requested changes

fix: error improvements
Update access-approval-policy-fns.ts
2025-04-13 16:52:12 +00:00 · 2024-09-30 21:45:11 +04:00 · 2024-09-30 21:31:47 +04:00 · 2024-09-27 22:03:46 +04:00 · 2024-09-27 21:22:14 +04:00 · 2024-09-27 20:25:10 +04:00
309 changed files with 8984 additions and 3178 deletions
--- a/backend/e2e-test/routes/v1/secret-approval-policy.spec.ts
+++ b/backend/e2e-test/routes/v1/secret-approval-policy.spec.ts
@ -1,6 +1,7 @@
 import { seedData1 } from "@app/db/seed-data";
+import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";

-const createPolicy = async (dto: { name: string; secretPath: string; approvers: string[]; approvals: number }) => {
+const createPolicy = async (dto: { name: string; secretPath: string; approvers: {type: ApproverType.User, id: string}[]; approvals: number }) => {
  const res = await testServer.inject({
    method: "POST",
    url: `/api/v1/secret-approvals`,
@ -26,7 +27,7 @@ describe("Secret approval policy router", async () => {
    const policy = await createPolicy({
      secretPath: "/",
      approvals: 1,
-      approvers: [seedData1.id],
+      approvers: [{id:seedData1.id, type: ApproverType.User}],
      name: "test-policy"
    });

--- a/backend/e2e-test/routes/v2/service-token.spec.ts
+++ b/backend/e2e-test/routes/v2/service-token.spec.ts
@ -510,7 +510,7 @@ describe("Service token fail cases", async () => {
        authorization: `Bearer ${serviceToken}`
      }
    });
-    expect(fetchSecrets.statusCode).toBe(401);
+    expect(fetchSecrets.statusCode).toBe(403);
    expect(fetchSecrets.json().error).toBe("PermissionDenied");
    await deleteServiceToken();
  });
@ -532,7 +532,7 @@ describe("Service token fail cases", async () => {
        authorization: `Bearer ${serviceToken}`
      }
    });
-    expect(fetchSecrets.statusCode).toBe(401);
+    expect(fetchSecrets.statusCode).toBe(403);
    expect(fetchSecrets.json().error).toBe("PermissionDenied");
    await deleteServiceToken();
  });
@ -557,7 +557,7 @@ describe("Service token fail cases", async () => {
        authorization: `Bearer ${serviceToken}`
      }
    });
-    expect(writeSecrets.statusCode).toBe(401);
+    expect(writeSecrets.statusCode).toBe(403);
    expect(writeSecrets.json().error).toBe("PermissionDenied");

    // but read access should still work fine
--- a/backend/e2e-test/routes/v3/secrets.spec.ts
+++ b/backend/e2e-test/routes/v3/secrets.spec.ts
@ -1075,7 +1075,7 @@ describe("Secret V3 Raw Router Without E2EE enabled", async () => {
      },
      body: createSecretReqBody
    });
-    expect(createSecRes.statusCode).toBe(400);
+    expect(createSecRes.statusCode).toBe(404);
  });

  test("Update secret raw", async () => {
@ -1093,7 +1093,7 @@ describe("Secret V3 Raw Router Without E2EE enabled", async () => {
      },
      body: updateSecretReqBody
    });
-    expect(updateSecRes.statusCode).toBe(400);
+    expect(updateSecRes.statusCode).toBe(404);
  });

  test("Delete secret raw", async () => {
@ -1110,6 +1110,6 @@ describe("Secret V3 Raw Router Without E2EE enabled", async () => {
      },
      body: deletedSecretReqBody
    });
-    expect(deletedSecRes.statusCode).toBe(400);
+    expect(deletedSecRes.statusCode).toBe(404);
  });
 });
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@ -81,7 +81,7 @@
        "pino": "^8.16.2",
        "pkijs": "^3.2.4",
        "posthog-node": "^3.6.2",
-        "probot": "^13.0.0",
+        "probot": "^13.3.8",
        "safe-regex": "^2.1.1",
        "scim-patch": "^0.8.3",
        "scim2-parse-filter": "^0.2.10",
@ -8018,6 +8018,7 @@
      "version": "1.3.8",
      "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz",
      "integrity": "sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==",
+      "license": "MIT",
      "dependencies": {
        "mime-types": "~2.1.34",
        "negotiator": "0.6.3"
@ -8336,7 +8337,8 @@
    "node_modules/array-flatten": {
      "version": "1.1.1",
      "resolved": "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz",
-      "integrity": "sha512-PCVAQswWemu6UdxsDFFX/+gVeYqKAod3D3UVm91jHwynguOwAvYPhx8nNlM++NqRcK6CxxpUafjmhIdKiHibqg=="
+      "integrity": "sha512-PCVAQswWemu6UdxsDFFX/+gVeYqKAod3D3UVm91jHwynguOwAvYPhx8nNlM++NqRcK6CxxpUafjmhIdKiHibqg==",
+      "license": "MIT"
    },
    "node_modules/array-includes": {
      "version": "3.1.7",
@ -8814,9 +8816,10 @@
      }
    },
    "node_modules/body-parser": {
-      "version": "1.20.2",
-      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.2.tgz",
-      "integrity": "sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA==",
+      "version": "1.20.3",
+      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.3.tgz",
+      "integrity": "sha512-7rAxByjUMqQ3/bHJy7D6OGXvx/MMc4IqBn/X0fcM1QUcAItpZrBEYhWGem+tzXH90c+G01ypMcYJBO9Y30203g==",
+      "license": "MIT",
      "dependencies": {
        "bytes": "3.1.2",
        "content-type": "~1.0.5",
@ -8826,7 +8829,7 @@
        "http-errors": "2.0.0",
        "iconv-lite": "0.4.24",
        "on-finished": "2.4.1",
-        "qs": "6.11.0",
+        "qs": "6.13.0",
        "raw-body": "2.5.2",
        "type-is": "~1.6.18",
        "unpipe": "1.0.0"
@ -8840,6 +8843,7 @@
      "version": "2.6.9",
      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
      "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+      "license": "MIT",
      "dependencies": {
        "ms": "2.0.0"
      }
@ -8848,6 +8852,7 @@
      "version": "0.4.24",
      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
      "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
+      "license": "MIT",
      "dependencies": {
        "safer-buffer": ">= 2.1.2 < 3"
      },
@ -8858,7 +8863,8 @@
    "node_modules/body-parser/node_modules/ms": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
+      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
+      "license": "MIT"
    },
    "node_modules/bottleneck": {
      "version": "2.19.5",
@ -9006,6 +9012,7 @@
      "version": "3.1.2",
      "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz",
      "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==",
+      "license": "MIT",
      "engines": {
        "node": ">= 0.8"
      }
@ -9028,13 +9035,19 @@
      }
    },
    "node_modules/call-bind": {
-      "version": "1.0.5",
-      "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.5.tgz",
-      "integrity": "sha512-C3nQxfFZxFRVoJoGKKI8y3MOEo129NQ+FgQ08iye+Mk4zNZZGdjfs06bVTr+DBSlA66Q2VEcMki/cUCP4SercQ==",
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.7.tgz",
+      "integrity": "sha512-GHTSNSYICQ7scH7sZ+M2rFopRoLh8t2bLSW6BbgrtLsahOIB5iyAVJf9GjWK3cYTDaMj4XdBpM1cA6pIS0Kv2w==",
+      "license": "MIT",
      "dependencies": {
+        "es-define-property": "^1.0.0",
+        "es-errors": "^1.3.0",
        "function-bind": "^1.1.2",
-        "get-intrinsic": "^1.2.1",
-        "set-function-length": "^1.1.1"
+        "get-intrinsic": "^1.2.4",
+        "set-function-length": "^1.2.1"
+      },
+      "engines": {
+        "node": ">= 0.4"
      },
      "funding": {
        "url": "https://github.com/sponsors/ljharb"
@ -9379,6 +9392,7 @@
      "version": "1.0.5",
      "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz",
      "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==",
+      "license": "MIT",
      "engines": {
        "node": ">= 0.6"
      }
@ -9543,16 +9557,20 @@
      }
    },
    "node_modules/define-data-property": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/define-data-property/-/define-data-property-1.1.1.tgz",
-      "integrity": "sha512-E7uGkTzkk1d0ByLeSc6ZsFS79Axg+m1P/VsgYsxHgiuc3tFSj+MjMIwe90FC4lOAZzNBdY7kkO2P2wKdsQ1vgQ==",
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/define-data-property/-/define-data-property-1.1.4.tgz",
+      "integrity": "sha512-rBMvIzlpA8v6E+SJZoo++HAYqsLrkg7MSfIinMPFhmkorw7X+dOXVJQs+QT69zGkzMyfDnIMN2Wid1+NbL3T+A==",
+      "license": "MIT",
      "dependencies": {
-        "get-intrinsic": "^1.2.1",
-        "gopd": "^1.0.1",
-        "has-property-descriptors": "^1.0.0"
+        "es-define-property": "^1.0.0",
+        "es-errors": "^1.3.0",
+        "gopd": "^1.0.1"
      },
      "engines": {
        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
      }
    },
    "node_modules/define-lazy-prop": {
@ -9618,6 +9636,7 @@
      "version": "1.2.0",
      "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.2.0.tgz",
      "integrity": "sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==",
+      "license": "MIT",
      "engines": {
        "node": ">= 0.8",
        "npm": "1.2.8000 || >= 1.4.16"
@ -9724,7 +9743,8 @@
    "node_modules/ee-first": {
      "version": "1.1.1",
      "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
-      "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow=="
+      "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==",
+      "license": "MIT"
    },
    "node_modules/electron-to-chromium": {
      "version": "1.4.816",
@ -9738,9 +9758,10 @@
      "integrity": "sha512-QpLs9D9v9kArv4lfDEgg1X/gN5XLnf/A6l9cs8SPZLRZR3ZkY9+kwIQTxm+fsSej5UMYGE8fdoaZVIBlqG0XTw=="
    },
    "node_modules/encodeurl": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz",
-      "integrity": "sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w==",
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz",
+      "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==",
+      "license": "MIT",
      "engines": {
        "node": ">= 0.8"
      }
@ -9827,6 +9848,27 @@
        "url": "https://github.com/sponsors/ljharb"
      }
    },
+    "node_modules/es-define-property": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.0.tgz",
+      "integrity": "sha512-jxayLKShrEqqzJ0eumQbVhTYQM27CfT1T35+gCgDFoL82JLsXqTJ76zv6A0YLOgEnLUMvLzsDsGIrl8NFpT2gQ==",
+      "license": "MIT",
+      "dependencies": {
+        "get-intrinsic": "^1.2.4"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-errors": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
+      "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
    "node_modules/es-set-tostringtag": {
      "version": "2.0.2",
      "resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.0.2.tgz",
@ -10452,6 +10494,7 @@
      "version": "1.8.1",
      "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz",
      "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==",
+      "license": "MIT",
      "engines": {
        "node": ">= 0.6"
      }
@ -10495,36 +10538,37 @@
      }
    },
    "node_modules/express": {
-      "version": "4.19.2",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz",
-      "integrity": "sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q==",
+      "version": "4.21.0",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.21.0.tgz",
+      "integrity": "sha512-VqcNGcj/Id5ZT1LZ/cfihi3ttTn+NJmkli2eZADigjq29qTlWi/hAQ43t/VLPq8+UX06FCEx3ByOYet6ZFblng==",
+      "license": "MIT",
      "dependencies": {
        "accepts": "~1.3.8",
        "array-flatten": "1.1.1",
-        "body-parser": "1.20.2",
+        "body-parser": "1.20.3",
        "content-disposition": "0.5.4",
        "content-type": "~1.0.4",
        "cookie": "0.6.0",
        "cookie-signature": "1.0.6",
        "debug": "2.6.9",
        "depd": "2.0.0",
-        "encodeurl": "~1.0.2",
+        "encodeurl": "~2.0.0",
        "escape-html": "~1.0.3",
        "etag": "~1.8.1",
-        "finalhandler": "1.2.0",
+        "finalhandler": "1.3.1",
        "fresh": "0.5.2",
        "http-errors": "2.0.0",
-        "merge-descriptors": "1.0.1",
+        "merge-descriptors": "1.0.3",
        "methods": "~1.1.2",
        "on-finished": "2.4.1",
        "parseurl": "~1.3.3",
-        "path-to-regexp": "0.1.7",
+        "path-to-regexp": "0.1.10",
        "proxy-addr": "~2.0.7",
-        "qs": "6.11.0",
+        "qs": "6.13.0",
        "range-parser": "~1.2.1",
        "safe-buffer": "5.2.1",
-        "send": "0.18.0",
-        "serve-static": "1.15.0",
+        "send": "0.19.0",
+        "serve-static": "1.16.2",
        "setprototypeof": "1.2.0",
        "statuses": "2.0.1",
        "type-is": "~1.6.18",
@ -10588,6 +10632,7 @@
      "version": "0.6.0",
      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz",
      "integrity": "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==",
+      "license": "MIT",
      "engines": {
        "node": ">= 0.6"
      }
@ -10595,12 +10640,14 @@
    "node_modules/express/node_modules/cookie-signature": {
      "version": "1.0.6",
      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
-      "integrity": "sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ=="
+      "integrity": "sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ==",
+      "license": "MIT"
    },
    "node_modules/express/node_modules/debug": {
      "version": "2.6.9",
      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
      "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+      "license": "MIT",
      "dependencies": {
        "ms": "2.0.0"
      }
@ -10608,7 +10655,8 @@
    "node_modules/express/node_modules/ms": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
+      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
+      "license": "MIT"
    },
    "node_modules/extend": {
      "version": "3.0.2",
@ -10815,12 +10863,13 @@
      }
    },
    "node_modules/finalhandler": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.2.0.tgz",
-      "integrity": "sha512-5uXcUVftlQMFnWC9qu/svkWv3GTd2PfUhK/3PLkYNAe7FbqJMt3515HaxE6eRL74GdsriiwujiawdaB1BpEISg==",
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.3.1.tgz",
+      "integrity": "sha512-6BN9trH7bp3qvnrRyzsBz+g3lZxTNZTbVO2EV1CS0WIcDbawYVdYvGflME/9QP0h0pYlCDBCTjYa9nZzMDpyxQ==",
+      "license": "MIT",
      "dependencies": {
        "debug": "2.6.9",
-        "encodeurl": "~1.0.2",
+        "encodeurl": "~2.0.0",
        "escape-html": "~1.0.3",
        "on-finished": "2.4.1",
        "parseurl": "~1.3.3",
@ -10835,6 +10884,7 @@
      "version": "2.6.9",
      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
      "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+      "license": "MIT",
      "dependencies": {
        "ms": "2.0.0"
      }
@ -10842,7 +10892,8 @@
    "node_modules/finalhandler/node_modules/ms": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
+      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
+      "license": "MIT"
    },
    "node_modules/find-my-way": {
      "version": "8.1.0",
@ -11008,6 +11059,7 @@
      "version": "0.5.2",
      "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
      "integrity": "sha512-zJ2mQYM18rEFOudeV4GShTGIQ7RbzA7ozbU9I/XBpm7kqgMywgmylMwXHxZJmkVoYkna9d2pVXVXPdYTP9ej8Q==",
+      "license": "MIT",
      "engines": {
        "node": ">= 0.6"
      }
@ -11365,15 +11417,20 @@
      }
    },
    "node_modules/get-intrinsic": {
-      "version": "1.2.2",
-      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.2.2.tgz",
-      "integrity": "sha512-0gSo4ml/0j98Y3lngkFEot/zhiCeWsbYIlZ+uZOVgzLyLaUw7wxUL+nCTP0XJvJg1AXulJRI3UJi8GsbDuxdGA==",
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.2.4.tgz",
+      "integrity": "sha512-5uYhsJH8VJBTv7oslg4BznJYhDoRI6waYCxMmCdnTrcCrHA/fCFKoTFz2JKKE0HdDFUF7/oQuhzumXJK7paBRQ==",
+      "license": "MIT",
      "dependencies": {
+        "es-errors": "^1.3.0",
        "function-bind": "^1.1.2",
        "has-proto": "^1.0.1",
        "has-symbols": "^1.0.3",
        "hasown": "^2.0.0"
      },
+      "engines": {
+        "node": ">= 0.4"
+      },
      "funding": {
        "url": "https://github.com/sponsors/ljharb"
      }
@ -11719,11 +11776,12 @@
      }
    },
    "node_modules/has-property-descriptors": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/has-property-descriptors/-/has-property-descriptors-1.0.1.tgz",
-      "integrity": "sha512-VsX8eaIewvas0xnvinAe9bw4WfIeODpGYikiWYLH+dma0Jw6KHYqWiWfhQlgOVK8D6PvjubK5Uc4P0iIhIcNVg==",
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/has-property-descriptors/-/has-property-descriptors-1.0.2.tgz",
+      "integrity": "sha512-55JNKuIW+vq4Ke1BjOTjM2YctQIvCT7GFzHwmfZPGo5wnrgkid0YQtnAleFSqumZm4az3n2BS+erby5ipJdgrg==",
+      "license": "MIT",
      "dependencies": {
-        "get-intrinsic": "^1.2.2"
+        "es-define-property": "^1.0.0"
      },
      "funding": {
        "url": "https://github.com/sponsors/ljharb"
@ -13276,6 +13334,7 @@
      "version": "0.3.0",
      "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
      "integrity": "sha512-dq+qelQ9akHpcOl/gUVRTxVIOkAJ1wR3QAvb4RsVjS8oVoFjDGTc679wJYmUmknUF5HwMLOgb5O+a3KxfWapPQ==",
+      "license": "MIT",
      "engines": {
        "node": ">= 0.6"
      }
@ -13286,9 +13345,13 @@
      "integrity": "sha512-ZS4Bp4r/Zoeq6+NLJpP+0Zzm0pR8whtGPf1XExKLJBAczGMnSi3It14OiNCStjQjM6NU1okjQGSxgEZN8eBYKg=="
    },
    "node_modules/merge-descriptors": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.1.tgz",
-      "integrity": "sha512-cCi6g3/Zr1iqQi6ySbseM1Xvooa98N0w31jzUYrXPX2xqObmFGHJ0tQ5u74H3mVh7wLouTseZyYIq39g8cNp1w=="
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.3.tgz",
+      "integrity": "sha512-gaNvAS7TZ897/rVaZ0nMtAyxNyi/pdbjbAwUpFQpN70GqnVfOiXpeUUMKRBmzXaSQ8DdTX4/0ms62r2K+hE6mQ==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
    },
    "node_modules/merge-stream": {
      "version": "2.0.0",
@ -13309,6 +13372,7 @@
      "version": "1.1.2",
      "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz",
      "integrity": "sha512-iclAHeNqNm68zFtnZ0e+1L2yUIdvzNoauKU4WBA3VvH/vPFieF7qfRlwUZU+DA9P9bPXIS90ulxoUoCH23sV2w==",
+      "license": "MIT",
      "engines": {
        "node": ">= 0.6"
      }
@ -13748,6 +13812,7 @@
      "version": "0.6.3",
      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz",
      "integrity": "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==",
+      "license": "MIT",
      "engines": {
        "node": ">= 0.6"
      }
@ -14099,6 +14164,7 @@
      "version": "2.4.1",
      "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz",
      "integrity": "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==",
+      "license": "MIT",
      "dependencies": {
        "ee-first": "1.1.1"
      },
@ -14511,9 +14577,10 @@
      }
    },
    "node_modules/path-to-regexp": {
-      "version": "0.1.7",
-      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz",
-      "integrity": "sha512-5DFkuoqlv1uYQKxy8omFBeJPQcdoE07Kv2sferDCrAq1ohOU+MSDswDIbnx3YAM60qIOnYa53wBhXW0EbMonrQ=="
+      "version": "0.1.10",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz",
+      "integrity": "sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w==",
+      "license": "MIT"
    },
    "node_modules/path-type": {
      "version": "4.0.0",
@ -14716,20 +14783,78 @@
      }
    },
    "node_modules/pino-http": {
-      "version": "8.6.1",
-      "resolved": "https://registry.npmjs.org/pino-http/-/pino-http-8.6.1.tgz",
-      "integrity": "sha512-J0hiJgUExtBXP2BjrK4VB305tHXS31sCmWJ9XJo2wPkLHa1NFPuW4V9wjG27PAc2fmBCigiNhQKpvrx+kntBPA==",
+      "version": "10.3.0",
+      "resolved": "https://registry.npmjs.org/pino-http/-/pino-http-10.3.0.tgz",
+      "integrity": "sha512-kaHQqt1i5S9LXWmyuw6aPPqYW/TjoDPizPs4PnDW4hSpajz2Uo/oisNliLf7We1xzpiLacdntmw8yaZiEkppQQ==",
+      "license": "MIT",
      "dependencies": {
        "get-caller-file": "^2.0.5",
-        "pino": "^8.17.1",
-        "pino-std-serializers": "^6.2.2",
-        "process-warning": "^3.0.0"
+        "pino": "^9.0.0",
+        "pino-std-serializers": "^7.0.0",
+        "process-warning": "^4.0.0"
      }
    },
+    "node_modules/pino-http/node_modules/pino": {
+      "version": "9.4.0",
+      "resolved": "https://registry.npmjs.org/pino/-/pino-9.4.0.tgz",
+      "integrity": "sha512-nbkQb5+9YPhQRz/BeQmrWpEknAaqjpAqRK8NwJpmrX/JHu7JuZC5G1CeAwJDJfGes4h+YihC6in3Q2nGb+Y09w==",
+      "license": "MIT",
+      "dependencies": {
+        "atomic-sleep": "^1.0.0",
+        "fast-redact": "^3.1.1",
+        "on-exit-leak-free": "^2.1.0",
+        "pino-abstract-transport": "^1.2.0",
+        "pino-std-serializers": "^7.0.0",
+        "process-warning": "^4.0.0",
+        "quick-format-unescaped": "^4.0.3",
+        "real-require": "^0.2.0",
+        "safe-stable-stringify": "^2.3.1",
+        "sonic-boom": "^4.0.1",
+        "thread-stream": "^3.0.0"
+      },
+      "bin": {
+        "pino": "bin.js"
+      }
+    },
+    "node_modules/pino-http/node_modules/pino-abstract-transport": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/pino-abstract-transport/-/pino-abstract-transport-1.2.0.tgz",
+      "integrity": "sha512-Guhh8EZfPCfH+PMXAb6rKOjGQEoy0xlAIn+irODG5kgfYV+BQ0rGYYWTIel3P5mmyXqkYkPmdIkywsn6QKUR1Q==",
+      "license": "MIT",
+      "dependencies": {
+        "readable-stream": "^4.0.0",
+        "split2": "^4.0.0"
+      }
+    },
+    "node_modules/pino-http/node_modules/pino-std-serializers": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/pino-std-serializers/-/pino-std-serializers-7.0.0.tgz",
+      "integrity": "sha512-e906FRY0+tV27iq4juKzSYPbUj2do2X2JX4EzSca1631EB2QJQUqGbDuERal7LCtOpxl6x3+nvo9NPZcmjkiFA==",
+      "license": "MIT"
+    },
    "node_modules/pino-http/node_modules/process-warning": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/process-warning/-/process-warning-3.0.0.tgz",
-      "integrity": "sha512-mqn0kFRl0EoqhnL0GQ0veqFHyIN1yig9RHh/InzORTUiZHFRAur+aMtRkELNwGs9aNwKS6tg/An4NYBPGwvtzQ=="
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/process-warning/-/process-warning-4.0.0.tgz",
+      "integrity": "sha512-/MyYDxttz7DfGMMHiysAsFE4qF+pQYAA8ziO/3NcRVrQ5fSk+Mns4QZA/oRPFzvcqNoVJXQNWNAsdwBXLUkQKw==",
+      "license": "MIT"
+    },
+    "node_modules/pino-http/node_modules/sonic-boom": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/sonic-boom/-/sonic-boom-4.1.0.tgz",
+      "integrity": "sha512-NGipjjRicyJJ03rPiZCJYjwlsuP2d1/5QUviozRXC7S3WdVWNK5e3Ojieb9CCyfhq2UC+3+SRd9nG3I2lPRvUw==",
+      "license": "MIT",
+      "dependencies": {
+        "atomic-sleep": "^1.0.0"
+      }
+    },
+    "node_modules/pino-http/node_modules/thread-stream": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/thread-stream/-/thread-stream-3.1.0.tgz",
+      "integrity": "sha512-OqyPZ9u96VohAyMfJykzmivOrY2wfMSf3C5TtFJVgN+Hm6aj+voFhlK+kZEIv2FBh1X6Xp3DlnCOfEQ3B2J86A==",
+      "license": "MIT",
+      "dependencies": {
+        "real-require": "^0.2.0"
+      }
    },
    "node_modules/pino-pretty": {
      "version": "10.2.3",
@ -15096,9 +15221,10 @@
      }
    },
    "node_modules/probot": {
-      "version": "13.0.0",
-      "resolved": "https://registry.npmjs.org/probot/-/probot-13.0.0.tgz",
-      "integrity": "sha512-3ht9kAJ+ISjLyWLLCKVdrLE5xs/x+zUx07J5kYTxAyIxUvwF6Acr8xT5fiNihbBHAsEl4+A4CMYZQvZ5hx5bgw==",
+      "version": "13.3.8",
+      "resolved": "https://registry.npmjs.org/probot/-/probot-13.3.8.tgz",
+      "integrity": "sha512-xc+KBC0mp1JKFMsPbMyj1SpmN0B7Q8uFO7ze4PBbNv74q8AyPGqYL3TmkZSOmcOjFTeFrZTnMYEoXi+z1anyLA==",
+      "license": "ISC",
      "dependencies": {
        "@octokit/core": "^5.0.2",
        "@octokit/plugin-enterprise-compatibility": "^4.0.1",
@ -15113,19 +15239,18 @@
        "@probot/octokit-plugin-config": "^2.0.1",
        "@probot/pino": "^2.3.5",
        "@types/express": "^4.17.21",
-        "commander": "^11.1.0",
+        "bottleneck": "^2.19.5",
+        "commander": "^12.0.0",
        "deepmerge": "^4.3.1",
        "dotenv": "^16.3.1",
-        "eventsource": "^2.0.2",
-        "express": "^4.18.2",
+        "express": "^4.21.0",
        "ioredis": "^5.3.2",
        "js-yaml": "^4.1.0",
        "lru-cache": "^10.0.3",
        "octokit-auth-probot": "^2.0.0",
-        "pino": "^8.16.1",
-        "pino-http": "^8.5.1",
+        "pino": "^9.0.0",
+        "pino-http": "^10.0.0",
        "pkg-conf": "^3.1.0",
-        "resolve": "^1.22.8",
        "update-dotenv": "^1.1.1"
      },
      "bin": {
@ -15152,11 +15277,12 @@
      }
    },
    "node_modules/probot/node_modules/commander": {
-      "version": "11.1.0",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-11.1.0.tgz",
-      "integrity": "sha512-yPVavfyCcRhmorC7rWlkHn15b4wDVgVmBA7kV4QVBsF7kv/9TKJAbAXVTxvTnwP8HHKjRCJDClKbciiYS7p0DQ==",
+      "version": "12.1.0",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-12.1.0.tgz",
+      "integrity": "sha512-Vw8qHK3bZM9y/P10u3Vib8o/DdkvA2OtPtZvD871QKjy74Wj1WSKFILMPRPSdUSx5RFK1arlJzEtA4PkFgnbuA==",
+      "license": "MIT",
      "engines": {
-        "node": ">=16"
+        "node": ">=18"
      }
    },
    "node_modules/probot/node_modules/lru-cache": {
@ -15167,6 +15293,68 @@
        "node": "14 || >=16.14"
      }
    },
+    "node_modules/probot/node_modules/pino": {
+      "version": "9.4.0",
+      "resolved": "https://registry.npmjs.org/pino/-/pino-9.4.0.tgz",
+      "integrity": "sha512-nbkQb5+9YPhQRz/BeQmrWpEknAaqjpAqRK8NwJpmrX/JHu7JuZC5G1CeAwJDJfGes4h+YihC6in3Q2nGb+Y09w==",
+      "license": "MIT",
+      "dependencies": {
+        "atomic-sleep": "^1.0.0",
+        "fast-redact": "^3.1.1",
+        "on-exit-leak-free": "^2.1.0",
+        "pino-abstract-transport": "^1.2.0",
+        "pino-std-serializers": "^7.0.0",
+        "process-warning": "^4.0.0",
+        "quick-format-unescaped": "^4.0.3",
+        "real-require": "^0.2.0",
+        "safe-stable-stringify": "^2.3.1",
+        "sonic-boom": "^4.0.1",
+        "thread-stream": "^3.0.0"
+      },
+      "bin": {
+        "pino": "bin.js"
+      }
+    },
+    "node_modules/probot/node_modules/pino-abstract-transport": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/pino-abstract-transport/-/pino-abstract-transport-1.2.0.tgz",
+      "integrity": "sha512-Guhh8EZfPCfH+PMXAb6rKOjGQEoy0xlAIn+irODG5kgfYV+BQ0rGYYWTIel3P5mmyXqkYkPmdIkywsn6QKUR1Q==",
+      "license": "MIT",
+      "dependencies": {
+        "readable-stream": "^4.0.0",
+        "split2": "^4.0.0"
+      }
+    },
+    "node_modules/probot/node_modules/pino-std-serializers": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/pino-std-serializers/-/pino-std-serializers-7.0.0.tgz",
+      "integrity": "sha512-e906FRY0+tV27iq4juKzSYPbUj2do2X2JX4EzSca1631EB2QJQUqGbDuERal7LCtOpxl6x3+nvo9NPZcmjkiFA==",
+      "license": "MIT"
+    },
+    "node_modules/probot/node_modules/process-warning": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/process-warning/-/process-warning-4.0.0.tgz",
+      "integrity": "sha512-/MyYDxttz7DfGMMHiysAsFE4qF+pQYAA8ziO/3NcRVrQ5fSk+Mns4QZA/oRPFzvcqNoVJXQNWNAsdwBXLUkQKw==",
+      "license": "MIT"
+    },
+    "node_modules/probot/node_modules/sonic-boom": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/sonic-boom/-/sonic-boom-4.1.0.tgz",
+      "integrity": "sha512-NGipjjRicyJJ03rPiZCJYjwlsuP2d1/5QUviozRXC7S3WdVWNK5e3Ojieb9CCyfhq2UC+3+SRd9nG3I2lPRvUw==",
+      "license": "MIT",
+      "dependencies": {
+        "atomic-sleep": "^1.0.0"
+      }
+    },
+    "node_modules/probot/node_modules/thread-stream": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/thread-stream/-/thread-stream-3.1.0.tgz",
+      "integrity": "sha512-OqyPZ9u96VohAyMfJykzmivOrY2wfMSf3C5TtFJVgN+Hm6aj+voFhlK+kZEIv2FBh1X6Xp3DlnCOfEQ3B2J86A==",
+      "license": "MIT",
+      "dependencies": {
+        "real-require": "^0.2.0"
+      }
+    },
    "node_modules/process": {
      "version": "0.11.10",
      "resolved": "https://registry.npmjs.org/process/-/process-0.11.10.tgz",
@ -15282,11 +15470,12 @@
      }
    },
    "node_modules/qs": {
-      "version": "6.11.0",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz",
-      "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==",
+      "version": "6.13.0",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.13.0.tgz",
+      "integrity": "sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==",
+      "license": "BSD-3-Clause",
      "dependencies": {
-        "side-channel": "^1.0.4"
+        "side-channel": "^1.0.6"
      },
      "engines": {
        "node": ">=0.6"
@ -15359,6 +15548,7 @@
      "version": "1.2.1",
      "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz",
      "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==",
+      "license": "MIT",
      "engines": {
        "node": ">= 0.6"
      }
@ -15367,6 +15557,7 @@
      "version": "2.5.2",
      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.2.tgz",
      "integrity": "sha512-8zGqypfENjCIqGhgXToC8aB2r7YrBX+AQAfIPs/Mlk+BtPTztOvTS01NRW/3Eh60J+a48lt8qsCzirQ6loCVfA==",
+      "license": "MIT",
      "dependencies": {
        "bytes": "3.1.2",
        "http-errors": "2.0.0",
@ -15381,6 +15572,7 @@
      "version": "0.4.24",
      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
      "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
+      "license": "MIT",
      "dependencies": {
        "safer-buffer": ">= 2.1.2 < 3"
      },
@ -15961,9 +16153,10 @@
      }
    },
    "node_modules/send": {
-      "version": "0.18.0",
-      "resolved": "https://registry.npmjs.org/send/-/send-0.18.0.tgz",
-      "integrity": "sha512-qqWzuOjSFOuqPjFe4NOsMLafToQQwBSOEpS+FwEt3A2V3vKubTquT3vmLTQpFgMXp8AlFWFuP1qKaJZOtPpVXg==",
+      "version": "0.19.0",
+      "resolved": "https://registry.npmjs.org/send/-/send-0.19.0.tgz",
+      "integrity": "sha512-dW41u5VfLXu8SJh5bwRmyYUbAoSB3c9uQh6L8h/KtsFREPWpbX1lrljJo186Jc4nmci/sGUZ9a0a0J2zgfq2hw==",
+      "license": "MIT",
      "dependencies": {
        "debug": "2.6.9",
        "depd": "2.0.0",
@ -15987,6 +16180,7 @@
      "version": "2.6.9",
      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
      "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+      "license": "MIT",
      "dependencies": {
        "ms": "2.0.0"
      }
@ -15994,12 +16188,23 @@
    "node_modules/send/node_modules/debug/node_modules/ms": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
+      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
+      "license": "MIT"
+    },
+    "node_modules/send/node_modules/encodeurl": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz",
+      "integrity": "sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
    },
    "node_modules/send/node_modules/mime": {
      "version": "1.6.0",
      "resolved": "https://registry.npmjs.org/mime/-/mime-1.6.0.tgz",
      "integrity": "sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==",
+      "license": "MIT",
      "bin": {
        "mime": "cli.js"
      },
@ -16013,14 +16218,15 @@
      "integrity": "sha512-hr3Wtp/GZIc/6DAGPDcV4/9WoZhjrkXsi5B/07QgX8tsdc6ilr7BFM6PM6rbdAX1kFSDYeZGLipIZZKyQP0O5Q=="
    },
    "node_modules/serve-static": {
-      "version": "1.15.0",
-      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.15.0.tgz",
-      "integrity": "sha512-XGuRDNjXUijsUL0vl6nSD7cwURuzEgglbOaFuZM9g3kwDXOWVTck0jLzjPzGD+TazWbboZYu52/9/XPdUgne9g==",
+      "version": "1.16.2",
+      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.16.2.tgz",
+      "integrity": "sha512-VqpjJZKadQB/PEbEwvFdO43Ax5dFBZ2UECszz8bQ7pi7wt//PWe1P6MN7eCnjsatYtBT6EuiClbjSWP2WrIoTw==",
+      "license": "MIT",
      "dependencies": {
-        "encodeurl": "~1.0.2",
+        "encodeurl": "~2.0.0",
        "escape-html": "~1.0.3",
        "parseurl": "~1.3.3",
-        "send": "0.18.0"
+        "send": "0.19.0"
      },
      "engines": {
        "node": ">= 0.8.0"
@ -16037,14 +16243,17 @@
      "integrity": "sha512-RVnVQxTXuerk653XfuliOxBP81Sf0+qfQE73LIYKcyMYHG94AuH0kgrQpRDuTZnSmjpysHmzxJXKNfa6PjFhyQ=="
    },
    "node_modules/set-function-length": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/set-function-length/-/set-function-length-1.1.1.tgz",
-      "integrity": "sha512-VoaqjbBJKiWtg4yRcKBQ7g7wnGnLV3M8oLvVWwOk2PdYY6PEFegR1vezXR0tw6fZGF9csVakIRjrJiy2veSBFQ==",
+      "version": "1.2.2",
+      "resolved": "https://registry.npmjs.org/set-function-length/-/set-function-length-1.2.2.tgz",
+      "integrity": "sha512-pgRc4hJ4/sNjWCSS9AmnS40x3bNMDTknHgL5UaMBTMyJnU90EgWh1Rz+MC9eFu4BuN/UwZjKQuY/1v3rM7HMfg==",
+      "license": "MIT",
      "dependencies": {
-        "define-data-property": "^1.1.1",
-        "get-intrinsic": "^1.2.1",
+        "define-data-property": "^1.1.4",
+        "es-errors": "^1.3.0",
+        "function-bind": "^1.1.2",
+        "get-intrinsic": "^1.2.4",
        "gopd": "^1.0.1",
-        "has-property-descriptors": "^1.0.0"
+        "has-property-descriptors": "^1.0.2"
      },
      "engines": {
        "node": ">= 0.4"
@ -16103,13 +16312,18 @@
      }
    },
    "node_modules/side-channel": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.0.4.tgz",
-      "integrity": "sha512-q5XPytqFEIKHkGdiMIrY10mvLRvnQh42/+GoBlFW3b2LXLE2xxJpZFdm94we0BaoV3RwJyGqg5wS7epxTv0Zvw==",
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.0.6.tgz",
+      "integrity": "sha512-fDW/EZ6Q9RiO8eFG8Hj+7u/oW+XrPTIChwCOM2+th2A6OblDtYYIpve9m+KvI9Z4C9qSEXlaGR6bTEYHReuglA==",
+      "license": "MIT",
      "dependencies": {
-        "call-bind": "^1.0.0",
-        "get-intrinsic": "^1.0.2",
-        "object-inspect": "^1.9.0"
+        "call-bind": "^1.0.7",
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.4",
+        "object-inspect": "^1.13.1"
+      },
+      "engines": {
+        "node": ">= 0.4"
      },
      "funding": {
        "url": "https://github.com/sponsors/ljharb"
@ -17704,6 +17918,7 @@
      "version": "1.6.18",
      "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz",
      "integrity": "sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==",
+      "license": "MIT",
      "dependencies": {
        "media-typer": "0.3.0",
        "mime-types": "~2.1.24"
@ -17927,6 +18142,7 @@
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
      "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==",
+      "license": "MIT",
      "engines": {
        "node": ">= 0.8"
      }
@ -18051,6 +18267,7 @@
      "version": "1.1.2",
      "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
      "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==",
+      "license": "MIT",
      "engines": {
        "node": ">= 0.8"
      }
--- a/backend/package.json
+++ b/backend/package.json
@ -178,7 +178,7 @@
    "pino": "^8.16.2",
    "pkijs": "^3.2.4",
    "posthog-node": "^3.6.2",
-    "probot": "^13.0.0",
+    "probot": "^13.3.8",
    "safe-regex": "^2.1.1",
    "scim-patch": "^0.8.3",
    "scim2-parse-filter": "^0.2.10",
--- a/backend/src/db/migrations/20240918005344_add-group-approvals.ts
+++ b/backend/src/db/migrations/20240918005344_add-group-approvals.ts
@ -0,0 +1,36 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover)) {
+    // add column approverGroupId to AccessApprovalPolicyApprover
+    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (table) => {
+      // make nullable
+      table.uuid("approverGroupId").nullable().references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      // make approverUserId nullable
+      table.uuid("approverUserId").nullable().alter();
+    });
+    // add column approverGroupId to SecretApprovalPolicyApprover
+    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (table) => {
+      table.uuid("approverGroupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      table.uuid("approverUserId").nullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover)) {
+    // remove
+    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (table) => {
+      table.dropColumn("approverGroupId");
+      table.uuid("approverUserId").notNullable().alter();
+    });
+
+    // remove
+    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (table) => {
+      table.dropColumn("approverGroupId");
+      table.uuid("approverUserId").notNullable().alter();
+    });
+  }
+}
--- a/backend/src/db/schemas/access-approval-policies-approvers.ts
+++ b/backend/src/db/schemas/access-approval-policies-approvers.ts
@ -12,7 +12,8 @@ export const AccessApprovalPoliciesApproversSchema = z.object({
  policyId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  approverUserId: z.string().uuid()
+  approverUserId: z.string().uuid().nullable().optional(),
+  approverGroupId: z.string().uuid().nullable().optional()
 });

 export type TAccessApprovalPoliciesApprovers = z.infer<typeof AccessApprovalPoliciesApproversSchema>;
--- a/backend/src/db/schemas/secret-approval-policies-approvers.ts
+++ b/backend/src/db/schemas/secret-approval-policies-approvers.ts
@ -12,7 +12,8 @@ export const SecretApprovalPoliciesApproversSchema = z.object({
  policyId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  approverUserId: z.string().uuid()
+  approverUserId: z.string().uuid().nullable().optional(),
+  approverGroupId: z.string().uuid().nullable().optional()
 });

 export type TSecretApprovalPoliciesApprovers = z.infer<typeof SecretApprovalPoliciesApproversSchema>;
--- a/backend/src/ee/routes/v1/access-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-policy-router.ts
@ -1,7 +1,9 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";

+import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { EnforcementLevel } from "@app/lib/types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -10,28 +12,32 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
-      body: z
-        .object({
-          projectSlug: z.string().trim(),
-          name: z.string().optional(),
-          secretPath: z.string().trim().default("/"),
-          environment: z.string(),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
+      body: z.object({
+        projectSlug: z.string().trim(),
+        name: z.string().optional(),
+        secretPath: z.string().trim().default("/"),
+        environment: z.string(),
+        approvers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+          ])
+          .array()
+          .min(1, { message: "At least one approver should be provided" }),
+        approvals: z.number().min(1).default(1),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+      }),
      response: {
        200: z.object({
          approval: sapPubSchema
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const approval = await server.services.accessApprovalPolicy.createAccessApprovalPolicy({
        actor: req.permission.type,
@ -50,6 +56,9 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/",
    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      querystring: z.object({
        projectSlug: z.string().trim()
@ -58,14 +67,15 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
        200: z.object({
          approvals: sapPubSchema
            .extend({
-              userApprovers: z
-                .object({
-                  userId: z.string()
-                })
-                .array(),
-              secretPath: z.string().optional().nullable()
+              approvers: z
+                .object({ type: z.nativeEnum(ApproverType), id: z.string().nullable().optional() })
+                .array()
+                .nullable()
+                .optional()
            })
            .array()
+            .nullable()
+            .optional()
        })
      }
    },
@ -115,33 +125,37 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/:policyId",
    method: "PATCH",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        policyId: z.string()
      }),
-      body: z
-        .object({
-          name: z.string().optional(),
-          secretPath: z
-            .string()
-            .trim()
-            .optional()
-            .transform((val) => (val === "" ? "/" : val)),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
+      body: z.object({
+        name: z.string().optional(),
+        secretPath: z
+          .string()
+          .trim()
+          .optional()
+          .transform((val) => (val === "" ? "/" : val)),
+        approvers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+          ])
+          .array()
+          .min(1, { message: "At least one approver should be provided" }),
+        approvals: z.number().min(1).optional(),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+      }),
      response: {
        200: z.object({
          approval: sapPubSchema
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      await server.services.accessApprovalPolicy.updateAccessApprovalPolicy({
        policyId: req.params.policyId,
@ -157,6 +171,9 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/:policyId",
    method: "DELETE",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        policyId: z.string()
@ -167,7 +184,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const approval = await server.services.accessApprovalPolicy.deleteAccessApprovalPolicy({
        actor: req.permission.type,
@ -179,4 +196,44 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
      return { approval };
    }
  });
+
+  server.route({
+    url: "/:policyId",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        policyId: z.string()
+      }),
+      response: {
+        200: z.object({
+          approval: sapPubSchema.extend({
+            approvers: z
+              .object({
+                type: z.nativeEnum(ApproverType),
+                id: z.string().nullable().optional(),
+                name: z.string().nullable().optional()
+              })
+              .array()
+              .nullable()
+              .optional()
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const approval = await server.services.accessApprovalPolicy.getAccessApprovalPolicyById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.params
+      });
+
+      return { approval };
+    }
+  });
 };
--- a/backend/src/ee/routes/v1/dynamic-secret-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-router.ts
@ -77,6 +77,39 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
    }
  });

+  server.route({
+    method: "POST",
+    url: "/entra-id/users",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      body: z.object({
+        tenantId: z.string().min(1).describe("The tenant ID of the Azure Entra ID"),
+        applicationId: z.string().min(1).describe("The application ID of the Azure Entra ID App Registration"),
+        clientSecret: z.string().min(1).describe("The client secret of the Azure Entra ID App Registration")
+      }),
+      response: {
+        200: z
+          .object({
+            name: z.string().min(1).describe("The name of the user"),
+            id: z.string().min(1).describe("The ID of the user"),
+            email: z.string().min(1).describe("The email of the user")
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const data = await server.services.dynamicSecret.fetchAzureEntraIdUsers({
+        tenantId: req.body.tenantId,
+        applicationId: req.body.applicationId,
+        clientSecret: req.body.clientSecret
+      });
+      return data;
+    }
+  });
+
  server.route({
    method: "PATCH",
    url: "/:name",
@ -237,7 +270,7 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
-      const dynamicSecretCfgs = await server.services.dynamicSecret.list({
+      const dynamicSecretCfgs = await server.services.dynamicSecret.listDynamicSecretsByEnv({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
--- a/backend/src/ee/routes/v1/group-router.ts
+++ b/backend/src/ee/routes/v1/group-router.ts
@ -10,7 +10,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/",
    method: "POST",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      body: z.object({
        name: z.string().trim().min(1).max(50).describe(GROUPS.CREATE.name),
@ -43,12 +43,59 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:currentSlug",
-    method: "PATCH",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/:id",
+    method: "GET",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      params: z.object({
-        currentSlug: z.string().trim().describe(GROUPS.UPDATE.currentSlug)
+        id: z.string().trim().describe(GROUPS.GET_BY_ID.id)
+      }),
+      response: {
+        200: GroupsSchema
+      }
+    },
+    handler: async (req) => {
+      const group = await server.services.group.getGroupById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.id
+      });
+
+      return group;
+    }
+  });
+
+  server.route({
+    url: "/",
+    method: "GET",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      response: {
+        200: GroupsSchema.array()
+      }
+    },
+    handler: async (req) => {
+      const groups = await server.services.org.getOrgGroups({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return groups;
+    }
+  });
+
+  server.route({
+    url: "/:id",
+    method: "PATCH",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      params: z.object({
+        id: z.string().trim().describe(GROUPS.UPDATE.id)
      }),
      body: z
        .object({
@ -70,7 +117,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const group = await server.services.group.updateGroup({
-        currentSlug: req.params.currentSlug,
+        id: req.params.id,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
@ -83,12 +130,12 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:slug",
+    url: "/:id",
    method: "DELETE",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      params: z.object({
-        slug: z.string().trim().describe(GROUPS.DELETE.slug)
+        id: z.string().trim().describe(GROUPS.DELETE.id)
      }),
      response: {
        200: GroupsSchema
@ -96,7 +143,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const group = await server.services.group.deleteGroup({
-        groupSlug: req.params.slug,
+        id: req.params.id,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
@ -109,11 +156,11 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {

  server.route({
    method: "GET",
-    url: "/:slug/users",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/:id/users",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      params: z.object({
-        slug: z.string().trim().describe(GROUPS.LIST_USERS.slug)
+        id: z.string().trim().describe(GROUPS.LIST_USERS.id)
      }),
      querystring: z.object({
        offset: z.coerce.number().min(0).max(100).default(0).describe(GROUPS.LIST_USERS.offset),
@ -141,24 +188,25 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const { users, totalCount } = await server.services.group.listGroupUsers({
-        groupSlug: req.params.slug,
+        id: req.params.id,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query
      });
+
      return { users, totalCount };
    }
  });

  server.route({
    method: "POST",
-    url: "/:slug/users/:username",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/:id/users/:username",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      params: z.object({
-        slug: z.string().trim().describe(GROUPS.ADD_USER.slug),
+        id: z.string().trim().describe(GROUPS.ADD_USER.id),
        username: z.string().trim().describe(GROUPS.ADD_USER.username)
      }),
      response: {
@ -173,7 +221,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const user = await server.services.group.addUserToGroup({
-        groupSlug: req.params.slug,
+        id: req.params.id,
        username: req.params.username,
        actor: req.permission.type,
        actorId: req.permission.id,
@ -187,11 +235,11 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {

  server.route({
    method: "DELETE",
-    url: "/:slug/users/:username",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/:id/users/:username",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      params: z.object({
-        slug: z.string().trim().describe(GROUPS.DELETE_USER.slug),
+        id: z.string().trim().describe(GROUPS.DELETE_USER.id),
        username: z.string().trim().describe(GROUPS.DELETE_USER.username)
      }),
      response: {
@ -206,7 +254,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const user = await server.services.group.removeUserFromGroup({
-        groupSlug: req.params.slug,
+        id: req.params.id,
        username: req.params.username,
        actor: req.permission.type,
        actorId: req.permission.id,
--- a/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
@ -5,7 +5,7 @@ import { z } from "zod";

 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
 import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
-import { BadRequestError } from "@app/lib/errors";
+import { UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@ -61,7 +61,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
    handler: async (req) => {
      const { permissions, privilegePermission } = req.body;
      if (!permissions && !privilegePermission) {
-        throw new BadRequestError({ message: "Permission or privilegePermission must be provided" });
+        throw new UnauthorizedError({ message: "Permission or privilegePermission must be provided" });
      }

      const permission = privilegePermission
@ -140,7 +140,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
    handler: async (req) => {
      const { permissions, privilegePermission } = req.body;
      if (!permissions && !privilegePermission) {
-        throw new BadRequestError({ message: "Permission or privilegePermission must be provided" });
+        throw new UnauthorizedError({ message: "Permission or privilegePermission must be provided" });
      }

      const permission = privilegePermission
@ -224,7 +224,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
    handler: async (req) => {
      const { permissions, privilegePermission, ...updatedInfo } = req.body.privilegeDetails;
      if (!permissions && !privilegePermission) {
-        throw new BadRequestError({ message: "Permission or privilegePermission must be provided" });
+        throw new UnauthorizedError({ message: "Permission or privilegePermission must be provided" });
      }

      const permission = privilegePermission
--- a/backend/src/ee/routes/v1/project-router.ts
+++ b/backend/src/ee/routes/v1/project-router.ts
@ -87,6 +87,12 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    }
  });

+  /*
+   * Daniel: This endpoint is no longer is use.
+   * We are keeping it for now because it has been exposed in our public api docs for a while, so by removing it we are likely to break users workflows.
+   *
+   * Please refer to the new endpoint, GET /api/v1/organization/audit-logs, for the same (and more) functionality.
+   */
  server.route({
    method: "GET",
    url: "/:workspaceId/audit-logs",
@ -101,7 +107,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.workspaceId)
+        workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.projectId)
      }),
      querystring: z.object({
        eventType: z.nativeEnum(EventType).optional().describe(AUDIT_LOGS.EXPORT.eventType),
@ -122,10 +128,12 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
          })
            .merge(
              z.object({
-                project: z.object({
-                  name: z.string(),
-                  slug: z.string()
-                }),
+                project: z
+                  .object({
+                    name: z.string(),
+                    slug: z.string()
+                  })
+                  .optional(),
                event: z.object({
                  type: z.string(),
                  metadata: z.any()
--- a/backend/src/ee/routes/v1/rate-limit-router.ts
+++ b/backend/src/ee/routes/v1/rate-limit-router.ts
@ -1,7 +1,7 @@
 import { z } from "zod";

 import { RateLimitSchema } from "@app/db/schemas";
-import { BadRequestError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@ -29,7 +29,7 @@ export const registerRateLimitRouter = async (server: FastifyZodProvider) => {
    handler: async () => {
      const rateLimit = await server.services.rateLimit.getRateLimits();
      if (!rateLimit) {
-        throw new BadRequestError({
+        throw new NotFoundError({
          name: "Get Rate Limit Error",
          message: "Rate limit configuration does not exist."
        });
--- a/backend/src/ee/routes/v1/saml-router.ts
+++ b/backend/src/ee/routes/v1/saml-router.ts
@ -61,7 +61,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
                id: samlConfigId
              };
            } else {
-              throw new BadRequestError({ message: "Missing sso identitier or org slug" });
+              throw new BadRequestError({ message: "Missing sso identifier or org slug" });
            }

            const ssoConfig = await server.services.saml.getSaml(ssoLookupDetails);
--- a/backend/src/ee/routes/v1/secret-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-policy-router.ts
@ -1,6 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";

+import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@ -16,32 +17,33 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      rateLimit: writeLimit
    },
    schema: {
-      body: z
-        .object({
-          workspaceId: z.string(),
-          name: z.string().optional(),
-          environment: z.string(),
-          secretPath: z
-            .string()
-            .optional()
-            .nullable()
-            .default("/")
-            .transform((val) => (val ? removeTrailingSlash(val) : val)),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
+      body: z.object({
+        workspaceId: z.string(),
+        name: z.string().optional(),
+        environment: z.string(),
+        secretPath: z
+          .string()
+          .optional()
+          .nullable()
+          .default("/")
+          .transform((val) => (val ? removeTrailingSlash(val) : val)),
+        approvers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+          ])
+          .array()
+          .min(1, { message: "At least one approver should be provided" }),
+        approvals: z.number().min(1).default(1),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+      }),
      response: {
        200: z.object({
          approval: sapPubSchema
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const approval = await server.services.secretApprovalPolicy.createSecretApprovalPolicy({
        actor: req.permission.type,
@ -67,30 +69,31 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      params: z.object({
        sapId: z.string()
      }),
-      body: z
-        .object({
-          name: z.string().optional(),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1),
-          secretPath: z
-            .string()
-            .optional()
-            .nullable()
-            .transform((val) => (val ? removeTrailingSlash(val) : val))
-            .transform((val) => (val === "" ? "/" : val)),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).optional()
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
+      body: z.object({
+        name: z.string().optional(),
+        approvers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+          ])
+          .array()
+          .min(1, { message: "At least one approver should be provided" }),
+        approvals: z.number().min(1).default(1),
+        secretPath: z
+          .string()
+          .optional()
+          .nullable()
+          .transform((val) => (val ? removeTrailingSlash(val) : val))
+          .transform((val) => (val === "" ? "/" : val)),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).optional()
+      }),
      response: {
        200: z.object({
          approval: sapPubSchema
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const approval = await server.services.secretApprovalPolicy.updateSecretApprovalPolicy({
        actor: req.permission.type,
@ -120,7 +123,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const approval = await server.services.secretApprovalPolicy.deleteSecretApprovalPolicy({
        actor: req.permission.type,
@ -147,9 +150,10 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
        200: z.object({
          approvals: sapPubSchema
            .extend({
-              userApprovers: z
+              approvers: z
                .object({
-                  userId: z.string()
+                  id: z.string().nullable().optional(),
+                  type: z.nativeEnum(ApproverType)
                })
                .array()
            })
@ -170,6 +174,44 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
    }
  });

+  server.route({
+    url: "/:sapId",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        sapId: z.string()
+      }),
+      response: {
+        200: z.object({
+          approval: sapPubSchema.extend({
+            approvers: z
+              .object({
+                id: z.string().nullable().optional(),
+                type: z.nativeEnum(ApproverType),
+                name: z.string().nullable().optional()
+              })
+              .array()
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const approval = await server.services.secretApprovalPolicy.getSecretApprovalPolicyById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.params
+      });
+
+      return { approval };
+    }
+  });
+
  server.route({
    url: "/board",
    method: "GET",
@ -186,7 +228,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
        200: z.object({
          policy: sapPubSchema
            .extend({
-              userApprovers: z.object({ userId: z.string() }).array()
+              userApprovers: z.object({ userId: z.string().nullable().optional() }).array()
            })
            .optional()
        })
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@ -13,7 +13,7 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";

-const approvalRequestUser = z.object({ userId: z.string() }).merge(
+const approvalRequestUser = z.object({ userId: z.string().nullable().optional() }).merge(
  UsersSchema.pick({
    email: true,
    firstName: true,
@ -46,7 +46,11 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
              id: z.string(),
              name: z.string(),
              approvals: z.number(),
-              approvers: z.string().array(),
+              approvers: z
+                .object({
+                  userId: z.string().nullable().optional()
+                })
+                .array(),
              secretPath: z.string().optional().nullable(),
              enforcementLevel: z.string()
            }),
@ -54,7 +58,11 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
            commits: z.object({ op: z.string(), secretId: z.string().nullable().optional() }).array(),
            environment: z.string(),
            reviewers: z.object({ userId: z.string(), status: z.string() }).array(),
-            approvers: z.string().array()
+            approvers: z
+              .object({
+                userId: z.string().nullable().optional()
+              })
+              .array()
          }).array()
        })
      }
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
@ -5,22 +5,38 @@ import { AccessApprovalPoliciesSchema, TableName, TAccessApprovalPolicies } from
 import { DatabaseError } from "@app/lib/errors";
 import { buildFindFilter, ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";

+import { ApproverType } from "./access-approval-policy-types";
+
 export type TAccessApprovalPolicyDALFactory = ReturnType<typeof accessApprovalPolicyDALFactory>;

 export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
  const accessApprovalPolicyOrm = ormify(db, TableName.AccessApprovalPolicy);

-  const accessApprovalPolicyFindQuery = async (tx: Knex, filter: TFindFilter<TAccessApprovalPolicies>) => {
+  const accessApprovalPolicyFindQuery = async (
+    tx: Knex,
+    filter: TFindFilter<TAccessApprovalPolicies>,
+    customFilter?: {
+      policyId?: string;
+    }
+  ) => {
    const result = await tx(TableName.AccessApprovalPolicy)
      // eslint-disable-next-line
      .where(buildFindFilter(filter))
+      .where((qb) => {
+        if (customFilter?.policyId) {
+          void qb.where(`${TableName.AccessApprovalPolicy}.id`, "=", customFilter.policyId);
+        }
+      })
      .join(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
      .leftJoin(
        TableName.AccessApprovalPolicyApprover,
        `${TableName.AccessApprovalPolicy}.id`,
        `${TableName.AccessApprovalPolicyApprover}.policyId`
      )
+      .leftJoin(TableName.Users, `${TableName.AccessApprovalPolicyApprover}.approverUserId`, `${TableName.Users}.id`)
+      .select(tx.ref("username").withSchema(TableName.Users).as("approverUsername"))
      .select(tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
+      .select(tx.ref("approverGroupId").withSchema(TableName.AccessApprovalPolicyApprover))
      .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
      .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
      .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
@ -30,10 +46,10 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
    return result;
  };

-  const findById = async (id: string, tx?: Knex) => {
+  const findById = async (policyId: string, tx?: Knex) => {
    try {
      const doc = await accessApprovalPolicyFindQuery(tx || db.replicaNode(), {
-        [`${TableName.AccessApprovalPolicy}.id` as "id"]: id
+        [`${TableName.AccessApprovalPolicy}.id` as "id"]: policyId
      });
      const formattedDoc = sqlNestRelationships({
        data: doc,
@ -50,9 +66,18 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
        childrenMapper: [
          {
            key: "approverUserId",
-            label: "userApprovers" as const,
-            mapper: ({ approverUserId }) => ({
-              userId: approverUserId
+            label: "approvers" as const,
+            mapper: ({ approverUserId: id }) => ({
+              id,
+              type: "user"
+            })
+          },
+          {
+            key: "approverGroupId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupId: id }) => ({
+              id,
+              type: "group"
            })
          }
        ]
@ -64,9 +89,15 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
    }
  };

-  const find = async (filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>, tx?: Knex) => {
+  const find = async (
+    filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>,
+    customFilter?: {
+      policyId?: string;
+    },
+    tx?: Knex
+  ) => {
    try {
-      const docs = await accessApprovalPolicyFindQuery(tx || db.replicaNode(), filter);
+      const docs = await accessApprovalPolicyFindQuery(tx || db.replicaNode(), filter, customFilter);

      const formattedDocs = sqlNestRelationships({
        data: docs,
@ -84,9 +115,19 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
        childrenMapper: [
          {
            key: "approverUserId",
-            label: "userApprovers" as const,
-            mapper: ({ approverUserId }) => ({
-              userId: approverUserId
+            label: "approvers" as const,
+            mapper: ({ approverUserId: id, approverUsername }) => ({
+              id,
+              type: ApproverType.User,
+              name: approverUsername
+            })
+          },
+          {
+            key: "approverGroupId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupId: id }) => ({
+              id,
+              type: ApproverType.Group
            })
          }
        ]
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-fns.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-fns.ts
@ -1,12 +1,11 @@
 import { ForbiddenError, subject } from "@casl/ability";

-import { BadRequestError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";

 import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
-import { TVerifyApprovers } from "./access-approval-policy-types";
+import { TIsApproversValid } from "./access-approval-policy-types";

-export const verifyApprovers = async ({
+export const isApproversValid = async ({
  userIds,
  projectId,
  orgId,
@ -14,9 +13,9 @@ export const verifyApprovers = async ({
  actorAuthMethod,
  secretPath,
  permissionService
-}: TVerifyApprovers) => {
-  for await (const userId of userIds) {
-    try {
+}: TIsApproversValid) => {
+  try {
+    for await (const userId of userIds) {
      const { permission: approverPermission } = await permissionService.getProjectPermission(
        ActorType.USER,
        userId,
@ -29,8 +28,9 @@ export const verifyApprovers = async ({
        ProjectPermissionActions.Create,
        subject(ProjectPermissionSub.Secrets, { environment: envSlug, secretPath })
      );
-    } catch (err) {
-      throw new BadRequestError({ message: "One or more approvers doesn't have access to be specified secret path" });
    }
+  } catch {
+    return false;
  }
+  return true;
 };
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
@ -2,17 +2,21 @@ import { ForbiddenError } from "@casl/ability";

 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
+import { TUserDALFactory } from "@app/services/user/user-dal";

+import { TGroupDALFactory } from "../group/group-dal";
 import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
-import { verifyApprovers } from "./access-approval-policy-fns";
+import { isApproversValid } from "./access-approval-policy-fns";
 import {
+  ApproverType,
  TCreateAccessApprovalPolicy,
  TDeleteAccessApprovalPolicy,
+  TGetAccessApprovalPolicyByIdDTO,
  TGetAccessPolicyCountByEnvironmentDTO,
  TListAccessApprovalPoliciesDTO,
  TUpdateAccessApprovalPolicy
@ -25,6 +29,8 @@ type TSecretApprovalPolicyServiceFactoryDep = {
  projectEnvDAL: Pick<TProjectEnvDALFactory, "find" | "findOne">;
  accessApprovalPolicyApproverDAL: TAccessApprovalPolicyApproverDALFactory;
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
+  groupDAL: TGroupDALFactory;
+  userDAL: Pick<TUserDALFactory, "find">;
 };

 export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprovalPolicyServiceFactory>;
@ -32,9 +38,11 @@ export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprov
 export const accessApprovalPolicyServiceFactory = ({
  accessApprovalPolicyDAL,
  accessApprovalPolicyApproverDAL,
+  groupDAL,
  permissionService,
  projectEnvDAL,
-  projectDAL
+  projectDAL,
+  userDAL
 }: TSecretApprovalPolicyServiceFactoryDep) => {
  const createAccessApprovalPolicy = async ({
    name,
@ -50,9 +58,23 @@ export const accessApprovalPolicyServiceFactory = ({
    enforcementLevel
  }: TCreateAccessApprovalPolicy) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });

-    if (approvals > approvers.length)
+    // If there is a group approver people might be added to the group later to meet the approvers quota
+    const groupApprovers = approvers
+      .filter((approver) => approver.type === ApproverType.Group)
+      .map((approver) => approver.id) as string[];
+
+    const userApprovers = approvers
+      .filter((approver) => approver.type === ApproverType.User)
+      .map((approver) => approver.id)
+      .filter(Boolean) as string[];
+
+    const userApproverNames = approvers
+      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
+      .filter(Boolean) as string[];
+
+    if (!groupApprovers && approvals > userApprovers.length + userApproverNames.length)
      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });

    const { permission } = await permissionService.getProjectPermission(
@ -67,18 +89,65 @@ export const accessApprovalPolicyServiceFactory = ({
      ProjectPermissionSub.SecretApproval
    );
    const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
-    if (!env) throw new BadRequestError({ message: "Environment not found" });
+    if (!env) throw new NotFoundError({ message: "Environment not found" });

-    await verifyApprovers({
+    let approverUserIds = userApprovers;
+    if (userApproverNames.length) {
+      const approverUsers = await userDAL.find({
+        $in: {
+          username: userApproverNames
+        }
+      });
+
+      const approverNamesFromDb = approverUsers.map((user) => user.username);
+      const invalidUsernames = userApproverNames.filter((username) => !approverNamesFromDb.includes(username));
+
+      if (invalidUsernames.length) {
+        throw new BadRequestError({
+          message: `Invalid approver user: ${invalidUsernames.join(", ")}`
+        });
+      }
+
+      approverUserIds = approverUserIds.concat(approverUsers.map((user) => user.id));
+    }
+
+    const usersPromises: Promise<
+      {
+        id: string;
+        email: string | null | undefined;
+        username: string;
+        firstName: string | null | undefined;
+        lastName: string | null | undefined;
+        isPartOfGroup: boolean;
+      }[]
+    >[] = [];
+    const verifyAllApprovers = [...approverUserIds];
+
+    for (const groupId of groupApprovers) {
+      usersPromises.push(groupDAL.findAllGroupPossibleMembers({ orgId: actorOrgId, groupId, offset: 0 }));
+    }
+    const verifyGroupApprovers = (await Promise.all(usersPromises))
+      .flat()
+      .filter((user) => user.isPartOfGroup)
+      .map((user) => user.id);
+    verifyAllApprovers.push(...verifyGroupApprovers);
+
+    const approversValid = await isApproversValid({
      projectId: project.id,
      orgId: actorOrgId,
      envSlug: environment,
      secretPath,
      actorAuthMethod,
      permissionService,
-      userIds: approvers
+      userIds: verifyAllApprovers
    });

+    if (!approversValid) {
+      throw new BadRequestError({
+        message: "One or more approvers doesn't have access to be specified secret path"
+      });
+    }
+
    const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
      const doc = await accessApprovalPolicyDAL.create(
        {
@ -90,13 +159,26 @@ export const accessApprovalPolicyServiceFactory = ({
        },
        tx
      );
-      await accessApprovalPolicyApproverDAL.insertMany(
-        approvers.map((userId) => ({
-          approverUserId: userId,
-          policyId: doc.id
-        })),
-        tx
-      );
+      if (approverUserIds.length) {
+        await accessApprovalPolicyApproverDAL.insertMany(
+          approverUserIds.map((userId) => ({
+            approverUserId: userId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
+      if (groupApprovers) {
+        await accessApprovalPolicyApproverDAL.insertMany(
+          groupApprovers.map((groupId) => ({
+            approverGroupId: groupId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
      return doc;
    });
    return { ...accessApproval, environment: env, projectId: project.id };
@ -110,7 +192,7 @@ export const accessApprovalPolicyServiceFactory = ({
    projectSlug
  }: TListAccessApprovalPoliciesDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });

    // Anyone in the project should be able to get the policies.
    /* const { permission } = */ await permissionService.getProjectPermission(
@ -138,8 +220,30 @@ export const accessApprovalPolicyServiceFactory = ({
    approvals,
    enforcementLevel
  }: TUpdateAccessApprovalPolicy) => {
+    const groupApprovers = approvers
+      .filter((approver) => approver.type === ApproverType.Group)
+      .map((approver) => approver.id) as string[];
+
+    const userApprovers = approvers
+      .filter((approver) => approver.type === ApproverType.User)
+      .map((approver) => approver.id)
+      .filter(Boolean) as string[];
+
+    const userApproverNames = approvers
+      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
+      .filter(Boolean) as string[];
+
    const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
-    if (!accessApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
+    const currentAppovals = approvals || accessApprovalPolicy.approvals;
+    if (
+      groupApprovers?.length === 0 &&
+      userApprovers &&
+      currentAppovals > userApprovers.length + userApproverNames.length
+    ) {
+      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
+    }
+
+    if (!accessApprovalPolicy) throw new NotFoundError({ message: "Secret approval policy not found" });
    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
@ -161,26 +265,100 @@ export const accessApprovalPolicyServiceFactory = ({
        },
        tx
      );
-      if (approvers) {
-        await verifyApprovers({
+
+      await accessApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
+
+      if (userApprovers.length || userApproverNames.length) {
+        let userApproverIds = userApprovers;
+        if (userApproverNames.length) {
+          const approverUsers = await userDAL.find({
+            $in: {
+              username: userApproverNames
+            }
+          });
+
+          const approverNamesFromDb = approverUsers.map((user) => user.username);
+          const invalidUsernames = userApproverNames.filter((username) => !approverNamesFromDb.includes(username));
+
+          if (invalidUsernames.length) {
+            throw new BadRequestError({
+              message: `Invalid approver user: ${invalidUsernames.join(", ")}`
+            });
+          }
+
+          userApproverIds = userApproverIds.concat(approverUsers.map((user) => user.id));
+        }
+
+        const approversValid = await isApproversValid({
          projectId: accessApprovalPolicy.projectId,
          orgId: actorOrgId,
          envSlug: accessApprovalPolicy.environment.slug,
          secretPath: doc.secretPath!,
          actorAuthMethod,
          permissionService,
-          userIds: approvers
+          userIds: userApproverIds
        });

-        await accessApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
+        if (!approversValid) {
+          throw new BadRequestError({
+            message: "One or more approvers doesn't have access to be specified secret path"
+          });
+        }
+
        await accessApprovalPolicyApproverDAL.insertMany(
-          approvers.map((userId) => ({
+          userApproverIds.map((userId) => ({
            approverUserId: userId,
            policyId: doc.id
          })),
          tx
        );
      }
+
+      if (groupApprovers) {
+        const usersPromises: Promise<
+          {
+            id: string;
+            email: string | null | undefined;
+            username: string;
+            firstName: string | null | undefined;
+            lastName: string | null | undefined;
+            isPartOfGroup: boolean;
+          }[]
+        >[] = [];
+
+        for (const groupId of groupApprovers) {
+          usersPromises.push(groupDAL.findAllGroupPossibleMembers({ orgId: actorOrgId, groupId, offset: 0 }));
+        }
+        const verifyGroupApprovers = (await Promise.all(usersPromises))
+          .flat()
+          .filter((user) => user.isPartOfGroup)
+          .map((user) => user.id);
+
+        const approversValid = await isApproversValid({
+          projectId: accessApprovalPolicy.projectId,
+          orgId: actorOrgId,
+          envSlug: accessApprovalPolicy.environment.slug,
+          secretPath: doc.secretPath!,
+          actorAuthMethod,
+          permissionService,
+          userIds: verifyGroupApprovers
+        });
+
+        if (!approversValid) {
+          throw new BadRequestError({
+            message: "One or more approvers doesn't have access to be specified secret path"
+          });
+        }
+
+        await accessApprovalPolicyApproverDAL.insertMany(
+          groupApprovers.map((groupId) => ({
+            approverGroupId: groupId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
      return doc;
    });
    return {
@ -198,7 +376,7 @@ export const accessApprovalPolicyServiceFactory = ({
    actorOrgId
  }: TDeleteAccessApprovalPolicy) => {
    const policy = await accessApprovalPolicyDAL.findById(policyId);
-    if (!policy) throw new BadRequestError({ message: "Secret approval policy not found" });
+    if (!policy) throw new NotFoundError({ message: "Secret approval policy not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -226,7 +404,7 @@ export const accessApprovalPolicyServiceFactory = ({
  }: TGetAccessPolicyCountByEnvironmentDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);

-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });

    const { membership } = await permissionService.getProjectPermission(
      actor,
@ -235,22 +413,53 @@ export const accessApprovalPolicyServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    if (!membership) throw new BadRequestError({ message: "User not found in project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }

    const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
-    if (!environment) throw new BadRequestError({ message: "Environment not found" });
+    if (!environment) throw new NotFoundError({ message: "Environment not found" });

    const policies = await accessApprovalPolicyDAL.find({ envId: environment.id, projectId: project.id });
-    if (!policies) throw new BadRequestError({ message: "No policies found" });
+    if (!policies) throw new NotFoundError({ message: "No policies found" });

    return { count: policies.length };
  };

+  const getAccessApprovalPolicyById = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    policyId
+  }: TGetAccessApprovalPolicyByIdDTO) => {
+    const [policy] = await accessApprovalPolicyDAL.find({}, { policyId });
+
+    if (!policy) {
+      throw new NotFoundError({
+        message: "Cannot find access approval policy"
+      });
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      policy.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+
+    return policy;
+  };
+
  return {
    getAccessPolicyCountByEnvSlug,
    createAccessApprovalPolicy,
    deleteAccessApprovalPolicy,
    updateAccessApprovalPolicy,
-    getAccessApprovalPolicyByProjectSlug
+    getAccessApprovalPolicyByProjectSlug,
+    getAccessApprovalPolicyById
  };
 };
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts
@ -3,7 +3,7 @@ import { ActorAuthMethod } from "@app/services/auth/auth-type";

 import { TPermissionServiceFactory } from "../permission/permission-service";

-export type TVerifyApprovers = {
+export type TIsApproversValid = {
  userIds: string[];
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
  envSlug: string;
@ -13,11 +13,16 @@ export type TVerifyApprovers = {
  orgId: string;
 };

+export enum ApproverType {
+  Group = "group",
+  User = "user"
+}
+
 export type TCreateAccessApprovalPolicy = {
  approvals: number;
  secretPath: string;
  environment: string;
-  approvers: string[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
  projectSlug: string;
  name: string;
  enforcementLevel: EnforcementLevel;
@ -26,7 +31,7 @@ export type TCreateAccessApprovalPolicy = {
 export type TUpdateAccessApprovalPolicy = {
  policyId: string;
  approvals?: number;
-  approvers?: string[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
  secretPath?: string;
  name?: string;
  enforcementLevel?: EnforcementLevel;
@ -41,6 +46,10 @@ export type TGetAccessPolicyCountByEnvironmentDTO = {
  projectSlug: string;
 } & Omit<TProjectPermission, "projectId">;

+export type TGetAccessApprovalPolicyByIdDTO = {
+  policyId: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TListAccessApprovalPoliciesDTO = {
  projectSlug: string;
 } & Omit<TProjectPermission, "projectId">;
--- a/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
@ -39,6 +39,12 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
          `${TableName.AccessApprovalPolicy}.id`,
          `${TableName.AccessApprovalPolicyApprover}.policyId`
        )
+        .leftJoin(
+          TableName.UserGroupMembership,
+          `${TableName.AccessApprovalPolicyApprover}.approverGroupId`,
+          `${TableName.UserGroupMembership}.groupId`
+        )
+        .leftJoin(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)

        .join<TUsers>(
          db(TableName.Users).as("requestedByUser"),
@ -59,6 +65,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
        )

        .select(db.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
+        .select(db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"))

        .select(
          db.ref("projectId").withSchema(TableName.Environment),
@ -142,7 +149,12 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
            label: "reviewers" as const,
            mapper: ({ reviewerUserId: userId, reviewerStatus: status }) => (userId ? { userId, status } : undefined)
          },
-          { key: "approverUserId", label: "approvers" as const, mapper: ({ approverUserId }) => approverUserId }
+          { key: "approverUserId", label: "approvers" as const, mapper: ({ approverUserId }) => approverUserId },
+          {
+            key: "approverGroupUserId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupUserId }) => approverGroupUserId
+          }
        ]
      });

@ -172,17 +184,28 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
        `requestedByUser.id`
      )

-      .join(
+      .leftJoin(
        TableName.AccessApprovalPolicyApprover,
        `${TableName.AccessApprovalPolicy}.id`,
        `${TableName.AccessApprovalPolicyApprover}.policyId`
      )

-      .join<TUsers>(
+      .leftJoin<TUsers>(
        db(TableName.Users).as("accessApprovalPolicyApproverUser"),
        `${TableName.AccessApprovalPolicyApprover}.approverUserId`,
        "accessApprovalPolicyApproverUser.id"
      )
+      .leftJoin(
+        TableName.UserGroupMembership,
+        `${TableName.AccessApprovalPolicyApprover}.approverGroupId`,
+        `${TableName.UserGroupMembership}.groupId`
+      )
+
+      .leftJoin<TUsers>(
+        db(TableName.Users).as("accessApprovalPolicyGroupApproverUser"),
+        `${TableName.UserGroupMembership}.userId`,
+        "accessApprovalPolicyGroupApproverUser.id"
+      )

      .leftJoin(
        TableName.AccessApprovalRequestReviewer,
@ -200,10 +223,15 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
      .select(selectAllTableCols(TableName.AccessApprovalRequest))
      .select(
        tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover),
+        tx.ref("userId").withSchema(TableName.UserGroupMembership),
        tx.ref("email").withSchema("accessApprovalPolicyApproverUser").as("approverEmail"),
+        tx.ref("email").withSchema("accessApprovalPolicyGroupApproverUser").as("approverGroupEmail"),
        tx.ref("username").withSchema("accessApprovalPolicyApproverUser").as("approverUsername"),
+        tx.ref("username").withSchema("accessApprovalPolicyGroupApproverUser").as("approverGroupUsername"),
        tx.ref("firstName").withSchema("accessApprovalPolicyApproverUser").as("approverFirstName"),
+        tx.ref("firstName").withSchema("accessApprovalPolicyGroupApproverUser").as("approverGroupFirstName"),
        tx.ref("lastName").withSchema("accessApprovalPolicyApproverUser").as("approverLastName"),
+        tx.ref("lastName").withSchema("accessApprovalPolicyGroupApproverUser").as("approverGroupLastName"),
        tx.ref("email").withSchema("requestedByUser").as("requestedByUserEmail"),
        tx.ref("username").withSchema("requestedByUser").as("requestedByUserUsername"),
        tx.ref("firstName").withSchema("requestedByUser").as("requestedByUserFirstName"),
@ -282,6 +310,23 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
              lastName,
              username
            })
+          },
+          {
+            key: "userId",
+            label: "approvers" as const,
+            mapper: ({
+              userId,
+              approverGroupEmail: email,
+              approverGroupUsername: username,
+              approverGroupLastName: lastName,
+              approverFirstName: firstName
+            }) => ({
+              userId,
+              email,
+              firstName,
+              lastName,
+              username
+            })
          }
        ]
      });
--- a/backend/src/ee/services/access-approval-request/access-approval-request-fns.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-fns.ts
@ -1,6 +1,6 @@
 import { PackRule, unpackRules } from "@casl/ability/extra";

-import { UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError } from "@app/lib/errors";

 import { TVerifyPermission } from "./access-approval-request-types";

@ -19,7 +19,7 @@ export const verifyRequestedPermissions = ({ permissions }: TVerifyPermission) =
  );

  if (!permission || !permission.length) {
-    throw new UnauthorizedError({ message: "No permission provided" });
+    throw new BadRequestError({ message: "No permission provided" });
  }

  const requestedPermissions: string[] = [];
@ -39,10 +39,10 @@ export const verifyRequestedPermissions = ({ permissions }: TVerifyPermission) =
  const permissionEnv = firstPermission.conditions?.environment;

  if (!permissionEnv || typeof permissionEnv !== "string") {
-    throw new UnauthorizedError({ message: "Permission environment is not a string" });
+    throw new BadRequestError({ message: "Permission environment is not a string" });
  }
  if (!permissionSecretPath || typeof permissionSecretPath !== "string") {
-    throw new UnauthorizedError({ message: "Permission path is not a string" });
+    throw new BadRequestError({ message: "Permission path is not a string" });
  }

  return {
--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@ -3,7 +3,7 @@ import ms from "ms";

 import { ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@ -17,7 +17,8 @@ import { TUserDALFactory } from "@app/services/user/user-dal";

 import { TAccessApprovalPolicyApproverDALFactory } from "../access-approval-policy/access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "../access-approval-policy/access-approval-policy-dal";
-import { verifyApprovers } from "../access-approval-policy/access-approval-policy-fns";
+import { isApproversValid } from "../access-approval-policy/access-approval-policy-fns";
+import { TGroupDALFactory } from "../group/group-dal";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "../project-user-additional-privilege/project-user-additional-privilege-types";
@ -57,6 +58,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
    TAccessApprovalRequestReviewerDALFactory,
    "create" | "find" | "findOne" | "transaction"
  >;
+  groupDAL: Pick<TGroupDALFactory, "findAllGroupPossibleMembers">;
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findById">;
  smtpService: Pick<TSmtpService, "sendMail">;
  userDAL: Pick<
@ -70,6 +72,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
 export type TAccessApprovalRequestServiceFactory = ReturnType<typeof accessApprovalRequestServiceFactory>;

 export const accessApprovalRequestServiceFactory = ({
+  groupDAL,
  projectDAL,
  projectEnvDAL,
  permissionService,
@ -96,7 +99,7 @@ export const accessApprovalRequestServiceFactory = ({
  }: TCreateAccessApprovalRequestDTO) => {
    const cfg = getConfig();
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new UnauthorizedError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });

    // Anyone can create an access approval request.
    const { membership } = await permissionService.getProjectPermission(
@ -106,31 +109,56 @@ export const accessApprovalRequestServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }

    const requestedByUser = await userDAL.findById(actorId);
-    if (!requestedByUser) throw new UnauthorizedError({ message: "User not found" });
+    if (!requestedByUser) throw new ForbiddenRequestError({ message: "User not found" });

    await projectDAL.checkProjectUpgradeStatus(project.id);

    const { envSlug, secretPath, accessTypes } = verifyRequestedPermissions({ permissions: requestedPermissions });
    const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });

-    if (!environment) throw new UnauthorizedError({ message: "Environment not found" });
+    if (!environment) throw new NotFoundError({ message: "Environment not found" });

    const policy = await accessApprovalPolicyDAL.findOne({
      envId: environment.id,
      secretPath
    });
-    if (!policy) throw new UnauthorizedError({ message: "No policy matching criteria was found." });
+    if (!policy) throw new NotFoundError({ message: "No policy matching criteria was found." });
+
+    const approverIds: string[] = [];
+    const approverGroupIds: string[] = [];

    const approvers = await accessApprovalPolicyApproverDAL.find({
      policyId: policy.id
    });

+    approvers.forEach((approver) => {
+      if (approver.approverUserId) {
+        approverIds.push(approver.approverUserId);
+      } else if (approver.approverGroupId) {
+        approverGroupIds.push(approver.approverGroupId);
+      }
+    });
+
+    const groupUsers = (
+      await Promise.all(
+        approverGroupIds.map((groupApproverId) =>
+          groupDAL.findAllGroupPossibleMembers({
+            orgId: actorOrgId,
+            groupId: groupApproverId
+          })
+        )
+      )
+    ).flat();
+    approverIds.push(...groupUsers.filter((user) => user.isPartOfGroup).map((user) => user.id));
+
    const approverUsers = await userDAL.find({
      $in: {
-        id: approvers.map((approver) => approver.approverUserId)
+        id: [...new Set(approverIds)]
      }
    });

@ -236,7 +264,7 @@ export const accessApprovalRequestServiceFactory = ({
    actorAuthMethod
  }: TListApprovalRequestsDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new UnauthorizedError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });

    const { membership } = await permissionService.getProjectPermission(
      actor,
@ -245,7 +273,9 @@ export const accessApprovalRequestServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }

    const policies = await accessApprovalPolicyDAL.find({ projectId: project.id });
    let requests = await accessApprovalRequestDAL.findRequestsWithPrivilegeByPolicyIds(policies.map((p) => p.id));
@ -270,7 +300,7 @@ export const accessApprovalRequestServiceFactory = ({
    actorOrgId
  }: TReviewAccessRequestDTO) => {
    const accessApprovalRequest = await accessApprovalRequestDAL.findById(requestId);
-    if (!accessApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
+    if (!accessApprovalRequest) throw new NotFoundError({ message: "Secret approval request not found" });

    const { policy } = accessApprovalRequest;
    const { membership, hasRole } = await permissionService.getProjectPermission(
@ -281,19 +311,21 @@ export const accessApprovalRequestServiceFactory = ({
      actorOrgId
    );

-    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }

    if (
      !hasRole(ProjectMembershipRole.Admin) &&
      accessApprovalRequest.requestedByUserId !== actorId && // The request wasn't made by the current user
      !policy.approvers.find((approver) => approver.userId === actorId) // The request isn't performed by an assigned approver
    ) {
-      throw new UnauthorizedError({ message: "You are not authorized to approve this request" });
+      throw new ForbiddenRequestError({ message: "You are not authorized to approve this request" });
    }

    const reviewerProjectMembership = await projectMembershipDAL.findById(membership.id);

-    await verifyApprovers({
+    const approversValid = await isApproversValid({
      projectId: accessApprovalRequest.projectId,
      orgId: actorOrgId,
      envSlug: accessApprovalRequest.environment,
@ -303,6 +335,10 @@ export const accessApprovalRequestServiceFactory = ({
      userIds: [reviewerProjectMembership.userId]
    });

+    if (!approversValid) {
+      throw new ForbiddenRequestError({ message: "You don't have access to approve this request" });
+    }
+
    const existingReviews = await accessApprovalRequestReviewerDAL.find({ requestId: accessApprovalRequest.id });
    if (existingReviews.some((review) => review.status === ApprovalStatus.REJECTED)) {
      throw new BadRequestError({ message: "The request has already been rejected by another reviewer" });
@ -385,7 +421,7 @@ export const accessApprovalRequestServiceFactory = ({

  const getCount = async ({ projectSlug, actor, actorAuthMethod, actorId, actorOrgId }: TGetAccessRequestCountDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new UnauthorizedError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });

    const { membership } = await permissionService.getProjectPermission(
      actor,
@ -394,7 +430,9 @@ export const accessApprovalRequestServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    if (!membership) throw new BadRequestError({ message: "User not found in project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }

    const count = await accessApprovalRequestDAL.getCount({ projectId: project.id });

--- a/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
+++ b/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
@ -5,7 +5,7 @@ import { SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
 import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";

 import { AUDIT_LOG_STREAM_TIMEOUT } from "../audit-log/audit-log-queue";
@ -43,14 +43,15 @@ export const auditLogStreamServiceFactory = ({
    actorOrgId,
    actorAuthMethod
  }: TCreateAuditLogStreamDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Missing org id from token" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID attached to authentication token" });

    const appCfg = getConfig();
    const plan = await licenseService.getPlan(actorOrgId);
-    if (!plan.auditLogStreams)
+    if (!plan.auditLogStreams) {
      throw new BadRequestError({
        message: "Failed to create audit log streams due to plan restriction. Upgrade plan to create group."
      });
+    }

    const { permission } = await permissionService.getOrgPermission(
      actor,
@ -120,7 +121,7 @@ export const auditLogStreamServiceFactory = ({
    actorOrgId,
    actorAuthMethod
  }: TUpdateAuditLogStreamDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Missing org id from token" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID attached to authentication token" });

    const plan = await licenseService.getPlan(actorOrgId);
    if (!plan.auditLogStreams)
@ -129,7 +130,7 @@ export const auditLogStreamServiceFactory = ({
      });

    const logStream = await auditLogStreamDAL.findById(id);
-    if (!logStream) throw new BadRequestError({ message: "Audit log stream not found" });
+    if (!logStream) throw new NotFoundError({ message: "Audit log stream not found" });

    const { orgId } = logStream;
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
@ -178,10 +179,10 @@ export const auditLogStreamServiceFactory = ({
  };

  const deleteById = async ({ id, actor, actorId, actorOrgId, actorAuthMethod }: TDeleteAuditLogStreamDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Missing org id from token" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID attached to authentication token" });

    const logStream = await auditLogStreamDAL.findById(id);
-    if (!logStream) throw new BadRequestError({ message: "Audit log stream not found" });
+    if (!logStream) throw new NotFoundError({ message: "Audit log stream not found" });

    const { orgId } = logStream;
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
@ -193,7 +194,7 @@ export const auditLogStreamServiceFactory = ({

  const getById = async ({ id, actor, actorId, actorOrgId, actorAuthMethod }: TGetDetailsAuditLogStreamDTO) => {
    const logStream = await auditLogStreamDAL.findById(id);
-    if (!logStream) throw new BadRequestError({ message: "Audit log stream not found" });
+    if (!logStream) throw new NotFoundError({ message: "Audit log stream not found" });

    const { orgId } = logStream;
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
--- a/backend/src/ee/services/audit-log/audit-log-dal.ts
+++ b/backend/src/ee/services/audit-log/audit-log-dal.ts
@ -3,7 +3,7 @@ import { Knex } from "knex";
 import { TDbClient } from "@app/db";
 import { AuditLogsSchema, TableName } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols, stripUndefinedInWhere } from "@app/lib/knex";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
 import { logger } from "@app/lib/logger";
 import { QueueName } from "@app/queue";
 import { ActorType } from "@app/services/auth/auth-type";
@ -48,47 +48,61 @@ export const auditLogDALFactory = (db: TDbClient) => {
    },
    tx?: Knex
  ) => {
+    if (!orgId && !projectId) {
+      throw new Error("Either orgId or projectId must be provided");
+    }
+
    try {
+      // Find statements
      const sqlQuery = (tx || db.replicaNode())(TableName.AuditLog)
-        .where(
-          stripUndefinedInWhere({
-            projectId,
-            [`${TableName.AuditLog}.orgId`]: orgId,
-            userAgentType
-          })
-        )
-
        .leftJoin(TableName.Project, `${TableName.AuditLog}.projectId`, `${TableName.Project}.id`)
+        // eslint-disable-next-line func-names
+        .where(function () {
+          if (orgId) {
+            void this.where(`${TableName.Project}.orgId`, orgId).orWhere(`${TableName.AuditLog}.orgId`, orgId);
+          } else if (projectId) {
+            void this.where(`${TableName.AuditLog}.projectId`, projectId);
+          }
+        });

+      if (userAgentType) {
+        void sqlQuery.where("userAgentType", userAgentType);
+      }
+
+      // Select statements
+      void sqlQuery
        .select(selectAllTableCols(TableName.AuditLog))
-
        .select(
          db.ref("name").withSchema(TableName.Project).as("projectName"),
          db.ref("slug").withSchema(TableName.Project).as("projectSlug")
        )
-
        .limit(limit)
        .offset(offset)
        .orderBy(`${TableName.AuditLog}.createdAt`, "desc");

+      // Special case: Filter by actor ID
      if (actorId) {
        void sqlQuery.whereRaw(`"actorMetadata"->>'userId' = ?`, [actorId]);
      }

+      // Special case: Filter by key/value pairs in eventMetadata field
      if (eventMetadata && Object.keys(eventMetadata).length) {
        Object.entries(eventMetadata).forEach(([key, value]) => {
          void sqlQuery.whereRaw(`"eventMetadata"->>'${key}' = ?`, [value]);
        });
      }

+      // Filter by actor type
      if (actorType) {
        void sqlQuery.where("actor", actorType);
      }

+      // Filter by event types
      if (eventType?.length) {
        void sqlQuery.whereIn("eventType", eventType);
      }

+      // Filter by date range
      if (startDate) {
        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, ">=", startDate);
      }
@ -97,13 +111,21 @@ export const auditLogDALFactory = (db: TDbClient) => {
      }
      const docs = await sqlQuery;

-      return docs.map((doc) => ({
-        ...AuditLogsSchema.parse(doc),
-        project: {
-          name: doc.projectName,
-          slug: doc.projectSlug
-        }
-      }));
+      return docs.map((doc) => {
+        // Our type system refuses to acknowledge that the project name and slug are present in the doc, due to the disjointed query structure above.
+        // This is a quick and dirty way to get around the types.
+        const projectDoc = doc as unknown as { projectName: string; projectSlug: string };
+
+        return {
+          ...AuditLogsSchema.parse(doc),
+          ...(projectDoc?.projectSlug && {
+            project: {
+              name: projectDoc.projectName,
+              slug: projectDoc.projectSlug
+            }
+          })
+        };
+      });
    } catch (error) {
      throw new DatabaseError({ error });
    }
--- a/backend/src/ee/services/audit-log/audit-log-service.ts
+++ b/backend/src/ee/services/audit-log/audit-log-service.ts
@ -24,6 +24,7 @@ export const auditLogServiceFactory = ({
  permissionService
 }: TAuditLogServiceFactoryDep) => {
  const listAuditLogs = async ({ actorAuthMethod, actorId, actorOrgId, actor, filter }: TListProjectAuditLogDTO) => {
+    // Filter logs for specific project
    if (filter.projectId) {
      const { permission } = await permissionService.getProjectPermission(
        actor,
@ -34,6 +35,7 @@ export const auditLogServiceFactory = ({
      );
      ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
    } else {
+      // Organization-wide logs
      const { permission } = await permissionService.getOrgPermission(
        actor,
        actorId,
@ -44,13 +46,12 @@ export const auditLogServiceFactory = ({

      /**
       * NOTE (dangtony98): Update this to organization-level audit log permission check once audit logs are moved
-       * to the organization level
+       * to the organization level ✅
       */
-      ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Member);
+      ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
    }

    // If project ID is not provided, then we need to return all the audit logs for the organization itself.
-
    const auditLogs = await auditLogDAL.find({
      startDate: filter.startDate,
      endDate: filter.endDate,
--- a/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
+++ b/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
@ -2,10 +2,9 @@ import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";

 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
-// import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { TCertificateAuthorityDALFactory } from "@app/services/certificate-authority/certificate-authority-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@ -19,7 +18,6 @@ type TCertificateAuthorityCrlServiceFactoryDep = {
  projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
  kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  // licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };

 export type TCertificateAuthorityCrlServiceFactory = ReturnType<typeof certificateAuthorityCrlServiceFactory>;
@ -66,7 +64,7 @@ export const certificateAuthorityCrlServiceFactory = ({
   */
  const getCaCrls = async ({ caId, actorId, actorAuthMethod, actor, actorOrgId }: TGetCaCrlsDTO) => {
    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new BadRequestError({ message: "CA not found" });
+    if (!ca) throw new NotFoundError({ message: "CA not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -81,13 +79,6 @@ export const certificateAuthorityCrlServiceFactory = ({
      ProjectPermissionSub.CertificateAuthorities
    );

-    // const plan = await licenseService.getPlan(actorOrgId);
-    // if (!plan.caCrl)
-    //   throw new BadRequestError({
-    //     message:
-    //       "Failed to get CA certificate revocation lists (CRLs) due to plan restriction. Upgrade plan to get the CA CRL."
-    //   });
-
    const caCrls = await certificateAuthorityCrlDAL.find({ caId: ca.id }, { sort: [["createdAt", "desc"]] });

    const keyId = await getProjectKmsCertificateKeyId({
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
@ -7,7 +7,7 @@ import { TPermissionServiceFactory } from "@app/ee/services/permission/permissio
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { getConfig } from "@app/lib/config/env";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
@ -61,7 +61,7 @@ export const dynamicSecretLeaseServiceFactory = ({
  }: TCreateDynamicSecretLeaseDTO) => {
    const appCfg = getConfig();
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });

    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@ -84,10 +84,10 @@ export const dynamicSecretLeaseServiceFactory = ({
    }

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });

    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+    if (!dynamicSecretCfg) throw new NotFoundError({ message: "Dynamic secret not found" });

    const totalLeasesTaken = await dynamicSecretLeaseDAL.countLeasesForDynamicSecret(dynamicSecretCfg.id);
    if (totalLeasesTaken >= appCfg.MAX_LEASE_LIMIT)
@ -134,7 +134,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    leaseId
  }: TRenewDynamicSecretLeaseDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });

    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@ -157,10 +157,10 @@ export const dynamicSecretLeaseServiceFactory = ({
    }

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });

    const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
+    if (!dynamicSecretLease) throw new NotFoundError({ message: "Dynamic secret lease not found" });

    const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
@ -208,7 +208,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    isForced
  }: TDeleteDynamicSecretLeaseDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });

    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@ -224,10 +224,10 @@ export const dynamicSecretLeaseServiceFactory = ({
    );

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });

    const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
+    if (!dynamicSecretLease) throw new NotFoundError({ message: "Dynamic secret lease not found" });

    const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
@ -273,7 +273,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    actorAuthMethod
  }: TListDynamicSecretLeasesDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });

    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@ -289,10 +289,10 @@ export const dynamicSecretLeaseServiceFactory = ({
    );

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });

    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+    if (!dynamicSecretCfg) throw new NotFoundError({ message: "Dynamic secret not found" });

    const dynamicSecretLeases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfg.id });
    return dynamicSecretLeases;
@ -309,7 +309,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    actorAuthMethod
  }: TDetailsDynamicSecretLeaseDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });

    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@ -325,10 +325,10 @@ export const dynamicSecretLeaseServiceFactory = ({
    );

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });

    const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
+    if (!dynamicSecretLease) throw new NotFoundError({ message: "Dynamic secret lease not found" });

    return dynamicSecretLease;
  };
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-dal.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-dal.ts
@ -1,10 +1,70 @@
+import { Knex } from "knex";
+
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { OrderByDirection } from "@app/lib/types";
+import { SecretsOrderBy } from "@app/services/secret/secret-types";

 export type TDynamicSecretDALFactory = ReturnType<typeof dynamicSecretDALFactory>;

 export const dynamicSecretDALFactory = (db: TDbClient) => {
  const orm = ormify(db, TableName.DynamicSecret);
-  return orm;
+
+  // find dynamic secrets for multiple environments (folder IDs are cross env, thus need to rank for pagination)
+  const listDynamicSecretsByFolderIds = async (
+    {
+      folderIds,
+      search,
+      limit,
+      offset = 0,
+      orderBy = SecretsOrderBy.Name,
+      orderDirection = OrderByDirection.ASC
+    }: {
+      folderIds: string[];
+      search?: string;
+      limit?: number;
+      offset?: number;
+      orderBy?: SecretsOrderBy;
+      orderDirection?: OrderByDirection;
+    },
+    tx?: Knex
+  ) => {
+    try {
+      const query = (tx || db.replicaNode())(TableName.DynamicSecret)
+        .whereIn("folderId", folderIds)
+        .where((bd) => {
+          if (search) {
+            void bd.whereILike(`${TableName.DynamicSecret}.name`, `%${search}%`);
+          }
+        })
+        .leftJoin(TableName.SecretFolder, `${TableName.SecretFolder}.id`, `${TableName.DynamicSecret}.folderId`)
+        .leftJoin(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
+        .select(
+          selectAllTableCols(TableName.DynamicSecret),
+          db.ref("slug").withSchema(TableName.Environment).as("environment"),
+          db.raw(`DENSE_RANK() OVER (ORDER BY ${TableName.DynamicSecret}."name" ${orderDirection}) as rank`)
+        )
+        .orderBy(`${TableName.DynamicSecret}.${orderBy}`, orderDirection);
+
+      if (limit) {
+        const rankOffset = offset + 1;
+        return await (tx || db)
+          .with("w", query)
+          .select("*")
+          .from<Awaited<typeof query>[number]>("w")
+          .where("w.rank", ">=", rankOffset)
+          .andWhere("w.rank", "<", rankOffset + limit);
+      }
+
+      const dynamicSecrets = await query;
+
+      return dynamicSecrets;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "List dynamic secret multi env" });
+    }
+  };
+
+  return { ...orm, listDynamicSecretsByFolderIds };
 };
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
@ -5,7 +5,8 @@ import { TLicenseServiceFactory } from "@app/ee/services/license/license-service
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { OrderByDirection } from "@app/lib/types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";

@ -17,9 +18,12 @@ import {
  TCreateDynamicSecretDTO,
  TDeleteDynamicSecretDTO,
  TDetailsDynamicSecretDTO,
+  TGetDynamicSecretsCountDTO,
  TListDynamicSecretsDTO,
+  TListDynamicSecretsMultiEnvDTO,
  TUpdateDynamicSecretDTO
 } from "./dynamic-secret-types";
+import { AzureEntraIDProvider } from "./providers/azure-entra-id";
 import { DynamicSecretProviders, TDynamicProviderFns } from "./providers/models";

 type TDynamicSecretServiceFactoryDep = {
@ -31,7 +35,7 @@ type TDynamicSecretServiceFactoryDep = {
    "pruneDynamicSecret" | "unsetLeaseRevocation"
  >;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath">;
+  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath" | "findBySecretPathMultiEnv">;
  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
 };
@ -62,7 +66,7 @@ export const dynamicSecretServiceFactory = ({
    actorAuthMethod
  }: TCreateDynamicSecretDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });

    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@ -85,7 +89,7 @@ export const dynamicSecretServiceFactory = ({
    }

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });

    const existingDynamicSecret = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
    if (existingDynamicSecret)
@ -130,7 +134,7 @@ export const dynamicSecretServiceFactory = ({
    actorAuthMethod
  }: TUpdateDynamicSecretDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });

    const projectId = project.id;

@ -154,10 +158,10 @@ export const dynamicSecretServiceFactory = ({
    }

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });

    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+    if (!dynamicSecretCfg) throw new NotFoundError({ message: "Dynamic secret not found" });

    if (newName) {
      const existingDynamicSecret = await dynamicSecretDAL.findOne({ name: newName, folderId: folder.id });
@ -209,7 +213,7 @@ export const dynamicSecretServiceFactory = ({
    isForced
  }: TDeleteDynamicSecretDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });

    const projectId = project.id;

@ -226,7 +230,7 @@ export const dynamicSecretServiceFactory = ({
    );

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });

    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
@ -267,7 +271,7 @@ export const dynamicSecretServiceFactory = ({
    actor
  }: TDetailsDynamicSecretDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });

    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@ -283,10 +287,10 @@ export const dynamicSecretServiceFactory = ({
    );

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });

    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+    if (!dynamicSecretCfg) throw new NotFoundError({ message: "Dynamic secret not found" });
    const decryptedStoredInput = JSON.parse(
      infisicalSymmetricDecrypt({
        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
@ -300,19 +304,58 @@ export const dynamicSecretServiceFactory = ({
    return { ...dynamicSecretCfg, inputs: providerInputs };
  };

-  const list = async ({
+  // get unique dynamic secret count across multiple envs
+  const getCountMultiEnv = async ({
    actorAuthMethod,
    actorOrgId,
    actorId,
    actor,
-    projectSlug,
+    projectId,
    path,
-    environmentSlug
-  }: TListDynamicSecretsDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    environmentSlugs,
+    search,
+    isInternal
+  }: TListDynamicSecretsMultiEnvDTO) => {
+    if (!isInternal) {
+      const { permission } = await permissionService.getProjectPermission(
+        actor,
+        actorId,
+        projectId,
+        actorAuthMethod,
+        actorOrgId
+      );

-    const projectId = project.id;
+      // verify user has access to each env in request
+      environmentSlugs.forEach((environmentSlug) =>
+        ForbiddenError.from(permission).throwUnlessCan(
+          ProjectPermissionActions.Read,
+          subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+        )
+      );
+    }
+
+    const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);
+    if (!folders.length) throw new NotFoundError({ message: "Folders not found" });
+
+    const dynamicSecretCfg = await dynamicSecretDAL.find(
+      { $in: { folderId: folders.map((folder) => folder.id) }, $search: search ? { name: `%${search}%` } : undefined },
+      { countDistinct: "name" }
+    );
+
+    return Number(dynamicSecretCfg[0]?.count ?? 0);
+  };
+
+  // get dynamic secret count for a single env
+  const getDynamicSecretCount = async ({
+    actorAuthMethod,
+    actorOrgId,
+    actorId,
+    actor,
+    path,
+    environmentSlug,
+    search,
+    projectId
+  }: TGetDynamicSecretsCountDTO) => {
    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
@ -326,17 +369,132 @@ export const dynamicSecretServiceFactory = ({
    );

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });

-    const dynamicSecretCfg = await dynamicSecretDAL.find({ folderId: folder.id });
+    const dynamicSecretCfg = await dynamicSecretDAL.find(
+      { folderId: folder.id, $search: search ? { name: `%${search}%` } : undefined },
+      { count: true }
+    );
+    return Number(dynamicSecretCfg[0]?.count ?? 0);
+  };
+
+  const listDynamicSecretsByEnv = async ({
+    actorAuthMethod,
+    actorOrgId,
+    actorId,
+    actor,
+    projectSlug,
+    path,
+    environmentSlug,
+    limit,
+    offset,
+    orderBy,
+    orderDirection = OrderByDirection.ASC,
+    search,
+    ...params
+  }: TListDynamicSecretsDTO) => {
+    let { projectId } = params;
+
+    if (!projectId) {
+      if (!projectSlug) throw new BadRequestError({ message: "Project ID or slug required" });
+      const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+      if (!project) throw new NotFoundError({ message: "Project not found" });
+      projectId = project.id;
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+    );
+
+    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
+
+    const dynamicSecretCfg = await dynamicSecretDAL.find(
+      { folderId: folder.id, $search: search ? { name: `%${search}%` } : undefined },
+      {
+        limit,
+        offset,
+        sort: orderBy ? [[orderBy, orderDirection]] : undefined
+      }
+    );
    return dynamicSecretCfg;
  };

+  // get dynamic secrets for multiple envs
+  const listDynamicSecretsByFolderIds = async ({
+    actorAuthMethod,
+    actorOrgId,
+    actorId,
+    actor,
+    path,
+    environmentSlugs,
+    projectId,
+    isInternal,
+    ...params
+  }: TListDynamicSecretsMultiEnvDTO) => {
+    if (!isInternal) {
+      const { permission } = await permissionService.getProjectPermission(
+        actor,
+        actorId,
+        projectId,
+        actorAuthMethod,
+        actorOrgId
+      );
+
+      // verify user has access to each env in request
+      environmentSlugs.forEach((environmentSlug) =>
+        ForbiddenError.from(permission).throwUnlessCan(
+          ProjectPermissionActions.Read,
+          subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+        )
+      );
+    }
+
+    const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);
+    if (!folders.length) throw new NotFoundError({ message: "Folders not found" });
+
+    const dynamicSecretCfg = await dynamicSecretDAL.listDynamicSecretsByFolderIds({
+      folderIds: folders.map((folder) => folder.id),
+      ...params
+    });
+
+    return dynamicSecretCfg;
+  };
+
+  const fetchAzureEntraIdUsers = async ({
+    tenantId,
+    applicationId,
+    clientSecret
+  }: {
+    tenantId: string;
+    applicationId: string;
+    clientSecret: string;
+  }) => {
+    const azureEntraIdUsers = await AzureEntraIDProvider().fetchAzureEntraIdUsers(
+      tenantId,
+      applicationId,
+      clientSecret
+    );
+    return azureEntraIdUsers;
+  };
+
  return {
    create,
    updateByName,
    deleteByName,
    getDetails,
-    list
+    listDynamicSecretsByEnv,
+    listDynamicSecretsByFolderIds,
+    getDynamicSecretCount,
+    getCountMultiEnv,
+    fetchAzureEntraIdUsers
  };
 };
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts
@ -1,6 +1,7 @@
 import { z } from "zod";

-import { TProjectPermission } from "@app/lib/types";
+import { OrderByDirection, TProjectPermission } from "@app/lib/types";
+import { SecretsOrderBy } from "@app/services/secret/secret-types";

 import { DynamicSecretProviderSchema } from "./providers/models";

@ -50,5 +51,20 @@ export type TDetailsDynamicSecretDTO = {
 export type TListDynamicSecretsDTO = {
  path: string;
  environmentSlug: string;
-  projectSlug: string;
+  projectSlug?: string;
+  projectId?: string;
+  offset?: number;
+  limit?: number;
+  orderBy?: SecretsOrderBy;
+  orderDirection?: OrderByDirection;
+  search?: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export type TListDynamicSecretsMultiEnvDTO = Omit<
+  TListDynamicSecretsDTO,
+  "projectId" | "environmentSlug" | "projectSlug"
+> & { projectId: string; environmentSlugs: string[]; isInternal?: boolean };
+
+export type TGetDynamicSecretsCountDTO = Omit<TListDynamicSecretsDTO, "projectSlug" | "projectId"> & {
+  projectId: string;
+};
--- a/backend/src/ee/services/dynamic-secret/providers/azure-entra-id.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/azure-entra-id.ts
@ -0,0 +1,138 @@
+import axios from "axios";
+import { customAlphabet } from "nanoid";
+
+import { BadRequestError } from "@app/lib/errors";
+
+import { AzureEntraIDSchema, TDynamicProviderFns } from "./models";
+
+const MSFT_GRAPH_API_URL = "https://graph.microsoft.com/v1.0/";
+const MSFT_LOGIN_URL = "https://login.microsoftonline.com";
+
+const generatePassword = () => {
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
+  return customAlphabet(charset, 64)();
+};
+
+type User = { name: string; id: string; email: string };
+
+export const AzureEntraIDProvider = (): TDynamicProviderFns & {
+  fetchAzureEntraIdUsers: (tenantId: string, applicationId: string, clientSecret: string) => Promise<User[]>;
+} => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await AzureEntraIDSchema.parseAsync(inputs);
+    return providerInputs;
+  };
+
+  const getToken = async (
+    tenantId: string,
+    applicationId: string,
+    clientSecret: string
+  ): Promise<{ token?: string; success: boolean }> => {
+    const response = await axios.post<{ access_token: string }>(
+      `${MSFT_LOGIN_URL}/${tenantId}/oauth2/v2.0/token`,
+      {
+        grant_type: "client_credentials",
+        client_id: applicationId,
+        client_secret: clientSecret,
+        scope: "https://graph.microsoft.com/.default"
+      },
+      {
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded"
+        }
+      }
+    );
+
+    if (response.status === 200) {
+      return { token: response.data.access_token, success: true };
+    }
+    return { success: false };
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const data = await getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+    return data.success;
+  };
+
+  const renew = async (inputs: unknown, entityId: string) => {
+    // Do nothing
+    return { entityId };
+  };
+
+  const create = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const data = await getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+    if (!data.success) {
+      throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
+    }
+
+    const password = generatePassword();
+
+    const response = await axios.patch(
+      `${MSFT_GRAPH_API_URL}/users/${providerInputs.userId}`,
+      {
+        passwordProfile: {
+          forceChangePasswordNextSignIn: false,
+          password
+        }
+      },
+      {
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${data.token}`
+        }
+      }
+    );
+    if (response.status !== 204) {
+      throw new BadRequestError({ message: "Failed to update password" });
+    }
+
+    return { entityId: providerInputs.userId, data: { email: providerInputs.email, password } };
+  };
+
+  const revoke = async (inputs: unknown, entityId: string) => {
+    // Creates a new password
+    await create(inputs);
+    return { entityId };
+  };
+
+  const fetchAzureEntraIdUsers = async (tenantId: string, applicationId: string, clientSecret: string) => {
+    const data = await getToken(tenantId, applicationId, clientSecret);
+    if (!data.success) {
+      throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
+    }
+
+    const response = await axios.get<{ value: [{ id: string; displayName: string; userPrincipalName: string }] }>(
+      `${MSFT_GRAPH_API_URL}/users`,
+      {
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+          Authorization: `Bearer ${data.token}`
+        }
+      }
+    );
+
+    if (response.status !== 200) {
+      throw new BadRequestError({ message: "Failed to fetch users" });
+    }
+
+    const users = response.data.value.map((user) => {
+      return {
+        name: user.displayName,
+        id: user.id,
+        email: user.userPrincipalName
+      };
+    });
+    return users;
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew,
+    fetchAzureEntraIdUsers
+  };
+};
--- a/backend/src/ee/services/dynamic-secret/providers/index.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/index.ts
@ -1,5 +1,6 @@
 import { AwsElastiCacheDatabaseProvider } from "./aws-elasticache";
 import { AwsIamProvider } from "./aws-iam";
+import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
 import { ElasticSearchProvider } from "./elastic-search";
 import { DynamicSecretProviders } from "./models";
@ -18,5 +19,6 @@ export const buildDynamicSecretProviders = () => ({
  [DynamicSecretProviders.MongoAtlas]: MongoAtlasProvider(),
  [DynamicSecretProviders.MongoDB]: MongoDBProvider(),
  [DynamicSecretProviders.ElasticSearch]: ElasticSearchProvider(),
-  [DynamicSecretProviders.RabbitMq]: RabbitMqProvider()
+  [DynamicSecretProviders.RabbitMq]: RabbitMqProvider(),
+  [DynamicSecretProviders.AzureEntraID]: AzureEntraIDProvider()
 });
--- a/backend/src/ee/services/dynamic-secret/providers/models.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/models.ts
@ -166,6 +166,14 @@ export const DynamicSecretMongoDBSchema = z.object({
    )
 });

+export const AzureEntraIDSchema = z.object({
+  tenantId: z.string().trim().min(1),
+  userId: z.string().trim().min(1),
+  email: z.string().trim().min(1),
+  applicationId: z.string().trim().min(1),
+  clientSecret: z.string().trim().min(1)
+});
+
 export enum DynamicSecretProviders {
  SqlDatabase = "sql-database",
  Cassandra = "cassandra",
@ -175,7 +183,8 @@ export enum DynamicSecretProviders {
  MongoAtlas = "mongo-db-atlas",
  ElasticSearch = "elastic-search",
  MongoDB = "mongo-db",
-  RabbitMq = "rabbit-mq"
+  RabbitMq = "rabbit-mq",
+  AzureEntraID = "azure-entra-id"
 }

 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@ -187,7 +196,8 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
  z.object({ type: z.literal(DynamicSecretProviders.MongoAtlas), inputs: DynamicSecretMongoAtlasSchema }),
  z.object({ type: z.literal(DynamicSecretProviders.ElasticSearch), inputs: DynamicSecretElasticSearchSchema }),
  z.object({ type: z.literal(DynamicSecretProviders.MongoDB), inputs: DynamicSecretMongoDBSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.RabbitMq), inputs: DynamicSecretRabbitMqSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.RabbitMq), inputs: DynamicSecretRabbitMqSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.AzureEntraID), inputs: AzureEntraIDSchema })
 ]);

 export type TDynamicProviderFns = {
--- a/backend/src/ee/services/external-kms/external-kms-service.ts
+++ b/backend/src/ee/services/external-kms/external-kms-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";

-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@ -145,7 +145,7 @@ export const externalKmsServiceFactory = ({
    const kmsSlug = slug ? slugify(slug) : undefined;

    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
-    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+    if (!externalKmsDoc) throw new NotFoundError({ message: "External kms not found" });

    let sanitizedProviderInput = "";
    const { encryptor: orgDataKeyEncryptor, decryptor: orgDataKeyDecryptor } =
@ -220,7 +220,7 @@ export const externalKmsServiceFactory = ({
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Kms);

    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
-    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+    if (!externalKmsDoc) throw new NotFoundError({ message: "External kms not found" });

    const externalKms = await externalKmsDAL.transaction(async (tx) => {
      const kms = await kmsDAL.deleteById(kmsDoc.id, tx);
@ -258,7 +258,7 @@ export const externalKmsServiceFactory = ({
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Kms);

    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
-    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+    if (!externalKmsDoc) throw new NotFoundError({ message: "External kms not found" });

    const { decryptor: orgDataKeyDecryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.Organization,
@ -298,7 +298,7 @@ export const externalKmsServiceFactory = ({
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Kms);

    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
-    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+    if (!externalKmsDoc) throw new NotFoundError({ message: "External kms not found" });

    const { decryptor: orgDataKeyDecryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.Organization,
--- a/backend/src/ee/services/group/group-dal.ts
+++ b/backend/src/ee/services/group/group-dal.ts
@ -60,7 +60,7 @@ export const groupDALFactory = (db: TDbClient) => {
  };

  // special query
-  const findAllGroupMembers = async ({
+  const findAllGroupPossibleMembers = async ({
    orgId,
    groupId,
    offset = 0,
@ -125,7 +125,7 @@ export const groupDALFactory = (db: TDbClient) => {
  return {
    findGroups,
    findByOrgId,
-    findAllGroupMembers,
+    findAllGroupPossibleMembers,
    ...groupOrm
  };
 };
--- a/backend/src/ee/services/group/group-fns.ts
+++ b/backend/src/ee/services/group/group-fns.ts
@ -2,7 +2,7 @@ import { Knex } from "knex";

 import { SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
 import { decryptAsymmetric, encryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { BadRequestError, ScimRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, ScimRequestError } from "@app/lib/errors";

 import {
  TAddUsersToGroup,
@ -73,24 +73,24 @@ const addAcceptedUsersToGroup = async ({
      const ghostUser = await projectDAL.findProjectGhostUser(projectId, tx);

      if (!ghostUser) {
-        throw new BadRequestError({
-          message: "Failed to find sudo user"
+        throw new NotFoundError({
+          message: "Failed to find project owner"
        });
      }

      const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, projectId, tx);

      if (!ghostUserLatestKey) {
-        throw new BadRequestError({
-          message: "Failed to find sudo user latest key"
+        throw new NotFoundError({
+          message: "Failed to find project owner's latest key"
        });
      }

      const bot = await projectBotDAL.findOne({ projectId }, tx);

      if (!bot) {
-        throw new BadRequestError({
-          message: "Failed to find bot"
+        throw new NotFoundError({
+          message: "Failed to find project bot"
        });
      }

@ -200,7 +200,7 @@ export const addUsersToGroupByUserIds = async ({

    userIds.forEach((userId) => {
      if (!existingUserOrgMembershipsUserIdsSet.has(userId))
-        throw new BadRequestError({
+        throw new ForbiddenRequestError({
          message: `User with id ${userId} is not part of the organization`
        });
    });
@ -303,7 +303,7 @@ export const removeUsersFromGroupByUserIds = async ({

    userIds.forEach((userId) => {
      if (!existingUserGroupMembershipsUserIdsSet.has(userId))
-        throw new BadRequestError({
+        throw new ForbiddenRequestError({
          message: `User(s) are not part of the group ${group.slug}`
        });
    });
@ -415,7 +415,7 @@ export const convertPendingGroupAdditionsToGroupMemberships = async ({
    const usersUserIdsSet = new Set(users.map((u) => u.id));
    userIds.forEach((userId) => {
      if (!usersUserIdsSet.has(userId)) {
-        throw new BadRequestError({
+        throw new NotFoundError({
          message: `Failed to find user with id ${userId}`
        });
      }
--- a/backend/src/ee/services/group/group-service.ts
+++ b/backend/src/ee/services/group/group-service.ts
@ -3,7 +3,7 @@ import slugify from "@sindresorhus/slugify";

 import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
-import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@ -21,6 +21,7 @@ import {
  TAddUserToGroupDTO,
  TCreateGroupDTO,
  TDeleteGroupDTO,
+  TGetGroupByIdDTO,
  TListGroupUsersDTO,
  TRemoveUserFromGroupDTO,
  TUpdateGroupDTO
@ -29,7 +30,10 @@ import { TUserGroupMembershipDALFactory } from "./user-group-membership-dal";

 type TGroupServiceFactoryDep = {
  userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction" | "findOne">;
-  groupDAL: Pick<TGroupDALFactory, "create" | "findOne" | "update" | "delete" | "findAllGroupMembers">;
+  groupDAL: Pick<
+    TGroupDALFactory,
+    "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById"
+  >;
  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
  orgDAL: Pick<TOrgDALFactory, "findMembership" | "countAllOrgMembers">;
  userGroupMembershipDAL: Pick<
@ -58,7 +62,7 @@ export const groupServiceFactory = ({
  licenseService
 }: TGroupServiceFactoryDep) => {
  const createGroup = async ({ name, slug, role, actor, actorId, actorAuthMethod, actorOrgId }: TCreateGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });

    const { permission } = await permissionService.getOrgPermission(
      actor,
@ -81,7 +85,8 @@ export const groupServiceFactory = ({
    );
    const isCustomRole = Boolean(customRole);
    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, rolePermission);
-    if (!hasRequiredPriviledges) throw new BadRequestError({ message: "Failed to create a more privileged group" });
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });

    const group = await groupDAL.create({
      name,
@ -95,7 +100,7 @@ export const groupServiceFactory = ({
  };

  const updateGroup = async ({
-    currentSlug,
+    id,
    name,
    slug,
    role,
@ -104,7 +109,7 @@ export const groupServiceFactory = ({
    actorAuthMethod,
    actorOrgId
  }: TUpdateGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });

    const { permission } = await permissionService.getOrgPermission(
      actor,
@ -121,8 +126,10 @@ export const groupServiceFactory = ({
        message: "Failed to update group due to plan restrictio Upgrade plan to update group."
      });

-    const group = await groupDAL.findOne({ orgId: actorOrgId, slug: currentSlug });
-    if (!group) throw new BadRequestError({ message: `Failed to find group with slug ${currentSlug}` });
+    const group = await groupDAL.findOne({ orgId: actorOrgId, id });
+    if (!group) {
+      throw new NotFoundError({ message: `Failed to find group with ID ${id}` });
+    }

    let customRole: TOrgRoles | undefined;
    if (role) {
@ -134,14 +141,13 @@ export const groupServiceFactory = ({
      const isCustomRole = Boolean(customOrgRole);
      const hasRequiredNewRolePermission = isAtLeastAsPrivileged(permission, rolePermission);
      if (!hasRequiredNewRolePermission)
-        throw new BadRequestError({ message: "Failed to create a more privileged group" });
+        throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });
      if (isCustomRole) customRole = customOrgRole;
    }

    const [updatedGroup] = await groupDAL.update(
      {
-        orgId: actorOrgId,
-        slug: currentSlug
+        id: group.id
      },
      {
        name,
@ -158,8 +164,8 @@ export const groupServiceFactory = ({
    return updatedGroup;
  };

-  const deleteGroup = async ({ groupSlug, actor, actorId, actorAuthMethod, actorOrgId }: TDeleteGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+  const deleteGroup = async ({ id, actor, actorId, actorAuthMethod, actorOrgId }: TDeleteGroupDTO) => {
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });

    const { permission } = await permissionService.getOrgPermission(
      actor,
@ -178,15 +184,37 @@ export const groupServiceFactory = ({
      });

    const [group] = await groupDAL.delete({
-      orgId: actorOrgId,
-      slug: groupSlug
+      id,
+      orgId: actorOrgId
    });

    return group;
  };

+  const getGroupById = async ({ id, actor, actorId, actorAuthMethod, actorOrgId }: TGetGroupByIdDTO) => {
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Groups);
+
+    const group = await groupDAL.findById(id);
+    if (!group) {
+      throw new NotFoundError({
+        message: `Cannot find group with ID ${id}`
+      });
+    }
+
+    return group;
+  };
+
  const listGroupUsers = async ({
-    groupSlug,
+    id,
    offset,
    limit,
    username,
@ -195,7 +223,7 @@ export const groupServiceFactory = ({
    actorAuthMethod,
    actorOrgId
  }: TListGroupUsersDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });

    const { permission } = await permissionService.getOrgPermission(
      actor,
@ -208,15 +236,15 @@ export const groupServiceFactory = ({

    const group = await groupDAL.findOne({
      orgId: actorOrgId,
-      slug: groupSlug
+      id
    });

    if (!group)
-      throw new BadRequestError({
-        message: `Failed to find group with slug ${groupSlug}`
+      throw new NotFoundError({
+        message: `Failed to find group with ID ${id}`
      });

-    const users = await groupDAL.findAllGroupMembers({
+    const users = await groupDAL.findAllGroupPossibleMembers({
      orgId: group.orgId,
      groupId: group.id,
      offset,
@ -229,15 +257,8 @@ export const groupServiceFactory = ({
    return { users, totalCount: count };
  };

-  const addUserToGroup = async ({
-    groupSlug,
-    username,
-    actor,
-    actorId,
-    actorAuthMethod,
-    actorOrgId
-  }: TAddUserToGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+  const addUserToGroup = async ({ id, username, actor, actorId, actorAuthMethod, actorOrgId }: TAddUserToGroupDTO) => {
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });

    const { permission } = await permissionService.getOrgPermission(
      actor,
@ -251,12 +272,12 @@ export const groupServiceFactory = ({
    // check if group with slug exists
    const group = await groupDAL.findOne({
      orgId: actorOrgId,
-      slug: groupSlug
+      id
    });

    if (!group)
-      throw new BadRequestError({
-        message: `Failed to find group with slug ${groupSlug}`
+      throw new NotFoundError({
+        message: `Failed to find group with ID ${id}`
      });

    const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
@ -267,7 +288,7 @@ export const groupServiceFactory = ({
      throw new ForbiddenRequestError({ message: "Failed to add user to more privileged group" });

    const user = await userDAL.findOne({ username });
-    if (!user) throw new BadRequestError({ message: `Failed to find user with username ${username}` });
+    if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });

    const users = await addUsersToGroupByUserIds({
      group,
@ -285,14 +306,14 @@ export const groupServiceFactory = ({
  };

  const removeUserFromGroup = async ({
-    groupSlug,
+    id,
    username,
    actor,
    actorId,
    actorAuthMethod,
    actorOrgId
  }: TRemoveUserFromGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });

    const { permission } = await permissionService.getOrgPermission(
      actor,
@ -306,12 +327,12 @@ export const groupServiceFactory = ({
    // check if group with slug exists
    const group = await groupDAL.findOne({
      orgId: actorOrgId,
-      slug: groupSlug
+      id
    });

    if (!group)
-      throw new BadRequestError({
-        message: `Failed to find group with slug ${groupSlug}`
+      throw new NotFoundError({
+        message: `Failed to find group with ID ${id}`
      });

    const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
@ -322,7 +343,7 @@ export const groupServiceFactory = ({
      throw new ForbiddenRequestError({ message: "Failed to delete user from more privileged group" });

    const user = await userDAL.findOne({ username });
-    if (!user) throw new BadRequestError({ message: `Failed to find user with username ${username}` });
+    if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });

    const users = await removeUsersFromGroupByUserIds({
      group,
@ -342,6 +363,7 @@ export const groupServiceFactory = ({
    deleteGroup,
    listGroupUsers,
    addUserToGroup,
-    removeUserFromGroup
+    removeUserFromGroup,
+    getGroupById
  };
 };
--- a/backend/src/ee/services/group/group-types.ts
+++ b/backend/src/ee/services/group/group-types.ts
@ -17,7 +17,7 @@ export type TCreateGroupDTO = {
 } & TGenericPermission;

 export type TUpdateGroupDTO = {
-  currentSlug: string;
+  id: string;
 } & Partial<{
  name: string;
  slug: string;
@ -26,23 +26,27 @@ export type TUpdateGroupDTO = {
  TGenericPermission;

 export type TDeleteGroupDTO = {
-  groupSlug: string;
+  id: string;
+} & TGenericPermission;
+
+export type TGetGroupByIdDTO = {
+  id: string;
 } & TGenericPermission;

 export type TListGroupUsersDTO = {
-  groupSlug: string;
+  id: string;
  offset: number;
  limit: number;
  username?: string;
 } & TGenericPermission;

 export type TAddUserToGroupDTO = {
-  groupSlug: string;
+  id: string;
  username: string;
 } & TGenericPermission;

 export type TRemoveUserFromGroupDTO = {
-  groupSlug: string;
+  id: string;
  username: string;
 } & TGenericPermission;

--- a/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
@ -4,7 +4,7 @@ import ms from "ms";
 import { z } from "zod";

 import { isAtLeastAsPrivileged } from "@app/lib/casl";
-import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@ -71,12 +71,12 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    ...dto
  }: TCreateIdentityPrivilegeDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const projectId = project.id;

    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
-      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -143,12 +143,12 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    actorAuthMethod
  }: TUpdateIdentityPrivilegeDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const projectId = project.id;

    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
-      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -173,7 +173,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      slug,
      projectMembershipId: identityProjectMembership.id
    });
-    if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });
+    if (!identityPrivilege) throw new NotFoundError({ message: "Identity additional privilege not found" });
    if (data?.slug) {
      const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
        slug: data.slug,
@ -224,12 +224,12 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    actorAuthMethod
  }: TDeleteIdentityPrivilegeDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const projectId = project.id;

    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
-      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -254,7 +254,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      slug,
      projectMembershipId: identityProjectMembership.id
    });
-    if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });
+    if (!identityPrivilege) throw new NotFoundError({ message: "Identity additional privilege not found" });

    const deletedPrivilege = await identityProjectAdditionalPrivilegeDAL.deleteById(identityPrivilege.id);
    return {
@ -274,12 +274,12 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    actorAuthMethod
  }: TGetIdentityPrivilegeDetailsDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const projectId = project.id;

    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
-      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
@ -293,7 +293,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      slug,
      projectMembershipId: identityProjectMembership.id
    });
-    if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });
+    if (!identityPrivilege) throw new NotFoundError({ message: "Identity additional privilege not found" });

    return {
      ...identityPrivilege,
@ -310,12 +310,12 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    projectSlug
  }: TListIdentityPrivilegesDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const projectId = project.id;

    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
-      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@ -21,7 +21,7 @@ import {
  infisicalSymmetricDecrypt,
  infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TokenType } from "@app/services/auth-token/auth-token-types";
@ -253,7 +253,7 @@ export const ldapConfigServiceFactory = ({
    };

    const orgBot = await orgBotDAL.findOne({ orgId });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    if (!orgBot) throw new NotFoundError({ message: "Organization bot not found", name: "OrgBotNotFound" });
    const key = infisicalSymmetricDecrypt({
      ciphertext: orgBot.encryptedSymmetricKey,
      iv: orgBot.symmetricKeyIV,
@ -289,10 +289,10 @@ export const ldapConfigServiceFactory = ({

  const getLdapCfg = async (filter: { orgId: string; isActive?: boolean; id?: string }) => {
    const ldapConfig = await ldapConfigDAL.findOne(filter);
-    if (!ldapConfig) throw new BadRequestError({ message: "Failed to find organization LDAP data" });
+    if (!ldapConfig) throw new NotFoundError({ message: "Failed to find organization LDAP data" });

    const orgBot = await orgBotDAL.findOne({ orgId: ldapConfig.orgId });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    if (!orgBot) throw new NotFoundError({ message: "Organization bot not found", name: "OrgBotNotFound" });

    const key = infisicalSymmetricDecrypt({
      ciphertext: orgBot.encryptedSymmetricKey,
@ -375,7 +375,7 @@ export const ldapConfigServiceFactory = ({

  const bootLdap = async (organizationSlug: string) => {
    const organization = await orgDAL.findOne({ slug: organizationSlug });
-    if (!organization) throw new BadRequestError({ message: "Org not found" });
+    if (!organization) throw new NotFoundError({ message: "Organization not found" });

    const ldapConfig = await getLdapCfg({
      orgId: organization.id,
@ -420,7 +420,7 @@ export const ldapConfigServiceFactory = ({
    const serverCfg = await getServerCfg();

    if (serverCfg.enabledLoginMethods && !serverCfg.enabledLoginMethods.includes(LoginMethod.LDAP)) {
-      throw new BadRequestError({
+      throw new ForbiddenRequestError({
        message: "Login with LDAP is disabled by administrator."
      });
    }
@ -432,7 +432,7 @@ export const ldapConfigServiceFactory = ({
    });

    const organization = await orgDAL.findOrgById(orgId);
-    if (!organization) throw new BadRequestError({ message: "Org not found" });
+    if (!organization) throw new NotFoundError({ message: "Organization not found" });

    if (userAlias) {
      await userDAL.transaction(async (tx) => {
@ -700,7 +700,7 @@ export const ldapConfigServiceFactory = ({
      orgId
    });

-    if (!ldapConfig) throw new BadRequestError({ message: "Failed to find organization LDAP data" });
+    if (!ldapConfig) throw new NotFoundError({ message: "Failed to find organization LDAP data" });

    const groupMaps = await ldapGroupMapDAL.findLdapGroupMapsByLdapConfigId(ldapConfigId);

@ -741,13 +741,13 @@ export const ldapConfigServiceFactory = ({
    const groups = await searchGroups(ldapConfig, groupSearchFilter, ldapConfig.groupSearchBase);

    if (!groups.some((g) => g.cn === ldapGroupCN)) {
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: "Failed to find LDAP Group CN"
      });
    }

    const group = await groupDAL.findOne({ slug: groupSlug, orgId });
-    if (!group) throw new BadRequestError({ message: "Failed to find group" });
+    if (!group) throw new NotFoundError({ message: "Failed to find group" });

    const groupMap = await ldapGroupMapDAL.create({
      ldapConfigId,
@ -781,7 +781,7 @@ export const ldapConfigServiceFactory = ({
      orgId
    });

-    if (!ldapConfig) throw new BadRequestError({ message: "Failed to find organization LDAP data" });
+    if (!ldapConfig) throw new NotFoundError({ message: "Failed to find organization LDAP data" });

    const [deletedGroupMap] = await ldapGroupMapDAL.delete({
      ldapConfigId: ldapConfig.id,
--- a/backend/src/ee/services/license/license-service.ts
+++ b/backend/src/ee/services/license/license-service.ts
@ -10,7 +10,7 @@ import { Knex } from "knex";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { verifyOfflineLicense } from "@app/lib/crypto";
-import { BadRequestError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { TOrgDALFactory } from "@app/services/org/org-dal";

@ -145,7 +145,7 @@ export const licenseServiceFactory = ({
        if (cachedPlan) return JSON.parse(cachedPlan) as TFeatureSet;

        const org = await orgDAL.findOrgById(orgId);
-        if (!org) throw new BadRequestError({ message: "Org not found" });
+        if (!org) throw new NotFoundError({ message: "Organization not found" });
        const {
          data: { currentPlan }
        } = await licenseServerCloudApi.request.get<{ currentPlan: TFeatureSet }>(
@ -204,7 +204,7 @@ export const licenseServiceFactory = ({
  const updateSubscriptionOrgMemberCount = async (orgId: string, tx?: Knex) => {
    if (instanceType === InstanceType.Cloud) {
      const org = await orgDAL.findOrgById(orgId);
-      if (!org) throw new BadRequestError({ message: "Org not found" });
+      if (!org) throw new NotFoundError({ message: "Organization not found" });

      const quantity = await licenseDAL.countOfOrgMembers(orgId, tx);
      const quantityIdentities = await licenseDAL.countOrgUsersAndIdentities(orgId, tx);
@ -266,8 +266,8 @@ export const licenseServiceFactory = ({

    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
      });
    }

@ -294,8 +294,8 @@ export const licenseServiceFactory = ({

    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
      });
    }

@ -340,8 +340,8 @@ export const licenseServiceFactory = ({

    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
      });
    }
    const { data } = await licenseServerCloudApi.request.get(
@ -357,8 +357,8 @@ export const licenseServiceFactory = ({

    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
      });
    }
    const { data } = await licenseServerCloudApi.request.get(
@ -373,8 +373,8 @@ export const licenseServiceFactory = ({

    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
      });
    }

@ -398,8 +398,8 @@ export const licenseServiceFactory = ({

    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
      });
    }
    const { data } = await licenseServerCloudApi.request.patch(
@ -418,8 +418,8 @@ export const licenseServiceFactory = ({

    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
      });
    }

@ -445,8 +445,8 @@ export const licenseServiceFactory = ({

    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
      });
    }
    const {
@ -474,8 +474,8 @@ export const licenseServiceFactory = ({

    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
      });
    }

@ -491,8 +491,8 @@ export const licenseServiceFactory = ({

    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
      });
    }
    const {
@ -509,8 +509,8 @@ export const licenseServiceFactory = ({

    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
      });
    }

@ -530,8 +530,8 @@ export const licenseServiceFactory = ({

    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
      });
    }

@ -547,8 +547,8 @@ export const licenseServiceFactory = ({

    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
      });
    }

@ -564,8 +564,8 @@ export const licenseServiceFactory = ({

    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
      });
    }

--- a/backend/src/ee/services/oidc/oidc-config-service.ts
+++ b/backend/src/ee/services/oidc/oidc-config-service.ts
@ -17,7 +17,7 @@ import {
  infisicalSymmetricDecrypt,
  infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TokenType } from "@app/services/auth-token/auth-token-types";
@ -77,7 +77,7 @@ export const oidcConfigServiceFactory = ({
  const getOidc = async (dto: TGetOidcCfgDTO) => {
    const org = await orgDAL.findOne({ slug: dto.orgSlug });
    if (!org) {
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: "Organization not found",
        name: "OrgNotFound"
      });
@ -98,7 +98,7 @@ export const oidcConfigServiceFactory = ({
    });

    if (!oidcCfg) {
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: "Failed to find organization OIDC configuration"
      });
    }
@ -106,7 +106,7 @@ export const oidcConfigServiceFactory = ({
    // decrypt and return cfg
    const orgBot = await orgBotDAL.findOne({ orgId: oidcCfg.orgId });
    if (!orgBot) {
-      throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+      throw new NotFoundError({ message: "Organization bot not found", name: "OrgBotNotFound" });
    }

    const key = infisicalSymmetricDecrypt({
@ -160,7 +160,7 @@ export const oidcConfigServiceFactory = ({
    const serverCfg = await getServerCfg();

    if (serverCfg.enabledLoginMethods && !serverCfg.enabledLoginMethods.includes(LoginMethod.OIDC)) {
-      throw new BadRequestError({
+      throw new ForbiddenRequestError({
        message: "Login with OIDC is disabled by administrator."
      });
    }
@ -173,7 +173,7 @@ export const oidcConfigServiceFactory = ({
    });

    const organization = await orgDAL.findOrgById(orgId);
-    if (!organization) throw new BadRequestError({ message: "Org not found" });
+    if (!organization) throw new NotFoundError({ message: "Organization not found" });

    let user: TUsers;
    if (userAlias) {
@ -356,7 +356,7 @@ export const oidcConfigServiceFactory = ({
    });

    if (!org) {
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: "Organization not found"
      });
    }
@ -378,7 +378,7 @@ export const oidcConfigServiceFactory = ({
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Sso);

    const orgBot = await orgBotDAL.findOne({ orgId: org.id });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    if (!orgBot) throw new NotFoundError({ message: "Organization bot not found", name: "OrgBotNotFound" });
    const key = infisicalSymmetricDecrypt({
      ciphertext: orgBot.encryptedSymmetricKey,
      iv: orgBot.symmetricKeyIV,
@ -443,7 +443,7 @@ export const oidcConfigServiceFactory = ({
      slug: orgSlug
    });
    if (!org) {
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: "Organization not found"
      });
    }
@ -549,7 +549,7 @@ export const oidcConfigServiceFactory = ({
    });

    if (!org) {
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: "Organization not found."
      });
    }
@ -560,7 +560,7 @@ export const oidcConfigServiceFactory = ({
    });

    if (!oidcCfg || !oidcCfg.isActive) {
-      throw new BadRequestError({
+      throw new ForbiddenRequestError({
        message: "Failed to authenticate with OIDC SSO"
      });
    }
@ -617,7 +617,7 @@ export const oidcConfigServiceFactory = ({
        if (oidcCfg.allowedEmailDomains) {
          const allowedDomains = oidcCfg.allowedEmailDomains.split(", ");
          if (!allowedDomains.includes(claims.email.split("@")[1])) {
-            throw new BadRequestError({
+            throw new ForbiddenRequestError({
              message: "Email not allowed."
            });
          }
--- a/backend/src/ee/services/permission/org-permission.ts
+++ b/backend/src/ee/services/permission/org-permission.ts
@ -1,7 +1,5 @@
 import { AbilityBuilder, createMongoAbility, MongoAbility } from "@casl/ability";

-import { conditionsMatcher } from "@app/lib/casl";
-
 export enum OrgPermissionActions {
  Read = "read",
  Create = "create",
@ -27,7 +25,8 @@ export enum OrgPermissionSubjects {
  SecretScanning = "secret-scanning",
  Identity = "identity",
  Kms = "kms",
-  AdminConsole = "organization-admin-console"
+  AdminConsole = "organization-admin-console",
+  AuditLogs = "audit-logs"
 }

 export type OrgPermissionSet =
@ -45,10 +44,11 @@ export type OrgPermissionSet =
  | [OrgPermissionActions, OrgPermissionSubjects.Billing]
  | [OrgPermissionActions, OrgPermissionSubjects.Identity]
  | [OrgPermissionActions, OrgPermissionSubjects.Kms]
+  | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
  | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole];

 const buildAdminPermission = () => {
-  const { can, build } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
+  const { can, rules } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
  // ws permissions
  can(OrgPermissionActions.Read, OrgPermissionSubjects.Workspace);
  can(OrgPermissionActions.Create, OrgPermissionSubjects.Workspace);
@ -113,15 +113,20 @@ const buildAdminPermission = () => {
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Kms);
  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Kms);

+  can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
+  can(OrgPermissionActions.Create, OrgPermissionSubjects.AuditLogs);
+  can(OrgPermissionActions.Edit, OrgPermissionSubjects.AuditLogs);
+  can(OrgPermissionActions.Delete, OrgPermissionSubjects.AuditLogs);
+
  can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);

-  return build({ conditionsMatcher });
+  return rules;
 };

 export const orgAdminPermissions = buildAdminPermission();

 const buildMemberPermission = () => {
-  const { can, build } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
+  const { can, rules } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);

  can(OrgPermissionActions.Read, OrgPermissionSubjects.Workspace);
  can(OrgPermissionActions.Create, OrgPermissionSubjects.Workspace);
@ -142,14 +147,16 @@ const buildMemberPermission = () => {
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Identity);

-  return build({ conditionsMatcher });
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
+
+  return rules;
 };

 export const orgMemberPermissions = buildMemberPermission();

 const buildNoAccessPermission = () => {
-  const { build } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
-  return build({ conditionsMatcher });
+  const { rules } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
+  return rules;
 };

 export const orgNoAccessPermissions = buildNoAccessPermission();
--- a/backend/src/ee/services/permission/permission-dal.ts
+++ b/backend/src/ee/services/permission/permission-dal.ts
@ -1,7 +1,13 @@
 import { z } from "zod";

 import { TDbClient } from "@app/db";
-import { IdentityProjectMembershipRoleSchema, ProjectUserMembershipRolesSchema, TableName } from "@app/db/schemas";
+import {
+  IdentityProjectMembershipRoleSchema,
+  OrgMembershipsSchema,
+  TableName,
+  TProjectRoles,
+  TProjects
+} from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";

@ -10,18 +16,92 @@ export type TPermissionDALFactory = ReturnType<typeof permissionDALFactory>;
 export const permissionDALFactory = (db: TDbClient) => {
  const getOrgPermission = async (userId: string, orgId: string) => {
    try {
+      const groupSubQuery = db(TableName.Groups)
+        .where(`${TableName.Groups}.orgId`, orgId)
+        .join(TableName.UserGroupMembership, (queryBuilder) => {
+          queryBuilder
+            .on(`${TableName.UserGroupMembership}.groupId`, `${TableName.Groups}.id`)
+            .andOn(`${TableName.UserGroupMembership}.userId`, db.raw("?", [userId]));
+        })
+        .leftJoin(TableName.OrgRoles, `${TableName.Groups}.roleId`, `${TableName.OrgRoles}.id`)
+        .select(
+          db.ref("id").withSchema(TableName.Groups).as("groupId"),
+          db.ref("orgId").withSchema(TableName.Groups).as("groupOrgId"),
+          db.ref("name").withSchema(TableName.Groups).as("groupName"),
+          db.ref("slug").withSchema(TableName.Groups).as("groupSlug"),
+          db.ref("role").withSchema(TableName.Groups).as("groupRole"),
+          db.ref("roleId").withSchema(TableName.Groups).as("groupRoleId"),
+          db.ref("createdAt").withSchema(TableName.Groups).as("groupCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.Groups).as("groupUpdatedAt"),
+          db.ref("permissions").withSchema(TableName.OrgRoles).as("groupCustomRolePermission")
+        );
+
      const membership = await db
        .replicaNode()(TableName.OrgMembership)
-        .leftJoin(TableName.OrgRoles, `${TableName.OrgMembership}.roleId`, `${TableName.OrgRoles}.id`)
-        .join(TableName.Organization, `${TableName.OrgMembership}.orgId`, `${TableName.Organization}.id`)
-        .where("userId", userId)
        .where(`${TableName.OrgMembership}.orgId`, orgId)
-        .select(db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"))
-        .select("permissions")
-        .select(selectAllTableCols(TableName.OrgMembership))
-        .first();
+        .where(`${TableName.OrgMembership}.userId`, userId)
+        .leftJoin(TableName.OrgRoles, `${TableName.OrgRoles}.id`, `${TableName.OrgMembership}.roleId`)
+        .leftJoin<Awaited<typeof groupSubQuery>[0]>(
+          groupSubQuery.as("userGroups"),
+          "userGroups.groupOrgId",
+          db.raw("?", [orgId])
+        )
+        .join(TableName.Organization, `${TableName.Organization}.id`, `${TableName.OrgMembership}.orgId`)
+        .select(
+          selectAllTableCols(TableName.OrgMembership),
+          db.ref("slug").withSchema(TableName.OrgRoles).withSchema(TableName.OrgRoles).as("customRoleSlug"),
+          db.ref("permissions").withSchema(TableName.OrgRoles),
+          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
+          db.ref("groupId").withSchema("userGroups"),
+          db.ref("groupOrgId").withSchema("userGroups"),
+          db.ref("groupName").withSchema("userGroups"),
+          db.ref("groupSlug").withSchema("userGroups"),
+          db.ref("groupRole").withSchema("userGroups"),
+          db.ref("groupRoleId").withSchema("userGroups"),
+          db.ref("groupCreatedAt").withSchema("userGroups"),
+          db.ref("groupUpdatedAt").withSchema("userGroups"),
+          db.ref("groupCustomRolePermission").withSchema("userGroups")
+        );

-      return membership;
+      const [formatedDoc] = sqlNestRelationships({
+        data: membership,
+        key: "id",
+        parentMapper: (el) =>
+          OrgMembershipsSchema.extend({
+            permissions: z.unknown(),
+            orgAuthEnforced: z.boolean().optional().nullable(),
+            customRoleSlug: z.string().optional().nullable()
+          }).parse(el),
+        childrenMapper: [
+          {
+            key: "groupId",
+            label: "groups" as const,
+            mapper: ({
+              groupId,
+              groupUpdatedAt,
+              groupCreatedAt,
+              groupRole,
+              groupRoleId,
+              groupCustomRolePermission,
+              groupName,
+              groupSlug,
+              groupOrgId
+            }) => ({
+              id: groupId,
+              updatedAt: groupUpdatedAt,
+              createdAt: groupCreatedAt,
+              role: groupRole,
+              roleId: groupRoleId,
+              customRolePermission: groupCustomRolePermission,
+              name: groupName,
+              slug: groupSlug,
+              orgId: groupOrgId
+            })
+          }
+        ]
+      });
+
+      return formatedDoc;
    } catch (error) {
      throw new DatabaseError({ error, name: "GetOrgPermission" });
    }
@ -47,74 +127,31 @@ export const permissionDALFactory = (db: TDbClient) => {

  const getProjectPermission = async (userId: string, projectId: string) => {
    try {
-      const groups: string[] = await db
-        .replicaNode()(TableName.GroupProjectMembership)
-        .where(`${TableName.GroupProjectMembership}.projectId`, projectId)
-        .pluck(`${TableName.GroupProjectMembership}.groupId`);
-
-      const groupDocs = await db
-        .replicaNode()(TableName.UserGroupMembership)
-        .where(`${TableName.UserGroupMembership}.userId`, userId)
-        .whereIn(`${TableName.UserGroupMembership}.groupId`, groups)
-        .join(
-          TableName.GroupProjectMembership,
-          `${TableName.GroupProjectMembership}.groupId`,
-          `${TableName.UserGroupMembership}.groupId`
-        )
-        .join(
+      const docs = await db
+        .replicaNode()(TableName.Users)
+        .where(`${TableName.Users}.id`, userId)
+        .leftJoin(TableName.UserGroupMembership, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
+        .leftJoin(TableName.GroupProjectMembership, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.GroupProjectMembership}.projectId`, db.raw("?", [projectId]))
+            .andOn(`${TableName.GroupProjectMembership}.groupId`, `${TableName.UserGroupMembership}.groupId`);
+        })
+        .leftJoin(
          TableName.GroupProjectMembershipRole,
          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
          `${TableName.GroupProjectMembership}.id`
        )
-
-        .leftJoin(
-          TableName.ProjectRoles,
+        .leftJoin<TProjectRoles>(
+          { groupCustomRoles: TableName.ProjectRoles },
          `${TableName.GroupProjectMembershipRole}.customRoleId`,
-          `${TableName.ProjectRoles}.id`
+          `groupCustomRoles.id`
        )
-        .join(TableName.Project, `${TableName.GroupProjectMembership}.projectId`, `${TableName.Project}.id`)
-        .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
-
+        .leftJoin(TableName.ProjectMembership, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.ProjectMembership}.projectId`, db.raw("?", [projectId]))
+            .andOn(`${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`);
+        })
        .leftJoin(
-          TableName.ProjectUserAdditionalPrivilege,
-          `${TableName.GroupProjectMembership}.projectId`,
-          `${TableName.Project}.id`
-        )
-        .select(selectAllTableCols(TableName.GroupProjectMembershipRole))
-        .select(
-          db.ref("id").withSchema(TableName.GroupProjectMembership).as("membershipId"),
-          db.ref("createdAt").withSchema(TableName.GroupProjectMembership).as("membershipCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.GroupProjectMembership).as("membershipUpdatedAt"),
-          db.ref("projectId").withSchema(TableName.GroupProjectMembership),
-          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
-          db.ref("orgId").withSchema(TableName.Project),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
-
-          db.ref("permissions").withSchema(TableName.ProjectRoles).as("permissions"),
-          // db.ref("permissions").withSchema(TableName.ProjectUserAdditionalPrivilege).as("apPermissions")
-          // Additional Privileges
-          db.ref("id").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApId"),
-          db.ref("permissions").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApPermissions"),
-          db.ref("temporaryMode").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApTemporaryMode"),
-          db.ref("isTemporary").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApIsTemporary"),
-          db.ref("temporaryRange").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApTemporaryRange"),
-
-          db.ref("projectId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApProjectId"),
-          db.ref("userId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApUserId"),
-
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userApTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userApTemporaryAccessEndTime")
-        );
-      // .select(`${TableName.ProjectRoles}.permissions`);
-
-      const docs = await db(TableName.ProjectMembership)
-        .join(
          TableName.ProjectUserMembershipRole,
          `${TableName.ProjectUserMembershipRole}.projectMembershipId`,
          `${TableName.ProjectMembership}.id`
@ -124,176 +161,229 @@ export const permissionDALFactory = (db: TDbClient) => {
          `${TableName.ProjectUserMembershipRole}.customRoleId`,
          `${TableName.ProjectRoles}.id`
        )
-        .leftJoin(
-          TableName.ProjectUserAdditionalPrivilege,
-          `${TableName.ProjectUserAdditionalPrivilege}.projectId`,
-          `${TableName.ProjectMembership}.projectId`
-        )
-
-        .join(TableName.Project, `${TableName.ProjectMembership}.projectId`, `${TableName.Project}.id`)
+        .leftJoin(TableName.ProjectUserAdditionalPrivilege, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.ProjectUserAdditionalPrivilege}.projectId`, db.raw("?", [projectId]))
+            .andOn(`${TableName.ProjectUserAdditionalPrivilege}.userId`, `${TableName.Users}.id`);
+        })
+        .join<TProjects>(TableName.Project, `${TableName.Project}.id`, db.raw("?", [projectId]))
        .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
-        .where(`${TableName.ProjectMembership}.userId`, userId)
-        .where(`${TableName.ProjectMembership}.projectId`, projectId)
-        .select(selectAllTableCols(TableName.ProjectUserMembershipRole))
        .select(
+          db.ref("id").withSchema(TableName.Users).as("userId"),
+          // groups specific
+          db.ref("id").withSchema(TableName.GroupProjectMembership).as("groupMembershipId"),
+          db.ref("createdAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipUpdatedAt"),
+          db.ref("slug").withSchema("groupCustomRoles").as("userGroupProjectMembershipRoleCustomRoleSlug"),
+          db.ref("permissions").withSchema("groupCustomRoles").as("userGroupProjectMembershipRolePermission"),
+          db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRoleId"),
+          db.ref("role").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRole"),
+          db
+            .ref("customRoleId")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleCustomRoleId"),
+          db
+            .ref("isTemporary")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleIsTemporary"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryMode"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryRange"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryAccessEndTime"),
+          // user specific
          db.ref("id").withSchema(TableName.ProjectMembership).as("membershipId"),
          db.ref("createdAt").withSchema(TableName.ProjectMembership).as("membershipCreatedAt"),
          db.ref("updatedAt").withSchema(TableName.ProjectMembership).as("membershipUpdatedAt"),
-          db.ref("projectId").withSchema(TableName.ProjectMembership),
-          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
-          db.ref("orgId").withSchema(TableName.Project),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
-          db.ref("permissions").withSchema(TableName.ProjectRoles),
-          db.ref("id").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApId"),
-          db.ref("permissions").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApPermissions"),
-          db.ref("temporaryMode").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApTemporaryMode"),
-          db.ref("isTemporary").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApIsTemporary"),
-          db.ref("temporaryRange").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApTemporaryRange"),
-
-          db.ref("projectId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApProjectId"),
-          db.ref("userId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApUserId"),
-
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("userProjectMembershipRoleCustomRoleSlug"),
+          db.ref("permissions").withSchema(TableName.ProjectRoles).as("userProjectCustomRolePermission"),
+          db.ref("id").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRoleId"),
+          db.ref("role").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRole"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryMode"),
+          db
+            .ref("isTemporary")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleIsTemporary"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryRange"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryAccessEndTime"),
+          db.ref("id").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesId"),
+          db
+            .ref("permissions")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesPermissions"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesTemporaryMode"),
+          db
+            .ref("isTemporary")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesIsTemporary"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesTemporaryRange"),
+          db.ref("userId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesUserId"),
          db
            .ref("temporaryAccessStartTime")
            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userApTemporaryAccessStartTime"),
+            .as("userAdditionalPrivilegesTemporaryAccessStartTime"),
          db
            .ref("temporaryAccessEndTime")
            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userApTemporaryAccessEndTime")
+            .as("userAdditionalPrivilegesTemporaryAccessEndTime"),
+          // general
+          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
+          db.ref("orgId").withSchema(TableName.Project),
+          db.ref("id").withSchema(TableName.Project).as("projectId")
        );

-      const permission = sqlNestRelationships({
+      const [userPermission] = sqlNestRelationships({
        data: docs,
        key: "projectId",
-        parentMapper: ({ orgId, orgAuthEnforced, membershipId, membershipCreatedAt, membershipUpdatedAt }) => ({
+        parentMapper: ({
+          orgId,
+          orgAuthEnforced,
+          membershipId,
+          groupMembershipId,
+          membershipCreatedAt,
+          groupMembershipCreatedAt,
+          groupMembershipUpdatedAt,
+          membershipUpdatedAt
+        }) => ({
          orgId,
          orgAuthEnforced,
          userId,
-          id: membershipId,
          projectId,
-          createdAt: membershipCreatedAt,
-          updatedAt: membershipUpdatedAt
+          id: membershipId || groupMembershipId,
+          createdAt: membershipCreatedAt || groupMembershipCreatedAt,
+          updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt
        }),
        childrenMapper: [
          {
-            key: "id",
-            label: "roles" as const,
-            mapper: (data) =>
-              ProjectUserMembershipRolesSchema.extend({
-                permissions: z.unknown(),
-                customRoleSlug: z.string().optional().nullable()
-              }).parse(data)
+            key: "userGroupProjectMembershipRoleId",
+            label: "userGroupRoles" as const,
+            mapper: ({
+              userGroupProjectMembershipRoleId,
+              userGroupProjectMembershipRole,
+              userGroupProjectMembershipRolePermission,
+              userGroupProjectMembershipRoleCustomRoleSlug,
+              userGroupProjectMembershipRoleIsTemporary,
+              userGroupProjectMembershipRoleTemporaryMode,
+              userGroupProjectMembershipRoleTemporaryAccessEndTime,
+              userGroupProjectMembershipRoleTemporaryAccessStartTime,
+              userGroupProjectMembershipRoleTemporaryRange
+            }) => ({
+              id: userGroupProjectMembershipRoleId,
+              role: userGroupProjectMembershipRole,
+              customRoleSlug: userGroupProjectMembershipRoleCustomRoleSlug,
+              permissions: userGroupProjectMembershipRolePermission,
+              temporaryRange: userGroupProjectMembershipRoleTemporaryRange,
+              temporaryMode: userGroupProjectMembershipRoleTemporaryMode,
+              temporaryAccessStartTime: userGroupProjectMembershipRoleTemporaryAccessStartTime,
+              temporaryAccessEndTime: userGroupProjectMembershipRoleTemporaryAccessEndTime,
+              isTemporary: userGroupProjectMembershipRoleIsTemporary
+            })
          },
          {
-            key: "userApId",
+            key: "userProjectMembershipRoleId",
+            label: "projecMembershiptRoles" as const,
+            mapper: ({
+              userProjectMembershipRoleId,
+              userProjectMembershipRole,
+              userProjectCustomRolePermission,
+              userProjectMembershipRoleIsTemporary,
+              userProjectMembershipRoleTemporaryMode,
+              userProjectMembershipRoleTemporaryRange,
+              userProjectMembershipRoleTemporaryAccessEndTime,
+              userProjectMembershipRoleTemporaryAccessStartTime,
+              userProjectMembershipRoleCustomRoleSlug
+            }) => ({
+              id: userProjectMembershipRoleId,
+              role: userProjectMembershipRole,
+              customRoleSlug: userProjectMembershipRoleCustomRoleSlug,
+              permissions: userProjectCustomRolePermission,
+              temporaryRange: userProjectMembershipRoleTemporaryRange,
+              temporaryMode: userProjectMembershipRoleTemporaryMode,
+              temporaryAccessStartTime: userProjectMembershipRoleTemporaryAccessStartTime,
+              temporaryAccessEndTime: userProjectMembershipRoleTemporaryAccessEndTime,
+              isTemporary: userProjectMembershipRoleIsTemporary
+            })
+          },
+          {
+            key: "userAdditionalPrivilegesId",
            label: "additionalPrivileges" as const,
            mapper: ({
-              userApId,
-              userApPermissions,
-              userApIsTemporary,
-              userApTemporaryMode,
-              userApTemporaryRange,
-              userApTemporaryAccessEndTime,
-              userApTemporaryAccessStartTime
+              userAdditionalPrivilegesId,
+              userAdditionalPrivilegesPermissions,
+              userAdditionalPrivilegesIsTemporary,
+              userAdditionalPrivilegesTemporaryMode,
+              userAdditionalPrivilegesTemporaryRange,
+              userAdditionalPrivilegesTemporaryAccessEndTime,
+              userAdditionalPrivilegesTemporaryAccessStartTime
            }) => ({
-              id: userApId,
-              permissions: userApPermissions,
-              temporaryRange: userApTemporaryRange,
-              temporaryMode: userApTemporaryMode,
-              temporaryAccessEndTime: userApTemporaryAccessEndTime,
-              temporaryAccessStartTime: userApTemporaryAccessStartTime,
-              isTemporary: userApIsTemporary
+              id: userAdditionalPrivilegesId,
+              permissions: userAdditionalPrivilegesPermissions,
+              temporaryRange: userAdditionalPrivilegesTemporaryRange,
+              temporaryMode: userAdditionalPrivilegesTemporaryMode,
+              temporaryAccessStartTime: userAdditionalPrivilegesTemporaryAccessStartTime,
+              temporaryAccessEndTime: userAdditionalPrivilegesTemporaryAccessEndTime,
+              isTemporary: userAdditionalPrivilegesIsTemporary
            })
          }
        ]
      });

-      const groupPermission = groupDocs.length
-        ? sqlNestRelationships({
-            data: groupDocs,
-            key: "projectId",
-            parentMapper: ({ orgId, orgAuthEnforced, membershipId, membershipCreatedAt, membershipUpdatedAt }) => ({
-              orgId,
-              orgAuthEnforced,
-              userId,
-              id: membershipId,
-              projectId,
-              createdAt: membershipCreatedAt,
-              updatedAt: membershipUpdatedAt
-            }),
-            childrenMapper: [
-              {
-                key: "id",
-                label: "roles" as const,
-                mapper: (data) =>
-                  ProjectUserMembershipRolesSchema.extend({
-                    permissions: z.unknown(),
-                    customRoleSlug: z.string().optional().nullable()
-                  }).parse(data)
-              },
-              {
-                key: "userApId",
-                label: "additionalPrivileges" as const,
-                mapper: ({
-                  userApId,
-                  userApProjectId,
-                  userApUserId,
-                  userApPermissions,
-                  userApIsTemporary,
-                  userApTemporaryMode,
-                  userApTemporaryRange,
-                  userApTemporaryAccessEndTime,
-                  userApTemporaryAccessStartTime
-                }) => ({
-                  id: userApId,
-                  userId: userApUserId,
-                  projectId: userApProjectId,
-                  permissions: userApPermissions,
-                  temporaryRange: userApTemporaryRange,
-                  temporaryMode: userApTemporaryMode,
-                  temporaryAccessEndTime: userApTemporaryAccessEndTime,
-                  temporaryAccessStartTime: userApTemporaryAccessStartTime,
-                  isTemporary: userApIsTemporary
-                })
-              }
-            ]
-          })
-        : [];
-
-      if (!permission?.[0] && !groupPermission[0]) return undefined;
+      if (!userPermission) return undefined;
+      if (!userPermission?.userGroupRoles?.[0] && !userPermission?.projecMembershiptRoles?.[0]) return undefined;

      // when introducting cron mode change it here
      const activeRoles =
-        permission?.[0]?.roles?.filter(
+        userPermission?.projecMembershiptRoles?.filter(
          ({ isTemporary, temporaryAccessEndTime }) =>
            !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
        ) ?? [];

      const activeGroupRoles =
-        groupPermission?.[0]?.roles?.filter(
+        userPermission?.userGroupRoles?.filter(
          ({ isTemporary, temporaryAccessEndTime }) =>
            !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
        ) ?? [];

      const activeAdditionalPrivileges =
-        permission?.[0]?.additionalPrivileges?.filter(
+        userPermission?.additionalPrivileges?.filter(
          ({ isTemporary, temporaryAccessEndTime }) =>
            !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
        ) ?? [];

-      const activeGroupAdditionalPrivileges =
-        groupPermission?.[0]?.additionalPrivileges?.filter(
-          ({ isTemporary, temporaryAccessEndTime, userId: apUserId, projectId: apProjectId }) =>
-            apProjectId === projectId &&
-            apUserId === userId &&
-            (!isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime))
-        ) ?? [];
-
      return {
-        ...(permission[0] || groupPermission[0]),
+        ...userPermission,
        roles: [...activeRoles, ...activeGroupRoles],
-        additionalPrivileges: [...activeAdditionalPrivileges, ...activeGroupAdditionalPrivileges]
+        additionalPrivileges: activeAdditionalPrivileges
      };
    } catch (error) {
      throw new DatabaseError({ error, name: "GetProjectPermission" });
--- a/backend/src/ee/services/permission/permission-fns.ts
+++ b/backend/src/ee/services/permission/permission-fns.ts
@ -1,5 +1,5 @@
 import { TOrganizations } from "@app/db/schemas";
-import { UnauthorizedError } from "@app/lib/errors";
+import { ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { ActorAuthMethod, AuthMethod } from "@app/services/auth/auth-type";

 function isAuthMethodSaml(actorAuthMethod: ActorAuthMethod) {
@ -20,7 +20,7 @@ function validateOrgSAML(actorAuthMethod: ActorAuthMethod, isSamlEnforced: TOrga
  }

  if (isSamlEnforced && actorAuthMethod !== null && !isAuthMethodSaml(actorAuthMethod)) {
-    throw new UnauthorizedError({ name: "Cannot access org-scoped resource" });
+    throw new ForbiddenRequestError({ name: "SAML auth enforced, cannot access org-scoped resource" });
  }
 }

--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@ -10,7 +10,7 @@ import {
  TProjectMemberships
 } from "@app/db/schemas";
 import { conditionsMatcher } from "@app/lib/casl";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TOrgRoleDALFactory } from "@app/services/org/org-role-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@ -20,7 +20,7 @@ import { TServiceTokenDALFactory } from "@app/services/service-token/service-tok
 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
 import { validateOrgSAML } from "./permission-fns";
-import { TBuildProjectPermissionDTO } from "./permission-types";
+import { TBuildOrgPermissionDTO, TBuildProjectPermissionDTO } from "./permission-types";
 import {
  buildServiceTokenProjectPermission,
  projectAdminPermissions,
@ -47,26 +47,29 @@ export const permissionServiceFactory = ({
  serviceTokenDAL,
  projectDAL
 }: TPermissionServiceFactoryDep) => {
-  const buildOrgPermission = (role: string, permission?: unknown) => {
-    switch (role) {
-      case OrgMembershipRole.Admin:
-        return orgAdminPermissions;
-      case OrgMembershipRole.Member:
-        return orgMemberPermissions;
-      case OrgMembershipRole.NoAccess:
-        return orgNoAccessPermissions;
-      case OrgMembershipRole.Custom:
-        return createMongoAbility<OrgPermissionSet>(
-          unpackRules<RawRuleOf<MongoAbility<OrgPermissionSet>>>(
-            permission as PackRule<RawRuleOf<MongoAbility<OrgPermissionSet>>>[]
-          ),
-          {
-            conditionsMatcher
-          }
-        );
-      default:
-        throw new BadRequestError({ name: "OrgRoleInvalid", message: "Org role not found" });
-    }
+  const buildOrgPermission = (orgUserRoles: TBuildOrgPermissionDTO) => {
+    const rules = orgUserRoles
+      .map(({ role, permissions }) => {
+        switch (role) {
+          case OrgMembershipRole.Admin:
+            return orgAdminPermissions;
+          case OrgMembershipRole.Member:
+            return orgMemberPermissions;
+          case OrgMembershipRole.NoAccess:
+            return orgNoAccessPermissions;
+          case OrgMembershipRole.Custom:
+            return unpackRules<RawRuleOf<MongoAbility<OrgPermissionSet>>>(
+              permissions as PackRule<RawRuleOf<MongoAbility<OrgPermissionSet>>>[]
+            );
+          default:
+            throw new NotFoundError({ name: "OrgRoleInvalid", message: "Organization role not found" });
+        }
+      })
+      .reduce((curr, prev) => prev.concat(curr), []);
+
+    return createMongoAbility<OrgPermissionSet>(rules, {
+      conditionsMatcher
+    });
  };

  const buildProjectPermission = (projectUserRoles: TBuildProjectPermissionDTO) => {
@ -87,7 +90,7 @@ export const permissionServiceFactory = ({
            );
          }
          default:
-            throw new BadRequestError({
+            throw new NotFoundError({
              name: "ProjectRoleInvalid",
              message: "Project role not found"
            });
@ -111,11 +114,11 @@ export const permissionServiceFactory = ({
  ) => {
    // when token is scoped, ensure the passed org id is same as user org id
    if (userOrgId && userOrgId !== orgId)
-      throw new BadRequestError({ message: "Invalid user token. Scoped to different organization." });
+      throw new ForbiddenRequestError({ message: "Invalid user token. Scoped to different organization." });
    const membership = await permissionDAL.getOrgPermission(userId, orgId);
-    if (!membership) throw new UnauthorizedError({ name: "User not in org" });
+    if (!membership) throw new ForbiddenRequestError({ name: "You are not apart of this organization" });
    if (membership.role === OrgMembershipRole.Custom && !membership.permissions) {
-      throw new BadRequestError({ name: "Custom permission not found" });
+      throw new BadRequestError({ name: "Custom organization permission not found" });
    }

    // If the org ID is API_KEY, the request is being made with an API Key.
@ -124,21 +127,30 @@ export const permissionServiceFactory = ({
    // Extra: This means that when users are using API keys to make requests, they can't use slug-based routes.
    // Slug-based routes depend on the organization ID being present on the request, since project slugs aren't globally unique, and we need a way to filter by organization.
    if (userOrgId !== "API_KEY" && membership.orgId !== userOrgId) {
-      throw new UnauthorizedError({ name: "You are not logged into this organization" });
+      throw new ForbiddenRequestError({ name: "You are not logged into this organization" });
    }

    validateOrgSAML(authMethod, membership.orgAuthEnforced);

-    return { permission: buildOrgPermission(membership.role, membership.permissions), membership };
+    const finalPolicyRoles = [{ role: membership.role, permissions: membership.permissions }].concat(
+      membership?.groups?.map(({ role, customRolePermission }) => ({
+        role,
+        permissions: customRolePermission
+      })) || []
+    );
+    return { permission: buildOrgPermission(finalPolicyRoles), membership };
  };

  const getIdentityOrgPermission = async (identityId: string, orgId: string) => {
    const membership = await permissionDAL.getOrgIdentityPermission(identityId, orgId);
-    if (!membership) throw new UnauthorizedError({ name: "Identity not in org" });
+    if (!membership) throw new ForbiddenRequestError({ name: "Identity is not apart of this organization" });
    if (membership.role === OrgMembershipRole.Custom && !membership.permissions) {
-      throw new BadRequestError({ name: "Custom permission not found" });
+      throw new NotFoundError({ name: "Custom organization permission not found" });
    }
-    return { permission: buildOrgPermission(membership.role, membership.permissions), membership };
+    return {
+      permission: buildOrgPermission([{ role: membership.role, permissions: membership.permissions }]),
+      membership
+    };
  };

  const getOrgPermission = async (
@ -154,8 +166,8 @@ export const permissionServiceFactory = ({
      case ActorType.IDENTITY:
        return getIdentityOrgPermission(id, orgId);
      default:
-        throw new UnauthorizedError({
-          message: "Permission not defined",
+        throw new BadRequestError({
+          message: "Invalid actor provided",
          name: "Get org permission"
        });
    }
@ -167,13 +179,13 @@ export const permissionServiceFactory = ({
    const isCustomRole = !Object.values(OrgMembershipRole).includes(role as OrgMembershipRole);
    if (isCustomRole) {
      const orgRole = await orgRoleDAL.findOne({ slug: role, orgId });
-      if (!orgRole) throw new BadRequestError({ message: "Role not found" });
+      if (!orgRole) throw new NotFoundError({ message: "Specified role was not found" });
      return {
-        permission: buildOrgPermission(OrgMembershipRole.Custom, orgRole.permissions),
+        permission: buildOrgPermission([{ role: OrgMembershipRole.Custom, permissions: orgRole.permissions }]),
        role: orgRole
      };
    }
-    return { permission: buildOrgPermission(role, []) };
+    return { permission: buildOrgPermission([{ role, permissions: [] }]) };
  };

  // user permission for a project in an organization
@ -184,12 +196,12 @@ export const permissionServiceFactory = ({
    userOrgId?: string
  ): Promise<TProjectPermissionRT<ActorType.USER>> => {
    const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
-    if (!userProjectPermission) throw new UnauthorizedError({ name: "User not in project" });
+    if (!userProjectPermission) throw new ForbiddenRequestError({ name: "User not a part of the specified project" });

    if (
      userProjectPermission.roles.some(({ role, permissions }) => role === ProjectMembershipRole.Custom && !permissions)
    ) {
-      throw new BadRequestError({ name: "Custom permission not found" });
+      throw new NotFoundError({ name: "The permission was not found" });
    }

    // If the org ID is API_KEY, the request is being made with an API Key.
@ -198,7 +210,7 @@ export const permissionServiceFactory = ({
    // Extra: This means that when users are using API keys to make requests, they can't use slug-based routes.
    // Slug-based routes depend on the organization ID being present on the request, since project slugs aren't globally unique, and we need a way to filter by organization.
    if (userOrgId !== "API_KEY" && userProjectPermission.orgId !== userOrgId) {
-      throw new UnauthorizedError({ name: "You are not logged into this organization" });
+      throw new ForbiddenRequestError({ name: "You are not logged into this organization" });
    }

    validateOrgSAML(authMethod, userProjectPermission.orgAuthEnforced);
@ -227,18 +239,19 @@ export const permissionServiceFactory = ({
    identityOrgId: string | undefined
  ): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
    const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
-    if (!identityProjectPermission) throw new UnauthorizedError({ name: "Identity not in project" });
+    if (!identityProjectPermission)
+      throw new ForbiddenRequestError({ name: "Identity is not a member of the specified project" });

    if (
      identityProjectPermission.roles.some(
        ({ role, permissions }) => role === ProjectMembershipRole.Custom && !permissions
      )
    ) {
-      throw new BadRequestError({ name: "Custom permission not found" });
+      throw new NotFoundError({ name: "Custom permission not found" });
    }

    if (identityProjectPermission.orgId !== identityOrgId) {
-      throw new UnauthorizedError({ name: "You are not a member of this organization" });
+      throw new ForbiddenRequestError({ name: "Identity is not a member of the specified organization" });
    }

    const rolePermissions =
@ -265,25 +278,23 @@ export const permissionServiceFactory = ({
    actorOrgId: string | undefined
  ) => {
    const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
-    if (!serviceToken) throw new BadRequestError({ message: "Service token not found" });
+    if (!serviceToken) throw new NotFoundError({ message: "Service token not found" });

    const serviceTokenProject = await projectDAL.findById(serviceToken.projectId);

    if (!serviceTokenProject) throw new BadRequestError({ message: "Service token not linked to a project" });

    if (serviceTokenProject.orgId !== actorOrgId) {
-      throw new UnauthorizedError({ message: "Service token not a part of this organization" });
+      throw new ForbiddenRequestError({ message: "Service token not a part of the specified organization" });
    }

-    if (serviceToken.projectId !== projectId)
-      throw new UnauthorizedError({
-        message: "Failed to find service authorization for given project"
-      });
+    if (serviceToken.projectId !== projectId) {
+      throw new ForbiddenRequestError({ name: "Service token not a part of the specified project" });
+    }

-    if (serviceTokenProject.orgId !== actorOrgId)
-      throw new UnauthorizedError({
-        message: "Failed to find service authorization for given project"
-      });
+    if (serviceTokenProject.orgId !== actorOrgId) {
+      throw new ForbiddenRequestError({ message: "Service token not a part of the specified organization" });
+    }

    const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
    return {
@ -323,8 +334,8 @@ export const permissionServiceFactory = ({
      case ActorType.IDENTITY:
        return getIdentityProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
      default:
-        throw new UnauthorizedError({
-          message: "Permission not defined",
+        throw new BadRequestError({
+          message: "Invalid actor provided",
          name: "Get project permission"
        });
    }
@ -334,7 +345,7 @@ export const permissionServiceFactory = ({
    const isCustomRole = !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole);
    if (isCustomRole) {
      const projectRole = await projectRoleDAL.findOne({ slug: role, projectId });
-      if (!projectRole) throw new BadRequestError({ message: "Role not found" });
+      if (!projectRole) throw new NotFoundError({ message: `Specified role was not found: ${role}` });
      return {
        permission: buildProjectPermission([
          { role: ProjectMembershipRole.Custom, permissions: projectRole.permissions }
--- a/backend/src/ee/services/permission/permission-types.ts
+++ b/backend/src/ee/services/permission/permission-types.ts
@ -2,3 +2,8 @@ export type TBuildProjectPermissionDTO = {
  permissions?: unknown;
  role: string;
 }[];
+
+export type TBuildOrgPermissionDTO = {
+  permissions?: unknown;
+  role: string;
+}[];
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@ -145,6 +145,8 @@ export const fullProjectPermissionSet: [ProjectPermissionActions, ProjectPermiss
  [ProjectPermissionActions.Edit, ProjectPermissionSub.Tags],
  [ProjectPermissionActions.Delete, ProjectPermissionSub.Tags],

+  // TODO(Daniel): Remove the audit logs permissions from project-level permissions.
+  // TODO: We haven't done this yet because it might break existing roles, since those roles will become "invalid" since the audit log permission defined on those roles, no longer exist in the project-level defined permissions.
  [ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs],
  [ProjectPermissionActions.Create, ProjectPermissionSub.AuditLogs],
  [ProjectPermissionActions.Edit, ProjectPermissionSub.AuditLogs],
--- a/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
+++ b/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import ms from "ms";

-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";

 import { TPermissionServiceFactory } from "../permission/permission-service";
@ -42,7 +42,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    ...dto
  }: TCreateUserPrivilegeDTO) => {
    const projectMembership = await projectMembershipDAL.findById(projectMembershipId);
-    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+    if (!projectMembership) throw new NotFoundError({ message: "Project membership not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -94,14 +94,14 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    ...dto
  }: TUpdateUserPrivilegeDTO) => {
    const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
-    if (!userPrivilege) throw new BadRequestError({ message: "User additional privilege not found" });
+    if (!userPrivilege) throw new NotFoundError({ message: "User additional privilege not found" });

    const projectMembership = await projectMembershipDAL.findOne({
      userId: userPrivilege.userId,
      projectId: userPrivilege.projectId
    });

-    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+    if (!projectMembership) throw new NotFoundError({ message: "Project membership not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -147,13 +147,13 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({

  const deleteById = async ({ actorId, actor, actorOrgId, actorAuthMethod, privilegeId }: TDeleteUserPrivilegeDTO) => {
    const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
-    if (!userPrivilege) throw new BadRequestError({ message: "User additional privilege not found" });
+    if (!userPrivilege) throw new NotFoundError({ message: "User additional privilege not found" });

    const projectMembership = await projectMembershipDAL.findOne({
      userId: userPrivilege.userId,
      projectId: userPrivilege.projectId
    });
-    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+    if (!projectMembership) throw new NotFoundError({ message: "Project membership not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -176,13 +176,13 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    actorAuthMethod
  }: TGetUserPrivilegeDetailsDTO) => {
    const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
-    if (!userPrivilege) throw new BadRequestError({ message: "User additional privilege not found" });
+    if (!userPrivilege) throw new NotFoundError({ message: "User additional privilege not found" });

    const projectMembership = await projectMembershipDAL.findOne({
      userId: userPrivilege.userId,
      projectId: userPrivilege.projectId
    });
-    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+    if (!projectMembership) throw new NotFoundError({ message: "Project membership not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -204,7 +204,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    actorAuthMethod
  }: TListUserPrivilegesDTO) => {
    const projectMembership = await projectMembershipDAL.findById(projectMembershipId);
-    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+    if (!projectMembership) throw new NotFoundError({ message: "Project membership not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@ -19,7 +19,7 @@ import {
  infisicalSymmetricDecrypt,
  infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TokenType } from "@app/services/auth-token/auth-token-types";
@ -187,7 +187,7 @@ export const samlConfigServiceFactory = ({

    const updateQuery: TSamlConfigsUpdate = { authProvider, isActive, lastUsed: null };
    const orgBot = await orgBotDAL.findOne({ orgId });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    if (!orgBot) throw new NotFoundError({ message: "Organization bot not found", name: "OrgBotNotFound" });
    const key = infisicalSymmetricDecrypt({
      ciphertext: orgBot.encryptedSymmetricKey,
      iv: orgBot.symmetricKeyIV,
@ -253,7 +253,7 @@ export const samlConfigServiceFactory = ({

      ssoConfig = await samlConfigDAL.findById(id);
    }
-    if (!ssoConfig) throw new BadRequestError({ message: "Failed to find organization SSO data" });
+    if (!ssoConfig) throw new NotFoundError({ message: "Failed to find organization SSO data" });

    // when dto is type id means it's internally used
    if (dto.type === "org") {
@ -279,7 +279,7 @@ export const samlConfigServiceFactory = ({
    } = ssoConfig;

    const orgBot = await orgBotDAL.findOne({ orgId: ssoConfig.orgId });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    if (!orgBot) throw new NotFoundError({ message: "Organization bot not found", name: "OrgBotNotFound" });
    const key = infisicalSymmetricDecrypt({
      ciphertext: orgBot.encryptedSymmetricKey,
      iv: orgBot.symmetricKeyIV,
@ -338,7 +338,7 @@ export const samlConfigServiceFactory = ({
    const serverCfg = await getServerCfg();

    if (serverCfg.enabledLoginMethods && !serverCfg.enabledLoginMethods.includes(LoginMethod.SAML)) {
-      throw new BadRequestError({
+      throw new ForbiddenRequestError({
        message: "Login with SAML is disabled by administrator."
      });
    }
@ -350,7 +350,7 @@ export const samlConfigServiceFactory = ({
    });

    const organization = await orgDAL.findOrgById(orgId);
-    if (!organization) throw new BadRequestError({ message: "Org not found" });
+    if (!organization) throw new NotFoundError({ message: "Organization not found" });

    let user: TUsers;
    if (userAlias) {
--- a/backend/src/ee/services/scim/scim-service.ts
+++ b/backend/src/ee/services/scim/scim-service.ts
@ -9,7 +9,7 @@ import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { TScimDALFactory } from "@app/ee/services/scim/scim-dal";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TOrgPermission } from "@app/lib/types";
 import { AuthTokenType } from "@app/services/auth/auth-type";
@ -75,7 +75,14 @@ type TScimServiceFactoryDep = {
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find" | "delete" | "findProjectMembershipsByUserId">;
  groupDAL: Pick<
    TGroupDALFactory,
-    "create" | "findOne" | "findAllGroupMembers" | "delete" | "findGroups" | "transaction" | "updateById" | "update"
+    | "create"
+    | "findOne"
+    | "findAllGroupPossibleMembers"
+    | "delete"
+    | "findGroups"
+    | "transaction"
+    | "updateById"
+    | "update"
  >;
  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
  userGroupMembershipDAL: Pick<
@ -169,7 +176,7 @@ export const scimServiceFactory = ({

  const deleteScimToken = async ({ scimTokenId, actor, actorId, actorAuthMethod, actorOrgId }: TDeleteScimTokenDTO) => {
    let scimToken = await scimDAL.findById(scimTokenId);
-    if (!scimToken) throw new BadRequestError({ message: "Failed to find SCIM token to delete" });
+    if (!scimToken) throw new NotFoundError({ message: "Failed to find SCIM token to delete" });

    const { permission } = await permissionService.getOrgPermission(
      actor,
@ -775,7 +782,7 @@ export const scimServiceFactory = ({
      });
    }

-    const users = await groupDAL.findAllGroupMembers({
+    const users = await groupDAL.findAllGroupPossibleMembers({
      orgId: group.orgId,
      groupId: group.id
    });
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-dal.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-dal.ts
@ -1,33 +1,62 @@
 import { Knex } from "knex";

 import { TDbClient } from "@app/db";
-import { SecretApprovalPoliciesSchema, TableName, TSecretApprovalPolicies } from "@app/db/schemas";
+import { SecretApprovalPoliciesSchema, TableName, TSecretApprovalPolicies, TUsers } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { buildFindFilter, ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";

+import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
+
 export type TSecretApprovalPolicyDALFactory = ReturnType<typeof secretApprovalPolicyDALFactory>;

 export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
  const secretApprovalPolicyOrm = ormify(db, TableName.SecretApprovalPolicy);

-  const secretApprovalPolicyFindQuery = (tx: Knex, filter: TFindFilter<TSecretApprovalPolicies>) =>
+  const secretApprovalPolicyFindQuery = (
+    tx: Knex,
+    filter: TFindFilter<TSecretApprovalPolicies>,
+    customFilter?: {
+      sapId?: string;
+    }
+  ) =>
    tx(TableName.SecretApprovalPolicy)
      // eslint-disable-next-line
      .where(buildFindFilter(filter))
+      .where((qb) => {
+        if (customFilter?.sapId) {
+          void qb.where(`${TableName.SecretApprovalPolicy}.id`, "=", customFilter.sapId);
+        }
+      })
      .join(TableName.Environment, `${TableName.SecretApprovalPolicy}.envId`, `${TableName.Environment}.id`)
      .leftJoin(
        TableName.SecretApprovalPolicyApprover,
        `${TableName.SecretApprovalPolicy}.id`,
        `${TableName.SecretApprovalPolicyApprover}.policyId`
      )
-
-      .leftJoin(TableName.Users, `${TableName.SecretApprovalPolicyApprover}.approverUserId`, `${TableName.Users}.id`)
-
+      .leftJoin(
+        TableName.UserGroupMembership,
+        `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
+        `${TableName.UserGroupMembership}.groupId`
+      )
+      .leftJoin<TUsers>(
+        db(TableName.Users).as("secretApprovalPolicyApproverUser"),
+        `${TableName.SecretApprovalPolicyApprover}.approverUserId`,
+        "secretApprovalPolicyApproverUser.id"
+      )
+      .leftJoin<TUsers>(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
      .select(
-        tx.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
-        tx.ref("email").withSchema(TableName.Users).as("approverEmail"),
-        tx.ref("firstName").withSchema(TableName.Users).as("approverFirstName"),
-        tx.ref("lastName").withSchema(TableName.Users).as("approverLastName")
+        tx.ref("id").withSchema("secretApprovalPolicyApproverUser").as("approverUserId"),
+        tx.ref("email").withSchema("secretApprovalPolicyApproverUser").as("approverEmail"),
+        tx.ref("firstName").withSchema("secretApprovalPolicyApproverUser").as("approverFirstName"),
+        tx.ref("username").withSchema("secretApprovalPolicyApproverUser").as("approverUsername"),
+        tx.ref("lastName").withSchema("secretApprovalPolicyApproverUser").as("approverLastName")
+      )
+      .select(
+        tx.ref("approverGroupId").withSchema(TableName.SecretApprovalPolicyApprover),
+        tx.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
+        tx.ref("email").withSchema(TableName.Users).as("approverGroupEmail"),
+        tx.ref("firstName").withSchema(TableName.Users).as("approverGroupFirstName"),
+        tx.ref("lastName").withSchema(TableName.Users).as("approverGroupLastName")
      )
      .select(
        tx.ref("name").withSchema(TableName.Environment).as("envName"),
@ -55,11 +84,31 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
          {
            key: "approverUserId",
            label: "userApprovers" as const,
-            mapper: ({ approverUserId, approverEmail, approverFirstName, approverLastName }) => ({
-              userId: approverUserId,
-              email: approverEmail,
-              firstName: approverFirstName,
-              lastName: approverLastName
+            mapper: ({
+              approverUserId: userId,
+              approverEmail: email,
+              approverFirstName: firstName,
+              approverLastName: lastName
+            }) => ({
+              userId,
+              email,
+              firstName,
+              lastName
+            })
+          },
+          {
+            key: "approverGroupUserId",
+            label: "userApprovers" as const,
+            mapper: ({
+              approverGroupUserId: userId,
+              approverGroupEmail: email,
+              approverGroupFirstName: firstName,
+              approverGroupLastName: lastName
+            }) => ({
+              userId,
+              email,
+              firstName,
+              lastName
            })
          }
        ]
@ -71,9 +120,15 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
    }
  };

-  const find = async (filter: TFindFilter<TSecretApprovalPolicies & { projectId: string }>, tx?: Knex) => {
+  const find = async (
+    filter: TFindFilter<TSecretApprovalPolicies & { projectId: string }>,
+    customFilter?: {
+      sapId?: string;
+    },
+    tx?: Knex
+  ) => {
    try {
-      const docs = await secretApprovalPolicyFindQuery(tx || db.replicaNode(), filter);
+      const docs = await secretApprovalPolicyFindQuery(tx || db.replicaNode(), filter, customFilter);
      const formatedDoc = sqlNestRelationships({
        data: docs,
        key: "id",
@ -83,11 +138,35 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
          ...SecretApprovalPoliciesSchema.parse(data)
        }),
        childrenMapper: [
+          {
+            key: "approverUserId",
+            label: "approvers" as const,
+            mapper: ({ approverUserId: id, approverUsername }) => ({
+              type: ApproverType.User,
+              name: approverUsername,
+              id
+            })
+          },
+          {
+            key: "approverGroupId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupId: id }) => ({
+              type: ApproverType.Group,
+              id
+            })
+          },
          {
            key: "approverUserId",
            label: "userApprovers" as const,
-            mapper: ({ approverUserId }) => ({
-              userId: approverUserId
+            mapper: ({ approverUserId: userId }) => ({
+              userId
+            })
+          },
+          {
+            key: "approverGroupUserId",
+            label: "userApprovers" as const,
+            mapper: ({ approverGroupUserId: userId }) => ({
+              userId
            })
          }
        ]
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
@ -3,11 +3,13 @@ import picomatch from "picomatch";

 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { containsGlobPatterns } from "@app/lib/picomatch";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
+import { TUserDALFactory } from "@app/services/user/user-dal";

+import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { TSecretApprovalPolicyApproverDALFactory } from "./secret-approval-policy-approver-dal";
 import { TSecretApprovalPolicyDALFactory } from "./secret-approval-policy-dal";
@ -15,6 +17,7 @@ import {
  TCreateSapDTO,
  TDeleteSapDTO,
  TGetBoardSapDTO,
+  TGetSapByIdDTO,
  TListSapDTO,
  TUpdateSapDTO
 } from "./secret-approval-policy-types";
@ -28,6 +31,7 @@ type TSecretApprovalPolicyServiceFactoryDep = {
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
  secretApprovalPolicyDAL: TSecretApprovalPolicyDALFactory;
  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
+  userDAL: Pick<TUserDALFactory, "find">;
  secretApprovalPolicyApproverDAL: TSecretApprovalPolicyApproverDALFactory;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
@ -39,6 +43,7 @@ export const secretApprovalPolicyServiceFactory = ({
  permissionService,
  secretApprovalPolicyApproverDAL,
  projectEnvDAL,
+  userDAL,
  licenseService
 }: TSecretApprovalPolicyServiceFactoryDep) => {
  const createSecretApprovalPolicy = async ({
@ -54,7 +59,19 @@ export const secretApprovalPolicyServiceFactory = ({
    environment,
    enforcementLevel
  }: TCreateSapDTO) => {
-    if (approvals > approvers.length)
+    const groupApprovers = approvers
+      ?.filter((approver) => approver.type === ApproverType.Group)
+      .map((approver) => approver.id);
+    const userApprovers = approvers
+      ?.filter((approver) => approver.type === ApproverType.User)
+      .map((approver) => approver.id)
+      .filter(Boolean) as string[];
+
+    const userApproverNames = approvers
+      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
+      .filter(Boolean) as string[];
+
+    if (!groupApprovers.length && approvals > approvers.length)
      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });

    const { permission } = await permissionService.getProjectPermission(
@ -78,7 +95,7 @@ export const secretApprovalPolicyServiceFactory = ({
    }

    const env = await projectEnvDAL.findOne({ slug: environment, projectId });
-    if (!env) throw new BadRequestError({ message: "Environment not found" });
+    if (!env) throw new NotFoundError({ message: "Environment not found" });

    const secretApproval = await secretApprovalPolicyDAL.transaction(async (tx) => {
      const doc = await secretApprovalPolicyDAL.create(
@ -91,15 +108,48 @@ export const secretApprovalPolicyServiceFactory = ({
        },
        tx
      );
+
+      let userApproverIds = userApprovers;
+      if (userApproverNames.length) {
+        const approverUsers = await userDAL.find(
+          {
+            $in: {
+              username: userApproverNames
+            }
+          },
+          { tx }
+        );
+
+        const approverNamesFromDb = approverUsers.map((user) => user.username);
+        const invalidUsernames = userApproverNames?.filter((username) => !approverNamesFromDb.includes(username));
+
+        if (invalidUsernames?.length) {
+          throw new BadRequestError({
+            message: `Invalid approver user: ${invalidUsernames.join(", ")}`
+          });
+        }
+
+        userApproverIds = userApproverIds.concat(approverUsers.map((user) => user.id));
+      }
+
      await secretApprovalPolicyApproverDAL.insertMany(
-        approvers.map((approverUserId) => ({
+        userApproverIds.map((approverUserId) => ({
          approverUserId,
          policyId: doc.id
        })),
        tx
      );
+
+      await secretApprovalPolicyApproverDAL.insertMany(
+        groupApprovers.map((approverGroupId) => ({
+          approverGroupId,
+          policyId: doc.id
+        })),
+        tx
+      );
      return doc;
    });
+
    return { ...secretApproval, environment: env, projectId };
  };

@ -115,8 +165,20 @@ export const secretApprovalPolicyServiceFactory = ({
    secretPolicyId,
    enforcementLevel
  }: TUpdateSapDTO) => {
+    const groupApprovers = approvers
+      ?.filter((approver) => approver.type === ApproverType.Group)
+      .map((approver) => approver.id);
+    const userApprovers = approvers
+      ?.filter((approver) => approver.type === ApproverType.User)
+      .map((approver) => approver.id)
+      .filter(Boolean) as string[];
+
+    const userApproverNames = approvers
+      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
+      .filter(Boolean) as string[];
+
    const secretApprovalPolicy = await secretApprovalPolicyDAL.findById(secretPolicyId);
-    if (!secretApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
+    if (!secretApprovalPolicy) throw new NotFoundError({ message: "Secret approval policy not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -146,16 +208,52 @@ export const secretApprovalPolicyServiceFactory = ({
        },
        tx
      );
+
+      await secretApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
+
      if (approvers) {
-        await secretApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
+        let userApproverIds = userApprovers;
+        if (userApproverNames) {
+          const approverUsers = await userDAL.find(
+            {
+              $in: {
+                username: userApproverNames
+              }
+            },
+            { tx }
+          );
+
+          const approverNamesFromDb = approverUsers.map((user) => user.username);
+          const invalidUsernames = userApproverNames?.filter((username) => !approverNamesFromDb.includes(username));
+
+          if (invalidUsernames?.length) {
+            throw new BadRequestError({
+              message: `Invalid approver user: ${invalidUsernames.join(", ")}`
+            });
+          }
+
+          userApproverIds = userApproverIds.concat(approverUsers.map((user) => user.id));
+        }
+
        await secretApprovalPolicyApproverDAL.insertMany(
-          approvers.map((approverUserId) => ({
+          userApproverIds.map((approverUserId) => ({
            approverUserId,
            policyId: doc.id
          })),
          tx
        );
      }
+
+      if (groupApprovers) {
+        await secretApprovalPolicyApproverDAL.insertMany(
+          groupApprovers.map((approverGroupId) => ({
+            approverGroupId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
      return doc;
    });
    return {
@ -173,7 +271,7 @@ export const secretApprovalPolicyServiceFactory = ({
    actorOrgId
  }: TDeleteSapDTO) => {
    const sapPolicy = await secretApprovalPolicyDAL.findById(secretPolicyId);
-    if (!sapPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
+    if (!sapPolicy) throw new NotFoundError({ message: "Secret approval policy not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -222,7 +320,7 @@ export const secretApprovalPolicyServiceFactory = ({
  const getSecretApprovalPolicy = async (projectId: string, environment: string, path: string) => {
    const secretPath = removeTrailingSlash(path);
    const env = await projectEnvDAL.findOne({ slug: environment, projectId });
-    if (!env) throw new BadRequestError({ message: "Environment not found" });
+    if (!env) throw new NotFoundError({ message: "Environment not found" });

    const policies = await secretApprovalPolicyDAL.find({ envId: env.id });
    if (!policies.length) return;
@ -260,12 +358,41 @@ export const secretApprovalPolicyServiceFactory = ({
    return getSecretApprovalPolicy(projectId, environment, secretPath);
  };

+  const getSecretApprovalPolicyById = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    sapId
+  }: TGetSapByIdDTO) => {
+    const [sapPolicy] = await secretApprovalPolicyDAL.find({}, { sapId });
+
+    if (!sapPolicy) {
+      throw new NotFoundError({
+        message: "Cannot find secret approval policy"
+      });
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      sapPolicy.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+
+    return sapPolicy;
+  };
+
  return {
    createSecretApprovalPolicy,
    updateSecretApprovalPolicy,
    deleteSecretApprovalPolicy,
    getSecretApprovalPolicy,
    getSecretApprovalPolicyByProjectId,
-    getSecretApprovalPolicyOfFolder
+    getSecretApprovalPolicyOfFolder,
+    getSecretApprovalPolicyById
  };
 };
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts
@ -1,10 +1,12 @@
 import { EnforcementLevel, TProjectPermission } from "@app/lib/types";

+import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
+
 export type TCreateSapDTO = {
  approvals: number;
  secretPath?: string | null;
  environment: string;
-  approvers: string[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
  projectId: string;
  name: string;
  enforcementLevel: EnforcementLevel;
@ -14,7 +16,7 @@ export type TUpdateSapDTO = {
  secretPolicyId: string;
  approvals?: number;
  secretPath?: string | null;
-  approvers: string[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
  name?: string;
  enforcementLevel?: EnforcementLevel;
 } & Omit<TProjectPermission, "projectId">;
@ -25,6 +27,8 @@ export type TDeleteSapDTO = {

 export type TListSapDTO = TProjectPermission;

+export type TGetSapByIdDTO = Omit<TProjectPermission, "projectId"> & { sapId: string };
+
 export type TGetBoardSapDTO = {
  projectId: string;
  environment: string;
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
@ -48,16 +48,26 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
        `${TableName.SecretApprovalRequest}.committerUserId`,
        `committerUser.id`
      )
-      .join(
+      .leftJoin(
        TableName.SecretApprovalPolicyApprover,
        `${TableName.SecretApprovalPolicy}.id`,
        `${TableName.SecretApprovalPolicyApprover}.policyId`
      )
-      .join<TUsers>(
+      .leftJoin<TUsers>(
        db(TableName.Users).as("secretApprovalPolicyApproverUser"),
        `${TableName.SecretApprovalPolicyApprover}.approverUserId`,
        "secretApprovalPolicyApproverUser.id"
      )
+      .leftJoin(
+        TableName.UserGroupMembership,
+        `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
+        `${TableName.UserGroupMembership}.groupId`
+      )
+      .leftJoin<TUsers>(
+        db(TableName.Users).as("secretApprovalPolicyGroupApproverUser"),
+        `${TableName.UserGroupMembership}.userId`,
+        `secretApprovalPolicyGroupApproverUser.id`
+      )
      .leftJoin(
        TableName.SecretApprovalRequestReviewer,
        `${TableName.SecretApprovalRequest}.id`,
@ -71,10 +81,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
      .select(selectAllTableCols(TableName.SecretApprovalRequest))
      .select(
        tx.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
+        tx.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
        tx.ref("email").withSchema("secretApprovalPolicyApproverUser").as("approverEmail"),
+        tx.ref("email").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupEmail"),
        tx.ref("username").withSchema("secretApprovalPolicyApproverUser").as("approverUsername"),
+        tx.ref("username").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupUsername"),
        tx.ref("firstName").withSchema("secretApprovalPolicyApproverUser").as("approverFirstName"),
+        tx.ref("firstName").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupFirstName"),
        tx.ref("lastName").withSchema("secretApprovalPolicyApproverUser").as("approverLastName"),
+        tx.ref("lastName").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupLastName"),
        tx.ref("email").withSchema("statusChangedByUser").as("statusChangedByUserEmail"),
        tx.ref("username").withSchema("statusChangedByUser").as("statusChangedByUserUsername"),
        tx.ref("firstName").withSchema("statusChangedByUser").as("statusChangedByUserFirstName"),
@ -152,13 +167,30 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
            key: "approverUserId",
            label: "approvers" as const,
            mapper: ({
-              approverUserId,
+              approverUserId: userId,
              approverEmail: email,
              approverUsername: username,
              approverLastName: lastName,
              approverFirstName: firstName
            }) => ({
-              userId: approverUserId,
+              userId,
+              email,
+              firstName,
+              lastName,
+              username
+            })
+          },
+          {
+            key: "approverGroupUserId",
+            label: "approvers" as const,
+            mapper: ({
+              approverGroupUserId: userId,
+              approverGroupEmail: email,
+              approverGroupUsername: username,
+              approverGroupLastName: lastName,
+              approverGroupFirstName: firstName
+            }) => ({
+              userId,
              email,
              firstName,
              lastName,
@ -236,11 +268,16 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          `${TableName.SecretApprovalRequest}.policyId`,
          `${TableName.SecretApprovalPolicy}.id`
        )
-        .join(
+        .leftJoin(
          TableName.SecretApprovalPolicyApprover,
          `${TableName.SecretApprovalPolicy}.id`,
          `${TableName.SecretApprovalPolicyApprover}.policyId`
        )
+        .leftJoin(
+          TableName.UserGroupMembership,
+          `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
+          `${TableName.UserGroupMembership}.groupId`
+        )
        .join<TUsers>(
          db(TableName.Users).as("committerUser"),
          `${TableName.SecretApprovalRequest}.committerUserId`,
@ -269,6 +306,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
            void bd
              .where(`${TableName.SecretApprovalPolicyApprover}.approverUserId`, userId)
              .orWhere(`${TableName.SecretApprovalRequest}.committerUserId`, userId)
+              .orWhere(`${TableName.UserGroupMembership}.userId`, userId)
        )
        .select(selectAllTableCols(TableName.SecretApprovalRequest))
        .select(
@ -289,6 +327,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          db.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
          db.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
          db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
+          db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
          db.ref("email").withSchema("committerUser").as("committerUserEmail"),
          db.ref("username").withSchema("committerUser").as("committerUserUsername"),
          db.ref("firstName").withSchema("committerUser").as("committerUserFirstName"),
@ -334,7 +373,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          {
            key: "approverUserId",
            label: "approvers" as const,
-            mapper: ({ approverUserId }) => approverUserId
+            mapper: ({ approverUserId }) => ({ userId: approverUserId })
          },
          {
            key: "commitId",
@ -344,6 +383,11 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
              id,
              secretId
            })
+          },
+          {
+            key: "approverGroupUserId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupUserId }) => ({ userId: approverGroupUserId })
          }
        ]
      });
@ -371,11 +415,16 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          `${TableName.SecretApprovalRequest}.policyId`,
          `${TableName.SecretApprovalPolicy}.id`
        )
-        .join(
+        .leftJoin(
          TableName.SecretApprovalPolicyApprover,
          `${TableName.SecretApprovalPolicy}.id`,
          `${TableName.SecretApprovalPolicyApprover}.policyId`
        )
+        .leftJoin(
+          TableName.UserGroupMembership,
+          `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
+          `${TableName.UserGroupMembership}.groupId`
+        )
        .join<TUsers>(
          db(TableName.Users).as("committerUser"),
          `${TableName.SecretApprovalRequest}.committerUserId`,
@ -404,6 +453,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
            void bd
              .where(`${TableName.SecretApprovalPolicyApprover}.approverUserId`, userId)
              .orWhere(`${TableName.SecretApprovalRequest}.committerUserId`, userId)
+              .orWhere(`${TableName.UserGroupMembership}.userId`, userId)
        )
        .select(selectAllTableCols(TableName.SecretApprovalRequest))
        .select(
@ -424,6 +474,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          db.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
          db.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
          db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
+          db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
          db.ref("email").withSchema("committerUser").as("committerUserEmail"),
          db.ref("username").withSchema("committerUser").as("committerUserUsername"),
          db.ref("firstName").withSchema("committerUser").as("committerUserFirstName"),
@ -469,7 +520,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          {
            key: "approverUserId",
            label: "approvers" as const,
-            mapper: ({ approverUserId }) => approverUserId
+            mapper: ({ approverUserId }) => ({ userId: approverUserId })
          },
          {
            key: "commitId",
@ -479,6 +530,13 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
              id,
              secretId
            })
+          },
+          {
+            key: "approverGroupUserId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupUserId }) => ({
+              userId: approverGroupUserId
+            })
          }
        ]
      });
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts
@ -8,7 +8,7 @@ import {
  TSecretApprovalRequestsSecrets,
  TSecretTags
 } from "@app/db/schemas";
-import { BadRequestError, DatabaseError } from "@app/lib/errors";
+import { DatabaseError, NotFoundError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";

 export type TSecretApprovalRequestSecretDALFactory = ReturnType<typeof secretApprovalRequestSecretDALFactory>;
@ -31,7 +31,7 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
      );

      if (existingApprovalSecrets.length !== data.length) {
-        throw new BadRequestError({ message: "Some of the secret approvals do not exist" });
+        throw new NotFoundError({ message: "Some of the secret approvals do not exist" });
      }

      if (data.length === 0) return [];
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@ -10,7 +10,7 @@ import {
 } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy, pick, unique } from "@app/lib/fn";
 import { setKnexStringValue } from "@app/lib/knex";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@ -204,7 +204,7 @@ export const secretApprovalRequestServiceFactory = ({
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });

    const secretApprovalRequest = await secretApprovalRequestDAL.findById(id);
-    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
+    if (!secretApprovalRequest) throw new NotFoundError({ message: "Secret approval request not found" });

    const { projectId } = secretApprovalRequest;
    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
@ -222,7 +222,7 @@ export const secretApprovalRequestServiceFactory = ({
      secretApprovalRequest.committerUserId !== actorId &&
      !policy.approvers.find(({ userId }) => userId === actorId)
    ) {
-      throw new UnauthorizedError({ message: "User has no access" });
+      throw new ForbiddenRequestError({ message: "User has insufficient privileges" });
    }

    let secrets;
@ -271,7 +271,7 @@ export const secretApprovalRequestServiceFactory = ({
          : undefined
      }));
    } else {
-      if (!botKey) throw new BadRequestError({ message: "Bot key not found" });
+      if (!botKey) throw new NotFoundError({ message: "Project bot key not found" });
      const encrypedSecrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
      secrets = encrypedSecrets.map((el) => ({
        ...el,
@ -307,7 +307,7 @@ export const secretApprovalRequestServiceFactory = ({
    actorOrgId
  }: TReviewRequestDTO) => {
    const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
-    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
+    if (!secretApprovalRequest) throw new NotFoundError({ message: "Secret approval request not found" });
    if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });

    const plan = await licenseService.getPlan(actorOrgId);
@ -331,7 +331,7 @@ export const secretApprovalRequestServiceFactory = ({
      secretApprovalRequest.committerUserId !== actorId &&
      !policy.approvers.find(({ userId }) => userId === actorId)
    ) {
-      throw new UnauthorizedError({ message: "User has no access" });
+      throw new ForbiddenRequestError({ message: "User has insufficient privileges" });
    }
    const reviewStatus = await secretApprovalRequestReviewerDAL.transaction(async (tx) => {
      const review = await secretApprovalRequestReviewerDAL.findOne(
@ -365,7 +365,7 @@ export const secretApprovalRequestServiceFactory = ({
    actorAuthMethod
  }: TStatusChangeDTO) => {
    const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
-    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
+    if (!secretApprovalRequest) throw new NotFoundError({ message: "Secret approval request not found" });
    if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });

    const plan = await licenseService.getPlan(actorOrgId);
@ -389,7 +389,7 @@ export const secretApprovalRequestServiceFactory = ({
      secretApprovalRequest.committerUserId !== actorId &&
      !policy.approvers.find(({ userId }) => userId === actorId)
    ) {
-      throw new UnauthorizedError({ message: "User has no access" });
+      throw new ForbiddenRequestError({ message: "User has insufficient privileges" });
    }

    if (secretApprovalRequest.hasMerged) throw new BadRequestError({ message: "Approval request has been merged" });
@ -414,7 +414,7 @@ export const secretApprovalRequestServiceFactory = ({
    bypassReason
  }: TMergeSecretApprovalRequestDTO) => {
    const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
-    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
+    if (!secretApprovalRequest) throw new NotFoundError({ message: "Secret approval request not found" });
    if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });

    const plan = await licenseService.getPlan(actorOrgId);
@ -439,7 +439,7 @@ export const secretApprovalRequestServiceFactory = ({
      secretApprovalRequest.committerUserId !== actorId &&
      !policy.approvers.find(({ userId }) => userId === actorId)
    ) {
-      throw new UnauthorizedError({ message: "User has no access" });
+      throw new ForbiddenRequestError({ message: "User has insufficient privileges" });
    }
    const reviewers = secretApprovalRequest.reviewers.reduce<Record<string, ApprovalStatus>>(
      (prev, curr) => ({ ...prev, [curr.userId.toString()]: curr.status as ApprovalStatus }),
@ -447,8 +447,8 @@ export const secretApprovalRequestServiceFactory = ({
    );
    const hasMinApproval =
      secretApprovalRequest.policy.approvals <=
-      secretApprovalRequest.policy.approvers.filter(
-        ({ userId: approverId }) => reviewers[approverId.toString()] === ApprovalStatus.APPROVED
+      secretApprovalRequest.policy.approvers.filter(({ userId: approverId }) =>
+        approverId ? reviewers[approverId] === ApprovalStatus.APPROVED : false
      ).length;
    const isSoftEnforcement = secretApprovalRequest.policy.enforcementLevel === EnforcementLevel.Soft;

@ -462,7 +462,7 @@ export const secretApprovalRequestServiceFactory = ({
      const secretApprovalSecrets = await secretApprovalRequestSecretDAL.findByRequestIdBridgeSecretV2(
        secretApprovalRequest.id
      );
-      if (!secretApprovalSecrets) throw new BadRequestError({ message: "No secrets found" });
+      if (!secretApprovalSecrets) throw new NotFoundError({ message: "No secrets found" });

      const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
        type: KmsDataKey.SecretManager,
@ -602,7 +602,7 @@ export const secretApprovalRequestServiceFactory = ({
      });
    } else {
      const secretApprovalSecrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
-      if (!secretApprovalSecrets) throw new BadRequestError({ message: "No secrets found" });
+      if (!secretApprovalSecrets) throw new NotFoundError({ message: "No secrets found" });

      const conflicts: Array<{ secretId: string; op: SecretOperations }> = [];
      let secretCreationCommits = secretApprovalSecrets.filter(({ op }) => op === SecretOperations.Create);
@ -612,8 +612,8 @@ export const secretApprovalRequestServiceFactory = ({
          secretDAL,
          inputSecrets: secretCreationCommits.map(({ secretBlindIndex }) => {
            if (!secretBlindIndex) {
-              throw new BadRequestError({
-                message: "Missing secret blind index"
+              throw new NotFoundError({
+                message: "Secret blind index not found"
              });
            }
            return { secretBlindIndex };
@ -639,8 +639,8 @@ export const secretApprovalRequestServiceFactory = ({
            .filter(({ secretBlindIndex, secret }) => secret && secret.secretBlindIndex !== secretBlindIndex)
            .map(({ secretBlindIndex }) => {
              if (!secretBlindIndex) {
-                throw new BadRequestError({
-                  message: "Missing secret blind index"
+                throw new NotFoundError({
+                  message: "Secret blind index not found"
                });
              }
              return { secretBlindIndex };
@ -762,8 +762,8 @@ export const secretApprovalRequestServiceFactory = ({
              secretQueueService,
              inputSecrets: secretDeletionCommits.map(({ secretBlindIndex }) => {
                if (!secretBlindIndex) {
-                  throw new BadRequestError({
-                    message: "Missing secret blind index"
+                  throw new NotFoundError({
+                    message: "Secret blind index not found"
                  });
                }
                return { secretBlindIndex, type: SecretType.Shared };
@ -789,7 +789,7 @@ export const secretApprovalRequestServiceFactory = ({

    await snapshotService.performSnapshot(folderId);
    const [folder] = await folderDAL.findSecretPathByFolderIds(projectId, [folderId]);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
    await secretQueueService.syncSecrets({
      projectId,
      secretPath: folder.path,
@ -805,7 +805,7 @@ export const secretApprovalRequestServiceFactory = ({
      const requestedByUser = await userDAL.findOne({ id: actorId });
      const approverUsers = await userDAL.find({
        $in: {
-          id: policy.approvers.map((approver: { userId: string }) => approver.userId)
+          id: policy.approvers.map((approver: { userId: string | null | undefined }) => approver.userId!)
        }
      });

@ -860,14 +860,14 @@ export const secretApprovalRequestServiceFactory = ({

    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
    if (!folder)
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: "Folder not found for the given environment slug & secret path",
        name: "GenSecretApproval"
      });
    const folderId = folder.id;

    const blindIndexCfg = await secretBlindIndexDAL.findOne({ projectId });
-    if (!blindIndexCfg) throw new BadRequestError({ message: "Blind index not found", name: "Update secret" });
+    if (!blindIndexCfg) throw new NotFoundError({ message: "Blind index not found", name: "Update secret" });

    const commits: Omit<TSecretApprovalRequestsSecretsInsert, "requestId">[] = [];
    const commitTagIds: Record<string, string[]> = {};
@ -961,7 +961,7 @@ export const secretApprovalRequestServiceFactory = ({
        secretDAL
      });
      const secretsGroupedByBlindIndex = groupBy(secrets, (i) => {
-        if (!i.secretBlindIndex) throw new BadRequestError({ message: "Missing secret blind index" });
+        if (!i.secretBlindIndex) throw new NotFoundError({ message: "Secret blind index not found" });
        return i.secretBlindIndex;
      });
      const deletedSecretIds = deletedSecrets.map(
@ -972,7 +972,7 @@ export const secretApprovalRequestServiceFactory = ({
        ...deletedSecrets.map((el) => {
          const secretId = secretsGroupedByBlindIndex[keyName2BlindIndex[el.secretName]][0].id;
          if (!latestSecretVersions[secretId].secretBlindIndex)
-            throw new BadRequestError({ message: "Failed to find secret blind index" });
+            throw new NotFoundError({ message: "Secret blind index not found" });
          return {
            op: SecretOperations.Delete as const,
            ...latestSecretVersions[secretId],
@ -988,7 +988,7 @@ export const secretApprovalRequestServiceFactory = ({

    const tagIds = unique(Object.values(commitTagIds).flat());
    const tags = tagIds.length ? await secretTagDAL.findManyTagsById(projectId, tagIds) : [];
-    if (tagIds.length !== tags.length) throw new BadRequestError({ message: "Tag not found" });
+    if (tagIds.length !== tags.length) throw new NotFoundError({ message: "Tag not found" });

    const secretApprovalRequest = await secretApprovalRequestDAL.transaction(async (tx) => {
      const doc = await secretApprovalRequestDAL.create(
@ -1054,7 +1054,7 @@ export const secretApprovalRequestServiceFactory = ({

      const commitsGroupByBlindIndex = groupBy(approvalCommits, (i) => {
        if (!i.secretBlindIndex) {
-          throw new BadRequestError({ message: "Missing secret blind index" });
+          throw new NotFoundError({ message: "Secret blind index not found" });
        }
        return i.secretBlindIndex;
      });
@ -1132,7 +1132,7 @@ export const secretApprovalRequestServiceFactory = ({

    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
    if (!folder)
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: "Folder not found for the given environment slug & secret path",
        name: "GenSecretApproval"
      });
@ -1191,8 +1191,8 @@ export const secretApprovalRequestServiceFactory = ({
        }))
      );
      if (secretsToUpdateStoredInDB.length !== secretsToUpdate.length)
-        throw new BadRequestError({
-          message: `Secret not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
+        throw new NotFoundError({
+          message: `Secret does not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
        });

      // now find any secret that needs to update its name
@ -1207,8 +1207,8 @@ export const secretApprovalRequestServiceFactory = ({
          }))
        );
        if (secrets.length)
-          throw new BadRequestError({
-            message: `Secret not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
+          throw new NotFoundError({
+            message: `Secret does not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
          });
      }

@ -1267,8 +1267,8 @@ export const secretApprovalRequestServiceFactory = ({
        }))
      );
      if (secretsToDeleteInDB.length !== deletedSecrets.length)
-        throw new BadRequestError({
-          message: `Secret not exist: ${secretsToDeleteInDB.map((el) => el.key).join(",")}`
+        throw new NotFoundError({
+          message: `Secret does not exist: ${secretsToDeleteInDB.map((el) => el.key).join(",")}`
        });
      const secretsGroupedByKey = groupBy(secretsToDeleteInDB, (i) => i.key);
      const deletedSecretIds = deletedSecrets.map((el) => secretsGroupedByKey[el.secretKey][0].id);
@ -1291,7 +1291,7 @@ export const secretApprovalRequestServiceFactory = ({

    const tagIds = unique(Object.values(commitTagIds).flat());
    const tags = tagIds.length ? await secretTagDAL.findManyTagsById(projectId, tagIds) : [];
-    if (tagIds.length !== tags.length) throw new BadRequestError({ message: "Tag not found" });
+    if (tagIds.length !== tags.length) throw new NotFoundError({ message: "Tag not found" });

    const secretApprovalRequest = await secretApprovalRequestDAL.transaction(async (tx) => {
      const doc = await secretApprovalRequestDAL.create(
--- a/backend/src/ee/services/secret-replication/secret-replication-service.ts
+++ b/backend/src/ee/services/secret-replication/secret-replication-service.ts
@ -4,7 +4,7 @@ import { TSecretApprovalRequestDALFactory } from "@app/ee/services/secret-approv
 import { TSecretApprovalRequestSecretDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-secret-dal";
 import { KeyStorePrefixes, TKeyStoreFactory } from "@app/keystore/keystore";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
-import { BadRequestError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { groupBy, unique } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@ -295,7 +295,7 @@ export const secretReplicationServiceFactory = ({
            const [destinationFolder] = await folderDAL.findSecretPathByFolderIds(projectId, [
              destinationSecretImport.folderId
            ]);
-            if (!destinationFolder) throw new BadRequestError({ message: "Imported folder not found" });
+            if (!destinationFolder) throw new NotFoundError({ message: "Imported folder not found" });

            let destinationReplicationFolder = await folderDAL.findOne({
              parentId: destinationFolder.id,
@ -506,7 +506,7 @@ export const secretReplicationServiceFactory = ({
      return;
    }

-    if (!botKey) throw new BadRequestError({ message: "Bot not found" });
+    if (!botKey) throw new NotFoundError({ message: "Project bot not found" });
    // these are the secrets to be added in replicated folders
    const sourceLocalSecrets = await secretDAL.find({ folderId: folder.id, type: SecretType.Shared });
    const sourceSecretImports = await secretImportDAL.find({ folderId: folder.id });
@ -545,7 +545,7 @@ export const secretReplicationServiceFactory = ({
          const [destinationFolder] = await folderDAL.findSecretPathByFolderIds(projectId, [
            destinationSecretImport.folderId
          ]);
-          if (!destinationFolder) throw new BadRequestError({ message: "Imported folder not found" });
+          if (!destinationFolder) throw new NotFoundError({ message: "Imported folder not found" });

          let destinationReplicationFolder = await folderDAL.findOne({
            parentId: destinationFolder.id,
--- a/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
@ -13,7 +13,7 @@ import {
  infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
 import { daysToMillisecond, secondsToMillis } from "@app/lib/dates";
-import { BadRequestError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
@ -332,7 +332,7 @@ export const secretRotationQueueFactory = ({
          );
        });
      } else {
-        if (!botKey) throw new BadRequestError({ message: "Bot not found" });
+        if (!botKey) throw new NotFoundError({ message: "Project bot not found" });
        const encryptedSecrets = rotationOutputs.map(({ key: outputKey, secretId }) => ({
          secretId,
          value: encryptSymmetric128BitHexKeyUTF8(
@ -372,7 +372,7 @@ export const secretRotationQueueFactory = ({
          );
          await secretVersionDAL.insertMany(
            updatedSecrets.map(({ id, updatedAt, createdAt, ...el }) => {
-              if (!el.secretBlindIndex) throw new BadRequestError({ message: "Missing blind index" });
+              if (!el.secretBlindIndex) throw new NotFoundError({ message: "Secret blind index not found" });
              return {
                ...el,
                secretId: id,
--- a/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
@ -3,7 +3,7 @@ import Ajv from "ajv";

 import { ProjectVersion } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
@ -94,7 +94,7 @@ export const secretRotationServiceFactory = ({
    );

    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
-    if (!folder) throw new BadRequestError({ message: "Secret path not found" });
+    if (!folder) throw new NotFoundError({ message: "Secret path not found" });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
@ -108,14 +108,14 @@ export const secretRotationServiceFactory = ({
        $in: { id: Object.values(outputs) }
      });
      if (selectedSecrets.length !== Object.values(outputs).length)
-        throw new BadRequestError({ message: "Secrets not found" });
+        throw new NotFoundError({ message: "Secrets not found" });
    } else {
      const selectedSecrets = await secretDAL.find({
        folderId: folder.id,
        $in: { id: Object.values(outputs) }
      });
      if (selectedSecrets.length !== Object.values(outputs).length)
-        throw new BadRequestError({ message: "Secrets not found" });
+        throw new NotFoundError({ message: "Secrets not found" });
    }

    const plan = await licenseService.getPlan(project.orgId);
@ -125,7 +125,7 @@ export const secretRotationServiceFactory = ({
      });

    const selectedTemplate = rotationTemplates.find(({ name }) => name === provider);
-    if (!selectedTemplate) throw new BadRequestError({ message: "Provider not found" });
+    if (!selectedTemplate) throw new NotFoundError({ message: "Provider not found" });
    const formattedInputs: Record<string, unknown> = {};
    Object.entries(inputs).forEach(([key, value]) => {
      const { type } = selectedTemplate.template.inputs.properties[key];
@ -198,7 +198,7 @@ export const secretRotationServiceFactory = ({
      return docs;
    }

-    if (!botKey) throw new BadRequestError({ message: "bot not found" });
+    if (!botKey) throw new NotFoundError({ message: "Project bot not found" });
    const docs = await secretRotationDAL.find({ projectId });
    return docs.map((el) => ({
      ...el,
@ -220,7 +220,7 @@ export const secretRotationServiceFactory = ({

  const restartById = async ({ actor, actorId, actorOrgId, actorAuthMethod, rotationId }: TRestartDTO) => {
    const doc = await secretRotationDAL.findById(rotationId);
-    if (!doc) throw new BadRequestError({ message: "Rotation not found" });
+    if (!doc) throw new NotFoundError({ message: "Rotation not found" });

    const project = await projectDAL.findById(doc.projectId);
    const plan = await licenseService.getPlan(project.orgId);
@ -244,7 +244,7 @@ export const secretRotationServiceFactory = ({

  const deleteById = async ({ actor, actorId, actorOrgId, actorAuthMethod, rotationId }: TDeleteDTO) => {
    const doc = await secretRotationDAL.findById(rotationId);
-    if (!doc) throw new BadRequestError({ message: "Rotation not found" });
+    if (!doc) throw new NotFoundError({ message: "Rotation not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
--- a/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
@ -7,7 +7,7 @@ import { ProbotOctokit } from "probot";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { getConfig } from "@app/lib/config/env";
-import { UnauthorizedError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";

 import { TGitAppDALFactory } from "./git-app-dal";
 import { TGitAppInstallSessionDALFactory } from "./git-app-install-session-dal";
@ -63,7 +63,7 @@ export const secretScanningServiceFactory = ({
    actorOrgId
  }: TLinkInstallSessionDTO) => {
    const session = await gitAppInstallSessionDAL.findOne({ sessionId });
-    if (!session) throw new UnauthorizedError({ message: "Session not found" });
+    if (!session) throw new NotFoundError({ message: "Session was not found" });

    const { permission } = await permissionService.getOrgPermission(
      actor,
--- a/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
+++ b/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";

 import { TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
-import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@ -99,7 +99,7 @@ export const secretSnapshotServiceFactory = ({
    );

    const folder = await folderDAL.findBySecretPath(projectId, environment, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });

    return snapshotDAL.countOfSnapshotsByFolderId(folder.id);
  };
@ -131,7 +131,7 @@ export const secretSnapshotServiceFactory = ({
    );

    const folder = await folderDAL.findBySecretPath(projectId, environment, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });

    const snapshots = await snapshotDAL.find({ folderId: folder.id }, { limit, offset, sort: [["createdAt", "desc"]] });
    return snapshots;
@ -139,7 +139,7 @@ export const secretSnapshotServiceFactory = ({

  const getSnapshotData = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TGetSnapshotDataDTO) => {
    const snapshot = await snapshotDAL.findById(id);
-    if (!snapshot) throw new BadRequestError({ message: "Snapshot not found" });
+    if (!snapshot) throw new NotFoundError({ message: "Snapshot not found" });
    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
@ -173,7 +173,7 @@ export const secretSnapshotServiceFactory = ({
    } else {
      const encryptedSnapshotDetails = await snapshotDAL.findSecretSnapshotDataById(id);
      const { botKey } = await projectBotService.getBotKey(snapshot.projectId);
-      if (!botKey) throw new BadRequestError({ message: "bot not found" });
+      if (!botKey) throw new NotFoundError({ message: "Project bot not found" });
      snapshotDetails = {
        ...encryptedSnapshotDetails,
        secretVersions: encryptedSnapshotDetails.secretVersions.map((el) => ({
@ -225,7 +225,7 @@ export const secretSnapshotServiceFactory = ({
    try {
      if (!licenseService.isValidLicense) throw new InternalServerError({ message: "Invalid license" });
      const folder = await folderDAL.findById(folderId);
-      if (!folder) throw new BadRequestError({ message: "Folder not found" });
+      if (!folder) throw new NotFoundError({ message: "Folder not found" });
      const shouldUseSecretV2Bridge = folder.projectVersion === 3;

      if (shouldUseSecretV2Bridge) {
@ -309,7 +309,7 @@ export const secretSnapshotServiceFactory = ({
    actorOrgId
  }: TRollbackSnapshotDTO) => {
    const snapshot = await snapshotDAL.findById(snapshotId);
-    if (!snapshot) throw new BadRequestError({ message: "Snapshot not found" });
+    if (!snapshot) throw new NotFoundError({ message: "Snapshot not found" });
    const shouldUseBridge = snapshot.projectVersion === 3;

    const { permission } = await permissionService.getProjectPermission(
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@ -5,26 +5,30 @@ export const GROUPS = {
    role: "The role of the group to create."
  },
  UPDATE: {
-    currentSlug: "The current slug of the group to update.",
+    id: "The id of the group to update",
    name: "The new name of the group to update to.",
    slug: "The new slug of the group to update to.",
    role: "The new role of the group to update to."
  },
  DELETE: {
+    id: "The id of the group to delete",
    slug: "The slug of the group to delete"
  },
  LIST_USERS: {
-    slug: "The slug of the group to list users for",
+    id: "The id of the group to list users for",
    offset: "The offset to start from. If you enter 10, it will start from the 10th user.",
    limit: "The number of users to return.",
    username: "The username to search for."
  },
  ADD_USER: {
-    slug: "The slug of the group to add the user to.",
+    id: "The id of the group to add the user to.",
    username: "The username of the user to add to the group."
  },
+  GET_BY_ID: {
+    id: "The id of the group to fetch"
+  },
  DELETE_USER: {
-    slug: "The slug of the group to remove the user from.",
+    id: "The id of the group to remove the user from.",
    username: "The username of the user to remove from the group."
  }
 } as const;
@ -409,21 +413,21 @@ export const PROJECTS = {
    secretSnapshotId: "The ID of the snapshot to rollback to."
  },
  ADD_GROUP_TO_PROJECT: {
-    projectSlug: "The slug of the project to add the group to.",
-    groupSlug: "The slug of the group to add to the project.",
+    projectId: "The ID of the project to add the group to.",
+    groupId: "The ID of the group to add to the project.",
    role: "The role for the group to assume in the project."
  },
  UPDATE_GROUP_IN_PROJECT: {
-    projectSlug: "The slug of the project to update the group in.",
-    groupSlug: "The slug of the group to update in the project.",
+    projectId: "The ID of the project to update the group in.",
+    groupId: "The ID of the group to update in the project.",
    roles: "A list of roles to update the group to."
  },
  REMOVE_GROUP_FROM_PROJECT: {
-    projectSlug: "The slug of the project to delete the group from.",
-    groupSlug: "The slug of the group to delete from the project."
+    projectId: "The ID of the project to delete the group from.",
+    groupId: "The ID of the group to delete from the project."
  },
  LIST_GROUPS_IN_PROJECT: {
-    projectSlug: "The slug of the project to list groups for."
+    projectId: "The ID of the project to list groups for."
  },
  LIST_INTEGRATION: {
    workspaceId: "The ID of the project to list integrations for."
@ -697,11 +701,46 @@ export const SECRET_IMPORTS = {
  }
 } as const;

+export const DASHBOARD = {
+  SECRET_OVERVIEW_LIST: {
+    projectId: "The ID of the project to list secrets/folders from.",
+    environments:
+      "The slugs of the environments to list secrets/folders from (comma separated, ie 'environments=dev,staging,prod').",
+    secretPath: "The secret path to list secrets/folders from.",
+    offset: "The offset to start from. If you enter 10, it will start from the 10th secret/folder.",
+    limit: "The number of secrets/folders to return.",
+    orderBy: "The column to order secrets/folders by.",
+    orderDirection: "The direction to order secrets/folders in.",
+    search: "The text string to filter secret keys and folder names by.",
+    includeSecrets: "Whether to include project secrets in the response.",
+    includeFolders: "Whether to include project folders in the response.",
+    includeDynamicSecrets: "Whether to include dynamic project secrets in the response."
+  },
+  SECRET_DETAILS_LIST: {
+    projectId: "The ID of the project to list secrets/folders from.",
+    environment: "The slug of the environment to list secrets/folders from.",
+    secretPath: "The secret path to list secrets/folders from.",
+    offset: "The offset to start from. If you enter 10, it will start from the 10th secret/folder.",
+    limit: "The number of secrets/folders to return.",
+    orderBy: "The column to order secrets/folders by.",
+    orderDirection: "The direction to order secrets/folders in.",
+    search: "The text string to filter secret keys and folder names by.",
+    tags: "The tags to filter secrets by (comma separated, ie 'tags=billing,engineering').",
+    includeSecrets: "Whether to include project secrets in the response.",
+    includeFolders: "Whether to include project folders in the response.",
+    includeImports: "Whether to include project secret imports in the response.",
+    includeDynamicSecrets: "Whether to include dynamic project secrets in the response."
+  }
+} as const;
+
 export const AUDIT_LOGS = {
  EXPORT: {
-    workspaceId: "The ID of the project to export audit logs from.",
+    projectId:
+      "Optionally filter logs by project ID. If not provided, logs from the entire organization will be returned.",
    eventType: "The type of the event to export.",
    userAgentType: "Choose which consuming application to export audit logs for.",
+    eventMetadata:
+      "Filter by event metadata key-value pairs. Formatted as `key1=value1,key2=value2`, with comma-separation.",
    startDate: "The date to start the export from.",
    endDate: "The date to end the export at.",
    offset: "The offset to start from. If you enter 10, it will start from the 10th audit log.",
--- a/backend/src/lib/errors/index.ts
+++ b/backend/src/lib/errors/index.ts
@ -40,9 +40,9 @@ export class ForbiddenRequestError extends Error {

  error: unknown;

-  constructor({ name, error, message }: { message?: string; name?: string; error?: unknown }) {
+  constructor({ name, error, message }: { message?: string; name?: string; error?: unknown } = {}) {
    super(message ?? "You are not allowed to access this resource");
-    this.name = name || "ForbideenError";
+    this.name = name || "ForbiddenError";
    this.error = error;
  }
 }
--- a/backend/src/lib/fn/string.ts
+++ b/backend/src/lib/fn/string.ts
@ -9,3 +9,8 @@ export const removeTrailingSlash = (str: string) => {

  return str.endsWith("/") ? str.slice(0, -1) : str;
 };
+
+export const prefixWithSlash = (str: string) => {
+  if (str.startsWith("/")) return str;
+  return `/${str}`;
+};
--- a/backend/src/lib/ip/index.ts
+++ b/backend/src/lib/ip/index.ts
@ -1,6 +1,6 @@
 import net from "node:net";

-import { UnauthorizedError } from "../errors";
+import { ForbiddenRequestError } from "../errors";

 export enum IPType {
  IPV4 = "ipv4",
@ -126,7 +126,7 @@ export const checkIPAgainstBlocklist = ({ ipAddress, trustedIps }: { ipAddress:
  const check = blockList.check(ipAddress, type);

  if (!check)
-    throw new UnauthorizedError({
-      message: "Failed to authenticate"
+    throw new ForbiddenRequestError({
+      message: "You are not allowed to access this resource from the current IP address"
    });
 };
--- a/backend/src/lib/knex/index.ts
+++ b/backend/src/lib/knex/index.ts
@ -51,11 +51,17 @@ export type TFindReturn<TQuery extends Knex.QueryBuilder, TCount extends boolean
      : unknown)
 >;

-export type TFindOpt<R extends object = object, TCount extends boolean = boolean> = {
+export type TFindOpt<
+  R extends object = object,
+  TCount extends boolean = boolean,
+  TCountDistinct extends keyof R | undefined = undefined
+> = {
  limit?: number;
  offset?: number;
  sort?: Array<[keyof R, "asc" | "desc"] | [keyof R, "asc" | "desc", "first" | "last"]>;
+  groupBy?: keyof R;
  count?: TCount;
+  countDistinct?: TCountDistinct;
  tx?: Knex;
 };

@ -86,13 +92,18 @@ export const ormify = <DbOps extends object, Tname extends keyof Tables>(db: Kne
      throw new DatabaseError({ error, name: "Find one" });
    }
  },
-  find: async <TCount extends boolean = false>(
+  find: async <
+    TCount extends boolean = false,
+    TCountDistinct extends keyof Tables[Tname]["base"] | undefined = undefined
+  >(
    filter: TFindFilter<Tables[Tname]["base"]>,
-    { offset, limit, sort, count, tx }: TFindOpt<Tables[Tname]["base"], TCount> = {}
+    { offset, limit, sort, count, tx, countDistinct }: TFindOpt<Tables[Tname]["base"], TCount, TCountDistinct> = {}
  ) => {
    try {
      const query = (tx || db.replicaNode())(tableName).where(buildFindFilter(filter));
-      if (count) {
+      if (countDistinct) {
+        void query.countDistinct(countDistinct);
+      } else if (count) {
        void query.select(db.raw("COUNT(*) OVER() AS count"));
        void query.select("*");
      }
@ -101,7 +112,8 @@ export const ormify = <DbOps extends object, Tname extends keyof Tables>(db: Kne
      if (sort) {
        void query.orderBy(sort.map(([column, order, nulls]) => ({ column: column as string, order, nulls })));
      }
-      const res = (await query) as TFindReturn<typeof query, TCount>;
+
+      const res = (await query) as TFindReturn<typeof query, TCountDistinct extends undefined ? TCount : true>;
      return res;
    } catch (error) {
      throw new DatabaseError({ error, name: "Find one" });
--- a/backend/src/queue/queue-service.ts
+++ b/backend/src/queue/queue-service.ts
@ -7,7 +7,11 @@ import {
  TScanFullRepoEventPayload,
  TScanPushEventPayload
 } from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue-types";
-import { TSyncSecretsDTO } from "@app/services/secret/secret-types";
+import {
+  TFailedIntegrationSyncEmailsPayload,
+  TIntegrationSyncPayload,
+  TSyncSecretsDTO
+} from "@app/services/secret/secret-types";

 export enum QueueName {
  SecretRotation = "secret-rotation",
@ -42,6 +46,7 @@ export enum QueueJobs {
  SecWebhook = "secret-webhook-trigger",
  TelemetryInstanceStats = "telemetry-self-hosted-stats",
  IntegrationSync = "secret-integration-pull",
+  SendFailedIntegrationSyncEmails = "send-failed-integration-sync-emails",
  SecretScan = "secret-scan",
  UpgradeProjectToGhost = "upgrade-project-to-ghost-job",
  DynamicSecretRevocation = "dynamic-secret-revocation",
@ -88,18 +93,26 @@ export type TQueueJobTypes = {
    name: QueueJobs.SecWebhook;
    payload: { projectId: string; environment: string; secretPath: string; depth?: number };
  };
-  [QueueName.IntegrationSync]: {
-    name: QueueJobs.IntegrationSync;
-    payload: {
-      isManual?: boolean;
-      actorId?: string;
-      projectId: string;
-      environment: string;
-      secretPath: string;
-      depth?: number;
-      deDupeQueue?: Record<string, boolean>;
-    };
-  };
+
+  [QueueName.AccessTokenStatusUpdate]:
+    | {
+        name: QueueJobs.IdentityAccessTokenStatusUpdate;
+        payload: { identityAccessTokenId: string; numberOfUses: number };
+      }
+    | {
+        name: QueueJobs.ServiceTokenStatusUpdate;
+        payload: { serviceTokenId: string };
+      };
+
+  [QueueName.IntegrationSync]:
+    | {
+        name: QueueJobs.IntegrationSync;
+        payload: TIntegrationSyncPayload;
+      }
+    | {
+        name: QueueJobs.SendFailedIntegrationSyncEmails;
+        payload: TFailedIntegrationSyncEmailsPayload;
+      };
  [QueueName.SecretFullRepoScan]: {
    name: QueueJobs.SecretScan;
    payload: TScanFullRepoEventPayload;
@ -153,15 +166,6 @@ export type TQueueJobTypes = {
    name: QueueJobs.ProjectV3Migration;
    payload: { projectId: string };
  };
-  [QueueName.AccessTokenStatusUpdate]:
-    | {
-        name: QueueJobs.IdentityAccessTokenStatusUpdate;
-        payload: { identityAccessTokenId: string; numberOfUses: number };
-      }
-    | {
-        name: QueueJobs.ServiceTokenStatusUpdate;
-        payload: { serviceTokenId: string };
-      };
 };

 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;
--- a/backend/src/server/app.ts
+++ b/backend/src/server/app.ts
@ -20,6 +20,7 @@ import { TQueueServiceFactory } from "@app/queue";
 import { TSmtpService } from "@app/services/smtp/smtp-service";

 import { globalRateLimiterCfg } from "./config/rateLimiter";
+import { addErrorsToResponseSchemas } from "./plugins/add-errors-to-response-schemas";
 import { fastifyErrHandler } from "./plugins/error-handler";
 import { registerExternalNextjs } from "./plugins/external-nextjs";
 import { serializerCompiler, validatorCompiler, ZodTypeProvider } from "./plugins/fastify-zod";
@ -75,6 +76,8 @@ export const main = async ({ db, smtp, logger, queue, keyStore }: TMain) => {
      credentials: true,
      origin: appCfg.SITE_URL || true
    });
+
+    await server.register(addErrorsToResponseSchemas);
    // pull ip based on various proxy headers
    await server.register(fastifyIp);

--- a/backend/src/server/plugins/add-errors-to-response-schemas.ts
+++ b/backend/src/server/plugins/add-errors-to-response-schemas.ts
@ -0,0 +1,15 @@
+/* eslint-disable no-param-reassign */
+import fp from "fastify-plugin";
+
+import { DefaultResponseErrorsSchema } from "../routes/sanitizedSchemas";
+
+export const addErrorsToResponseSchemas = fp(async (server) => {
+  server.addHook("onRoute", (routeOptions) => {
+    if (routeOptions.schema && routeOptions.schema.response) {
+      routeOptions.schema.response = {
+        ...DefaultResponseErrorsSchema,
+        ...routeOptions.schema.response
+      };
+    }
+  });
+});
--- a/backend/src/server/plugins/audit-log.ts
+++ b/backend/src/server/plugins/audit-log.ts
@ -70,7 +70,7 @@ export const injectAuditLogInfo = fp(async (server: FastifyZodProvider) => {
        metadata: {}
      };
    } else {
-      throw new BadRequestError({ message: "Missing logic for other actor" });
+      throw new BadRequestError({ message: "Invalid actor type provided" });
    }
    req.auditLogInfo = payload;
  });
--- a/backend/src/server/plugins/auth/inject-identity.ts
+++ b/backend/src/server/plugins/auth/inject-identity.ts
@ -5,7 +5,7 @@ import jwt, { JwtPayload } from "jsonwebtoken";
 import { TServiceTokens, TUsers } from "@app/db/schemas";
 import { TScimTokenJwtPayload } from "@app/ee/services/scim/scim-types";
 import { getConfig } from "@app/lib/config/env";
-import { UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError } from "@app/lib/errors";
 import { ActorType, AuthMethod, AuthMode, AuthModeJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";
 import { TIdentityAccessTokenJwtPayload } from "@app/services/identity-access-token/identity-access-token-types";

@ -167,7 +167,7 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
        break;
      }
      default:
-        throw new UnauthorizedError({ name: "Unknown token strategy" });
+        throw new BadRequestError({ message: "Invalid token strategy provided" });
    }
  });
 });
--- a/backend/src/server/plugins/auth/superAdmin.ts
+++ b/backend/src/server/plugins/auth/superAdmin.ts
@ -1,6 +1,6 @@
 import { FastifyReply, FastifyRequest, HookHandlerDoneFunction } from "fastify";

-import { UnauthorizedError } from "@app/lib/errors";
+import { ForbiddenRequestError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";

 export const verifySuperAdmin = <T extends FastifyRequest>(
@ -9,9 +9,8 @@ export const verifySuperAdmin = <T extends FastifyRequest>(
  done: HookHandlerDoneFunction
 ) => {
  if (req.auth.actor !== ActorType.USER || !req.auth.user.superAdmin)
-    throw new UnauthorizedError({
-      name: "Unauthorized access",
-      message: "Requires superadmin access"
+    throw new ForbiddenRequestError({
+      message: "Requires elevated super admin privileges"
    });
  done();
 };
--- a/backend/src/server/plugins/auth/verify-auth.ts
+++ b/backend/src/server/plugins/auth/verify-auth.ts
@ -1,6 +1,6 @@
 import { FastifyReply, FastifyRequest, HookHandlerDoneFunction } from "fastify";

-import { UnauthorizedError } from "@app/lib/errors";
+import { ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { AuthMode } from "@app/services/auth/auth-type";

 interface TAuthOptions {
@ -11,11 +11,11 @@ export const verifyAuth =
  <T extends FastifyRequest>(authStrategies: AuthMode[], options: TAuthOptions = { requireOrg: true }) =>
  (req: T, _res: FastifyReply, done: HookHandlerDoneFunction) => {
    if (!Array.isArray(authStrategies)) throw new Error("Auth strategy must be array");
-    if (!req.auth) throw new UnauthorizedError({ name: "Unauthorized access", message: "Token missing" });
+    if (!req.auth) throw new UnauthorizedError({ message: "Token missing" });

    const isAccessAllowed = authStrategies.some((strategy) => strategy === req.auth.authMode);
    if (!isAccessAllowed) {
-      throw new UnauthorizedError({ name: `${req.url} Unauthorized Access` });
+      throw new ForbiddenRequestError({ name: `Forbidden access to ${req.url}` });
    }

    // New optional option. There are some routes which do not require an organization ID to be present on the request.
--- a/backend/src/server/plugins/error-handler.ts
+++ b/backend/src/server/plugins/error-handler.ts
@ -1,41 +1,95 @@
 import { ForbiddenError } from "@casl/ability";
 import fastifyPlugin from "fastify-plugin";
+import jwt from "jsonwebtoken";
 import { ZodError } from "zod";

 import {
  BadRequestError,
  DatabaseError,
+  ForbiddenRequestError,
  InternalServerError,
  NotFoundError,
  ScimRequestError,
  UnauthorizedError
 } from "@app/lib/errors";

+enum JWTErrors {
+  JwtExpired = "jwt expired",
+  JwtMalformed = "jwt malformed",
+  InvalidAlgorithm = "invalid algorithm"
+}
+
+enum HttpStatusCodes {
+  BadRequest = 400,
+  NotFound = 404,
+  Unauthorized = 401,
+  Forbidden = 403,
+  // eslint-disable-next-line @typescript-eslint/no-shadow
+  InternalServerError = 500
+}
+
 export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider) => {
  server.setErrorHandler((error, req, res) => {
    req.log.error(error);
    if (error instanceof BadRequestError) {
-      void res.status(400).send({ statusCode: 400, message: error.message, error: error.name });
+      void res
+        .status(HttpStatusCodes.BadRequest)
+        .send({ statusCode: HttpStatusCodes.BadRequest, message: error.message, error: error.name });
    } else if (error instanceof NotFoundError) {
-      void res.status(404).send({ statusCode: 404, message: error.message, error: error.name });
+      void res
+        .status(HttpStatusCodes.NotFound)
+        .send({ statusCode: HttpStatusCodes.NotFound, message: error.message, error: error.name });
    } else if (error instanceof UnauthorizedError) {
-      void res.status(403).send({ statusCode: 403, message: error.message, error: error.name });
+      void res
+        .status(HttpStatusCodes.Unauthorized)
+        .send({ statusCode: HttpStatusCodes.Unauthorized, message: error.message, error: error.name });
    } else if (error instanceof DatabaseError || error instanceof InternalServerError) {
-      void res.status(500).send({ statusCode: 500, message: "Something went wrong", error: error.name });
+      void res
+        .status(HttpStatusCodes.InternalServerError)
+        .send({ statusCode: HttpStatusCodes.InternalServerError, message: "Something went wrong", error: error.name });
    } else if (error instanceof ZodError) {
-      void res.status(403).send({ statusCode: 403, error: "ValidationFailure", message: error.issues });
+      void res
+        .status(HttpStatusCodes.Unauthorized)
+        .send({ statusCode: HttpStatusCodes.Unauthorized, error: "ValidationFailure", message: error.issues });
    } else if (error instanceof ForbiddenError) {
-      void res.status(401).send({
-        statusCode: 401,
+      void res.status(HttpStatusCodes.Forbidden).send({
+        statusCode: HttpStatusCodes.Forbidden,
        error: "PermissionDenied",
        message: `You are not allowed to ${error.action} on ${error.subjectType}`
      });
+    } else if (error instanceof ForbiddenRequestError) {
+      void res.status(HttpStatusCodes.Forbidden).send({
+        statusCode: HttpStatusCodes.Forbidden,
+        message: error.message,
+        error: error.name
+      });
    } else if (error instanceof ScimRequestError) {
      void res.status(error.status).send({
        schemas: error.schemas,
        status: error.status,
        detail: error.detail
      });
+      // Handle JWT errors and make them more human-readable for the end-user.
+    } else if (error instanceof jwt.JsonWebTokenError) {
+      const message = (() => {
+        if (error.message === JWTErrors.JwtExpired) {
+          return "Your token has expired. Please re-authenticate.";
+        }
+        if (error.message === JWTErrors.JwtMalformed) {
+          return "The provided access token is malformed. Please use a valid token or generate a new one and try again.";
+        }
+        if (error.message === JWTErrors.InvalidAlgorithm) {
+          return "The access token is signed with an invalid algorithm. Please provide a valid token and try again.";
+        }
+
+        return error.message;
+      })();
+
+      void res.status(HttpStatusCodes.Forbidden).send({
+        statusCode: HttpStatusCodes.Forbidden,
+        error: "TokenError",
+        message
+      });
    } else {
      void res.send(error);
    }
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@ -380,7 +380,8 @@ export const registerRoutes = async (
    secretApprovalPolicyApproverDAL: sapApproverDAL,
    permissionService,
    secretApprovalPolicyDAL,
-    licenseService
+    licenseService,
+    userDAL
  });
  const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL, orgMembershipDAL });

@ -923,10 +924,12 @@ export const registerRoutes = async (
  const accessApprovalPolicyService = accessApprovalPolicyServiceFactory({
    accessApprovalPolicyDAL,
    accessApprovalPolicyApproverDAL,
+    groupDAL,
    permissionService,
    projectEnvDAL,
    projectMembershipDAL,
-    projectDAL
+    projectDAL,
+    userDAL
  });

  const accessApprovalRequestService = accessApprovalRequestServiceFactory({
@ -942,7 +945,8 @@ export const registerRoutes = async (
    smtpService,
    accessApprovalPolicyApproverDAL,
    projectSlackConfigDAL,
-    kmsService
+    kmsService,
+    groupDAL
  });

  const secretReplicationService = secretReplicationServiceFactory({
--- a/backend/src/server/routes/sanitizedSchemas.ts
+++ b/backend/src/server/routes/sanitizedSchemas.ts
@ -27,6 +27,34 @@ export const integrationAuthPubSchema = IntegrationAuthsSchema.pick({
  updatedAt: true
 });

+export const DefaultResponseErrorsSchema = {
+  400: z.object({
+    statusCode: z.literal(400),
+    message: z.string(),
+    error: z.string()
+  }),
+  404: z.object({
+    statusCode: z.literal(404),
+    message: z.string(),
+    error: z.string()
+  }),
+  401: z.object({
+    statusCode: z.literal(401),
+    message: z.any(),
+    error: z.string()
+  }),
+  403: z.object({
+    statusCode: z.literal(403),
+    message: z.string(),
+    error: z.string()
+  }),
+  500: z.object({
+    statusCode: z.literal(500),
+    message: z.string(),
+    error: z.string()
+  })
+};
+
 export const sapPubSchema = SecretApprovalPoliciesSchema.merge(
  z.object({
    environment: z.object({
--- a/backend/src/server/routes/v1/admin-router.ts
+++ b/backend/src/server/routes/v1/admin-router.ts
@ -2,7 +2,7 @@ import { z } from "zod";

 import { OrganizationsSchema, SuperAdminSchema, UsersSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
-import { UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError } from "@app/lib/errors";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@ -227,8 +227,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
    handler: async (req, res) => {
      const appCfg = getConfig();
      const serverCfg = await getServerCfg();
-      if (serverCfg.initialized)
-        throw new UnauthorizedError({ name: "Admin sign up", message: "Admin has been created" });
+      if (serverCfg.initialized) throw new BadRequestError({ message: "Admin account has already been set up" });
      const { user, token, organization } = await server.services.superAdmin.adminSignUp({
        ...req.body,
        ip: req.realIp,
--- a/backend/src/server/routes/v1/auth-router.ts
+++ b/backend/src/server/routes/v1/auth-router.ts
@ -2,7 +2,7 @@ import jwt from "jsonwebtoken";
 import { z } from "zod";

 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { authRateLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode, AuthModeRefreshJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";
@ -71,23 +71,34 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
      const refreshToken = req.cookies.jid;
      const appCfg = getConfig();
      if (!refreshToken)
-        throw new BadRequestError({
-          name: "Auth token route",
-          message: "Failed  to find refresh token"
+        throw new NotFoundError({
+          name: "AuthTokenNotFound",
+          message: "Failed to find refresh token"
        });

      const decodedToken = jwt.verify(refreshToken, appCfg.AUTH_SECRET) as AuthModeRefreshJwtTokenPayload;
      if (decodedToken.authTokenType !== AuthTokenType.REFRESH_TOKEN)
-        throw new UnauthorizedError({ message: "Invalid token", name: "Auth token route" });
+        throw new UnauthorizedError({
+          message: "The token provided is not a refresh token",
+          name: "InvalidToken"
+        });

      const tokenVersion = await server.services.authToken.getUserTokenSessionById(
        decodedToken.tokenVersionId,
        decodedToken.userId
      );
-      if (!tokenVersion) throw new UnauthorizedError({ message: "Invalid token", name: "Auth token route" });
+      if (!tokenVersion)
+        throw new UnauthorizedError({
+          message: "Valid token version not found",
+          name: "InvalidToken"
+        });

-      if (decodedToken.refreshVersion !== tokenVersion.refreshVersion)
-        throw new UnauthorizedError({ message: "Invalid token", name: "Auth token route" });
+      if (decodedToken.refreshVersion !== tokenVersion.refreshVersion) {
+        throw new UnauthorizedError({
+          message: "Token version mismatch",
+          name: "InvalidToken"
+        });
+      }

      const token = jwt.sign(
        {
--- a/backend/src/server/routes/v1/identity-azure-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-azure-auth-router.ts
@ -9,6 +9,8 @@ import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { validateAzureAuthField } from "@app/services/identity-azure-auth/identity-azure-auth-validators";

+import {} from "../sanitizedSchemas";
+
 export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
--- a/backend/src/server/routes/v1/integration-router.ts
+++ b/backend/src/server/routes/v1/integration-router.ts
@ -11,6 +11,8 @@ import { AuthMode } from "@app/services/auth/auth-type";
 import { IntegrationMetadataSchema } from "@app/services/integration/integration-schema";
 import { PostHogEventTypes, TIntegrationCreatedEvent } from "@app/services/telemetry/telemetry-types";

+import {} from "../sanitizedSchemas";
+
 export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
--- a/backend/src/server/routes/v1/organization-router.ts
+++ b/backend/src/server/routes/v1/organization-router.ts
@ -11,6 +11,8 @@ import {
 } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import { AUDIT_LOGS, ORGANIZATIONS } from "@app/lib/api-docs";
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError } from "@app/lib/errors";
 import { getLastMidnightDateISO } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@ -74,7 +76,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
    schema: {
      description: "Get all audit logs for an organization",
      querystring: z.object({
-        projectId: z.string().optional(),
+        projectId: z.string().optional().describe(AUDIT_LOGS.EXPORT.projectId),
        actorType: z.nativeEnum(ActorType).optional(),
        // eventType is split with , for multiple values, we need to transform it to array
        eventType: z
@ -102,7 +104,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
              },
              {} as Record<string, string>
            );
-          }),
+          })
+          .describe(AUDIT_LOGS.EXPORT.eventMetadata),
        startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
        endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
        offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
@ -120,10 +123,12 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
          })
            .merge(
              z.object({
-                project: z.object({
-                  name: z.string(),
-                  slug: z.string()
-                }),
+                project: z
+                  .object({
+                    name: z.string(),
+                    slug: z.string()
+                  })
+                  .optional(),
                event: z.object({
                  type: z.string(),
                  metadata: z.any()
@ -140,6 +145,11 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
+      const appCfg = getConfig();
+      if (appCfg.isCloud) {
+        throw new BadRequestError({ message: "Infisical cloud audit log is in maintenance mode." });
+      }
+
      const auditLogs = await server.services.auditLog.listAuditLogs({
        filter: {
          ...req.query,
--- a/backend/src/server/routes/v1/secret-folder-router.ts
+++ b/backend/src/server/routes/v1/secret-folder-router.ts
@ -3,7 +3,7 @@ import { z } from "zod";
 import { SecretFoldersSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { FOLDERS } from "@app/lib/api-docs";
-import { removeTrailingSlash } from "@app/lib/fn";
+import { prefixWithSlash, removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, secretsLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -26,9 +26,21 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
        workspaceId: z.string().trim().describe(FOLDERS.CREATE.workspaceId),
        environment: z.string().trim().describe(FOLDERS.CREATE.environment),
        name: z.string().trim().describe(FOLDERS.CREATE.name),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.CREATE.path),
+        path: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.CREATE.path),
        // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.CREATE.directory)
+        directory: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.CREATE.directory)
      }),
      response: {
        200: z.object({
@ -86,9 +98,21 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
        workspaceId: z.string().trim().describe(FOLDERS.UPDATE.workspaceId),
        environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
        name: z.string().trim().describe(FOLDERS.UPDATE.name),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.path),
+        path: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.UPDATE.path),
        // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.directory)
+        directory: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.UPDATE.directory)
      }),
      response: {
        200: z.object({
@ -147,7 +171,13 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
            id: z.string().describe(FOLDERS.UPDATE.folderId),
            environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
            name: z.string().trim().describe(FOLDERS.UPDATE.name),
-            path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.path)
+            path: z
+              .string()
+              .trim()
+              .default("/")
+              .transform(prefixWithSlash)
+              .transform(removeTrailingSlash)
+              .describe(FOLDERS.UPDATE.path)
          })
          .array()
          .min(1)
@ -211,9 +241,21 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      body: z.object({
        workspaceId: z.string().trim().describe(FOLDERS.DELETE.workspaceId),
        environment: z.string().trim().describe(FOLDERS.DELETE.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.DELETE.path),
+        path: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.DELETE.path),
        // keep this here as cli need directory
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.DELETE.directory)
+        directory: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.DELETE.directory)
      }),
      response: {
        200: z.object({
@ -267,9 +309,21 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      querystring: z.object({
        workspaceId: z.string().trim().describe(FOLDERS.LIST.workspaceId),
        environment: z.string().trim().describe(FOLDERS.LIST.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.LIST.path),
+        path: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.LIST.path),
        // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.LIST.directory)
+        directory: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.LIST.directory)
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/sso-router.ts
+++ b/backend/src/server/routes/v1/sso-router.ts
@ -14,7 +14,7 @@ import { Strategy as GoogleStrategy } from "passport-google-oauth20";
 import { z } from "zod";

 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { fetchGithubEmails } from "@app/lib/requests/github";
 import { AuthMethod } from "@app/services/auth/auth-type";
@ -42,9 +42,9 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
          try {
            const email = profile?.emails?.[0]?.value;
            if (!email)
-              throw new BadRequestError({
+              throw new NotFoundError({
                message: "Email not found",
-                name: "Oauth Google Register"
+                name: "OauthGoogleRegister"
              });

            const { isUserCompleted, providerAuthToken } = await server.services.login.oauth2Login({
--- a/backend/src/server/routes/v2/group-project-router.ts
+++ b/backend/src/server/routes/v2/group-project-router.ts
@ -8,6 +8,7 @@ import {
  ProjectUserMembershipRolesSchema
 } from "@app/db/schemas";
 import { PROJECTS } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";
@ -15,8 +16,11 @@ import { ProjectUserMembershipTemporaryMode } from "@app/services/project-member
 export const registerGroupProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
-    url: "/:projectSlug/groups/:groupSlug",
+    url: "/:projectId/groups/:groupId",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Add group to project",
      security: [
@ -25,17 +29,39 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
        }
      ],
      params: z.object({
-        projectSlug: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.projectSlug),
-        groupSlug: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.groupSlug)
-      }),
-      body: z.object({
-        role: z
-          .string()
-          .trim()
-          .min(1)
-          .default(ProjectMembershipRole.NoAccess)
-          .describe(PROJECTS.ADD_GROUP_TO_PROJECT.role)
+        projectId: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.projectId),
+        groupId: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.groupId)
      }),
+      body: z
+        .object({
+          role: z
+            .string()
+            .trim()
+            .min(1)
+            .default(ProjectMembershipRole.NoAccess)
+            .describe(PROJECTS.ADD_GROUP_TO_PROJECT.role),
+          roles: z
+            .array(
+              z.union([
+                z.object({
+                  role: z.string(),
+                  isTemporary: z.literal(false).default(false)
+                }),
+                z.object({
+                  role: z.string(),
+                  isTemporary: z.literal(true),
+                  temporaryMode: z.nativeEnum(ProjectUserMembershipTemporaryMode),
+                  temporaryRange: z.string().refine((val) => ms(val) > 0, "Temporary range must be a positive number"),
+                  temporaryAccessStartTime: z.string().datetime()
+                })
+              ])
+            )
+            .optional()
+        })
+        .refine((data) => data.role || data.roles, {
+          message: "Either role or roles must be present",
+          path: ["role", "roles"]
+        }),
      response: {
        200: z.object({
          groupMembership: GroupProjectMembershipsSchema
@ -48,17 +74,18 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        groupSlug: req.params.groupSlug,
-        projectSlug: req.params.projectSlug,
-        role: req.body.role
+        roles: req.body.roles || [{ role: req.body.role }],
+        projectId: req.params.projectId,
+        groupId: req.params.groupId
      });
+
      return { groupMembership };
    }
  });

  server.route({
    method: "PATCH",
-    url: "/:projectSlug/groups/:groupSlug",
+    url: "/:projectId/groups/:groupId",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Update group in project",
@ -68,8 +95,8 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
        }
      ],
      params: z.object({
-        projectSlug: z.string().trim().describe(PROJECTS.UPDATE_GROUP_IN_PROJECT.projectSlug),
-        groupSlug: z.string().trim().describe(PROJECTS.UPDATE_GROUP_IN_PROJECT.groupSlug)
+        projectId: z.string().trim().describe(PROJECTS.UPDATE_GROUP_IN_PROJECT.projectId),
+        groupId: z.string().trim().describe(PROJECTS.UPDATE_GROUP_IN_PROJECT.groupId)
      }),
      body: z.object({
        roles: z
@ -103,18 +130,22 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        groupSlug: req.params.groupSlug,
-        projectSlug: req.params.projectSlug,
+        projectId: req.params.projectId,
+        groupId: req.params.groupId,
        roles: req.body.roles
      });
+
      return { roles };
    }
  });

  server.route({
    method: "DELETE",
-    url: "/:projectSlug/groups/:groupSlug",
+    url: "/:projectId/groups/:groupId",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Remove group from project",
      security: [
@ -123,8 +154,8 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
        }
      ],
      params: z.object({
-        projectSlug: z.string().trim().describe(PROJECTS.REMOVE_GROUP_FROM_PROJECT.projectSlug),
-        groupSlug: z.string().trim().describe(PROJECTS.REMOVE_GROUP_FROM_PROJECT.groupSlug)
+        projectId: z.string().trim().describe(PROJECTS.REMOVE_GROUP_FROM_PROJECT.projectId),
+        groupId: z.string().trim().describe(PROJECTS.REMOVE_GROUP_FROM_PROJECT.groupId)
      }),
      response: {
        200: z.object({
@ -138,17 +169,21 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        groupSlug: req.params.groupSlug,
-        projectSlug: req.params.projectSlug
+        groupId: req.params.groupId,
+        projectId: req.params.projectId
      });
+
      return { groupMembership };
    }
  });

  server.route({
    method: "GET",
-    url: "/:projectSlug/groups",
+    url: "/:projectId/groups",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "Return list of groups in project",
      security: [
@ -157,7 +192,7 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
        }
      ],
      params: z.object({
-        projectSlug: z.string().trim().describe(PROJECTS.LIST_GROUPS_IN_PROJECT.projectSlug)
+        projectId: z.string().trim().describe(PROJECTS.LIST_GROUPS_IN_PROJECT.projectId)
      }),
      response: {
        200: z.object({
@ -193,9 +228,67 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        projectSlug: req.params.projectSlug
+        projectId: req.params.projectId
      });
+
      return { groupMemberships };
    }
  });
+
+  server.route({
+    method: "GET",
+    url: "/:projectId/groups/:groupId",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Return project group",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        projectId: z.string().trim(),
+        groupId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          groupMembership: z.object({
+            id: z.string(),
+            groupId: z.string(),
+            createdAt: z.date(),
+            updatedAt: z.date(),
+            roles: z.array(
+              z.object({
+                id: z.string(),
+                role: z.string(),
+                customRoleId: z.string().optional().nullable(),
+                customRoleName: z.string().optional().nullable(),
+                customRoleSlug: z.string().optional().nullable(),
+                isTemporary: z.boolean(),
+                temporaryMode: z.string().optional().nullable(),
+                temporaryRange: z.string().nullable().optional(),
+                temporaryAccessStartTime: z.date().nullable().optional(),
+                temporaryAccessEndTime: z.date().nullable().optional()
+              })
+            ),
+            group: GroupsSchema.pick({ name: true, id: true, slug: true })
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const groupMembership = await server.services.groupProject.getGroupInProject({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.params
+      });
+
+      return { groupMembership };
+    }
+  });
 };
--- a/backend/src/server/routes/v2/organization-router.ts
+++ b/backend/src/server/routes/v2/organization-router.ts
@ -69,7 +69,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
-      description: "Return projects in organization that user is part of",
+      description: "Return projects in organization that user is apart of",
      security: [
        {
          bearerAuth: []
--- a/backend/src/server/routes/v3/dashboard-router.ts
+++ b/backend/src/server/routes/v3/dashboard-router.ts
@ -0,0 +1,647 @@
+import { ForbiddenError, subject } from "@casl/ability";
+import { z } from "zod";
+
+import { SecretFoldersSchema, SecretImportsSchema, SecretTagsSchema } from "@app/db/schemas";
+import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { DASHBOARD } from "@app/lib/api-docs";
+import { BadRequestError } from "@app/lib/errors";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { OrderByDirection } from "@app/lib/types";
+import { secretsLimit } from "@app/server/config/rateLimiter";
+import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
+import { getUserAgentType } from "@app/server/plugins/audit-log";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { SanitizedDynamicSecretSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { SecretsOrderBy } from "@app/services/secret/secret-types";
+import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
+
+export const registerDashboardRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/secrets-overview",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      description: "List project secrets overview",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      querystring: z.object({
+        projectId: z.string().trim().describe(DASHBOARD.SECRET_OVERVIEW_LIST.projectId),
+        environments: z
+          .string()
+          .trim()
+          .transform(decodeURIComponent)
+          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.environments),
+        secretPath: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.secretPath),
+        offset: z.coerce.number().min(0).optional().default(0).describe(DASHBOARD.SECRET_OVERVIEW_LIST.offset),
+        limit: z.coerce.number().min(1).max(100).optional().default(100).describe(DASHBOARD.SECRET_OVERVIEW_LIST.limit),
+        orderBy: z
+          .nativeEnum(SecretsOrderBy)
+          .default(SecretsOrderBy.Name)
+          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.orderBy)
+          .optional(),
+        orderDirection: z
+          .nativeEnum(OrderByDirection)
+          .default(OrderByDirection.ASC)
+          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.orderDirection)
+          .optional(),
+        search: z.string().trim().describe(DASHBOARD.SECRET_OVERVIEW_LIST.search).optional(),
+        includeSecrets: z.coerce
+          .boolean()
+          .optional()
+          .default(true)
+          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.includeSecrets),
+        includeFolders: z.coerce
+          .boolean()
+          .optional()
+          .default(true)
+          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.includeFolders),
+        includeDynamicSecrets: z.coerce
+          .boolean()
+          .optional()
+          .default(true)
+          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.includeDynamicSecrets)
+      }),
+      response: {
+        200: z.object({
+          folders: SecretFoldersSchema.extend({ environment: z.string() }).array().optional(),
+          dynamicSecrets: SanitizedDynamicSecretSchema.extend({ environment: z.string() }).array().optional(),
+          secrets: secretRawSchema
+            .extend({
+              secretPath: z.string().optional(),
+              tags: SecretTagsSchema.pick({
+                id: true,
+                slug: true,
+                color: true
+              })
+                .extend({ name: z.string() })
+                .array()
+                .optional()
+            })
+            .array()
+            .optional(),
+          totalFolderCount: z.number().optional(),
+          totalDynamicSecretCount: z.number().optional(),
+          totalSecretCount: z.number().optional(),
+          totalCount: z.number()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const {
+        secretPath,
+        projectId,
+        limit,
+        offset,
+        search,
+        orderBy,
+        orderDirection,
+        includeFolders,
+        includeSecrets,
+        includeDynamicSecrets
+      } = req.query;
+
+      const environments = req.query.environments.split(",");
+
+      if (!projectId || environments.length === 0)
+        throw new BadRequestError({ message: "Missing workspace id or environment(s)" });
+
+      const { shouldUseSecretV2Bridge } = await server.services.projectBot.getBotKey(projectId);
+
+      // prevent older projects from accessing endpoint
+      if (!shouldUseSecretV2Bridge) throw new BadRequestError({ message: "Project version not supported" });
+
+      let remainingLimit = limit;
+      let adjustedOffset = offset;
+
+      let folders: Awaited<ReturnType<typeof server.services.folder.getFoldersMultiEnv>> | undefined;
+      let secrets: Awaited<ReturnType<typeof server.services.secret.getSecretsRawMultiEnv>> | undefined;
+      let dynamicSecrets:
+        | Awaited<ReturnType<typeof server.services.dynamicSecret.listDynamicSecretsByFolderIds>>
+        | undefined;
+
+      let totalFolderCount: number | undefined;
+      let totalDynamicSecretCount: number | undefined;
+      let totalSecretCount: number | undefined;
+
+      if (includeFolders) {
+        // this is the unique count, ie duplicate folders across envs only count as 1
+        totalFolderCount = await server.services.folder.getProjectFolderCount({
+          actorId: req.permission.id,
+          actor: req.permission.type,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          projectId: req.query.projectId,
+          path: secretPath,
+          environments,
+          search
+        });
+
+        if (remainingLimit > 0 && totalFolderCount > adjustedOffset) {
+          folders = await server.services.folder.getFoldersMultiEnv({
+            actorId: req.permission.id,
+            actor: req.permission.type,
+            actorAuthMethod: req.permission.authMethod,
+            actorOrgId: req.permission.orgId,
+            projectId,
+            environments,
+            path: secretPath,
+            orderBy,
+            orderDirection,
+            search,
+            limit: remainingLimit,
+            offset: adjustedOffset
+          });
+
+          // get the count of unique folder names to properly adjust remaining limit
+          const uniqueFolderCount = new Set(folders.map((folder) => folder.name)).size;
+
+          remainingLimit -= uniqueFolderCount;
+          adjustedOffset = 0;
+        } else {
+          adjustedOffset = Math.max(0, adjustedOffset - totalFolderCount);
+        }
+      }
+
+      if (!includeDynamicSecrets && !includeSecrets)
+        return {
+          folders,
+          totalFolderCount,
+          totalCount: totalFolderCount ?? 0
+        };
+
+      const { permission } = await server.services.permission.getProjectPermission(
+        req.permission.type,
+        req.permission.id,
+        projectId,
+        req.permission.authMethod,
+        req.permission.orgId
+      );
+
+      const permissiveEnvs = // filter envs user has access to
+        environments.filter((environment) =>
+          permission.can(
+            ProjectPermissionActions.Read,
+            subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+          )
+        );
+
+      if (includeDynamicSecrets) {
+        // this is the unique count, ie duplicate secrets across envs only count as 1
+        totalDynamicSecretCount = await server.services.dynamicSecret.getCountMultiEnv({
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          projectId,
+          search,
+          environmentSlugs: permissiveEnvs,
+          path: secretPath,
+          isInternal: true
+        });
+
+        if (remainingLimit > 0 && totalDynamicSecretCount > adjustedOffset) {
+          dynamicSecrets = await server.services.dynamicSecret.listDynamicSecretsByFolderIds({
+            actor: req.permission.type,
+            actorId: req.permission.id,
+            actorAuthMethod: req.permission.authMethod,
+            actorOrgId: req.permission.orgId,
+            projectId,
+            search,
+            orderBy,
+            orderDirection,
+            environmentSlugs: permissiveEnvs,
+            path: secretPath,
+            limit: remainingLimit,
+            offset: adjustedOffset,
+            isInternal: true
+          });
+
+          // get the count of unique dynamic secret names to properly adjust remaining limit
+          const uniqueDynamicSecretsCount = new Set(dynamicSecrets.map((dynamicSecret) => dynamicSecret.name)).size;
+
+          remainingLimit -= uniqueDynamicSecretsCount;
+          adjustedOffset = 0;
+        } else {
+          adjustedOffset = Math.max(0, adjustedOffset - totalDynamicSecretCount);
+        }
+      }
+
+      if (includeSecrets) {
+        // this is the unique count, ie duplicate secrets across envs only count as 1
+        totalSecretCount = await server.services.secret.getSecretsCountMultiEnv({
+          actorId: req.permission.id,
+          actor: req.permission.type,
+          actorOrgId: req.permission.orgId,
+          environments: permissiveEnvs,
+          actorAuthMethod: req.permission.authMethod,
+          projectId,
+          path: secretPath,
+          search,
+          isInternal: true
+        });
+
+        if (remainingLimit > 0 && totalSecretCount > adjustedOffset) {
+          secrets = await server.services.secret.getSecretsRawMultiEnv({
+            actorId: req.permission.id,
+            actor: req.permission.type,
+            actorOrgId: req.permission.orgId,
+            environments: permissiveEnvs,
+            actorAuthMethod: req.permission.authMethod,
+            projectId,
+            path: secretPath,
+            orderBy,
+            orderDirection,
+            search,
+            limit: remainingLimit,
+            offset: adjustedOffset,
+            isInternal: true
+          });
+
+          for await (const environment of permissiveEnvs) {
+            const secretCountFromEnv = secrets.filter((secret) => secret.environment === environment).length;
+
+            if (secretCountFromEnv) {
+              await server.services.auditLog.createAuditLog({
+                projectId,
+                ...req.auditLogInfo,
+                event: {
+                  type: EventType.GET_SECRETS,
+                  metadata: {
+                    environment,
+                    secretPath,
+                    numberOfSecrets: secretCountFromEnv
+                  }
+                }
+              });
+
+              if (getUserAgentType(req.headers["user-agent"]) !== UserAgentType.K8_OPERATOR) {
+                await server.services.telemetry.sendPostHogEvents({
+                  event: PostHogEventTypes.SecretPulled,
+                  distinctId: getTelemetryDistinctId(req),
+                  properties: {
+                    numberOfSecrets: secretCountFromEnv,
+                    workspaceId: projectId,
+                    environment,
+                    secretPath,
+                    channel: getUserAgentType(req.headers["user-agent"]),
+                    ...req.auditLogInfo
+                  }
+                });
+              }
+            }
+          }
+        }
+      }
+
+      return {
+        folders,
+        dynamicSecrets,
+        secrets,
+        totalFolderCount,
+        totalDynamicSecretCount,
+        totalSecretCount,
+        totalCount: (totalFolderCount ?? 0) + (totalDynamicSecretCount ?? 0) + (totalSecretCount ?? 0)
+      };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/secrets-details",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      description: "List project secrets details",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      querystring: z.object({
+        projectId: z.string().trim().describe(DASHBOARD.SECRET_DETAILS_LIST.projectId),
+        environment: z.string().trim().describe(DASHBOARD.SECRET_DETAILS_LIST.environment),
+        secretPath: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(DASHBOARD.SECRET_DETAILS_LIST.secretPath),
+        offset: z.coerce.number().min(0).optional().default(0).describe(DASHBOARD.SECRET_DETAILS_LIST.offset),
+        limit: z.coerce.number().min(1).max(100).optional().default(100).describe(DASHBOARD.SECRET_DETAILS_LIST.limit),
+        orderBy: z
+          .nativeEnum(SecretsOrderBy)
+          .default(SecretsOrderBy.Name)
+          .describe(DASHBOARD.SECRET_DETAILS_LIST.orderBy)
+          .optional(),
+        orderDirection: z
+          .nativeEnum(OrderByDirection)
+          .default(OrderByDirection.ASC)
+          .describe(DASHBOARD.SECRET_DETAILS_LIST.orderDirection)
+          .optional(),
+        search: z.string().trim().describe(DASHBOARD.SECRET_DETAILS_LIST.search).optional(),
+        tags: z.string().trim().transform(decodeURIComponent).describe(DASHBOARD.SECRET_DETAILS_LIST.tags).optional(),
+        includeSecrets: z.coerce
+          .boolean()
+          .optional()
+          .default(true)
+          .describe(DASHBOARD.SECRET_DETAILS_LIST.includeSecrets),
+        includeFolders: z.coerce
+          .boolean()
+          .optional()
+          .default(true)
+          .describe(DASHBOARD.SECRET_DETAILS_LIST.includeFolders),
+        includeDynamicSecrets: z.coerce
+          .boolean()
+          .optional()
+          .default(true)
+          .describe(DASHBOARD.SECRET_DETAILS_LIST.includeDynamicSecrets),
+        includeImports: z.coerce
+          .boolean()
+          .optional()
+          .default(true)
+          .describe(DASHBOARD.SECRET_DETAILS_LIST.includeImports)
+      }),
+      response: {
+        200: z.object({
+          imports: SecretImportsSchema.omit({ importEnv: true })
+            .extend({
+              importEnv: z.object({ name: z.string(), slug: z.string(), id: z.string() })
+            })
+            .array()
+            .optional(),
+          folders: SecretFoldersSchema.array().optional(),
+          dynamicSecrets: SanitizedDynamicSecretSchema.array().optional(),
+          secrets: secretRawSchema
+            .extend({
+              secretPath: z.string().optional(),
+              tags: SecretTagsSchema.pick({
+                id: true,
+                slug: true,
+                color: true
+              })
+                .extend({ name: z.string() })
+                .array()
+                .optional()
+            })
+            .array()
+            .optional(),
+          totalImportCount: z.number().optional(),
+          totalFolderCount: z.number().optional(),
+          totalDynamicSecretCount: z.number().optional(),
+          totalSecretCount: z.number().optional(),
+          totalCount: z.number()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const {
+        secretPath,
+        environment,
+        projectId,
+        limit,
+        offset,
+        search,
+        orderBy,
+        orderDirection,
+        includeFolders,
+        includeSecrets,
+        includeDynamicSecrets,
+        includeImports
+      } = req.query;
+
+      if (!projectId || !environment) throw new BadRequestError({ message: "Missing workspace id or environment" });
+
+      const { shouldUseSecretV2Bridge } = await server.services.projectBot.getBotKey(projectId);
+
+      // prevent older projects from accessing endpoint
+      if (!shouldUseSecretV2Bridge) throw new BadRequestError({ message: "Project version not supported" });
+
+      const tags = req.query.tags?.split(",") ?? [];
+
+      let remainingLimit = limit;
+      let adjustedOffset = offset;
+
+      let imports: Awaited<ReturnType<typeof server.services.secretImport.getImports>> | undefined;
+      let folders: Awaited<ReturnType<typeof server.services.folder.getFolders>> | undefined;
+      let secrets: Awaited<ReturnType<typeof server.services.secret.getSecretsRaw>>["secrets"] | undefined;
+      let dynamicSecrets: Awaited<ReturnType<typeof server.services.dynamicSecret.listDynamicSecretsByEnv>> | undefined;
+
+      let totalImportCount: number | undefined;
+      let totalFolderCount: number | undefined;
+      let totalDynamicSecretCount: number | undefined;
+      let totalSecretCount: number | undefined;
+
+      if (includeImports) {
+        totalImportCount = await server.services.secretImport.getProjectImportCount({
+          actorId: req.permission.id,
+          actor: req.permission.type,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          projectId,
+          environment,
+          path: secretPath,
+          search
+        });
+
+        if (remainingLimit > 0 && totalImportCount > adjustedOffset) {
+          imports = await server.services.secretImport.getImports({
+            actorId: req.permission.id,
+            actor: req.permission.type,
+            actorAuthMethod: req.permission.authMethod,
+            actorOrgId: req.permission.orgId,
+            projectId,
+            environment,
+            path: secretPath,
+            search,
+            limit: remainingLimit,
+            offset: adjustedOffset
+          });
+
+          await server.services.auditLog.createAuditLog({
+            ...req.auditLogInfo,
+            projectId: req.query.projectId,
+            event: {
+              type: EventType.GET_SECRET_IMPORTS,
+              metadata: {
+                environment,
+                folderId: imports?.[0]?.folderId,
+                numberOfImports: imports.length
+              }
+            }
+          });
+
+          remainingLimit -= imports.length;
+          adjustedOffset = 0;
+        } else {
+          adjustedOffset = Math.max(0, adjustedOffset - totalImportCount);
+        }
+      }
+
+      if (includeFolders) {
+        totalFolderCount = await server.services.folder.getProjectFolderCount({
+          actorId: req.permission.id,
+          actor: req.permission.type,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          projectId,
+          path: secretPath,
+          environments: [environment],
+          search
+        });
+
+        if (remainingLimit > 0 && totalFolderCount > adjustedOffset) {
+          folders = await server.services.folder.getFolders({
+            actorId: req.permission.id,
+            actor: req.permission.type,
+            actorAuthMethod: req.permission.authMethod,
+            actorOrgId: req.permission.orgId,
+            projectId,
+            environment,
+            path: secretPath,
+            orderBy,
+            orderDirection,
+            search,
+            limit: remainingLimit,
+            offset: adjustedOffset
+          });
+
+          remainingLimit -= folders.length;
+          adjustedOffset = 0;
+        } else {
+          adjustedOffset = Math.max(0, adjustedOffset - totalFolderCount);
+        }
+      }
+
+      try {
+        if (includeDynamicSecrets) {
+          totalDynamicSecretCount = await server.services.dynamicSecret.getDynamicSecretCount({
+            actor: req.permission.type,
+            actorId: req.permission.id,
+            actorAuthMethod: req.permission.authMethod,
+            actorOrgId: req.permission.orgId,
+            projectId,
+            search,
+            environmentSlug: environment,
+            path: secretPath
+          });
+
+          if (remainingLimit > 0 && totalDynamicSecretCount > adjustedOffset) {
+            dynamicSecrets = await server.services.dynamicSecret.listDynamicSecretsByEnv({
+              actor: req.permission.type,
+              actorId: req.permission.id,
+              actorAuthMethod: req.permission.authMethod,
+              actorOrgId: req.permission.orgId,
+              projectId,
+              search,
+              orderBy,
+              orderDirection,
+              environmentSlug: environment,
+              path: secretPath,
+              limit: remainingLimit,
+              offset: adjustedOffset
+            });
+
+            remainingLimit -= dynamicSecrets.length;
+            adjustedOffset = 0;
+          } else {
+            adjustedOffset = Math.max(0, adjustedOffset - totalDynamicSecretCount);
+          }
+        }
+
+        if (includeSecrets) {
+          totalSecretCount = await server.services.secret.getSecretsCount({
+            actorId: req.permission.id,
+            actor: req.permission.type,
+            actorOrgId: req.permission.orgId,
+            environment,
+            actorAuthMethod: req.permission.authMethod,
+            projectId,
+            path: secretPath,
+            search,
+            tagSlugs: tags
+          });
+
+          if (remainingLimit > 0 && totalSecretCount > adjustedOffset) {
+            const secretsRaw = await server.services.secret.getSecretsRaw({
+              actorId: req.permission.id,
+              actor: req.permission.type,
+              actorOrgId: req.permission.orgId,
+              environment,
+              actorAuthMethod: req.permission.authMethod,
+              projectId,
+              path: secretPath,
+              orderBy,
+              orderDirection,
+              search,
+              limit: remainingLimit,
+              offset: adjustedOffset,
+              tagSlugs: tags
+            });
+
+            secrets = secretsRaw.secrets;
+
+            await server.services.auditLog.createAuditLog({
+              projectId,
+              ...req.auditLogInfo,
+              event: {
+                type: EventType.GET_SECRETS,
+                metadata: {
+                  environment,
+                  secretPath,
+                  numberOfSecrets: secrets.length
+                }
+              }
+            });
+
+            if (getUserAgentType(req.headers["user-agent"]) !== UserAgentType.K8_OPERATOR) {
+              await server.services.telemetry.sendPostHogEvents({
+                event: PostHogEventTypes.SecretPulled,
+                distinctId: getTelemetryDistinctId(req),
+                properties: {
+                  numberOfSecrets: secrets.length,
+                  workspaceId: projectId,
+                  environment,
+                  secretPath,
+                  channel: getUserAgentType(req.headers["user-agent"]),
+                  ...req.auditLogInfo
+                }
+              });
+            }
+          }
+        }
+      } catch (error) {
+        if (!(error instanceof ForbiddenError)) {
+          throw error;
+        }
+      }
+
+      return {
+        imports,
+        folders,
+        dynamicSecrets,
+        secrets,
+        totalImportCount,
+        totalFolderCount,
+        totalDynamicSecretCount,
+        totalSecretCount,
+        totalCount:
+          (totalImportCount ?? 0) + (totalFolderCount ?? 0) + (totalDynamicSecretCount ?? 0) + (totalSecretCount ?? 0)
+      };
+    }
+  });
+};
--- a/backend/src/server/routes/v3/index.ts
+++ b/backend/src/server/routes/v3/index.ts
@ -1,3 +1,4 @@
+import { registerDashboardRouter } from "./dashboard-router";
 import { registerLoginRouter } from "./login-router";
 import { registerSecretBlindIndexRouter } from "./secret-blind-index-router";
 import { registerSecretRouter } from "./secret-router";
@ -10,4 +11,5 @@ export const registerV3Routes = async (server: FastifyZodProvider) => {
  await server.register(registerUserRouter, { prefix: "/users" });
  await server.register(registerSecretRouter, { prefix: "/secrets" });
  await server.register(registerSecretBlindIndexRouter, { prefix: "/workspaces" });
+  await server.register(registerDashboardRouter, { prefix: "/dashboard" });
 };
--- a/backend/src/server/routes/v3/secret-router.ts
+++ b/backend/src/server/routes/v3/secret-router.ts
@ -10,7 +10,7 @@ import {
 } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import { RAW_SECRETS, SECRETS } from "@app/lib/api-docs";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { secretsLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
@ -240,7 +240,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          actorOrgId: req.permission.orgId
        });

-        if (!workspace) throw new BadRequestError({ message: `No project found with slug ${req.query.workspaceSlug}` });
+        if (!workspace) throw new NotFoundError({ message: `No project found with slug ${req.query.workspaceSlug}` });

        workspaceId = workspace.id;
      }
--- a/backend/src/server/routes/v3/signup-router.ts
+++ b/backend/src/server/routes/v3/signup-router.ts
@ -2,7 +2,7 @@ import { z } from "zod";

 import { UsersSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
+import { ForbiddenRequestError } from "@app/lib/errors";
 import { authRateLimit } from "@app/server/config/rateLimiter";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
@ -29,8 +29,8 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {

      const serverCfg = await getServerCfg();
      if (!serverCfg.allowSignUp) {
-        throw new BadRequestError({
-          message: "Sign up is disabled"
+        throw new ForbiddenRequestError({
+          message: "Signup's are disabled"
        });
      }

@ -38,7 +38,7 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
        const domain = email.split("@")[1];
        const allowedDomains = serverCfg.allowedSignUpDomain.split(",").map((e) => e.trim());
        if (!allowedDomains.includes(domain)) {
-          throw new BadRequestError({
+          throw new ForbiddenRequestError({
            message: `Email with a domain (@${domain}) is not supported`
          });
        }
@ -70,13 +70,13 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const serverCfg = await getServerCfg();
      if (!serverCfg.allowSignUp) {
-        throw new BadRequestError({
-          message: "Sign up is disabled"
+        throw new ForbiddenRequestError({
+          message: "Signup's are disabled"
        });
      }

      const { token, user } = await server.services.signup.verifyEmailSignup(req.body.email, req.body.code);
-      return { message: "Successfuly verified email", token, user };
+      return { message: "Successfully verified email", token, user };
    }
  });

@ -121,8 +121,8 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {

      const serverCfg = await getServerCfg();
      if (!serverCfg.allowSignUp) {
-        throw new BadRequestError({
-          message: "Sign up is disabled"
+        throw new ForbiddenRequestError({
+          message: "Signup's are disabled"
        });
      }

--- a/backend/src/services/api-key/api-key-service.ts
+++ b/backend/src/services/api-key/api-key-service.ts
@ -4,7 +4,7 @@ import bcrypt from "bcrypt";

 import { TApiKeys } from "@app/db/schemas/api-keys";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { NotFoundError, UnauthorizedError } from "@app/lib/errors";

 import { TUserDALFactory } from "../user/user-dal";
 import { TApiKeyDALFactory } from "./api-key-dal";
@ -45,7 +45,7 @@ export const apiKeyServiceFactory = ({ apiKeyDAL, userDAL }: TApiKeyServiceFacto

  const deleteApiKey = async (userId: string, apiKeyId: string) => {
    const [apiKeyData] = await apiKeyDAL.delete({ id: apiKeyId, userId });
-    if (!apiKeyData) throw new BadRequestError({ message: "Failed to find api key", name: "delete api key" });
+    if (!apiKeyData) throw new NotFoundError({ message: "API key not found" });
    return formatApiKey(apiKeyData);
  };

--- a/backend/src/services/auth-token/auth-token-service.ts
+++ b/backend/src/services/auth-token/auth-token-service.ts
@ -4,7 +4,7 @@ import bcrypt from "bcrypt";

 import { TAuthTokens, TAuthTokenSessions } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
-import { ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
+import { ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";

 import { AuthModeJwtTokenPayload } from "../auth/auth-type";
@ -150,11 +150,13 @@ export const tokenServiceFactory = ({ tokenDAL, userDAL, orgMembershipDAL }: TAu
      id: token.tokenVersionId,
      userId: token.userId
    });
-    if (!session) throw new UnauthorizedError({ name: "Session not found" });
-    if (token.accessVersion !== session.accessVersion) throw new UnauthorizedError({ name: "Stale session" });
+    if (!session) throw new NotFoundError({ name: "Session not found" });
+    if (token.accessVersion !== session.accessVersion) {
+      throw new UnauthorizedError({ name: "StaleSession", message: "User session is stale, please re-authenticate" });
+    }

    const user = await userDAL.findById(session.userId);
-    if (!user || !user.isAccepted) throw new UnauthorizedError({ name: "Token user not found" });
+    if (!user || !user.isAccepted) throw new NotFoundError({ message: "User not found" });

    if (token.organizationId) {
      const orgMembership = await orgMembershipDAL.findOne({
@ -162,8 +164,12 @@ export const tokenServiceFactory = ({ tokenDAL, userDAL, orgMembershipDAL }: TAu
        orgId: token.organizationId
      });

-      if (!orgMembership) throw new ForbiddenRequestError({ message: "User not member of organization" });
-      if (!orgMembership.isActive) throw new ForbiddenRequestError({ message: "User not active in organization" });
+      if (!orgMembership) {
+        throw new ForbiddenRequestError({ message: "User not member of organization" });
+      }
+      if (!orgMembership.isActive) {
+        throw new ForbiddenRequestError({ message: "User organization membership is inactive" });
+      }
    }

    return { user, tokenVersionId: token.tokenVersionId, orgId: token.organizationId };
--- a/backend/src/services/auth/auth-fns.ts
+++ b/backend/src/services/auth/auth-fns.ts
@ -1,7 +1,7 @@
 import jwt from "jsonwebtoken";

 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";

 import { AuthModeProviderJwtTokenPayload, AuthModeProviderSignUpTokenPayload, AuthTokenType } from "./auth-type";

@ -25,15 +25,15 @@ export const validateSignUpAuthorization = (token: string, userId: string, valid
  const appCfg = getConfig();
  const [AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE] = <[string, string]>token?.split(" ", 2) ?? [null, null];
  if (AUTH_TOKEN_TYPE === null) {
-    throw new BadRequestError({ message: "Missing Authorization Header in the request header." });
+    throw new UnauthorizedError({ message: "Missing Authorization Header in the request header." });
  }
  if (AUTH_TOKEN_TYPE.toLowerCase() !== "bearer") {
-    throw new BadRequestError({
+    throw new UnauthorizedError({
      message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.`
    });
  }
  if (AUTH_TOKEN_VALUE === null) {
-    throw new BadRequestError({
+    throw new UnauthorizedError({
      message: "Missing Authorization Body in the request header"
    });
  }
@ -47,8 +47,8 @@ export const validateSignUpAuthorization = (token: string, userId: string, valid

 export const enforceUserLockStatus = (isLocked: boolean, temporaryLockDateEnd?: Date | null) => {
  if (isLocked) {
-    throw new UnauthorizedError({
-      name: "User Locked",
+    throw new ForbiddenRequestError({
+      name: "UserLocked",
      message:
        "User is locked due to multiple failed login attempts. An email has been sent to you in order to unlock your account. You can also reset your password to unlock your account."
    });
@ -61,8 +61,8 @@ export const enforceUserLockStatus = (isLocked: boolean, temporaryLockDateEnd?:
      const timeDisplay =
        secondsDiff > 60 ? `${Math.ceil(secondsDiff / 60)} minutes` : `${Math.ceil(secondsDiff)} seconds`;

-      throw new UnauthorizedError({
-        name: "User Locked",
+      throw new ForbiddenRequestError({
+        name: "UserLocked",
        message: `User is temporary locked due to multiple failed login attempts. Try again after ${timeDisplay}. You can also reset your password now to proceed.`
      });
    }
--- a/backend/src/services/auth/auth-login-service.ts
+++ b/backend/src/services/auth/auth-login-service.ts
@ -8,7 +8,7 @@ import { request } from "@app/lib/config/request";
 import { generateSrpServerKey, srpCheckClientProof } from "@app/lib/crypto";
 import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { getUserPrivateKey } from "@app/lib/crypto/srp";
-import { BadRequestError, DatabaseError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, DatabaseError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";

@ -350,7 +350,7 @@ export const authLoginServiceFactory = ({
    const cfg = getConfig();

    if (!authJwtToken) throw new UnauthorizedError({ name: "Authorization header is required" });
-    if (!userAgent) throw new UnauthorizedError({ name: "user agent header is required" });
+    if (!userAgent) throw new UnauthorizedError({ name: "User-Agent header is required" });

    // eslint-disable-next-line no-param-reassign
    authJwtToken = authJwtToken.replace("Bearer ", ""); // remove bearer from token
@ -368,7 +368,7 @@ export const authLoginServiceFactory = ({
    const selectedOrg = await orgDAL.findById(organizationId);

    if (!hasOrganizationMembership) {
-      throw new UnauthorizedError({
+      throw new ForbiddenRequestError({
        message: `User does not have access to the organization named ${selectedOrg?.name}`
      });
    }
--- a/backend/src/services/auth/auth-signup-service.ts
+++ b/backend/src/services/auth/auth-signup-service.ts
@ -9,7 +9,7 @@ import { isAuthMethodSaml } from "@app/ee/services/permission/permission-fns";
 import { getConfig } from "@app/lib/config/env";
 import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { generateUserSrpKeys, getUserPrivateKey } from "@app/lib/crypto/srp";
-import { BadRequestError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { isDisposableEmail } from "@app/lib/validator";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@ -380,7 +380,7 @@ export const authSignupServiceFactory = ({
      status: OrgMembershipStatus.Invited
    });
    if (!orgMembership)
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: "Failed to find invitation for email",
        name: "complete account invite"
      });
--- a/backend/src/services/certificate-authority/certificate-authority-queue.ts
+++ b/backend/src/services/certificate-authority/certificate-authority-queue.ts
@ -3,7 +3,7 @@ import crypto from "crypto";

 import { getConfig } from "@app/lib/config/env";
 import { daysToMillisecond, secondsToMillis } from "@app/lib/dates";
-import { BadRequestError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
 import { TCertificateDALFactory } from "@app/services/certificate/certificate-dal";
@ -76,7 +76,7 @@ export const certificateAuthorityQueueFactory = ({
    logger.info(`secretReminderQueue.process: [secretDocument=${caId}]`);

    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new BadRequestError({ message: "CA not found" });
+    if (!ca) throw new NotFoundError({ message: "CA not found" });

    const caSecret = await certificateAuthoritySecretDAL.findOne({ caId: ca.id });

--- a/backend/src/services/certificate-authority/certificate-authority-service.ts
+++ b/backend/src/services/certificate-authority/certificate-authority-service.ts
@ -122,7 +122,7 @@ export const certificateAuthorityServiceFactory = ({
    actorOrgId
  }: TCreateCaDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -290,7 +290,7 @@ export const certificateAuthorityServiceFactory = ({
   */
  const getCaById = async ({ caId, actorId, actorAuthMethod, actor, actorOrgId }: TGetCaDTO) => {
    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new BadRequestError({ message: "CA not found" });
+    if (!ca) throw new NotFoundError({ message: "CA not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -321,7 +321,7 @@ export const certificateAuthorityServiceFactory = ({
    actorOrgId
  }: TUpdateCaDTO) => {
    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new BadRequestError({ message: "CA not found" });
+    if (!ca) throw new NotFoundError({ message: "CA not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -346,7 +346,7 @@ export const certificateAuthorityServiceFactory = ({
   */
  const deleteCaById = async ({ caId, actorId, actorAuthMethod, actor, actorOrgId }: TDeleteCaDTO) => {
    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new BadRequestError({ message: "CA not found" });
+    if (!ca) throw new NotFoundError({ message: "CA not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -371,7 +371,7 @@ export const certificateAuthorityServiceFactory = ({
   */
  const getCaCsr = async ({ caId, actorId, actorAuthMethod, actor, actorOrgId }: TGetCaCsrDTO) => {
    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new BadRequestError({ message: "CA not found" });
+    if (!ca) throw new NotFoundError({ message: "CA not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -430,7 +430,7 @@ export const certificateAuthorityServiceFactory = ({
   */
  const renewCaCert = async ({ caId, notAfter, actorId, actorAuthMethod, actor, actorOrgId }: TRenewCaCertDTO) => {
    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new BadRequestError({ message: "CA not found" });
+    if (!ca) throw new NotFoundError({ message: "CA not found" });

    if (!ca.activeCaCertId) throw new BadRequestError({ message: "CA does not have a certificate installed" });

@ -702,7 +702,7 @@ export const certificateAuthorityServiceFactory = ({

  const getCaCerts = async ({ caId, actorId, actorAuthMethod, actor, actorOrgId }: TGetCaCertsDTO) => {
    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new BadRequestError({ message: "CA not found" });
+    if (!ca) throw new NotFoundError({ message: "CA not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -736,7 +736,7 @@ export const certificateAuthorityServiceFactory = ({
   */
  const getCaCert = async ({ caId, actorId, actorAuthMethod, actor, actorOrgId }: TGetCaCertDTO) => {
    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new BadRequestError({ message: "CA not found" });
+    if (!ca) throw new NotFoundError({ message: "CA not found" });
    if (!ca.activeCaCertId) throw new BadRequestError({ message: "CA does not have a certificate installed" });

    const { permission } = await permissionService.getProjectPermission(
@ -817,7 +817,7 @@ export const certificateAuthorityServiceFactory = ({
  }: TSignIntermediateDTO) => {
    const appCfg = getConfig();
    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new BadRequestError({ message: "CA not found" });
+    if (!ca) throw new NotFoundError({ message: "CA not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -963,7 +963,7 @@ export const certificateAuthorityServiceFactory = ({
    certificateChain
  }: TImportCertToCaDTO) => {
    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new BadRequestError({ message: "CA not found" });
+    if (!ca) throw new NotFoundError({ message: "CA not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -1124,7 +1124,7 @@ export const certificateAuthorityServiceFactory = ({
    }

    if (!ca) {
-      throw new BadRequestError({ message: "CA not found" });
+      throw new NotFoundError({ message: "CA not found" });
    }

    const { permission } = await permissionService.getProjectPermission(
@ -1451,7 +1451,7 @@ export const certificateAuthorityServiceFactory = ({
    }

    if (!ca) {
-      throw new BadRequestError({ message: "CA not found" });
+      throw new NotFoundError({ message: "CA not found" });
    }

    if (!dto.isInternal) {
@ -1810,7 +1810,7 @@ export const certificateAuthorityServiceFactory = ({
    actorOrgId
  }: TGetCaCertificateTemplatesDTO) => {
    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new BadRequestError({ message: "CA not found" });
+    if (!ca) throw new NotFoundError({ message: "CA not found" });

    const { permission } = await permissionService.getProjectPermission(
      actor,
--- a/backend/src/services/group-project/group-project-dal.ts
+++ b/backend/src/services/group-project/group-project-dal.ts
@ -10,10 +10,15 @@ export type TGroupProjectDALFactory = ReturnType<typeof groupProjectDALFactory>;
 export const groupProjectDALFactory = (db: TDbClient) => {
  const groupProjectOrm = ormify(db, TableName.GroupProjectMembership);

-  const findByProjectId = async (projectId: string, tx?: Knex) => {
+  const findByProjectId = async (projectId: string, filter?: { groupId?: string }, tx?: Knex) => {
    try {
      const docs = await (tx || db.replicaNode())(TableName.GroupProjectMembership)
        .where(`${TableName.GroupProjectMembership}.projectId`, projectId)
+        .where((qb) => {
+          if (filter?.groupId) {
+            void qb.where(`${TableName.Groups}.id`, "=", filter.groupId);
+          }
+        })
        .join(TableName.Groups, `${TableName.GroupProjectMembership}.groupId`, `${TableName.Groups}.id`)
        .join(
          TableName.GroupProjectMembershipRole,
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Daniel Hougaard	7885a3b0ff	requested changes	2024-09-30 21:45:11 +04:00
Daniel Hougaard	66485f0464	fix: error improvements	2024-09-30 21:31:47 +04:00
Daniel Hougaard	032197ee9f	Update access-approval-policy-fns.ts	2024-09-27 22:03:46 +04:00
Daniel Hougaard	d5a4eb609a	fix: error improvements	2024-09-27 21:22:14 +04:00
Daniel Hougaard	d430293c66	Merge pull request #2494 from Infisical/daniel/api-errors feat(api): better errors and documentation	2024-09-27 20:25:10 +04:00
Daniel Hougaard	180d2692cd	Re-trigger tests	2024-09-27 20:17:17 +04:00
Daniel Hougaard	433e58655a	Update add-errors-to-response-schemas.ts	2024-09-27 20:12:08 +04:00
Daniel Hougaard	5ffb6b7232	fixed tests	2024-09-27 20:02:43 +04:00
Daniel Hougaard	55ca9149d5	Re-trigger tests	2024-09-27 20:02:43 +04:00
Daniel Hougaard	4ea57ca9a0	requested changes	2024-09-27 20:02:43 +04:00
Daniel Hougaard	7ac4b0b79f	feat(api-docs): add error responses to API documentation	2024-09-27 20:02:43 +04:00
Daniel Hougaard	2d51ed317f	feat(api): improve errors and error handling	2024-09-27 20:02:43 +04:00
Maidul Islam	02c51b05b6	Update login.mdx to remove sentence	2024-09-27 10:33:36 -04:00
Maidul Islam	441b008709	Merge pull request #2500 from Infisical/fix/addressed-modal-close-unresponsive fix: address modal close unresponsive	2024-09-27 10:15:27 -04:00
Daniel Hougaard	4d81a0251e	Merge pull request #2478 from Infisical/misc/approval-policy-tf-resource-prereq-1 misc: approval policy modifications for TF resource	2024-09-27 16:42:04 +04:00
Sheen Capadngan	59da513481	fix: address modal close unresponsive	2024-09-27 20:30:28 +08:00
Akhil Mohan	c17047a193	Merge pull request #2499 from akhilmhdh/doc/auth-method-fix docs: added oidc method in login command method argument and changed order to make auth section first	2024-09-27 15:45:03 +05:30
=	f50a881273	docs: added oidc method in login command method argument and changed order to make auth section first	2024-09-27 15:32:24 +05:30
Scott Wilson	c011d99b8b	Merge pull request #2493 from scott-ray-wilson/secrets-overview-fix Fix: Secrets Overview Endpoint Filter Secrets for Read Permissive Environments	2024-09-26 11:32:37 -07:00
Maidul Islam	adc3542750	Merge pull request #2495 from akhilmhdh/chore/disable-audit-log-in-cloud feat: disabled audit log for cloud due to maintainence mode	2024-09-26 13:25:04 -04:00
=	82e3241f1b	feat: disabled audit log for cloud due to maintainence mode	2024-09-26 22:32:16 +05:30
Sheen	2bca46886a	Merge pull request #2466 from Infisical/misc/addressed-invalid-redirect-condition-signup-page misc: addressed invalid redirect condition in signup invite page	2024-09-27 00:54:58 +08:00
Scott Wilson	971987c786	fix: display all envs in secrets overview header	2024-09-26 09:32:15 -07:00
Scott Wilson	cd71a13bb7	fix: refactor secrets overview endpoint to filter envs for secrets with read permissions	2024-09-26 09:24:29 -07:00
Maidul Islam	98290fe31b	remove audit logs	2024-09-26 12:23:11 -04:00
Akhil Mohan	9f15fb1474	Merge pull request #2491 from akhilmhdh/feat/error-dashboard fix: resolved permission not defined for custom org role	2024-09-26 21:36:50 +05:30
=	301a867f8b	refactor: remove console	2024-09-26 21:13:31 +05:30
Maidul Islam	658a044e85	Merge pull request #2492 from Infisical/maidul-gdfvdfkw hide audit log filter in prod	2024-09-26 11:42:37 -04:00
Maidul Islam	2c1e29445d	hide audit log filter in prod	2024-09-26 11:34:30 -04:00
=	3f4c4f7418	fix: resolved permission not defined for custom org role	2024-09-26 20:43:08 +05:30
Maidul Islam	592cc13b1f	Merge pull request #2488 from akhilmhdh/feat/fix-ui-paginated-secret fix: dashboard not showing when root accessn not provided	2024-09-26 10:01:33 -04:00
Maidul Islam	e70c2f3d10	Merge pull request #2489 from akhilmhdh/feat/error-dashboard feat: added error feedback on secret items saving for debugging	2024-09-26 07:35:37 -04:00
=	bac865eab1	feat: added error feedback on secret items saving for debugging	2024-09-26 16:42:31 +05:30
=	3d8fbc0a58	fix: dashboard not showing when root accessn not provided	2024-09-26 15:13:07 +05:30
Maidul Islam	a1f2629366	Merge pull request #2481 from Infisical/doc/add-groups-endpoints-to-api-reference doc: add groups endpoints to api reference documentation	2024-09-25 09:50:40 -04:00
Sheen Capadngan	bf8e1f2bfd	misc: added missing filter	2024-09-25 21:36:28 +08:00
Sheen Capadngan	f7d10ceeda	Merge remote-tracking branch 'origin/main' into misc/approval-policy-tf-resource-prereq-1	2024-09-25 21:15:46 +08:00
Meet Shah	095883a94e	Merge pull request #2483 from Infisical/meet/fix-group-members-fetch check user group membership correctly	2024-09-25 18:24:14 +05:30
Meet	51638b7c71	fix: check user group membership correctly	2024-09-25 18:02:32 +05:30
Sheen Capadngan	adaddad370	misc: added rate limiting	2024-09-25 18:46:44 +08:00
Sheen Capadngan	cf6ff58f16	misc: access approval prerequisites	2024-09-25 18:38:06 +08:00
Sheen Capadngan	3e3f42a8f7	doc: add groups endpoints to api reference documentation	2024-09-25 15:31:54 +08:00
Sheen Capadngan	974e21d856	fix: addressed bugs	2024-09-25 14:30:22 +08:00
Daniel Hougaard	da86338bfe	Merge pull request #2480 from Infisical/daniel/fix-better-not-found-error fix: throw not found when entity is not found	2024-09-24 21:08:42 +04:00
Daniel Hougaard	3a9a6767a0	fix: throw not found when entity is not found	2024-09-24 21:01:09 +04:00
Vlad Matsiiako	fe8a1e6ce6	Merge pull request #2476 from Infisical/daniel/fix-missing-vars-count fix(dashboard): fix imports missing secrets counter	2024-09-24 09:46:31 -07:00
Maidul Islam	55aa3f7b58	Merge pull request #2479 from Infisical/misc/audit-log-page-warning-and-auto-select misc: added maintenance notice to audit log page	2024-09-24 12:41:49 -04:00
Sheen Capadngan	59f3581370	misc: made it specific for cloud	2024-09-25 00:31:13 +08:00
Sheen Capadngan	ccae63936c	misc: added maintenance notice to audit log page and handled project auto-select	2024-09-25 00:27:36 +08:00
Sheen Capadngan	6733349af0	misc: updated secret approval policy api to support TF usecase	2024-09-25 00:07:11 +08:00
Daniel Hougaard	50b51f1810	Merge pull request #2475 from Infisical/daniel/prefix-secret-folders fix(folders-api): prefix paths	2024-09-24 17:30:47 +04:00
Daniel Hougaard	fc39b3b0dd	fix(dashboard): fix imports missing secrets counter	2024-09-24 17:24:38 +04:00
Daniel Hougaard	5964976e47	fix(folders-api): prefix paths	2024-09-24 15:49:27 +04:00
Daniel Hougaard	677a87150b	Merge pull request #2474 from meetcshah19/meet/fix-group-fetch fix: group fetch using project id	2024-09-24 01:01:58 +04:00
Meet	2469c8d0c6	fix: group listing using project id	2024-09-24 02:24:37 +05:30
Maidul Islam	dafb89d1dd	Merge pull request #2473 from scott-ray-wilson/project-upgrade-banner-revision Improvement: Project Upgrade Banner Revisions	2024-09-23 15:48:02 -04:00
Scott Wilson	8da01445e5	improvement: revise project upgrade banner to refer to secret engine version, state that upgrading is free and use lighter text for improved legibility	2024-09-23 12:36:10 -07:00
Maidul Islam	6b2273d314	update message	2024-09-23 15:32:11 -04:00
Maidul Islam	b886e66ee9	Remove service token notice	2024-09-23 15:25:36 -04:00
Scott Wilson	3afcb19727	Merge pull request #2464 from scott-ray-wilson/entra-mfa-docs Docs: Microsoft Entra ID / Azure AD MFA	2024-09-23 12:10:38 -07:00
Meet Shah	06d2480f30	Merge pull request #2472 from meetcshah19/meet/fix-create-policy-ui fix: group selection on create policy	2024-09-23 23:02:22 +05:30
Meet	fd7d8ddf2d	fix: group selection on create policy	2024-09-23 20:59:05 +05:30
Maidul Islam	1dc0f4e5b8	Merge pull request #2431 from Infisical/misc/terraform-project-group-prereq misc: setup prerequisites for terraform project group	2024-09-23 11:21:46 -04:00
Maidul Islam	fa64a88c24	Merge pull request #2470 from akhilmhdh/fix/inline-reference-permission feat: added validation check for secret references made in v2 engine	2024-09-23 10:07:07 -04:00
Meet Shah	385ec05e57	Merge pull request #2458 from meetcshah19/meet/eng-1443-add-groups-as-eligible-approvers feat: allow access approvals with user groups	2024-09-23 19:14:52 +05:30
Meet	3a38e1e413	chore: refactor	2024-09-23 19:04:57 +05:30
=	7f04e9e97d	feat: added validation check for secret references made in v2 engine	2024-09-23 16:29:01 +05:30
Sheen Capadngan	839f0c7e1c	misc: moved the rest of project group methods to IDs	2024-09-23 17:59:10 +08:00
Sheen Capadngan	2352e29902	Merge remote-tracking branch 'origin/main' into misc/terraform-project-group-prereq	2024-09-23 15:09:56 +08:00
Meet	fcbc7fcece	chore: fix test	2024-09-23 10:53:58 +05:30
Meet	c2252c65a4	chore: lint fix	2024-09-23 10:30:49 +05:30
Meet	e150673de4	chore: Refactor and remove new tables	2024-09-23 10:26:58 +05:30
Maidul Islam	4f5c49a529	Merge pull request #2467 from akhilmhdh/fix/scim-enform-org-invite feat: moved check for org invite specifc operation inside the creation if	2024-09-22 11:48:24 -04:00
Maidul Islam	7107089ad3	update var name	2024-09-22 15:44:07 +00:00
=	967818f57d	feat: moved check for org invite specifc operation inside the creation if	2024-09-22 18:42:20 +05:30
Sheen Capadngan	14c89c9be5	misc: addressed invalid redirect condition in signup invite page	2024-09-22 20:32:55 +08:00
Sheen Capadngan	02111c2dc2	misc: moved to group project v3 for get with ID based	2024-09-22 19:46:36 +08:00
Scott Wilson	ebea74b607	fix: address capitalization	2024-09-21 19:41:58 -07:00
Scott Wilson	5bbe5421bf	docs: add images	2024-09-20 17:32:14 -07:00
Scott Wilson	279289989f	docs: add entra / azure mfa docs	2024-09-20 17:31:32 -07:00
Daniel Hougaard	bb4a16cf7c	Merge pull request #2448 from Infisical/daniel/org-level-audit-logs feat(audit-logs): moved audit logs to organization-level	2024-09-21 02:54:06 +04:00
Maidul Islam	309db49f1b	Merge pull request #2451 from scott-ray-wilson/secrets-pagination-ss Feature: Server-side Pagination for Secrets Overview and Main Pages	2024-09-20 15:38:29 -04:00
Scott Wilson	62a582ef17	Merge pull request #2459 from Infisical/daniel/better-next-error feat: next.js error boundary	2024-09-20 12:23:12 -07:00
Scott Wilson	d6b389760d	chore: resolve merge conflict	2024-09-20 12:20:13 -07:00
Daniel Hougaard	bd4deb02b0	feat: added error boundary	2024-09-20 23:17:09 +04:00
Daniel Hougaard	449e7672f9	Requested changes	2024-09-20 23:08:20 +04:00
Daniel Hougaard	31ff6d3c17	Cleanup	2024-09-20 23:08:20 +04:00
Daniel Hougaard	cfcc32271f	Update project-router.ts	2024-09-20 23:08:20 +04:00
Daniel Hougaard	e2ea84f28a	Update project-router.ts	2024-09-20 23:08:20 +04:00
Daniel Hougaard	6885ef2e54	docs(api-reference): updated audit log endpoint	2024-09-20 23:08:20 +04:00
Daniel Hougaard	8fa9f476e3	fix: allow org members to read audit logs	2024-09-20 23:08:20 +04:00
Daniel Hougaard	1cf8d1e3fa	Fix: Added missing event cases	2024-09-20 23:07:53 +04:00
Daniel Hougaard	9f61177b62	feat: project-independent log support	2024-09-20 23:07:53 +04:00
Daniel Hougaard	59b8e83476	updated imports	2024-09-20 23:07:53 +04:00
Daniel Hougaard	eee4d00a08	fix: removed audit logs from project-level	2024-09-20 23:07:53 +04:00
Daniel Hougaard	51c0598b50	feat: audit log permissions	2024-09-20 23:07:53 +04:00
Daniel Hougaard	69311f058b	Update BackfillSecretReferenceSection.tsx	2024-09-20 23:07:52 +04:00
Daniel Hougaard	0f70c3ea9a	Moved audit logs to org-level entirely	2024-09-20 23:07:52 +04:00
Daniel Hougaard	b5660c87a0	feat(dashboard): organization-level audit logs	2024-09-20 23:07:52 +04:00
Daniel Hougaard	2a686e65cd	feat: added error boundary	2024-09-20 23:05:23 +04:00
Scott Wilson	2bb0386220	improvements: address change requests	2024-09-20 11:52:25 -07:00
Scott Wilson	526605a0bb	fix: remove container class to keep project upgrade card centered	2024-09-20 11:52:25 -07:00
Daniel Hougaard	5b9903a226	Merge pull request #2455 from Infisical/daniel/emails-on-sync-failed feat(integrations): email when integration sync fails	2024-09-20 22:52:15 +04:00
Daniel Hougaard	3fc60bf596	Update keystore.ts	2024-09-20 22:29:44 +04:00
Meet Shah	7815d6538f	Merge pull request #2442 from meetcshah19/meet/eng-1495-dynamic-secrets-with-ad feat: Add dynamic secrets for Azure Entra ID	2024-09-20 23:51:45 +05:30
Daniel Hougaard	4c4d525655	fix: moved away from keystore since its not needed	2024-09-20 22:20:32 +04:00
Daniel Hougaard	e44213a8a9	feat: added error boundary	2024-09-20 21:29:03 +04:00
Maidul Islam	e87656631c	update upgrade message	2024-09-20 12:56:49 -04:00
Daniel Hougaard	e102ccf9f0	Merge pull request #2462 from Infisical/daniel/node-docs-redirect docs: redirect node docs to new sdk	2024-09-20 20:00:20 +04:00
Daniel Hougaard	63af75a330	redirected node docs	2024-09-20 19:57:54 +04:00
Maidul Islam	8a10af9b62	Merge pull request #2461 from Infisical/misc/removed-teams-from-cloud-plans misc: removed teams from cloud plans	2024-09-20 11:15:14 -04:00
Sheen Capadngan	18308950d1	misc: removed teams from cloud plans	2024-09-20 22:48:41 +08:00
Scott Wilson	86a9676a9c	fix: invalidate workspace query after project upgrade	2024-09-20 05:34:01 -07:00
Scott Wilson	aa12a71ff3	fix: correct secret import count by filtering replicas	2024-09-20 05:24:05 -07:00
Daniel Hougaard	aee46d1902	cleanup	2024-09-20 15:17:20 +04:00
Daniel Hougaard	279a1791f6	feat: added error boundary	2024-09-20 15:16:19 +04:00
Sheen Capadngan	8d71b295ea	misc: add copy group ID to clipboard	2024-09-20 17:24:46 +08:00
Sheen Capadngan	f72cedae10	misc: added groups endpoint	2024-09-20 16:24:22 +08:00
Meet	864cf23416	chore: Fix types	2024-09-20 12:31:34 +05:30
Meet	10574bfe26	chore: Refactor and improve UI	2024-09-20 12:29:26 +05:30
Sheen Capadngan	02085ce902	fix: addressed overlooked update	2024-09-20 14:45:43 +08:00
Sheen Capadngan	4eeea0b27c	misc: added endpoint for fetching group details by ID	2024-09-20 14:05:22 +08:00
Sheen Capadngan	93b7f56337	misc: migrated groups API to use ids instead of slug	2024-09-20 13:30:38 +08:00
Meet	12ecefa832	chore: remove logs	2024-09-20 09:31:18 +05:30
Meet	dd9a00679d	chore: fix type	2024-09-20 09:03:43 +05:30
Meet	081502848d	feat: allow secret approvals with user groups	2024-09-20 08:51:48 +05:30
Scott Wilson	0fa9fa20bc	improvement: update project upgrade text	2024-09-19 19:41:55 -07:00
Scott Wilson	0a1f25a659	fix: hide pagination if table empty and add optional chaining operator to fix invalid imports	2024-09-19 19:28:09 -07:00
Scott Wilson	bc74c44f97	refactor: move overview resource env determination logic to the client side to preserve ordering of resources	2024-09-19 16:36:11 -07:00
Daniel Hougaard	c50e325f53	feat: added error boundary	2024-09-20 01:29:01 +04:00
Daniel Hougaard	0225e6fabb	feat: added error boundary	2024-09-20 01:20:54 +04:00
Daniel Hougaard	3caa46ade8	feat: added error boundary	2024-09-20 01:19:10 +04:00
Daniel Hougaard	998bbe92f7	feat: failed integration sync emails debouncer	2024-09-20 00:07:09 +04:00
Meet	009be0ded8	feat: allow access approvals with user groups	2024-09-20 01:24:30 +05:30
Daniel Hougaard	c9f6207e32	fix: bundle integration emails by secret path	2024-09-19 21:19:41 +04:00
Maidul Islam	36adc5e00e	Merge pull request #2447 from Infisical/snyk-fix-3012804bab30e5c3032cbdd8bc609cd4 [Snyk] Security upgrade jspdf from 2.5.1 to 2.5.2	2024-09-19 13:12:09 -04:00
Maidul Islam	cb24b2aac8	Merge pull request #2454 from Infisical/snyk-fix-2add6b839c34e787d4e3ffca4fa7b9b6 [Snyk] Security upgrade probot from 13.0.0 to 13.3.8	2024-09-19 13:11:54 -04:00
Maidul Islam	1e0eb26dce	Merge pull request #2456 from Infisical/daniel/unblock-gamma Update error-handler.ts	2024-09-19 12:21:40 -04:00
Daniel Hougaard	f8161c8c72	Update error-handler.ts	2024-09-19 20:06:19 +04:00
Maidul Islam	862e2e9d65	Merge pull request #2449 from akhilmhdh/fix/user-group-permission User group permission fixes	2024-09-19 10:37:54 -04:00
Daniel Hougaard	0e734bd638	fix: change variable name `qb` -> `queryBuilder`	2024-09-19 18:24:59 +04:00
Daniel Hougaard	a35054f6ba	fix: change variable name `qb` -> `queryBuilder`	2024-09-19 18:23:51 +04:00
Sheen	e0ace85d6e	Merge pull request #2453 from Infisical/misc/slack-doc-and-admin-page-updates misc: updates to admin slack integration page and docs	2024-09-19 22:12:44 +08:00
Sheen	7867587884	Merge pull request #2452 from Infisical/misc/finalized-expired-status-code-oidc-auth misc: finalized error codes for oidc login	2024-09-19 21:51:13 +08:00
Daniel Hougaard	0564d06923	feat(integrations): email when integration sync fails	2024-09-19 17:35:52 +04:00
Daniel Hougaard	8ace72d134	Merge pull request #2445 from Infisical/daniel/better-api-errors feat(cli/api): more descriptive api errors & CLI warning when using token auth while being logged in	2024-09-19 16:40:41 +04:00
snyk-bot	491331e9e3	fix: backend/package.json & backend/package-lock.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-PATHTOREGEXP-7925106 - https://snyk.io/vuln/SNYK-JS-BODYPARSER-7926860 - https://snyk.io/vuln/SNYK-JS-EXPRESS-7926867 - https://snyk.io/vuln/SNYK-JS-SEND-7926862 - https://snyk.io/vuln/SNYK-JS-SERVESTATIC-7926865	2024-09-19 12:08:28 +00:00
Sheen Capadngan	4a324eafd8	misc: added text type conversion for admin slack fields	2024-09-19 19:38:55 +08:00
Sheen Capadngan	173cf0238d	doc: add guide for using slack integration in private channels	2024-09-19 19:38:13 +08:00
Sheen Capadngan	fd792e7e1d	misc: finalized error codes for oidc login	2024-09-19 15:00:52 +08:00
Scott Wilson	d0656358a2	feature: server-side pagination/filtering/sorting for secrets overview and main pages	2024-09-18 21:17:48 -07:00
Meet	040fa511f6	feat: add docs	2024-09-19 07:49:39 +05:30
Meet	75099f159f	feat: switch to custom app installation flow	2024-09-19 07:35:23 +05:30
Meet	e4a83ad2e2	feat: add docs	2024-09-19 06:09:46 +05:30
Meet	760f9d487c	chore: UI improvements	2024-09-19 01:23:24 +05:30
Meet	a02e73e2a4	chore: refactor frontend and UI improvements	2024-09-19 01:01:18 +05:30
=	d4c95ab1a7	fix: broken custom role in group	2024-09-18 22:38:38 +05:30
Sheen Capadngan	fbebeaf38f	misc: added rate limiter	2024-09-19 01:08:11 +08:00
Sheen Capadngan	97245c740e	misc: added as least as privileged check to update	2024-09-19 01:05:31 +08:00
=	03c4c2056a	fix: user group permission due to additional privileges and org permission not considering groups	2024-09-18 22:20:39 +05:30
Daniel Hougaard	cee982754b	Requested changes	2024-09-18 20:41:21 +04:00
Maidul Islam	a6497b844a	remove unneeded comments	2024-09-18 09:22:58 -04:00
Maidul Islam	788dcf2c73	Update warning message	2024-09-18 09:21:11 -04:00
snyk-bot	6d9f80805e	fix: frontend/package.json & frontend/package-lock.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-DOMPURIFY-7984421 - https://snyk.io/vuln/SNYK-JS-DOMPURIFY-6474511	2024-09-18 12:12:04 +00:00
Daniel Hougaard	7f055450df	Update root.go	2024-09-18 12:55:03 +04:00
Daniel Hougaard	9234213c62	Requested changes	2024-09-18 12:50:28 +04:00
Sheen Capadngan	5a40b5a1cf	Merge branch 'misc/terraform-project-group-prereq' of https://github.com/Infisical/infisical into misc/terraform-project-group-prereq	2024-09-18 14:43:59 +08:00
Sheen Capadngan	19e4a6de4d	misc: added helpful error message	2024-09-18 14:43:25 +08:00
Maidul Islam	0daca059c7	fix small typo	2024-09-17 20:53:23 -04:00
Daniel Hougaard	e7278c4cd9	Requested changes	2024-09-18 01:35:01 +04:00
Daniel Hougaard	3e79dbb3f5	feat(cli): warning when logged in and using token at the same time	2024-09-18 01:34:01 +04:00
Meet	0fd193f8e0	chore: Remove unused import	2024-09-18 01:40:37 +05:30
Meet	342c713805	feat: Add callback and edit dynamic secret for Azure Entra ID	2024-09-18 01:33:04 +05:30
Daniel Hougaard	9b2565e387	Update error-handler.ts	2024-09-17 22:57:43 +04:00
Daniel Hougaard	1c5a8cabe9	feat: better api errors	2024-09-17 22:53:51 +04:00
Sheen Capadngan	613b97c93d	misc: added handling of not found group membership	2024-09-18 00:29:50 +08:00
Sheen Capadngan	335f3f7d37	misc: removed hacky approach	2024-09-17 18:52:30 +08:00
Meet	b3f0d36ddc	feat: Add dynamic secrets for Azure Entra ID	2024-09-17 10:29:19 +05:30
Sheen Capadngan	dbb8617180	misc: setup prerequisites for terraform project group	2024-09-16 02:12:24 +08:00