Merge branch 'misc/privilege-management-v2-transition' of https://github.com/Infisical/infisical into misc/privilege-management-v2-transition

misc: added no access exemption
misc: finalized docs
2025-08-31 15:32:32 +00:00 · 2025-03-27 13:26:57 +08:00 · 2025-03-27 13:26:30 +08:00 · 2025-03-27 04:54:19 +00:00 · 2025-03-27 12:17:36 +08:00 · 2025-03-26 21:41:07 -04:00
357 changed files with 11411 additions and 1956 deletions
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -31,7 +31,7 @@
        "@fastify/swagger-ui": "^2.1.0",
        "@google-cloud/kms": "^4.5.0",
        "@infisical/quic": "^1.0.8",
-        "@node-saml/passport-saml": "^4.0.4",
+        "@node-saml/passport-saml": "^5.0.1",
        "@octokit/auth-app": "^7.1.1",
        "@octokit/plugin-retry": "^5.0.5",
        "@octokit/rest": "^20.0.2",
@@ -6747,32 +6747,35 @@
      }
    },
    "node_modules/@node-saml/node-saml": {
-      "version": "4.0.5",
-      "resolved": "https://registry.npmjs.org/@node-saml/node-saml/-/node-saml-4.0.5.tgz",
-      "integrity": "sha512-J5DglElbY1tjOuaR1NPtjOXkXY5bpUhDoKVoeucYN98A3w4fwgjIOPqIGcb6cQsqFq2zZ6vTCeKn5C/hvefSaw==",
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/@node-saml/node-saml/-/node-saml-5.0.1.tgz",
+      "integrity": "sha512-YQzFPEC+CnsfO9AFYnwfYZKIzOLx3kITaC1HrjHVLTo6hxcQhc+LgHODOMvW4VCV95Gwrz1MshRUWCPzkDqmnA==",
+      "license": "MIT",
      "dependencies": {
-        "@types/debug": "^4.1.7",
-        "@types/passport": "^1.0.11",
-        "@types/xml-crypto": "^1.4.2",
-        "@types/xml-encryption": "^1.2.1",
-        "@types/xml2js": "^0.4.11",
-        "@xmldom/xmldom": "^0.8.6",
+        "@types/debug": "^4.1.12",
+        "@types/qs": "^6.9.11",
+        "@types/xml-encryption": "^1.2.4",
+        "@types/xml2js": "^0.4.14",
+        "@xmldom/is-dom-node": "^1.0.1",
+        "@xmldom/xmldom": "^0.8.10",
        "debug": "^4.3.4",
-        "xml-crypto": "^3.0.1",
+        "xml-crypto": "^6.0.1",
        "xml-encryption": "^3.0.2",
-        "xml2js": "^0.5.0",
-        "xmlbuilder": "^15.1.1"
+        "xml2js": "^0.6.2",
+        "xmlbuilder": "^15.1.1",
+        "xpath": "^0.0.34"
      },
      "engines": {
-        "node": ">= 14"
+        "node": ">= 18"
      }
    },
    "node_modules/@node-saml/node-saml/node_modules/debug": {
-      "version": "4.3.4",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
-      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+      "version": "4.4.0",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz",
+      "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==",
+      "license": "MIT",
      "dependencies": {
-        "ms": "2.1.2"
+        "ms": "^2.1.3"
      },
      "engines": {
        "node": ">=6.0"
@@ -6783,25 +6786,43 @@
        }
      }
    },
-    "node_modules/@node-saml/node-saml/node_modules/ms": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
-      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+    "node_modules/@node-saml/node-saml/node_modules/xml2js": {
+      "version": "0.6.2",
+      "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.6.2.tgz",
+      "integrity": "sha512-T4rieHaC1EXcES0Kxxj4JWgaUQHDk+qwHcYOCFHfiwKz7tOVPLq7Hjq9dM1WCMhylqMEfP7hMcOIChvotiZegA==",
+      "license": "MIT",
+      "dependencies": {
+        "sax": ">=0.6.0",
+        "xmlbuilder": "~11.0.0"
+      },
+      "engines": {
+        "node": ">=4.0.0"
+      }
+    },
+    "node_modules/@node-saml/node-saml/node_modules/xml2js/node_modules/xmlbuilder": {
+      "version": "11.0.1",
+      "resolved": "https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-11.0.1.tgz",
+      "integrity": "sha512-fDlsI/kFEx7gLvbecc0/ohLG50fugQp8ryHzMTuW9vSa1GJ0XYWKnhsUx7oie3G98+r56aTQIUB4kht42R3JvA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=4.0"
+      }
    },
    "node_modules/@node-saml/passport-saml": {
-      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/@node-saml/passport-saml/-/passport-saml-4.0.4.tgz",
-      "integrity": "sha512-xFw3gw0yo+K1mzlkW15NeBF7cVpRHN/4vpjmBKzov5YFImCWh/G0LcTZ8krH3yk2/eRPc3Or8LRPudVJBjmYaw==",
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/@node-saml/passport-saml/-/passport-saml-5.0.1.tgz",
+      "integrity": "sha512-fMztg3zfSnjLEgxvpl6HaDMNeh0xeQX4QHiF9e2Lsie2dc4qFE37XYbQZhVmn8XJ2awPpSWLQ736UskYgGU8lQ==",
+      "license": "MIT",
      "dependencies": {
-        "@node-saml/node-saml": "^4.0.4",
-        "@types/express": "^4.17.14",
-        "@types/passport": "^1.0.11",
-        "@types/passport-strategy": "^0.2.35",
-        "passport": "^0.6.0",
+        "@node-saml/node-saml": "^5.0.1",
+        "@types/express": "^4.17.21",
+        "@types/passport": "^1.0.16",
+        "@types/passport-strategy": "^0.2.38",
+        "passport": "^0.7.0",
        "passport-strategy": "^1.0.0"
      },
      "engines": {
-        "node": ">= 14"
+        "node": ">= 18"
      }
    },
    "node_modules/@nodelib/fs.scandir": {
@@ -9606,6 +9627,7 @@
      "version": "4.1.12",
      "resolved": "https://registry.npmjs.org/@types/debug/-/debug-4.1.12.tgz",
      "integrity": "sha512-vIChWdVG3LG1SMxEvI/AK+FWJthlrqlTu7fbrlywTkkaONwk/UAGaULXRlf8vkzFBLVm0zkMdCquhL5aOjhXPQ==",
+      "license": "MIT",
      "dependencies": {
        "@types/ms": "*"
      }
@@ -9725,9 +9747,10 @@
      "integrity": "sha512-/pyBZWSLD2n0dcHE3hq8s8ZvcETHtEuF+3E7XVt0Ig2nvsVQXdghHVcEkIWjy9A0wKfTn97a/PSDYohKIlnP/w=="
    },
    "node_modules/@types/ms": {
-      "version": "0.7.34",
-      "resolved": "https://registry.npmjs.org/@types/ms/-/ms-0.7.34.tgz",
-      "integrity": "sha512-nG96G3Wp6acyAgJqGasjODb+acrI7KltPiRxzHPXnP3NgI28bpQDRv53olbqGXbfcgF5aiiHmO3xpwEpS5Ld9g=="
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/@types/ms/-/ms-2.1.0.tgz",
+      "integrity": "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==",
+      "license": "MIT"
    },
    "node_modules/@types/node": {
      "version": "20.9.5",
@@ -9907,9 +9930,10 @@
      "dev": true
    },
    "node_modules/@types/qs": {
-      "version": "6.9.10",
-      "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.9.10.tgz",
-      "integrity": "sha512-3Gnx08Ns1sEoCrWssEgTSJs/rsT2vhGP+Ja9cnnk9k4ALxinORlQneLXFeFKOTJMOeZUFD1s7w+w2AphTpvzZw=="
+      "version": "6.9.18",
+      "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.9.18.tgz",
+      "integrity": "sha512-kK7dgTYDyGqS+e2Q4aK9X3D7q234CIZ1Bv0q/7Z5IwRDoADNU81xXJK/YVyLbLTZCoIwUoDoffFeF+p/eIklAA==",
+      "license": "MIT"
    },
    "node_modules/@types/range-parser": {
      "version": "1.2.7",
@@ -10058,19 +10082,11 @@
        "@types/webidl-conversions": "*"
      }
    },
-    "node_modules/@types/xml-crypto": {
-      "version": "1.4.6",
-      "resolved": "https://registry.npmjs.org/@types/xml-crypto/-/xml-crypto-1.4.6.tgz",
-      "integrity": "sha512-A6jEW2FxLZo1CXsRWnZHUX2wzR3uDju2Bozt6rDbSmU/W8gkilaVbwFEVN0/NhnUdMVzwYobWtM6bU1QJJFb7Q==",
-      "dependencies": {
-        "@types/node": "*",
-        "xpath": "0.0.27"
-      }
-    },
    "node_modules/@types/xml-encryption": {
      "version": "1.2.4",
      "resolved": "https://registry.npmjs.org/@types/xml-encryption/-/xml-encryption-1.2.4.tgz",
      "integrity": "sha512-I69K/WW1Dv7j6O3jh13z0X8sLWJRXbu5xnHDl9yHzUNDUBtUoBY058eb5s+x/WG6yZC1h8aKdI2EoyEPjyEh+Q==",
+      "license": "MIT",
      "dependencies": {
        "@types/node": "*"
      }
@@ -10079,6 +10095,7 @@
      "version": "0.4.14",
      "resolved": "https://registry.npmjs.org/@types/xml2js/-/xml2js-0.4.14.tgz",
      "integrity": "sha512-4YnrRemBShWRO2QjvUin8ESA41rH+9nQGLUGZV/1IDhi3SL9OhdpNC/MrulTWuptXKwhx/aDxE7toV0f/ypIXQ==",
+      "license": "MIT",
      "dependencies": {
        "@types/node": "*"
      }
@@ -10522,10 +10539,20 @@
        "url": "https://opencollective.com/vitest"
      }
    },
+    "node_modules/@xmldom/is-dom-node": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@xmldom/is-dom-node/-/is-dom-node-1.0.1.tgz",
+      "integrity": "sha512-CJDxIgE5I0FH+ttq/Fxy6nRpxP70+e2O048EPe85J2use3XKdatVM7dDVvFNjQudd9B49NPoZ+8PG49zj4Er8Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 16"
+      }
+    },
    "node_modules/@xmldom/xmldom": {
      "version": "0.8.10",
      "resolved": "https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.8.10.tgz",
      "integrity": "sha512-2WALfTl4xo2SkGCYRt6rDTFfk9R1czmBvUQy12gK2KuRKIpWEhcbbzy8EZXtz/jkRqHX8bFEc6FC1HjX4TUWYw==",
+      "license": "MIT",
      "engines": {
        "node": ">=10.0.0"
      }
@@ -18222,9 +18249,10 @@
      }
    },
    "node_modules/passport": {
-      "version": "0.6.0",
-      "resolved": "https://registry.npmjs.org/passport/-/passport-0.6.0.tgz",
-      "integrity": "sha512-0fe+p3ZnrWRW74fe8+SvCyf4a3Pb2/h7gFkQ8yTJpAO50gDzlfjZUZTO1k5Eg9kUct22OxHLqDZoKUWRHOh9ug==",
+      "version": "0.7.0",
+      "resolved": "https://registry.npmjs.org/passport/-/passport-0.7.0.tgz",
+      "integrity": "sha512-cPLl+qZpSc+ireUvt+IzqbED1cHHkDoVYMo30jbJIdOOjQ1MQYZBPiNvmi8UM6lJuOpTPXJGZQk0DtC4y61MYQ==",
+      "license": "MIT",
      "dependencies": {
        "passport-strategy": "1.x.x",
        "pause": "0.0.1",
@@ -23692,42 +23720,44 @@
      }
    },
    "node_modules/xml-crypto": {
-      "version": "3.2.0",
-      "resolved": "https://registry.npmjs.org/xml-crypto/-/xml-crypto-3.2.0.tgz",
-      "integrity": "sha512-qVurBUOQrmvlgmZqIVBqmb06TD2a/PpEUfFPgD7BuBfjmoH4zgkqaWSIJrnymlCvM2GGt9x+XtJFA+ttoAufqg==",
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/xml-crypto/-/xml-crypto-6.0.1.tgz",
+      "integrity": "sha512-v05aU7NS03z4jlZ0iZGRFeZsuKO1UfEbbYiaeRMiATBFs6Jq9+wqKquEMTn4UTrYZ9iGD8yz3KT4L9o2iF682w==",
+      "license": "MIT",
      "dependencies": {
-        "@xmldom/xmldom": "^0.8.8",
-        "xpath": "0.0.32"
+        "@xmldom/is-dom-node": "^1.0.1",
+        "@xmldom/xmldom": "^0.8.10",
+        "xpath": "^0.0.33"
      },
      "engines": {
-        "node": ">=4.0.0"
+        "node": ">=16"
      }
    },
    "node_modules/xml-crypto/node_modules/xpath": {
-      "version": "0.0.32",
-      "resolved": "https://registry.npmjs.org/xpath/-/xpath-0.0.32.tgz",
-      "integrity": "sha512-rxMJhSIoiO8vXcWvSifKqhvV96GjiD5wYb8/QHdoRyQvraTpp4IEv944nhGausZZ3u7dhQXteZuZbaqfpB7uYw==",
+      "version": "0.0.33",
+      "resolved": "https://registry.npmjs.org/xpath/-/xpath-0.0.33.tgz",
+      "integrity": "sha512-NNXnzrkDrAzalLhIUc01jO2mOzXGXh1JwPgkihcLLzw98c0WgYDmmjSh1Kl3wzaxSVWMuA+fe0WTWOBDWCBmNA==",
+      "license": "MIT",
      "engines": {
        "node": ">=0.6.0"
      }
    },
    "node_modules/xml-encryption": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/xml-encryption/-/xml-encryption-3.0.2.tgz",
-      "integrity": "sha512-VxYXPvsWB01/aqVLd6ZMPWZ+qaj0aIdF+cStrVJMcFj3iymwZeI0ABzB3VqMYv48DkSpRhnrXqTUkR34j+UDyg==",
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/xml-encryption/-/xml-encryption-3.1.0.tgz",
+      "integrity": "sha512-PV7qnYpoAMXbf1kvQkqMScLeQpjCMixddAKq9PtqVrho8HnYbBOWNfG0kA4R7zxQDo7w9kiYAyzS/ullAyO55Q==",
+      "license": "MIT",
      "dependencies": {
        "@xmldom/xmldom": "^0.8.5",
        "escape-html": "^1.0.3",
        "xpath": "0.0.32"
-      },
-      "engines": {
-        "node": ">=12"
      }
    },
    "node_modules/xml-encryption/node_modules/xpath": {
      "version": "0.0.32",
      "resolved": "https://registry.npmjs.org/xpath/-/xpath-0.0.32.tgz",
      "integrity": "sha512-rxMJhSIoiO8vXcWvSifKqhvV96GjiD5wYb8/QHdoRyQvraTpp4IEv944nhGausZZ3u7dhQXteZuZbaqfpB7uYw==",
+      "license": "MIT",
      "engines": {
        "node": ">=0.6.0"
      }
@@ -23764,6 +23794,7 @@
      "version": "15.1.1",
      "resolved": "https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-15.1.1.tgz",
      "integrity": "sha512-yMqGBqtXyeN1e3TGYvgNgDVZ3j84W4cwkOXQswghol6APgZWaff9lnbvN7MHYJOiXsvGPXtjTYJEiC9J2wv9Eg==",
+      "license": "MIT",
      "engines": {
        "node": ">=8.0"
      }
@@ -23774,9 +23805,10 @@
      "integrity": "sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw=="
    },
    "node_modules/xpath": {
-      "version": "0.0.27",
-      "resolved": "https://registry.npmjs.org/xpath/-/xpath-0.0.27.tgz",
-      "integrity": "sha512-fg03WRxtkCV6ohClePNAECYsmpKKTv5L8y/X3Dn1hQrec3POx2jHZ/0P2qQ6HvsrU1BmeqXcof3NGGueG6LxwQ==",
+      "version": "0.0.34",
+      "resolved": "https://registry.npmjs.org/xpath/-/xpath-0.0.34.tgz",
+      "integrity": "sha512-FxF6+rkr1rNSQrhUNYrAFJpRXNzlDoMxeXN5qI84939ylEv3qqPFKa85Oxr6tDaJKqwW6KKyo2v26TSv3k6LeA==",
+      "license": "MIT",
      "engines": {
        "node": ">=0.6.0"
      }
--- a/backend/package.json
+++ b/backend/package.json
@@ -148,7 +148,7 @@
    "@fastify/swagger-ui": "^2.1.0",
    "@google-cloud/kms": "^4.5.0",
    "@infisical/quic": "^1.0.8",
-    "@node-saml/passport-saml": "^4.0.4",
+    "@node-saml/passport-saml": "^5.0.1",
    "@octokit/auth-app": "^7.1.1",
    "@octokit/plugin-retry": "^5.0.5",
    "@octokit/rest": "^20.0.2",
--- a/backend/src/@types/fastify-request-context.d.ts
+++ b/backend/src/@types/fastify-request-context.d.ts
@@ -1,7 +0,0 @@
-import "@fastify/request-context";
-
-declare module "@fastify/request-context" {
-  interface RequestContextData {
-    reqId: string;
-  }
-}
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@@ -100,6 +100,12 @@ import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integ
 declare module "@fastify/request-context" {
  interface RequestContextData {
    reqId: string;
+    identityAuthInfo?: {
+      identityId: string;
+      oidc?: {
+        claims: Record<string, string>;
+      };
+    };
  }
 }

--- a/backend/src/db/migrations/20250212191958_create-gateway.ts
+++ b/backend/src/db/migrations/20250212191958_create-gateway.ts
@@ -85,7 +85,7 @@ export async function up(knex: Knex): Promise<void> {
  }

  if (await knex.schema.hasTable(TableName.DynamicSecret)) {
-    const doesGatewayColExist = await knex.schema.hasColumn(TableName.DynamicSecret, "gatewayId");
+    const doesGatewayColExist = await knex.schema.hasColumn(TableName.DynamicSecret, "projectGatewayId");
    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
      // not setting a foreign constraint so that cascade effects are not triggered
      if (!doesGatewayColExist) {
--- a/backend/src/db/migrations/20250311105617_add-share-to-anyone-setting-to-organizations.ts
+++ b/backend/src/db/migrations/20250311105617_add-share-to-anyone-setting-to-organizations.ts
@@ -0,0 +1,32 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Organization)) {
+    const hasSecretShareToAnyoneCol = await knex.schema.hasColumn(
+      TableName.Organization,
+      "allowSecretSharingOutsideOrganization"
+    );
+
+    if (!hasSecretShareToAnyoneCol) {
+      await knex.schema.alterTable(TableName.Organization, (t) => {
+        t.boolean("allowSecretSharingOutsideOrganization").defaultTo(true);
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Organization)) {
+    const hasSecretShareToAnyoneCol = await knex.schema.hasColumn(
+      TableName.Organization,
+      "allowSecretSharingOutsideOrganization"
+    );
+    if (hasSecretShareToAnyoneCol) {
+      await knex.schema.alterTable(TableName.Organization, (t) => {
+        t.dropColumn("allowSecretSharingOutsideOrganization");
+      });
+    }
+  }
+}
--- a/backend/src/db/migrations/20250313124706_add-privilege-upgrade-field.ts
+++ b/backend/src/db/migrations/20250313124706_add-privilege-upgrade-field.ts
@@ -0,0 +1,30 @@
+import { Knex } from "knex";
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.Organization, "shouldUseNewPrivilegeSystem"))) {
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      t.boolean("shouldUseNewPrivilegeSystem");
+      t.string("privilegeUpgradeInitiatedByUsername");
+      t.dateTime("privilegeUpgradeInitiatedAt");
+    });
+
+    await knex(TableName.Organization).update({
+      shouldUseNewPrivilegeSystem: false
+    });
+
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      t.boolean("shouldUseNewPrivilegeSystem").defaultTo(true).notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.Organization, "shouldUseNewPrivilegeSystem")) {
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      t.dropColumn("shouldUseNewPrivilegeSystem");
+      t.dropColumn("privilegeUpgradeInitiatedByUsername");
+      t.dropColumn("privilegeUpgradeInitiatedAt");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250314145202_identity-oidc-claim-mapping.ts
+++ b/backend/src/db/migrations/20250314145202_identity-oidc-claim-mapping.ts
@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasMappingField = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "claimMetadataMapping");
+  if (!hasMappingField) {
+    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
+      t.jsonb("claimMetadataMapping");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasMappingField = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "claimMetadataMapping");
+  if (hasMappingField) {
+    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
+      t.dropColumn("claimMetadataMapping");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250317101525_add-instance-admin-mi.ts
+++ b/backend/src/db/migrations/20250317101525_add-instance-admin-mi.ts
@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas/models";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SuperAdmin, "adminIdentityIds"))) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.specificType("adminIdentityIds", "text[]");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SuperAdmin, "adminIdentityIds")) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.dropColumn("adminIdentityIds");
+    });
+  }
+}
--- a/backend/src/db/schemas/identity-oidc-auths.ts
+++ b/backend/src/db/schemas/identity-oidc-auths.ts
@@ -26,7 +26,8 @@ export const IdentityOidcAuthsSchema = z.object({
  boundSubject: z.string().nullable().optional(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  encryptedCaCertificate: zodBuffer.nullable().optional()
+  encryptedCaCertificate: zodBuffer.nullable().optional(),
+  claimMetadataMapping: z.unknown().nullable().optional()
 });

 export type TIdentityOidcAuths = z.infer<typeof IdentityOidcAuthsSchema>;
--- a/backend/src/db/schemas/organizations.ts
+++ b/backend/src/db/schemas/organizations.ts
@@ -22,7 +22,11 @@ export const OrganizationsSchema = z.object({
  kmsEncryptedDataKey: zodBuffer.nullable().optional(),
  defaultMembershipRole: z.string().default("member"),
  enforceMfa: z.boolean().default(false),
-  selectedMfaMethod: z.string().nullable().optional()
+  selectedMfaMethod: z.string().nullable().optional(),
+  shouldUseNewPrivilegeSystem: z.boolean().default(true),
+  privilegeUpgradeInitiatedByUsername: z.string().nullable().optional(),
+  privilegeUpgradeInitiatedAt: z.date().nullable().optional(),
+  allowSecretSharingOutsideOrganization: z.boolean().default(true).nullable().optional()
 });

 export type TOrganizations = z.infer<typeof OrganizationsSchema>;
--- a/backend/src/db/schemas/secret-sharing.ts
+++ b/backend/src/db/schemas/secret-sharing.ts
@@ -12,7 +12,6 @@ import { TImmutableDBKeys } from "./models";
 export const SecretSharingSchema = z.object({
  id: z.string().uuid(),
  encryptedValue: z.string().nullable().optional(),
-  type: z.string(),
  iv: z.string().nullable().optional(),
  tag: z.string().nullable().optional(),
  hashedHex: z.string().nullable().optional(),
@@ -27,7 +26,8 @@ export const SecretSharingSchema = z.object({
  lastViewedAt: z.date().nullable().optional(),
  password: z.string().nullable().optional(),
  encryptedSecret: zodBuffer.nullable().optional(),
-  identifier: z.string().nullable().optional()
+  identifier: z.string().nullable().optional(),
+  type: z.string().default("share")
 });

 export type TSecretSharing = z.infer<typeof SecretSharingSchema>;
--- a/backend/src/db/schemas/super-admin.ts
+++ b/backend/src/db/schemas/super-admin.ts
@@ -25,7 +25,8 @@ export const SuperAdminSchema = z.object({
  encryptedSlackClientId: zodBuffer.nullable().optional(),
  encryptedSlackClientSecret: zodBuffer.nullable().optional(),
  authConsentContent: z.string().nullable().optional(),
-  pageFrameContent: z.string().nullable().optional()
+  pageFrameContent: z.string().nullable().optional(),
+  adminIdentityIds: z.string().array().nullable().optional()
 });

 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;
--- a/backend/src/ee/routes/v1/dynamic-secret-lease-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-lease-router.ts
@@ -1,10 +1,10 @@
-import ms from "ms";
 import { z } from "zod";

 import { DynamicSecretLeasesSchema } from "@app/db/schemas";
 import { DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";
--- a/backend/src/ee/routes/v1/dynamic-secret-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-router.ts
@@ -1,4 +1,3 @@
-import ms from "ms";
 import { z } from "zod";

 import { DynamicSecretLeasesSchema } from "@app/db/schemas";
@@ -6,6 +5,7 @@ import { DynamicSecretProviderSchema } from "@app/ee/services/dynamic-secret/pro
 import { DYNAMIC_SECRETS } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
--- a/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
@@ -1,11 +1,11 @@
 import slugify from "@sindresorhus/slugify";
-import ms from "ms";
 import { z } from "zod";

 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
 import { backfillPermissionV1SchemaToV2Schema } from "@app/ee/services/permission/project-permission";
 import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { UnauthorizedError } from "@app/lib/errors";
+import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
--- a/backend/src/ee/routes/v1/kmip-router.ts
+++ b/backend/src/ee/routes/v1/kmip-router.ts
@@ -1,10 +1,10 @@
-import ms from "ms";
 import { z } from "zod";

 import { KmipClientsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { KmipPermission } from "@app/ee/services/kmip/kmip-enum";
 import { KmipClientOrderBy } from "@app/ee/services/kmip/kmip-types";
+import { ms } from "@app/lib/ms";
 import { OrderByDirection } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
--- a/backend/src/ee/routes/v1/saml-router.ts
+++ b/backend/src/ee/routes/v1/saml-router.ts
@@ -25,7 +25,7 @@ type TSAMLConfig = {
  callbackUrl: string;
  entryPoint: string;
  issuer: string;
-  cert: string;
+  idpCert: string;
  audience: string;
  wantAuthnResponseSigned?: boolean;
  wantAssertionsSigned?: boolean;
@@ -72,7 +72,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
              callbackUrl: `${appCfg.SITE_URL}/api/v1/sso/saml2/${ssoConfig.id}`,
              entryPoint: ssoConfig.entryPoint,
              issuer: ssoConfig.issuer,
-              cert: ssoConfig.cert,
+              idpCert: ssoConfig.cert,
              audience: appCfg.SITE_URL || ""
            };
            if (ssoConfig.authProvider === SamlProviders.JUMPCLOUD_SAML) {
@@ -302,15 +302,21 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
      }
    },
    handler: async (req) => {
-      const saml = await server.services.saml.createSamlCfg({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        orgId: req.body.organizationId,
-        ...req.body
+      const { isActive, authProvider, issuer, entryPoint, cert } = req.body;
+      const { permission } = req;
+
+      return server.services.saml.createSamlCfg({
+        isActive,
+        authProvider,
+        issuer,
+        entryPoint,
+        idpCert: cert,
+        actor: permission.type,
+        actorId: permission.id,
+        actorAuthMethod: permission.authMethod,
+        actorOrgId: permission.orgId,
+        orgId: req.body.organizationId
      });
-      return saml;
    }
  });

@@ -337,15 +343,21 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
      }
    },
    handler: async (req) => {
-      const saml = await server.services.saml.updateSamlCfg({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        orgId: req.body.organizationId,
-        ...req.body
+      const { isActive, authProvider, issuer, entryPoint, cert } = req.body;
+      const { permission } = req;
+
+      return server.services.saml.updateSamlCfg({
+        isActive,
+        authProvider,
+        issuer,
+        entryPoint,
+        idpCert: cert,
+        actor: permission.type,
+        actorId: permission.id,
+        actorAuthMethod: permission.authMethod,
+        actorOrgId: permission.orgId,
+        orgId: req.body.organizationId
      });
-      return saml;
    }
  });
 };
--- a/backend/src/ee/routes/v1/ssh-certificate-router.ts
+++ b/backend/src/ee/routes/v1/ssh-certificate-router.ts
@@ -1,9 +1,9 @@
-import ms from "ms";
 import { z } from "zod";

 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { SshCertType } from "@app/ee/services/ssh/ssh-certificate-authority-types";
 import { SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
+import { ms } from "@app/lib/ms";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
--- a/backend/src/ee/routes/v1/ssh-certificate-template-router.ts
+++ b/backend/src/ee/routes/v1/ssh-certificate-template-router.ts
@@ -1,5 +1,4 @@
 import slugify from "@sindresorhus/slugify";
-import ms from "ms";
 import { z } from "zod";

 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
@@ -10,6 +9,7 @@ import {
  isValidUserPattern
 } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-validators";
 import { SSH_CERTIFICATE_TEMPLATES } from "@app/lib/api-docs";
+import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
--- a/backend/src/ee/routes/v1/user-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v1/user-additional-privilege-router.ts
@@ -1,11 +1,11 @@
 import slugify from "@sindresorhus/slugify";
-import ms from "ms";
 import { z } from "zod";

 import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-types";
 import { PROJECT_USER_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
+import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
--- a/backend/src/ee/routes/v2/identity-project-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v2/identity-project-additional-privilege-router.ts
@@ -1,11 +1,11 @@
 import slugify from "@sindresorhus/slugify";
-import ms from "ms";
 import { z } from "zod";

 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-types";
 import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { IDENTITY_ADDITIONAL_PRIVILEGE_V2 } from "@app/lib/api-docs";
+import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@@ -1,9 +1,10 @@
 import slugify from "@sindresorhus/slugify";
-import ms from "ms";
+import msFn from "ms";

 import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -246,7 +247,7 @@ export const accessApprovalRequestServiceFactory = ({
          requesterEmail: requestedByUser.email,
          isTemporary,
          ...(isTemporary && {
-            expiresIn: ms(ms(temporaryRange || ""), { long: true })
+            expiresIn: msFn(ms(temporaryRange || ""), { long: true })
          }),
          secretPath,
          environment: envSlug,
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@@ -978,6 +978,7 @@ interface AddIdentityOidcAuthEvent {
    boundIssuer: string;
    boundAudiences: string;
    boundClaims: Record<string, string>;
+    claimMetadataMapping: Record<string, string>;
    boundSubject: string;
    accessTokenTTL: number;
    accessTokenMaxTTL: number;
@@ -1002,6 +1003,7 @@ interface UpdateIdentityOidcAuthEvent {
    boundIssuer?: string;
    boundAudiences?: string;
    boundClaims?: Record<string, string>;
+    claimMetadataMapping?: Record<string, string>;
    boundSubject?: string;
    accessTokenTTL?: number;
    accessTokenMaxTTL?: number;
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
@@ -1,5 +1,4 @@
 import { ForbiddenError, subject } from "@casl/ability";
-import ms from "ms";

 import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
@@ -11,6 +10,7 @@ import {
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
+import { ms } from "@app/lib/ms";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
--- a/backend/src/ee/services/group/group-service.ts
+++ b/backend/src/ee/services/group/group-service.ts
@@ -3,8 +3,7 @@ import slugify from "@sindresorhus/slugify";

 import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas";
 import { TOidcConfigDALFactory } from "@app/ee/services/oidc/oidc-config-dal";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
-import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError, PermissionBoundaryError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@@ -14,7 +13,8 @@ import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal
 import { TUserDALFactory } from "@app/services/user/user-dal";

 import { TLicenseServiceFactory } from "../license/license-service";
-import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
+import { OrgPermissionGroupActions, OrgPermissionSubjects } from "../permission/org-permission";
+import { constructPermissionErrorMessage, validatePrivilegeChangeOperation } from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { TGroupDALFactory } from "./group-dal";
 import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "./group-fns";
@@ -67,14 +67,14 @@ export const groupServiceFactory = ({
  const createGroup = async ({ name, slug, role, actor, actorId, actorAuthMethod, actorOrgId }: TCreateGroupDTO) => {
    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });

-    const { permission } = await permissionService.getOrgPermission(
+    const { permission, membership } = await permissionService.getOrgPermission(
      actor,
      actorId,
      actorOrgId,
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionGroupActions.Create, OrgPermissionSubjects.Groups);

    const plan = await licenseService.getPlan(actorOrgId);
    if (!plan.groups)
@@ -87,14 +87,26 @@ export const groupServiceFactory = ({
      actorOrgId
    );
    const isCustomRole = Boolean(customRole);
+    if (role !== OrgMembershipRole.NoAccess) {
+      const permissionBoundary = validatePrivilegeChangeOperation(
+        membership.shouldUseNewPrivilegeSystem,
+        OrgPermissionGroupActions.GrantPrivileges,
+        OrgPermissionSubjects.Groups,
+        permission,
+        rolePermission
+      );

-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to create a more privileged group",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+      if (!permissionBoundary.isValid)
+        throw new PermissionBoundaryError({
+          message: constructPermissionErrorMessage(
+            "Failed to create group",
+            membership.shouldUseNewPrivilegeSystem,
+            OrgPermissionGroupActions.GrantPrivileges,
+            OrgPermissionSubjects.Groups
+          ),
+          details: { missingPermissions: permissionBoundary.missingPermissions }
+        });
+    }

    const group = await groupDAL.transaction(async (tx) => {
      const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
@@ -133,14 +145,15 @@ export const groupServiceFactory = ({
  }: TUpdateGroupDTO) => {
    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });

-    const { permission } = await permissionService.getOrgPermission(
+    const { permission, membership } = await permissionService.getOrgPermission(
      actor,
      actorId,
      actorOrgId,
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Groups);
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionGroupActions.Edit, OrgPermissionSubjects.Groups);

    const plan = await licenseService.getPlan(actorOrgId);
    if (!plan.groups)
@@ -161,11 +174,21 @@ export const groupServiceFactory = ({
      );

      const isCustomRole = Boolean(customOrgRole);
-      const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
+      const permissionBoundary = validatePrivilegeChangeOperation(
+        membership.shouldUseNewPrivilegeSystem,
+        OrgPermissionGroupActions.GrantPrivileges,
+        OrgPermissionSubjects.Groups,
+        permission,
+        rolePermission
+      );
      if (!permissionBoundary.isValid)
-        throw new ForbiddenRequestError({
-          name: "PermissionBoundaryError",
-          message: "Failed to update a more privileged group",
+        throw new PermissionBoundaryError({
+          message: constructPermissionErrorMessage(
+            "Failed to update group",
+            membership.shouldUseNewPrivilegeSystem,
+            OrgPermissionGroupActions.GrantPrivileges,
+            OrgPermissionSubjects.Groups
+          ),
          details: { missingPermissions: permissionBoundary.missingPermissions }
        });
      if (isCustomRole) customRole = customOrgRole;
@@ -215,7 +238,7 @@ export const groupServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionGroupActions.Delete, OrgPermissionSubjects.Groups);

    const plan = await licenseService.getPlan(actorOrgId);

@@ -242,7 +265,7 @@ export const groupServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionGroupActions.Read, OrgPermissionSubjects.Groups);

    const group = await groupDAL.findById(id);
    if (!group) {
@@ -275,7 +298,7 @@ export const groupServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionGroupActions.Read, OrgPermissionSubjects.Groups);

    const group = await groupDAL.findOne({
      orgId: actorOrgId,
@@ -303,14 +326,14 @@ export const groupServiceFactory = ({
  const addUserToGroup = async ({ id, username, actor, actorId, actorAuthMethod, actorOrgId }: TAddUserToGroupDTO) => {
    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });

-    const { permission } = await permissionService.getOrgPermission(
+    const { permission, membership } = await permissionService.getOrgPermission(
      actor,
      actorId,
      actorOrgId,
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionGroupActions.Edit, OrgPermissionSubjects.Groups);

    // check if group with slug exists
    const group = await groupDAL.findOne({
@@ -338,11 +361,22 @@ export const groupServiceFactory = ({
    const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);

    // check if user has broader or equal to privileges than group
-    const permissionBoundary = validatePermissionBoundary(permission, groupRolePermission);
+    const permissionBoundary = validatePrivilegeChangeOperation(
+      membership.shouldUseNewPrivilegeSystem,
+      OrgPermissionGroupActions.AddMembers,
+      OrgPermissionSubjects.Groups,
+      permission,
+      groupRolePermission
+    );
+
    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to add user to more privileged group",
+      throw new PermissionBoundaryError({
+        message: constructPermissionErrorMessage(
+          "Failed to add user to more privileged group",
+          membership.shouldUseNewPrivilegeSystem,
+          OrgPermissionGroupActions.AddMembers,
+          OrgPermissionSubjects.Groups
+        ),
        details: { missingPermissions: permissionBoundary.missingPermissions }
      });

@@ -374,14 +408,14 @@ export const groupServiceFactory = ({
  }: TRemoveUserFromGroupDTO) => {
    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });

-    const { permission } = await permissionService.getOrgPermission(
+    const { permission, membership } = await permissionService.getOrgPermission(
      actor,
      actorId,
      actorOrgId,
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionGroupActions.Edit, OrgPermissionSubjects.Groups);

    // check if group with slug exists
    const group = await groupDAL.findOne({
@@ -409,11 +443,21 @@ export const groupServiceFactory = ({
    const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);

    // check if user has broader or equal to privileges than group
-    const permissionBoundary = validatePermissionBoundary(permission, groupRolePermission);
+    const permissionBoundary = validatePrivilegeChangeOperation(
+      membership.shouldUseNewPrivilegeSystem,
+      OrgPermissionGroupActions.RemoveMembers,
+      OrgPermissionSubjects.Groups,
+      permission,
+      groupRolePermission
+    );
    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to delete user from more privileged group",
+      throw new PermissionBoundaryError({
+        message: constructPermissionErrorMessage(
+          "Failed to delete user from more privileged group",
+          membership.shouldUseNewPrivilegeSystem,
+          OrgPermissionGroupActions.RemoveMembers,
+          OrgPermissionSubjects.Groups
+        ),
        details: { missingPermissions: permissionBoundary.missingPermissions }
      });

--- a/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts
@@ -1,17 +1,17 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
-import ms from "ms";

 import { ActionProjectType, TableName } from "@app/db/schemas";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
-import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
+import { ms } from "@app/lib/ms";
 import { unpackPermissions } from "@app/server/routes/sanitizedSchema/permission";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";

+import { constructPermissionErrorMessage, validatePrivilegeChangeOperation } from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
+import { ProjectPermissionIdentityActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TIdentityProjectAdditionalPrivilegeV2DALFactory } from "./identity-project-additional-privilege-v2-dal";
 import {
  IdentityProjectAdditionalPrivilegeTemporaryMode,
@@ -64,10 +64,10 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
+      ProjectPermissionIdentityActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId })
    );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
+    const { permission: targetIdentityPermission, membership } = await permissionService.getProjectPermission({
      actor: ActorType.IDENTITY,
      actorId: identityId,
      projectId: identityProjectMembership.projectId,
@@ -79,11 +79,21 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
    targetIdentityPermission.update(targetIdentityPermission.rules.concat(customPermission));
-    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
+    const permissionBoundary = validatePrivilegeChangeOperation(
+      membership.shouldUseNewPrivilegeSystem,
+      ProjectPermissionIdentityActions.GrantPrivileges,
+      ProjectPermissionSub.Identity,
+      permission,
+      targetIdentityPermission
+    );
    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged identity",
+      throw new PermissionBoundaryError({
+        message: constructPermissionErrorMessage(
+          "Failed to update more privileged identity",
+          membership.shouldUseNewPrivilegeSystem,
+          ProjectPermissionIdentityActions.GrantPrivileges,
+          ProjectPermissionSub.Identity
+        ),
        details: { missingPermissions: permissionBoundary.missingPermissions }
      });

@@ -150,10 +160,10 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
+      ProjectPermissionIdentityActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
    );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
+    const { permission: targetIdentityPermission, membership } = await permissionService.getProjectPermission({
      actor: ActorType.IDENTITY,
      actorId: identityProjectMembership.identityId,
      projectId: identityProjectMembership.projectId,
@@ -165,11 +175,21 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
    targetIdentityPermission.update(targetIdentityPermission.rules.concat(data.permissions || []));
-    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
+    const permissionBoundary = validatePrivilegeChangeOperation(
+      membership.shouldUseNewPrivilegeSystem,
+      ProjectPermissionIdentityActions.GrantPrivileges,
+      ProjectPermissionSub.Identity,
+      permission,
+      targetIdentityPermission
+    );
    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged identity",
+      throw new PermissionBoundaryError({
+        message: constructPermissionErrorMessage(
+          "Failed to update more privileged identity",
+          membership.shouldUseNewPrivilegeSystem,
+          ProjectPermissionIdentityActions.GrantPrivileges,
+          ProjectPermissionSub.Identity
+        ),
        details: { missingPermissions: permissionBoundary.missingPermissions }
      });

@@ -227,7 +247,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
        message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
      });

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId: identityProjectMembership.projectId,
@@ -236,7 +256,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
+      ProjectPermissionIdentityActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
    );
    const { permission: identityRolePermission } = await permissionService.getProjectPermission({
@@ -247,11 +267,21 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.Any
    });
-    const permissionBoundary = validatePermissionBoundary(permission, identityRolePermission);
+    const permissionBoundary = validatePrivilegeChangeOperation(
+      membership.shouldUseNewPrivilegeSystem,
+      ProjectPermissionIdentityActions.GrantPrivileges,
+      ProjectPermissionSub.Identity,
+      permission,
+      identityRolePermission
+    );
    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged identity",
+      throw new PermissionBoundaryError({
+        message: constructPermissionErrorMessage(
+          "Failed to update more privileged identity",
+          membership.shouldUseNewPrivilegeSystem,
+          ProjectPermissionIdentityActions.GrantPrivileges,
+          ProjectPermissionSub.Identity
+        ),
        details: { missingPermissions: permissionBoundary.missingPermissions }
      });

@@ -287,7 +317,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
+      ProjectPermissionIdentityActions.Read,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
    );

@@ -322,7 +352,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
+      ProjectPermissionIdentityActions.Read,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
    );

@@ -358,7 +388,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
+      ProjectPermissionIdentityActions.Read,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
    );

--- a/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
@@ -1,17 +1,21 @@
 import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
-import ms from "ms";

 import { ActionProjectType } from "@app/db/schemas";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
-import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
+import { ms } from "@app/lib/ms";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";

+import { constructPermissionErrorMessage, validatePrivilegeChangeOperation } from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSet, ProjectPermissionSub } from "../permission/project-permission";
+import {
+  ProjectPermissionIdentityActions,
+  ProjectPermissionSet,
+  ProjectPermissionSub
+} from "../permission/project-permission";
 import { TIdentityProjectAdditionalPrivilegeDALFactory } from "./identity-project-additional-privilege-dal";
 import {
  IdentityProjectAdditionalPrivilegeTemporaryMode,
@@ -63,7 +67,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId: identityProjectMembership.projectId,
@@ -71,8 +75,9 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.Any
    });
+
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
+      ProjectPermissionIdentityActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId })
    );

@@ -88,11 +93,21 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
    targetIdentityPermission.update(targetIdentityPermission.rules.concat(customPermission));
-    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
+    const permissionBoundary = validatePrivilegeChangeOperation(
+      membership.shouldUseNewPrivilegeSystem,
+      ProjectPermissionIdentityActions.GrantPrivileges,
+      ProjectPermissionSub.Identity,
+      permission,
+      targetIdentityPermission
+    );
    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged identity",
+      throw new PermissionBoundaryError({
+        message: constructPermissionErrorMessage(
+          "Failed to update more privileged identity",
+          membership.shouldUseNewPrivilegeSystem,
+          ProjectPermissionIdentityActions.GrantPrivileges,
+          ProjectPermissionSub.Identity
+        ),
        details: { missingPermissions: permissionBoundary.missingPermissions }
      });

@@ -150,7 +165,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId: identityProjectMembership.projectId,
@@ -160,7 +175,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    });

    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
+      ProjectPermissionIdentityActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId })
    );

@@ -176,11 +191,21 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
    targetIdentityPermission.update(targetIdentityPermission.rules.concat(data.permissions || []));
-    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
+    const permissionBoundary = validatePrivilegeChangeOperation(
+      membership.shouldUseNewPrivilegeSystem,
+      ProjectPermissionIdentityActions.GrantPrivileges,
+      ProjectPermissionSub.Identity,
+      permission,
+      targetIdentityPermission
+    );
    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged identity",
+      throw new PermissionBoundaryError({
+        message: constructPermissionErrorMessage(
+          "Failed to update more privileged identity",
+          membership.shouldUseNewPrivilegeSystem,
+          ProjectPermissionIdentityActions.GrantPrivileges,
+          ProjectPermissionSub.Identity
+        ),
        details: { missingPermissions: permissionBoundary.missingPermissions }
      });

@@ -255,7 +280,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId: identityProjectMembership.projectId,
@@ -264,7 +289,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
+      ProjectPermissionIdentityActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId })
    );

@@ -276,11 +301,21 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.Any
    });
-    const permissionBoundary = validatePermissionBoundary(permission, identityRolePermission);
+    const permissionBoundary = validatePrivilegeChangeOperation(
+      membership.shouldUseNewPrivilegeSystem,
+      ProjectPermissionIdentityActions.GrantPrivileges,
+      ProjectPermissionSub.Identity,
+      permission,
+      identityRolePermission
+    );
    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to edit more privileged identity",
+      throw new PermissionBoundaryError({
+        message: constructPermissionErrorMessage(
+          "Failed to edit more privileged identity",
+          membership.shouldUseNewPrivilegeSystem,
+          ProjectPermissionIdentityActions.GrantPrivileges,
+          ProjectPermissionSub.Identity
+        ),
        details: { missingPermissions: permissionBoundary.missingPermissions }
      });

@@ -327,7 +362,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
+      ProjectPermissionIdentityActions.Read,
      subject(ProjectPermissionSub.Identity, { identityId })
    );

@@ -371,7 +406,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    });

    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
+      ProjectPermissionIdentityActions.Read,
      subject(ProjectPermissionSub.Identity, { identityId })
    );

--- a/backend/src/ee/services/kmip/kmip-service.ts
+++ b/backend/src/ee/services/kmip/kmip-service.ts
@@ -1,11 +1,11 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import crypto, { KeyObject } from "crypto";
-import ms from "ms";

 import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { isValidHostname, isValidIp } from "@app/lib/ip";
+import { ms } from "@app/lib/ms";
 import { constructPemChainFromCerts } from "@app/services/certificate/certificate-fns";
 import { CertExtendedKeyUsage, CertKeyAlgorithm, CertKeyUsage } from "@app/services/certificate/certificate-types";
 import {
--- a/backend/src/ee/services/license/license-service.ts
+++ b/backend/src/ee/services/license/license-service.ts
@@ -50,7 +50,7 @@ export type TLicenseServiceFactory = ReturnType<typeof licenseServiceFactory>;
 const LICENSE_SERVER_CLOUD_LOGIN = "/api/auth/v1/license-server-login";
 const LICENSE_SERVER_ON_PREM_LOGIN = "/api/auth/v1/license-login";

-const LICENSE_SERVER_CLOUD_PLAN_TTL = 30; // 30 second
+const LICENSE_SERVER_CLOUD_PLAN_TTL = 5 * 60; // 5 mins
 const FEATURE_CACHE_KEY = (orgId: string) => `infisical-cloud-plan-${orgId}`;

 export const licenseServiceFactory = ({
@@ -142,7 +142,10 @@ export const licenseServiceFactory = ({
    try {
      if (instanceType === InstanceType.Cloud) {
        const cachedPlan = await keyStore.getItem(FEATURE_CACHE_KEY(orgId));
-        if (cachedPlan) return JSON.parse(cachedPlan) as TFeatureSet;
+        if (cachedPlan) {
+          logger.info(`getPlan: plan fetched from cache [orgId=${orgId}] [projectId=${projectId}]`);
+          return JSON.parse(cachedPlan) as TFeatureSet;
+        }

        const org = await orgDAL.findOrgById(orgId);
        if (!org) throw new NotFoundError({ message: `Organization with ID '${orgId}' not found` });
@@ -170,6 +173,8 @@ export const licenseServiceFactory = ({
        JSON.stringify(onPremFeatures)
      );
      return onPremFeatures;
+    } finally {
+      logger.info(`getPlan: Process done for [orgId=${orgId}] [projectId=${projectId}]`);
    }
    return onPremFeatures;
  };
--- a/backend/src/ee/services/permission/org-permission.ts
+++ b/backend/src/ee/services/permission/org-permission.ts
@@ -32,6 +32,10 @@ export enum OrgPermissionAdminConsoleAction {
  AccessAllProjects = "access-all-projects"
 }

+export enum OrgPermissionSecretShareAction {
+  ManageSettings = "manage-settings"
+}
+
 export enum OrgPermissionGatewayActions {
  // is there a better word for this. This mean can an identity be a gateway
  CreateGateways = "create-gateways",
@@ -40,6 +44,28 @@ export enum OrgPermissionGatewayActions {
  DeleteGateways = "delete-gateways"
 }

+export enum OrgPermissionIdentityActions {
+  Read = "read",
+  Create = "create",
+  Edit = "edit",
+  Delete = "delete",
+  GrantPrivileges = "grant-privileges",
+  RevokeAuth = "revoke-auth",
+  CreateToken = "create-token",
+  GetToken = "get-token",
+  DeleteToken = "delete-token"
+}
+
+export enum OrgPermissionGroupActions {
+  Read = "read",
+  Create = "create",
+  Edit = "edit",
+  Delete = "delete",
+  GrantPrivileges = "grant-privileges",
+  AddMembers = "add-members",
+  RemoveMembers = "remove-members"
+}
+
 export enum OrgPermissionSubjects {
  Workspace = "workspace",
  Role = "role",
@@ -59,7 +85,8 @@ export enum OrgPermissionSubjects {
  ProjectTemplates = "project-templates",
  AppConnections = "app-connections",
  Kmip = "kmip",
-  Gateway = "gateway"
+  Gateway = "gateway",
+  SecretShare = "secret-share"
 }

 export type AppConnectionSubjectFields = {
@@ -75,10 +102,10 @@ export type OrgPermissionSet =
  | [OrgPermissionActions, OrgPermissionSubjects.Sso]
  | [OrgPermissionActions, OrgPermissionSubjects.Scim]
  | [OrgPermissionActions, OrgPermissionSubjects.Ldap]
-  | [OrgPermissionActions, OrgPermissionSubjects.Groups]
+  | [OrgPermissionGroupActions, OrgPermissionSubjects.Groups]
  | [OrgPermissionActions, OrgPermissionSubjects.SecretScanning]
  | [OrgPermissionActions, OrgPermissionSubjects.Billing]
-  | [OrgPermissionActions, OrgPermissionSubjects.Identity]
+  | [OrgPermissionIdentityActions, OrgPermissionSubjects.Identity]
  | [OrgPermissionActions, OrgPermissionSubjects.Kms]
  | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
  | [OrgPermissionActions, OrgPermissionSubjects.ProjectTemplates]
@@ -91,7 +118,8 @@ export type OrgPermissionSet =
      )
    ]
  | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole]
-  | [OrgPermissionKmipActions, OrgPermissionSubjects.Kmip];
+  | [OrgPermissionKmipActions, OrgPermissionSubjects.Kmip]
+  | [OrgPermissionSecretShareAction, OrgPermissionSubjects.SecretShare];

 const AppConnectionConditionSchema = z
  .object({
@@ -185,6 +213,12 @@ export const OrgPermissionSchema = z.discriminatedUnion("subject", [
      "Describe what action an entity can take."
    )
  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.SecretShare).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionSecretShareAction).describe(
+      "Describe what action an entity can take."
+    )
+  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Kmip).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionKmipActions).describe(
@@ -244,20 +278,28 @@ const buildAdminPermission = () => {
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Ldap);
  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Ldap);

-  can(OrgPermissionActions.Read, OrgPermissionSubjects.Groups);
-  can(OrgPermissionActions.Create, OrgPermissionSubjects.Groups);
-  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Groups);
-  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Groups);
+  can(OrgPermissionGroupActions.Read, OrgPermissionSubjects.Groups);
+  can(OrgPermissionGroupActions.Create, OrgPermissionSubjects.Groups);
+  can(OrgPermissionGroupActions.Edit, OrgPermissionSubjects.Groups);
+  can(OrgPermissionGroupActions.Delete, OrgPermissionSubjects.Groups);
+  can(OrgPermissionGroupActions.GrantPrivileges, OrgPermissionSubjects.Groups);
+  can(OrgPermissionGroupActions.AddMembers, OrgPermissionSubjects.Groups);
+  can(OrgPermissionGroupActions.RemoveMembers, OrgPermissionSubjects.Groups);

  can(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
  can(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);
  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Billing);

-  can(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
-  can(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
-  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
-  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Identity);
+  can(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
+  can(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
+  can(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+  can(OrgPermissionIdentityActions.Delete, OrgPermissionSubjects.Identity);
+  can(OrgPermissionIdentityActions.GrantPrivileges, OrgPermissionSubjects.Identity);
+  can(OrgPermissionIdentityActions.RevokeAuth, OrgPermissionSubjects.Identity);
+  can(OrgPermissionIdentityActions.CreateToken, OrgPermissionSubjects.Identity);
+  can(OrgPermissionIdentityActions.GetToken, OrgPermissionSubjects.Identity);
+  can(OrgPermissionIdentityActions.DeleteToken, OrgPermissionSubjects.Identity);

  can(OrgPermissionActions.Read, OrgPermissionSubjects.Kms);
  can(OrgPermissionActions.Create, OrgPermissionSubjects.Kms);
@@ -292,6 +334,8 @@ const buildAdminPermission = () => {
  // the proxy assignment is temporary in order to prevent "more privilege" error during role assignment to MI
  can(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);

+  can(OrgPermissionSecretShareAction.ManageSettings, OrgPermissionSubjects.SecretShare);
+
  return rules;
 };

@@ -302,7 +346,7 @@ const buildMemberPermission = () => {

  can(OrgPermissionActions.Create, OrgPermissionSubjects.Workspace);
  can(OrgPermissionActions.Read, OrgPermissionSubjects.Member);
-  can(OrgPermissionActions.Read, OrgPermissionSubjects.Groups);
+  can(OrgPermissionGroupActions.Read, OrgPermissionSubjects.Groups);
  can(OrgPermissionActions.Read, OrgPermissionSubjects.Role);
  can(OrgPermissionActions.Read, OrgPermissionSubjects.Settings);
  can(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
@@ -313,10 +357,10 @@ const buildMemberPermission = () => {
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.SecretScanning);
  can(OrgPermissionActions.Delete, OrgPermissionSubjects.SecretScanning);

-  can(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
-  can(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
-  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
-  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Identity);
+  can(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
+  can(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
+  can(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+  can(OrgPermissionIdentityActions.Delete, OrgPermissionSubjects.Identity);

  can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);

--- a/backend/src/ee/services/permission/permission-dal.ts
+++ b/backend/src/ee/services/permission/permission-dal.ts
@@ -49,6 +49,7 @@ export const permissionDALFactory = (db: TDbClient) => {
        .join(TableName.Organization, `${TableName.Organization}.id`, `${TableName.OrgMembership}.orgId`)
        .select(
          selectAllTableCols(TableName.OrgMembership),
+          db.ref("shouldUseNewPrivilegeSystem").withSchema(TableName.Organization),
          db.ref("slug").withSchema(TableName.OrgRoles).withSchema(TableName.OrgRoles).as("customRoleSlug"),
          db.ref("permissions").withSchema(TableName.OrgRoles),
          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
@@ -70,7 +71,8 @@ export const permissionDALFactory = (db: TDbClient) => {
          OrgMembershipsSchema.extend({
            permissions: z.unknown(),
            orgAuthEnforced: z.boolean().optional().nullable(),
-            customRoleSlug: z.string().optional().nullable()
+            customRoleSlug: z.string().optional().nullable(),
+            shouldUseNewPrivilegeSystem: z.boolean()
          }).parse(el),
        childrenMapper: [
          {
@@ -118,7 +120,9 @@ export const permissionDALFactory = (db: TDbClient) => {
        .select(selectAllTableCols(TableName.IdentityOrgMembership))
        .select(db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"))
        .select("permissions")
+        .select(db.ref("shouldUseNewPrivilegeSystem").withSchema(TableName.Organization))
        .first();
+
      return membership;
    } catch (error) {
      throw new DatabaseError({ error, name: "GetOrgIdentityPermission" });
@@ -668,7 +672,8 @@ export const permissionDALFactory = (db: TDbClient) => {
          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
          db.ref("orgId").withSchema(TableName.Project),
          db.ref("type").withSchema(TableName.Project).as("projectType"),
-          db.ref("id").withSchema(TableName.Project).as("projectId")
+          db.ref("id").withSchema(TableName.Project).as("projectId"),
+          db.ref("shouldUseNewPrivilegeSystem").withSchema(TableName.Organization)
        );

      const [userPermission] = sqlNestRelationships({
@@ -684,7 +689,8 @@ export const permissionDALFactory = (db: TDbClient) => {
          groupMembershipCreatedAt,
          groupMembershipUpdatedAt,
          membershipUpdatedAt,
-          projectType
+          projectType,
+          shouldUseNewPrivilegeSystem
        }) => ({
          orgId,
          orgAuthEnforced,
@@ -694,7 +700,8 @@ export const permissionDALFactory = (db: TDbClient) => {
          projectType,
          id: membershipId || groupMembershipId,
          createdAt: membershipCreatedAt || groupMembershipCreatedAt,
-          updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt
+          updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt,
+          shouldUseNewPrivilegeSystem
        }),
        childrenMapper: [
          {
@@ -995,6 +1002,7 @@ export const permissionDALFactory = (db: TDbClient) => {
          `${TableName.IdentityProjectMembership}.projectId`,
          `${TableName.Project}.id`
        )
+        .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
          void queryBuilder
            .on(`${TableName.Identity}.id`, `${TableName.IdentityMetadata}.identityId`)
@@ -1012,6 +1020,7 @@ export const permissionDALFactory = (db: TDbClient) => {
          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
          db.ref("permissions").withSchema(TableName.ProjectRoles),
+          db.ref("shouldUseNewPrivilegeSystem").withSchema(TableName.Organization),
          db.ref("id").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApId"),
          db.ref("permissions").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApPermissions"),
          db
@@ -1045,7 +1054,8 @@ export const permissionDALFactory = (db: TDbClient) => {
          membershipUpdatedAt,
          orgId,
          identityName,
-          projectType
+          projectType,
+          shouldUseNewPrivilegeSystem
        }) => ({
          id: membershipId,
          identityId,
@@ -1055,6 +1065,7 @@ export const permissionDALFactory = (db: TDbClient) => {
          updatedAt: membershipUpdatedAt,
          orgId,
          projectType,
+          shouldUseNewPrivilegeSystem,
          // just a prefilled value
          orgAuthEnforced: false
        }),
--- a/backend/src/ee/services/permission/permission-fns.ts
+++ b/backend/src/ee/services/permission/permission-fns.ts
@@ -3,9 +3,11 @@ import { ForbiddenError, MongoAbility, PureAbility, subject } from "@casl/abilit
 import { z } from "zod";

 import { TOrganizations } from "@app/db/schemas";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { ActorAuthMethod, AuthMethod } from "@app/services/auth/auth-type";

+import { OrgPermissionSet } from "./org-permission";
 import {
  ProjectPermissionSecretActions,
  ProjectPermissionSet,
@@ -131,12 +133,12 @@ function validateOrgSSO(actorAuthMethod: ActorAuthMethod, isOrgSsoEnforced: TOrg
  }
 }

-const escapeHandlebarsMissingMetadata = (obj: Record<string, string>) => {
+const escapeHandlebarsMissingDict = (obj: Record<string, string>, key: string) => {
  const handler = {
    get(target: Record<string, string>, prop: string) {
-      if (!(prop in target)) {
+      if (!Object.hasOwn(target, prop)) {
        // eslint-disable-next-line no-param-reassign
-        target[prop] = `{{identity.metadata.${prop}}}`; // Add missing key as an "own" property
+        target[prop] = `{{${key}.${prop}}}`; // Add missing key as an "own" property
      }
      return target[prop];
    }
@@ -145,4 +147,57 @@ const escapeHandlebarsMissingMetadata = (obj: Record<string, string>) => {
  return new Proxy(obj, handler);
 };

-export { escapeHandlebarsMissingMetadata, isAuthMethodSaml, validateOrgSSO };
+// This function serves as a transition layer between the old and new privilege management system
+// the old privilege management system is based on the actor having more privileges than the managed permission
+// the new privilege management system is based on the actor having the appropriate permission to perform the privilege change,
+// regardless of the actor's privilege level.
+const validatePrivilegeChangeOperation = (
+  shouldUseNewPrivilegeSystem: boolean,
+  opAction: OrgPermissionSet[0] | ProjectPermissionSet[0],
+  opSubject: OrgPermissionSet[1] | ProjectPermissionSet[1],
+  actorPermission: MongoAbility,
+  managedPermission: MongoAbility
+) => {
+  if (shouldUseNewPrivilegeSystem) {
+    if (actorPermission.can(opAction, opSubject)) {
+      return {
+        isValid: true,
+        missingPermissions: []
+      };
+    }
+
+    return {
+      isValid: false,
+      missingPermissions: [
+        {
+          action: opAction,
+          subject: opSubject
+        }
+      ]
+    };
+  }
+
+  // if not, we check if the actor is indeed more privileged than the managed permission - this is the old system
+  return validatePermissionBoundary(actorPermission, managedPermission);
+};
+
+const constructPermissionErrorMessage = (
+  baseMessage: string,
+  shouldUseNewPrivilegeSystem: boolean,
+  opAction: OrgPermissionSet[0] | ProjectPermissionSet[0],
+  opSubject: OrgPermissionSet[1] | ProjectPermissionSet[1]
+) => {
+  return `${baseMessage}${
+    shouldUseNewPrivilegeSystem
+      ? `. Actor is missing permission ${opAction as string} on ${opSubject as string}`
+      : ". Actor privilege level is not high enough to perform this action"
+  }`;
+};
+
+export {
+  constructPermissionErrorMessage,
+  escapeHandlebarsMissingDict,
+  isAuthMethodSaml,
+  validateOrgSSO,
+  validatePrivilegeChangeOperation
+};
--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@@ -1,5 +1,6 @@
 import { createMongoAbility, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, unpackRules } from "@casl/ability/extra";
+import { requestContext } from "@fastify/request-context";
 import { MongoQuery } from "@ucast/mongo2js";
 import handlebars from "handlebars";

@@ -22,7 +23,7 @@ import { TServiceTokenDALFactory } from "@app/services/service-token/service-tok

 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
-import { escapeHandlebarsMissingMetadata, validateOrgSSO } from "./permission-fns";
+import { escapeHandlebarsMissingDict, validateOrgSSO } from "./permission-fns";
 import {
  TBuildOrgPermissionDTO,
  TBuildProjectPermissionDTO,
@@ -243,20 +244,22 @@ export const permissionServiceFactory = ({

    const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
    const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-    const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
+    const metadataKeyValuePair = escapeHandlebarsMissingDict(
      objectify(
        userProjectPermission.metadata,
        (i) => i.key,
        (i) => i.value
-      )
+      ),
+      "identity.metadata"
    );
+    const templateValue = {
+      id: userProjectPermission.userId,
+      username: userProjectPermission.username,
+      metadata: metadataKeyValuePair
+    };
    const interpolateRules = templatedRules(
      {
-        identity: {
-          id: userProjectPermission.userId,
-          username: userProjectPermission.username,
-          metadata: metadataKeyValuePair
-        }
+        identity: templateValue
      },
      { data: false }
    );
@@ -317,21 +320,26 @@ export const permissionServiceFactory = ({

    const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
    const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-    const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
-      objectify(
-        identityProjectPermission.metadata,
-        (i) => i.key,
-        (i) => i.value
-      )
+    const unescapedIdentityAuthInfo = requestContext.get("identityAuthInfo");
+    const unescapedMetadata = objectify(
+      identityProjectPermission.metadata,
+      (i) => i.key,
+      (i) => i.value
    );
-
+    const identityAuthInfo =
+      unescapedIdentityAuthInfo?.identityId === identityId && unescapedIdentityAuthInfo
+        ? escapeHandlebarsMissingDict(unescapedIdentityAuthInfo as never, "identity.auth")
+        : {};
+    const metadataKeyValuePair = escapeHandlebarsMissingDict(unescapedMetadata, "identity.metadata");
+    const templateValue = {
+      id: identityProjectPermission.identityId,
+      username: identityProjectPermission.username,
+      metadata: metadataKeyValuePair,
+      auth: identityAuthInfo
+    };
    const interpolateRules = templatedRules(
      {
-        identity: {
-          id: identityProjectPermission.identityId,
-          username: identityProjectPermission.username,
-          metadata: metadataKeyValuePair
-        }
+        identity: templateValue
      },
      { data: false }
    );
@@ -390,14 +398,18 @@ export const permissionServiceFactory = ({
    const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
    return {
      permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
-      membership: undefined
+      membership: {
+        shouldUseNewPrivilegeSystem: true
+      }
    };
  };

  type TProjectPermissionRT<T extends ActorType> = T extends ActorType.SERVICE
    ? {
        permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
-        membership: undefined;
+        membership: {
+          shouldUseNewPrivilegeSystem: boolean;
+        };
        hasRole: (arg: string) => boolean;
      } // service token doesn't have both membership and roles
    : {
@@ -406,6 +418,7 @@ export const permissionServiceFactory = ({
          orgAuthEnforced: boolean | null | undefined;
          orgId: string;
          roles: Array<{ role: string }>;
+          shouldUseNewPrivilegeSystem: boolean;
        };
        hasRole: (role: string) => boolean;
      };
@@ -424,20 +437,22 @@ export const permissionServiceFactory = ({

      const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
      const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
+      const metadataKeyValuePair = escapeHandlebarsMissingDict(
        objectify(
          userProjectPermission.metadata,
          (i) => i.key,
          (i) => i.value
-        )
+        ),
+        "identity.metadata"
      );
+      const templateValue = {
+        id: userProjectPermission.userId,
+        username: userProjectPermission.username,
+        metadata: metadataKeyValuePair
+      };
      const interpolateRules = templatedRules(
        {
-          identity: {
-            id: userProjectPermission.userId,
-            username: userProjectPermission.username,
-            metadata: metadataKeyValuePair
-          }
+          identity: templateValue
        },
        { data: false }
      );
@@ -469,21 +484,22 @@ export const permissionServiceFactory = ({

      const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
      const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
+      const metadataKeyValuePair = escapeHandlebarsMissingDict(
        objectify(
          identityProjectPermission.metadata,
          (i) => i.key,
          (i) => i.value
-        )
+        ),
+        "identity.metadata"
      );
-
+      const templateValue = {
+        id: identityProjectPermission.identityId,
+        username: identityProjectPermission.username,
+        metadata: metadataKeyValuePair
+      };
      const interpolateRules = templatedRules(
        {
-          identity: {
-            id: identityProjectPermission.identityId,
-            username: identityProjectPermission.username,
-            metadata: metadataKeyValuePair
-          }
+          identity: templateValue
        },
        { data: false }
      );
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@@ -43,6 +43,30 @@ export enum ProjectPermissionDynamicSecretActions {
  Lease = "lease"
 }

+export enum ProjectPermissionIdentityActions {
+  Read = "read",
+  Create = "create",
+  Edit = "edit",
+  Delete = "delete",
+  GrantPrivileges = "grant-privileges"
+}
+
+export enum ProjectPermissionMemberActions {
+  Read = "read",
+  Create = "create",
+  Edit = "edit",
+  Delete = "delete",
+  GrantPrivileges = "grant-privileges"
+}
+
+export enum ProjectPermissionGroupActions {
+  Read = "read",
+  Create = "create",
+  Edit = "edit",
+  Delete = "delete",
+  GrantPrivileges = "grant-privileges"
+}
+
 export enum ProjectPermissionSecretSyncActions {
  Read = "read",
  Create = "create",
@@ -150,8 +174,8 @@ export type ProjectPermissionSet =
    ]
  | [ProjectPermissionActions, ProjectPermissionSub.Role]
  | [ProjectPermissionActions, ProjectPermissionSub.Tags]
-  | [ProjectPermissionActions, ProjectPermissionSub.Member]
-  | [ProjectPermissionActions, ProjectPermissionSub.Groups]
+  | [ProjectPermissionMemberActions, ProjectPermissionSub.Member]
+  | [ProjectPermissionGroupActions, ProjectPermissionSub.Groups]
  | [ProjectPermissionActions, ProjectPermissionSub.Integrations]
  | [ProjectPermissionActions, ProjectPermissionSub.Webhooks]
  | [ProjectPermissionActions, ProjectPermissionSub.AuditLogs]
@@ -162,7 +186,7 @@ export type ProjectPermissionSet =
  | [ProjectPermissionActions, ProjectPermissionSub.SecretApproval]
  | [ProjectPermissionActions, ProjectPermissionSub.SecretRotation]
  | [
-      ProjectPermissionActions,
+      ProjectPermissionIdentityActions,
      ProjectPermissionSub.Identity | (ForcedSubject<ProjectPermissionSub.Identity> & IdentityManagementSubjectFields)
    ]
  | [ProjectPermissionActions, ProjectPermissionSub.CertificateAuthorities]
@@ -290,13 +314,13 @@ const GeneralPermissionSchema = [
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.Member).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionMemberActions).describe(
      "Describe what action an entity can take."
    )
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.Groups).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionGroupActions).describe(
      "Describe what action an entity can take."
    )
  }),
@@ -510,7 +534,7 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
  z.object({
    subject: z.literal(ProjectPermissionSub.Identity).describe("The entity this permission pertains to."),
    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionIdentityActions).describe(
      "Describe what action an entity can take."
    ),
    conditions: IdentityManagementConditionSchema.describe(
@@ -531,12 +555,9 @@ const buildAdminPermissionRules = () => {
    ProjectPermissionSub.SecretImports,
    ProjectPermissionSub.SecretApproval,
    ProjectPermissionSub.SecretRotation,
-    ProjectPermissionSub.Member,
-    ProjectPermissionSub.Groups,
    ProjectPermissionSub.Role,
    ProjectPermissionSub.Integrations,
    ProjectPermissionSub.Webhooks,
-    ProjectPermissionSub.Identity,
    ProjectPermissionSub.ServiceTokens,
    ProjectPermissionSub.Settings,
    ProjectPermissionSub.Environments,
@@ -563,6 +584,39 @@ const buildAdminPermissionRules = () => {
    );
  });

+  can(
+    [
+      ProjectPermissionMemberActions.Create,
+      ProjectPermissionMemberActions.Edit,
+      ProjectPermissionMemberActions.Delete,
+      ProjectPermissionMemberActions.Read,
+      ProjectPermissionMemberActions.GrantPrivileges
+    ],
+    ProjectPermissionSub.Member
+  );
+
+  can(
+    [
+      ProjectPermissionGroupActions.Create,
+      ProjectPermissionGroupActions.Edit,
+      ProjectPermissionGroupActions.Delete,
+      ProjectPermissionGroupActions.Read,
+      ProjectPermissionGroupActions.GrantPrivileges
+    ],
+    ProjectPermissionSub.Groups
+  );
+
+  can(
+    [
+      ProjectPermissionIdentityActions.Create,
+      ProjectPermissionIdentityActions.Edit,
+      ProjectPermissionIdentityActions.Delete,
+      ProjectPermissionIdentityActions.Read,
+      ProjectPermissionIdentityActions.GrantPrivileges
+    ],
+    ProjectPermissionSub.Identity
+  );
+
  can(
    [
      ProjectPermissionSecretActions.DescribeAndReadValue,
@@ -677,9 +731,9 @@ const buildMemberPermissionRules = () => {

  can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);

-  can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.Member);
+  can([ProjectPermissionMemberActions.Read, ProjectPermissionMemberActions.Create], ProjectPermissionSub.Member);

-  can([ProjectPermissionActions.Read], ProjectPermissionSub.Groups);
+  can([ProjectPermissionGroupActions.Read], ProjectPermissionSub.Groups);

  can(
    [
@@ -703,10 +757,10 @@ const buildMemberPermissionRules = () => {

  can(
    [
-      ProjectPermissionActions.Read,
-      ProjectPermissionActions.Edit,
-      ProjectPermissionActions.Create,
-      ProjectPermissionActions.Delete
+      ProjectPermissionIdentityActions.Read,
+      ProjectPermissionIdentityActions.Edit,
+      ProjectPermissionIdentityActions.Create,
+      ProjectPermissionIdentityActions.Delete
    ],
    ProjectPermissionSub.Identity
  );
@@ -820,12 +874,12 @@ const buildViewerPermissionRules = () => {
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Groups);
+  can(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
+  can(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Webhooks);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);
+  can(ProjectPermissionIdentityActions.Read, ProjectPermissionSub.Identity);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.ServiceTokens);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Settings);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Environments);
--- a/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
+++ b/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
@@ -1,16 +1,20 @@
 import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
-import ms from "ms";

 import { ActionProjectType, TableName } from "@app/db/schemas";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
-import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
+import { ms } from "@app/lib/ms";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";

+import { constructPermissionErrorMessage, validatePrivilegeChangeOperation } from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSet, ProjectPermissionSub } from "../permission/project-permission";
+import {
+  ProjectPermissionMemberActions,
+  ProjectPermissionSet,
+  ProjectPermissionSub
+} from "../permission/project-permission";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "./project-user-additional-privilege-dal";
 import {
  ProjectUserAdditionalPrivilegeTemporaryMode,
@@ -63,8 +67,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.Any
    });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
-    const { permission: targetUserPermission } = await permissionService.getProjectPermission({
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
+    const { permission: targetUserPermission, membership } = await permissionService.getProjectPermission({
      actor: ActorType.USER,
      actorId: projectMembership.userId,
      projectId: projectMembership.projectId,
@@ -76,11 +80,21 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
    targetUserPermission.update(targetUserPermission.rules.concat(customPermission));
-    const permissionBoundary = validatePermissionBoundary(permission, targetUserPermission);
+    const permissionBoundary = validatePrivilegeChangeOperation(
+      membership.shouldUseNewPrivilegeSystem,
+      ProjectPermissionMemberActions.GrantPrivileges,
+      ProjectPermissionSub.Member,
+      permission,
+      targetUserPermission
+    );
    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged user",
+      throw new PermissionBoundaryError({
+        message: constructPermissionErrorMessage(
+          "Failed to update more privileged user",
+          membership.shouldUseNewPrivilegeSystem,
+          ProjectPermissionMemberActions.GrantPrivileges,
+          ProjectPermissionSub.Member
+        ),
        details: { missingPermissions: permissionBoundary.missingPermissions }
      });

@@ -146,7 +160,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
        message: `Project membership for user with ID '${userPrivilege.userId}' not found in project with ID '${userPrivilege.projectId}'`
      });

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId: projectMembership.projectId,
@@ -154,7 +168,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.Any
    });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
    const { permission: targetUserPermission } = await permissionService.getProjectPermission({
      actor: ActorType.USER,
      actorId: projectMembership.userId,
@@ -167,11 +181,21 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
    targetUserPermission.update(targetUserPermission.rules.concat(dto.permissions || []));
-    const permissionBoundary = validatePermissionBoundary(permission, targetUserPermission);
+    const permissionBoundary = validatePrivilegeChangeOperation(
+      membership.shouldUseNewPrivilegeSystem,
+      ProjectPermissionMemberActions.GrantPrivileges,
+      ProjectPermissionSub.Member,
+      permission,
+      targetUserPermission
+    );
    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged identity",
+      throw new PermissionBoundaryError({
+        message: constructPermissionErrorMessage(
+          "Failed to update more privileged user",
+          membership.shouldUseNewPrivilegeSystem,
+          ProjectPermissionMemberActions.GrantPrivileges,
+          ProjectPermissionSub.Member
+        ),
        details: { missingPermissions: permissionBoundary.missingPermissions }
      });

@@ -244,7 +268,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.Any
    });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);

    const deletedPrivilege = await projectUserAdditionalPrivilegeDAL.deleteById(userPrivilege.id);
    return {
@@ -281,7 +305,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.Any
    });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);

    return {
      ...userPrivilege,
@@ -308,7 +332,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.Any
    });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);

    const userPrivileges = await projectUserAdditionalPrivilegeDAL.find(
      {
--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@@ -63,7 +63,7 @@ export const samlConfigServiceFactory = ({
  kmsService
 }: TSamlConfigServiceFactoryDep) => {
  const createSamlCfg = async ({
-    cert,
+    idpCert,
    actor,
    actorAuthMethod,
    actorOrgId,
@@ -93,9 +93,9 @@ export const samlConfigServiceFactory = ({
      orgId,
      authProvider,
      isActive,
-      encryptedSamlIssuer: encryptor({ plainText: Buffer.from(issuer) }).cipherTextBlob,
+      encryptedSamlCertificate: encryptor({ plainText: Buffer.from(idpCert) }).cipherTextBlob,
      encryptedSamlEntryPoint: encryptor({ plainText: Buffer.from(entryPoint) }).cipherTextBlob,
-      encryptedSamlCertificate: encryptor({ plainText: Buffer.from(cert) }).cipherTextBlob
+      encryptedSamlIssuer: encryptor({ plainText: Buffer.from(issuer) }).cipherTextBlob
    });

    return samlConfig;
@@ -106,7 +106,7 @@ export const samlConfigServiceFactory = ({
    actor,
    actorOrgId,
    actorAuthMethod,
-    cert,
+    idpCert,
    actorId,
    issuer,
    isActive,
@@ -136,8 +136,8 @@ export const samlConfigServiceFactory = ({
      updateQuery.encryptedSamlIssuer = encryptor({ plainText: Buffer.from(issuer) }).cipherTextBlob;
    }

-    if (cert !== undefined) {
-      updateQuery.encryptedSamlCertificate = encryptor({ plainText: Buffer.from(cert) }).cipherTextBlob;
+    if (idpCert !== undefined) {
+      updateQuery.encryptedSamlCertificate = encryptor({ plainText: Buffer.from(idpCert) }).cipherTextBlob;
    }

    const [ssoConfig] = await samlConfigDAL.update({ orgId }, updateQuery);
--- a/backend/src/ee/services/saml-config/saml-config-types.ts
+++ b/backend/src/ee/services/saml-config/saml-config-types.ts
@@ -15,7 +15,7 @@ export type TCreateSamlCfgDTO = {
  isActive: boolean;
  entryPoint: string;
  issuer: string;
-  cert: string;
+  idpCert: string;
 } & TOrgPermission;

 export type TUpdateSamlCfgDTO = Partial<{
@@ -23,7 +23,7 @@ export type TUpdateSamlCfgDTO = Partial<{
  isActive: boolean;
  entryPoint: string;
  issuer: string;
-  cert: string;
+  idpCert: string;
 }> &
  TOrgPermission;

--- a/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-service.ts
+++ b/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-service.ts
@@ -1,10 +1,10 @@
 import { ForbiddenError } from "@casl/ability";
-import ms from "ms";

 import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { ms } from "@app/lib/ms";

 import { TSshCertificateAuthorityDALFactory } from "../ssh/ssh-certificate-authority-dal";
 import { TSshCertificateTemplateDALFactory } from "./ssh-certificate-template-dal";
--- a/backend/src/ee/services/ssh/ssh-certificate-authority-fns.ts
+++ b/backend/src/ee/services/ssh/ssh-certificate-authority-fns.ts
@@ -1,13 +1,13 @@
 import { execFile } from "child_process";
 import crypto from "crypto";
 import { promises as fs } from "fs";
-import ms from "ms";
 import os from "os";
 import path from "path";
 import { promisify } from "util";

 import { TSshCertificateTemplates } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";
+import { ms } from "@app/lib/ms";
 import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";

 import {
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -329,6 +329,7 @@ export const OIDC_AUTH = {
    boundIssuer: "The unique identifier of the identity provider issuing the JWT.",
    boundAudiences: "The list of intended recipients.",
    boundClaims: "The attributes that should be present in the JWT for it to be valid.",
+    claimMetadataMapping: "The attributes that should be present in the permission metadata from the JWT.",
    boundSubject: "The expected principal that is the subject of the JWT.",
    accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from.",
    accessTokenTTL: "The lifetime for an access token in seconds.",
@@ -342,6 +343,7 @@ export const OIDC_AUTH = {
    boundIssuer: "The new unique identifier of the identity provider issuing the JWT.",
    boundAudiences: "The new list of intended recipients.",
    boundClaims: "The new attributes that should be present in the JWT for it to be valid.",
+    claimMetadataMapping: "The new attributes that should be present in the permission metadata from the JWT.",
    boundSubject: "The new expected principal that is the subject of the JWT.",
    accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from.",
    accessTokenTTL: "The new lifetime for an access token in seconds.",
@@ -1725,7 +1727,8 @@ export const SecretSyncs = {
  SYNC_OPTIONS: (destination: SecretSync) => {
    const destinationName = SECRET_SYNC_NAME_MAP[destination];
    return {
-      initialSyncBehavior: `Specify how Infisical should resolve the initial sync to the ${destinationName} destination.`
+      initialSyncBehavior: `Specify how Infisical should resolve the initial sync to the ${destinationName} destination.`,
+      disableSecretDeletion: `Enable this flag to prevent removal of secrets from the ${destinationName} destination when syncing.`
    };
  },
  ADDITIONAL_SYNC_OPTIONS: {
@@ -1771,6 +1774,12 @@ export const SecretSyncs = {
    },
    DATABRICKS: {
      scope: "The Databricks secret scope that secrets should be synced to."
+    },
+    HUMANITEC: {
+      app: "The ID of the Humanitec app to sync secrets to.",
+      org: "The ID of the Humanitec org to sync secrets to.",
+      env: "The ID of the Humanitec environment to sync secrets to.",
+      scope: "The Humanitec scope that secrets should be synced to."
    }
  }
 };
--- a/backend/src/lib/errors/index.ts
+++ b/backend/src/lib/errors/index.ts
@@ -68,6 +68,23 @@ export class ForbiddenRequestError extends Error {
  }
 }

+export class PermissionBoundaryError extends ForbiddenRequestError {
+  constructor({
+    message,
+    name,
+    error,
+    details
+  }: {
+    message?: string;
+    name?: string;
+    error?: unknown;
+    details?: unknown;
+  }) {
+    super({ message, name, error, details });
+    this.name = "PermissionBoundaryError";
+  }
+}
+
 export class BadRequestError extends Error {
  name: string;

--- a/backend/src/lib/ms/index.ts
+++ b/backend/src/lib/ms/index.ts
@@ -0,0 +1,15 @@
+import msFn, { StringValue } from "ms";
+
+import { BadRequestError } from "../errors";
+
+export const ms = (val: string) => {
+  if (typeof val !== "string") {
+    throw new BadRequestError({ message: `Date must be string` });
+  }
+
+  try {
+    return msFn(val as StringValue);
+  } catch {
+    throw new BadRequestError({ message: `Invalid date format string: ${val}` });
+  }
+};
--- a/backend/src/lib/template/dot-access.ts
+++ b/backend/src/lib/template/dot-access.ts
@@ -0,0 +1,34 @@
+/**
+ * Safely retrieves a value from a nested object using dot notation path
+ */
+export const getStringValueByDot = (
+  obj: Record<string, unknown> | null | undefined,
+  path: string,
+  defaultValue?: string
+): string | undefined => {
+  // Handle null or undefined input
+  if (!obj) {
+    return defaultValue;
+  }
+
+  const parts = path.split(".");
+  let current: unknown = obj;
+
+  for (const part of parts) {
+    const isObject = typeof current === "object" && !Array.isArray(current) && current !== null;
+    if (!isObject) {
+      return defaultValue;
+    }
+    if (!Object.hasOwn(current as object, part)) {
+      // Check if the property exists as an own property
+      return defaultValue;
+    }
+    current = (current as Record<string, unknown>)[part];
+  }
+
+  if (typeof current !== "string") {
+    return defaultValue;
+  }
+
+  return current;
+};
--- a/backend/src/server/plugins/auth/inject-identity.ts
+++ b/backend/src/server/plugins/auth/inject-identity.ts
@@ -1,3 +1,4 @@
+import { requestContext } from "@fastify/request-context";
 import { FastifyRequest } from "fastify";
 import fp from "fastify-plugin";
 import jwt, { JwtPayload } from "jsonwebtoken";
@@ -8,6 +9,7 @@ import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { ActorType, AuthMethod, AuthMode, AuthModeJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";
 import { TIdentityAccessTokenJwtPayload } from "@app/services/identity-access-token/identity-access-token-types";
+import { getServerCfg } from "@app/services/super-admin/super-admin-service";

 export type TAuthMode =
  | {
@@ -43,6 +45,7 @@ export type TAuthMode =
      identityName: string;
      orgId: string;
      authMethod: null;
+      isInstanceAdmin?: boolean;
    }
  | {
      authMode: AuthMode.SCIM_TOKEN;
@@ -129,14 +132,22 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
      }
      case AuthMode.IDENTITY_ACCESS_TOKEN: {
        const identity = await server.services.identityAccessToken.fnValidateIdentityAccessToken(token, req.realIp);
+        const serverCfg = await getServerCfg();
        req.auth = {
          authMode: AuthMode.IDENTITY_ACCESS_TOKEN,
          actor,
          orgId: identity.orgId,
          identityId: identity.identityId,
          identityName: identity.name,
-          authMethod: null
+          authMethod: null,
+          isInstanceAdmin: serverCfg?.adminIdentityIds?.includes(identity.identityId)
        };
+        if (token?.identityAuth?.oidc) {
+          requestContext.set("identityAuthInfo", {
+            identityId: identity.identityId,
+            oidc: token?.identityAuth?.oidc
+          });
+        }
        break;
      }
      case AuthMode.SERVICE_TOKEN: {
--- a/backend/src/server/plugins/auth/superAdmin.ts
+++ b/backend/src/server/plugins/auth/superAdmin.ts
@@ -1,16 +1,18 @@
 import { FastifyReply, FastifyRequest, HookHandlerDoneFunction } from "fastify";

 import { ForbiddenRequestError } from "@app/lib/errors";
-import { ActorType } from "@app/services/auth/auth-type";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";

 export const verifySuperAdmin = <T extends FastifyRequest>(
  req: T,
  _res: FastifyReply,
  done: HookHandlerDoneFunction
 ) => {
-  if (req.auth.actor !== ActorType.USER || !req.auth.user.superAdmin)
-    throw new ForbiddenRequestError({
-      message: "Requires elevated super admin privileges"
-    });
-  done();
+  if (isSuperAdmin(req.auth)) {
+    return done();
+  }
+
+  throw new ForbiddenRequestError({
+    message: "Requires elevated super admin privileges"
+  });
 };
--- a/backend/src/server/plugins/error-handler.ts
+++ b/backend/src/server/plugins/error-handler.ts
@@ -13,6 +13,7 @@ import {
  InternalServerError,
  NotFoundError,
  OidcAuthError,
+  PermissionBoundaryError,
  RateLimitError,
  ScimRequestError,
  UnauthorizedError
@@ -117,7 +118,7 @@ export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider
          conditions: el.conditions
        }))
      });
-    } else if (error instanceof ForbiddenRequestError) {
+    } else if (error instanceof ForbiddenRequestError || error instanceof PermissionBoundaryError) {
      void res.status(HttpStatusCodes.Forbidden).send({
        reqId: req.id,
        statusCode: HttpStatusCodes.Forbidden,
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -637,6 +637,9 @@ export const registerRoutes = async (
    userDAL,
    identityDAL,
    userAliasDAL,
+    identityTokenAuthDAL,
+    identityAccessTokenDAL,
+    identityOrgMembershipDAL,
    authService: loginService,
    serverCfgDAL: superAdminDAL,
    kmsRootConfigDAL,
--- a/backend/src/server/routes/v1/admin-router.ts
+++ b/backend/src/server/routes/v1/admin-router.ts
@@ -98,7 +98,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
      }
    },
    onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT, AuthMode.API_KEY])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
        verifySuperAdmin(req, res, done);
      });
    },
@@ -139,7 +139,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
      }
    },
    onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
        verifySuperAdmin(req, res, done);
      });
    },
@@ -171,12 +171,16 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
          identities: IdentitiesSchema.pick({
            name: true,
            id: true
-          }).array()
+          })
+            .extend({
+              isInstanceAdmin: z.boolean()
+            })
+            .array()
        })
      }
    },
    onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
        verifySuperAdmin(req, res, done);
      });
    },
@@ -206,7 +210,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
      }
    },
    onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
        verifySuperAdmin(req, res, done);
      });
    },
@@ -240,7 +244,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
      }
    },
    onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
        verifySuperAdmin(req, res, done);
      });
    },
@@ -265,7 +269,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
      })
    },
    onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
        verifySuperAdmin(req, res, done);
      });
    },
@@ -293,7 +297,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
      }
    },
    onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
        verifySuperAdmin(req, res, done);
      });
    },
@@ -316,7 +320,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
      })
    },
    onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
        verifySuperAdmin(req, res, done);
      });
    },
@@ -394,4 +398,141 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
      };
    }
  });
+
+  server.route({
+    method: "DELETE",
+    url: "/identity-management/identities/:identityId/super-admin-access",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        identityId: z.string()
+      }),
+      response: {
+        200: z.object({
+          identity: IdentitiesSchema.pick({
+            name: true,
+            id: true
+          })
+        })
+      }
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+    handler: async (req) => {
+      const identity = await server.services.superAdmin.deleteIdentitySuperAdminAccess(
+        req.params.identityId,
+        req.permission.id
+      );
+
+      return {
+        identity
+      };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/user-management/users/:userId/admin-access",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        userId: z.string()
+      }),
+      response: {
+        200: z.object({
+          user: UsersSchema.pick({
+            username: true,
+            firstName: true,
+            lastName: true,
+            email: true,
+            id: true
+          })
+        })
+      }
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+    handler: async (req) => {
+      const user = await server.services.superAdmin.deleteUserSuperAdminAccess(req.params.userId);
+
+      return {
+        user
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/bootstrap",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        email: z.string().email().trim().min(1),
+        password: z.string().trim().min(1),
+        organization: z.string().trim().min(1)
+      }),
+      response: {
+        200: z.object({
+          message: z.string(),
+          user: UsersSchema.pick({
+            username: true,
+            firstName: true,
+            lastName: true,
+            email: true,
+            id: true,
+            superAdmin: true
+          }),
+          organization: OrganizationsSchema.pick({
+            id: true,
+            name: true,
+            slug: true
+          }),
+          identity: IdentitiesSchema.pick({
+            id: true,
+            name: true
+          }).extend({
+            credentials: z.object({
+              token: z.string()
+            }) // would just be Token AUTH for now
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const { user, organization, machineIdentity } = await server.services.superAdmin.bootstrapInstance({
+        ...req.body,
+        organizationName: req.body.organization
+      });
+
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.AdminInit,
+        distinctId: user.user.username ?? "",
+        properties: {
+          username: user.user.username,
+          email: user.user.email ?? "",
+          lastName: user.user.lastName || "",
+          firstName: user.user.firstName || ""
+        }
+      });
+
+      return {
+        message: "Successfully bootstrapped instance",
+        user: user.user,
+        organization,
+        identity: machineIdentity
+      };
+    }
+  });
 };
--- a/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
@@ -18,6 +18,10 @@ import {
 } from "@app/services/app-connection/databricks";
 import { GcpConnectionListItemSchema, SanitizedGcpConnectionSchema } from "@app/services/app-connection/gcp";
 import { GitHubConnectionListItemSchema, SanitizedGitHubConnectionSchema } from "@app/services/app-connection/github";
+import {
+  HumanitecConnectionListItemSchema,
+  SanitizedHumanitecConnectionSchema
+} from "@app/services/app-connection/humanitec";
 import { AuthMode } from "@app/services/auth/auth-type";

 // can't use discriminated due to multiple schemas for certain apps
@@ -27,7 +31,8 @@ const SanitizedAppConnectionSchema = z.union([
  ...SanitizedGcpConnectionSchema.options,
  ...SanitizedAzureKeyVaultConnectionSchema.options,
  ...SanitizedAzureAppConfigurationConnectionSchema.options,
-  ...SanitizedDatabricksConnectionSchema.options
+  ...SanitizedDatabricksConnectionSchema.options,
+  ...SanitizedHumanitecConnectionSchema.options
 ]);

 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@@ -36,7 +41,8 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
  GcpConnectionListItemSchema,
  AzureKeyVaultConnectionListItemSchema,
  AzureAppConfigurationConnectionListItemSchema,
-  DatabricksConnectionListItemSchema
+  DatabricksConnectionListItemSchema,
+  HumanitecConnectionListItemSchema
 ]);

 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {
--- a/backend/src/server/routes/v1/app-connection-routers/humanitec-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/humanitec-connection-router.ts
@@ -0,0 +1,69 @@
+import z from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateHumanitecConnectionSchema,
+  HumanitecOrgWithApps,
+  SanitizedHumanitecConnectionSchema,
+  UpdateHumanitecConnectionSchema
+} from "@app/services/app-connection/humanitec";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerHumanitecConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.Humanitec,
+    server,
+    sanitizedResponseSchema: SanitizedHumanitecConnectionSchema,
+    createSchema: CreateHumanitecConnectionSchema,
+    updateSchema: UpdateHumanitecConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+  server.route({
+    method: "GET",
+    url: `/:connectionId/organizations`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            name: z.string(),
+            apps: z
+              .object({
+                id: z.string(),
+                name: z.string(),
+                envs: z
+                  .object({
+                    id: z.string(),
+                    name: z.string()
+                  })
+                  .array()
+              })
+              .array()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const organizations: HumanitecOrgWithApps[] = await server.services.appConnection.humanitec.listOrganizations(
+        connectionId,
+        req.permission
+      );
+
+      return organizations;
+    }
+  });
+};
--- a/backend/src/server/routes/v1/app-connection-routers/index.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/index.ts
@@ -6,6 +6,7 @@ import { registerAzureKeyVaultConnectionRouter } from "./azure-key-vault-connect
 import { registerDatabricksConnectionRouter } from "./databricks-connection-router";
 import { registerGcpConnectionRouter } from "./gcp-connection-router";
 import { registerGitHubConnectionRouter } from "./github-connection-router";
+import { registerHumanitecConnectionRouter } from "./humanitec-connection-router";

 export * from "./app-connection-router";

@@ -16,5 +17,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
    [AppConnection.GCP]: registerGcpConnectionRouter,
    [AppConnection.AzureKeyVault]: registerAzureKeyVaultConnectionRouter,
    [AppConnection.AzureAppConfiguration]: registerAzureAppConfigurationConnectionRouter,
-    [AppConnection.Databricks]: registerDatabricksConnectionRouter
+    [AppConnection.Databricks]: registerDatabricksConnectionRouter,
+    [AppConnection.Humanitec]: registerHumanitecConnectionRouter
  };
--- a/backend/src/server/routes/v1/certificate-authority-router.ts
+++ b/backend/src/server/routes/v1/certificate-authority-router.ts
@@ -1,10 +1,10 @@
 /* eslint-disable @typescript-eslint/no-floating-promises */
-import ms from "ms";
 import { z } from "zod";

 import { CertificateAuthoritiesSchema, CertificateTemplatesSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
+import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
--- a/backend/src/server/routes/v1/certificate-router.ts
+++ b/backend/src/server/routes/v1/certificate-router.ts
@@ -1,9 +1,9 @@
-import ms from "ms";
 import { z } from "zod";

 import { CertificatesSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { CERTIFICATE_AUTHORITIES, CERTIFICATES } from "@app/lib/api-docs";
+import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
--- a/backend/src/server/routes/v1/certificate-template-router.ts
+++ b/backend/src/server/routes/v1/certificate-template-router.ts
@@ -1,9 +1,9 @@
-import ms from "ms";
 import { z } from "zod";

 import { CertificateTemplateEstConfigsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { CERTIFICATE_TEMPLATES } from "@app/lib/api-docs";
+import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
--- a/backend/src/server/routes/v1/identity-aws-iam-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-aws-iam-auth-router.ts
@@ -11,6 +11,7 @@ import {
  validateAccountIds,
  validatePrincipalArns
 } from "@app/services/identity-aws-auth/identity-aws-auth-validators";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";

 export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider) => {
  server.route({
@@ -130,7 +131,8 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
      });

      await server.services.auditLog.createAuditLog({
--- a/backend/src/server/routes/v1/identity-azure-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-azure-auth-router.ts
@@ -8,8 +8,7 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { validateAzureAuthField } from "@app/services/identity-azure-auth/identity-azure-auth-validators";
-
-import {} from "../sanitizedSchemas";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";

 export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider) => {
  server.route({
@@ -127,7 +126,8 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
      });

      await server.services.auditLog.createAuditLog({
--- a/backend/src/server/routes/v1/identity-gcp-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-gcp-auth-router.ts
@@ -8,6 +8,7 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { validateGcpAuthField } from "@app/services/identity-gcp-auth/identity-gcp-auth-validators";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";

 export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider) => {
  server.route({
@@ -121,7 +122,8 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
      });

      await server.services.auditLog.createAuditLog({
--- a/backend/src/server/routes/v1/identity-jwt-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-jwt-auth-router.ts
@@ -12,6 +12,7 @@ import {
  validateJwtAuthAudiencesField,
  validateJwtBoundClaimsField
 } from "@app/services/identity-jwt-auth/identity-jwt-auth-validators";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";

 const IdentityJwtAuthResponseSchema = IdentityJwtAuthsSchema.omit({
  encryptedJwksCaCert: true,
@@ -169,7 +170,8 @@ export const registerIdentityJwtAuthRouter = async (server: FastifyZodProvider)
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
      });

      await server.services.auditLog.createAuditLog({
--- a/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts
@@ -7,6 +7,7 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";

 const IdentityKubernetesAuthResponseSchema = IdentityKubernetesAuthsSchema.pick({
  id: true,
@@ -147,7 +148,8 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
      });

      await server.services.auditLog.createAuditLog({
--- a/backend/src/server/routes/v1/identity-oidc-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-oidc-auth-router.ts
@@ -11,6 +11,7 @@ import {
  validateOidcAuthAudiencesField,
  validateOidcBoundClaimsField
 } from "@app/services/identity-oidc-auth/identity-oidc-auth-validators";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";

 const IdentityOidcAuthResponseSchema = IdentityOidcAuthsSchema.pick({
  id: true,
@@ -23,6 +24,7 @@ const IdentityOidcAuthResponseSchema = IdentityOidcAuthsSchema.pick({
  boundIssuer: true,
  boundAudiences: true,
  boundClaims: true,
+  claimMetadataMapping: true,
  boundSubject: true,
  createdAt: true,
  updatedAt: true
@@ -104,6 +106,7 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
          boundIssuer: z.string().min(1).describe(OIDC_AUTH.ATTACH.boundIssuer),
          boundAudiences: validateOidcAuthAudiencesField.describe(OIDC_AUTH.ATTACH.boundAudiences),
          boundClaims: validateOidcBoundClaimsField.describe(OIDC_AUTH.ATTACH.boundClaims),
+          claimMetadataMapping: validateOidcBoundClaimsField.describe(OIDC_AUTH.ATTACH.claimMetadataMapping).optional(),
          boundSubject: z.string().optional().default("").describe(OIDC_AUTH.ATTACH.boundSubject),
          accessTokenTrustedIps: z
            .object({
@@ -146,7 +149,8 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
      });

      await server.services.auditLog.createAuditLog({
@@ -161,6 +165,7 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
            boundIssuer: identityOidcAuth.boundIssuer,
            boundAudiences: identityOidcAuth.boundAudiences,
            boundClaims: identityOidcAuth.boundClaims as Record<string, string>,
+            claimMetadataMapping: identityOidcAuth.claimMetadataMapping as Record<string, string>,
            boundSubject: identityOidcAuth.boundSubject as string,
            accessTokenTTL: identityOidcAuth.accessTokenTTL,
            accessTokenMaxTTL: identityOidcAuth.accessTokenMaxTTL,
@@ -200,6 +205,7 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
          boundIssuer: z.string().min(1).describe(OIDC_AUTH.UPDATE.boundIssuer),
          boundAudiences: validateOidcAuthAudiencesField.describe(OIDC_AUTH.UPDATE.boundAudiences),
          boundClaims: validateOidcBoundClaimsField.describe(OIDC_AUTH.UPDATE.boundClaims),
+          claimMetadataMapping: validateOidcBoundClaimsField.describe(OIDC_AUTH.UPDATE.claimMetadataMapping).optional(),
          boundSubject: z.string().optional().default("").describe(OIDC_AUTH.UPDATE.boundSubject),
          accessTokenTrustedIps: z
            .object({
@@ -258,6 +264,7 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
            boundIssuer: identityOidcAuth.boundIssuer,
            boundAudiences: identityOidcAuth.boundAudiences,
            boundClaims: identityOidcAuth.boundClaims as Record<string, string>,
+            claimMetadataMapping: identityOidcAuth.claimMetadataMapping as Record<string, string>,
            boundSubject: identityOidcAuth.boundSubject as string,
            accessTokenTTL: identityOidcAuth.accessTokenTTL,
            accessTokenMaxTTL: identityOidcAuth.accessTokenMaxTTL,
--- a/backend/src/server/routes/v1/identity-router.ts
+++ b/backend/src/server/routes/v1/identity-router.ts
@@ -7,6 +7,7 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";

 import { SanitizedProjectSchema } from "../sanitizedSchemas";
@@ -118,6 +119,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth),
        ...req.body
      });

@@ -166,7 +168,8 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        id: req.params.identityId
+        id: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
      });

      await server.services.auditLog.createAuditLog({
--- a/backend/src/server/routes/v1/identity-token-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-token-auth-router.ts
@@ -7,6 +7,7 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";

 export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider) => {
  server.route({
@@ -74,7 +75,8 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
      });

      await server.services.auditLog.createAuditLog({
@@ -157,7 +159,8 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
      });

      await server.services.auditLog.createAuditLog({
@@ -257,7 +260,8 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
      });

      await server.services.auditLog.createAuditLog({
@@ -312,6 +316,7 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
          actorAuthMethod: req.permission.authMethod,
          actorOrgId: req.permission.orgId,
          identityId: req.params.identityId,
+          isActorSuperAdmin: isSuperAdmin(req.auth),
          ...req.body
        });

@@ -370,6 +375,7 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth),
        ...req.query
      });

@@ -421,6 +427,7 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        tokenId: req.params.tokenId,
+        isActorSuperAdmin: isSuperAdmin(req.auth),
        ...req.body
      });

@@ -470,7 +477,8 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        tokenId: req.params.tokenId
+        tokenId: req.params.tokenId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
      });

      return {
--- a/backend/src/server/routes/v1/identity-universal-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-universal-auth-router.ts
@@ -7,6 +7,7 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";

 export const sanitizedClientSecretSchema = IdentityUaClientSecretsSchema.pick({
  id: true,
@@ -142,8 +143,10 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
      });
+
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        orgId: identityUniversalAuth.orgId,
--- a/backend/src/server/routes/v1/organization-router.ts
+++ b/backend/src/server/routes/v1/organization-router.ts
@@ -4,7 +4,6 @@ import {
  AuditLogsSchema,
  GroupsSchema,
  IncidentContactsSchema,
-  OrganizationsSchema,
  OrgMembershipsSchema,
  OrgRolesSchema,
  UsersSchema
@@ -57,7 +56,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          organization: OrganizationsSchema
+          organization: sanitizedOrganizationSchema
        })
      }
    },
@@ -257,12 +256,13 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        scimEnabled: z.boolean().optional(),
        defaultMembershipRoleSlug: slugSchema({ max: 64, field: "Default Membership Role" }).optional(),
        enforceMfa: z.boolean().optional(),
-        selectedMfaMethod: z.nativeEnum(MfaMethod).optional()
+        selectedMfaMethod: z.nativeEnum(MfaMethod).optional(),
+        allowSecretSharingOutsideOrganization: z.boolean().optional()
      }),
      response: {
        200: z.object({
          message: z.string(),
-          organization: OrganizationsSchema
+          organization: sanitizedOrganizationSchema
        })
      }
    },
--- a/backend/src/server/routes/v1/project-membership-router.ts
+++ b/backend/src/server/routes/v1/project-membership-router.ts
@@ -1,4 +1,3 @@
-import ms from "ms";
 import { z } from "zod";

 import {
@@ -10,6 +9,7 @@ import {
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { PROJECT_USERS } from "@app/lib/api-docs";
+import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
--- a/backend/src/server/routes/v1/secret-sync-routers/humanitec-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/humanitec-sync-router.ts
@@ -0,0 +1,17 @@
+import {
+  CreateHumanitecSyncSchema,
+  HumanitecSyncSchema,
+  UpdateHumanitecSyncSchema
+} from "@app/services/secret-sync/humanitec";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerHumanitecSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.Humanitec,
+    server,
+    responseSchema: HumanitecSyncSchema,
+    createSchema: CreateHumanitecSyncSchema,
+    updateSchema: UpdateHumanitecSyncSchema
+  });
--- a/backend/src/server/routes/v1/secret-sync-routers/index.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/index.ts
@@ -7,6 +7,7 @@ import { registerAzureKeyVaultSyncRouter } from "./azure-key-vault-sync-router";
 import { registerDatabricksSyncRouter } from "./databricks-sync-router";
 import { registerGcpSyncRouter } from "./gcp-sync-router";
 import { registerGitHubSyncRouter } from "./github-sync-router";
+import { registerHumanitecSyncRouter } from "./humanitec-sync-router";

 export * from "./secret-sync-router";

@@ -17,5 +18,6 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
  [SecretSync.GCPSecretManager]: registerGcpSyncRouter,
  [SecretSync.AzureKeyVault]: registerAzureKeyVaultSyncRouter,
  [SecretSync.AzureAppConfiguration]: registerAzureAppConfigurationSyncRouter,
-  [SecretSync.Databricks]: registerDatabricksSyncRouter
+  [SecretSync.Databricks]: registerDatabricksSyncRouter,
+  [SecretSync.Humanitec]: registerHumanitecSyncRouter
 };
--- a/backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts
@@ -21,6 +21,7 @@ import { AzureKeyVaultSyncListItemSchema, AzureKeyVaultSyncSchema } from "@app/s
 import { DatabricksSyncListItemSchema, DatabricksSyncSchema } from "@app/services/secret-sync/databricks";
 import { GcpSyncListItemSchema, GcpSyncSchema } from "@app/services/secret-sync/gcp";
 import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret-sync/github";
+import { HumanitecSyncListItemSchema, HumanitecSyncSchema } from "@app/services/secret-sync/humanitec";

 const SecretSyncSchema = z.discriminatedUnion("destination", [
  AwsParameterStoreSyncSchema,
@@ -29,7 +30,8 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
  GcpSyncSchema,
  AzureKeyVaultSyncSchema,
  AzureAppConfigurationSyncSchema,
-  DatabricksSyncSchema
+  DatabricksSyncSchema,
+  HumanitecSyncSchema
 ]);

 const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@@ -39,7 +41,8 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
  GcpSyncListItemSchema,
  AzureKeyVaultSyncListItemSchema,
  AzureAppConfigurationSyncListItemSchema,
-  DatabricksSyncListItemSchema
+  DatabricksSyncListItemSchema,
+  HumanitecSyncListItemSchema
 ]);

 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {
--- a/backend/src/server/routes/v2/group-project-router.ts
+++ b/backend/src/server/routes/v2/group-project-router.ts
@@ -1,4 +1,3 @@
-import ms from "ms";
 import { z } from "zod";

 import {
@@ -8,6 +7,7 @@ import {
  ProjectUserMembershipRolesSchema
 } from "@app/db/schemas";
 import { PROJECTS } from "@app/lib/api-docs";
+import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
--- a/backend/src/server/routes/v2/identity-project-router.ts
+++ b/backend/src/server/routes/v2/identity-project-router.ts
@@ -1,4 +1,3 @@
-import ms from "ms";
 import { z } from "zod";

 import {
@@ -9,6 +8,7 @@ import {
 } from "@app/db/schemas";
 import { ORGANIZATIONS, PROJECT_IDENTITIES } from "@app/lib/api-docs";
 import { BadRequestError } from "@app/lib/errors";
+import { ms } from "@app/lib/ms";
 import { OrderByDirection } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
--- a/backend/src/server/routes/v2/organization-router.ts
+++ b/backend/src/server/routes/v2/organization-router.ts
@@ -1,7 +1,6 @@
 import { z } from "zod";

 import {
-  OrganizationsSchema,
  OrgMembershipsSchema,
  ProjectMembershipsSchema,
  ProjectsSchema,
@@ -15,6 +14,7 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { GenericResourceNameSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
+import { sanitizedOrganizationSchema } from "@app/services/org/org-schema";

 export const registerOrgRouter = async (server: FastifyZodProvider) => {
  server.route({
@@ -335,7 +335,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          organization: OrganizationsSchema
+          organization: sanitizedOrganizationSchema
        })
      }
    },
@@ -365,7 +365,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          organization: OrganizationsSchema,
+          organization: sanitizedOrganizationSchema,
          accessToken: z.string()
        })
      }
@@ -396,4 +396,30 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      return { organization, accessToken: tokens.accessToken };
    }
  });
+
+  server.route({
+    method: "POST",
+    url: "/privilege-system-upgrade",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          organization: sanitizedOrganizationSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const organization = await server.services.org.upgradePrivilegeSystem({
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        orgId: req.permission.orgId
+      });
+
+      return { organization };
+    }
+  });
 };
--- a/backend/src/services/app-connection/app-connection-enums.ts
+++ b/backend/src/services/app-connection/app-connection-enums.ts
@@ -4,7 +4,8 @@ export enum AppConnection {
  Databricks = "databricks",
  GCP = "gcp",
  AzureKeyVault = "azure-key-vault",
-  AzureAppConfiguration = "azure-app-configuration"
+  AzureAppConfiguration = "azure-app-configuration",
+  Humanitec = "humanitec"
 }

 export enum AWSRegion {
--- a/backend/src/services/app-connection/app-connection-fns.ts
+++ b/backend/src/services/app-connection/app-connection-fns.ts
@@ -35,6 +35,11 @@ import {
  getAzureKeyVaultConnectionListItem,
  validateAzureKeyVaultConnectionCredentials
 } from "./azure-key-vault";
+import {
+  getHumanitecConnectionListItem,
+  HumanitecConnectionMethod,
+  validateHumanitecConnectionCredentials
+} from "./humanitec";

 export const listAppConnectionOptions = () => {
  return [
@@ -43,7 +48,8 @@ export const listAppConnectionOptions = () => {
    getGcpConnectionListItem(),
    getAzureKeyVaultConnectionListItem(),
    getAzureAppConfigurationConnectionListItem(),
-    getDatabricksConnectionListItem()
+    getDatabricksConnectionListItem(),
+    getHumanitecConnectionListItem()
  ].sort((a, b) => a.name.localeCompare(b.name));
 };

@@ -106,6 +112,8 @@ export const validateAppConnectionCredentials = async (
      return validateAzureKeyVaultConnectionCredentials(appConnection);
    case AppConnection.AzureAppConfiguration:
      return validateAzureAppConfigurationConnectionCredentials(appConnection);
+    case AppConnection.Humanitec:
+      return validateHumanitecConnectionCredentials(appConnection);
    default:
      // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
      throw new Error(`Unhandled App Connection ${app}`);
@@ -128,6 +136,8 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
      return "Service Account Impersonation";
    case DatabricksConnectionMethod.ServicePrincipal:
      return "Service Principal";
+    case HumanitecConnectionMethod.API_TOKEN:
+      return "API Token";
    default:
      // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
      throw new Error(`Unhandled App Connection Method: ${method}`);
--- a/backend/src/services/app-connection/app-connection-maps.ts
+++ b/backend/src/services/app-connection/app-connection-maps.ts
@@ -6,5 +6,6 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
  [AppConnection.GCP]: "GCP",
  [AppConnection.AzureKeyVault]: "Azure Key Vault",
  [AppConnection.AzureAppConfiguration]: "Azure App Configuration",
-  [AppConnection.Databricks]: "Databricks"
+  [AppConnection.Databricks]: "Databricks",
+  [AppConnection.Humanitec]: "Humanitec"
 };
--- a/backend/src/services/app-connection/app-connection-service.ts
+++ b/backend/src/services/app-connection/app-connection-service.ts
@@ -35,6 +35,8 @@ import { ValidateGcpConnectionCredentialsSchema } from "./gcp";
 import { gcpConnectionService } from "./gcp/gcp-connection-service";
 import { ValidateGitHubConnectionCredentialsSchema } from "./github";
 import { githubConnectionService } from "./github/github-connection-service";
+import { ValidateHumanitecConnectionCredentialsSchema } from "./humanitec";
+import { humanitecConnectionService } from "./humanitec/humanitec-connection-service";

 export type TAppConnectionServiceFactoryDep = {
  appConnectionDAL: TAppConnectionDALFactory;
@@ -50,7 +52,8 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
  [AppConnection.GCP]: ValidateGcpConnectionCredentialsSchema,
  [AppConnection.AzureKeyVault]: ValidateAzureKeyVaultConnectionCredentialsSchema,
  [AppConnection.AzureAppConfiguration]: ValidateAzureAppConfigurationConnectionCredentialsSchema,
-  [AppConnection.Databricks]: ValidateDatabricksConnectionCredentialsSchema
+  [AppConnection.Databricks]: ValidateDatabricksConnectionCredentialsSchema,
+  [AppConnection.Humanitec]: ValidateHumanitecConnectionCredentialsSchema
 };

 export const appConnectionServiceFactory = ({
@@ -371,6 +374,7 @@ export const appConnectionServiceFactory = ({
    github: githubConnectionService(connectAppConnectionById),
    gcp: gcpConnectionService(connectAppConnectionById),
    databricks: databricksConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
-    aws: awsConnectionService(connectAppConnectionById)
+    aws: awsConnectionService(connectAppConnectionById),
+    humanitec: humanitecConnectionService(connectAppConnectionById)
  };
 };
--- a/backend/src/services/app-connection/app-connection-types.ts
+++ b/backend/src/services/app-connection/app-connection-types.ts
@@ -32,6 +32,12 @@ import {
  TValidateAzureKeyVaultConnectionCredentials
 } from "./azure-key-vault";
 import { TGcpConnection, TGcpConnectionConfig, TGcpConnectionInput, TValidateGcpConnectionCredentials } from "./gcp";
+import {
+  THumanitecConnection,
+  THumanitecConnectionConfig,
+  THumanitecConnectionInput,
+  TValidateHumanitecConnectionCredentials
+} from "./humanitec";

 export type TAppConnection = { id: string } & (
  | TAwsConnection
@@ -40,6 +46,7 @@ export type TAppConnection = { id: string } & (
  | TAzureKeyVaultConnection
  | TAzureAppConfigurationConnection
  | TDatabricksConnection
+  | THumanitecConnection
 );

 export type TAppConnectionInput = { id: string } & (
@@ -49,6 +56,7 @@ export type TAppConnectionInput = { id: string } & (
  | TAzureKeyVaultConnectionInput
  | TAzureAppConfigurationConnectionInput
  | TDatabricksConnectionInput
+  | THumanitecConnectionInput
 );

 export type TCreateAppConnectionDTO = Pick<
@@ -66,7 +74,8 @@ export type TAppConnectionConfig =
  | TGcpConnectionConfig
  | TAzureKeyVaultConnectionConfig
  | TAzureAppConfigurationConnectionConfig
-  | TDatabricksConnectionConfig;
+  | TDatabricksConnectionConfig
+  | THumanitecConnectionConfig;

 export type TValidateAppConnectionCredentials =
  | TValidateAwsConnectionCredentials
@@ -74,7 +83,8 @@ export type TValidateAppConnectionCredentials =
  | TValidateGcpConnectionCredentials
  | TValidateAzureKeyVaultConnectionCredentials
  | TValidateAzureAppConfigurationConnectionCredentials
-  | TValidateDatabricksConnectionCredentials;
+  | TValidateDatabricksConnectionCredentials
+  | TValidateHumanitecConnectionCredentials;

 export type TListAwsConnectionKmsKeys = {
  connectionId: string;
--- a/backend/src/services/app-connection/humanitec/humanitec-connection-enums.ts
+++ b/backend/src/services/app-connection/humanitec/humanitec-connection-enums.ts
@@ -0,0 +1,3 @@
+export enum HumanitecConnectionMethod {
+  API_TOKEN = "api-token"
+}
--- a/backend/src/services/app-connection/humanitec/humanitec-connection-fns.ts
+++ b/backend/src/services/app-connection/humanitec/humanitec-connection-fns.ts
@@ -0,0 +1,95 @@
+import { AxiosError, AxiosResponse } from "axios";
+
+import { request } from "@app/lib/config/request";
+import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+
+import { HumanitecConnectionMethod } from "./humanitec-connection-enums";
+import {
+  HumanitecApp,
+  HumanitecOrg,
+  HumanitecOrgWithApps,
+  THumanitecConnection,
+  THumanitecConnectionConfig
+} from "./humanitec-connection-types";
+
+export const getHumanitecConnectionListItem = () => {
+  return {
+    name: "Humanitec" as const,
+    app: AppConnection.Humanitec as const,
+    methods: Object.values(HumanitecConnectionMethod) as [HumanitecConnectionMethod.API_TOKEN]
+  };
+};
+
+export const validateHumanitecConnectionCredentials = async (config: THumanitecConnectionConfig) => {
+  const { credentials: inputCredentials } = config;
+
+  let response: AxiosResponse<HumanitecOrg[]> | null = null;
+
+  try {
+    response = await request.get<HumanitecOrg[]>(`${IntegrationUrls.HUMANITEC_API_URL}/orgs`, {
+      headers: {
+        Authorization: `Bearer ${inputCredentials.apiToken}`
+      }
+    });
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
+      });
+    }
+    throw new BadRequestError({
+      message: "Unable to validate connection - verify credentials"
+    });
+  }
+
+  if (!response?.data) {
+    throw new InternalServerError({
+      message: "Failed to get organizations: Response was empty"
+    });
+  }
+
+  return inputCredentials;
+};
+
+export const listOrganizations = async (appConnection: THumanitecConnection): Promise<HumanitecOrgWithApps[]> => {
+  const {
+    credentials: { apiToken }
+  } = appConnection;
+  const response = await request.get<HumanitecOrg[]>(`${IntegrationUrls.HUMANITEC_API_URL}/orgs`, {
+    headers: {
+      Authorization: `Bearer ${apiToken}`
+    }
+  });
+
+  if (!response.data) {
+    throw new InternalServerError({
+      message: "Failed to get organizations: Response was empty"
+    });
+  }
+  const orgs = response.data;
+  const orgsWithApps: HumanitecOrgWithApps[] = [];
+
+  for (const org of orgs) {
+    // eslint-disable-next-line no-await-in-loop
+    const appsResponse = await request.get<HumanitecApp[]>(`${IntegrationUrls.HUMANITEC_API_URL}/orgs/${org.id}/apps`, {
+      headers: {
+        Authorization: `Bearer ${apiToken}`
+      }
+    });
+
+    if (appsResponse.data) {
+      const apps = appsResponse.data;
+      orgsWithApps.push({
+        ...org,
+        apps: apps.map((app) => ({
+          name: app.name,
+          id: app.id,
+          envs: app.envs
+        }))
+      });
+    }
+  }
+  return orgsWithApps;
+};
--- a/backend/src/services/app-connection/humanitec/humanitec-connection-schemas.ts
+++ b/backend/src/services/app-connection/humanitec/humanitec-connection-schemas.ts
@@ -0,0 +1,58 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { HumanitecConnectionMethod } from "./humanitec-connection-enums";
+
+export const HumanitecConnectionAccessTokenCredentialsSchema = z.object({
+  apiToken: z.string().trim().min(1, "API Token required")
+});
+
+const BaseHumanitecConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.Humanitec) });
+
+export const HumanitecConnectionSchema = BaseHumanitecConnectionSchema.extend({
+  method: z.literal(HumanitecConnectionMethod.API_TOKEN),
+  credentials: HumanitecConnectionAccessTokenCredentialsSchema
+});
+
+export const SanitizedHumanitecConnectionSchema = z.discriminatedUnion("method", [
+  BaseHumanitecConnectionSchema.extend({
+    method: z.literal(HumanitecConnectionMethod.API_TOKEN),
+    credentials: HumanitecConnectionAccessTokenCredentialsSchema.pick({})
+  })
+]);
+
+export const ValidateHumanitecConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z
+      .literal(HumanitecConnectionMethod.API_TOKEN)
+      .describe(AppConnections?.CREATE(AppConnection.Humanitec).method),
+    credentials: HumanitecConnectionAccessTokenCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.Humanitec).credentials
+    )
+  })
+]);
+
+export const CreateHumanitecConnectionSchema = ValidateHumanitecConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.Humanitec)
+);
+
+export const UpdateHumanitecConnectionSchema = z
+  .object({
+    credentials: HumanitecConnectionAccessTokenCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.Humanitec).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Humanitec));
+
+export const HumanitecConnectionListItemSchema = z.object({
+  name: z.literal("Humanitec"),
+  app: z.literal(AppConnection.Humanitec),
+  methods: z.nativeEnum(HumanitecConnectionMethod).array()
+});
--- a/backend/src/services/app-connection/humanitec/humanitec-connection-service.ts
+++ b/backend/src/services/app-connection/humanitec/humanitec-connection-service.ts
@@ -0,0 +1,29 @@
+import { logger } from "@app/lib/logger";
+import { OrgServiceActor } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import { listOrganizations as getHumanitecOrganizations } from "./humanitec-connection-fns";
+import { THumanitecConnection } from "./humanitec-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<THumanitecConnection>;
+
+export const humanitecConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+  const listOrganizations = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.Humanitec, connectionId, actor);
+    try {
+      const organizations = await getHumanitecOrganizations(appConnection);
+      return organizations;
+    } catch (error) {
+      logger.error(error, "Failed to establish connection with Humanitec");
+      return [];
+    }
+  };
+
+  return {
+    listOrganizations
+  };
+};
--- a/backend/src/services/app-connection/humanitec/humanitec-connection-types.ts
+++ b/backend/src/services/app-connection/humanitec/humanitec-connection-types.ts
@@ -0,0 +1,40 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CreateHumanitecConnectionSchema,
+  HumanitecConnectionSchema,
+  ValidateHumanitecConnectionCredentialsSchema
+} from "./humanitec-connection-schemas";
+
+export type THumanitecConnection = z.infer<typeof HumanitecConnectionSchema>;
+
+export type THumanitecConnectionInput = z.infer<typeof CreateHumanitecConnectionSchema> & {
+  app: AppConnection.Humanitec;
+};
+
+export type TValidateHumanitecConnectionCredentials = typeof ValidateHumanitecConnectionCredentialsSchema;
+
+export type THumanitecConnectionConfig = DiscriminativePick<
+  THumanitecConnectionInput,
+  "method" | "app" | "credentials"
+> & {
+  orgId: string;
+};
+
+export type HumanitecOrg = {
+  id: string;
+  name: string;
+};
+
+export type HumanitecApp = {
+  name: string;
+  id: string;
+  envs: { name: string; id: string }[];
+};
+
+export type HumanitecOrgWithApps = HumanitecOrg & {
+  apps: HumanitecApp[];
+};
--- a/backend/src/services/app-connection/humanitec/index.ts
+++ b/backend/src/services/app-connection/humanitec/index.ts
@@ -0,0 +1,4 @@
+export * from "./humanitec-connection-enums";
+export * from "./humanitec-connection-fns";
+export * from "./humanitec-connection-schemas";
+export * from "./humanitec-connection-types";
--- a/backend/src/services/certificate-authority/certificate-authority-service.ts
+++ b/backend/src/services/certificate-authority/certificate-authority-service.ts
@@ -2,7 +2,6 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import crypto, { KeyObject } from "crypto";
-import ms from "ms";
 import { z } from "zod";

 import { ActionProjectType, ProjectType, TCertificateAuthorities, TCertificateTemplates } from "@app/db/schemas";
@@ -10,6 +9,7 @@ import { TPermissionServiceFactory } from "@app/ee/services/permission/permissio
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { ms } from "@app/lib/ms";
 import { TCertificateBodyDALFactory } from "@app/services/certificate/certificate-body-dal";
 import { TCertificateDALFactory } from "@app/services/certificate/certificate-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
--- a/backend/src/services/certificate-template/certificate-template-fns.ts
+++ b/backend/src/services/certificate-template/certificate-template-fns.ts
@@ -1,7 +1,6 @@
-import ms from "ms";
-
 import { TCertificateTemplates } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";
+import { ms } from "@app/lib/ms";

 export const validateCertificateDetailsAgainstTemplate = (
  cert: {
--- a/backend/src/services/group-project/group-project-service.ts
+++ b/backend/src/services/group-project/group-project-service.ts
@@ -1,14 +1,17 @@
 import { ForbiddenError } from "@casl/ability";
-import ms from "ms";

 import { ActionProjectType, ProjectMembershipRole, SecretKeyEncoding, TGroups } from "@app/db/schemas";
+import {
+  constructPermissionErrorMessage,
+  validatePrivilegeChangeOperation
+} from "@app/ee/services/permission/permission-fns";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { ProjectPermissionGroupActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { decryptAsymmetric, encryptAsymmetric } from "@app/lib/crypto";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
+import { ms } from "@app/lib/ms";
 import { isUuidV4 } from "@app/lib/validator";

 import { TGroupDALFactory } from "../../ee/services/group/group-dal";
@@ -70,7 +73,7 @@ export const groupProjectServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Failed to find project with ID ${projectId}` });
    if (project.version < 2) throw new BadRequestError({ message: `Failed to add group to E2EE project` });

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
@@ -78,7 +81,7 @@ export const groupProjectServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.Any
    });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Create, ProjectPermissionSub.Groups);

    let group: TGroups | null = null;
    if (isUuidV4(groupIdOrName)) {
@@ -102,11 +105,21 @@ export const groupProjectServiceFactory = ({
        project.id
      );

-      const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
+      const permissionBoundary = validatePrivilegeChangeOperation(
+        membership.shouldUseNewPrivilegeSystem,
+        ProjectPermissionGroupActions.GrantPrivileges,
+        ProjectPermissionSub.Groups,
+        permission,
+        rolePermission
+      );
      if (!permissionBoundary.isValid)
-        throw new ForbiddenRequestError({
-          name: "PermissionBoundaryError",
-          message: "Failed to assign group to a more privileged role",
+        throw new PermissionBoundaryError({
+          message: constructPermissionErrorMessage(
+            "Failed to assign group to role",
+            membership.shouldUseNewPrivilegeSystem,
+            ProjectPermissionGroupActions.GrantPrivileges,
+            ProjectPermissionSub.Groups
+          ),
          details: { missingPermissions: permissionBoundary.missingPermissions }
        });
    }
@@ -248,7 +261,7 @@ export const groupProjectServiceFactory = ({

    if (!project) throw new NotFoundError({ message: `Failed to find project with ID ${projectId}` });

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
@@ -256,7 +269,7 @@ export const groupProjectServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.Any
    });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Edit, ProjectPermissionSub.Groups);

    const group = await groupDAL.findOne({ orgId: actorOrgId, id: groupId });
    if (!group) throw new NotFoundError({ message: `Failed to find group with ID ${groupId}` });
@@ -269,11 +282,21 @@ export const groupProjectServiceFactory = ({
        requestedRoleChange,
        project.id
      );
-      const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
+      const permissionBoundary = validatePrivilegeChangeOperation(
+        membership.shouldUseNewPrivilegeSystem,
+        ProjectPermissionGroupActions.GrantPrivileges,
+        ProjectPermissionSub.Groups,
+        permission,
+        rolePermission
+      );
      if (!permissionBoundary.isValid)
-        throw new ForbiddenRequestError({
-          name: "PermissionBoundaryError",
-          message: "Failed to assign group to a more privileged role",
+        throw new PermissionBoundaryError({
+          message: constructPermissionErrorMessage(
+            "Failed to assign group to role",
+            membership.shouldUseNewPrivilegeSystem,
+            ProjectPermissionGroupActions.GrantPrivileges,
+            ProjectPermissionSub.Groups
+          ),
          details: { missingPermissions: permissionBoundary.missingPermissions }
        });
    }
@@ -360,7 +383,7 @@ export const groupProjectServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.Any
    });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Delete, ProjectPermissionSub.Groups);

    const deletedProjectGroup = await groupProjectDAL.transaction(async (tx) => {
      const groupMembers = await userGroupMembershipDAL.findGroupMembersNotInProject(group.id, project.id, tx);
@@ -405,7 +428,7 @@ export const groupProjectServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.Any
    });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);

    const groupMemberships = await groupProjectDAL.findByProjectId(project.id);
    return groupMemberships;
@@ -433,7 +456,7 @@ export const groupProjectServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.Any
    });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);

    const [groupMembership] = await groupProjectDAL.findByProjectId(project.id, {
      groupId
--- a/backend/src/services/identity-access-token/identity-access-token-service.ts
+++ b/backend/src/services/identity-access-token/identity-access-token-service.ts
@@ -78,9 +78,7 @@ export const identityAccessTokenServiceFactory = ({
  const renewAccessToken = async ({ accessToken }: TRenewAccessTokenDTO) => {
    const appCfg = getConfig();

-    const decodedToken = jwt.verify(accessToken, appCfg.AUTH_SECRET) as JwtPayload & {
-      identityAccessTokenId: string;
-    };
+    const decodedToken = jwt.verify(accessToken, appCfg.AUTH_SECRET) as TIdentityAccessTokenJwtPayload;
    if (decodedToken.authTokenType !== AuthTokenType.IDENTITY_ACCESS_TOKEN) {
      throw new BadRequestError({ message: "Only identity access tokens can be renewed" });
    }
@@ -127,7 +125,23 @@ export const identityAccessTokenServiceFactory = ({
      accessTokenLastRenewedAt: new Date()
    });

-    return { accessToken, identityAccessToken: updatedIdentityAccessToken };
+    const renewedToken = jwt.sign(
+      {
+        identityId: decodedToken.identityId,
+        clientSecretId: decodedToken.clientSecretId,
+        identityAccessTokenId: decodedToken.identityAccessTokenId,
+        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
+      } as TIdentityAccessTokenJwtPayload,
+      appCfg.AUTH_SECRET,
+      // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
+      Number(identityAccessToken.accessTokenTTL) === 0
+        ? undefined
+        : {
+            expiresIn: Number(identityAccessToken.accessTokenTTL)
+          }
+    );
+
+    return { accessToken: renewedToken, identityAccessToken: updatedIdentityAccessToken };
  };

  const revokeAccessToken = async (accessToken: string) => {
--- a/backend/src/services/identity-access-token/identity-access-token-types.ts
+++ b/backend/src/services/identity-access-token/identity-access-token-types.ts
@@ -7,4 +7,9 @@ export type TIdentityAccessTokenJwtPayload = {
  clientSecretId: string;
  identityAccessTokenId: string;
  authTokenType: string;
+  identityAuth: {
+    oidc?: {
+      claims: Record<string, string>;
+    };
+  };
 };
--- a/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
+++ b/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
@@ -5,17 +5,21 @@ import jwt from "jsonwebtoken";

 import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { OrgPermissionIdentityActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import {
+  constructPermissionErrorMessage,
+  validatePrivilegeChangeOperation
+} from "@app/ee/services/permission/permission-fns";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError, PermissionBoundaryError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";

 import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
 import { TIdentityAwsAuthDALFactory } from "./identity-aws-auth-dal";
 import { extractPrincipalArn } from "./identity-aws-auth-fns";
 import {
@@ -149,8 +153,11 @@ export const identityAwsAuthServiceFactory = ({
    actorId,
    actorAuthMethod,
    actor,
-    actorOrgId
+    actorOrgId,
+    isActorSuperAdmin
  }: TAttachAwsAuthDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
+
    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });

@@ -171,7 +178,7 @@ export const identityAwsAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);

    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
@@ -250,7 +257,7 @@ export const identityAwsAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);

    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
@@ -304,7 +311,7 @@ export const identityAwsAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
    return { ...awsIdentityAuth, orgId: identityMembershipOrg.orgId };
  };

@@ -322,14 +329,14 @@ export const identityAwsAuthServiceFactory = ({
        message: "The identity does not have aws auth"
      });
    }
-    const { permission } = await permissionService.getOrgPermission(
+    const { permission, membership } = await permissionService.getOrgPermission(
      actor,
      actorId,
      identityMembershipOrg.orgId,
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);

    const { permission: rolePermission } = await permissionService.getOrgPermission(
      ActorType.IDENTITY,
@@ -339,11 +346,22 @@ export const identityAwsAuthServiceFactory = ({
      actorOrgId
    );

-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
+    const permissionBoundary = validatePrivilegeChangeOperation(
+      membership.shouldUseNewPrivilegeSystem,
+      OrgPermissionIdentityActions.RevokeAuth,
+      OrgPermissionSubjects.Identity,
+      permission,
+      rolePermission
+    );
+
    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to revoke aws auth of identity with more privileged role",
+      throw new PermissionBoundaryError({
+        message: constructPermissionErrorMessage(
+          "Failed to revoke aws auth of identity with more privileged role",
+          membership.shouldUseNewPrivilegeSystem,
+          OrgPermissionIdentityActions.RevokeAuth,
+          OrgPermissionSubjects.Identity
+        ),
        details: { missingPermissions: permissionBoundary.missingPermissions }
      });

--- a/backend/src/services/identity-aws-auth/identity-aws-auth-types.ts
+++ b/backend/src/services/identity-aws-auth/identity-aws-auth-types.ts
@@ -16,6 +16,7 @@ export type TAttachAwsAuthDTO = {
  accessTokenMaxTTL: number;
  accessTokenNumUsesLimit: number;
  accessTokenTrustedIps: { ipAddress: string }[];
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;

 export type TUpdateAwsAuthDTO = {
--- a/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts
+++ b/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts
@@ -3,17 +3,21 @@ import jwt from "jsonwebtoken";

 import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { OrgPermissionIdentityActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import {
+  constructPermissionErrorMessage,
+  validatePrivilegeChangeOperation
+} from "@app/ee/services/permission/permission-fns";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError, PermissionBoundaryError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";

 import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
 import { TIdentityAzureAuthDALFactory } from "./identity-azure-auth-dal";
 import { validateAzureIdentity } from "./identity-azure-auth-fns";
 import {
@@ -122,8 +126,11 @@ export const identityAzureAuthServiceFactory = ({
    actorId,
    actorAuthMethod,
    actor,
-    actorOrgId
+    actorOrgId,
+    isActorSuperAdmin
  }: TAttachAzureAuthDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
+
    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });

@@ -143,7 +150,7 @@ export const identityAzureAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);

    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
@@ -221,7 +228,7 @@ export const identityAzureAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);

    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
@@ -277,7 +284,7 @@ export const identityAzureAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);

    return { ...identityAzureAuth, orgId: identityMembershipOrg.orgId };
  };
@@ -296,14 +303,14 @@ export const identityAzureAuthServiceFactory = ({
        message: "The identity does not have azure auth"
      });
    }
-    const { permission } = await permissionService.getOrgPermission(
+    const { permission, membership } = await permissionService.getOrgPermission(
      actor,
      actorId,
      identityMembershipOrg.orgId,
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);

    const { permission: rolePermission } = await permissionService.getOrgPermission(
      ActorType.IDENTITY,
@@ -312,11 +319,21 @@ export const identityAzureAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
+    const permissionBoundary = validatePrivilegeChangeOperation(
+      membership.shouldUseNewPrivilegeSystem,
+      OrgPermissionIdentityActions.RevokeAuth,
+      OrgPermissionSubjects.Identity,
+      permission,
+      rolePermission
+    );
    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to revoke azure auth of identity with more privileged role",
+      throw new PermissionBoundaryError({
+        message: constructPermissionErrorMessage(
+          "Failed to revoke azure auth of identity with more privileged role",
+          membership.shouldUseNewPrivilegeSystem,
+          OrgPermissionIdentityActions.RevokeAuth,
+          OrgPermissionSubjects.Identity
+        ),
        details: { missingPermissions: permissionBoundary.missingPermissions }
      });

--- a/backend/src/services/identity-azure-auth/identity-azure-auth-types.ts
+++ b/backend/src/services/identity-azure-auth/identity-azure-auth-types.ts
@@ -14,6 +14,7 @@ export type TAttachAzureAuthDTO = {
  accessTokenMaxTTL: number;
  accessTokenNumUsesLimit: number;
  accessTokenTrustedIps: { ipAddress: string }[];
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;

 export type TUpdateAzureAuthDTO = {
--- a/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
+++ b/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
@@ -3,17 +3,21 @@ import jwt from "jsonwebtoken";

 import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { OrgPermissionIdentityActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import {
+  constructPermissionErrorMessage,
+  validatePrivilegeChangeOperation
+} from "@app/ee/services/permission/permission-fns";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError, PermissionBoundaryError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";

 import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
 import { TIdentityGcpAuthDALFactory } from "./identity-gcp-auth-dal";
 import { validateIamIdentity, validateIdTokenIdentity } from "./identity-gcp-auth-fns";
 import {
@@ -162,8 +166,11 @@ export const identityGcpAuthServiceFactory = ({
    actorId,
    actorAuthMethod,
    actor,
-    actorOrgId
+    actorOrgId,
+    isActorSuperAdmin
  }: TAttachGcpAuthDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
+
    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });

@@ -184,7 +191,7 @@ export const identityGcpAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);

    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
@@ -264,7 +271,7 @@ export const identityGcpAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);

    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
@@ -322,7 +329,7 @@ export const identityGcpAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);

    return { ...identityGcpAuth, orgId: identityMembershipOrg.orgId };
  };
@@ -342,14 +349,14 @@ export const identityGcpAuthServiceFactory = ({
        message: "The identity does not have gcp auth"
      });
    }
-    const { permission } = await permissionService.getOrgPermission(
+    const { permission, membership } = await permissionService.getOrgPermission(
      actor,
      actorId,
      identityMembershipOrg.orgId,
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);

    const { permission: rolePermission } = await permissionService.getOrgPermission(
      ActorType.IDENTITY,
@@ -358,11 +365,21 @@ export const identityGcpAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
+    const permissionBoundary = validatePrivilegeChangeOperation(
+      membership.shouldUseNewPrivilegeSystem,
+      OrgPermissionIdentityActions.RevokeAuth,
+      OrgPermissionSubjects.Identity,
+      permission,
+      rolePermission
+    );
    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to revoke gcp auth of identity with more privileged role",
+      throw new PermissionBoundaryError({
+        message: constructPermissionErrorMessage(
+          "Failed to revoke gcp auth of identity with more privileged role",
+          membership.shouldUseNewPrivilegeSystem,
+          OrgPermissionIdentityActions.RevokeAuth,
+          OrgPermissionSubjects.Identity
+        ),
        details: { missingPermissions: permissionBoundary.missingPermissions }
      });

--- a/backend/src/services/identity-gcp-auth/identity-gcp-auth-types.ts
+++ b/backend/src/services/identity-gcp-auth/identity-gcp-auth-types.ts
@@ -15,6 +15,7 @@ export type TAttachGcpAuthDTO = {
  accessTokenMaxTTL: number;
  accessTokenNumUsesLimit: number;
  accessTokenTrustedIps: { ipAddress: string }[];
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;

 export type TUpdateGcpAuthDTO = {
--- a/backend/src/services/identity-jwt-auth/identity-jwt-auth-service.ts
+++ b/backend/src/services/identity-jwt-auth/identity-jwt-auth-service.ts
@@ -5,12 +5,22 @@ import { JwksClient } from "jwks-rsa";

 import { IdentityAuthMethod, TIdentityJwtAuthsUpdate } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { OrgPermissionIdentityActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import {
+  constructPermissionErrorMessage,
+  validatePrivilegeChangeOperation
+} from "@app/ee/services/permission/permission-fns";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
+import {
+  BadRequestError,
+  ForbiddenRequestError,
+  NotFoundError,
+  PermissionBoundaryError,
+  UnauthorizedError
+} from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
+import { getStringValueByDot } from "@app/lib/template/dot-access";

 import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
@@ -18,6 +28,7 @@ import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identit
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
 import { TKmsServiceFactory } from "../kms/kms-service";
 import { KmsDataKey } from "../kms/kms-types";
+import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
 import { TIdentityJwtAuthDALFactory } from "./identity-jwt-auth-dal";
 import { doesFieldValueMatchJwtPolicy } from "./identity-jwt-auth-fns";
 import {
@@ -177,8 +188,9 @@ export const identityJwtAuthServiceFactory = ({
    if (identityJwtAuth.boundClaims) {
      Object.keys(identityJwtAuth.boundClaims).forEach((claimKey) => {
        const claimValue = (identityJwtAuth.boundClaims as Record<string, string>)[claimKey];
+        const value = getStringValueByDot(tokenData, claimKey) || "";

-        if (!tokenData[claimKey]) {
+        if (!value) {
          throw new UnauthorizedError({
            message: `Access denied: token has no ${claimKey} field`
          });
@@ -248,8 +260,11 @@ export const identityJwtAuthServiceFactory = ({
    actorId,
    actorAuthMethod,
    actor,
-    actorOrgId
+    actorOrgId,
+    isActorSuperAdmin
  }: TAttachJwtAuthDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
+
    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
    if (!identityMembershipOrg) {
      if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
@@ -272,7 +287,7 @@ export const identityJwtAuthServiceFactory = ({
      actorOrgId
    );

-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);

    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
@@ -375,7 +390,7 @@ export const identityJwtAuthServiceFactory = ({
      actorOrgId
    );

-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);

    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
@@ -464,7 +479,7 @@ export const identityJwtAuthServiceFactory = ({
      actorOrgId
    );

-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);

    const identityJwtAuth = await identityJwtAuthDAL.findOne({ identityId });

@@ -498,7 +513,7 @@ export const identityJwtAuthServiceFactory = ({
      });
    }

-    const { permission } = await permissionService.getOrgPermission(
+    const { permission, membership } = await permissionService.getOrgPermission(
      actor,
      actorId,
      identityMembershipOrg.orgId,
@@ -506,7 +521,7 @@ export const identityJwtAuthServiceFactory = ({
      actorOrgId
    );

-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);

    const { permission: rolePermission } = await permissionService.getOrgPermission(
      ActorType.IDENTITY,
@@ -516,11 +531,21 @@ export const identityJwtAuthServiceFactory = ({
      actorOrgId
    );

-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
+    const permissionBoundary = validatePrivilegeChangeOperation(
+      membership.shouldUseNewPrivilegeSystem,
+      OrgPermissionIdentityActions.RevokeAuth,
+      OrgPermissionSubjects.Identity,
+      permission,
+      rolePermission
+    );
    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to revoke jwt auth of identity with more privileged role",
+      throw new PermissionBoundaryError({
+        message: constructPermissionErrorMessage(
+          "Failed to revoke jwt auth of identity with more privileged role",
+          membership.shouldUseNewPrivilegeSystem,
+          OrgPermissionIdentityActions.RevokeAuth,
+          OrgPermissionSubjects.Identity
+        ),
        details: { missingPermissions: permissionBoundary.missingPermissions }
      });

--- a/backend/src/services/identity-jwt-auth/identity-jwt-auth-types.ts
+++ b/backend/src/services/identity-jwt-auth/identity-jwt-auth-types.ts
@@ -19,6 +19,7 @@ export type TAttachJwtAuthDTO = {
  accessTokenMaxTTL: number;
  accessTokenNumUsesLimit: number;
  accessTokenTrustedIps: { ipAddress: string }[];
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;

 export type TUpdateJwtAuthDTO = {
--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
@@ -5,11 +5,14 @@ import jwt from "jsonwebtoken";

 import { IdentityAuthMethod, TIdentityKubernetesAuthsUpdate } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { OrgPermissionIdentityActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import {
+  constructPermissionErrorMessage,
+  validatePrivilegeChangeOperation
+} from "@app/ee/services/permission/permission-fns";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError, PermissionBoundaryError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";

 import { ActorType, AuthTokenType } from "../auth/auth-type";
@@ -18,6 +21,7 @@ import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identit
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
 import { TKmsServiceFactory } from "../kms/kms-service";
 import { KmsDataKey } from "../kms/kms-types";
+import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
 import { TIdentityKubernetesAuthDALFactory } from "./identity-kubernetes-auth-dal";
 import { extractK8sUsername } from "./identity-kubernetes-auth-fns";
 import {
@@ -101,7 +105,8 @@ export const identityKubernetesAuthServiceFactory = ({
            "Content-Type": "application/json",
            Authorization: `Bearer ${tokenReviewerJwt}`
          },
-
+          signal: AbortSignal.timeout(10000),
+          timeout: 10000,
          // if ca cert, rejectUnauthorized: true
          httpsAgent: new https.Agent({
            ca: caCert,
@@ -227,8 +232,11 @@ export const identityKubernetesAuthServiceFactory = ({
    actorId,
    actorAuthMethod,
    actor,
-    actorOrgId
+    actorOrgId,
+    isActorSuperAdmin
  }: TAttachKubernetesAuthDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
+
    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });

@@ -249,7 +257,7 @@ export const identityKubernetesAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);

    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
@@ -340,7 +348,7 @@ export const identityKubernetesAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);

    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
@@ -434,7 +442,7 @@ export const identityKubernetesAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);

    const { decryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.Organization,
@@ -471,14 +479,14 @@ export const identityKubernetesAuthServiceFactory = ({
        message: "The identity does not have kubernetes auth"
      });
    }
-    const { permission } = await permissionService.getOrgPermission(
+    const { permission, membership } = await permissionService.getOrgPermission(
      actor,
      actorId,
      identityMembershipOrg.orgId,
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);

    const { permission: rolePermission } = await permissionService.getOrgPermission(
      ActorType.IDENTITY,
@@ -487,11 +495,21 @@ export const identityKubernetesAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
+    const permissionBoundary = validatePrivilegeChangeOperation(
+      membership.shouldUseNewPrivilegeSystem,
+      OrgPermissionIdentityActions.RevokeAuth,
+      OrgPermissionSubjects.Identity,
+      permission,
+      rolePermission
+    );
    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to revoke kubernetes auth of identity with more privileged role",
+      throw new PermissionBoundaryError({
+        message: constructPermissionErrorMessage(
+          "Failed to revoke kubernetes auth of identity with more privileged role",
+          membership.shouldUseNewPrivilegeSystem,
+          OrgPermissionIdentityActions.RevokeAuth,
+          OrgPermissionSubjects.Identity
+        ),
        details: { missingPermissions: permissionBoundary.missingPermissions }
      });

--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-types.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-types.ts
@@ -17,6 +17,7 @@ export type TAttachKubernetesAuthDTO = {
  accessTokenMaxTTL: number;
  accessTokenNumUsesLimit: number;
  accessTokenTrustedIps: { ipAddress: string }[];
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;

 export type TUpdateKubernetesAuthDTO = {
--- a/backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts
+++ b/backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts
@@ -6,12 +6,22 @@ import { JwksClient } from "jwks-rsa";

 import { IdentityAuthMethod, TIdentityOidcAuthsUpdate } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { OrgPermissionIdentityActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import {
+  constructPermissionErrorMessage,
+  validatePrivilegeChangeOperation
+} from "@app/ee/services/permission/permission-fns";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
+import {
+  BadRequestError,
+  ForbiddenRequestError,
+  NotFoundError,
+  PermissionBoundaryError,
+  UnauthorizedError
+} from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
+import { getStringValueByDot } from "@app/lib/template/dot-access";

 import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
@@ -19,6 +29,7 @@ import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identit
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
 import { TKmsServiceFactory } from "../kms/kms-service";
 import { KmsDataKey } from "../kms/kms-types";
+import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
 import { TIdentityOidcAuthDALFactory } from "./identity-oidc-auth-dal";
 import { doesAudValueMatchOidcPolicy, doesFieldValueMatchOidcPolicy } from "./identity-oidc-auth-fns";
 import {
@@ -77,7 +88,7 @@ export const identityOidcAuthServiceFactory = ({
    const { data: discoveryDoc } = await axios.get<{ jwks_uri: string }>(
      `${identityOidcAuth.oidcDiscoveryUrl}/.well-known/openid-configuration`,
      {
-        httpsAgent: requestAgent
+        httpsAgent: identityOidcAuth.oidcDiscoveryUrl.includes("https") ? requestAgent : undefined
      }
    );
    const jwksUri = discoveryDoc.jwks_uri;
@@ -91,7 +102,7 @@ export const identityOidcAuthServiceFactory = ({

    const client = new JwksClient({
      jwksUri,
-      requestAgent
+      requestAgent: identityOidcAuth.oidcDiscoveryUrl.includes("https") ? requestAgent : undefined
    });

    const { kid } = decodedToken.header;
@@ -108,7 +119,6 @@ export const identityOidcAuthServiceFactory = ({
          message: `Access denied: ${error.message}`
        });
      }
-
      throw error;
    }

@@ -135,10 +145,16 @@ export const identityOidcAuthServiceFactory = ({
    if (identityOidcAuth.boundClaims) {
      Object.keys(identityOidcAuth.boundClaims).forEach((claimKey) => {
        const claimValue = (identityOidcAuth.boundClaims as Record<string, string>)[claimKey];
+        const value = getStringValueByDot(tokenData, claimKey) || "";
+
+        if (!value) {
+          throw new UnauthorizedError({
+            message: `Access denied: token has no ${claimKey} field`
+          });
+        }
+
        // handle both single and multi-valued claims
-        if (
-          !claimValue.split(", ").some((claimEntry) => doesFieldValueMatchOidcPolicy(tokenData[claimKey], claimEntry))
-        ) {
+        if (!claimValue.split(", ").some((claimEntry) => doesFieldValueMatchOidcPolicy(value, claimEntry))) {
          throw new UnauthorizedError({
            message: "Access denied: OIDC claim not allowed."
          });
@@ -146,6 +162,20 @@ export const identityOidcAuthServiceFactory = ({
      });
    }

+    const filteredClaims: Record<string, string> = {};
+    if (identityOidcAuth.claimMetadataMapping) {
+      Object.keys(identityOidcAuth.claimMetadataMapping).forEach((permissionKey) => {
+        const claimKey = (identityOidcAuth.claimMetadataMapping as Record<string, string>)[permissionKey];
+        const value = getStringValueByDot(tokenData, claimKey) || "";
+        if (!value) {
+          throw new UnauthorizedError({
+            message: `Access denied: token has no ${claimKey} field`
+          });
+        }
+        filteredClaims[permissionKey] = value;
+      });
+    }
+
    const identityAccessToken = await identityOidcAuthDAL.transaction(async (tx) => {
      const newToken = await identityAccessTokenDAL.create(
        {
@@ -167,7 +197,12 @@ export const identityOidcAuthServiceFactory = ({
      {
        identityId: identityOidcAuth.identityId,
        identityAccessTokenId: identityAccessToken.id,
-        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
+        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN,
+        identityAuth: {
+          oidc: {
+            claims: filteredClaims
+          }
+        }
      } as TIdentityAccessTokenJwtPayload,
      appCfg.AUTH_SECRET,
      // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
@@ -188,6 +223,7 @@ export const identityOidcAuthServiceFactory = ({
    boundIssuer,
    boundAudiences,
    boundClaims,
+    claimMetadataMapping,
    boundSubject,
    accessTokenTTL,
    accessTokenMaxTTL,
@@ -196,8 +232,10 @@ export const identityOidcAuthServiceFactory = ({
    actorId,
    actorAuthMethod,
    actor,
-    actorOrgId
+    actorOrgId,
+    isActorSuperAdmin
  }: TAttachOidcAuthDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
    if (!identityMembershipOrg) {
      if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
@@ -220,7 +258,7 @@ export const identityOidcAuthServiceFactory = ({
      actorOrgId
    );

-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);

    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
@@ -254,6 +292,7 @@ export const identityOidcAuthServiceFactory = ({
          boundIssuer,
          boundAudiences,
          boundClaims,
+          claimMetadataMapping,
          boundSubject,
          accessTokenMaxTTL,
          accessTokenTTL,
@@ -274,6 +313,7 @@ export const identityOidcAuthServiceFactory = ({
    boundIssuer,
    boundAudiences,
    boundClaims,
+    claimMetadataMapping,
    boundSubject,
    accessTokenTTL,
    accessTokenMaxTTL,
@@ -310,7 +350,7 @@ export const identityOidcAuthServiceFactory = ({
      actorOrgId
    );

-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);

    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
@@ -335,6 +375,7 @@ export const identityOidcAuthServiceFactory = ({
      boundIssuer,
      boundAudiences,
      boundClaims,
+      claimMetadataMapping,
      boundSubject,
      accessTokenMaxTTL,
      accessTokenTTL,
@@ -382,7 +423,7 @@ export const identityOidcAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);

    const identityOidcAuth = await identityOidcAuthDAL.findOne({ identityId });

@@ -410,7 +451,7 @@ export const identityOidcAuthServiceFactory = ({
      });
    }

-    const { permission } = await permissionService.getOrgPermission(
+    const { permission, membership } = await permissionService.getOrgPermission(
      actor,
      actorId,
      identityMembershipOrg.orgId,
@@ -418,7 +459,7 @@ export const identityOidcAuthServiceFactory = ({
      actorOrgId
    );

-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);

    const { permission: rolePermission } = await permissionService.getOrgPermission(
      ActorType.IDENTITY,
@@ -428,11 +469,22 @@ export const identityOidcAuthServiceFactory = ({
      actorOrgId
    );

-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
+    const permissionBoundary = validatePrivilegeChangeOperation(
+      membership.shouldUseNewPrivilegeSystem,
+      OrgPermissionIdentityActions.RevokeAuth,
+      OrgPermissionSubjects.Identity,
+      permission,
+      rolePermission
+    );
+
    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to revoke oidc auth of identity with more privileged role",
+      throw new PermissionBoundaryError({
+        message: constructPermissionErrorMessage(
+          "Failed to revoke oidc auth of identity with more privileged role",
+          membership.shouldUseNewPrivilegeSystem,
+          OrgPermissionIdentityActions.RevokeAuth,
+          OrgPermissionSubjects.Identity
+        ),
        details: { missingPermissions: permissionBoundary.missingPermissions }
      });

--- a/backend/src/services/identity-oidc-auth/identity-oidc-auth-types.ts
+++ b/backend/src/services/identity-oidc-auth/identity-oidc-auth-types.ts
@@ -7,11 +7,13 @@ export type TAttachOidcAuthDTO = {
  boundIssuer: string;
  boundAudiences: string;
  boundClaims: Record<string, string>;
+  claimMetadataMapping?: Record<string, string>;
  boundSubject: string;
  accessTokenTTL: number;
  accessTokenMaxTTL: number;
  accessTokenNumUsesLimit: number;
  accessTokenTrustedIps: { ipAddress: string }[];
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;

 export type TUpdateOidcAuthDTO = {
@@ -21,6 +23,7 @@ export type TUpdateOidcAuthDTO = {
  boundIssuer?: string;
  boundAudiences?: string;
  boundClaims?: Record<string, string>;
+  claimMetadataMapping?: Record<string, string>;
  boundSubject?: string;
  accessTokenTTL?: number;
  accessTokenMaxTTL?: number;
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Sheen Capadngan	73b5ca5b4f	Merge branch 'misc/privilege-management-v2-transition' of https://github.com/Infisical/infisical into misc/privilege-management-v2-transition	2025-03-27 13:26:57 +08:00
Sheen Capadngan	a1318d54b1	misc: added no access exemption	2025-03-27 13:26:30 +08:00
Sheen	44afe2fc1d	misc: finalized docs	2025-03-27 04:54:19 +00:00
Sheen Capadngan	956d0f6c5d	misc: review comments	2025-03-27 12:17:36 +08:00
Maidul Islam	c376add0fa	Make the model look simpler	2025-03-26 21:41:07 -04:00
Sheen Capadngan	67a0e5ae68	misc: addressed comments	2025-03-26 23:28:49 +08:00
Sheen Capadngan	6ebc766308	misc: added actor indication	2025-03-21 19:07:33 +08:00
Sheen Capadngan	6f9a66a0d7	misc: finalized error message	2025-03-21 18:48:02 +08:00
Sheen Capadngan	cca7b68dd0	misc: reverted a few updates	2025-03-21 18:14:59 +08:00
Sheen Capadngan	ab39f13e03	misc: added reference to permission docs	2025-03-21 17:45:56 +08:00
Sheen Capadngan	07bd527cc1	Merge remote-tracking branch 'origin/main' into misc/privilege-management-v2-transition	2025-03-21 00:19:17 +08:00
Daniel Hougaard	f7cf2bb78f	Merge pull request #3278 from Infisical/daniel/kubernetes-hsm-docs docs(hsm): kubernetes deployment docs	2025-03-20 03:25:48 +04:00
Daniel Hougaard	ff24e76a32	docs(hsm): kubernetes deployment docs, requested changes	2025-03-20 02:59:07 +04:00
Maidul Islam	6ac802b6c9	Merge pull request #3280 from akhilmhdh/fix/patch-4 feat: added k8s abort	2025-03-19 18:01:18 -04:00
=	ff92e00503	feat: added k8s abort	2025-03-20 03:29:40 +05:30
Maidul Islam	b20474c505	Merge pull request #3279 from akhilmhdh/fix/patch-4 feat: added log and updated license ttl to 5min	2025-03-19 17:11:12 -04:00
=	e19ffc91c6	feat: added more log	2025-03-20 02:40:37 +05:30
=	61eb66efca	feat: added log and updated license ttl to 5min	2025-03-20 02:36:26 +05:30
Sheen	fa7843983f	Merge branch 'misc/privilege-management-v2-transition' of https://github.com/Infisical/infisical into misc/privilege-management-v2-transition	2025-03-19 20:00:18 +00:00
Sheen	2d5b7afda7	misc: finalized permission docs	2025-03-19 19:59:50 +00:00
Daniel Hougaard	15999daa24	docs(hsm): kubernetes deployment docs	2025-03-19 23:02:39 +04:00
Daniel Hougaard	ec31211bca	Merge pull request #3277 from Infisical/daniel/fix-helm-required-field fix(k8s): remove required field from helm	2025-03-19 21:31:45 +04:00
Daniel Hougaard	0ecf6044d9	fix(k8s): remove required field from helm	2025-03-19 20:50:28 +04:00
carlosmonastyrski	6c512f47bf	Merge pull request #3274 from Infisical/fix/bulkDeleteSecretIncorrectPermissions Bulk Delete Secret Incorrectly says lacking permission	2025-03-19 12:30:19 -03:00
carlosmonastyrski	33b135f02c	Merge pull request #3275 from Infisical/fix/universalAuthDocApiUrlImprovement Universal Auth doc improvement to show US/EU API URLs	2025-03-19 11:10:23 -03:00
carlosmonastyrski	eed7cc6408	Add tip to universal auth doc to show US/EU API URLs	2025-03-19 10:49:33 -03:00
Sheen	440ada464f	Merge pull request #3259 from Infisical/feat/automated-instance-bootstrapping feat: automated bootstrapping	2025-03-19 21:40:55 +08:00
Sheen Capadngan	4f08801ae8	misc: made warning banner less intimidating	2025-03-19 20:13:25 +08:00
carlosmonastyrski	6b7abbbeb9	Return accum if no entry is found for env.slug on secretsToDelete to avoid losing reducer process due to permission.can	2025-03-19 09:10:15 -03:00
Sheen Capadngan	cfe2bbe125	misc: added new property to the pick org	2025-03-19 20:05:45 +08:00
Sheen Capadngan	29dcf229d8	Merge remote-tracking branch 'origin/main' into misc/privilege-management-v2-transition	2025-03-19 19:51:41 +08:00
carlosmonastyrski	3944e20a5b	Merge pull request #3257 from Infisical/feat/addFileImportToSecretSetCLI Add file option to secret set CLI command to retrieve secrets from .env or .yaml files	2025-03-19 08:01:11 -03:00
Sheen	2079913511	misc: final doc updates	2025-03-19 08:08:11 +00:00
Sheen Capadngan	049f0f56a0	misc: added env support for the other cli flags	2025-03-19 15:44:56 +08:00
BlackMagiq	9ad725fd6c	Merge pull request #3271 from Infisical/vmatsiiako-patch-cure53-1 Update security.mdx	2025-03-18 19:37:29 -07:00
Vlad Matsiiako	9a954c8f15	Update security.mdx	2025-03-18 19:32:26 -07:00
Daniel Hougaard	81a64d081c	Merge pull request #3270 from Infisical/daniel/helm-custom-volume-support feat(helm): custom volume support	2025-03-19 06:22:59 +04:00
Daniel Hougaard	43804f62e6	Update CHANGELOG.md	2025-03-19 06:18:48 +04:00
Daniel Hougaard	67089af17a	feat(helm): custom volume support	2025-03-19 05:39:00 +04:00
Maidul Islam	d83240749f	Merge pull request #3265 from Infisical/minor-changes Minor changes to oidc claims and mappings	2025-03-18 17:22:51 -04:00
Maidul Islam	36144d8c42	add proper docs	2025-03-18 17:21:48 -04:00
Sheen Capadngan	4478dc8659	misc: minor header label updates	2025-03-19 03:05:50 +08:00
Sheen	510ddf2b1a	misc: add machine identity server admin image	2025-03-18 19:05:23 +00:00
Sheen	5363f8c6ff	misc: doc updates	2025-03-18 18:45:43 +00:00
Sheen	7d9de6acba	Merge branch 'feat/automated-instance-bootstrapping' of https://github.com/Infisical/infisical into feat/automated-instance-bootstrapping	2025-03-18 18:37:42 +00:00
Sheen	bac944133a	doc: finalized response schema	2025-03-18 18:36:42 +00:00
Sheen Capadngan	f059d65b45	misc: finalized response	2025-03-19 02:26:51 +08:00
=	c487b2b34a	feat: updated doc	2025-03-18 23:44:50 +05:30
Sheen Capadngan	015a193330	misc: added support for removing instance admin access of users	2025-03-19 02:13:24 +08:00
=	8e20531b40	feat: changed key to be required	2025-03-18 23:05:31 +05:30
Sheen Capadngan	d91add2e7b	misc: added return statements	2025-03-18 23:49:40 +08:00
=	8ead2aa774	feat: updated documentation on identity oidc auth permission	2025-03-18 20:54:12 +05:30
=	1b2128e3cc	feat: updated code to auth field in permission for identity	2025-03-18 20:53:51 +05:30
Sheen Capadngan	6d72524896	misc: addressed typo	2025-03-18 23:15:48 +08:00
Sheen	1ec11d5963	doc: added docs	2025-03-18 14:43:19 +00:00
carlosmonastyrski	ad6f285b59	Throw if file and args secrets are used on secret set command	2025-03-18 09:58:10 -03:00
carlosmonastyrski	d4842dd273	Improve secret set --file message and make it mutually exclusive with manual secrets args	2025-03-18 08:32:31 -03:00
Maidul Islam	78f83cb478	remove default open	2025-03-17 21:51:47 -04:00
Maidul Islam	c8a871de7c	fix lint	2025-03-17 19:47:08 -04:00
Maidul Islam	64c0951df3	add new line so there is no change	2025-03-17 19:38:50 -04:00
Maidul Islam	c185414a3c	bring back .env example	2025-03-17 19:38:05 -04:00
Maidul Islam	f9695741f1	Minor changes to oidc claims and mappings - Made the claims expanded by default (it looked off when they were closed) - Moved claims from advanced to geneal tab and kept the mapping in the advanced tab - Added better description for the tooltip question: i feel like it would be better to access metadata like: `{{identity.auth.oidc.claim.<...>}}` instead of like how it is now: `{{identity.metadata.auth.oidc.claim.<...>}}`? What do you think	2025-03-17 19:36:40 -04:00
Scott Wilson	b7c4b11260	Merge pull request #3246 from Infisical/disable-delete-sync-option Feature: Disable Secret Deletion Sync Option	2025-03-17 15:16:55 -07:00
Scott Wilson	81f3613393	improvements: address feedback	2025-03-17 15:10:36 -07:00
Maidul Islam	a7fe79c046	Merge pull request #3242 from akhilmhdh/feat/metadata-oidc Feat/metadata OIDC	2025-03-17 16:55:50 -04:00
Sheen Capadngan	ed6306747a	feat: add support for removing instance admin permission from identity	2025-03-18 03:00:54 +08:00
Sheen Capadngan	64569ab44b	feat: added bootstrap to CLI	2025-03-18 02:27:42 +08:00
=	9eb89bb46d	fix: null causing ui error	2025-03-17 23:52:11 +05:30
=	c4da1ce32d	feat: resolved PR feedbacks	2025-03-17 23:38:24 +05:30
Sheen Capadngan	2d1d6f5ce8	misc: added privilege escalation checks	2025-03-18 01:20:01 +08:00
carlosmonastyrski	add97c9b38	Merge pull request #3241 from Infisical/feat/addDynamicSecretsToOverview Add dynamic secrets modal form on secrets overview page	2025-03-17 13:14:22 -03:00
Maidul Islam	768ba4f4dc	Merge pull request #3261 from Infisical/revert-3238-feat/ENG-2320-echo-environment-being-used-in-cli Revert "feat: confirm environment exists when running `run` command"	2025-03-17 12:09:39 -04:00
Maidul Islam	18c32d872c	Revert "feat: confirm environment exists when running `run` command"	2025-03-17 12:06:35 -04:00
Akhil Mohan	1fd40ab6ab	Merge pull request #3260 from akhilmhdh/fix/gateway-migration fix: corrected table name check in migration	2025-03-17 21:31:00 +05:30
=	9d258f57ce	fix: corrected table name check in migration	2025-03-17 21:28:50 +05:30
Scott Wilson	45ccbaf4c9	Merge pull request #3243 from Infisical/gcp-sync-handle-destroyed-values Fix: Handle Disabled/Destroyed Values in GCP Sync	2025-03-17 08:41:52 -07:00
Sheen Capadngan	6ef358b172	feat: initialize base	2025-03-17 22:35:37 +08:00
carlosmonastyrski	838c1af448	Add file option to secret set CLI command to retrieve secrets from .env or .yaml files	2025-03-17 09:51:21 -03:00
Maidul Islam	8de7261c9a	Update docs	2025-03-16 19:46:21 -04:00
Daniel Hougaard	67b1b79fe3	Merge pull request #3253 from Infisical/daniel/bump-helm chore: bump helm	2025-03-17 00:28:19 +04:00
Daniel Hougaard	31477f4d2b	chore: bump helm	2025-03-17 00:21:35 +04:00
Daniel Hougaard	f200372d74	Merge pull request #3252 from Infisical/daniel/patch-k8s-install fix: k8s installation failing	2025-03-17 00:11:18 +04:00
Daniel Hougaard	f955b68519	Update infisicalsecret-crd.yaml	2025-03-17 00:03:53 +04:00
Maidul Islam	9269b63943	Merge pull request #3248 from kanad13/patch-2 Grammar fixes to local-development.mdx	2025-03-15 12:09:07 -04:00
Maidul Islam	8f96653273	Merge pull request #3247 from Infisical/address-saml-cve Upgrade passport/saml to 5.0	2025-03-15 12:07:33 -04:00
=	7dffc08eba	feat: resolved type error	2025-03-15 21:32:52 +05:30
Kunal Pathak	126b0ce7e7	Grammar fixes to local-development.mdx	2025-03-15 13:15:40 +01:00
=	0b71f7f297	fix: resolved idpCert rename	2025-03-15 12:57:45 +05:30
carlosmonastyrski	e53439d586	Improvements on dynamic secrets overview	2025-03-14 23:18:57 -03:00
Maidul Islam	c86e508817	upgrade to saml 5.0	2025-03-14 21:17:57 -04:00
Maidul Islam	6426b85c1e	Upgrade passport/saml to 5.0 This addresses the breaking changes in 5.0 listed here https://github.com/node-saml/node-saml/blob/v5.0.0/CHANGELOG.md#-major-changes Todo: test with existing saml workflow	2025-03-14 21:16:42 -04:00
Scott Wilson	cc7d0d752f	improvement: improve tooltip description	2025-03-14 15:30:31 -07:00
Scott Wilson	b89212a0c9	improvement: improve property description	2025-03-14 15:27:47 -07:00
Scott Wilson	d4c69d8e5d	feature: disable secret deletion sync option	2025-03-14 15:24:21 -07:00
Maidul Islam	3d6da1e548	Merge pull request #3245 from Infisical/revert-3244-fix-saml-cve Revert "Address SAML CVE"	2025-03-14 17:58:06 -04:00
Maidul Islam	7e46fe8148	Revert "Address SAML CVE"	2025-03-14 17:57:48 -04:00
Maidul Islam	3756a1901d	Merge pull request #3244 from Infisical/fix-saml-cve Main	2025-03-14 16:35:35 -04:00
Maidul Islam	9c8adf75ec	Main Address SAML CVE in https://workos.com/blog/samlstorm	2025-03-14 16:35:23 -04:00
carlosmonastyrski	f461eaa432	Merge pull request #3221 from Infisical/feat/allowShareToAnyoneEdition Feat/allow share to anyone edition	2025-03-14 17:06:49 -03:00
carlosmonastyrski	a1fbc140ee	Merge pull request #3235 from Infisical/feat/addHumanitecIntegration Add Humanitec secret sync integration	2025-03-14 16:55:53 -03:00
carlosmonastyrski	ea27870ce3	Move useOrganization outside ShareSecretForm as it's used on a public page	2025-03-14 16:12:40 -03:00
Scott Wilson	48943b4d78	improvement: refine status check	2025-03-14 11:26:59 -07:00
Scott Wilson	fd1afc2cbe	fix: handle disabled/destroyed values in gcp sync	2025-03-14 11:04:49 -07:00
carlosmonastyrski	6905029455	Change overview dynamic secret creation modal to set only one env	2025-03-14 14:59:19 -03:00
Sheen Capadngan	3741201b87	misc: update legacy system description	2025-03-15 01:55:57 +08:00
carlosmonastyrski	e89fb33981	Add missing docs for humanitec app connection endpoints	2025-03-14 14:21:56 -03:00
=	2ef77c737a	feat: added a simple oidc server	2025-03-14 22:11:23 +05:30
=	0f31fa3128	feat: updated form for oidc auth	2025-03-14 22:11:23 +05:30
=	1da5a5f417	feat: completed backend code for oidc permission inject	2025-03-14 22:11:22 +05:30
Daniel Hougaard	5ebf142e3e	Merge pull request #3239 from Infisical/daniel/k8s-config-map feat(k8s): configmap support	2025-03-14 20:01:52 +04:00
carlosmonastyrski	94d7d2b029	Fix call of onCompleted after all promises are resolved	2025-03-14 12:44:49 -03:00
carlosmonastyrski	e39d1a0530	Fix call of onCompleted after all promises are resolved	2025-03-14 12:26:20 -03:00
carlosmonastyrski	4c5f3859d6	Add dynamic secrets modal form on secrets overview page	2025-03-14 11:59:13 -03:00
carlosmonastyrski	16866d46bf	Fix edge case for delete humanitec secret and improvements on docs	2025-03-14 09:27:21 -03:00
carlosmonastyrski	4f4764dfcd	Fix rebase issue with deleted files	2025-03-14 08:54:14 -03:00
Daniel Hougaard	bdceea4c91	requested changes	2025-03-14 06:59:04 +04:00
Daniel Hougaard	32fa6866e4	Merge pull request #3238 from Infisical/feat/ENG-2320-echo-environment-being-used-in-cli feat: confirm environment exists when running `run` command	2025-03-14 03:58:05 +04:00
Daniel Hougaard	b4faef797c	fix: address comment	2025-03-14 03:47:25 +04:00
Mahyar Mirrashed	08732cab62	refactor(projects): move rest api call directly into run command module	2025-03-13 16:36:41 -07:00
Mahyar Mirrashed	81d5f639ae	revert: "refactor: clean smelly code" This reverts commit `c04b97c689`.	2025-03-13 16:33:26 -07:00
Daniel Hougaard	25b83d4b86	docs: fix formatting	2025-03-14 02:45:59 +04:00
carlosmonastyrski	155e59e571	Fix humanitec API header	2025-03-13 18:06:18 -03:00
carlosmonastyrski	8fbd3f2fce	Fix humanitec api calls to create secret if the env has no overrides	2025-03-13 17:50:05 -03:00
Mahyar Mirrashed	a500f00a49	fix(run): compare environment slug to environment slug	2025-03-13 13:21:12 -07:00
Sheen Capadngan	63d325c208	misc: lint	2025-03-14 04:08:58 +08:00
Sheen Capadngan	2149c0a9d1	misc: added neat check all condition	2025-03-14 03:50:17 +08:00
Sheen Capadngan	430f8458cb	misc: minor format	2025-03-14 03:47:12 +08:00
Daniel Hougaard	6842f7aa8b	docs(k8s): config map support	2025-03-13 23:44:32 +04:00
Sheen Capadngan	bdb7cb4cbf	misc: improved permission error message	2025-03-14 03:29:49 +08:00
Mahyar Mirrashed	ad207786e2	refactor: clean up empty line	2025-03-13 12:18:54 -07:00
Daniel Hougaard	ace8c37c25	docs: fix formatting	2025-03-13 23:11:50 +04:00
carlosmonastyrski	f15e61dbd9	Add missing docs for humanitec app connection endpoints	2025-03-13 15:50:32 -03:00
Mahyar Mirrashed	4c82408b51	fix(run): grap workspace id from workspace file if not defined on the cli	2025-03-13 11:43:00 -07:00
Mahyar Mirrashed	8146dcef16	refactor(run): call it project instead of workspace	2025-03-13 11:43:00 -07:00
Mahyar Mirrashed	2e90addbc5	refactor(run): do not report project id in error message	2025-03-13 11:43:00 -07:00
Mahyar Mirrashed	427201a634	refactor(run): set up variable before call	2025-03-13 11:43:00 -07:00
Mahyar Mirrashed	0b55ac141c	refactor(projects): rename workspace to project	2025-03-13 11:43:00 -07:00
Mahyar Mirrashed	aecfa268ae	fix(run): handle case where we require a login	2025-03-13 11:43:00 -07:00
Mahyar Mirrashed	fdfc020efc	refactor: clean up more smelly code	2025-03-13 11:43:00 -07:00
Mahyar Mirrashed	62aa80a104	feat(run): ensure that the project has the requested environment	2025-03-13 11:43:00 -07:00
Mahyar Mirrashed	cf9d8035bd	feat(run): add function to confirm project has the requested environment	2025-03-13 11:43:00 -07:00
Mahyar Mirrashed	d0c9f1ca53	feat(projects): add new module in util package for getting project details	2025-03-13 11:43:00 -07:00
Mahyar Mirrashed	2ecc7424d9	feat(models): add model for environments	2025-03-13 11:43:00 -07:00
Mahyar Mirrashed	c04b97c689	refactor: clean smelly code	2025-03-13 11:43:00 -07:00
Mahyar Mirrashed	7600a86dfc	fix(nix): set gopath for usage by IDEs	2025-03-13 11:43:00 -07:00
Mahyar Mirrashed	8924eaf251	chore: ignore direnv folder	2025-03-13 11:43:00 -07:00
Mahyar Mirrashed	82e9504285	chore: ignore .idea and .go folders	2025-03-13 11:43:00 -07:00
Mahyar Mirrashed	c4e10df754	fix(nix): set the goroot for tools like jetbrains JetBrains needs to know the GOROOT environment variables. For the sake of other tooling, we will just set these in the flake rather than only in the `.envrc` file. It also keeps all environment configuration localized to our project flake.	2025-03-13 11:43:00 -07:00
Mahyar Mirrashed	ce60e96008	chore(nix): add golang dependency	2025-03-13 11:43:00 -07:00
Sheen Capadngan	54d002d718	Merge remote-tracking branch 'origin/main' into misc/privilege-management-v2-transition	2025-03-14 02:00:35 +08:00
Sheen Capadngan	dc2358bbaa	misc: added privilege version checks	2025-03-14 01:59:07 +08:00
Daniel Hougaard	930b59cb4f	chore: helm	2025-03-13 20:20:43 +04:00
Daniel Hougaard	ec363a5ad4	feat(infisicalsecret-crd): added configmap support	2025-03-13 20:20:43 +04:00
carlosmonastyrski	c0de4ae3ee	Add secret share permissions	2025-03-13 12:44:38 -03:00
Akhil Mohan	de7e92ccfc	Merge pull request #3236 from akhilmhdh/fix/renew-token Resolved renew token not renewing	2025-03-13 20:12:26 +05:30
Sheen Capadngan	fc651f6645	misc: added trigger for privilege upgrade	2025-03-13 22:21:44 +08:00
Akhil Mohan	522d81ae1a	Merge pull request #3237 from akhilmhdh/feat/metadata-oidc Resolved create and update failing for service token	2025-03-13 19:47:51 +05:30
carlosmonastyrski	ef22b39421	Merge branch 'main' into feat/allowShareToAnyoneEdition	2025-03-13 11:11:37 -03:00
=	02153ffb32	fix: resolved create and update failing for service token	2025-03-13 19:41:33 +05:30
carlosmonastyrski	1d14cdf334	Merge branch 'main' into feat/addHumanitecIntegration	2025-03-13 10:55:40 -03:00
carlosmonastyrski	39b323dd9c	Improve humanitec docs	2025-03-13 10:47:18 -03:00
carlosmonastyrski	b0b55344ce	General improvements to Humanitec integration	2025-03-13 09:41:12 -03:00
Sheen Capadngan	cc2c4b16bf	Merge remote-tracking branch 'origin/main' into misc/privilege-management-v2-transition	2025-03-13 18:36:26 +08:00
Scott Wilson	d9d62384e7	Merge pull request #3196 from Infisical/org-name-constraint Improvement: Add Organization Name Constraint	2025-03-12 19:02:38 -07:00
carlosmonastyrski	568aadef75	Add Humanitec secret sync integration docs	2025-03-12 18:42:07 -03:00
=	87ac723fcb	feat: resolved renew token not renewing	2025-03-13 01:45:49 +05:30
carlosmonastyrski	79d8a9debb	Add Humanitec secret sync integration	2025-03-12 16:23:59 -03:00
carlosmonastyrski	71b8e3dbce	Fix migration column name on check variable	2025-03-11 13:44:42 -03:00
carlosmonastyrski	e46f10292c	Fix createFileRoute issue due to a missing / on route definition	2025-03-11 13:09:38 -03:00
carlosmonastyrski	acb22cdf36	Added new option to enable/disable option to share secrets with anyone	2025-03-11 12:58:09 -03:00
Sheen Capadngan	1b05b7cf2c	Merge remote-tracking branch 'origin/main' into misc/privilege-management-v2-transition	2025-03-11 15:48:01 +08:00
Sheen Capadngan	dcc3509a33	misc: add doc changes	2025-03-10 21:45:20 +08:00
Sheen Capadngan	9dbe45a730	misc: added privilege check for project user invite	2025-03-10 19:53:46 +08:00
Sheen Capadngan	7875bcc067	misc: address lint	2025-03-10 16:28:37 +08:00
Sheen Capadngan	9c702b27b2	misc: updated permission usage across FE	2025-03-10 16:24:55 +08:00
Sheen Capadngan	db8a4bd26d	Merge remote-tracking branch 'origin/main' into misc/privilege-management-v2-transition	2025-03-10 15:35:48 +08:00
Sheen Capadngan	2b7e1b465f	misc: updated project rbac fe	2025-03-08 04:10:06 +08:00
Sheen Capadngan	b7b294f024	Merge remote-tracking branch 'origin/main' into misc/privilege-management-v2-transition	2025-03-08 03:40:33 +08:00
Sheen Capadngan	a3fb7c9f00	misc: add org-level UI changes for role	2025-03-07 02:39:03 +08:00
Sheen Capadngan	5ed164de24	misc: project permission transition	2025-03-07 01:33:29 +08:00
Sheen Capadngan	596378208e	misc: privilege management transition for org	2025-03-06 23:39:39 +08:00