResponseSchema
--- a/backend/src/server/routes/v1/identity-token-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-token-auth-router.ts
@@ -26,36 +26,41 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
      params: z.object({
        identityId: z.string().trim().describe(TOKEN_AUTH.ATTACH.identityId)
      }),
-      body: z.object({
+      body: z
-        accessTokenTrustedIps: z
+        .object({
-          .object({
+          accessTokenTrustedIps: z
-            ipAddress: z.string().trim()
+            .object({
-          })
+              ipAddress: z.string().trim()
-          .array()
+            })
-          .min(1)
+            .array()
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .min(1)
-          .describe(TOKEN_AUTH.ATTACH.accessTokenTrustedIps),
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-        accessTokenTTL: z
+            .describe(TOKEN_AUTH.ATTACH.accessTokenTrustedIps),
-          .number()
+          accessTokenTTL: z
-          .int()
+            .number()
-          .min(1)
+            .int()
-          .max(315360000)
+            .min(0)
-          .refine((value) => value !== 0, {
+            .max(315360000)
-            message: "accessTokenTTL must have a non zero number"
+            .default(2592000)
-          })
+            .describe(TOKEN_AUTH.ATTACH.accessTokenTTL),
-          .default(2592000)
+          accessTokenMaxTTL: z
-          .describe(TOKEN_AUTH.ATTACH.accessTokenTTL),
+            .number()
-        accessTokenMaxTTL: z
+            .int()
-          .number()
+            .min(0)
-          .int()
+            .max(315360000)
-          .max(315360000)
+            .default(2592000)
-          .refine((value) => value !== 0, {
+            .describe(TOKEN_AUTH.ATTACH.accessTokenMaxTTL),
-            message: "accessTokenMaxTTL must have a non zero number"
+          accessTokenNumUsesLimit: z
-          })
+            .number()
-          .default(2592000)
+            .int()
-          .describe(TOKEN_AUTH.ATTACH.accessTokenMaxTTL),
+            .min(0)
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(TOKEN_AUTH.ATTACH.accessTokenNumUsesLimit)
+            .default(0)
-      }),
+            .describe(TOKEN_AUTH.ATTACH.accessTokenNumUsesLimit)
        })
        .refine(
          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
          "Access Token TTL cannot be greater than Access Token Max TTL."
        ),
      response: {
        200: z.object({
          identityTokenAuth: IdentityTokenAuthsSchema
@@ -110,27 +115,35 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
      params: z.object({
        identityId: z.string().trim().describe(TOKEN_AUTH.UPDATE.identityId)
      }),
-      body: z.object({
+      body: z
-        accessTokenTrustedIps: z
+        .object({
-          .object({
+          accessTokenTrustedIps: z
-            ipAddress: z.string().trim()
+            .object({
-          })
+              ipAddress: z.string().trim()
-          .array()
+            })
-          .min(1)
+            .array()
-          .optional()
+            .min(1)
-          .describe(TOKEN_AUTH.UPDATE.accessTokenTrustedIps),
+            .optional()
-        accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(TOKEN_AUTH.UPDATE.accessTokenTTL),
+            .describe(TOKEN_AUTH.UPDATE.accessTokenTrustedIps),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(TOKEN_AUTH.UPDATE.accessTokenNumUsesLimit),
+          accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(TOKEN_AUTH.UPDATE.accessTokenTTL),
-        accessTokenMaxTTL: z
+          accessTokenNumUsesLimit: z
-          .number()
+            .number()
-          .int()
+            .int()
-          .max(315360000)
+            .min(0)
-          .refine((value) => value !== 0, {
+            .optional()
-            message: "accessTokenMaxTTL must have a non zero number"
+            .describe(TOKEN_AUTH.UPDATE.accessTokenNumUsesLimit),
-          })
+          accessTokenMaxTTL: z
-          .optional()
+            .number()
-          .describe(TOKEN_AUTH.UPDATE.accessTokenMaxTTL)
+            .int()
-      }),
+            .min(0)
            .max(315360000)
            .optional()
            .describe(TOKEN_AUTH.UPDATE.accessTokenMaxTTL)
        })
        .refine(
          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
          "Access Token TTL cannot be greater than Access Token Max TTL."
        ),
      response: {
        200: z.object({
          identityTokenAuth: IdentityTokenAuthsSchema
--- a/backend/src/server/routes/v1/identity-universal-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-universal-auth-router.ts
@@ -86,49 +86,49 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      params: z.object({
        identityId: z.string().trim().describe(UNIVERSAL_AUTH.ATTACH.identityId)
      }),
-      body: z.object({
+      body: z
-        clientSecretTrustedIps: z
+        .object({
-          .object({
+          clientSecretTrustedIps: z
-            ipAddress: z.string().trim()
+            .object({
-          })
+              ipAddress: z.string().trim()
-          .array()
+            })
-          .min(1)
+            .array()
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .min(1)
-          .describe(UNIVERSAL_AUTH.ATTACH.clientSecretTrustedIps),
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-        accessTokenTrustedIps: z
+            .describe(UNIVERSAL_AUTH.ATTACH.clientSecretTrustedIps),
-          .object({
+          accessTokenTrustedIps: z
-            ipAddress: z.string().trim()
+            .object({
-          })
+              ipAddress: z.string().trim()
-          .array()
+            })
-          .min(1)
+            .array()
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .min(1)
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTrustedIps),
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-        accessTokenTTL: z
+            .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTrustedIps),
-          .number()
+          accessTokenTTL: z
-          .int()
+            .number()
-          .min(1)
+            .int()
-          .max(315360000)
+            .min(0)
-          .refine((value) => value !== 0, {
+            .max(315360000)
-            message: "accessTokenTTL must have a non zero number"
+            .default(2592000)
-          })
+            .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTTL), // 30 days
-          .default(2592000)
+          accessTokenMaxTTL: z
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTTL), // 30 days
+            .number()
-        accessTokenMaxTTL: z
+            .int()
-          .number()
+            .min(0)
-          .int()
+            .max(315360000)
-          .max(315360000)
+            .default(2592000)
-          .refine((value) => value !== 0, {
+            .describe(UNIVERSAL_AUTH.ATTACH.accessTokenMaxTTL), // 30 days
-            message: "accessTokenMaxTTL must have a non zero number"
+          accessTokenNumUsesLimit: z
-          })
+            .number()
-          .default(2592000)
+            .int()
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenMaxTTL), // 30 days
+            .min(0)
-        accessTokenNumUsesLimit: z
+            .default(0)
-          .number()
+            .describe(UNIVERSAL_AUTH.ATTACH.accessTokenNumUsesLimit)
-          .int()
+        })
-          .min(0)
+        .refine(
-          .default(0)
+          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenNumUsesLimit)
+          "Access Token TTL cannot be greater than Access Token Max TTL."
-      }),
+        ),
      response: {
        200: z.object({
          identityUniversalAuth: IdentityUniversalAuthsSchema
@@ -181,46 +181,49 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      params: z.object({
        identityId: z.string().describe(UNIVERSAL_AUTH.UPDATE.identityId)
      }),
-      body: z.object({
+      body: z
-        clientSecretTrustedIps: z
+        .object({
-          .object({
+          clientSecretTrustedIps: z
-            ipAddress: z.string().trim()
+            .object({
-          })
+              ipAddress: z.string().trim()
-          .array()
+            })
-          .min(1)
+            .array()
-          .optional()
+            .min(1)
-          .describe(UNIVERSAL_AUTH.UPDATE.clientSecretTrustedIps),
+            .optional()
-        accessTokenTrustedIps: z
+            .describe(UNIVERSAL_AUTH.UPDATE.clientSecretTrustedIps),
-          .object({
+          accessTokenTrustedIps: z
-            ipAddress: z.string().trim()
+            .object({
-          })
+              ipAddress: z.string().trim()
-          .array()
+            })
-          .min(1)
+            .array()
-          .optional()
+            .min(1)
-          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenTrustedIps),
+            .optional()
-        accessTokenTTL: z
+            .describe(UNIVERSAL_AUTH.UPDATE.accessTokenTrustedIps),
-          .number()
+          accessTokenTTL: z
-          .int()
+            .number()
-          .min(0)
+            .int()
-          .max(315360000)
+            .min(0)
-          .optional()
+            .max(315360000)
-          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenTTL),
+            .optional()
-        accessTokenNumUsesLimit: z
+            .describe(UNIVERSAL_AUTH.UPDATE.accessTokenTTL),
-          .number()
+          accessTokenNumUsesLimit: z
-          .int()
+            .number()
-          .min(0)
+            .int()
-          .optional()
+            .min(0)
-          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenNumUsesLimit),
+            .optional()
-        accessTokenMaxTTL: z
+            .describe(UNIVERSAL_AUTH.UPDATE.accessTokenNumUsesLimit),
-          .number()
+          accessTokenMaxTTL: z
-          .int()
+            .number()
-          .max(315360000)
+            .int()
-          .refine((value) => value !== 0, {
+            .min(0)
-            message: "accessTokenMaxTTL must have a non zero number"
+            .max(315360000)
-          })
+            .optional()
-          .optional()
+            .describe(UNIVERSAL_AUTH.UPDATE.accessTokenMaxTTL)
-          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenMaxTTL)
+        })
-      }),
+        .refine(
          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
          "Access Token TTL cannot be greater than Access Token Max TTL."
        ),
      response: {
        200: z.object({
          identityUniversalAuth: IdentityUniversalAuthsSchema
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,3 @@`
							`import { z } from "zod";`

							`export const isUuidV4 = (uuid: string) => z.string().uuid().safeParse(uuid).success;`