improvement: add back comma

improvement: minor doc adjustment and add new page to sidebar
abac docs
2025-04-13 16:52:12 +00:00 · 2024-10-29 14:46:53 -07:00 · 2024-10-29 14:45:38 -07:00 · 2024-10-29 15:42:38 -04:00 · 2024-10-29 09:53:17 -04:00 · 2024-10-29 21:50:23 +08:00
842 changed files with 37885 additions and 12130 deletions
--- a/.env.example
+++ b/.env.example
@ -36,16 +36,22 @@ CLIENT_ID_HEROKU=
 CLIENT_ID_VERCEL=
 CLIENT_ID_NETLIFY=
 CLIENT_ID_GITHUB=
+CLIENT_ID_GITHUB_APP=
+CLIENT_SLUG_GITHUB_APP=
 CLIENT_ID_GITLAB=
 CLIENT_ID_BITBUCKET=
 CLIENT_SECRET_HEROKU=
 CLIENT_SECRET_VERCEL=
 CLIENT_SECRET_NETLIFY=
 CLIENT_SECRET_GITHUB=
+CLIENT_SECRET_GITHUB_APP=
 CLIENT_SECRET_GITLAB=
 CLIENT_SECRET_BITBUCKET=
 CLIENT_SLUG_VERCEL=

+CLIENT_PRIVATE_KEY_GITHUB_APP=
+CLIENT_APP_ID_GITHUB_APP=
+
 # Sentry (optional) for monitoring errors
 SENTRY_DSN=

--- a/.env.migration.example
+++ b/.env.migration.example
@ -1 +1,2 @@
 DB_CONNECTION_URI=
+AUDIT_LOGS_DB_CONNECTION_URI=
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -6,6 +6,7 @@

 - [ ] Bug fix
 - [ ] New feature
+- [ ] Improvement
 - [ ] Breaking change
 - [ ] Documentation

--- a/.github/workflows/build-binaries.yml
+++ b/.github/workflows/build-binaries.yml
@ -7,7 +7,6 @@ on:
                description: "Version number"
                required: true
                type: string
-
 defaults:
    run:
        working-directory: ./backend
@ -49,9 +48,9 @@ jobs:
            - name: Package into node binary
              run: |
                  if [ "${{ matrix.os }}" != "linux" ]; then
-                    pkg --no-bytecode --public-packages "*" --public --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core-${{ matrix.os }}-${{ matrix.arch }} .
+                    pkg --no-bytecode --public-packages "*" --public --compress GZip --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core-${{ matrix.os }}-${{ matrix.arch }} .
                  else
-                    pkg --no-bytecode --public-packages "*" --public --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core .
+                    pkg --no-bytecode --public-packages "*" --public --compress GZip --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core .
                  fi

            # Set up .deb package structure (Debian/Ubuntu only)
@ -83,6 +82,86 @@ jobs:
                  dpkg-deb --build infisical-core
                  mv infisical-core.deb ./binary/infisical-core-${{matrix.arch}}.deb

+            ### RPM
+
+            # Set up .rpm package structure
+            - name: Set up .rpm package structure
+              if: matrix.os == 'linux'
+              run: |
+                  mkdir -p infisical-core-rpm/usr/local/bin
+                  cp ./binary/infisical-core infisical-core-rpm/usr/local/bin/
+                  chmod +x infisical-core-rpm/usr/local/bin/infisical-core
+
+            # Install RPM build tools
+            - name: Install RPM build tools
+              if: matrix.os == 'linux'
+              run: sudo apt-get update && sudo apt-get install -y rpm
+
+            # Create .spec file for RPM
+            - name: Create .spec file for RPM
+              if: matrix.os == 'linux'
+              run: |
+                  cat <<EOF > infisical-core.spec
+
+                  %global _enable_debug_package 0
+                  %global debug_package %{nil}
+                  %global __os_install_post /usr/lib/rpm/brp-compress %{nil}
+
+                  Name:           infisical-core
+                  Version:        ${{ github.event.inputs.version }}
+                  Release:        1%{?dist}
+                  Summary:        Infisical Core standalone executable
+                  License:        Proprietary
+                  URL:            https://app.infisical.com
+
+                  %description
+                  Infisical Core standalone executable (app.infisical.com)
+
+                  %install
+                  mkdir -p %{buildroot}/usr/local/bin
+                  cp %{_sourcedir}/infisical-core %{buildroot}/usr/local/bin/
+
+                  %files
+                  /usr/local/bin/infisical-core
+
+                  %pre
+
+                  %post
+
+                  %preun
+
+                  %postun
+                  EOF
+
+            # Build .rpm file
+            - name: Build .rpm package
+              if: matrix.os == 'linux'
+              run: |
+                  # Create necessary directories
+                  mkdir -p rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
+
+                  # Copy the binary directly to SOURCES
+                  cp ./binary/infisical-core rpmbuild/SOURCES/
+
+                  # Run rpmbuild with verbose output
+                  rpmbuild -vv -bb \
+                    --define "_topdir $(pwd)/rpmbuild" \
+                    --define "_sourcedir $(pwd)/rpmbuild/SOURCES" \
+                    --define "_rpmdir $(pwd)/rpmbuild/RPMS" \
+                    --target ${{ matrix.arch == 'x64' && 'x86_64' || 'aarch64' }} \
+                    infisical-core.spec
+
+                  # Try to find the RPM file
+                  find rpmbuild -name "*.rpm"
+
+                  # Move the RPM file if found
+                  if [ -n "$(find rpmbuild -name '*.rpm')" ]; then
+                    mv $(find rpmbuild -name '*.rpm') ./binary/infisical-core-${{matrix.arch}}.rpm
+                  else
+                    echo "RPM file not found!"
+                    exit 1
+                  fi
+
            - uses: actions/setup-python@v4
              with:
                  python-version: "3.x" # Specify the Python version you need
@ -97,6 +176,12 @@ jobs:
              working-directory: ./backend
              run: cloudsmith push deb --republish --no-wait-for-sync --api-key=${{ secrets.CLOUDSMITH_API_KEY }} infisical/infisical-core/any-distro/any-version ./binary/infisical-core-${{ matrix.arch }}.deb

+            # Publish .rpm file to Cloudsmith (Red Hat-based systems only)
+            - name: Publish .rpm to Cloudsmith
+              if: matrix.os == 'linux'
+              working-directory: ./backend
+              run: cloudsmith push rpm --republish --no-wait-for-sync --api-key=${{ secrets.CLOUDSMITH_API_KEY }} infisical/infisical-core/any-distro/any-version ./binary/infisical-core-${{ matrix.arch }}.rpm
+
            # Publish .exe file to Cloudsmith (Windows only)
            - name: Publish to Cloudsmith (Windows)
              if: matrix.os == 'win'
--- a/.github/workflows/build-staging-and-deploy-aws.yml
+++ b/.github/workflows/build-staging-and-deploy-aws.yml
@ -7,12 +7,12 @@ permissions:

 jobs:
  infisical-tests:
-    name: Run tests before deployment
+    name: Integration tests
    # https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
    uses: ./.github/workflows/run-backend-tests.yml
    
  infisical-image:
-    name: Build backend image
+    name: Build
    runs-on: ubuntu-latest
    needs: [infisical-tests]
    steps:
@ -104,8 +104,8 @@ jobs:
          cluster: infisical-gamma-stage
          wait-for-service-stability: true

-  production-postgres-deployment:
-    name: Deploy to production
+  production-us:
+    name: US production deploy 
    runs-on: ubuntu-latest
    needs: [gamma-deployment]
    environment:
@ -127,6 +127,7 @@ jobs:
      - name: Change directory to backend and install dependencies
        env:
          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
+          AUDIT_LOGS_DB_CONNECTION_URI: ${{ secrets.AUDIT_LOGS_DB_CONNECTION_URI }}
        run: |
          cd backend
          npm install
@ -158,3 +159,54 @@ jobs:
          service: infisical-core-platform
          cluster: infisical-core-platform
          wait-for-service-stability: true
+
+  production-eu:
+      name: EU production deploy
+      runs-on: ubuntu-latest
+      needs: [production-us]
+      environment:
+        name: production-eu
+      steps:
+        - uses: twingate/github-action@v1
+          with:
+            service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
+        - name: Checkout code
+          uses: actions/checkout@v2
+        - name: Setup Node.js environment
+          uses: actions/setup-node@v2
+          with:
+            node-version: "20"
+        - name: Change directory to backend and install dependencies
+          env:
+            DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
+          run: |
+            cd backend
+            npm install
+            npm run migration:latest
+        - name: Configure AWS Credentials 
+          uses: aws-actions/configure-aws-credentials@v4
+          with:
+            audience: sts.eu-central-1.amazonaws.com
+            aws-region: eu-central-1
+            role-to-assume: arn:aws:iam::345594589636:role/gha-make-prod-deployment
+        - name: Save commit hashes for tag
+          id: commit
+          uses: pr-mpt/actions-commit-hash@v2
+        - name: Download task definition
+          run: |
+            aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
+        - name: Render Amazon ECS task definition
+          id: render-web-container
+          uses: aws-actions/amazon-ecs-render-task-definition@v1
+          with:
+            task-definition: task-definition.json
+            container-name: infisical-core-platform
+            image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
+            environment-variables: "LOG_LEVEL=info"
+        - name: Deploy to Amazon ECS service
+          uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+          with:
+            task-definition: ${{ steps.render-web-container.outputs.task-definition }}
+            service: infisical-core-platform
+            cluster: infisical-core-platform
+            wait-for-service-stability: true
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@ -95,6 +95,10 @@ RUN mkdir frontend-build
 # Production stage
 FROM base AS production
 RUN apk add --upgrade --no-cache ca-certificates
+RUN apk add --no-cache bash curl && curl -1sLf \
+  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
+  && apk add infisical=0.31.1 && apk add --no-cache git
+
 RUN addgroup --system --gid 1001 nodejs \
  && adduser --system --uid 1001 non-root-user

--- a/README.md
+++ b/README.md
@ -73,6 +73,11 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical PKI Issuer for Kubernetes](https://infisical.com/docs/documentation/platform/pki/pki-issuer)**: Deliver TLS certificates to your Kubernetes workloads with automatic renewal.
 - **[Enrollment over Secure Transport](https://infisical.com/docs/documentation/platform/pki/est)**: Enroll and manage certificates via EST protocol.

+### Key Management (KMS):
+
+- **[Cryptograhic Keys](https://infisical.com/docs/documentation/platform/kms)**: Centrally manage keys across projects through a user-friendly interface or via the API.
+- **[Encrypt and Decrypt Data](https://infisical.com/docs/documentation/platform/kms#guide-to-encrypting-data)**: Use symmetric keys to encrypt and decrypt data.
+
 ### General Platform:
 - **Authentication Methods**: Authenticate machine identities with Infisical using a cloud-native or platform agnostic authentication method ([Kubernetes Auth](https://infisical.com/docs/documentation/platform/identities/kubernetes-auth), [GCP Auth](https://infisical.com/docs/documentation/platform/identities/gcp-auth), [Azure Auth](https://infisical.com/docs/documentation/platform/identities/azure-auth), [AWS Auth](https://infisical.com/docs/documentation/platform/identities/aws-auth), [OIDC Auth](https://infisical.com/docs/documentation/platform/identities/oidc-auth/general), [Universal Auth](https://infisical.com/docs/documentation/platform/identities/universal-auth)).
 - **[Access Controls](https://infisical.com/docs/documentation/platform/access-controls/overview)**: Define advanced authorization controls for users and machine identities with [RBAC](https://infisical.com/docs/documentation/platform/access-controls/role-based-access-controls), [additional privileges](https://infisical.com/docs/documentation/platform/access-controls/additional-privileges), [temporary access](https://infisical.com/docs/documentation/platform/access-controls/temporary-access), [access requests](https://infisical.com/docs/documentation/platform/access-controls/access-requests), [approval workflows](https://infisical.com/docs/documentation/platform/pr-workflows), and more.
@ -130,9 +135,7 @@ Lean about Infisical's code scanning feature [here](https://infisical.com/docs/c

 This repo available under the [MIT expat license](https://github.com/Infisical/infisical/blob/main/LICENSE), with the exception of the `ee` directory which will contain premium enterprise features requiring a Infisical license.

-If you are interested in managed Infisical Cloud of self-hosted Enterprise Offering, take a look at [our website](https://infisical.com/) or [book a meeting with us](https://infisical.cal.com/vlad/infisical-demo):
-
-<a href="[https://infisical.cal.com/vlad/infisical-demo](https://infisical.cal.com/vlad/infisical-demo)"><img alt="Schedule a meeting" src="https://cal.com/book-with-cal-dark.svg" /></a>
+If you are interested in managed Infisical Cloud of self-hosted Enterprise Offering, take a look at [our website](https://infisical.com/) or [book a meeting with us](https://infisical.cal.com/vlad/infisical-demo).

 ## Security

@ -158,4 +161,3 @@ Not sure where to get started? You can:
 - [Twitter](https://twitter.com/infisical) for fast news
 - [YouTube](https://www.youtube.com/@infisical_os) for videos on secret management
 - [Blog](https://infisical.com/blog) for secret management insights, articles, tutorials, and updates
- [Roadmap](https://www.notion.so/infisical/be2d2585a6694e40889b03aef96ea36b?v=5b19a8127d1a4060b54769567a8785fa) for planned features
--- a/backend/e2e-test/routes/v1/login.spec.ts
+++ b/backend/e2e-test/routes/v1/login.spec.ts
@ -39,8 +39,6 @@ describe("Login V1 Router", async () => {
    });
    expect(res.statusCode).toBe(200);
    const payload = JSON.parse(res.payload);
-    expect(payload).toHaveProperty("mfaEnabled");
    expect(payload).toHaveProperty("token");
-    expect(payload.mfaEnabled).toBeFalsy();
  });
 });
--- a/backend/e2e-test/routes/v1/project-env.spec.ts
+++ b/backend/e2e-test/routes/v1/project-env.spec.ts
@ -123,7 +123,7 @@ describe("Project Environment Router", async () => {
        id: deletedProjectEnvironment.id,
        name: mockProjectEnv.name,
        slug: mockProjectEnv.slug,
-        position: 4,
+        position: 5,
        createdAt: expect.any(String),
        updatedAt: expect.any(String)
      })
--- a/backend/e2e-test/routes/v1/secret-approval-policy.spec.ts
+++ b/backend/e2e-test/routes/v1/secret-approval-policy.spec.ts
@ -1,6 +1,7 @@
 import { seedData1 } from "@app/db/seed-data";
+import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";

-const createPolicy = async (dto: { name: string; secretPath: string; approvers: string[]; approvals: number }) => {
+const createPolicy = async (dto: { name: string; secretPath: string; approvers: {type: ApproverType.User, id: string}[]; approvals: number }) => {
  const res = await testServer.inject({
    method: "POST",
    url: `/api/v1/secret-approvals`,
@ -26,7 +27,7 @@ describe("Secret approval policy router", async () => {
    const policy = await createPolicy({
      secretPath: "/",
      approvals: 1,
-      approvers: [seedData1.id],
+      approvers: [{id:seedData1.id, type: ApproverType.User}],
      name: "test-policy"
    });

--- a/backend/e2e-test/routes/v2/service-token.spec.ts
+++ b/backend/e2e-test/routes/v2/service-token.spec.ts
@ -510,7 +510,7 @@ describe("Service token fail cases", async () => {
        authorization: `Bearer ${serviceToken}`
      }
    });
-    expect(fetchSecrets.statusCode).toBe(401);
+    expect(fetchSecrets.statusCode).toBe(403);
    expect(fetchSecrets.json().error).toBe("PermissionDenied");
    await deleteServiceToken();
  });
@ -532,7 +532,7 @@ describe("Service token fail cases", async () => {
        authorization: `Bearer ${serviceToken}`
      }
    });
-    expect(fetchSecrets.statusCode).toBe(401);
+    expect(fetchSecrets.statusCode).toBe(403);
    expect(fetchSecrets.json().error).toBe("PermissionDenied");
    await deleteServiceToken();
  });
@ -557,7 +557,7 @@ describe("Service token fail cases", async () => {
        authorization: `Bearer ${serviceToken}`
      }
    });
-    expect(writeSecrets.statusCode).toBe(401);
+    expect(writeSecrets.statusCode).toBe(403);
    expect(writeSecrets.json().error).toBe("PermissionDenied");

    // but read access should still work fine
--- a/backend/e2e-test/routes/v3/secret-reference.spec.ts
+++ b/backend/e2e-test/routes/v3/secret-reference.spec.ts
@ -56,7 +56,10 @@ describe("Secret expansion", () => {
      }
    ];

-    await Promise.all(secrets.map((el) => createSecretV2(el)));
+    for (const secret of secrets) {
+      // eslint-disable-next-line no-await-in-loop
+      await createSecretV2(secret);
+    }

    const expandedSecret = await getSecretByNameV2({
      environmentSlug: seedData1.environment.slug,
@ -123,7 +126,10 @@ describe("Secret expansion", () => {
      }
    ];

-    await Promise.all(secrets.map((el) => createSecretV2(el)));
+    for (const secret of secrets) {
+      // eslint-disable-next-line no-await-in-loop
+      await createSecretV2(secret);
+    }

    const expandedSecret = await getSecretByNameV2({
      environmentSlug: seedData1.environment.slug,
@ -190,7 +196,11 @@ describe("Secret expansion", () => {
      }
    ];

-    await Promise.all(secrets.map((el) => createSecretV2(el)));
+    for (const secret of secrets) {
+      // eslint-disable-next-line no-await-in-loop
+      await createSecretV2(secret);
+    }
+
    const secretImportFromProdToDev = await createSecretImport({
      environmentSlug: seedData1.environment.slug,
      workspaceId: projectId,
@ -275,7 +285,11 @@ describe("Secret expansion", () => {
        }
      ];

-      await Promise.all(secrets.map((el) => createSecretV2(el)));
+      for (const secret of secrets) {
+        // eslint-disable-next-line no-await-in-loop
+        await createSecretV2(secret);
+      }
+
      const secretImportFromProdToDev = await createSecretImport({
        environmentSlug: seedData1.environment.slug,
        workspaceId: projectId,
--- a/backend/e2e-test/routes/v3/secrets.spec.ts
+++ b/backend/e2e-test/routes/v3/secrets.spec.ts
@ -1075,7 +1075,7 @@ describe("Secret V3 Raw Router Without E2EE enabled", async () => {
      },
      body: createSecretReqBody
    });
-    expect(createSecRes.statusCode).toBe(400);
+    expect(createSecRes.statusCode).toBe(404);
  });

  test("Update secret raw", async () => {
@ -1093,7 +1093,7 @@ describe("Secret V3 Raw Router Without E2EE enabled", async () => {
      },
      body: updateSecretReqBody
    });
-    expect(updateSecRes.statusCode).toBe(400);
+    expect(updateSecRes.statusCode).toBe(404);
  });

  test("Delete secret raw", async () => {
@ -1110,6 +1110,6 @@ describe("Secret V3 Raw Router Without E2EE enabled", async () => {
      },
      body: deletedSecretReqBody
    });
-    expect(deletedSecRes.statusCode).toBe(400);
+    expect(deletedSecRes.statusCode).toBe(404);
  });
 });
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -45,13 +45,20 @@
    "test:e2e-coverage": "vitest run --coverage -c vitest.e2e.config.ts",
    "generate:component": "tsx ./scripts/create-backend-file.ts",
    "generate:schema": "tsx ./scripts/generate-schema-types.ts",
+    "auditlog-migration:latest": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:latest",
+    "auditlog-migration:up": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:up",
+    "auditlog-migration:down": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:down",
+    "auditlog-migration:list": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:list",
+    "auditlog-migration:status": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:status",
+    "auditlog-migration:rollback": "knex --knexfile ./src/db/auditlog-knexfile.ts migrate:rollback",
    "migration:new": "tsx ./scripts/create-migration.ts",
-    "migration:up": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:up",
-    "migration:down": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:down",
-    "migration:list": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:list",
-    "migration:latest": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
-    "migration:status": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
-    "migration:rollback": "knex --knexfile ./src/db/knexfile.ts migrate:rollback",
+    "migration:up": "npm run auditlog-migration:up && knex --knexfile ./src/db/knexfile.ts --client pg migrate:up",
+    "migration:down": "npm run auditlog-migration:down && knex --knexfile ./src/db/knexfile.ts --client pg migrate:down",
+    "migration:list": "npm run auditlog-migration:list && knex --knexfile ./src/db/knexfile.ts --client pg migrate:list",
+    "migration:latest": "npm run auditlog-migration:latest && knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
+    "migration:status": "npm run auditlog-migration:status && knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
+    "migration:rollback": "npm run auditlog-migration:rollback && knex --knexfile ./src/db/knexfile.ts migrate:rollback",
+    "migrate:org": "tsx ./scripts/migrate-organization.ts",
    "seed:new": "tsx ./scripts/create-seed-file.ts",
    "seed": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
    "db:reset": "npm run migration:rollback -- --all && npm run migration:latest"
@ -80,6 +87,7 @@
    "@types/prompt-sync": "^4.2.3",
    "@types/resolve": "^1.20.6",
    "@types/safe-regex": "^1.1.6",
+    "@types/sjcl": "^1.0.34",
    "@types/uuid": "^9.0.7",
    "@typescript-eslint/eslint-plugin": "^6.20.0",
    "@typescript-eslint/parser": "^6.20.0",
@ -118,12 +126,14 @@
    "@fastify/etag": "^5.1.0",
    "@fastify/formbody": "^7.4.0",
    "@fastify/helmet": "^11.1.1",
+    "@fastify/multipart": "8.3.0",
    "@fastify/passport": "^2.4.0",
    "@fastify/rate-limit": "^9.0.0",
    "@fastify/session": "^10.7.0",
    "@fastify/swagger": "^8.14.0",
    "@fastify/swagger-ui": "^2.1.0",
    "@node-saml/passport-saml": "^4.0.4",
+    "@octokit/auth-app": "^7.1.1",
    "@octokit/plugin-retry": "^5.0.5",
    "@octokit/rest": "^20.0.2",
    "@octokit/webhooks-types": "^7.3.1",
@ -158,6 +168,7 @@
    "jwks-rsa": "^3.1.0",
    "knex": "^3.0.1",
    "ldapjs": "^3.0.7",
+    "ldif": "0.5.1",
    "libsodium-wrappers": "^0.7.13",
    "lodash.isequal": "^4.5.0",
    "mongodb": "^6.8.1",
@ -178,10 +189,11 @@
    "pino": "^8.16.2",
    "pkijs": "^3.2.4",
    "posthog-node": "^3.6.2",
-    "probot": "^13.0.0",
+    "probot": "^13.3.8",
    "safe-regex": "^2.1.1",
    "scim-patch": "^0.8.3",
    "scim2-parse-filter": "^0.2.10",
+    "sjcl": "^1.0.8",
    "smee-client": "^2.0.0",
    "tedious": "^18.2.1",
    "tweetnacl": "^1.0.3",
--- a/backend/scripts/generate-schema-types.ts
+++ b/backend/scripts/generate-schema-types.ts
@ -90,7 +90,12 @@ const main = async () => {
      .whereRaw("table_schema =  current_schema()")
      .select<{ tableName: string }[]>("table_name as tableName")
      .orderBy("table_name")
-  ).filter((el) => !el.tableName.includes("_migrations"));
+  ).filter(
+    (el) =>
+      !el.tableName.includes("_migrations") &&
+      !el.tableName.includes("audit_logs_") &&
+      el.tableName !== "intermediate_audit_logs"
+  );

  for (let i = 0; i < tables.length; i += 1) {
    const { tableName } = tables[i];
--- a/backend/scripts/migrate-organization.ts
+++ b/backend/scripts/migrate-organization.ts
@ -0,0 +1,84 @@
+/* eslint-disable */
+import promptSync from "prompt-sync";
+import { execSync } from "child_process";
+import path from "path";
+import { existsSync } from "fs";
+
+const prompt = promptSync({
+  sigint: true
+});
+
+const exportDb = () => {
+  const exportHost = prompt("Enter your Postgres Host to migrate from: ");
+  const exportPort = prompt("Enter your Postgres Port to migrate from [Default = 5432]: ") ?? "5432";
+  const exportUser = prompt("Enter your Postgres User to migrate from: [Default = infisical]: ") ?? "infisical";
+  const exportPassword = prompt("Enter your Postgres Password to migrate from: ");
+  const exportDatabase = prompt("Enter your Postgres Database to migrate from [Default = infisical]: ") ?? "infisical";
+
+  // we do not include the audit_log and secret_sharing entries
+  execSync(
+    `PGDATABASE="${exportDatabase}" PGPASSWORD="${exportPassword}" PGHOST="${exportHost}" PGPORT=${exportPort} PGUSER=${exportUser} pg_dump infisical --exclude-table-data="secret_sharing" --exclude-table-data="audit_log*" > ${path.join(
+      __dirname,
+      "../src/db/dump.sql"
+    )}`,
+    { stdio: "inherit" }
+  );
+};
+
+const importDbForOrg = () => {
+  const importHost = prompt("Enter your Postgres Host to migrate to: ");
+  const importPort = prompt("Enter your Postgres Port to migrate to [Default = 5432]: ") ?? "5432";
+  const importUser = prompt("Enter your Postgres User to migrate to: [Default = infisical]: ") ?? "infisical";
+  const importPassword = prompt("Enter your Postgres Password to migrate to: ");
+  const importDatabase = prompt("Enter your Postgres Database to migrate to [Default = infisical]: ") ?? "infisical";
+  const orgId = prompt("Enter the organization ID to migrate: ");
+
+  if (!existsSync(path.join(__dirname, "../src/db/dump.sql"))) {
+    console.log("File not found, please export the database first.");
+    return;
+  }
+
+  execSync(
+    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -f ${path.join(
+      __dirname,
+      "../src/db/dump.sql"
+    )}`
+  );
+
+  execSync(
+    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c "DELETE FROM public.organizations WHERE id != '${orgId}'"`
+  );
+
+  // delete global/instance-level resources not relevant to the organization to migrate
+  // users
+  execSync(
+    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM users WHERE users.id NOT IN (SELECT org_memberships."userId" FROM org_memberships)'`
+  );
+
+  // identities
+  execSync(
+    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM identities WHERE id NOT IN (SELECT "identityId" FROM identity_org_memberships)'`
+  );
+
+  // reset slack configuration in superAdmin
+  execSync(
+    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c 'UPDATE super_admin SET "encryptedSlackClientId" = null, "encryptedSlackClientSecret" = null'`
+  );
+
+  console.log("Organization migrated successfully.");
+};
+
+const main = () => {
+  const action = prompt(
+    "Enter the action to perform\n 1. Export from existing instance.\n 2. Import org to instance.\n \n Action: "
+  );
+  if (action === "1") {
+    exportDb();
+  } else if (action === "2") {
+    importDbForOrg();
+  } else {
+    console.log("Invalid action");
+  }
+};
+
+main();
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@ -13,6 +13,7 @@ import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secr
 import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
 import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
 import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
+import { TIdentityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
@ -38,6 +39,9 @@ import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-se
 import { TCertificateServiceFactory } from "@app/services/certificate/certificate-service";
 import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
 import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
+import { TCmekServiceFactory } from "@app/services/cmek/cmek-service";
+import { TExternalGroupOrgRoleMappingServiceFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-service";
+import { TExternalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
@ -174,6 +178,7 @@ declare module "fastify" {
      dynamicSecretLease: TDynamicSecretLeaseServiceFactory;
      projectUserAdditionalPrivilege: TProjectUserAdditionalPrivilegeServiceFactory;
      identityProjectAdditionalPrivilege: TIdentityProjectAdditionalPrivilegeServiceFactory;
+      identityProjectAdditionalPrivilegeV2: TIdentityProjectAdditionalPrivilegeV2ServiceFactory;
      secretSharing: TSecretSharingServiceFactory;
      rateLimit: TRateLimitServiceFactory;
      userEngagement: TUserEngagementServiceFactory;
@ -181,6 +186,9 @@ declare module "fastify" {
      orgAdmin: TOrgAdminServiceFactory;
      slack: TSlackServiceFactory;
      workflowIntegration: TWorkflowIntegrationServiceFactory;
+      cmek: TCmekServiceFactory;
+      migration: TExternalMigrationServiceFactory;
+      externalGroupOrgRoleMapping: TExternalGroupOrgRoleMappingServiceFactory;
    };
    // this is exclusive use for middlewares in which we need to inject data
    // everywhere else access using service layer
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@ -101,6 +101,9 @@ import {
  TIdentityKubernetesAuths,
  TIdentityKubernetesAuthsInsert,
  TIdentityKubernetesAuthsUpdate,
+  TIdentityMetadata,
+  TIdentityMetadataInsert,
+  TIdentityMetadataUpdate,
  TIdentityOidcAuths,
  TIdentityOidcAuthsInsert,
  TIdentityOidcAuthsUpdate,
@ -333,6 +336,11 @@ import {
  TWorkflowIntegrationsInsert,
  TWorkflowIntegrationsUpdate
 } from "@app/db/schemas";
+import {
+  TExternalGroupOrgRoleMappings,
+  TExternalGroupOrgRoleMappingsInsert,
+  TExternalGroupOrgRoleMappingsUpdate
+} from "@app/db/schemas/external-group-org-role-mappings";
 import {
  TSecretV2TagJunction,
  TSecretV2TagJunctionInsert,
@ -546,6 +554,11 @@ declare module "knex/types/tables" {
      TIdentityUniversalAuthsInsert,
      TIdentityUniversalAuthsUpdate
    >;
+    [TableName.IdentityMetadata]: KnexOriginal.CompositeTableType<
+      TIdentityMetadata,
+      TIdentityMetadataInsert,
+      TIdentityMetadataUpdate
+    >;
    [TableName.IdentityKubernetesAuth]: KnexOriginal.CompositeTableType<
      TIdentityKubernetesAuths,
      TIdentityKubernetesAuthsInsert,
@ -800,5 +813,10 @@ declare module "knex/types/tables" {
      TWorkflowIntegrationsInsert,
      TWorkflowIntegrationsUpdate
    >;
+    [TableName.ExternalGroupOrgRoleMapping]: KnexOriginal.CompositeTableType<
+      TExternalGroupOrgRoleMappings,
+      TExternalGroupOrgRoleMappingsInsert,
+      TExternalGroupOrgRoleMappingsUpdate
+    >;
  }
 }
--- a/backend/src/@types/ldif.d.ts
+++ b/backend/src/@types/ldif.d.ts
@ -0,0 +1,4 @@
+declare module "ldif" {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Untyped, the function returns `any`.
+  function parse(input: string, ...args: any[]): any;
+}
--- a/backend/src/db/auditlog-knexfile.ts
+++ b/backend/src/db/auditlog-knexfile.ts
@ -0,0 +1,75 @@
+// eslint-disable-next-line
+import "ts-node/register";
+
+import dotenv from "dotenv";
+import type { Knex } from "knex";
+import path from "path";
+
+// Update with your config settings. .
+dotenv.config({
+  path: path.join(__dirname, "../../../.env.migration")
+});
+dotenv.config({
+  path: path.join(__dirname, "../../../.env")
+});
+
+if (!process.env.AUDIT_LOGS_DB_CONNECTION_URI && !process.env.AUDIT_LOGS_DB_HOST) {
+  console.info("Dedicated audit log database not found. No further migrations necessary");
+  process.exit(0);
+}
+
+console.info("Executing migration on audit log database...");
+
+export default {
+  development: {
+    client: "postgres",
+    connection: {
+      connectionString: process.env.AUDIT_LOGS_DB_CONNECTION_URI,
+      host: process.env.AUDIT_LOGS_DB_HOST,
+      port: process.env.AUDIT_LOGS_DB_PORT,
+      user: process.env.AUDIT_LOGS_DB_USER,
+      database: process.env.AUDIT_LOGS_DB_NAME,
+      password: process.env.AUDIT_LOGS_DB_PASSWORD,
+      ssl: process.env.AUDIT_LOGS_DB_ROOT_CERT
+        ? {
+            rejectUnauthorized: true,
+            ca: Buffer.from(process.env.AUDIT_LOGS_DB_ROOT_CERT, "base64").toString("ascii")
+          }
+        : false
+    },
+    pool: {
+      min: 2,
+      max: 10
+    },
+    seeds: {
+      directory: "./seeds"
+    },
+    migrations: {
+      tableName: "infisical_migrations"
+    }
+  },
+  production: {
+    client: "postgres",
+    connection: {
+      connectionString: process.env.AUDIT_LOGS_DB_CONNECTION_URI,
+      host: process.env.AUDIT_LOGS_DB_HOST,
+      port: process.env.AUDIT_LOGS_DB_PORT,
+      user: process.env.AUDIT_LOGS_DB_USER,
+      database: process.env.AUDIT_LOGS_DB_NAME,
+      password: process.env.AUDIT_LOGS_DB_PASSWORD,
+      ssl: process.env.AUDIT_LOGS_DB_ROOT_CERT
+        ? {
+            rejectUnauthorized: true,
+            ca: Buffer.from(process.env.AUDIT_LOGS_DB_ROOT_CERT, "base64").toString("ascii")
+          }
+        : false
+    },
+    pool: {
+      min: 2,
+      max: 10
+    },
+    migrations: {
+      tableName: "infisical_migrations"
+    }
+  }
+} as Knex.Config;
--- a/backend/src/db/index.ts
+++ b/backend/src/db/index.ts
@ -1,2 +1,2 @@
 export type { TDbClient } from "./instance";
-export { initDbConnection } from "./instance";
+export { initAuditLogDbConnection, initDbConnection } from "./instance";
--- a/backend/src/db/instance.ts
+++ b/backend/src/db/instance.ts
@ -70,3 +70,45 @@ export const initDbConnection = ({

  return db;
 };
+
+export const initAuditLogDbConnection = ({
+  dbConnectionUri,
+  dbRootCert
+}: {
+  dbConnectionUri: string;
+  dbRootCert?: string;
+}) => {
+  // akhilmhdh: the default Knex is knex.Knex<any, any[]>. but when assigned with knex({<config>}) the value is knex.Knex<any, unknown[]>
+  // this was causing issue with files like `snapshot-dal` `findRecursivelySnapshots` this i am explicitly putting the any and unknown[]
+  // eslint-disable-next-line
+  const db: Knex<any, unknown[]> = knex({
+    client: "pg",
+    connection: {
+      connectionString: dbConnectionUri,
+      host: process.env.AUDIT_LOGS_DB_HOST,
+      // @ts-expect-error I have no clue why only for the port there is a type error
+      // eslint-disable-next-line
+      port: process.env.AUDIT_LOGS_DB_PORT,
+      user: process.env.AUDIT_LOGS_DB_USER,
+      database: process.env.AUDIT_LOGS_DB_NAME,
+      password: process.env.AUDIT_LOGS_DB_PASSWORD,
+      ssl: dbRootCert
+        ? {
+            rejectUnauthorized: true,
+            ca: Buffer.from(dbRootCert, "base64").toString("ascii")
+          }
+        : false
+    }
+  });
+
+  // we add these overrides so that auditLogDb and the primary DB are interchangeable
+  db.primaryNode = () => {
+    return db;
+  };
+
+  db.replicaNode = () => {
+    return db;
+  };
+
+  return db;
+};
--- a/backend/src/db/manual-migrations/partition-audit-logs.ts
+++ b/backend/src/db/manual-migrations/partition-audit-logs.ts
@ -0,0 +1,161 @@
+import kx, { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+const INTERMEDIATE_AUDIT_LOG_TABLE = "intermediate_audit_logs";
+
+const formatPartitionDate = (date: Date) => {
+  const year = date.getFullYear();
+  const month = String(date.getMonth() + 1).padStart(2, "0");
+  const day = String(date.getDate()).padStart(2, "0");
+
+  return `${year}-${month}-${day}`;
+};
+
+const createAuditLogPartition = async (knex: Knex, startDate: Date, endDate: Date) => {
+  const startDateStr = formatPartitionDate(startDate);
+  const endDateStr = formatPartitionDate(endDate);
+
+  const partitionName = `${TableName.AuditLog}_${startDateStr.replace(/-/g, "")}_${endDateStr.replace(/-/g, "")}`;
+
+  await knex.schema.raw(
+    `CREATE TABLE ${partitionName} PARTITION OF ${TableName.AuditLog} FOR VALUES FROM ('${startDateStr}') TO ('${endDateStr}')`
+  );
+};
+
+const up = async (knex: Knex): Promise<void> => {
+  console.info("Dropping primary key of audit log table...");
+  await knex.schema.alterTable(TableName.AuditLog, (t) => {
+    // remove existing keys
+    t.dropPrimary();
+  });
+
+  // Get all indices of the audit log table and drop them
+  const indexNames: { rows: { indexname: string }[] } = await knex.raw(
+    `
+    SELECT indexname
+    FROM pg_indexes
+    WHERE tablename = '${TableName.AuditLog}'
+  `
+  );
+
+  console.log(
+    "Deleting existing audit log indices:",
+    indexNames.rows.map((e) => e.indexname)
+  );
+
+  for await (const row of indexNames.rows) {
+    await knex.raw(`DROP INDEX IF EXISTS ${row.indexname}`);
+  }
+
+  // renaming audit log to intermediate table
+  console.log("Renaming audit log table to the intermediate name");
+  await knex.schema.renameTable(TableName.AuditLog, INTERMEDIATE_AUDIT_LOG_TABLE);
+
+  if (!(await knex.schema.hasTable(TableName.AuditLog))) {
+    const createTableSql = knex.schema
+      .createTable(TableName.AuditLog, (t) => {
+        t.uuid("id").defaultTo(knex.fn.uuid());
+        t.string("actor").notNullable();
+        t.jsonb("actorMetadata").notNullable();
+        t.string("ipAddress");
+        t.string("eventType").notNullable();
+        t.jsonb("eventMetadata");
+        t.string("userAgent");
+        t.string("userAgentType");
+        t.datetime("expiresAt");
+        t.timestamps(true, true, true);
+        t.uuid("orgId");
+        t.string("projectId");
+        t.string("projectName");
+        t.primary(["id", "createdAt"]);
+      })
+      .toString();
+
+    console.info("Creating partition table...");
+    await knex.schema.raw(`
+        ${createTableSql} PARTITION BY RANGE ("createdAt");
+    `);
+
+    console.log("Adding indices...");
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      t.index(["projectId", "createdAt"]);
+      t.index(["orgId", "createdAt"]);
+      t.index("expiresAt");
+      t.index("orgId");
+      t.index("projectId");
+    });
+
+    console.log("Adding GIN indices...");
+
+    await knex.raw(
+      `CREATE INDEX IF NOT EXISTS "audit_logs_actorMetadata_idx" ON ${TableName.AuditLog} USING gin("actorMetadata" jsonb_path_ops)`
+    );
+    console.log("GIN index for actorMetadata done");
+
+    await knex.raw(
+      `CREATE INDEX IF NOT EXISTS "audit_logs_eventMetadata_idx" ON ${TableName.AuditLog} USING gin("eventMetadata" jsonb_path_ops)`
+    );
+    console.log("GIN index for eventMetadata done");
+
+    // create default partition
+    console.log("Creating default partition...");
+    await knex.schema.raw(`CREATE TABLE ${TableName.AuditLog}_default PARTITION OF ${TableName.AuditLog} DEFAULT`);
+
+    const nextDate = new Date();
+    nextDate.setDate(nextDate.getDate() + 1);
+    const nextDateStr = formatPartitionDate(nextDate);
+
+    console.log("Attaching existing audit log table as a partition...");
+    await knex.schema.raw(`
+    ALTER TABLE ${INTERMEDIATE_AUDIT_LOG_TABLE} ADD CONSTRAINT audit_log_old
+    CHECK ( "createdAt" < DATE '${nextDateStr}' );
+
+    ALTER TABLE ${TableName.AuditLog} ATTACH PARTITION ${INTERMEDIATE_AUDIT_LOG_TABLE}
+    FOR VALUES FROM (MINVALUE) TO ('${nextDateStr}' );
+    `);
+
+    // create partition from now until end of month
+    console.log("Creating audit log partitions ahead of time... next date:", nextDateStr);
+    await createAuditLogPartition(knex, nextDate, new Date(nextDate.getFullYear(), nextDate.getMonth() + 1));
+
+    // create partitions 4 years ahead
+    const partitionMonths = 4 * 12;
+    const partitionPromises: Promise<void>[] = [];
+    for (let x = 1; x <= partitionMonths; x += 1) {
+      partitionPromises.push(
+        createAuditLogPartition(
+          knex,
+          new Date(nextDate.getFullYear(), nextDate.getMonth() + x, 1),
+          new Date(nextDate.getFullYear(), nextDate.getMonth() + (x + 1), 1)
+        )
+      );
+    }
+
+    await Promise.all(partitionPromises);
+    console.log("Partition migration complete");
+  }
+};
+
+export const executeMigration = async (url: string) => {
+  console.log("Executing migration...");
+  const knex = kx({
+    client: "pg",
+    connection: url
+  });
+
+  await knex.transaction(async (tx) => {
+    await up(tx);
+  });
+};
+
+const dbUrl = process.env.AUDIT_LOGS_DB_CONNECTION_URI;
+if (!dbUrl) {
+  console.error("Please provide a DB connection URL to the AUDIT_LOGS_DB_CONNECTION_URI env");
+  process.exit(1);
+}
+
+void executeMigration(dbUrl).then(() => {
+  console.log("Migration: partition-audit-logs DONE");
+  process.exit(0);
+});
--- a/backend/src/db/migrations/20240918005344_add-group-approvals.ts
+++ b/backend/src/db/migrations/20240918005344_add-group-approvals.ts
@ -0,0 +1,76 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasAccessApproverGroupId = await knex.schema.hasColumn(
+    TableName.AccessApprovalPolicyApprover,
+    "approverGroupId"
+  );
+  const hasAccessApproverUserId = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "approverUserId");
+  const hasSecretApproverGroupId = await knex.schema.hasColumn(
+    TableName.SecretApprovalPolicyApprover,
+    "approverGroupId"
+  );
+  const hasSecretApproverUserId = await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverUserId");
+  if (await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover)) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (table) => {
+      // add column approverGroupId to AccessApprovalPolicyApprover
+      if (!hasAccessApproverGroupId) {
+        table.uuid("approverGroupId").nullable().references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      }
+
+      // make approverUserId nullable
+      if (hasAccessApproverUserId) {
+        table.uuid("approverUserId").nullable().alter();
+      }
+    });
+    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (table) => {
+      // add column approverGroupId to SecretApprovalPolicyApprover
+      if (!hasSecretApproverGroupId) {
+        table.uuid("approverGroupId").nullable().references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      }
+
+      // make approverUserId nullable
+      if (hasSecretApproverUserId) {
+        table.uuid("approverUserId").nullable().alter();
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasAccessApproverGroupId = await knex.schema.hasColumn(
+    TableName.AccessApprovalPolicyApprover,
+    "approverGroupId"
+  );
+  const hasAccessApproverUserId = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "approverUserId");
+  const hasSecretApproverGroupId = await knex.schema.hasColumn(
+    TableName.SecretApprovalPolicyApprover,
+    "approverGroupId"
+  );
+  const hasSecretApproverUserId = await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverUserId");
+
+  if (await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover)) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (table) => {
+      if (hasAccessApproverGroupId) {
+        table.dropColumn("approverGroupId");
+      }
+      // make approverUserId not nullable
+      if (hasAccessApproverUserId) {
+        table.uuid("approverUserId").notNullable().alter();
+      }
+    });
+
+    // remove
+    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (table) => {
+      if (hasSecretApproverGroupId) {
+        table.dropColumn("approverGroupId");
+      }
+      // make approverUserId not nullable
+      if (hasSecretApproverUserId) {
+        table.uuid("approverUserId").notNullable().alter();
+      }
+    });
+  }
+}
--- a/backend/src/db/migrations/20240924100329_identity-metadata.ts
+++ b/backend/src/db/migrations/20240924100329_identity-metadata.ts
@ -0,0 +1,24 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityMetadata))) {
+    await knex.schema.createTable(TableName.IdentityMetadata, (tb) => {
+      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      tb.string("key").notNullable();
+      tb.string("value").notNullable();
+      tb.uuid("orgId").notNullable();
+      tb.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      tb.uuid("userId");
+      tb.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      tb.uuid("identityId");
+      tb.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      tb.timestamps(true, true, true);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityMetadata);
+}
--- a/backend/src/db/migrations/20240925100349_managed-secret-sharing.ts
+++ b/backend/src/db/migrations/20240925100349_managed-secret-sharing.ts
@ -0,0 +1,43 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const hasEncryptedSecret = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSecret");
+    const hasIdentifier = await knex.schema.hasColumn(TableName.SecretSharing, "identifier");
+
+    await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+      t.string("iv").nullable().alter();
+      t.string("tag").nullable().alter();
+      t.string("encryptedValue").nullable().alter();
+
+      if (!hasEncryptedSecret) {
+        t.binary("encryptedSecret").nullable();
+      }
+      t.string("hashedHex").nullable().alter();
+
+      if (!hasIdentifier) {
+        t.string("identifier", 64).nullable();
+        t.unique("identifier");
+        t.index("identifier");
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasEncryptedSecret = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSecret");
+  const hasIdentifier = await knex.schema.hasColumn(TableName.SecretSharing, "identifier");
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+      if (hasEncryptedSecret) {
+        t.dropColumn("encryptedSecret");
+      }
+
+      if (hasIdentifier) {
+        t.dropColumn("identifier");
+      }
+    });
+  }
+}
--- a/backend/src/db/migrations/20240930072738_add-oidc-auth-enforced-to-org.ts
+++ b/backend/src/db/migrations/20240930072738_add-oidc-auth-enforced-to-org.ts
@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.OidcConfig, "lastUsed"))) {
+    await knex.schema.alterTable(TableName.OidcConfig, (tb) => {
+      tb.datetime("lastUsed");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.OidcConfig, "lastUsed")) {
+    await knex.schema.alterTable(TableName.OidcConfig, (tb) => {
+      tb.dropColumn("lastUsed");
+    });
+  }
+}
--- a/backend/src/db/migrations/20241003220151_kms-key-cmek-alterations.ts
+++ b/backend/src/db/migrations/20241003220151_kms-key-cmek-alterations.ts
@ -0,0 +1,52 @@
+import { Knex } from "knex";
+
+import { dropConstraintIfExists } from "@app/db/migrations/utils/dropConstraintIfExists";
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.KmsKey)) {
+    const hasOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
+    const hasSlug = await knex.schema.hasColumn(TableName.KmsKey, "slug");
+    const hasProjectId = await knex.schema.hasColumn(TableName.KmsKey, "projectId");
+
+    // drop constraint if exists (won't exist if rolled back, see below)
+    await dropConstraintIfExists(TableName.KmsKey, "kms_keys_orgid_slug_unique", knex);
+
+    // projectId for CMEK functionality
+    await knex.schema.alterTable(TableName.KmsKey, (table) => {
+      if (!hasProjectId) {
+        table.string("projectId").nullable().references("id").inTable(TableName.Project).onDelete("CASCADE");
+      }
+
+      if (hasOrgId && hasSlug) {
+        table.unique(["orgId", "projectId", "slug"]);
+      }
+
+      if (hasSlug) {
+        table.renameColumn("slug", "name");
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.KmsKey)) {
+    const hasOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
+    const hasName = await knex.schema.hasColumn(TableName.KmsKey, "name");
+    const hasProjectId = await knex.schema.hasColumn(TableName.KmsKey, "projectId");
+
+    // remove projectId for CMEK functionality
+    await knex.schema.alterTable(TableName.KmsKey, (table) => {
+      if (hasName) {
+        table.renameColumn("name", "slug");
+      }
+
+      if (hasOrgId) {
+        table.dropUnique(["orgId", "projectId", "slug"]);
+      }
+      if (hasProjectId) {
+        table.dropColumn("projectId");
+      }
+    });
+  }
+}
--- a/backend/src/db/migrations/20241005170802_kms-keys-temp-slug-col.ts
+++ b/backend/src/db/migrations/20241005170802_kms-keys-temp-slug-col.ts
@ -0,0 +1,30 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.KmsKey)) {
+    const hasSlug = await knex.schema.hasColumn(TableName.KmsKey, "slug");
+
+    if (!hasSlug) {
+      // add slug back temporarily and set value equal to name
+      await knex.schema
+        .alterTable(TableName.KmsKey, (table) => {
+          table.string("slug", 32);
+        })
+        .then(() => knex(TableName.KmsKey).update("slug", knex.ref("name")));
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.KmsKey)) {
+    const hasSlug = await knex.schema.hasColumn(TableName.KmsKey, "slug");
+
+    if (hasSlug) {
+      await knex.schema.alterTable(TableName.KmsKey, (table) => {
+        table.dropColumn("slug");
+      });
+    }
+  }
+}
--- a/backend/src/db/migrations/20241007052025_make-audit-log-independent.ts
+++ b/backend/src/db/migrations/20241007052025_make-audit-log-independent.ts
@ -0,0 +1,48 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
+    const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
+    const doesProjectNameExist = await knex.schema.hasColumn(TableName.AuditLog, "projectName");
+
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesOrgIdExist) {
+        t.dropForeign("orgId");
+      }
+
+      if (doesProjectIdExist) {
+        t.dropForeign("projectId");
+      }
+
+      // add normalized field
+      if (!doesProjectNameExist) {
+        t.string("projectName");
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
+  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
+  const doesProjectNameExist = await knex.schema.hasColumn(TableName.AuditLog, "projectName");
+
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesOrgIdExist) {
+        t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      }
+      if (doesProjectIdExist) {
+        t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      }
+
+      // remove normalized field
+      if (doesProjectNameExist) {
+        t.dropColumn("projectName");
+      }
+    });
+  }
+}
--- a/backend/src/db/migrations/20241007202149_default-org-membership-roles.ts
+++ b/backend/src/db/migrations/20241007202149_default-org-membership-roles.ts
@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  // org default role
+  if (await knex.schema.hasTable(TableName.Organization)) {
+    const hasDefaultRoleCol = await knex.schema.hasColumn(TableName.Organization, "defaultMembershipRole");
+
+    if (!hasDefaultRoleCol) {
+      await knex.schema.alterTable(TableName.Organization, (tb) => {
+        tb.string("defaultMembershipRole").notNullable().defaultTo("member");
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  // org default role
+  if (await knex.schema.hasTable(TableName.Organization)) {
+    const hasDefaultRoleCol = await knex.schema.hasColumn(TableName.Organization, "defaultMembershipRole");
+
+    if (hasDefaultRoleCol) {
+      await knex.schema.alterTable(TableName.Organization, (tb) => {
+        tb.dropColumn("defaultMembershipRole");
+      });
+    }
+  }
+}
--- a/backend/src/db/migrations/20241008172622_project-permission-split.ts
+++ b/backend/src/db/migrations/20241008172622_project-permission-split.ts
@ -0,0 +1,101 @@
+/* eslint-disable no-await-in-loop */
+import { packRules, unpackRules } from "@casl/ability/extra";
+import { Knex } from "knex";
+
+import {
+  backfillPermissionV1SchemaToV2Schema,
+  ProjectPermissionSub
+} from "@app/ee/services/permission/project-permission";
+
+import { TableName } from "../schemas";
+
+const CHUNK_SIZE = 1000;
+export async function up(knex: Knex): Promise<void> {
+  const hasVersion = await knex.schema.hasColumn(TableName.ProjectRoles, "version");
+  if (!hasVersion) {
+    await knex.schema.alterTable(TableName.ProjectRoles, (t) => {
+      t.integer("version").defaultTo(1).notNullable();
+    });
+
+    const docs = await knex(TableName.ProjectRoles).select("*");
+    const updatedDocs = docs
+      .filter((i) => {
+        const permissionString = JSON.stringify(i.permissions || []);
+        return (
+          !permissionString.includes(ProjectPermissionSub.SecretImports) &&
+          !permissionString.includes(ProjectPermissionSub.DynamicSecrets)
+        );
+      })
+      .map((el) => ({
+        ...el,
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+        // @ts-ignore-error this is valid ts
+        permissions: JSON.stringify(packRules(backfillPermissionV1SchemaToV2Schema(unpackRules(el.permissions), true)))
+      }));
+    if (updatedDocs.length) {
+      for (let i = 0; i < updatedDocs.length; i += CHUNK_SIZE) {
+        const chunk = updatedDocs.slice(i, i + CHUNK_SIZE);
+        await knex(TableName.ProjectRoles).insert(chunk).onConflict("id").merge();
+      }
+    }
+
+    // secret permission is split into multiple ones like secrets, folders, imports and dynamic-secrets
+    // so we just find all the privileges with respective mapping and map it as needed
+    const identityPrivileges = await knex(TableName.IdentityProjectAdditionalPrivilege).select("*");
+    const updatedIdentityPrivilegesDocs = identityPrivileges
+      .filter((i) => {
+        const permissionString = JSON.stringify(i.permissions || []);
+        return (
+          !permissionString.includes(ProjectPermissionSub.SecretImports) &&
+          !permissionString.includes(ProjectPermissionSub.DynamicSecrets) &&
+          !permissionString.includes(ProjectPermissionSub.SecretFolders)
+        );
+      })
+      .map((el) => ({
+        ...el,
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+        // @ts-ignore-error this is valid ts
+        permissions: JSON.stringify(packRules(backfillPermissionV1SchemaToV2Schema(unpackRules(el.permissions))))
+      }));
+    if (updatedIdentityPrivilegesDocs.length) {
+      for (let i = 0; i < updatedIdentityPrivilegesDocs.length; i += CHUNK_SIZE) {
+        const chunk = updatedIdentityPrivilegesDocs.slice(i, i + CHUNK_SIZE);
+        await knex(TableName.IdentityProjectAdditionalPrivilege).insert(chunk).onConflict("id").merge();
+      }
+    }
+
+    const userPrivileges = await knex(TableName.ProjectUserAdditionalPrivilege).select("*");
+    const updatedUserPrivilegeDocs = userPrivileges
+      .filter((i) => {
+        const permissionString = JSON.stringify(i.permissions || []);
+        return (
+          !permissionString.includes(ProjectPermissionSub.SecretImports) &&
+          !permissionString.includes(ProjectPermissionSub.DynamicSecrets) &&
+          !permissionString.includes(ProjectPermissionSub.SecretFolders)
+        );
+      })
+      .map((el) => ({
+        ...el,
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+        // @ts-ignore-error this is valid ts
+        permissions: JSON.stringify(packRules(backfillPermissionV1SchemaToV2Schema(unpackRules(el.permissions))))
+      }));
+    if (docs.length) {
+      for (let i = 0; i < updatedUserPrivilegeDocs.length; i += CHUNK_SIZE) {
+        const chunk = updatedUserPrivilegeDocs.slice(i, i + CHUNK_SIZE);
+        await knex(TableName.ProjectUserAdditionalPrivilege).insert(chunk).onConflict("id").merge();
+      }
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasVersion = await knex.schema.hasColumn(TableName.ProjectRoles, "version");
+  if (hasVersion) {
+    await knex.schema.alterTable(TableName.ProjectRoles, (t) => {
+      t.dropColumn("version");
+    });
+
+    // permission change can be ignored
+  }
+}
--- a/backend/src/db/migrations/20241015084434_increase-identity-metadata-col-length.ts
+++ b/backend/src/db/migrations/20241015084434_increase-identity-metadata-col-length.ts
@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.IdentityMetadata, "value")) {
+    await knex.schema.alterTable(TableName.IdentityMetadata, (t) => {
+      t.string("value", 1020).alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.IdentityMetadata, "value")) {
+    await knex.schema.alterTable(TableName.IdentityMetadata, (t) => {
+      t.string("value", 255).alter();
+    });
+  }
+}
--- a/backend/src/db/migrations/20241015145450_external-group-org-role-mapping.ts
+++ b/backend/src/db/migrations/20241015145450_external-group-org-role-mapping.ts
@ -0,0 +1,32 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
+
+export async function up(knex: Knex): Promise<void> {
+  // add external group to org role mapping table
+  if (!(await knex.schema.hasTable(TableName.ExternalGroupOrgRoleMapping))) {
+    await knex.schema.createTable(TableName.ExternalGroupOrgRoleMapping, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("groupName").notNullable();
+      t.index("groupName");
+      t.string("role").notNullable();
+      t.uuid("roleId");
+      t.foreign("roleId").references("id").inTable(TableName.OrgRoles);
+      t.uuid("orgId").notNullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+      t.unique(["orgId", "groupName"]);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.ExternalGroupOrgRoleMapping);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.ExternalGroupOrgRoleMapping)) {
+    await dropOnUpdateTrigger(knex, TableName.ExternalGroupOrgRoleMapping);
+
+    await knex.schema.dropTable(TableName.ExternalGroupOrgRoleMapping);
+  }
+}
--- a/backend/src/db/migrations/20241016183616_add-org-enforce-mfa.ts
+++ b/backend/src/db/migrations/20241016183616_add-org-enforce-mfa.ts
@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.Organization, "enforceMfa"))) {
+    await knex.schema.alterTable(TableName.Organization, (tb) => {
+      tb.boolean("enforceMfa").defaultTo(false).notNullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.Organization, "enforceMfa")) {
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      t.dropColumn("enforceMfa");
+    });
+  }
+}
--- a/backend/src/db/migrations/20241021114650_add-missing-org-cascade-references.ts
+++ b/backend/src/db/migrations/20241021114650_add-missing-org-cascade-references.ts
@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SamlConfig, "orgId")) {
+    await knex.schema.alterTable(TableName.SamlConfig, (t) => {
+      t.dropForeign("orgId");
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SamlConfig, "orgId")) {
+    await knex.schema.alterTable(TableName.SamlConfig, (t) => {
+      t.dropForeign("orgId");
+      t.foreign("orgId").references("id").inTable(TableName.Organization);
+    });
+  }
+}
--- a/backend/src/db/migrations/utils/dropConstraintIfExists.ts
+++ b/backend/src/db/migrations/utils/dropConstraintIfExists.ts
@ -0,0 +1,6 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export const dropConstraintIfExists = (tableName: TableName, constraintName: string, knex: Knex) =>
+  knex.raw(`ALTER TABLE ${tableName} DROP CONSTRAINT IF EXISTS ${constraintName};`);
--- a/backend/src/db/migrations/utils/kms.ts
+++ b/backend/src/db/migrations/utils/kms.ts
@ -54,7 +54,7 @@ export const getSecretManagerDataKey = async (knex: Knex, projectId: string) =>
  } else {
    const [kmsDoc] = await knex(TableName.KmsKey)
      .insert({
-        slug: slugify(alphaNumericNanoId(8).toLowerCase()),
+        name: slugify(alphaNumericNanoId(8).toLowerCase()),
        orgId: project.orgId,
        isReserved: false
      })
--- a/backend/src/db/schemas/access-approval-policies-approvers.ts
+++ b/backend/src/db/schemas/access-approval-policies-approvers.ts
@ -12,7 +12,8 @@ export const AccessApprovalPoliciesApproversSchema = z.object({
  policyId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  approverUserId: z.string().uuid()
+  approverUserId: z.string().uuid().nullable().optional(),
+  approverGroupId: z.string().uuid().nullable().optional()
 });

 export type TAccessApprovalPoliciesApprovers = z.infer<typeof AccessApprovalPoliciesApproversSchema>;
--- a/backend/src/db/schemas/audit-logs.ts
+++ b/backend/src/db/schemas/audit-logs.ts
@ -20,7 +20,8 @@ export const AuditLogsSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  orgId: z.string().uuid().nullable().optional(),
-  projectId: z.string().nullable().optional()
+  projectId: z.string().nullable().optional(),
+  projectName: z.string().nullable().optional()
 });

 export type TAuditLogs = z.infer<typeof AuditLogsSchema>;
--- a/backend/src/db/schemas/external-group-org-role-mappings.ts
+++ b/backend/src/db/schemas/external-group-org-role-mappings.ts
@ -0,0 +1,27 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ExternalGroupOrgRoleMappingsSchema = z.object({
+  id: z.string().uuid(),
+  groupName: z.string(),
+  role: z.string(),
+  roleId: z.string().uuid().nullable().optional(),
+  orgId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TExternalGroupOrgRoleMappings = z.infer<typeof ExternalGroupOrgRoleMappingsSchema>;
+export type TExternalGroupOrgRoleMappingsInsert = Omit<
+  z.input<typeof ExternalGroupOrgRoleMappingsSchema>,
+  TImmutableDBKeys
+>;
+export type TExternalGroupOrgRoleMappingsUpdate = Partial<
+  Omit<z.input<typeof ExternalGroupOrgRoleMappingsSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/identity-metadata.ts
+++ b/backend/src/db/schemas/identity-metadata.ts
@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityMetadataSchema = z.object({
+  id: z.string().uuid(),
+  key: z.string(),
+  value: z.string(),
+  orgId: z.string().uuid(),
+  userId: z.string().uuid().nullable().optional(),
+  identityId: z.string().uuid().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TIdentityMetadata = z.infer<typeof IdentityMetadataSchema>;
+export type TIdentityMetadataInsert = Omit<z.input<typeof IdentityMetadataSchema>, TImmutableDBKeys>;
+export type TIdentityMetadataUpdate = Partial<Omit<z.input<typeof IdentityMetadataSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@ -31,6 +31,7 @@ export * from "./identity-aws-auths";
 export * from "./identity-azure-auths";
 export * from "./identity-gcp-auths";
 export * from "./identity-kubernetes-auths";
+export * from "./identity-metadata";
 export * from "./identity-oidc-auths";
 export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
--- a/backend/src/db/schemas/kms-keys.ts
+++ b/backend/src/db/schemas/kms-keys.ts
@ -13,9 +13,11 @@ export const KmsKeysSchema = z.object({
  isDisabled: z.boolean().default(false).nullable().optional(),
  isReserved: z.boolean().default(true).nullable().optional(),
  orgId: z.string().uuid(),
-  slug: z.string(),
+  name: z.string(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  projectId: z.string().nullable().optional(),
+  slug: z.string().nullable().optional()
 });

 export type TKmsKeys = z.infer<typeof KmsKeysSchema>;
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@ -17,6 +17,7 @@ export enum TableName {
  Groups = "groups",
  GroupProjectMembership = "group_project_memberships",
  GroupProjectMembershipRole = "group_project_membership_roles",
+  ExternalGroupOrgRoleMapping = "external_group_org_role_mappings",
  UserGroupMembership = "user_group_membership",
  UserAliases = "user_aliases",
  UserEncryptionKey = "user_encryption_keys",
@ -70,6 +71,8 @@ export enum TableName {
  IdentityProjectMembership = "identity_project_memberships",
  IdentityProjectMembershipRole = "identity_project_membership_role",
  IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
+  // used by both identity and users
+  IdentityMetadata = "identity_metadata",
  ScimToken = "scim_tokens",
  AccessApprovalPolicy = "access_approval_policies",
  AccessApprovalPolicyApprover = "access_approval_policies_approvers",
--- a/backend/src/db/schemas/oidc-configs.ts
+++ b/backend/src/db/schemas/oidc-configs.ts
@ -26,7 +26,8 @@ export const OidcConfigsSchema = z.object({
  isActive: z.boolean(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  orgId: z.string().uuid()
+  orgId: z.string().uuid(),
+  lastUsed: z.date().nullable().optional()
 });

 export type TOidcConfigs = z.infer<typeof OidcConfigsSchema>;
--- a/backend/src/db/schemas/organizations.ts
+++ b/backend/src/db/schemas/organizations.ts
@ -19,7 +19,9 @@ export const OrganizationsSchema = z.object({
  authEnforced: z.boolean().default(false).nullable().optional(),
  scimEnabled: z.boolean().default(false).nullable().optional(),
  kmsDefaultKeyId: z.string().uuid().nullable().optional(),
-  kmsEncryptedDataKey: zodBuffer.nullable().optional()
+  kmsEncryptedDataKey: zodBuffer.nullable().optional(),
+  defaultMembershipRole: z.string().default("member"),
+  enforceMfa: z.boolean().default(false)
 });

 export type TOrganizations = z.infer<typeof OrganizationsSchema>;
--- a/backend/src/db/schemas/secret-approval-policies-approvers.ts
+++ b/backend/src/db/schemas/secret-approval-policies-approvers.ts
@ -12,7 +12,8 @@ export const SecretApprovalPoliciesApproversSchema = z.object({
  policyId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  approverUserId: z.string().uuid()
+  approverUserId: z.string().uuid().nullable().optional(),
+  approverGroupId: z.string().uuid().nullable().optional()
 });

 export type TSecretApprovalPoliciesApprovers = z.infer<typeof SecretApprovalPoliciesApproversSchema>;
--- a/backend/src/db/schemas/secret-sharing.ts
+++ b/backend/src/db/schemas/secret-sharing.ts
@ -5,14 +5,16 @@

 import { z } from "zod";

+import { zodBuffer } from "@app/lib/zod";
+
 import { TImmutableDBKeys } from "./models";

 export const SecretSharingSchema = z.object({
  id: z.string().uuid(),
-  encryptedValue: z.string(),
-  iv: z.string(),
-  tag: z.string(),
-  hashedHex: z.string(),
+  encryptedValue: z.string().nullable().optional(),
+  iv: z.string().nullable().optional(),
+  tag: z.string().nullable().optional(),
+  hashedHex: z.string().nullable().optional(),
  expiresAt: z.date(),
  userId: z.string().uuid().nullable().optional(),
  orgId: z.string().uuid().nullable().optional(),
@ -22,7 +24,9 @@ export const SecretSharingSchema = z.object({
  accessType: z.string().default("anyone"),
  name: z.string().nullable().optional(),
  lastViewedAt: z.date().nullable().optional(),
-  password: z.string().nullable().optional()
+  password: z.string().nullable().optional(),
+  encryptedSecret: zodBuffer.nullable().optional(),
+  identifier: z.string().nullable().optional()
 });

 export type TSecretSharing = z.infer<typeof SecretSharingSchema>;
--- a/backend/src/ee/routes/v1/access-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-policy-router.ts
@ -1,7 +1,9 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";

+import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { EnforcementLevel } from "@app/lib/types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -10,28 +12,32 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
-      body: z
-        .object({
-          projectSlug: z.string().trim(),
-          name: z.string().optional(),
-          secretPath: z.string().trim().default("/"),
-          environment: z.string(),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
+      body: z.object({
+        projectSlug: z.string().trim(),
+        name: z.string().optional(),
+        secretPath: z.string().trim().default("/"),
+        environment: z.string(),
+        approvers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+          ])
+          .array()
+          .min(1, { message: "At least one approver should be provided" }),
+        approvals: z.number().min(1).default(1),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+      }),
      response: {
        200: z.object({
          approval: sapPubSchema
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const approval = await server.services.accessApprovalPolicy.createAccessApprovalPolicy({
        actor: req.permission.type,
@ -50,6 +56,9 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/",
    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      querystring: z.object({
        projectSlug: z.string().trim()
@ -58,14 +67,15 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
        200: z.object({
          approvals: sapPubSchema
            .extend({
-              userApprovers: z
-                .object({
-                  userId: z.string()
-                })
-                .array(),
-              secretPath: z.string().optional().nullable()
+              approvers: z
+                .object({ type: z.nativeEnum(ApproverType), id: z.string().nullable().optional() })
+                .array()
+                .nullable()
+                .optional()
            })
            .array()
+            .nullable()
+            .optional()
        })
      }
    },
@ -115,33 +125,37 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/:policyId",
    method: "PATCH",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        policyId: z.string()
      }),
-      body: z
-        .object({
-          name: z.string().optional(),
-          secretPath: z
-            .string()
-            .trim()
-            .optional()
-            .transform((val) => (val === "" ? "/" : val)),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
+      body: z.object({
+        name: z.string().optional(),
+        secretPath: z
+          .string()
+          .trim()
+          .optional()
+          .transform((val) => (val === "" ? "/" : val)),
+        approvers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+          ])
+          .array()
+          .min(1, { message: "At least one approver should be provided" }),
+        approvals: z.number().min(1).optional(),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+      }),
      response: {
        200: z.object({
          approval: sapPubSchema
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      await server.services.accessApprovalPolicy.updateAccessApprovalPolicy({
        policyId: req.params.policyId,
@ -157,6 +171,9 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
  server.route({
    url: "/:policyId",
    method: "DELETE",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        policyId: z.string()
@ -167,7 +184,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const approval = await server.services.accessApprovalPolicy.deleteAccessApprovalPolicy({
        actor: req.permission.type,
@ -179,4 +196,44 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
      return { approval };
    }
  });
+
+  server.route({
+    url: "/:policyId",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        policyId: z.string()
+      }),
+      response: {
+        200: z.object({
+          approval: sapPubSchema.extend({
+            approvers: z
+              .object({
+                type: z.nativeEnum(ApproverType),
+                id: z.string().nullable().optional(),
+                name: z.string().nullable().optional()
+              })
+              .array()
+              .nullable()
+              .optional()
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const approval = await server.services.accessApprovalPolicy.getAccessApprovalPolicyById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.params
+      });
+
+      return { approval };
+    }
+  });
 };
--- a/backend/src/ee/routes/v1/dynamic-secret-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-router.ts
@ -77,6 +77,39 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
    }
  });

+  server.route({
+    method: "POST",
+    url: "/entra-id/users",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      body: z.object({
+        tenantId: z.string().min(1).describe("The tenant ID of the Azure Entra ID"),
+        applicationId: z.string().min(1).describe("The application ID of the Azure Entra ID App Registration"),
+        clientSecret: z.string().min(1).describe("The client secret of the Azure Entra ID App Registration")
+      }),
+      response: {
+        200: z
+          .object({
+            name: z.string().min(1).describe("The name of the user"),
+            id: z.string().min(1).describe("The ID of the user"),
+            email: z.string().min(1).describe("The email of the user")
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const data = await server.services.dynamicSecret.fetchAzureEntraIdUsers({
+        tenantId: req.body.tenantId,
+        applicationId: req.body.applicationId,
+        clientSecret: req.body.clientSecret
+      });
+      return data;
+    }
+  });
+
  server.route({
    method: "PATCH",
    url: "/:name",
@ -237,7 +270,7 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
-      const dynamicSecretCfgs = await server.services.dynamicSecret.list({
+      const dynamicSecretCfgs = await server.services.dynamicSecret.listDynamicSecretsByEnv({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
--- a/backend/src/ee/routes/v1/external-kms-router.ts
+++ b/backend/src/ee/routes/v1/external-kms-router.ts
@ -26,7 +26,7 @@ const sanitizedExternalSchemaForGetAll = KmsKeysSchema.pick({
  isDisabled: true,
  createdAt: true,
  updatedAt: true,
-  slug: true
+  name: true
 })
  .extend({
    externalKms: ExternalKmsSchema.pick({
@ -57,7 +57,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
    },
    schema: {
      body: z.object({
-        slug: z.string().min(1).trim().toLowerCase(),
+        name: z.string().min(1).trim().toLowerCase(),
        description: z.string().trim().optional(),
        provider: ExternalKmsInputSchema
      }),
@ -74,7 +74,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        slug: req.body.slug,
+        name: req.body.name,
        provider: req.body.provider,
        description: req.body.description
      });
@ -87,7 +87,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
          metadata: {
            kmsId: externalKms.id,
            provider: req.body.provider.type,
-            slug: req.body.slug,
+            name: req.body.name,
            description: req.body.description
          }
        }
@ -108,7 +108,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
        id: z.string().trim().min(1)
      }),
      body: z.object({
-        slug: z.string().min(1).trim().toLowerCase().optional(),
+        name: z.string().min(1).trim().toLowerCase().optional(),
        description: z.string().trim().optional(),
        provider: ExternalKmsInputUpdateSchema
      }),
@ -125,7 +125,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        slug: req.body.slug,
+        name: req.body.name,
        provider: req.body.provider,
        description: req.body.description,
        id: req.params.id
@ -139,7 +139,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
          metadata: {
            kmsId: externalKms.id,
            provider: req.body.provider.type,
-            slug: req.body.slug,
+            name: req.body.name,
            description: req.body.description
          }
        }
@ -182,7 +182,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
          type: EventType.DELETE_KMS,
          metadata: {
            kmsId: externalKms.id,
-            slug: externalKms.slug
+            name: externalKms.name
          }
        }
      });
@ -224,7 +224,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
          type: EventType.GET_KMS,
          metadata: {
            kmsId: externalKms.id,
-            slug: externalKms.slug
+            name: externalKms.name
          }
        }
      });
@ -260,13 +260,13 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {

  server.route({
    method: "GET",
-    url: "/slug/:slug",
+    url: "/name/:name",
    config: {
      rateLimit: readLimit
    },
    schema: {
      params: z.object({
-        slug: z.string().trim().min(1)
+        name: z.string().trim().min(1)
      }),
      response: {
        200: z.object({
@ -276,12 +276,12 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
-      const externalKms = await server.services.externalKms.findBySlug({
+      const externalKms = await server.services.externalKms.findByName({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        slug: req.params.slug
+        name: req.params.name
      });
      return { externalKms };
    }
--- a/backend/src/ee/routes/v1/group-router.ts
+++ b/backend/src/ee/routes/v1/group-router.ts
@ -10,7 +10,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/",
    method: "POST",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      body: z.object({
        name: z.string().trim().min(1).max(50).describe(GROUPS.CREATE.name),
@ -43,12 +43,59 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:currentSlug",
-    method: "PATCH",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/:id",
+    method: "GET",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      params: z.object({
-        currentSlug: z.string().trim().describe(GROUPS.UPDATE.currentSlug)
+        id: z.string().trim().describe(GROUPS.GET_BY_ID.id)
+      }),
+      response: {
+        200: GroupsSchema
+      }
+    },
+    handler: async (req) => {
+      const group = await server.services.group.getGroupById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.id
+      });
+
+      return group;
+    }
+  });
+
+  server.route({
+    url: "/",
+    method: "GET",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      response: {
+        200: GroupsSchema.array()
+      }
+    },
+    handler: async (req) => {
+      const groups = await server.services.org.getOrgGroups({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return groups;
+    }
+  });
+
+  server.route({
+    url: "/:id",
+    method: "PATCH",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      params: z.object({
+        id: z.string().trim().describe(GROUPS.UPDATE.id)
      }),
      body: z
        .object({
@ -70,7 +117,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const group = await server.services.group.updateGroup({
-        currentSlug: req.params.currentSlug,
+        id: req.params.id,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
@ -83,12 +130,12 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:slug",
+    url: "/:id",
    method: "DELETE",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      params: z.object({
-        slug: z.string().trim().describe(GROUPS.DELETE.slug)
+        id: z.string().trim().describe(GROUPS.DELETE.id)
      }),
      response: {
        200: GroupsSchema
@ -96,7 +143,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const group = await server.services.group.deleteGroup({
-        groupSlug: req.params.slug,
+        id: req.params.id,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
@ -109,16 +156,17 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {

  server.route({
    method: "GET",
-    url: "/:slug/users",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/:id/users",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      params: z.object({
-        slug: z.string().trim().describe(GROUPS.LIST_USERS.slug)
+        id: z.string().trim().describe(GROUPS.LIST_USERS.id)
      }),
      querystring: z.object({
        offset: z.coerce.number().min(0).max(100).default(0).describe(GROUPS.LIST_USERS.offset),
        limit: z.coerce.number().min(1).max(100).default(10).describe(GROUPS.LIST_USERS.limit),
-        username: z.string().optional().describe(GROUPS.LIST_USERS.username)
+        username: z.string().trim().optional().describe(GROUPS.LIST_USERS.username),
+        search: z.string().trim().optional().describe(GROUPS.LIST_USERS.search)
      }),
      response: {
        200: z.object({
@ -141,24 +189,25 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const { users, totalCount } = await server.services.group.listGroupUsers({
-        groupSlug: req.params.slug,
+        id: req.params.id,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query
      });
+
      return { users, totalCount };
    }
  });

  server.route({
    method: "POST",
-    url: "/:slug/users/:username",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/:id/users/:username",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      params: z.object({
-        slug: z.string().trim().describe(GROUPS.ADD_USER.slug),
+        id: z.string().trim().describe(GROUPS.ADD_USER.id),
        username: z.string().trim().describe(GROUPS.ADD_USER.username)
      }),
      response: {
@ -173,7 +222,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const user = await server.services.group.addUserToGroup({
-        groupSlug: req.params.slug,
+        id: req.params.id,
        username: req.params.username,
        actor: req.permission.type,
        actorId: req.permission.id,
@ -187,11 +236,11 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {

  server.route({
    method: "DELETE",
-    url: "/:slug/users/:username",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/:id/users/:username",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      params: z.object({
-        slug: z.string().trim().describe(GROUPS.DELETE_USER.slug),
+        id: z.string().trim().describe(GROUPS.DELETE_USER.id),
        username: z.string().trim().describe(GROUPS.DELETE_USER.username)
      }),
      response: {
@ -206,7 +255,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const user = await server.services.group.removeUserFromGroup({
-        groupSlug: req.params.slug,
+        id: req.params.id,
        username: req.params.username,
        actor: req.permission.type,
        actorId: req.permission.id,
--- a/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
@ -1,11 +1,11 @@
-import { packRules } from "@casl/ability/extra";
 import slugify from "@sindresorhus/slugify";
 import ms from "ms";
 import { z } from "zod";

 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
+import { backfillPermissionV1SchemaToV2Schema } from "@app/ee/services/permission/project-permission";
 import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
-import { BadRequestError } from "@app/lib/errors";
+import { UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@ -61,7 +61,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
    handler: async (req) => {
      const { permissions, privilegePermission } = req.body;
      if (!permissions && !privilegePermission) {
-        throw new BadRequestError({ message: "Permission or privilegePermission must be provided" });
+        throw new UnauthorizedError({ message: "Permission or privilegePermission must be provided" });
      }

      const permission = privilegePermission
@ -79,7 +79,9 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
        ...req.body,
        slug: req.body.slug ? slugify(req.body.slug) : slugify(alphaNumericNanoId(12)),
        isTemporary: false,
-        permissions: JSON.stringify(packRules(permission))
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+        // @ts-ignore-error this is valid ts
+        permissions: backfillPermissionV1SchemaToV2Schema(permission)
      });
      return { privilege };
    }
@ -140,7 +142,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
    handler: async (req) => {
      const { permissions, privilegePermission } = req.body;
      if (!permissions && !privilegePermission) {
-        throw new BadRequestError({ message: "Permission or privilegePermission must be provided" });
+        throw new UnauthorizedError({ message: "Permission or privilegePermission must be provided" });
      }

      const permission = privilegePermission
@ -159,7 +161,9 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
        ...req.body,
        slug: req.body.slug ? slugify(req.body.slug) : slugify(alphaNumericNanoId(12)),
        isTemporary: true,
-        permissions: JSON.stringify(packRules(permission))
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+        // @ts-ignore-error this is valid ts
+        permissions: backfillPermissionV1SchemaToV2Schema(permission)
      });
      return { privilege };
    }
@ -224,7 +228,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
    handler: async (req) => {
      const { permissions, privilegePermission, ...updatedInfo } = req.body.privilegeDetails;
      if (!permissions && !privilegePermission) {
-        throw new BadRequestError({ message: "Permission or privilegePermission must be provided" });
+        throw new UnauthorizedError({ message: "Permission or privilegePermission must be provided" });
      }

      const permission = privilegePermission
@ -244,7 +248,13 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
        projectSlug: req.body.projectSlug,
        data: {
          ...updatedInfo,
-          permissions: permission ? JSON.stringify(packRules(permission)) : undefined
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore-error this is valid ts
+          permissions: permission
+            ? // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore-error this is valid ts
+              backfillPermissionV1SchemaToV2Schema(permission)
+            : undefined
        }
      });
      return { privilege };
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -81,9 +81,9 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
  await server.register(registerSecretVersionRouter, { prefix: "/secret" });
  await server.register(registerGroupRouter, { prefix: "/groups" });
  await server.register(registerAuditLogStreamRouter, { prefix: "/audit-log-streams" });
+  await server.register(registerUserAdditionalPrivilegeRouter, { prefix: "/user-project-additional-privilege" });
  await server.register(
    async (privilegeRouter) => {
-      await privilegeRouter.register(registerUserAdditionalPrivilegeRouter, { prefix: "/users" });
      await privilegeRouter.register(registerIdentityProjectAdditionalPrivilegeRouter, { prefix: "/identity" });
    },
    { prefix: "/additional-privilege" }
--- a/backend/src/ee/routes/v1/project-role-router.ts
+++ b/backend/src/ee/routes/v1/project-role-router.ts
@ -3,11 +3,16 @@ import slugify from "@sindresorhus/slugify";
 import { z } from "zod";

 import { ProjectMembershipRole, ProjectMembershipsSchema, ProjectRolesSchema } from "@app/db/schemas";
+import {
+  backfillPermissionV1SchemaToV2Schema,
+  ProjectPermissionV1Schema
+} from "@app/ee/services/permission/project-permission";
 import { PROJECT_ROLE } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { ProjectPermissionSchema, SanitizedRoleSchema } from "@app/server/routes/sanitizedSchemas";
+import { SanitizedRoleSchemaV1 } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { ProjectRoleServiceIdentifierType } from "@app/services/project-role/project-role-types";

 export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
@ -42,11 +47,11 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
          .describe(PROJECT_ROLE.CREATE.slug),
        name: z.string().min(1).trim().describe(PROJECT_ROLE.CREATE.name),
        description: z.string().trim().optional().describe(PROJECT_ROLE.CREATE.description),
-        permissions: ProjectPermissionSchema.array().describe(PROJECT_ROLE.CREATE.permissions)
+        permissions: ProjectPermissionV1Schema.array().describe(PROJECT_ROLE.CREATE.permissions)
      }),
      response: {
        200: z.object({
-          role: SanitizedRoleSchema
+          role: SanitizedRoleSchemaV1
        })
      }
    },
@ -57,12 +62,16 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actor: req.permission.type,
-        projectSlug: req.params.projectSlug,
+        filter: {
+          type: ProjectRoleServiceIdentifierType.SLUG,
+          projectSlug: req.params.projectSlug
+        },
        data: {
          ...req.body,
-          permissions: JSON.stringify(packRules(req.body.permissions))
+          permissions: JSON.stringify(packRules(backfillPermissionV1SchemaToV2Schema(req.body.permissions, true)))
        }
      });
+
      return { role };
    }
  });
@ -102,11 +111,11 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
          }),
        name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
        description: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.description),
-        permissions: ProjectPermissionSchema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
+        permissions: ProjectPermissionV1Schema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
      }),
      response: {
        200: z.object({
-          role: SanitizedRoleSchema
+          role: SanitizedRoleSchemaV1
        })
      }
    },
@ -117,11 +126,12 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actor: req.permission.type,
-        projectSlug: req.params.projectSlug,
        roleId: req.params.roleId,
        data: {
          ...req.body,
-          permissions: req.body.permissions ? JSON.stringify(packRules(req.body.permissions)) : undefined
+          permissions: req.body.permissions
+            ? JSON.stringify(packRules(backfillPermissionV1SchemaToV2Schema(req.body.permissions, true)))
+            : undefined
        }
      });
      return { role };
@ -147,7 +157,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          role: SanitizedRoleSchema
+          role: SanitizedRoleSchemaV1
        })
      }
    },
@ -158,7 +168,6 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actor: req.permission.type,
-        projectSlug: req.params.projectSlug,
        roleId: req.params.roleId
      });
      return { role };
@ -194,7 +203,10 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actor: req.permission.type,
-        projectSlug: req.params.projectSlug
+        filter: {
+          type: ProjectRoleServiceIdentifierType.SLUG,
+          projectSlug: req.params.projectSlug
+        }
      });
      return { roles };
    }
@ -213,7 +225,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          role: SanitizedRoleSchema
+          role: SanitizedRoleSchemaV1
        })
      }
    },
@ -224,9 +236,13 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actor: req.permission.type,
-        projectSlug: req.params.projectSlug,
+        filter: {
+          type: ProjectRoleServiceIdentifierType.SLUG,
+          projectSlug: req.params.projectSlug
+        },
        roleSlug: req.params.slug
      });
+
      return { role };
    }
  });
--- a/backend/src/ee/routes/v1/project-router.ts
+++ b/backend/src/ee/routes/v1/project-router.ts
@ -87,6 +87,12 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    }
  });

+  /*
+   * Daniel: This endpoint is no longer is use.
+   * We are keeping it for now because it has been exposed in our public api docs for a while, so by removing it we are likely to break users workflows.
+   *
+   * Please refer to the new endpoint, GET /api/v1/organization/audit-logs, for the same (and more) functionality.
+   */
  server.route({
    method: "GET",
    url: "/:workspaceId/audit-logs",
@ -101,7 +107,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.workspaceId)
+        workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.projectId)
      }),
      querystring: z.object({
        eventType: z.nativeEnum(EventType).optional().describe(AUDIT_LOGS.EXPORT.eventType),
@ -122,10 +128,12 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
          })
            .merge(
              z.object({
-                project: z.object({
-                  name: z.string(),
-                  slug: z.string()
-                }),
+                project: z
+                  .object({
+                    name: z.string(),
+                    slug: z.string()
+                  })
+                  .optional(),
                event: z.object({
                  type: z.string(),
                  metadata: z.any()
@ -195,7 +203,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        200: z.object({
          secretManagerKmsKey: z.object({
            id: z.string(),
-            slug: z.string(),
+            name: z.string(),
            isExternal: z.boolean()
          })
        })
@ -235,7 +243,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        200: z.object({
          secretManagerKmsKey: z.object({
            id: z.string(),
-            slug: z.string(),
+            name: z.string(),
            isExternal: z.boolean()
          })
        })
@ -260,7 +268,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
          metadata: {
            secretManagerKmsKey: {
              id: secretManagerKmsKey.id,
-              slug: secretManagerKmsKey.slug
+              name: secretManagerKmsKey.name
            }
          }
        }
@ -328,7 +336,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        200: z.object({
          secretManagerKmsKey: z.object({
            id: z.string(),
-            slug: z.string(),
+            name: z.string(),
            isExternal: z.boolean()
          })
        })
--- a/backend/src/ee/routes/v1/rate-limit-router.ts
+++ b/backend/src/ee/routes/v1/rate-limit-router.ts
@ -1,7 +1,7 @@
 import { z } from "zod";

 import { RateLimitSchema } from "@app/db/schemas";
-import { BadRequestError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@ -29,7 +29,7 @@ export const registerRateLimitRouter = async (server: FastifyZodProvider) => {
    handler: async () => {
      const rateLimit = await server.services.rateLimit.getRateLimits();
      if (!rateLimit) {
-        throw new BadRequestError({
+        throw new NotFoundError({
          name: "Get Rate Limit Error",
          message: "Rate limit configuration does not exist."
        });
--- a/backend/src/ee/routes/v1/saml-router.ts
+++ b/backend/src/ee/routes/v1/saml-router.ts
@ -61,7 +61,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
                id: samlConfigId
              };
            } else {
-              throw new BadRequestError({ message: "Missing sso identitier or org slug" });
+              throw new BadRequestError({ message: "Missing sso identifier or org slug" });
            }

            const ssoConfig = await server.services.saml.getSaml(ssoLookupDetails);
@ -100,6 +100,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
      async (req, profile, cb) => {
        try {
          if (!profile) throw new BadRequestError({ message: "Missing profile" });
+
          const email =
            profile?.email ??
            // entra sends data in this format
@ -123,6 +124,17 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
            );
          }

+          const userMetadata = Object.keys(profile.attributes || {})
+            .map((key) => {
+              // for the ones like in format: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email
+              const formatedKey = key.startsWith("http") ? key.split("/").at(-1) || "" : key;
+              return {
+                key: formatedKey,
+                value: String((profile.attributes as Record<string, string>)[key]).substring(0, 1020)
+              };
+            })
+            .filter((el) => el.key && !["email", "firstName", "lastName"].includes(el.key));
+
          const { isUserCompleted, providerAuthToken } = await server.services.saml.samlLogin({
            externalId: profile.nameID,
            email,
@ -130,7 +142,8 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
            lastName: lastName as string,
            relayState: (req.body as { RelayState?: string }).RelayState,
            authProvider: (req as unknown as FastifyRequest).ssoConfig?.authProvider as string,
-            orgId: (req as unknown as FastifyRequest).ssoConfig?.orgId as string
+            orgId: (req as unknown as FastifyRequest).ssoConfig?.orgId as string,
+            metadata: userMetadata
          });
          cb(null, { isUserCompleted, providerAuthToken });
        } catch (error) {
--- a/backend/src/ee/routes/v1/scim-router.ts
+++ b/backend/src/ee/routes/v1/scim-router.ts
@ -20,7 +20,7 @@ const ScimUserSchema = z.object({
      z.object({
        primary: z.boolean(),
        value: z.string().email(),
-        type: z.string().trim()
+        type: z.string().trim().default("work")
      })
    )
    .optional(),
@ -210,8 +210,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
          .array(
            z.object({
              primary: z.boolean(),
-              value: z.string().email(),
-              type: z.string().trim()
+              value: z.string().email()
            })
          )
          .optional(),
@ -281,8 +280,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
          .array(
            z.object({
              primary: z.boolean(),
-              value: z.string().email(),
-              type: z.string().trim()
+              value: z.string().email()
            })
          )
          .optional(),
@ -301,7 +299,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
            z.object({
              primary: z.boolean(),
              value: z.string().email(),
-              type: z.string().trim()
+              type: z.string().trim().default("work")
            })
          ),
          displayName: z.string().trim(),
--- a/backend/src/ee/routes/v1/secret-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-policy-router.ts
@ -1,6 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";

+import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@ -16,32 +17,33 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      rateLimit: writeLimit
    },
    schema: {
-      body: z
-        .object({
-          workspaceId: z.string(),
-          name: z.string().optional(),
-          environment: z.string(),
-          secretPath: z
-            .string()
-            .optional()
-            .nullable()
-            .default("/")
-            .transform((val) => (val ? removeTrailingSlash(val) : val)),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
+      body: z.object({
+        workspaceId: z.string(),
+        name: z.string().optional(),
+        environment: z.string(),
+        secretPath: z
+          .string()
+          .optional()
+          .nullable()
+          .default("/")
+          .transform((val) => (val ? removeTrailingSlash(val) : val)),
+        approvers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+          ])
+          .array()
+          .min(1, { message: "At least one approver should be provided" }),
+        approvals: z.number().min(1).default(1),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+      }),
      response: {
        200: z.object({
          approval: sapPubSchema
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const approval = await server.services.secretApprovalPolicy.createSecretApprovalPolicy({
        actor: req.permission.type,
@ -67,30 +69,31 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      params: z.object({
        sapId: z.string()
      }),
-      body: z
-        .object({
-          name: z.string().optional(),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1),
-          secretPath: z
-            .string()
-            .optional()
-            .nullable()
-            .transform((val) => (val ? removeTrailingSlash(val) : val))
-            .transform((val) => (val === "" ? "/" : val)),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).optional()
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
+      body: z.object({
+        name: z.string().optional(),
+        approvers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+          ])
+          .array()
+          .min(1, { message: "At least one approver should be provided" }),
+        approvals: z.number().min(1).default(1),
+        secretPath: z
+          .string()
+          .optional()
+          .nullable()
+          .transform((val) => (val ? removeTrailingSlash(val) : val))
+          .transform((val) => (val === "" ? "/" : val)),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).optional()
+      }),
      response: {
        200: z.object({
          approval: sapPubSchema
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const approval = await server.services.secretApprovalPolicy.updateSecretApprovalPolicy({
        actor: req.permission.type,
@ -120,7 +123,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const approval = await server.services.secretApprovalPolicy.deleteSecretApprovalPolicy({
        actor: req.permission.type,
@ -147,9 +150,10 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
        200: z.object({
          approvals: sapPubSchema
            .extend({
-              userApprovers: z
+              approvers: z
                .object({
-                  userId: z.string()
+                  id: z.string().nullable().optional(),
+                  type: z.nativeEnum(ApproverType)
                })
                .array()
            })
@ -170,6 +174,44 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
    }
  });

+  server.route({
+    url: "/:sapId",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        sapId: z.string()
+      }),
+      response: {
+        200: z.object({
+          approval: sapPubSchema.extend({
+            approvers: z
+              .object({
+                id: z.string().nullable().optional(),
+                type: z.nativeEnum(ApproverType),
+                name: z.string().nullable().optional()
+              })
+              .array()
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const approval = await server.services.secretApprovalPolicy.getSecretApprovalPolicyById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.params
+      });
+
+      return { approval };
+    }
+  });
+
  server.route({
    url: "/board",
    method: "GET",
@ -186,7 +228,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
        200: z.object({
          policy: sapPubSchema
            .extend({
-              userApprovers: z.object({ userId: z.string() }).array()
+              userApprovers: z.object({ userId: z.string().nullable().optional() }).array()
            })
            .optional()
        })
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@ -13,7 +13,7 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";

-const approvalRequestUser = z.object({ userId: z.string() }).merge(
+const approvalRequestUser = z.object({ userId: z.string().nullable().optional() }).merge(
  UsersSchema.pick({
    email: true,
    firstName: true,
@ -46,7 +46,11 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
              id: z.string(),
              name: z.string(),
              approvals: z.number(),
-              approvers: z.string().array(),
+              approvers: z
+                .object({
+                  userId: z.string().nullable().optional()
+                })
+                .array(),
              secretPath: z.string().optional().nullable(),
              enforcementLevel: z.string()
            }),
@ -54,7 +58,11 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
            commits: z.object({ op: z.string(), secretId: z.string().nullable().optional() }).array(),
            environment: z.string(),
            reviewers: z.object({ userId: z.string(), status: z.string() }).array(),
-            approvers: z.string().array()
+            approvers: z
+              .object({
+                userId: z.string().nullable().optional()
+              })
+              .array()
          }).array()
        })
      }
--- a/backend/src/ee/routes/v1/secret-scanning-router.ts
+++ b/backend/src/ee/routes/v1/secret-scanning-router.ts
@ -2,6 +2,8 @@ import { z } from "zod";

 import { GitAppOrgSchema, SecretScanningGitRisksSchema } from "@app/db/schemas";
 import { SecretScanningRiskStatus } from "@app/ee/services/secret-scanning/secret-scanning-types";
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError } from "@app/lib/errors";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -23,6 +25,13 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
+      const appCfg = getConfig();
+      if (!appCfg.SECRET_SCANNING_ORG_WHITELIST?.includes(req.auth.orgId)) {
+        throw new BadRequestError({
+          message: "Secret scanning is temporarily unavailable."
+        });
+      }
+
      const session = await server.services.secretScanning.createInstallationSession({
        actor: req.permission.type,
        actorId: req.permission.id,
@ -30,6 +39,7 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
        actorOrgId: req.permission.orgId,
        orgId: req.body.organizationId
      });
+
      return session;
    }
  });
--- a/backend/src/ee/routes/v1/user-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v1/user-additional-privilege-router.ts
@ -2,17 +2,18 @@ import slugify from "@sindresorhus/slugify";
 import ms from "ms";
 import { z } from "zod";

-import { ProjectUserAdditionalPrivilegeSchema } from "@app/db/schemas";
+import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-types";
 import { PROJECT_USER_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { SanitizedUserProjectAdditionalPrivilegeSchema } from "@app/server/routes/santizedSchemas/user-additional-privilege";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/permanent",
+    url: "/",
    method: "POST",
    config: {
      rateLimit: writeLimit
@ -31,66 +32,30 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
          })
          .optional()
          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: z.any().array().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.permissions)
-      }),
-      response: {
-        200: z.object({
-          privilege: ProjectUserAdditionalPrivilegeSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const privilege = await server.services.projectUserAdditionalPrivilege.create({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        ...req.body,
-        slug: req.body.slug ? slugify(req.body.slug) : slugify(alphaNumericNanoId(12)),
-        isTemporary: false,
-        permissions: JSON.stringify(req.body.permissions)
-      });
-      return { privilege };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/temporary",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      body: z.object({
-        projectMembershipId: z.string().min(1).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.projectMembershipId),
-        slug: z
-          .string()
-          .min(1)
-          .max(60)
-          .trim()
-          .refine((v) => v.toLowerCase() === v, "Slug must be lowercase")
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid slug"
+        permissions: ProjectPermissionV2Schema.array().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.permissions),
+        type: z.discriminatedUnion("isTemporary", [
+          z.object({
+            isTemporary: z.literal(false)
+          }),
+          z.object({
+            isTemporary: z.literal(true),
+            temporaryMode: z
+              .nativeEnum(ProjectUserAdditionalPrivilegeTemporaryMode)
+              .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.temporaryMode),
+            temporaryRange: z
+              .string()
+              .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
+              .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.temporaryRange),
+            temporaryAccessStartTime: z
+              .string()
+              .datetime()
+              .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.temporaryAccessStartTime)
          })
-          .optional()
-          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: z.any().array().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.permissions),
-        temporaryMode: z
-          .nativeEnum(ProjectUserAdditionalPrivilegeTemporaryMode)
-          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.temporaryMode),
-        temporaryRange: z
-          .string()
-          .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
-          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.temporaryRange),
-        temporaryAccessStartTime: z
-          .string()
-          .datetime()
-          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.temporaryAccessStartTime)
+        ])
      }),
      response: {
        200: z.object({
-          privilege: ProjectUserAdditionalPrivilegeSchema
+          privilege: SanitizedUserProjectAdditionalPrivilegeSchema
        })
      }
    },
@ -101,10 +66,10 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
-        ...req.body,
-        slug: req.body.slug ? slugify(req.body.slug) : `privilege-${slugify(alphaNumericNanoId(12))}`,
-        isTemporary: true,
-        permissions: JSON.stringify(req.body.permissions)
+        projectMembershipId: req.body.projectMembershipId,
+        ...req.body.type,
+        slug: req.body.slug || slugify(alphaNumericNanoId(8)),
+        permissions: req.body.permissions
      });
      return { privilege };
    }
@ -131,24 +96,31 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
              message: "Slug must be a valid slug"
            })
            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.slug),
-          permissions: z.any().array().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
-          isTemporary: z.boolean().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.isTemporary),
-          temporaryMode: z
-            .nativeEnum(ProjectUserAdditionalPrivilegeTemporaryMode)
-            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.temporaryMode),
-          temporaryRange: z
-            .string()
-            .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
-            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.temporaryRange),
-          temporaryAccessStartTime: z
-            .string()
-            .datetime()
-            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.temporaryAccessStartTime)
+          permissions: ProjectPermissionV2Schema.array()
+            .optional()
+            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
+          type: z.discriminatedUnion("isTemporary", [
+            z.object({ isTemporary: z.literal(false).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.isTemporary) }),
+            z.object({
+              isTemporary: z.literal(true).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.isTemporary),
+              temporaryMode: z
+                .nativeEnum(ProjectUserAdditionalPrivilegeTemporaryMode)
+                .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.temporaryMode),
+              temporaryRange: z
+                .string()
+                .refine((val) => typeof val === "undefined" || ms(val) > 0, "Temporary range must be a positive number")
+                .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.temporaryRange),
+              temporaryAccessStartTime: z
+                .string()
+                .datetime()
+                .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.temporaryAccessStartTime)
+            })
+          ])
        })
        .partial(),
      response: {
        200: z.object({
-          privilege: ProjectUserAdditionalPrivilegeSchema
+          privilege: SanitizedUserProjectAdditionalPrivilegeSchema
        })
      }
    },
@ -160,7 +132,12 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        ...req.body,
-        permissions: req.body.permissions ? JSON.stringify(req.body.permissions) : undefined,
+        ...req.body.type,
+        permissions: req.body.permissions
+          ? // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+            // @ts-ignore-error this is valid ts
+            req.body.permissions
+          : undefined,
        privilegeId: req.params.privilegeId
      });
      return { privilege };
@ -179,7 +156,7 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
      }),
      response: {
        200: z.object({
-          privilege: ProjectUserAdditionalPrivilegeSchema
+          privilege: SanitizedUserProjectAdditionalPrivilegeSchema
        })
      }
    },
@ -208,7 +185,7 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
      }),
      response: {
        200: z.object({
-          privileges: ProjectUserAdditionalPrivilegeSchema.array()
+          privileges: SanitizedUserProjectAdditionalPrivilegeSchema.omit({ permissions: true }).array()
        })
      }
    },
@ -233,11 +210,11 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
    },
    schema: {
      params: z.object({
-        privilegeId: z.string().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.GET_BY_PRIVILEGEID.privilegeId)
+        privilegeId: z.string().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.GET_BY_PRIVILEGE_ID.privilegeId)
      }),
      response: {
        200: z.object({
-          privilege: ProjectUserAdditionalPrivilegeSchema
+          privilege: SanitizedUserProjectAdditionalPrivilegeSchema
        })
      }
    },
--- a/backend/src/ee/routes/v2/identity-project-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v2/identity-project-additional-privilege-router.ts
@ -0,0 +1,305 @@
+import slugify from "@sindresorhus/slugify";
+import ms from "ms";
+import { z } from "zod";
+
+import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-types";
+import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
+import { IDENTITY_ADDITIONAL_PRIVILEGE_V2 } from "@app/lib/api-docs";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { SanitizedIdentityPrivilegeSchema } from "@app/server/routes/santizedSchemas/identitiy-additional-privilege";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Add an additional privilege for identity.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.identityId),
+        projectId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.projectId),
+        slug: z
+          .string()
+          .min(1)
+          .max(60)
+          .trim()
+          .refine((val) => val.toLowerCase() === val, "Must be lowercase")
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid slug"
+          })
+          .optional()
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.slug),
+        permissions: ProjectPermissionV2Schema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.permission),
+        type: z.discriminatedUnion("isTemporary", [
+          z.object({
+            isTemporary: z.literal(false)
+          }),
+          z.object({
+            isTemporary: z.literal(true),
+            temporaryMode: z
+              .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)
+              .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.temporaryMode),
+            temporaryRange: z
+              .string()
+              .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
+              .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.temporaryRange),
+            temporaryAccessStartTime: z
+              .string()
+              .datetime()
+              .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.temporaryAccessStartTime)
+          })
+        ])
+      }),
+      response: {
+        200: z.object({
+          privilege: SanitizedIdentityPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const privilege = await server.services.identityProjectAdditionalPrivilegeV2.create({
+        actorAuthMethod: req.permission.authMethod,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actor: req.permission.type,
+        projectId: req.body.projectId,
+        identityId: req.body.identityId,
+        ...req.body.type,
+        slug: req.body.slug || slugify(alphaNumericNanoId(8)),
+        permissions: req.body.permissions
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:id",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Update a specific identity privilege.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        id: z.string().trim().describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.id)
+      }),
+      body: z.object({
+        slug: z
+          .string()
+          .min(1)
+          .max(60)
+          .trim()
+          .refine((val) => val.toLowerCase() === val, "Must be lowercase")
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid slug"
+          })
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.slug),
+        permissions: ProjectPermissionV2Schema.array()
+          .optional()
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.privilegePermission),
+        type: z.discriminatedUnion("isTemporary", [
+          z.object({ isTemporary: z.literal(false).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.isTemporary) }),
+          z.object({
+            isTemporary: z.literal(true).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.isTemporary),
+            temporaryMode: z
+              .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)
+              .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.temporaryMode),
+            temporaryRange: z
+              .string()
+              .refine((val) => typeof val === "undefined" || ms(val) > 0, "Temporary range must be a positive number")
+              .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.temporaryRange),
+            temporaryAccessStartTime: z
+              .string()
+              .datetime()
+              .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.temporaryAccessStartTime)
+          })
+        ])
+      }),
+      response: {
+        200: z.object({
+          privilege: SanitizedIdentityPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const privilege = await server.services.identityProjectAdditionalPrivilegeV2.updateById({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        id: req.params.id,
+        data: {
+          ...req.body,
+          ...req.body.type,
+          permissions: req.body.permissions || undefined
+        }
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:id",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Delete the specified identity privilege.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        id: z.string().trim().describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.DELETE.id)
+      }),
+      response: {
+        200: z.object({
+          privilege: SanitizedIdentityPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const privilege = await server.services.identityProjectAdditionalPrivilegeV2.deleteById({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.id
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:id",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Retrieve details of a specific privilege by id.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        id: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.GET_BY_ID.id)
+      }),
+      response: {
+        200: z.object({
+          privilege: SanitizedIdentityPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const privilege = await server.services.identityProjectAdditionalPrivilegeV2.getPrivilegeDetailsById({
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        id: req.params.id
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/slug/:privilegeSlug",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Retrieve details of a specific privilege by slug.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        privilegeSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.GET_BY_SLUG.slug)
+      }),
+      querystring: z.object({
+        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.GET_BY_SLUG.identityId),
+        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.GET_BY_SLUG.projectSlug)
+      }),
+      response: {
+        200: z.object({
+          privilege: SanitizedIdentityPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const privilege = await server.services.identityProjectAdditionalPrivilegeV2.getPrivilegeDetailsBySlug({
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        slug: req.params.privilegeSlug,
+        ...req.query
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "List privileges for the specified identity by project.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      querystring: z.object({
+        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.LIST.identityId),
+        projectId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.LIST.projectId)
+      }),
+      response: {
+        200: z.object({
+          privileges: SanitizedIdentityPrivilegeSchema.omit({ permissions: true }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const privileges = await server.services.identityProjectAdditionalPrivilegeV2.listIdentityProjectPrivileges({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.query
+      });
+      return {
+        privileges
+      };
+    }
+  });
+};
--- a/backend/src/ee/routes/v2/index.ts
+++ b/backend/src/ee/routes/v2/index.ts
@ -0,0 +1,16 @@
+import { registerIdentityProjectAdditionalPrivilegeRouter } from "./identity-project-additional-privilege-router";
+import { registerProjectRoleRouter } from "./project-role-router";
+
+export const registerV2EERoutes = async (server: FastifyZodProvider) => {
+  // org role starts with organization
+  await server.register(
+    async (projectRouter) => {
+      await projectRouter.register(registerProjectRoleRouter);
+    },
+    { prefix: "/workspace" }
+  );
+
+  await server.register(registerIdentityProjectAdditionalPrivilegeRouter, {
+    prefix: "/identity-project-additional-privilege"
+  });
+};
--- a/backend/src/ee/routes/v2/project-role-router.ts
+++ b/backend/src/ee/routes/v2/project-role-router.ts
@ -0,0 +1,242 @@
+import { packRules } from "@casl/ability/extra";
+import slugify from "@sindresorhus/slugify";
+import { z } from "zod";
+
+import { ProjectMembershipRole, ProjectRolesSchema } from "@app/db/schemas";
+import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
+import { PROJECT_ROLE } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { SanitizedRoleSchema } from "@app/server/routes/sanitizedSchemas";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { ProjectRoleServiceIdentifierType } from "@app/services/project-role/project-role-types";
+
+export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/:projectId/roles",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Create a project role",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        projectId: z.string().trim().describe(PROJECT_ROLE.CREATE.projectId)
+      }),
+      body: z.object({
+        slug: z
+          .string()
+          .toLowerCase()
+          .trim()
+          .min(1)
+          .refine(
+            (val) => !Object.values(ProjectMembershipRole).includes(val as ProjectMembershipRole),
+            "Please choose a different slug, the slug you have entered is reserved"
+          )
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid"
+          })
+          .describe(PROJECT_ROLE.CREATE.slug),
+        name: z.string().min(1).trim().describe(PROJECT_ROLE.CREATE.name),
+        description: z.string().trim().optional().describe(PROJECT_ROLE.CREATE.description),
+        permissions: ProjectPermissionV2Schema.array().describe(PROJECT_ROLE.CREATE.permissions)
+      }),
+      response: {
+        200: z.object({
+          role: SanitizedRoleSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const role = await server.services.projectRole.createRole({
+        actorAuthMethod: req.permission.authMethod,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actor: req.permission.type,
+        filter: {
+          type: ProjectRoleServiceIdentifierType.ID,
+          projectId: req.params.projectId
+        },
+        data: {
+          ...req.body,
+          permissions: JSON.stringify(packRules(req.body.permissions))
+        }
+      });
+      return { role };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:projectId/roles/:roleId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Update a project role",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        projectId: z.string().trim().describe(PROJECT_ROLE.UPDATE.projectId),
+        roleId: z.string().trim().describe(PROJECT_ROLE.UPDATE.roleId)
+      }),
+      body: z.object({
+        slug: z
+          .string()
+          .toLowerCase()
+          .trim()
+          .optional()
+          .describe(PROJECT_ROLE.UPDATE.slug)
+          .refine(
+            (val) =>
+              typeof val === "undefined" ||
+              !Object.values(ProjectMembershipRole).includes(val as ProjectMembershipRole),
+            "Please choose a different slug, the slug you have entered is reserved"
+          )
+          .refine((val) => typeof val === "undefined" || slugify(val) === val, {
+            message: "Slug must be a valid"
+          }),
+        name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
+        description: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.description),
+        permissions: ProjectPermissionV2Schema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
+      }),
+      response: {
+        200: z.object({
+          role: SanitizedRoleSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const role = await server.services.projectRole.updateRole({
+        actorAuthMethod: req.permission.authMethod,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actor: req.permission.type,
+        roleId: req.params.roleId,
+        data: {
+          ...req.body,
+          permissions: req.body.permissions ? JSON.stringify(packRules(req.body.permissions)) : undefined
+        }
+      });
+      return { role };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:projectId/roles/:roleId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Delete a project role",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        projectId: z.string().trim().describe(PROJECT_ROLE.DELETE.projectId),
+        roleId: z.string().trim().describe(PROJECT_ROLE.DELETE.roleId)
+      }),
+      response: {
+        200: z.object({
+          role: SanitizedRoleSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const role = await server.services.projectRole.deleteRole({
+        actorAuthMethod: req.permission.authMethod,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actor: req.permission.type,
+        roleId: req.params.roleId
+      });
+      return { role };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:projectId/roles",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "List project role",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        projectId: z.string().trim().describe(PROJECT_ROLE.LIST.projectId)
+      }),
+      response: {
+        200: z.object({
+          roles: ProjectRolesSchema.omit({ permissions: true }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const roles = await server.services.projectRole.listRoles({
+        actorAuthMethod: req.permission.authMethod,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actor: req.permission.type,
+        filter: {
+          type: ProjectRoleServiceIdentifierType.ID,
+          projectId: req.params.projectId
+        }
+      });
+      return { roles };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:projectId/roles/slug/:roleSlug",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        projectId: z.string().trim().describe(PROJECT_ROLE.GET_ROLE_BY_SLUG.projectId),
+        roleSlug: z.string().trim().describe(PROJECT_ROLE.GET_ROLE_BY_SLUG.roleSlug)
+      }),
+      response: {
+        200: z.object({
+          role: SanitizedRoleSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const role = await server.services.projectRole.getRoleBySlug({
+        actorAuthMethod: req.permission.authMethod,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actor: req.permission.type,
+        filter: {
+          type: ProjectRoleServiceIdentifierType.ID,
+          projectId: req.params.projectId
+        },
+        roleSlug: req.params.roleSlug
+      });
+      return { role };
+    }
+  });
+};
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
@ -5,22 +5,38 @@ import { AccessApprovalPoliciesSchema, TableName, TAccessApprovalPolicies } from
 import { DatabaseError } from "@app/lib/errors";
 import { buildFindFilter, ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";

+import { ApproverType } from "./access-approval-policy-types";
+
 export type TAccessApprovalPolicyDALFactory = ReturnType<typeof accessApprovalPolicyDALFactory>;

 export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
  const accessApprovalPolicyOrm = ormify(db, TableName.AccessApprovalPolicy);

-  const accessApprovalPolicyFindQuery = async (tx: Knex, filter: TFindFilter<TAccessApprovalPolicies>) => {
+  const accessApprovalPolicyFindQuery = async (
+    tx: Knex,
+    filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>,
+    customFilter?: {
+      policyId?: string;
+    }
+  ) => {
    const result = await tx(TableName.AccessApprovalPolicy)
      // eslint-disable-next-line
      .where(buildFindFilter(filter))
+      .where((qb) => {
+        if (customFilter?.policyId) {
+          void qb.where(`${TableName.AccessApprovalPolicy}.id`, "=", customFilter.policyId);
+        }
+      })
      .join(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
      .leftJoin(
        TableName.AccessApprovalPolicyApprover,
        `${TableName.AccessApprovalPolicy}.id`,
        `${TableName.AccessApprovalPolicyApprover}.policyId`
      )
+      .leftJoin(TableName.Users, `${TableName.AccessApprovalPolicyApprover}.approverUserId`, `${TableName.Users}.id`)
+      .select(tx.ref("username").withSchema(TableName.Users).as("approverUsername"))
      .select(tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
+      .select(tx.ref("approverGroupId").withSchema(TableName.AccessApprovalPolicyApprover))
      .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
      .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
      .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
@ -30,10 +46,10 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
    return result;
  };

-  const findById = async (id: string, tx?: Knex) => {
+  const findById = async (policyId: string, tx?: Knex) => {
    try {
      const doc = await accessApprovalPolicyFindQuery(tx || db.replicaNode(), {
-        [`${TableName.AccessApprovalPolicy}.id` as "id"]: id
+        [`${TableName.AccessApprovalPolicy}.id` as "id"]: policyId
      });
      const formattedDoc = sqlNestRelationships({
        data: doc,
@ -50,9 +66,18 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
        childrenMapper: [
          {
            key: "approverUserId",
-            label: "userApprovers" as const,
-            mapper: ({ approverUserId }) => ({
-              userId: approverUserId
+            label: "approvers" as const,
+            mapper: ({ approverUserId: id }) => ({
+              id,
+              type: "user"
+            })
+          },
+          {
+            key: "approverGroupId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupId: id }) => ({
+              id,
+              type: "group"
            })
          }
        ]
@ -64,9 +89,15 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
    }
  };

-  const find = async (filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>, tx?: Knex) => {
+  const find = async (
+    filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>,
+    customFilter?: {
+      policyId?: string;
+    },
+    tx?: Knex
+  ) => {
    try {
-      const docs = await accessApprovalPolicyFindQuery(tx || db.replicaNode(), filter);
+      const docs = await accessApprovalPolicyFindQuery(tx || db.replicaNode(), filter, customFilter);

      const formattedDocs = sqlNestRelationships({
        data: docs,
@ -84,9 +115,19 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
        childrenMapper: [
          {
            key: "approverUserId",
-            label: "userApprovers" as const,
-            mapper: ({ approverUserId }) => ({
-              userId: approverUserId
+            label: "approvers" as const,
+            mapper: ({ approverUserId: id, approverUsername }) => ({
+              id,
+              type: ApproverType.User,
+              name: approverUsername
+            })
+          },
+          {
+            key: "approverGroupId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupId: id }) => ({
+              id,
+              type: ApproverType.Group
            })
          }
        ]
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-fns.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-fns.ts
@ -1,36 +0,0 @@
-import { ForbiddenError, subject } from "@casl/ability";
-
-import { BadRequestError } from "@app/lib/errors";
-import { ActorType } from "@app/services/auth/auth-type";
-
-import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
-import { TVerifyApprovers } from "./access-approval-policy-types";
-
-export const verifyApprovers = async ({
-  userIds,
-  projectId,
-  orgId,
-  envSlug,
-  actorAuthMethod,
-  secretPath,
-  permissionService
-}: TVerifyApprovers) => {
-  for await (const userId of userIds) {
-    try {
-      const { permission: approverPermission } = await permissionService.getProjectPermission(
-        ActorType.USER,
-        userId,
-        projectId,
-        actorAuthMethod,
-        orgId
-      );
-
-      ForbiddenError.from(approverPermission).throwUnlessCan(
-        ProjectPermissionActions.Create,
-        subject(ProjectPermissionSub.Secrets, { environment: envSlug, secretPath })
-      );
-    } catch (err) {
-      throw new BadRequestError({ message: "One or more approvers doesn't have access to be specified secret path" });
-    }
-  }
-};
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
@ -2,17 +2,20 @@ import { ForbiddenError } from "@casl/ability";

 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
+import { TUserDALFactory } from "@app/services/user/user-dal";

+import { TGroupDALFactory } from "../group/group-dal";
 import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
-import { verifyApprovers } from "./access-approval-policy-fns";
 import {
+  ApproverType,
  TCreateAccessApprovalPolicy,
  TDeleteAccessApprovalPolicy,
+  TGetAccessApprovalPolicyByIdDTO,
  TGetAccessPolicyCountByEnvironmentDTO,
  TListAccessApprovalPoliciesDTO,
  TUpdateAccessApprovalPolicy
@ -25,6 +28,8 @@ type TSecretApprovalPolicyServiceFactoryDep = {
  projectEnvDAL: Pick<TProjectEnvDALFactory, "find" | "findOne">;
  accessApprovalPolicyApproverDAL: TAccessApprovalPolicyApproverDALFactory;
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
+  groupDAL: TGroupDALFactory;
+  userDAL: Pick<TUserDALFactory, "find">;
 };

 export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprovalPolicyServiceFactory>;
@ -32,9 +37,11 @@ export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprov
 export const accessApprovalPolicyServiceFactory = ({
  accessApprovalPolicyDAL,
  accessApprovalPolicyApproverDAL,
+  groupDAL,
  permissionService,
  projectEnvDAL,
-  projectDAL
+  projectDAL,
+  userDAL
 }: TSecretApprovalPolicyServiceFactoryDep) => {
  const createAccessApprovalPolicy = async ({
    name,
@ -50,9 +57,23 @@ export const accessApprovalPolicyServiceFactory = ({
    enforcementLevel
  }: TCreateAccessApprovalPolicy) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

-    if (approvals > approvers.length)
+    // If there is a group approver people might be added to the group later to meet the approvers quota
+    const groupApprovers = approvers
+      .filter((approver) => approver.type === ApproverType.Group)
+      .map((approver) => approver.id) as string[];
+
+    const userApprovers = approvers
+      .filter((approver) => approver.type === ApproverType.User)
+      .map((approver) => approver.id)
+      .filter(Boolean) as string[];
+
+    const userApproverNames = approvers
+      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
+      .filter(Boolean) as string[];
+
+    if (!groupApprovers && approvals > userApprovers.length + userApproverNames.length)
      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });

    const { permission } = await permissionService.getProjectPermission(
@ -67,17 +88,50 @@ export const accessApprovalPolicyServiceFactory = ({
      ProjectPermissionSub.SecretApproval
    );
    const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
-    if (!env) throw new BadRequestError({ message: "Environment not found" });
+    if (!env) throw new NotFoundError({ message: `Environment with slug '${environment}' not found` });

-    await verifyApprovers({
-      projectId: project.id,
-      orgId: actorOrgId,
-      envSlug: environment,
-      secretPath,
-      actorAuthMethod,
-      permissionService,
-      userIds: approvers
-    });
+    let approverUserIds = userApprovers;
+    if (userApproverNames.length) {
+      const approverUsers = await userDAL.find({
+        $in: {
+          username: userApproverNames
+        }
+      });
+
+      const approverNamesFromDb = approverUsers.map((user) => user.username);
+      const invalidUsernames = userApproverNames.filter((username) => !approverNamesFromDb.includes(username));
+
+      if (invalidUsernames.length) {
+        throw new BadRequestError({
+          message: `Invalid approver user: ${invalidUsernames.join(", ")}`
+        });
+      }
+
+      approverUserIds = approverUserIds.concat(approverUsers.map((user) => user.id));
+    }
+
+    const usersPromises: Promise<
+      {
+        id: string;
+        email: string | null | undefined;
+        username: string;
+        firstName: string | null | undefined;
+        lastName: string | null | undefined;
+        isPartOfGroup: boolean;
+      }[]
+    >[] = [];
+    const verifyAllApprovers = [...approverUserIds];
+
+    for (const groupId of groupApprovers) {
+      usersPromises.push(
+        groupDAL.findAllGroupPossibleMembers({ orgId: actorOrgId, groupId, offset: 0 }).then((group) => group.members)
+      );
+    }
+    const verifyGroupApprovers = (await Promise.all(usersPromises))
+      .flat()
+      .filter((user) => user.isPartOfGroup)
+      .map((user) => user.id);
+    verifyAllApprovers.push(...verifyGroupApprovers);

    const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
      const doc = await accessApprovalPolicyDAL.create(
@ -90,13 +144,26 @@ export const accessApprovalPolicyServiceFactory = ({
        },
        tx
      );
-      await accessApprovalPolicyApproverDAL.insertMany(
-        approvers.map((userId) => ({
-          approverUserId: userId,
-          policyId: doc.id
-        })),
-        tx
-      );
+      if (approverUserIds.length) {
+        await accessApprovalPolicyApproverDAL.insertMany(
+          approverUserIds.map((userId) => ({
+            approverUserId: userId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
+      if (groupApprovers) {
+        await accessApprovalPolicyApproverDAL.insertMany(
+          groupApprovers.map((groupId) => ({
+            approverGroupId: groupId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
      return doc;
    });
    return { ...accessApproval, environment: env, projectId: project.id };
@ -110,7 +177,7 @@ export const accessApprovalPolicyServiceFactory = ({
    projectSlug
  }: TListAccessApprovalPoliciesDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    // Anyone in the project should be able to get the policies.
    /* const { permission } = */ await permissionService.getProjectPermission(
@ -138,8 +205,32 @@ export const accessApprovalPolicyServiceFactory = ({
    approvals,
    enforcementLevel
  }: TUpdateAccessApprovalPolicy) => {
+    const groupApprovers = approvers
+      .filter((approver) => approver.type === ApproverType.Group)
+      .map((approver) => approver.id) as string[];
+
+    const userApprovers = approvers
+      .filter((approver) => approver.type === ApproverType.User)
+      .map((approver) => approver.id)
+      .filter(Boolean) as string[];
+
+    const userApproverNames = approvers
+      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
+      .filter(Boolean) as string[];
+
    const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
-    if (!accessApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
+    const currentAppovals = approvals || accessApprovalPolicy.approvals;
+    if (
+      groupApprovers?.length === 0 &&
+      userApprovers &&
+      currentAppovals > userApprovers.length + userApproverNames.length
+    ) {
+      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
+    }
+
+    if (!accessApprovalPolicy) {
+      throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });
+    }
    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
@ -161,26 +252,49 @@ export const accessApprovalPolicyServiceFactory = ({
        },
        tx
      );
-      if (approvers) {
-        await verifyApprovers({
-          projectId: accessApprovalPolicy.projectId,
-          orgId: actorOrgId,
-          envSlug: accessApprovalPolicy.environment.slug,
-          secretPath: doc.secretPath!,
-          actorAuthMethod,
-          permissionService,
-          userIds: approvers
-        });

-        await accessApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
+      await accessApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
+
+      if (userApprovers.length || userApproverNames.length) {
+        let userApproverIds = userApprovers;
+        if (userApproverNames.length) {
+          const approverUsers = await userDAL.find({
+            $in: {
+              username: userApproverNames
+            }
+          });
+
+          const approverNamesFromDb = approverUsers.map((user) => user.username);
+          const invalidUsernames = userApproverNames.filter((username) => !approverNamesFromDb.includes(username));
+
+          if (invalidUsernames.length) {
+            throw new BadRequestError({
+              message: `Invalid approver user: ${invalidUsernames.join(", ")}`
+            });
+          }
+
+          userApproverIds = userApproverIds.concat(approverUsers.map((user) => user.id));
+        }
+
        await accessApprovalPolicyApproverDAL.insertMany(
-          approvers.map((userId) => ({
+          userApproverIds.map((userId) => ({
            approverUserId: userId,
            policyId: doc.id
          })),
          tx
        );
      }
+
+      if (groupApprovers) {
+        await accessApprovalPolicyApproverDAL.insertMany(
+          groupApprovers.map((groupId) => ({
+            approverGroupId: groupId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
      return doc;
    });
    return {
@ -198,7 +312,7 @@ export const accessApprovalPolicyServiceFactory = ({
    actorOrgId
  }: TDeleteAccessApprovalPolicy) => {
    const policy = await accessApprovalPolicyDAL.findById(policyId);
-    if (!policy) throw new BadRequestError({ message: "Secret approval policy not found" });
+    if (!policy) throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -226,7 +340,7 @@ export const accessApprovalPolicyServiceFactory = ({
  }: TGetAccessPolicyCountByEnvironmentDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);

-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const { membership } = await permissionService.getProjectPermission(
      actor,
@ -235,22 +349,53 @@ export const accessApprovalPolicyServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    if (!membership) throw new BadRequestError({ message: "User not found in project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }

    const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
-    if (!environment) throw new BadRequestError({ message: "Environment not found" });
+    if (!environment) throw new NotFoundError({ message: `Environment with slug '${envSlug}' not found` });

    const policies = await accessApprovalPolicyDAL.find({ envId: environment.id, projectId: project.id });
-    if (!policies) throw new BadRequestError({ message: "No policies found" });
+    if (!policies) throw new NotFoundError({ message: `No policies found in environment with slug '${envSlug}'` });

    return { count: policies.length };
  };

+  const getAccessApprovalPolicyById = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    policyId
+  }: TGetAccessApprovalPolicyByIdDTO) => {
+    const [policy] = await accessApprovalPolicyDAL.find({}, { policyId });
+
+    if (!policy) {
+      throw new NotFoundError({
+        message: `Cannot find access approval policy with ID ${policyId}`
+      });
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      policy.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+
+    return policy;
+  };
+
  return {
    getAccessPolicyCountByEnvSlug,
    createAccessApprovalPolicy,
    deleteAccessApprovalPolicy,
    updateAccessApprovalPolicy,
-    getAccessApprovalPolicyByProjectSlug
+    getAccessApprovalPolicyByProjectSlug,
+    getAccessApprovalPolicyById
  };
 };
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts
@ -3,7 +3,7 @@ import { ActorAuthMethod } from "@app/services/auth/auth-type";

 import { TPermissionServiceFactory } from "../permission/permission-service";

-export type TVerifyApprovers = {
+export type TIsApproversValid = {
  userIds: string[];
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
  envSlug: string;
@ -13,11 +13,16 @@ export type TVerifyApprovers = {
  orgId: string;
 };

+export enum ApproverType {
+  Group = "group",
+  User = "user"
+}
+
 export type TCreateAccessApprovalPolicy = {
  approvals: number;
  secretPath: string;
  environment: string;
-  approvers: string[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
  projectSlug: string;
  name: string;
  enforcementLevel: EnforcementLevel;
@ -26,7 +31,7 @@ export type TCreateAccessApprovalPolicy = {
 export type TUpdateAccessApprovalPolicy = {
  policyId: string;
  approvals?: number;
-  approvers?: string[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
  secretPath?: string;
  name?: string;
  enforcementLevel?: EnforcementLevel;
@ -41,6 +46,10 @@ export type TGetAccessPolicyCountByEnvironmentDTO = {
  projectSlug: string;
 } & Omit<TProjectPermission, "projectId">;

+export type TGetAccessApprovalPolicyByIdDTO = {
+  policyId: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TListAccessApprovalPoliciesDTO = {
  projectSlug: string;
 } & Omit<TProjectPermission, "projectId">;
--- a/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
@ -39,6 +39,12 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
          `${TableName.AccessApprovalPolicy}.id`,
          `${TableName.AccessApprovalPolicyApprover}.policyId`
        )
+        .leftJoin(
+          TableName.UserGroupMembership,
+          `${TableName.AccessApprovalPolicyApprover}.approverGroupId`,
+          `${TableName.UserGroupMembership}.groupId`
+        )
+        .leftJoin(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)

        .join<TUsers>(
          db(TableName.Users).as("requestedByUser"),
@ -59,6 +65,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
        )

        .select(db.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
+        .select(db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"))

        .select(
          db.ref("projectId").withSchema(TableName.Environment),
@ -142,7 +149,12 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
            label: "reviewers" as const,
            mapper: ({ reviewerUserId: userId, reviewerStatus: status }) => (userId ? { userId, status } : undefined)
          },
-          { key: "approverUserId", label: "approvers" as const, mapper: ({ approverUserId }) => approverUserId }
+          { key: "approverUserId", label: "approvers" as const, mapper: ({ approverUserId }) => approverUserId },
+          {
+            key: "approverGroupUserId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupUserId }) => approverGroupUserId
+          }
        ]
      });

@ -172,17 +184,28 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
        `requestedByUser.id`
      )

-      .join(
+      .leftJoin(
        TableName.AccessApprovalPolicyApprover,
        `${TableName.AccessApprovalPolicy}.id`,
        `${TableName.AccessApprovalPolicyApprover}.policyId`
      )

-      .join<TUsers>(
+      .leftJoin<TUsers>(
        db(TableName.Users).as("accessApprovalPolicyApproverUser"),
        `${TableName.AccessApprovalPolicyApprover}.approverUserId`,
        "accessApprovalPolicyApproverUser.id"
      )
+      .leftJoin(
+        TableName.UserGroupMembership,
+        `${TableName.AccessApprovalPolicyApprover}.approverGroupId`,
+        `${TableName.UserGroupMembership}.groupId`
+      )
+
+      .leftJoin<TUsers>(
+        db(TableName.Users).as("accessApprovalPolicyGroupApproverUser"),
+        `${TableName.UserGroupMembership}.userId`,
+        "accessApprovalPolicyGroupApproverUser.id"
+      )

      .leftJoin(
        TableName.AccessApprovalRequestReviewer,
@ -200,10 +223,15 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
      .select(selectAllTableCols(TableName.AccessApprovalRequest))
      .select(
        tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover),
+        tx.ref("userId").withSchema(TableName.UserGroupMembership),
        tx.ref("email").withSchema("accessApprovalPolicyApproverUser").as("approverEmail"),
+        tx.ref("email").withSchema("accessApprovalPolicyGroupApproverUser").as("approverGroupEmail"),
        tx.ref("username").withSchema("accessApprovalPolicyApproverUser").as("approverUsername"),
+        tx.ref("username").withSchema("accessApprovalPolicyGroupApproverUser").as("approverGroupUsername"),
        tx.ref("firstName").withSchema("accessApprovalPolicyApproverUser").as("approverFirstName"),
+        tx.ref("firstName").withSchema("accessApprovalPolicyGroupApproverUser").as("approverGroupFirstName"),
        tx.ref("lastName").withSchema("accessApprovalPolicyApproverUser").as("approverLastName"),
+        tx.ref("lastName").withSchema("accessApprovalPolicyGroupApproverUser").as("approverGroupLastName"),
        tx.ref("email").withSchema("requestedByUser").as("requestedByUserEmail"),
        tx.ref("username").withSchema("requestedByUser").as("requestedByUserUsername"),
        tx.ref("firstName").withSchema("requestedByUser").as("requestedByUserFirstName"),
@ -282,6 +310,23 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
              lastName,
              username
            })
+          },
+          {
+            key: "userId",
+            label: "approvers" as const,
+            mapper: ({
+              userId,
+              approverGroupEmail: email,
+              approverGroupUsername: username,
+              approverGroupLastName: lastName,
+              approverFirstName: firstName
+            }) => ({
+              userId,
+              email,
+              firstName,
+              lastName,
+              username
+            })
          }
        ]
      });
--- a/backend/src/ee/services/access-approval-request/access-approval-request-fns.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-fns.ts
@ -1,6 +1,6 @@
 import { PackRule, unpackRules } from "@casl/ability/extra";

-import { UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError } from "@app/lib/errors";

 import { TVerifyPermission } from "./access-approval-request-types";

@ -19,7 +19,7 @@ export const verifyRequestedPermissions = ({ permissions }: TVerifyPermission) =
  );

  if (!permission || !permission.length) {
-    throw new UnauthorizedError({ message: "No permission provided" });
+    throw new BadRequestError({ message: "No permission provided" });
  }

  const requestedPermissions: string[] = [];
@ -39,10 +39,10 @@ export const verifyRequestedPermissions = ({ permissions }: TVerifyPermission) =
  const permissionEnv = firstPermission.conditions?.environment;

  if (!permissionEnv || typeof permissionEnv !== "string") {
-    throw new UnauthorizedError({ message: "Permission environment is not a string" });
+    throw new BadRequestError({ message: "Permission environment is not a string" });
  }
  if (!permissionSecretPath || typeof permissionSecretPath !== "string") {
-    throw new UnauthorizedError({ message: "Permission path is not a string" });
+    throw new BadRequestError({ message: "Permission path is not a string" });
  }

  return {
--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@ -3,7 +3,7 @@ import ms from "ms";

 import { ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@ -17,7 +17,7 @@ import { TUserDALFactory } from "@app/services/user/user-dal";

 import { TAccessApprovalPolicyApproverDALFactory } from "../access-approval-policy/access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "../access-approval-policy/access-approval-policy-dal";
-import { verifyApprovers } from "../access-approval-policy/access-approval-policy-fns";
+import { TGroupDALFactory } from "../group/group-dal";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "../project-user-additional-privilege/project-user-additional-privilege-types";
@ -57,6 +57,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
    TAccessApprovalRequestReviewerDALFactory,
    "create" | "find" | "findOne" | "transaction"
  >;
+  groupDAL: Pick<TGroupDALFactory, "findAllGroupPossibleMembers">;
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findById">;
  smtpService: Pick<TSmtpService, "sendMail">;
  userDAL: Pick<
@ -70,12 +71,12 @@ type TSecretApprovalRequestServiceFactoryDep = {
 export type TAccessApprovalRequestServiceFactory = ReturnType<typeof accessApprovalRequestServiceFactory>;

 export const accessApprovalRequestServiceFactory = ({
+  groupDAL,
  projectDAL,
  projectEnvDAL,
  permissionService,
  accessApprovalRequestDAL,
  accessApprovalRequestReviewerDAL,
-  projectMembershipDAL,
  accessApprovalPolicyDAL,
  accessApprovalPolicyApproverDAL,
  additionalPrivilegeDAL,
@ -96,7 +97,7 @@ export const accessApprovalRequestServiceFactory = ({
  }: TCreateAccessApprovalRequestDTO) => {
    const cfg = getConfig();
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new UnauthorizedError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    // Anyone can create an access approval request.
    const { membership } = await permissionService.getProjectPermission(
@ -106,31 +107,62 @@ export const accessApprovalRequestServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }

    const requestedByUser = await userDAL.findById(actorId);
-    if (!requestedByUser) throw new UnauthorizedError({ message: "User not found" });
+    if (!requestedByUser) throw new ForbiddenRequestError({ message: "User not found" });

    await projectDAL.checkProjectUpgradeStatus(project.id);

    const { envSlug, secretPath, accessTypes } = verifyRequestedPermissions({ permissions: requestedPermissions });
    const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });

-    if (!environment) throw new UnauthorizedError({ message: "Environment not found" });
+    if (!environment) throw new NotFoundError({ message: `Environment with slug '${envSlug}' not found` });

    const policy = await accessApprovalPolicyDAL.findOne({
      envId: environment.id,
      secretPath
    });
-    if (!policy) throw new UnauthorizedError({ message: "No policy matching criteria was found." });
+    if (!policy) {
+      throw new NotFoundError({
+        message: `No policy in environment with slug '${environment.slug}' and with secret path '${secretPath}' was found.`
+      });
+    }
+
+    const approverIds: string[] = [];
+    const approverGroupIds: string[] = [];

    const approvers = await accessApprovalPolicyApproverDAL.find({
      policyId: policy.id
    });

+    approvers.forEach((approver) => {
+      if (approver.approverUserId) {
+        approverIds.push(approver.approverUserId);
+      } else if (approver.approverGroupId) {
+        approverGroupIds.push(approver.approverGroupId);
+      }
+    });
+
+    const groupUsers = (
+      await Promise.all(
+        approverGroupIds.map((groupApproverId) =>
+          groupDAL
+            .findAllGroupPossibleMembers({
+              orgId: actorOrgId,
+              groupId: groupApproverId
+            })
+            .then((group) => group.members)
+        )
+      )
+    ).flat();
+    approverIds.push(...groupUsers.filter((user) => user.isPartOfGroup).map((user) => user.id));
+
    const approverUsers = await userDAL.find({
      $in: {
-        id: approvers.map((approver) => approver.approverUserId)
+        id: [...new Set(approverIds)]
      }
    });

@ -236,7 +268,7 @@ export const accessApprovalRequestServiceFactory = ({
    actorAuthMethod
  }: TListApprovalRequestsDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new UnauthorizedError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const { membership } = await permissionService.getProjectPermission(
      actor,
@ -245,7 +277,9 @@ export const accessApprovalRequestServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }

    const policies = await accessApprovalPolicyDAL.find({ projectId: project.id });
    let requests = await accessApprovalRequestDAL.findRequestsWithPrivilegeByPolicyIds(policies.map((p) => p.id));
@ -270,7 +304,9 @@ export const accessApprovalRequestServiceFactory = ({
    actorOrgId
  }: TReviewAccessRequestDTO) => {
    const accessApprovalRequest = await accessApprovalRequestDAL.findById(requestId);
-    if (!accessApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
+    if (!accessApprovalRequest) {
+      throw new NotFoundError({ message: `Secret approval request with ID '${requestId}' not found` });
+    }

    const { policy } = accessApprovalRequest;
    const { membership, hasRole } = await permissionService.getProjectPermission(
@ -281,28 +317,18 @@ export const accessApprovalRequestServiceFactory = ({
      actorOrgId
    );

-    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }

    if (
      !hasRole(ProjectMembershipRole.Admin) &&
      accessApprovalRequest.requestedByUserId !== actorId && // The request wasn't made by the current user
      !policy.approvers.find((approver) => approver.userId === actorId) // The request isn't performed by an assigned approver
    ) {
-      throw new UnauthorizedError({ message: "You are not authorized to approve this request" });
+      throw new ForbiddenRequestError({ message: "You are not authorized to approve this request" });
    }

-    const reviewerProjectMembership = await projectMembershipDAL.findById(membership.id);
-
-    await verifyApprovers({
-      projectId: accessApprovalRequest.projectId,
-      orgId: actorOrgId,
-      envSlug: accessApprovalRequest.environment,
-      secretPath: accessApprovalRequest.policy.secretPath!,
-      actorAuthMethod,
-      permissionService,
-      userIds: [reviewerProjectMembership.userId]
-    });
-
    const existingReviews = await accessApprovalRequestReviewerDAL.find({ requestId: accessApprovalRequest.id });
    if (existingReviews.some((review) => review.status === ApprovalStatus.REJECTED)) {
      throw new BadRequestError({ message: "The request has already been rejected by another reviewer" });
@ -385,7 +411,7 @@ export const accessApprovalRequestServiceFactory = ({

  const getCount = async ({ projectSlug, actor, actorAuthMethod, actorId, actorOrgId }: TGetAccessRequestCountDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new UnauthorizedError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const { membership } = await permissionService.getProjectPermission(
      actor,
@ -394,7 +420,9 @@ export const accessApprovalRequestServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    if (!membership) throw new BadRequestError({ message: "User not found in project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }

    const count = await accessApprovalRequestDAL.getCount({ projectId: project.id });

--- a/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
+++ b/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
@ -5,7 +5,7 @@ import { SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
 import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";

 import { AUDIT_LOG_STREAM_TIMEOUT } from "../audit-log/audit-log-queue";
@ -43,14 +43,15 @@ export const auditLogStreamServiceFactory = ({
    actorOrgId,
    actorAuthMethod
  }: TCreateAuditLogStreamDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Missing org id from token" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID attached to authentication token" });

    const appCfg = getConfig();
    const plan = await licenseService.getPlan(actorOrgId);
-    if (!plan.auditLogStreams)
+    if (!plan.auditLogStreams) {
      throw new BadRequestError({
        message: "Failed to create audit log streams due to plan restriction. Upgrade plan to create group."
      });
+    }

    const { permission } = await permissionService.getOrgPermission(
      actor,
@ -120,7 +121,7 @@ export const auditLogStreamServiceFactory = ({
    actorOrgId,
    actorAuthMethod
  }: TUpdateAuditLogStreamDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Missing org id from token" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID attached to authentication token" });

    const plan = await licenseService.getPlan(actorOrgId);
    if (!plan.auditLogStreams)
@ -129,7 +130,7 @@ export const auditLogStreamServiceFactory = ({
      });

    const logStream = await auditLogStreamDAL.findById(id);
-    if (!logStream) throw new BadRequestError({ message: "Audit log stream not found" });
+    if (!logStream) throw new NotFoundError({ message: `Audit log stream with ID '${id}' not found` });

    const { orgId } = logStream;
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
@ -178,10 +179,10 @@ export const auditLogStreamServiceFactory = ({
  };

  const deleteById = async ({ id, actor, actorId, actorOrgId, actorAuthMethod }: TDeleteAuditLogStreamDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Missing org id from token" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID attached to authentication token" });

    const logStream = await auditLogStreamDAL.findById(id);
-    if (!logStream) throw new BadRequestError({ message: "Audit log stream not found" });
+    if (!logStream) throw new NotFoundError({ message: `Audit log stream with ID '${id}' not found` });

    const { orgId } = logStream;
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
@ -193,7 +194,7 @@ export const auditLogStreamServiceFactory = ({

  const getById = async ({ id, actor, actorId, actorOrgId, actorAuthMethod }: TGetDetailsAuditLogStreamDTO) => {
    const logStream = await auditLogStreamDAL.findById(id);
-    if (!logStream) throw new BadRequestError({ message: "Audit log stream not found" });
+    if (!logStream) throw new NotFoundError({ message: `Audit log stream with ID '${id}' not found` });

    const { orgId } = logStream;
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
--- a/backend/src/ee/services/audit-log/audit-log-dal.ts
+++ b/backend/src/ee/services/audit-log/audit-log-dal.ts
@ -1,9 +1,10 @@
-import { Knex } from "knex";
+// weird commonjs-related error in the CI requires us to do the import like this
+import knex from "knex";

 import { TDbClient } from "@app/db";
-import { AuditLogsSchema, TableName } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols, stripUndefinedInWhere } from "@app/lib/knex";
+import { TableName } from "@app/db/schemas";
+import { DatabaseError, GatewayTimeoutError } from "@app/lib/errors";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
 import { logger } from "@app/lib/logger";
 import { QueueName } from "@app/queue";
 import { ActorType } from "@app/services/auth/auth-type";
@ -46,71 +47,83 @@ export const auditLogDALFactory = (db: TDbClient) => {
      eventType?: EventType[];
      eventMetadata?: Record<string, string>;
    },
-    tx?: Knex
+    tx?: knex.Knex
  ) => {
+    if (!orgId && !projectId) {
+      throw new Error("Either orgId or projectId must be provided");
+    }
+
    try {
+      // Find statements
      const sqlQuery = (tx || db.replicaNode())(TableName.AuditLog)
-        .where(
-          stripUndefinedInWhere({
-            projectId,
-            [`${TableName.AuditLog}.orgId`]: orgId,
-            userAgentType
-          })
-        )
+        // eslint-disable-next-line func-names
+        .where(function () {
+          if (orgId) {
+            void this.where(`${TableName.AuditLog}.orgId`, orgId);
+          } else if (projectId) {
+            void this.where(`${TableName.AuditLog}.projectId`, projectId);
+          }
+        });

-        .leftJoin(TableName.Project, `${TableName.AuditLog}.projectId`, `${TableName.Project}.id`)
+      if (userAgentType) {
+        void sqlQuery.where("userAgentType", userAgentType);
+      }

+      // Select statements
+      void sqlQuery
        .select(selectAllTableCols(TableName.AuditLog))
-
-        .select(
-          db.ref("name").withSchema(TableName.Project).as("projectName"),
-          db.ref("slug").withSchema(TableName.Project).as("projectSlug")
-        )
-
        .limit(limit)
        .offset(offset)
        .orderBy(`${TableName.AuditLog}.createdAt`, "desc");

+      // Special case: Filter by actor ID
      if (actorId) {
-        void sqlQuery.whereRaw(`"actorMetadata"->>'userId' = ?`, [actorId]);
+        void sqlQuery.whereRaw(`"actorMetadata" @> jsonb_build_object('userId', ?::text)`, [actorId]);
      }

+      // Special case: Filter by key/value pairs in eventMetadata field
      if (eventMetadata && Object.keys(eventMetadata).length) {
        Object.entries(eventMetadata).forEach(([key, value]) => {
-          void sqlQuery.whereRaw(`"eventMetadata"->>'${key}' = ?`, [value]);
+          void sqlQuery.whereRaw(`"eventMetadata" @> jsonb_build_object(?::text, ?::text)`, [key, value]);
        });
      }

+      // Filter by actor type
      if (actorType) {
        void sqlQuery.where("actor", actorType);
      }

+      // Filter by event types
      if (eventType?.length) {
        void sqlQuery.whereIn("eventType", eventType);
      }

+      // Filter by date range
      if (startDate) {
        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, ">=", startDate);
      }
      if (endDate) {
        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, "<=", endDate);
      }
-      const docs = await sqlQuery;

-      return docs.map((doc) => ({
-        ...AuditLogsSchema.parse(doc),
-        project: {
-          name: doc.projectName,
-          slug: doc.projectSlug
-        }
-      }));
+      // we timeout long running queries to prevent DB resource issues (2 minutes)
+      const docs = await sqlQuery.timeout(1000 * 120);
+
+      return docs;
    } catch (error) {
+      if (error instanceof knex.KnexTimeoutError) {
+        throw new GatewayTimeoutError({
+          error,
+          message: "Failed to fetch audit logs due to timeout. Add more search filters."
+        });
+      }
+
      throw new DatabaseError({ error });
    }
  };

  // delete all audit log that have expired
-  const pruneAuditLog = async (tx?: Knex) => {
+  const pruneAuditLog = async (tx?: knex.Knex) => {
    const AUDIT_LOG_PRUNE_BATCH_SIZE = 10000;
    const MAX_RETRY_ON_FAILURE = 3;

@ -126,6 +139,7 @@ export const auditLogDALFactory = (db: TDbClient) => {
          .where("expiresAt", "<", today)
          .select("id")
          .limit(AUDIT_LOG_PRUNE_BATCH_SIZE);
+
        // eslint-disable-next-line no-await-in-loop
        deletedAuditLogIds = await (tx || db)(TableName.AuditLog)
          .whereIn("id", findExpiredLogSubQuery)
--- a/backend/src/ee/services/audit-log/audit-log-queue.ts
+++ b/backend/src/ee/services/audit-log/audit-log-queue.ts
@ -74,6 +74,7 @@ export const auditLogQueueServiceFactory = ({
      actorMetadata: actor.metadata,
      userAgent,
      projectId,
+      projectName: project?.name,
      ipAddress,
      orgId,
      eventType: event.type,
--- a/backend/src/ee/services/audit-log/audit-log-service.ts
+++ b/backend/src/ee/services/audit-log/audit-log-service.ts
@ -24,6 +24,7 @@ export const auditLogServiceFactory = ({
  permissionService
 }: TAuditLogServiceFactoryDep) => {
  const listAuditLogs = async ({ actorAuthMethod, actorId, actorOrgId, actor, filter }: TListProjectAuditLogDTO) => {
+    // Filter logs for specific project
    if (filter.projectId) {
      const { permission } = await permissionService.getProjectPermission(
        actor,
@ -34,6 +35,7 @@ export const auditLogServiceFactory = ({
      );
      ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
    } else {
+      // Organization-wide logs
      const { permission } = await permissionService.getOrgPermission(
        actor,
        actorId,
@ -44,13 +46,12 @@ export const auditLogServiceFactory = ({

      /**
       * NOTE (dangtony98): Update this to organization-level audit log permission check once audit logs are moved
-       * to the organization level
+       * to the organization level ✅
       */
-      ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Member);
+      ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
    }

    // If project ID is not provided, then we need to return all the audit logs for the organization itself.
-
    const auditLogs = await auditLogDAL.find({
      startDate: filter.startDate,
      endDate: filter.endDate,
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@ -1,3 +1,4 @@
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
 import { TProjectPermission } from "@app/lib/types";
 import { ActorType } from "@app/services/auth/auth-type";
 import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
@ -122,6 +123,7 @@ export enum EventType {
  UPDATE_WEBHOOK_STATUS = "update-webhook-status",
  DELETE_WEBHOOK = "delete-webhook",
  GET_SECRET_IMPORTS = "get-secret-imports",
+  GET_SECRET_IMPORT = "get-secret-import",
  CREATE_SECRET_IMPORT = "create-secret-import",
  UPDATE_SECRET_IMPORT = "update-secret-import",
  DELETE_SECRET_IMPORT = "delete-secret-import",
@ -182,7 +184,15 @@ export enum EventType {
  DELETE_SLACK_INTEGRATION = "delete-slack-integration",
  GET_PROJECT_SLACK_CONFIG = "get-project-slack-config",
  UPDATE_PROJECT_SLACK_CONFIG = "update-project-slack-config",
-  INTEGRATION_SYNCED = "integration-synced"
+  INTEGRATION_SYNCED = "integration-synced",
+  CREATE_CMEK = "create-cmek",
+  UPDATE_CMEK = "update-cmek",
+  DELETE_CMEK = "delete-cmek",
+  GET_CMEKS = "get-cmeks",
+  CMEK_ENCRYPT = "cmek-encrypt",
+  CMEK_DECRYPT = "cmek-decrypt",
+  UPDATE_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "update-external-group-org-role-mapping",
+  GET_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "get-external-group-org-role-mapping"
 }

 interface UserActorMetadata {
@ -1004,6 +1014,14 @@ interface GetSecretImportsEvent {
  };
 }

+interface GetSecretImportEvent {
+  type: EventType.GET_SECRET_IMPORT;
+  metadata: {
+    secretImportId: string;
+    folderId: string;
+  };
+}
+
 interface CreateSecretImportEvent {
  type: EventType.CREATE_SECRET_IMPORT;
  metadata: {
@ -1350,7 +1368,7 @@ interface CreateKmsEvent {
  metadata: {
    kmsId: string;
    provider: string;
-    slug: string;
+    name: string;
    description?: string;
  };
 }
@ -1359,7 +1377,7 @@ interface DeleteKmsEvent {
  type: EventType.DELETE_KMS;
  metadata: {
    kmsId: string;
-    slug: string;
+    name: string;
  };
 }

@ -1368,7 +1386,7 @@ interface UpdateKmsEvent {
  metadata: {
    kmsId: string;
    provider: string;
-    slug?: string;
+    name?: string;
    description?: string;
  };
 }
@ -1377,7 +1395,7 @@ interface GetKmsEvent {
  type: EventType.GET_KMS;
  metadata: {
    kmsId: string;
-    slug: string;
+    name: string;
  };
 }

@ -1386,7 +1404,7 @@ interface UpdateProjectKmsEvent {
  metadata: {
    secretManagerKmsKey: {
      id: string;
-      slug: string;
+      name: string;
    };
  };
 }
@ -1541,6 +1559,65 @@ interface IntegrationSyncedEvent {
  };
 }

+interface CreateCmekEvent {
+  type: EventType.CREATE_CMEK;
+  metadata: {
+    keyId: string;
+    name: string;
+    description?: string;
+    encryptionAlgorithm: SymmetricEncryption;
+  };
+}
+
+interface DeleteCmekEvent {
+  type: EventType.DELETE_CMEK;
+  metadata: {
+    keyId: string;
+  };
+}
+
+interface UpdateCmekEvent {
+  type: EventType.UPDATE_CMEK;
+  metadata: {
+    keyId: string;
+    name?: string;
+    description?: string;
+  };
+}
+
+interface GetCmeksEvent {
+  type: EventType.GET_CMEKS;
+  metadata: {
+    keyIds: string[];
+  };
+}
+
+interface CmekEncryptEvent {
+  type: EventType.CMEK_ENCRYPT;
+  metadata: {
+    keyId: string;
+  };
+}
+
+interface CmekDecryptEvent {
+  type: EventType.CMEK_DECRYPT;
+  metadata: {
+    keyId: string;
+  };
+}
+
+interface GetExternalGroupOrgRoleMappingsEvent {
+  type: EventType.GET_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS;
+  metadata?: Record<string, never>; // not needed, based off orgId
+}
+
+interface UpdateExternalGroupOrgRoleMappingsEvent {
+  type: EventType.UPDATE_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS;
+  metadata: {
+    mappings: { groupName: string; roleSlug: string }[];
+  };
+}
+
 export type Event =
  | GetSecretsEvent
  | GetSecretEvent
@ -1620,6 +1697,7 @@ export type Event =
  | UpdateWebhookStatusEvent
  | DeleteWebhookEvent
  | GetSecretImportsEvent
+  | GetSecretImportEvent
  | CreateSecretImportEvent
  | UpdateSecretImportEvent
  | DeleteSecretImportEvent
@ -1680,4 +1758,12 @@ export type Event =
  | GetSlackIntegration
  | UpdateProjectSlackConfig
  | GetProjectSlackConfig
-  | IntegrationSyncedEvent;
+  | IntegrationSyncedEvent
+  | CreateCmekEvent
+  | UpdateCmekEvent
+  | DeleteCmekEvent
+  | GetCmeksEvent
+  | CmekEncryptEvent
+  | CmekDecryptEvent
+  | GetExternalGroupOrgRoleMappingsEvent
+  | UpdateExternalGroupOrgRoleMappingsEvent;
--- a/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
+++ b/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
@ -2,10 +2,9 @@ import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";

 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
-// import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { TCertificateAuthorityDALFactory } from "@app/services/certificate-authority/certificate-authority-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@ -19,7 +18,6 @@ type TCertificateAuthorityCrlServiceFactoryDep = {
  projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
  kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  // licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };

 export type TCertificateAuthorityCrlServiceFactory = ReturnType<typeof certificateAuthorityCrlServiceFactory>;
@ -36,7 +34,7 @@ export const certificateAuthorityCrlServiceFactory = ({
   */
  const getCrlById = async (crlId: TGetCrlById) => {
    const caCrl = await certificateAuthorityCrlDAL.findById(crlId);
-    if (!caCrl) throw new NotFoundError({ message: "CRL not found" });
+    if (!caCrl) throw new NotFoundError({ message: `CRL with ID '${crlId}' not found` });

    const ca = await certificateAuthorityDAL.findById(caCrl.caId);

@ -66,7 +64,7 @@ export const certificateAuthorityCrlServiceFactory = ({
   */
  const getCaCrls = async ({ caId, actorId, actorAuthMethod, actor, actorOrgId }: TGetCaCrlsDTO) => {
    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new BadRequestError({ message: "CA not found" });
+    if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@ -81,13 +79,6 @@ export const certificateAuthorityCrlServiceFactory = ({
      ProjectPermissionSub.CertificateAuthorities
    );

-    // const plan = await licenseService.getPlan(actorOrgId);
-    // if (!plan.caCrl)
-    //   throw new BadRequestError({
-    //     message:
-    //       "Failed to get CA certificate revocation lists (CRLs) due to plan restriction. Upgrade plan to get the CA CRL."
-    //   });
-
    const caCrls = await certificateAuthorityCrlDAL.find({ caId: ca.id }, { sort: [["createdAt", "desc"]] });

    const keyId = await getProjectKmsCertificateKeyId({
--- a/backend/src/ee/services/certificate-est/certificate-est-service.ts
+++ b/backend/src/ee/services/certificate-est/certificate-est-service.ts
@ -211,7 +211,7 @@ export const certificateEstServiceFactory = ({
    const certTemplate = await certificateTemplateDAL.findById(certificateTemplateId);
    if (!certTemplate) {
      throw new NotFoundError({
-        message: "Certificate template not found"
+        message: `Certificate template with ID '${certificateTemplateId}' not found`
      });
    }

@ -236,7 +236,7 @@ export const certificateEstServiceFactory = ({
    const ca = await certificateAuthorityDAL.findById(certTemplate.caId);
    if (!ca) {
      throw new NotFoundError({
-        message: "Certificate Authority not found"
+        message: `Certificate Authority with ID '${certTemplate.caId}' not found`
      });
    }

--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
@ -4,10 +4,13 @@ import ms from "ms";
 import { SecretKeyEncoding } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import {
+  ProjectPermissionDynamicSecretActions,
+  ProjectPermissionSub
+} from "@app/ee/services/permission/project-permission";
 import { getConfig } from "@app/lib/config/env";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
@ -61,7 +64,7 @@ export const dynamicSecretLeaseServiceFactory = ({
  }: TCreateDynamicSecretLeaseDTO) => {
    const appCfg = getConfig();
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@ -72,8 +75,8 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
    );

    const plan = await licenseService.getPlan(actorOrgId);
@ -84,10 +87,16 @@ export const dynamicSecretLeaseServiceFactory = ({
    }

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder)
+      throw new NotFoundError({
+        message: `Folder with path '${path}' in environment with slug '${environmentSlug}' not found`
+      });

    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+    if (!dynamicSecretCfg)
+      throw new NotFoundError({
+        message: `Dynamic secret with name '${name}' in folder with path '${path}' not found`
+      });

    const totalLeasesTaken = await dynamicSecretLeaseDAL.countLeasesForDynamicSecret(dynamicSecretCfg.id);
    if (totalLeasesTaken >= appCfg.MAX_LEASE_LIMIT)
@ -134,7 +143,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    leaseId
  }: TRenewDynamicSecretLeaseDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@ -145,8 +154,8 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
    );

    const plan = await licenseService.getPlan(actorOrgId);
@ -157,10 +166,15 @@ export const dynamicSecretLeaseServiceFactory = ({
    }

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder)
+      throw new NotFoundError({
+        message: `Folder with path '${path}' in environment with slug '${environmentSlug}' not found`
+      });

    const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
+    if (!dynamicSecretLease) {
+      throw new NotFoundError({ message: `Dynamic secret lease with ID '${leaseId}' not found` });
+    }

    const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
@ -208,7 +222,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    isForced
  }: TDeleteDynamicSecretLeaseDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@ -219,15 +233,19 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Delete,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
    );

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder)
+      throw new NotFoundError({
+        message: `Folder with path '${path}' in environment with slug '${environmentSlug}' not found`
+      });

    const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
+    if (!dynamicSecretLease)
+      throw new NotFoundError({ message: `Dynamic secret lease with ID '${leaseId}' not found` });

    const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
@ -273,7 +291,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    actorAuthMethod
  }: TListDynamicSecretLeasesDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@ -284,15 +302,21 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
    );

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder)
+      throw new NotFoundError({
+        message: `Folder with path '${path}' in environment with slug '${environmentSlug}' not found`
+      });

    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+    if (!dynamicSecretCfg)
+      throw new NotFoundError({
+        message: `Dynamic secret with name '${name}' in folder with path '${path}' not found`
+      });

    const dynamicSecretLeases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfg.id });
    return dynamicSecretLeases;
@ -309,7 +333,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    actorAuthMethod
  }: TDetailsDynamicSecretLeaseDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@ -320,15 +344,16 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
    );

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: `Folder with path '${path}' not found` });

    const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
+    if (!dynamicSecretLease)
+      throw new NotFoundError({ message: `Dynamic secret lease with ID '${leaseId}' not found` });

    return dynamicSecretLease;
  };
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-dal.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-dal.ts
@ -1,10 +1,70 @@
+import { Knex } from "knex";
+
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { OrderByDirection } from "@app/lib/types";
+import { SecretsOrderBy } from "@app/services/secret/secret-types";

 export type TDynamicSecretDALFactory = ReturnType<typeof dynamicSecretDALFactory>;

 export const dynamicSecretDALFactory = (db: TDbClient) => {
  const orm = ormify(db, TableName.DynamicSecret);
-  return orm;
+
+  // find dynamic secrets for multiple environments (folder IDs are cross env, thus need to rank for pagination)
+  const listDynamicSecretsByFolderIds = async (
+    {
+      folderIds,
+      search,
+      limit,
+      offset = 0,
+      orderBy = SecretsOrderBy.Name,
+      orderDirection = OrderByDirection.ASC
+    }: {
+      folderIds: string[];
+      search?: string;
+      limit?: number;
+      offset?: number;
+      orderBy?: SecretsOrderBy;
+      orderDirection?: OrderByDirection;
+    },
+    tx?: Knex
+  ) => {
+    try {
+      const query = (tx || db.replicaNode())(TableName.DynamicSecret)
+        .whereIn("folderId", folderIds)
+        .where((bd) => {
+          if (search) {
+            void bd.whereILike(`${TableName.DynamicSecret}.name`, `%${search}%`);
+          }
+        })
+        .leftJoin(TableName.SecretFolder, `${TableName.SecretFolder}.id`, `${TableName.DynamicSecret}.folderId`)
+        .leftJoin(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
+        .select(
+          selectAllTableCols(TableName.DynamicSecret),
+          db.ref("slug").withSchema(TableName.Environment).as("environment"),
+          db.raw(`DENSE_RANK() OVER (ORDER BY ${TableName.DynamicSecret}."name" ${orderDirection}) as rank`)
+        )
+        .orderBy(`${TableName.DynamicSecret}.${orderBy}`, orderDirection);
+
+      if (limit) {
+        const rankOffset = offset + 1;
+        return await (tx || db)
+          .with("w", query)
+          .select("*")
+          .from<Awaited<typeof query>[number]>("w")
+          .where("w.rank", ">=", rankOffset)
+          .andWhere("w.rank", "<", rankOffset + limit);
+      }
+
+      const dynamicSecrets = await query;
+
+      return dynamicSecrets;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "List dynamic secret multi env" });
+    }
+  };
+
+  return { ...orm, listDynamicSecretsByFolderIds };
 };
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
@ -3,9 +3,13 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { SecretKeyEncoding } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import {
+  ProjectPermissionDynamicSecretActions,
+  ProjectPermissionSub
+} from "@app/ee/services/permission/project-permission";
 import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { OrderByDirection } from "@app/lib/types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";

@ -17,9 +21,12 @@ import {
  TCreateDynamicSecretDTO,
  TDeleteDynamicSecretDTO,
  TDetailsDynamicSecretDTO,
+  TGetDynamicSecretsCountDTO,
  TListDynamicSecretsDTO,
+  TListDynamicSecretsMultiEnvDTO,
  TUpdateDynamicSecretDTO
 } from "./dynamic-secret-types";
+import { AzureEntraIDProvider } from "./providers/azure-entra-id";
 import { DynamicSecretProviders, TDynamicProviderFns } from "./providers/models";

 type TDynamicSecretServiceFactoryDep = {
@ -31,7 +38,7 @@ type TDynamicSecretServiceFactoryDep = {
    "pruneDynamicSecret" | "unsetLeaseRevocation"
  >;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath">;
+  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath" | "findBySecretPathMultiEnv">;
  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
 };
@ -62,7 +69,7 @@ export const dynamicSecretServiceFactory = ({
    actorAuthMethod
  }: TCreateDynamicSecretDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@ -73,8 +80,8 @@ export const dynamicSecretServiceFactory = ({
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Create,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionDynamicSecretActions.CreateRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
    );

    const plan = await licenseService.getPlan(actorOrgId);
@ -85,7 +92,9 @@ export const dynamicSecretServiceFactory = ({
    }

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) {
+      throw new NotFoundError({ message: `Folder with path '${path}' in environment '${environmentSlug}' not found` });
+    }

    const existingDynamicSecret = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
    if (existingDynamicSecret)
@ -130,7 +139,7 @@ export const dynamicSecretServiceFactory = ({
    actorAuthMethod
  }: TUpdateDynamicSecretDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;

@ -142,8 +151,8 @@ export const dynamicSecretServiceFactory = ({
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionDynamicSecretActions.EditRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
    );

    const plan = await licenseService.getPlan(actorOrgId);
@ -154,11 +163,15 @@ export const dynamicSecretServiceFactory = ({
    }

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder)
+      throw new NotFoundError({ message: `Folder with path '${path}' in environment '${environmentSlug}' not found` });

    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
-
+    if (!dynamicSecretCfg) {
+      throw new NotFoundError({
+        message: `Dynamic secret with name '${name}' in folder '${folder.path}' not found`
+      });
+    }
    if (newName) {
      const existingDynamicSecret = await dynamicSecretDAL.findOne({ name: newName, folderId: folder.id });
      if (existingDynamicSecret)
@ -209,7 +222,7 @@ export const dynamicSecretServiceFactory = ({
    isForced
  }: TDeleteDynamicSecretDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;

@ -221,15 +234,18 @@ export const dynamicSecretServiceFactory = ({
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
    );

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder)
+      throw new NotFoundError({ message: `Folder with path '${path}' in environment '${environmentSlug}' not found` });

    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+    if (!dynamicSecretCfg) {
+      throw new NotFoundError({ message: `Dynamic secret with name '${name}' in folder '${folder.path}' not found` });
+    }

    const leases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfg.id });
    // when not forced we check with the external system to first remove the things
@ -267,7 +283,7 @@ export const dynamicSecretServiceFactory = ({
    actor
  }: TDetailsDynamicSecretDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@ -278,15 +294,22 @@ export const dynamicSecretServiceFactory = ({
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionDynamicSecretActions.ReadRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.EditRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
    );

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder)
+      throw new NotFoundError({ message: `Folder with path '${path}' in environment '${environmentSlug}' not found` });

    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+    if (!dynamicSecretCfg) {
+      throw new NotFoundError({ message: `Dynamic secret with name '${name} in folder '${path}' not found` });
+    }
    const decryptedStoredInput = JSON.parse(
      infisicalSymmetricDecrypt({
        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
@ -300,19 +323,62 @@ export const dynamicSecretServiceFactory = ({
    return { ...dynamicSecretCfg, inputs: providerInputs };
  };

-  const list = async ({
+  // get unique dynamic secret count across multiple envs
+  const getCountMultiEnv = async ({
    actorAuthMethod,
    actorOrgId,
    actorId,
    actor,
-    projectSlug,
+    projectId,
    path,
-    environmentSlug
-  }: TListDynamicSecretsDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    environmentSlugs,
+    search,
+    isInternal
+  }: TListDynamicSecretsMultiEnvDTO) => {
+    if (!isInternal) {
+      const { permission } = await permissionService.getProjectPermission(
+        actor,
+        actorId,
+        projectId,
+        actorAuthMethod,
+        actorOrgId
+      );

-    const projectId = project.id;
+      // verify user has access to each env in request
+      environmentSlugs.forEach((environmentSlug) =>
+        ForbiddenError.from(permission).throwUnlessCan(
+          ProjectPermissionDynamicSecretActions.ReadRootCredential,
+          subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+        )
+      );
+    }
+
+    const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);
+    if (!folders.length) {
+      throw new NotFoundError({
+        message: `Folders with path '${path}' in environments with slugs '${environmentSlugs.join(", ")}' not found`
+      });
+    }
+
+    const dynamicSecretCfg = await dynamicSecretDAL.find(
+      { $in: { folderId: folders.map((folder) => folder.id) }, $search: search ? { name: `%${search}%` } : undefined },
+      { countDistinct: "name" }
+    );
+
+    return Number(dynamicSecretCfg[0]?.count ?? 0);
+  };
+
+  // get dynamic secret count for a single env
+  const getDynamicSecretCount = async ({
+    actorAuthMethod,
+    actorOrgId,
+    actorId,
+    actor,
+    path,
+    environmentSlug,
+    search,
+    projectId
+  }: TGetDynamicSecretsCountDTO) => {
    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
@ -321,22 +387,143 @@ export const dynamicSecretServiceFactory = ({
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionDynamicSecretActions.ReadRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
    );

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) {
+      throw new NotFoundError({ message: `Folder with path '${path}' in environment '${environmentSlug}' not found` });
+    }

-    const dynamicSecretCfg = await dynamicSecretDAL.find({ folderId: folder.id });
+    const dynamicSecretCfg = await dynamicSecretDAL.find(
+      { folderId: folder.id, $search: search ? { name: `%${search}%` } : undefined },
+      { count: true }
+    );
+    return Number(dynamicSecretCfg[0]?.count ?? 0);
+  };
+
+  const listDynamicSecretsByEnv = async ({
+    actorAuthMethod,
+    actorOrgId,
+    actorId,
+    actor,
+    projectSlug,
+    path,
+    environmentSlug,
+    limit,
+    offset,
+    orderBy,
+    orderDirection = OrderByDirection.ASC,
+    search,
+    ...params
+  }: TListDynamicSecretsDTO) => {
+    let { projectId } = params;
+
+    if (!projectId) {
+      if (!projectSlug) throw new BadRequestError({ message: "Project ID or slug required" });
+      const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+      if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
+      projectId = project.id;
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.ReadRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );
+
+    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
+    if (!folder)
+      throw new NotFoundError({ message: `Folder with path '${path}' in environment '${environmentSlug}' not found` });
+
+    const dynamicSecretCfg = await dynamicSecretDAL.find(
+      { folderId: folder.id, $search: search ? { name: `%${search}%` } : undefined },
+      {
+        limit,
+        offset,
+        sort: orderBy ? [[orderBy, orderDirection]] : undefined
+      }
+    );
    return dynamicSecretCfg;
  };

+  // get dynamic secrets for multiple envs
+  const listDynamicSecretsByFolderIds = async ({
+    actorAuthMethod,
+    actorOrgId,
+    actorId,
+    actor,
+    path,
+    environmentSlugs,
+    projectId,
+    isInternal,
+    ...params
+  }: TListDynamicSecretsMultiEnvDTO) => {
+    if (!isInternal) {
+      const { permission } = await permissionService.getProjectPermission(
+        actor,
+        actorId,
+        projectId,
+        actorAuthMethod,
+        actorOrgId
+      );
+
+      // verify user has access to each env in request
+      environmentSlugs.forEach((environmentSlug) =>
+        ForbiddenError.from(permission).throwUnlessCan(
+          ProjectPermissionDynamicSecretActions.ReadRootCredential,
+          subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+        )
+      );
+    }
+
+    const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);
+    if (!folders.length)
+      throw new NotFoundError({
+        message: `Folders with path '${path} in environments with slugs '${environmentSlugs.join(", ")}' not found`
+      });
+
+    const dynamicSecretCfg = await dynamicSecretDAL.listDynamicSecretsByFolderIds({
+      folderIds: folders.map((folder) => folder.id),
+      ...params
+    });
+
+    return dynamicSecretCfg;
+  };
+
+  const fetchAzureEntraIdUsers = async ({
+    tenantId,
+    applicationId,
+    clientSecret
+  }: {
+    tenantId: string;
+    applicationId: string;
+    clientSecret: string;
+  }) => {
+    const azureEntraIdUsers = await AzureEntraIDProvider().fetchAzureEntraIdUsers(
+      tenantId,
+      applicationId,
+      clientSecret
+    );
+    return azureEntraIdUsers;
+  };
+
  return {
    create,
    updateByName,
    deleteByName,
    getDetails,
-    list
+    listDynamicSecretsByEnv,
+    listDynamicSecretsByFolderIds,
+    getDynamicSecretCount,
+    getCountMultiEnv,
+    fetchAzureEntraIdUsers
  };
 };
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts
@ -1,6 +1,7 @@
 import { z } from "zod";

-import { TProjectPermission } from "@app/lib/types";
+import { OrderByDirection, TProjectPermission } from "@app/lib/types";
+import { SecretsOrderBy } from "@app/services/secret/secret-types";

 import { DynamicSecretProviderSchema } from "./providers/models";

@ -50,5 +51,20 @@ export type TDetailsDynamicSecretDTO = {
 export type TListDynamicSecretsDTO = {
  path: string;
  environmentSlug: string;
-  projectSlug: string;
+  projectSlug?: string;
+  projectId?: string;
+  offset?: number;
+  limit?: number;
+  orderBy?: SecretsOrderBy;
+  orderDirection?: OrderByDirection;
+  search?: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export type TListDynamicSecretsMultiEnvDTO = Omit<
+  TListDynamicSecretsDTO,
+  "projectId" | "environmentSlug" | "projectSlug"
+> & { projectId: string; environmentSlugs: string[]; isInternal?: boolean };
+
+export type TGetDynamicSecretsCountDTO = Omit<TListDynamicSecretsDTO, "projectSlug" | "projectId"> & {
+  projectId: string;
+};
--- a/backend/src/ee/services/dynamic-secret/providers/azure-entra-id.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/azure-entra-id.ts
@ -0,0 +1,138 @@
+import axios from "axios";
+import { customAlphabet } from "nanoid";
+
+import { BadRequestError } from "@app/lib/errors";
+
+import { AzureEntraIDSchema, TDynamicProviderFns } from "./models";
+
+const MSFT_GRAPH_API_URL = "https://graph.microsoft.com/v1.0/";
+const MSFT_LOGIN_URL = "https://login.microsoftonline.com";
+
+const generatePassword = () => {
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
+  return customAlphabet(charset, 64)();
+};
+
+type User = { name: string; id: string; email: string };
+
+export const AzureEntraIDProvider = (): TDynamicProviderFns & {
+  fetchAzureEntraIdUsers: (tenantId: string, applicationId: string, clientSecret: string) => Promise<User[]>;
+} => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await AzureEntraIDSchema.parseAsync(inputs);
+    return providerInputs;
+  };
+
+  const getToken = async (
+    tenantId: string,
+    applicationId: string,
+    clientSecret: string
+  ): Promise<{ token?: string; success: boolean }> => {
+    const response = await axios.post<{ access_token: string }>(
+      `${MSFT_LOGIN_URL}/${tenantId}/oauth2/v2.0/token`,
+      {
+        grant_type: "client_credentials",
+        client_id: applicationId,
+        client_secret: clientSecret,
+        scope: "https://graph.microsoft.com/.default"
+      },
+      {
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded"
+        }
+      }
+    );
+
+    if (response.status === 200) {
+      return { token: response.data.access_token, success: true };
+    }
+    return { success: false };
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const data = await getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+    return data.success;
+  };
+
+  const renew = async (inputs: unknown, entityId: string) => {
+    // Do nothing
+    return { entityId };
+  };
+
+  const create = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const data = await getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+    if (!data.success) {
+      throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
+    }
+
+    const password = generatePassword();
+
+    const response = await axios.patch(
+      `${MSFT_GRAPH_API_URL}/users/${providerInputs.userId}`,
+      {
+        passwordProfile: {
+          forceChangePasswordNextSignIn: false,
+          password
+        }
+      },
+      {
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${data.token}`
+        }
+      }
+    );
+    if (response.status !== 204) {
+      throw new BadRequestError({ message: "Failed to update password" });
+    }
+
+    return { entityId: providerInputs.userId, data: { email: providerInputs.email, password } };
+  };
+
+  const revoke = async (inputs: unknown, entityId: string) => {
+    // Creates a new password
+    await create(inputs);
+    return { entityId };
+  };
+
+  const fetchAzureEntraIdUsers = async (tenantId: string, applicationId: string, clientSecret: string) => {
+    const data = await getToken(tenantId, applicationId, clientSecret);
+    if (!data.success) {
+      throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
+    }
+
+    const response = await axios.get<{ value: [{ id: string; displayName: string; userPrincipalName: string }] }>(
+      `${MSFT_GRAPH_API_URL}/users`,
+      {
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+          Authorization: `Bearer ${data.token}`
+        }
+      }
+    );
+
+    if (response.status !== 200) {
+      throw new BadRequestError({ message: "Failed to fetch users" });
+    }
+
+    const users = response.data.value.map((user) => {
+      return {
+        name: user.displayName,
+        id: user.id,
+        email: user.userPrincipalName
+      };
+    });
+    return users;
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew,
+    fetchAzureEntraIdUsers
+  };
+};
--- a/backend/src/ee/services/dynamic-secret/providers/index.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/index.ts
@ -1,7 +1,9 @@
 import { AwsElastiCacheDatabaseProvider } from "./aws-elasticache";
 import { AwsIamProvider } from "./aws-iam";
+import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
 import { ElasticSearchProvider } from "./elastic-search";
+import { LdapProvider } from "./ldap";
 import { DynamicSecretProviders } from "./models";
 import { MongoAtlasProvider } from "./mongo-atlas";
 import { MongoDBProvider } from "./mongo-db";
@ -18,5 +20,7 @@ export const buildDynamicSecretProviders = () => ({
  [DynamicSecretProviders.MongoAtlas]: MongoAtlasProvider(),
  [DynamicSecretProviders.MongoDB]: MongoDBProvider(),
  [DynamicSecretProviders.ElasticSearch]: ElasticSearchProvider(),
-  [DynamicSecretProviders.RabbitMq]: RabbitMqProvider()
+  [DynamicSecretProviders.RabbitMq]: RabbitMqProvider(),
+  [DynamicSecretProviders.AzureEntraID]: AzureEntraIDProvider(),
+  [DynamicSecretProviders.Ldap]: LdapProvider()
 });
--- a/backend/src/ee/services/dynamic-secret/providers/ldap.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/ldap.ts
@ -0,0 +1,235 @@
+import handlebars from "handlebars";
+import ldapjs from "ldapjs";
+import ldif from "ldif";
+import { customAlphabet } from "nanoid";
+import { z } from "zod";
+
+import { BadRequestError } from "@app/lib/errors";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { LdapSchema, TDynamicProviderFns } from "./models";
+
+const generatePassword = () => {
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
+  return customAlphabet(charset, 64)();
+};
+
+const encodePassword = (password?: string) => {
+  const quotedPassword = `"${password}"`;
+  const utf16lePassword = Buffer.from(quotedPassword, "utf16le");
+  const base64Password = utf16lePassword.toString("base64");
+  return base64Password;
+};
+
+const generateUsername = () => {
+  return alphaNumericNanoId(20);
+};
+
+const generateLDIF = ({
+  username,
+  password,
+  ldifTemplate
+}: {
+  username: string;
+  password?: string;
+  ldifTemplate: string;
+}): string => {
+  const data = {
+    Username: username,
+    Password: password,
+    EncodedPassword: encodePassword(password)
+  };
+
+  const renderTemplate = handlebars.compile(ldifTemplate);
+  const renderedLdif = renderTemplate(data);
+
+  return renderedLdif;
+};
+
+export const LdapProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await LdapSchema.parseAsync(inputs);
+    return providerInputs;
+  };
+
+  const getClient = async (providerInputs: z.infer<typeof LdapSchema>): Promise<ldapjs.Client> => {
+    return new Promise((resolve, reject) => {
+      const client = ldapjs.createClient({
+        url: providerInputs.url,
+        tlsOptions: {
+          ca: providerInputs.ca ? providerInputs.ca : null,
+          rejectUnauthorized: !!providerInputs.ca
+        },
+        reconnect: true,
+        bindDN: providerInputs.binddn,
+        bindCredentials: providerInputs.bindpass
+      });
+
+      client.on("error", (err: Error) => {
+        client.unbind();
+        reject(new BadRequestError({ message: err.message }));
+      });
+
+      client.bind(providerInputs.binddn, providerInputs.bindpass, (err) => {
+        if (err) {
+          client.unbind();
+          reject(new BadRequestError({ message: err.message }));
+        } else {
+          resolve(client);
+        }
+      });
+    });
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const client = await getClient(providerInputs);
+    return client.connected;
+  };
+
+  const executeLdif = async (client: ldapjs.Client, ldif_file: string) => {
+    type TEntry = {
+      dn: string;
+      type: string;
+
+      changes: {
+        operation?: string;
+        attribute: {
+          attribute: string;
+        };
+        value: {
+          value: string;
+        };
+        values: {
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Untyped, can be any for ldapjs.Change.modification.values
+          value: any;
+        }[];
+      }[];
+    };
+
+    let parsedEntries: TEntry[];
+
+    try {
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+      parsedEntries = ldif.parse(ldif_file).entries as TEntry[];
+    } catch (err) {
+      throw new BadRequestError({
+        message: "Invalid LDIF format, refer to the documentation at Dynamic secrets > LDAP > LDIF Entries."
+      });
+    }
+
+    const dnArray: string[] = [];
+
+    for await (const entry of parsedEntries) {
+      const { dn } = entry;
+      let responseDn: string;
+
+      if (entry.type === "add") {
+        const attributes: Record<string, string | string[]> = {};
+
+        entry.changes.forEach((change) => {
+          const attrName = change.attribute.attribute;
+          const attrValue = change.value.value;
+
+          attributes[attrName] = Array.isArray(attrValue) ? attrValue : [attrValue];
+        });
+
+        responseDn = await new Promise((resolve, reject) => {
+          client.add(dn, attributes, (err) => {
+            if (err) {
+              reject(new BadRequestError({ message: err.message }));
+            } else {
+              resolve(dn);
+            }
+          });
+        });
+      } else if (entry.type === "modify") {
+        const changes: ldapjs.Change[] = [];
+
+        entry.changes.forEach((change) => {
+          changes.push(
+            new ldapjs.Change({
+              operation: change.operation || "replace",
+              modification: {
+                type: change.attribute.attribute,
+                // eslint-disable-next-line @typescript-eslint/no-unsafe-return
+                values: change.values.map((value) => value.value)
+              }
+            })
+          );
+        });
+
+        responseDn = await new Promise((resolve, reject) => {
+          client.modify(dn, changes, (err) => {
+            if (err) {
+              reject(new BadRequestError({ message: err.message }));
+            } else {
+              resolve(dn);
+            }
+          });
+        });
+      } else if (entry.type === "delete") {
+        responseDn = await new Promise((resolve, reject) => {
+          client.del(dn, (err) => {
+            if (err) {
+              reject(new BadRequestError({ message: err.message }));
+            } else {
+              resolve(dn);
+            }
+          });
+        });
+      } else {
+        client.unbind();
+        throw new BadRequestError({ message: `Unsupported operation type ${entry.type}` });
+      }
+
+      dnArray.push(responseDn);
+    }
+    client.unbind();
+    return dnArray;
+  };
+
+  const create = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const client = await getClient(providerInputs);
+
+    const username = generateUsername();
+    const password = generatePassword();
+    const generatedLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.creationLdif });
+
+    try {
+      const dnArray = await executeLdif(client, generatedLdif);
+
+      return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
+    } catch (err) {
+      if (providerInputs.rollbackLdif) {
+        const rollbackLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rollbackLdif });
+        await executeLdif(client, rollbackLdif);
+      }
+      throw new BadRequestError({ message: (err as Error).message });
+    }
+  };
+
+  const revoke = async (inputs: unknown, entityId: string) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const connection = await getClient(providerInputs);
+    const revocationLdif = generateLDIF({ username: entityId, ldifTemplate: providerInputs.revocationLdif });
+
+    await executeLdif(connection, revocationLdif);
+
+    return { entityId };
+  };
+
+  const renew = async (inputs: unknown, entityId: string) => {
+    // Do nothing
+    return { entityId };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};
--- a/backend/src/ee/services/dynamic-secret/providers/models.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/models.ts
@ -166,6 +166,25 @@ export const DynamicSecretMongoDBSchema = z.object({
    )
 });

+export const AzureEntraIDSchema = z.object({
+  tenantId: z.string().trim().min(1),
+  userId: z.string().trim().min(1),
+  email: z.string().trim().min(1),
+  applicationId: z.string().trim().min(1),
+  clientSecret: z.string().trim().min(1)
+});
+
+export const LdapSchema = z.object({
+  url: z.string().trim().min(1),
+  binddn: z.string().trim().min(1),
+  bindpass: z.string().trim().min(1),
+  ca: z.string().optional(),
+
+  creationLdif: z.string().min(1),
+  revocationLdif: z.string().min(1),
+  rollbackLdif: z.string().optional()
+});
+
 export enum DynamicSecretProviders {
  SqlDatabase = "sql-database",
  Cassandra = "cassandra",
@ -175,7 +194,9 @@ export enum DynamicSecretProviders {
  MongoAtlas = "mongo-db-atlas",
  ElasticSearch = "elastic-search",
  MongoDB = "mongo-db",
-  RabbitMq = "rabbit-mq"
+  RabbitMq = "rabbit-mq",
+  AzureEntraID = "azure-entra-id",
+  Ldap = "ldap"
 }

 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@ -187,7 +208,9 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
  z.object({ type: z.literal(DynamicSecretProviders.MongoAtlas), inputs: DynamicSecretMongoAtlasSchema }),
  z.object({ type: z.literal(DynamicSecretProviders.ElasticSearch), inputs: DynamicSecretElasticSearchSchema }),
  z.object({ type: z.literal(DynamicSecretProviders.MongoDB), inputs: DynamicSecretMongoDBSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.RabbitMq), inputs: DynamicSecretRabbitMqSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.RabbitMq), inputs: DynamicSecretRabbitMqSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.AzureEntraID), inputs: AzureEntraIDSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.Ldap), inputs: LdapSchema })
 ]);

 export type TDynamicProviderFns = {
--- a/backend/src/ee/services/external-kms/external-kms-dal.ts
+++ b/backend/src/ee/services/external-kms/external-kms-dal.ts
@ -30,7 +30,7 @@ export const externalKmsDALFactory = (db: TDbClient) => {
        isDisabled: el.isDisabled,
        isReserved: el.isReserved,
        orgId: el.orgId,
-        slug: el.slug,
+        name: el.name,
        createdAt: el.createdAt,
        updatedAt: el.updatedAt,
        externalKms: {
--- a/backend/src/ee/services/external-kms/external-kms-service.ts
+++ b/backend/src/ee/services/external-kms/external-kms-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";

-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@ -43,7 +43,7 @@ export const externalKmsServiceFactory = ({
    provider,
    description,
    actor,
-    slug,
+    name,
    actorId,
    actorOrgId,
    actorAuthMethod
@ -64,7 +64,7 @@ export const externalKmsServiceFactory = ({
      });
    }

-    const kmsSlug = slug ? slugify(slug) : slugify(alphaNumericNanoId(8).toLowerCase());
+    const kmsName = name ? slugify(name) : slugify(alphaNumericNanoId(8).toLowerCase());

    let sanitizedProviderInput = "";
    switch (provider.type) {
@ -96,7 +96,7 @@ export const externalKmsServiceFactory = ({
        {
          isReserved: false,
          description,
-          slug: kmsSlug,
+          name: kmsName,
          orgId: actorOrgId
        },
        tx
@ -120,7 +120,7 @@ export const externalKmsServiceFactory = ({
    description,
    actor,
    id: kmsId,
-    slug,
+    name,
    actorId,
    actorOrgId,
    actorAuthMethod
@ -142,10 +142,10 @@ export const externalKmsServiceFactory = ({
      });
    }

-    const kmsSlug = slug ? slugify(slug) : undefined;
+    const kmsName = name ? slugify(name) : undefined;

    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
-    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+    if (!externalKmsDoc) throw new NotFoundError({ message: `External KMS with ID '${kmsId}' not found` });

    let sanitizedProviderInput = "";
    const { encryptor: orgDataKeyEncryptor, decryptor: orgDataKeyDecryptor } =
@ -188,7 +188,7 @@ export const externalKmsServiceFactory = ({
        kmsDoc.id,
        {
          description,
-          slug: kmsSlug
+          name: kmsName
        },
        tx
      );
@ -220,7 +220,7 @@ export const externalKmsServiceFactory = ({
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Kms);

    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
-    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+    if (!externalKmsDoc) throw new NotFoundError({ message: `External KMS with ID '${kmsId}' not found` });

    const externalKms = await externalKmsDAL.transaction(async (tx) => {
      const kms = await kmsDAL.deleteById(kmsDoc.id, tx);
@ -258,7 +258,7 @@ export const externalKmsServiceFactory = ({
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Kms);

    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
-    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+    if (!externalKmsDoc) throw new NotFoundError({ message: `External KMS with ID '${kmsId}' not found` });

    const { decryptor: orgDataKeyDecryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.Organization,
@ -280,14 +280,14 @@ export const externalKmsServiceFactory = ({
    }
  };

-  const findBySlug = async ({
+  const findByName = async ({
    actor,
    actorId,
    actorOrgId,
    actorAuthMethod,
-    slug: kmsSlug
+    name: kmsName
  }: TGetExternalKmsBySlugDTO) => {
-    const kmsDoc = await kmsDAL.findOne({ slug: kmsSlug, orgId: actorOrgId });
+    const kmsDoc = await kmsDAL.findOne({ name: kmsName, orgId: actorOrgId });
    const { permission } = await permissionService.getOrgPermission(
      actor,
      actorId,
@ -298,7 +298,7 @@ export const externalKmsServiceFactory = ({
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Kms);

    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
-    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+    if (!externalKmsDoc) throw new NotFoundError({ message: `External KMS with ID '${kmsDoc.id}' not found` });

    const { decryptor: orgDataKeyDecryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.Organization,
@ -327,6 +327,6 @@ export const externalKmsServiceFactory = ({
    deleteById,
    list,
    findById,
-    findBySlug
+    findByName
  };
 };
--- a/backend/src/ee/services/external-kms/external-kms-types.ts
+++ b/backend/src/ee/services/external-kms/external-kms-types.ts
@ -3,14 +3,14 @@ import { TOrgPermission } from "@app/lib/types";
 import { TExternalKmsInputSchema, TExternalKmsInputUpdateSchema } from "./providers/model";

 export type TCreateExternalKmsDTO = {
-  slug?: string;
+  name?: string;
  description?: string;
  provider: TExternalKmsInputSchema;
 } & Omit<TOrgPermission, "orgId">;

 export type TUpdateExternalKmsDTO = {
  id: string;
-  slug?: string;
+  name?: string;
  description?: string;
  provider?: TExternalKmsInputUpdateSchema;
 } & Omit<TOrgPermission, "orgId">;
@ -26,5 +26,5 @@ export type TGetExternalKmsByIdDTO = {
 } & Omit<TOrgPermission, "orgId">;

 export type TGetExternalKmsBySlugDTO = {
-  slug: string;
+  name: string;
 } & Omit<TOrgPermission, "orgId">;
--- a/backend/src/ee/services/group/group-dal.ts
+++ b/backend/src/ee/services/group/group-dal.ts
@ -60,21 +60,23 @@ export const groupDALFactory = (db: TDbClient) => {
  };

  // special query
-  const findAllGroupMembers = async ({
+  const findAllGroupPossibleMembers = async ({
    orgId,
    groupId,
    offset = 0,
    limit,
-    username
+    username, // depreciated in favor of search
+    search
  }: {
    orgId: string;
    groupId: string;
    offset?: number;
    limit?: number;
    username?: string;
+    search?: string;
  }) => {
    try {
-      let query = db
+      const query = db
        .replicaNode()(TableName.OrgMembership)
        .where(`${TableName.OrgMembership}.orgId`, orgId)
        .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
@ -92,31 +94,39 @@ export const groupDALFactory = (db: TDbClient) => {
          db.ref("username").withSchema(TableName.Users),
          db.ref("firstName").withSchema(TableName.Users),
          db.ref("lastName").withSchema(TableName.Users),
-          db.ref("id").withSchema(TableName.Users).as("userId")
+          db.ref("id").withSchema(TableName.Users).as("userId"),
+          db.raw(`count(*) OVER() as total_count`)
        )
        .where({ isGhost: false })
-        .offset(offset);
+        .offset(offset)
+        .orderBy("firstName", "asc");

      if (limit) {
-        query = query.limit(limit);
+        void query.limit(limit);
      }

-      if (username) {
-        query = query.andWhere(`${TableName.Users}.username`, "ilike", `%${username}%`);
+      if (search) {
+        void query.andWhereRaw(`CONCAT_WS(' ', "firstName", "lastName", "username") ilike '%${search}%'`);
+      } else if (username) {
+        void query.andWhere(`${TableName.Users}.username`, "ilike", `%${username}%`);
      }

      const members = await query;

-      return members.map(
-        ({ email, username: memberUsername, firstName, lastName, userId, groupId: memberGroupId }) => ({
-          id: userId,
-          email,
-          username: memberUsername,
-          firstName,
-          lastName,
-          isPartOfGroup: !!memberGroupId
-        })
-      );
+      return {
+        members: members.map(
+          ({ email, username: memberUsername, firstName, lastName, userId, groupId: memberGroupId }) => ({
+            id: userId,
+            email,
+            username: memberUsername,
+            firstName,
+            lastName,
+            isPartOfGroup: !!memberGroupId
+          })
+        ),
+        // @ts-expect-error col select is raw and not strongly typed
+        totalCount: Number(members?.[0]?.total_count ?? 0)
+      };
    } catch (error) {
      throw new DatabaseError({ error, name: "Find all org members" });
    }
@ -125,7 +135,7 @@ export const groupDALFactory = (db: TDbClient) => {
  return {
    findGroups,
    findByOrgId,
-    findAllGroupMembers,
+    findAllGroupPossibleMembers,
    ...groupOrm
  };
 };
--- a/backend/src/ee/services/group/group-fns.ts
+++ b/backend/src/ee/services/group/group-fns.ts
@ -2,7 +2,7 @@ import { Knex } from "knex";

 import { SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
 import { decryptAsymmetric, encryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { BadRequestError, ScimRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, ScimRequestError } from "@app/lib/errors";

 import {
  TAddUsersToGroup,
@ -73,24 +73,24 @@ const addAcceptedUsersToGroup = async ({
      const ghostUser = await projectDAL.findProjectGhostUser(projectId, tx);

      if (!ghostUser) {
-        throw new BadRequestError({
-          message: "Failed to find sudo user"
+        throw new NotFoundError({
+          message: `Failed to find project owner of project with ID '${projectId}'`
        });
      }

      const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, projectId, tx);

      if (!ghostUserLatestKey) {
-        throw new BadRequestError({
-          message: "Failed to find sudo user latest key"
+        throw new NotFoundError({
+          message: `Failed to find project owner's latest key in project with ID '${projectId}'`
        });
      }

      const bot = await projectBotDAL.findOne({ projectId }, tx);

      if (!bot) {
-        throw new BadRequestError({
-          message: "Failed to find bot"
+        throw new NotFoundError({
+          message: `Failed to find project bot in project with ID '${projectId}'`
        });
      }

@ -200,7 +200,7 @@ export const addUsersToGroupByUserIds = async ({

    userIds.forEach((userId) => {
      if (!existingUserOrgMembershipsUserIdsSet.has(userId))
-        throw new BadRequestError({
+        throw new ForbiddenRequestError({
          message: `User with id ${userId} is not part of the organization`
        });
    });
@ -303,7 +303,7 @@ export const removeUsersFromGroupByUserIds = async ({

    userIds.forEach((userId) => {
      if (!existingUserGroupMembershipsUserIdsSet.has(userId))
-        throw new BadRequestError({
+        throw new ForbiddenRequestError({
          message: `User(s) are not part of the group ${group.slug}`
        });
    });
@ -415,7 +415,7 @@ export const convertPendingGroupAdditionsToGroupMemberships = async ({
    const usersUserIdsSet = new Set(users.map((u) => u.id));
    userIds.forEach((userId) => {
      if (!usersUserIdsSet.has(userId)) {
-        throw new BadRequestError({
+        throw new NotFoundError({
          message: `Failed to find user with id ${userId}`
        });
      }
--- a/backend/src/ee/services/group/group-service.ts
+++ b/backend/src/ee/services/group/group-service.ts
@ -3,7 +3,7 @@ import slugify from "@sindresorhus/slugify";

 import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
-import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@ -21,6 +21,7 @@ import {
  TAddUserToGroupDTO,
  TCreateGroupDTO,
  TDeleteGroupDTO,
+  TGetGroupByIdDTO,
  TListGroupUsersDTO,
  TRemoveUserFromGroupDTO,
  TUpdateGroupDTO
@ -29,7 +30,10 @@ import { TUserGroupMembershipDALFactory } from "./user-group-membership-dal";

 type TGroupServiceFactoryDep = {
  userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction" | "findOne">;
-  groupDAL: Pick<TGroupDALFactory, "create" | "findOne" | "update" | "delete" | "findAllGroupMembers">;
+  groupDAL: Pick<
+    TGroupDALFactory,
+    "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById"
+  >;
  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
  orgDAL: Pick<TOrgDALFactory, "findMembership" | "countAllOrgMembers">;
  userGroupMembershipDAL: Pick<
@ -58,7 +62,7 @@ export const groupServiceFactory = ({
  licenseService
 }: TGroupServiceFactoryDep) => {
  const createGroup = async ({ name, slug, role, actor, actorId, actorAuthMethod, actorOrgId }: TCreateGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });

    const { permission } = await permissionService.getOrgPermission(
      actor,
@ -81,7 +85,8 @@ export const groupServiceFactory = ({
    );
    const isCustomRole = Boolean(customRole);
    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, rolePermission);
-    if (!hasRequiredPriviledges) throw new BadRequestError({ message: "Failed to create a more privileged group" });
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });

    const group = await groupDAL.create({
      name,
@ -95,7 +100,7 @@ export const groupServiceFactory = ({
  };

  const updateGroup = async ({
-    currentSlug,
+    id,
    name,
    slug,
    role,
@ -104,7 +109,7 @@ export const groupServiceFactory = ({
    actorAuthMethod,
    actorOrgId
  }: TUpdateGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });

    const { permission } = await permissionService.getOrgPermission(
      actor,
@ -121,8 +126,10 @@ export const groupServiceFactory = ({
        message: "Failed to update group due to plan restrictio Upgrade plan to update group."
      });

-    const group = await groupDAL.findOne({ orgId: actorOrgId, slug: currentSlug });
-    if (!group) throw new BadRequestError({ message: `Failed to find group with slug ${currentSlug}` });
+    const group = await groupDAL.findOne({ orgId: actorOrgId, id });
+    if (!group) {
+      throw new NotFoundError({ message: `Failed to find group with ID ${id}` });
+    }

    let customRole: TOrgRoles | undefined;
    if (role) {
@ -134,14 +141,13 @@ export const groupServiceFactory = ({
      const isCustomRole = Boolean(customOrgRole);
      const hasRequiredNewRolePermission = isAtLeastAsPrivileged(permission, rolePermission);
      if (!hasRequiredNewRolePermission)
-        throw new BadRequestError({ message: "Failed to create a more privileged group" });
+        throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });
      if (isCustomRole) customRole = customOrgRole;
    }

    const [updatedGroup] = await groupDAL.update(
      {
-        orgId: actorOrgId,
-        slug: currentSlug
+        id: group.id
      },
      {
        name,
@ -158,8 +164,8 @@ export const groupServiceFactory = ({
    return updatedGroup;
  };

-  const deleteGroup = async ({ groupSlug, actor, actorId, actorAuthMethod, actorOrgId }: TDeleteGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+  const deleteGroup = async ({ id, actor, actorId, actorAuthMethod, actorOrgId }: TDeleteGroupDTO) => {
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });

    const { permission } = await permissionService.getOrgPermission(
      actor,
@ -178,24 +184,47 @@ export const groupServiceFactory = ({
      });

    const [group] = await groupDAL.delete({
-      orgId: actorOrgId,
-      slug: groupSlug
+      id,
+      orgId: actorOrgId
    });

    return group;
  };

+  const getGroupById = async ({ id, actor, actorId, actorAuthMethod, actorOrgId }: TGetGroupByIdDTO) => {
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Groups);
+
+    const group = await groupDAL.findById(id);
+    if (!group) {
+      throw new NotFoundError({
+        message: `Cannot find group with ID ${id}`
+      });
+    }
+
+    return group;
+  };
+
  const listGroupUsers = async ({
-    groupSlug,
+    id,
    offset,
    limit,
    username,
    actor,
    actorId,
    actorAuthMethod,
-    actorOrgId
+    actorOrgId,
+    search
  }: TListGroupUsersDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });

    const { permission } = await permissionService.getOrgPermission(
      actor,
@ -208,36 +237,28 @@ export const groupServiceFactory = ({

    const group = await groupDAL.findOne({
      orgId: actorOrgId,
-      slug: groupSlug
+      id
    });

    if (!group)
-      throw new BadRequestError({
-        message: `Failed to find group with slug ${groupSlug}`
+      throw new NotFoundError({
+        message: `Failed to find group with ID ${id}`
      });

-    const users = await groupDAL.findAllGroupMembers({
+    const { members, totalCount } = await groupDAL.findAllGroupPossibleMembers({
      orgId: group.orgId,
      groupId: group.id,
      offset,
      limit,
-      username
+      username,
+      search
    });

-    const count = await orgDAL.countAllOrgMembers(group.orgId);
-
-    return { users, totalCount: count };
+    return { users: members, totalCount };
  };

-  const addUserToGroup = async ({
-    groupSlug,
-    username,
-    actor,
-    actorId,
-    actorAuthMethod,
-    actorOrgId
-  }: TAddUserToGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+  const addUserToGroup = async ({ id, username, actor, actorId, actorAuthMethod, actorOrgId }: TAddUserToGroupDTO) => {
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });

    const { permission } = await permissionService.getOrgPermission(
      actor,
@ -251,12 +272,12 @@ export const groupServiceFactory = ({
    // check if group with slug exists
    const group = await groupDAL.findOne({
      orgId: actorOrgId,
-      slug: groupSlug
+      id
    });

    if (!group)
-      throw new BadRequestError({
-        message: `Failed to find group with slug ${groupSlug}`
+      throw new NotFoundError({
+        message: `Failed to find group with ID ${id}`
      });

    const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
@ -267,7 +288,7 @@ export const groupServiceFactory = ({
      throw new ForbiddenRequestError({ message: "Failed to add user to more privileged group" });

    const user = await userDAL.findOne({ username });
-    if (!user) throw new BadRequestError({ message: `Failed to find user with username ${username}` });
+    if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });

    const users = await addUsersToGroupByUserIds({
      group,
@ -285,14 +306,14 @@ export const groupServiceFactory = ({
  };

  const removeUserFromGroup = async ({
-    groupSlug,
+    id,
    username,
    actor,
    actorId,
    actorAuthMethod,
    actorOrgId
  }: TRemoveUserFromGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });

    const { permission } = await permissionService.getOrgPermission(
      actor,
@ -306,12 +327,12 @@ export const groupServiceFactory = ({
    // check if group with slug exists
    const group = await groupDAL.findOne({
      orgId: actorOrgId,
-      slug: groupSlug
+      id
    });

    if (!group)
-      throw new BadRequestError({
-        message: `Failed to find group with slug ${groupSlug}`
+      throw new NotFoundError({
+        message: `Failed to find group with ID ${id}`
      });

    const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
@ -322,7 +343,7 @@ export const groupServiceFactory = ({
      throw new ForbiddenRequestError({ message: "Failed to delete user from more privileged group" });

    const user = await userDAL.findOne({ username });
-    if (!user) throw new BadRequestError({ message: `Failed to find user with username ${username}` });
+    if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });

    const users = await removeUsersFromGroupByUserIds({
      group,
@ -342,6 +363,7 @@ export const groupServiceFactory = ({
    deleteGroup,
    listGroupUsers,
    addUserToGroup,
-    removeUserFromGroup
+    removeUserFromGroup,
+    getGroupById
  };
 };
--- a/backend/src/ee/services/group/group-types.ts
+++ b/backend/src/ee/services/group/group-types.ts
@ -17,7 +17,7 @@ export type TCreateGroupDTO = {
 } & TGenericPermission;

 export type TUpdateGroupDTO = {
-  currentSlug: string;
+  id: string;
 } & Partial<{
  name: string;
  slug: string;
@ -26,23 +26,28 @@ export type TUpdateGroupDTO = {
  TGenericPermission;

 export type TDeleteGroupDTO = {
-  groupSlug: string;
+  id: string;
+} & TGenericPermission;
+
+export type TGetGroupByIdDTO = {
+  id: string;
 } & TGenericPermission;

 export type TListGroupUsersDTO = {
-  groupSlug: string;
+  id: string;
  offset: number;
  limit: number;
  username?: string;
+  search?: string;
 } & TGenericPermission;

 export type TAddUserToGroupDTO = {
-  groupSlug: string;
+  id: string;
  username: string;
 } & TGenericPermission;

 export type TRemoveUserFromGroupDTO = {
-  groupSlug: string;
+  id: string;
  username: string;
 } & TGenericPermission;

--- a/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-dal.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-dal.ts
@ -0,0 +1,12 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityProjectAdditionalPrivilegeV2DALFactory = ReturnType<
+  typeof identityProjectAdditionalPrivilegeV2DALFactory
+>;
+
+export const identityProjectAdditionalPrivilegeV2DALFactory = (db: TDbClient) => {
+  const orm = ormify(db, TableName.IdentityProjectAdditionalPrivilege);
+  return orm;
+};
--- a/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts
@ -0,0 +1,343 @@
+import { ForbiddenError } from "@casl/ability";
+import { packRules } from "@casl/ability/extra";
+import ms from "ms";
+
+import { TableName } from "@app/db/schemas";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { unpackPermissions } from "@app/server/routes/santizedSchemas/permission";
+import { ActorType } from "@app/services/auth/auth-type";
+import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
+
+import { TPermissionServiceFactory } from "../permission/permission-service";
+import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
+import { TIdentityProjectAdditionalPrivilegeV2DALFactory } from "./identity-project-additional-privilege-v2-dal";
+import {
+  IdentityProjectAdditionalPrivilegeTemporaryMode,
+  TCreateIdentityPrivilegeDTO,
+  TDeleteIdentityPrivilegeByIdDTO,
+  TGetIdentityPrivilegeDetailsByIdDTO,
+  TGetIdentityPrivilegeDetailsBySlugDTO,
+  TListIdentityPrivilegesDTO,
+  TUpdateIdentityPrivilegeByIdDTO
+} from "./identity-project-additional-privilege-v2-types";
+
+type TIdentityProjectAdditionalPrivilegeV2ServiceFactoryDep = {
+  identityProjectAdditionalPrivilegeDAL: TIdentityProjectAdditionalPrivilegeV2DALFactory;
+  identityProjectDAL: Pick<TIdentityProjectDALFactory, "findOne" | "findById">;
+  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+};
+
+export type TIdentityProjectAdditionalPrivilegeV2ServiceFactory = ReturnType<
+  typeof identityProjectAdditionalPrivilegeV2ServiceFactory
+>;
+
+export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
+  identityProjectAdditionalPrivilegeDAL,
+  identityProjectDAL,
+  projectDAL,
+  permissionService
+}: TIdentityProjectAdditionalPrivilegeV2ServiceFactoryDep) => {
+  const create = async ({
+    slug,
+    actor,
+    actorId,
+    projectId,
+    actorOrgId,
+    identityId,
+    permissions: customPermission,
+    actorAuthMethod,
+    ...dto
+  }: TCreateIdentityPrivilegeDTO) => {
+    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
+    if (!identityProjectMembership)
+      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      identityProjectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityId,
+      identityProjectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    // we need to validate that the privilege given is not higher than the assigning users permission
+    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
+    targetIdentityPermission.update(targetIdentityPermission.rules.concat(customPermission));
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetIdentityPermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
+
+    const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
+      slug,
+      projectMembershipId: identityProjectMembership.id
+    });
+    if (existingSlug) throw new BadRequestError({ message: "Additional privilege with provided slug already exists" });
+
+    const packedPermission = JSON.stringify(packRules(customPermission));
+    if (!dto.isTemporary) {
+      const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.create({
+        projectMembershipId: identityProjectMembership.id,
+        slug,
+        permissions: packedPermission
+      });
+
+      return {
+        ...additionalPrivilege,
+        permissions: unpackPermissions(additionalPrivilege.permissions)
+      };
+    }
+
+    const relativeTempAllocatedTimeInMs = ms(dto.temporaryRange);
+    const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.create({
+      projectMembershipId: identityProjectMembership.id,
+      slug,
+      permissions: packedPermission,
+      isTemporary: true,
+      temporaryMode: IdentityProjectAdditionalPrivilegeTemporaryMode.Relative,
+      temporaryRange: dto.temporaryRange,
+      temporaryAccessStartTime: new Date(dto.temporaryAccessStartTime),
+      temporaryAccessEndTime: new Date(new Date(dto.temporaryAccessStartTime).getTime() + relativeTempAllocatedTimeInMs)
+    });
+    return {
+      ...additionalPrivilege,
+      permissions: unpackPermissions(additionalPrivilege.permissions)
+    };
+  };
+
+  const updateById = async ({
+    id,
+    data,
+    actorOrgId,
+    actor,
+    actorId,
+    actorAuthMethod
+  }: TUpdateIdentityPrivilegeByIdDTO) => {
+    const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findById(id);
+    if (!identityPrivilege) throw new NotFoundError({ message: `Identity privilege with ${id} not found` });
+
+    const identityProjectMembership = await identityProjectDAL.findOne({ id: identityPrivilege.projectMembershipId });
+    if (!identityProjectMembership)
+      throw new NotFoundError({
+        message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
+      });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      identityProjectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    // we need to validate that the privilege given is not higher than the assigning users permission
+    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
+    targetIdentityPermission.update(targetIdentityPermission.rules.concat(data.permissions || []));
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetIdentityPermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
+
+    if (data?.slug) {
+      const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
+        slug: data.slug,
+        projectMembershipId: identityProjectMembership.id
+      });
+      if (existingSlug && existingSlug.id !== identityPrivilege.id)
+        throw new BadRequestError({ message: "Additional privilege with provided slug already exists" });
+    }
+
+    const isTemporary = typeof data?.isTemporary !== "undefined" ? data.isTemporary : identityPrivilege.isTemporary;
+    const packedPermission = data.permissions ? JSON.stringify(packRules(data.permissions)) : undefined;
+    if (isTemporary) {
+      const temporaryAccessStartTime = data?.temporaryAccessStartTime || identityPrivilege?.temporaryAccessStartTime;
+      const temporaryRange = data?.temporaryRange || identityPrivilege?.temporaryRange;
+      const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.updateById(identityPrivilege.id, {
+        slug: data.slug,
+        permissions: packedPermission,
+        isTemporary: data.isTemporary,
+        temporaryRange: data.temporaryRange,
+        temporaryMode: data.temporaryMode,
+        temporaryAccessStartTime: new Date(temporaryAccessStartTime || ""),
+        temporaryAccessEndTime: new Date(new Date(temporaryAccessStartTime || "").getTime() + ms(temporaryRange || ""))
+      });
+      return {
+        ...additionalPrivilege,
+        permissions: unpackPermissions(additionalPrivilege.permissions)
+      };
+    }
+
+    const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.updateById(identityPrivilege.id, {
+      slug: data.slug,
+      permissions: packedPermission,
+      isTemporary: false,
+      temporaryAccessStartTime: null,
+      temporaryAccessEndTime: null,
+      temporaryRange: null,
+      temporaryMode: null
+    });
+    return {
+      ...additionalPrivilege,
+      permissions: unpackPermissions(additionalPrivilege.permissions)
+    };
+  };
+
+  const deleteById = async ({ actorId, id, actor, actorOrgId, actorAuthMethod }: TDeleteIdentityPrivilegeByIdDTO) => {
+    const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findById(id);
+    if (!identityPrivilege) throw new NotFoundError({ message: `Identity privilege with ${id} not found` });
+
+    const identityProjectMembership = await identityProjectDAL.findOne({ id: identityPrivilege.projectMembershipId });
+    if (!identityProjectMembership)
+      throw new NotFoundError({
+        message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
+      });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      identityProjectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Identity);
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
+
+    const deletedPrivilege = await identityProjectAdditionalPrivilegeDAL.deleteById(identityPrivilege.id);
+    return {
+      ...deletedPrivilege,
+      permissions: unpackPermissions(deletedPrivilege.permissions)
+    };
+  };
+
+  const getPrivilegeDetailsById = async ({
+    id,
+    actorOrgId,
+    actor,
+    actorId,
+    actorAuthMethod
+  }: TGetIdentityPrivilegeDetailsByIdDTO) => {
+    const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findById(id);
+    if (!identityPrivilege) throw new NotFoundError({ message: `Identity privilege with ${id} not found` });
+
+    const identityProjectMembership = await identityProjectDAL.findOne({ id: identityPrivilege.projectMembershipId });
+    if (!identityProjectMembership)
+      throw new NotFoundError({
+        message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
+      });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      identityProjectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);
+
+    return {
+      ...identityPrivilege,
+      permissions: unpackPermissions(identityPrivilege.permissions)
+    };
+  };
+
+  const getPrivilegeDetailsBySlug = async ({
+    identityId,
+    slug,
+    projectSlug,
+    actorOrgId,
+    actor,
+    actorId,
+    actorAuthMethod
+  }: TGetIdentityPrivilegeDetailsBySlugDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new NotFoundError({ message: `Project with slug ${slug} not found` });
+    const projectId = project.id;
+
+    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
+    if (!identityProjectMembership)
+      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      identityProjectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);
+
+    const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findOne({
+      slug,
+      projectMembershipId: identityProjectMembership.id
+    });
+    if (!identityPrivilege) throw new NotFoundError({ message: "Identity additional privilege not found" });
+
+    return {
+      ...identityPrivilege,
+      permissions: unpackPermissions(identityPrivilege.permissions)
+    };
+  };
+
+  const listIdentityProjectPrivileges = async ({
+    identityId,
+    actorOrgId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    projectId
+  }: TListIdentityPrivilegesDTO) => {
+    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
+    if (!identityProjectMembership)
+      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      identityProjectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
+
+    const identityPrivileges = await identityProjectAdditionalPrivilegeDAL.find(
+      {
+        projectMembershipId: identityProjectMembership.id
+      },
+      { sort: [[`${TableName.IdentityProjectAdditionalPrivilege}.slug` as "slug", "asc"]] }
+    );
+    return identityPrivileges;
+  };
+
+  return {
+    getPrivilegeDetailsById,
+    getPrivilegeDetailsBySlug,
+    listIdentityProjectPrivileges,
+    create,
+    updateById,
+    deleteById
+  };
+};
--- a/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-types.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-types.ts
@ -0,0 +1,55 @@
+import { TProjectPermission } from "@app/lib/types";
+
+import { TProjectPermissionV2Schema } from "../permission/project-permission";
+
+export enum IdentityProjectAdditionalPrivilegeTemporaryMode {
+  Relative = "relative"
+}
+
+export type TCreateIdentityPrivilegeDTO = {
+  permissions: TProjectPermissionV2Schema[];
+  identityId: string;
+  projectId: string;
+  slug: string;
+} & (
+  | {
+      isTemporary: false;
+    }
+  | {
+      isTemporary: true;
+      temporaryMode: IdentityProjectAdditionalPrivilegeTemporaryMode.Relative;
+      temporaryRange: string;
+      temporaryAccessStartTime: string;
+    }
+) &
+  Omit<TProjectPermission, "projectId">;
+
+export type TUpdateIdentityPrivilegeByIdDTO = { id: string } & Omit<TProjectPermission, "projectId"> & {
+    data: Partial<{
+      permissions: TProjectPermissionV2Schema[];
+      slug: string;
+      isTemporary: boolean;
+      temporaryMode: IdentityProjectAdditionalPrivilegeTemporaryMode.Relative;
+      temporaryRange: string;
+      temporaryAccessStartTime: string;
+    }>;
+  };
+
+export type TDeleteIdentityPrivilegeByIdDTO = Omit<TProjectPermission, "projectId"> & {
+  id: string;
+};
+
+export type TGetIdentityPrivilegeDetailsByIdDTO = Omit<TProjectPermission, "projectId"> & {
+  id: string;
+};
+
+export type TListIdentityPrivilegesDTO = Omit<TProjectPermission, "projectId"> & {
+  identityId: string;
+  projectId: string;
+};
+
+export type TGetIdentityPrivilegeDetailsBySlugDTO = Omit<TProjectPermission, "projectId"> & {
+  slug: string;
+  identityId: string;
+  projectSlug: string;
+};
--- a/Show More
+++ b/Show More