feat: idp attributes mapping

* fix(apikey): batch last seen sql update for api-key middleware

* fix(apikey): remove debug statement

* fix(apikey): remove debug statement

.github/CODEOWNERS

@@ -2,7 +2,7 @@
 # Owners are automatically requested for review for PRs that changes code
 # that they own.
 
-/frontend/ @YounixM @aks07
+/frontend/ @SigNoz/frontend-maintainers
 
 # Onboarding
 /frontend/src/container/OnboardingV2Container/onboarding-configs/onboarding-config-with-links.json @makeavish

.github/workflows/integrationci.yaml

@@ -9,6 +9,29 @@ on:
       - labeled
 
 jobs:
+  fmtlint:
+    if: |
+      ((github.event_name == 'pull_request' && ! github.event.pull_request.head.repo.fork && github.event.pull_request.user.login != 'dependabot[bot]' && ! contains(github.event.pull_request.labels.*.name, 'safe-to-test')) ||
+      (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'safe-to-test'))) && contains(github.event.pull_request.labels.*.name, 'safe-to-integrate')
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.13
+      - name: poetry
+        run: |
+          python -m pip install poetry==2.1.2
+          python -m poetry config virtualenvs.in-project true
+          cd tests/integration && poetry install --no-root
+      - name: fmt
+        run: |
+          make py-fmt
+      - name: lint
+        run: |
+          make py-lint
   test:
     strategy:
       fail-fast: false
@@ -21,6 +44,7 @@ jobs:
           - dashboard
           - querier
           - ttl
+          - preference
         sqlstore-provider:
           - postgres
           - sqlite

cmd/enterprise/Dockerfile.integration

@@ -1,11 +1,3 @@
-FROM node:18-bullseye AS build
-
-WORKDIR /opt/
-COPY ./frontend/ ./
-ENV NODE_OPTIONS=--max-old-space-size=8192
-RUN CI=1 yarn install
-RUN CI=1 yarn build
-
 FROM golang:1.24-bullseye
 
 ARG OS="linux"
@@ -40,8 +32,6 @@ COPY Makefile Makefile
 RUN TARGET_DIR=/root ARCHS=${TARGETARCH} ZEUS_URL=${ZEUSURL} LICENSE_URL=${ZEUSURL}/api/v1 make go-build-enterprise-race
 RUN mv /root/linux-${TARGETARCH}/signoz /root/signoz
 
-COPY --from=build /opt/build ./web/
-
 RUN chmod 755 /root /root/signoz
 
 ENTRYPOINT ["/root/signoz", "server"]

cmd/enterprise/Dockerfile.with-web.integration

@@ -0,0 +1,47 @@
+FROM node:18-bullseye AS build
+
+WORKDIR /opt/
+COPY ./frontend/ ./
+ENV NODE_OPTIONS=--max-old-space-size=8192
+RUN CI=1 yarn install
+RUN CI=1 yarn build
+
+FROM golang:1.24-bullseye
+
+ARG OS="linux"
+ARG TARGETARCH
+ARG ZEUSURL
+
+# This path is important for stacktraces
+WORKDIR $GOPATH/src/github.com/signoz/signoz
+WORKDIR /root
+
+RUN set -eux; \
+	apt-get update; \
+	apt-get install -y --no-install-recommends \
+		g++ \
+		gcc \
+		libc6-dev \
+		make \
+		pkg-config \
+	; \
+	rm -rf /var/lib/apt/lists/*
+
+COPY go.mod go.sum ./
+
+RUN go mod download
+
+COPY ./cmd/ ./cmd/
+COPY ./ee/ ./ee/
+COPY ./pkg/ ./pkg/
+COPY ./templates/email /root/templates
+
+COPY Makefile Makefile
+RUN TARGET_DIR=/root ARCHS=${TARGETARCH} ZEUS_URL=${ZEUSURL} LICENSE_URL=${ZEUSURL}/api/v1 make go-build-enterprise-race
+RUN mv /root/linux-${TARGETARCH}/signoz /root/signoz
+
+COPY --from=build /opt/build ./web/
+
+RUN chmod 755 /root /root/signoz
+
+ENTRYPOINT ["/root/signoz", "server"]

conf/example.yaml

@@ -3,6 +3,13 @@
 # Do not modify this file
 #
 
+##################### Global #####################
+global:
+  # the url under which the signoz apiserver is externally reachable.
+  external_url: <unset>
+  # the url where the SigNoz backend receives telemetry data (traces, metrics, logs) from instrumented applications.
+  ingestion_url: <unset>
+
 ##################### Version #####################
 version:
   banner:

docs/api/openapi.yml

@@ -473,6 +473,49 @@ paths:
       summary: Get reset password token
       tags:
       - users
+  /api/v1/global/config:
+    get:
+      deprecated: false
+      description: This endpoints returns global config
+      operationId: GetGlobalConfig
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/TypesGettableGlobalConfig'
+                  status:
+                    type: string
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - EDITOR
+      - tokenizer:
+        - EDITOR
+      summary: Get global config
+      tags:
+      - global
   /api/v1/invite:
     get:
       deprecated: false
@@ -2145,6 +2188,13 @@ components:
         userId:
           type: string
       type: object
+    TypesGettableGlobalConfig:
+      properties:
+        external_url:
+          type: string
+        ingestion_url:
+          type: string
+      type: object
     TypesInvite:
       properties:
         createdAt:

docs/contributing/go/handler.md

@@ -0,0 +1,179 @@
+# Handler
+
+Handlers in SigNoz are responsible for exposing module functionality over HTTP. They are thin adapters that:
+
+- Decode incoming HTTP requests
+- Call the appropriate module layer
+- Return structured responses (or errors) in a consistent format
+- Describe themselves for OpenAPI generation
+
+They are **not** the place for complex business logic; that belongs in modules (for example, `pkg/modules/user`, `pkg/modules/session`, etc).
+
+## How are handlers structured?
+
+At a high level, a typical flow looks like this:
+
+1. A `Handler` interface is defined in the module (for example, `user.Handler`, `session.Handler`, `organization.Handler`).
+2. The `apiserver` provider wires those handlers into HTTP routes using Gorilla `mux.Router`.
+
+Each route wraps a module handler method with the following:
+- Authorization middleware (from `pkg/http/middleware`)
+- A generic HTTP `handler.Handler` (from `pkg/http/handler`)
+- An `OpenAPIDef` that describes the operation for OpenAPI generation
+
+For example, in `pkg/apiserver/signozapiserver`:
+
+```go
+if err := router.Handle("/api/v1/invite", handler.New(
+    provider.authZ.AdminAccess(provider.userHandler.CreateInvite),
+    handler.OpenAPIDef{
+        ID:                  "CreateInvite",
+        Tags:                []string{"users"},
+        Summary:             "Create invite",
+        Description:         "This endpoint creates an invite for a user",
+        Request:             new(types.PostableInvite),
+        RequestContentType:  "application/json",
+        Response:            new(types.Invite),
+        ResponseContentType: "application/json",
+        SuccessStatusCode:   http.StatusCreated,
+        ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
+        Deprecated:          false,
+        SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+    },
+)).Methods(http.MethodPost).GetError(); err != nil {
+    return err
+}
+```
+
+In this pattern:
+
+- `provider.userHandler.CreateInvite` is a handler method.
+- `provider.authZ.AdminAccess(...)` wraps that method with authorization checks and context setup.
+- `handler.New` converts it into an HTTP handler and wires it to OpenAPI via the `OpenAPIDef`.
+
+## How to write a new handler method?
+
+When adding a new endpoint:
+
+1. Add a method to the appropriate module `Handler` interface.
+2. Implement that method in the module.
+3. Register the method in `signozapiserver` with the correct route, HTTP method, auth, and `OpenAPIDef`.
+
+### 1. Extend an existing `Handler` interface or create a new one
+
+Find the module in `pkg/modules/<name>` and extend its `Handler` interface with a new method that receives an `http.ResponseWriter` and `*http.Request`. For example:
+
+```go
+type Handler interface {
+    // existing methods...
+    CreateThing(rw http.ResponseWriter, req *http.Request)
+}
+```
+
+Keep the method focused on HTTP concerns and delegate business logic to the module.
+
+### 2. Implement the handler method
+
+In the module implementation, implement the new method. A typical implementation:
+
+- Extracts authentication and organization context from `req.Context()`
+- Decodes the request body into a `types.*` struct using the `binding` package
+- Calls module functions
+- Uses the `render` package to write responses or errors
+
+```go
+func (h *handler) CreateThing(rw http.ResponseWriter, req *http.Request) {
+    // Extract authentication and organization context from req.Context()
+    claims, err := authtypes.ClaimsFromContext(req.Context())
+    if err != nil {
+        render.Error(rw, err)
+        return
+    }
+
+    // Decode the request body into a `types.*` struct using the `binding` package
+    var in types.PostableThing
+    if err := binding.JSON.BindBody(req.Body, &in); err != nil {
+        render.Error(rw, err)
+        return
+    }
+    
+    // Call module functions
+    out, err := h.module.CreateThing(req.Context(), claims.OrgID, &in)
+    if err != nil {
+        render.Error(rw, err)
+        return
+    }
+
+    // Use the `render` package to write responses or errors
+    render.Success(rw, http.StatusCreated, out)
+}
+```
+
+### 3. Register the handler in `signozapiserver`
+
+In `pkg/apiserver/signozapiserver`, add a route in the appropriate `add*Routes` function (`addUserRoutes`, `addSessionRoutes`, `addOrgRoutes`, etc.). The pattern is:
+
+```go
+if err := router.Handle("/api/v1/things", handler.New(
+    provider.authZ.AdminAccess(provider.thingHandler.CreateThing),
+    handler.OpenAPIDef{
+        ID:                  "CreateThing",
+        Tags:                []string{"things"},
+        Summary:             "Create thing",
+        Description:         "This endpoint creates a thing",
+        Request:             new(types.PostableThing),
+        RequestContentType:  "application/json",
+        Response:            new(types.GettableThing),
+        ResponseContentType: "application/json",
+        SuccessStatusCode:   http.StatusCreated,
+        ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
+        Deprecated:          false,
+        SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+    },
+)).Methods(http.MethodPost).GetError(); err != nil {
+    return err
+}
+```
+
+### 4. Update the OpenAPI spec
+
+Run the following command to update the OpenAPI spec:
+
+```bash
+go run cmd/enterprise/*.go generate openapi
+```
+
+This will update the OpenAPI spec in `docs/api/openapi.yml` to reflect the new endpoint.
+
+## How does OpenAPI integration work?
+
+The `handler.New` function ties the HTTP handler to OpenAPI metadata via `OpenAPIDef`. This drives the generated OpenAPI document.
+
+- **ID**: A unique identifier for the operation (used as the `operationId`).
+- **Tags**: Logical grouping for the operation (for example, `"users"`, `"sessions"`, `"orgs"`).
+- **Summary / Description**: Human-friendly documentation.
+- **Request / RequestContentType**:
+  - `Request` is a Go type that describes the request body or form.
+  - `RequestContentType` is usually `"application/json"` or `"application/x-www-form-urlencoded"` (for callbacks like SAML).
+- **Response / ResponseContentType**:
+  - `Response` is the Go type for the successful response payload.
+  - `ResponseContentType` is usually `"application/json"`; use `""` for responses without a body.
+- **SuccessStatusCode**: The HTTP status for successful responses (for example, `http.StatusOK`, `http.StatusCreated`, `http.StatusNoContent`).
+- **ErrorStatusCodes**: Additional error status codes beyond the standard ones automatically added by `handler.New`.
+- **SecuritySchemes**: Auth mechanisms and scopes required by the operation.
+
+The generic handler:
+
+- Automatically appends `401`, `403`, and `500` to `ErrorStatusCodes` when appropriate.
+- Registers request and response schemas with the OpenAPI reflector so they appear in `docs/api/openapi.yml`.
+
+See existing examples in:
+
+- `addUserRoutes` (for typical JSON request/response)
+- `addSessionRoutes` (for form-encoded and redirect flows)
+
+## What should I remember?
+
+- **Keep handlers thin**: focus on HTTP concerns and delegate logic to modules/services.
+- **Always register routes through `signozapiserver`** using `handler.New` and a complete `OpenAPIDef`.
+- **Choose accurate request/response types** from the `types` packages so OpenAPI schemas are correct.

ee/authn/callbackauthn/oidccallbackauthn/authn.go

@@ -2,6 +2,7 @@ package oidccallbackauthn
 
 import (
 	"context"
+	"fmt"
 	"net/url"
 
 	"github.com/SigNoz/signoz/pkg/authn"
@@ -20,7 +21,7 @@ const (
 )
 
 var (
-	scopes []string = []string{"email", oidc.ScopeOpenID}
+	scopes []string = []string{"email", "profile", oidc.ScopeOpenID}
 )
 
 var _ authn.CallbackAuthN = (*AuthN)(nil)
@@ -126,7 +127,39 @@ func (a *AuthN) HandleCallback(ctx context.Context, query url.Values) (*authtype
 		}
 	}
 
-	return authtypes.NewCallbackIdentity("", email, authDomain.StorableAuthDomain().OrgID, state), nil
+	// DEBUG: Print all assertion values to see what's being received
+	fmt.Printf("\n=== DEBUG: All assertion values ===\n")
+	for key, attr := range claims {
+		fmt.Printf("  Key: %q, Value: %v\n", key, attr)
+	}
+	fmt.Printf("=================================\n\n")
+
+	name := ""
+	if nameClaim := authDomain.AuthDomainConfig().OIDC.ClaimMapping.Name; nameClaim != "" {
+		if n, ok := claims[nameClaim].(string); ok {
+			name = n
+		}
+	}
+
+	var groups []string
+	if groupsClaim := authDomain.AuthDomainConfig().OIDC.ClaimMapping.Groups; groupsClaim != "" {
+		if g, ok := claims[groupsClaim].([]interface{}); ok {
+			for _, group := range g {
+				if gs, ok := group.(string); ok {
+					groups = append(groups, gs)
+				}
+			}
+		}
+	}
+
+	role := ""
+	if roleClaim := authDomain.AuthDomainConfig().OIDC.ClaimMapping.Role; roleClaim != "" {
+		if r, ok := claims[roleClaim].(string); ok {
+			role = r
+		}
+	}
+
+	return authtypes.NewCallbackIdentity(name, email, authDomain.StorableAuthDomain().OrgID, state, groups, role), nil
 }
 
 func (a *AuthN) ProviderInfo(ctx context.Context, authDomain *authtypes.AuthDomain) *authtypes.AuthNProviderInfo {

ee/authn/callbackauthn/samlcallbackauthn/authn.go

@@ -5,6 +5,7 @@ import (
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/pem"
+	"fmt"
 	"net/url"
 	"strings"
 
@@ -87,6 +88,14 @@ func (a *AuthN) HandleCallback(ctx context.Context, formValues url.Values) (*aut
 		return nil, err
 	}
 
+	// DEBUG: Print all assertion values to see what's being received
+	fmt.Printf("\n=== DEBUG: All assertion values ===\n")
+	for key, attr := range assertionInfo.Values {
+		fmt.Printf("  Key: %q, Name: %q, FriendlyName: %q, Values: %v\n",
+			key, attr.Name, attr.FriendlyName, attr.Values)
+	}
+	fmt.Printf("=================================\n\n")
+
 	if assertionInfo.WarningInfo.InvalidTime {
 		return nil, errors.New(errors.TypeForbidden, errors.CodeForbidden, "saml: expired saml response")
 	}
@@ -96,7 +105,30 @@ func (a *AuthN) HandleCallback(ctx context.Context, formValues url.Values) (*aut
 		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "saml: invalid email").WithAdditional("The nameID assertion is used to retrieve the email address, please check your IDP configuration and try again.")
 	}
 
-	return authtypes.NewCallbackIdentity("", email, authDomain.StorableAuthDomain().OrgID, state), nil
+	name := ""
+	var groups []string
+	role := ""
+
+	attributeMapping := authDomain.AuthDomainConfig().SAML.AttributeMapping
+	if attributeMapping != nil {
+		if attributeMapping.Name != "" {
+			if val := assertionInfo.Values.Get(attributeMapping.Name); val != "" {
+				name = val
+			}
+		}
+
+		if attributeMapping.Groups != "" {
+			groups = assertionInfo.Values.GetAll(attributeMapping.Groups)
+		}
+
+		if attributeMapping.Role != "" {
+			if val := assertionInfo.Values.Get(attributeMapping.Role); val != "" {
+				role = val
+			}
+		}
+	}
+
+	return authtypes.NewCallbackIdentity(name, email, authDomain.StorableAuthDomain().OrgID, state, groups, role), nil
 }
 
 func (a *AuthN) ProviderInfo(ctx context.Context, authDomain *authtypes.AuthDomain) *authtypes.AuthNProviderInfo {

ee/query-service/app/server.go

@@ -3,13 +3,14 @@ package app
 import (
 	"context"
 	"fmt"
-	"log/slog"
 	"net"
 	"net/http"
 	_ "net/http/pprof" // http profiler
 	"slices"
 
 	"github.com/SigNoz/signoz/pkg/cache/memorycache"
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/queryparser"
 	"github.com/SigNoz/signoz/pkg/ruler/rulestore/sqlrulestore"
 	"go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux"
 	"go.opentelemetry.io/otel/propagation"
@@ -106,7 +107,8 @@ func NewServer(config signoz.Config, signoz *signoz.SigNoz) (*Server, error) {
 		signoz.Prometheus,
 		signoz.Modules.OrgGetter,
 		signoz.Querier,
-		signoz.Instrumentation.Logger(),
+		signoz.Instrumentation.ToProviderSettings(),
+		signoz.QueryParser,
 	)
 
 	if err != nil {
@@ -353,8 +355,8 @@ func (s *Server) Stop(ctx context.Context) error {
 	return nil
 }
 
-func makeRulesManager(ch baseint.Reader, cache cache.Cache, alertmanager alertmanager.Alertmanager, sqlstore sqlstore.SQLStore, telemetryStore telemetrystore.TelemetryStore, prometheus prometheus.Prometheus, orgGetter organization.Getter, querier querier.Querier, logger *slog.Logger) (*baserules.Manager, error) {
-	ruleStore := sqlrulestore.NewRuleStore(sqlstore)
+func makeRulesManager(ch baseint.Reader, cache cache.Cache, alertmanager alertmanager.Alertmanager, sqlstore sqlstore.SQLStore, telemetryStore telemetrystore.TelemetryStore, prometheus prometheus.Prometheus, orgGetter organization.Getter, querier querier.Querier, providerSettings factory.ProviderSettings, queryParser queryparser.QueryParser) (*baserules.Manager, error) {
+	ruleStore := sqlrulestore.NewRuleStore(sqlstore, queryParser, providerSettings)
 	maintenanceStore := sqlrulestore.NewMaintenanceStore(sqlstore)
 	// create manager opts
 	managerOpts := &baserules.ManagerOptions{
@@ -364,7 +366,7 @@ func makeRulesManager(ch baseint.Reader, cache cache.Cache, alertmanager alertma
 		Logger:              zap.L(),
 		Reader:              ch,
 		Querier:             querier,
-		SLogger:             logger,
+		SLogger:             providerSettings.Logger,
 		Cache:               cache,
 		EvalDelay:           baseconst.GetEvalDelay(),
 		PrepareTaskFunc:     rules.PrepareTaskFunc,

frontend/src/components/QueryBuilderV2/QueryV2/QueryAddOns/QueryAddOns.tsx

@@ -300,7 +300,7 @@ function QueryAddOns({
 	);
 
 	return (
-		<div className="query-add-ons">
+		<div className="query-add-ons" data-testid="query-add-ons">
 			{selectedViews.length > 0 && (
 				<div className="selected-add-ons-content">
 					{selectedViews.find((view) => view.key === 'group_by') && (

frontend/src/components/QueryBuilderV2/QueryV2/QueryAggregation/QueryAggregation.tsx

@@ -43,7 +43,10 @@ function QueryAggregationOptions({
 	};
 
 	return (
-		<div className="query-aggregation-container">
+		<div
+			className="query-aggregation-container"
+			data-testid="query-aggregation-container"
+		>
 			<div className="aggregation-container">
 				<QueryAggregationSelect
 					onChange={onChange}

frontend/src/components/QueryBuilderV2/utils.ts

@@ -163,6 +163,10 @@ function formatSingleValueForFilter(
 		if (trimmed === 'true' || trimmed === 'false') {
 			return trimmed === 'true';
 		}
+
+		if (isQuoted(value)) {
+			return unquote(value);
+		}
 	}
 
 	// Return non-string values as-is, or string values that couldn't be converted

frontend/src/components/ValueGraph/__tests__/ValueGraph.test.tsx

@@ -0,0 +1,205 @@
+import { screen } from '@testing-library/react';
+import { render } from 'tests/test-utils';
+
+import ValueGraph from '../index';
+import { getBackgroundColorAndThresholdCheck } from '../utils';
+
+// Mock the utils module
+jest.mock('../utils', () => ({
+	getBackgroundColorAndThresholdCheck: jest.fn(() => ({
+		threshold: {} as any,
+		isConflictingThresholds: false,
+	})),
+}));
+
+const mockGetBackgroundColorAndThresholdCheck = getBackgroundColorAndThresholdCheck as jest.MockedFunction<
+	typeof getBackgroundColorAndThresholdCheck
+>;
+
+const TEST_ID_VALUE_GRAPH_TEXT = 'value-graph-text';
+const TEST_ID_VALUE_GRAPH_PREFIX_UNIT = 'value-graph-prefix-unit';
+const TEST_ID_VALUE_GRAPH_SUFFIX_UNIT = 'value-graph-suffix-unit';
+
+describe('ValueGraph', () => {
+	beforeEach(() => {
+		jest.clearAllMocks();
+	});
+
+	it('renders the numeric value correctly', () => {
+		const { getByTestId } = render(
+			<ValueGraph value="42" rawValue={42} thresholds={[]} />,
+		);
+
+		expect(getByTestId(TEST_ID_VALUE_GRAPH_TEXT)).toHaveTextContent('42');
+	});
+
+	it('renders value with suffix unit', () => {
+		const { getByTestId } = render(
+			<ValueGraph value="42ms" rawValue={42} thresholds={[]} />,
+		);
+
+		expect(getByTestId(TEST_ID_VALUE_GRAPH_TEXT)).toHaveTextContent('42');
+		expect(getByTestId(TEST_ID_VALUE_GRAPH_SUFFIX_UNIT)).toHaveTextContent('ms');
+	});
+
+	it('renders value with prefix unit', () => {
+		const { getByTestId } = render(
+			<ValueGraph value="$100" rawValue={100} thresholds={[]} />,
+		);
+
+		expect(getByTestId(TEST_ID_VALUE_GRAPH_TEXT)).toHaveTextContent('100');
+		expect(getByTestId(TEST_ID_VALUE_GRAPH_PREFIX_UNIT)).toHaveTextContent('$');
+	});
+
+	it('renders value with both prefix and suffix units', () => {
+		const { getByTestId } = render(
+			<ValueGraph value="$100USD" rawValue={100} thresholds={[]} />,
+		);
+
+		expect(getByTestId(TEST_ID_VALUE_GRAPH_TEXT)).toHaveTextContent('100');
+		expect(getByTestId(TEST_ID_VALUE_GRAPH_PREFIX_UNIT)).toHaveTextContent('$');
+		expect(getByTestId(TEST_ID_VALUE_GRAPH_SUFFIX_UNIT)).toHaveTextContent('USD');
+	});
+
+	it('renders value with K suffix', () => {
+		const { getByTestId } = render(
+			<ValueGraph value="1.5K" rawValue={1500} thresholds={[]} />,
+		);
+
+		expect(getByTestId(TEST_ID_VALUE_GRAPH_TEXT)).toHaveTextContent('1.5K');
+	});
+
+	it('applies text color when threshold format is Text', () => {
+		mockGetBackgroundColorAndThresholdCheck.mockReturnValue({
+			threshold: {
+				thresholdFormat: 'Text',
+				thresholdColor: 'red',
+			} as any,
+			isConflictingThresholds: false,
+		});
+
+		const { getByTestId } = render(
+			<ValueGraph value="42" rawValue={42} thresholds={[]} />,
+		);
+
+		expect(getByTestId(TEST_ID_VALUE_GRAPH_TEXT)).toHaveStyle({ color: 'red' });
+	});
+
+	it('applies background color when threshold format is Background', () => {
+		mockGetBackgroundColorAndThresholdCheck.mockReturnValue({
+			threshold: {
+				thresholdFormat: 'Background',
+				thresholdColor: 'blue',
+			} as any,
+			isConflictingThresholds: false,
+		});
+
+		const { container } = render(
+			<ValueGraph value="42" rawValue={42} thresholds={[]} />,
+		);
+
+		const containerElement = container.querySelector('.value-graph-container');
+		expect(containerElement).toHaveStyle({ backgroundColor: 'blue' });
+	});
+
+	it('displays conflicting thresholds indicator when multiple thresholds match', () => {
+		mockGetBackgroundColorAndThresholdCheck.mockReturnValue({
+			threshold: {
+				thresholdFormat: 'Text',
+				thresholdColor: 'red',
+			} as any,
+			isConflictingThresholds: true,
+		});
+
+		const { getByTestId } = render(
+			<ValueGraph value="42" rawValue={42} thresholds={[]} />,
+		);
+
+		expect(getByTestId('conflicting-thresholds')).toBeInTheDocument();
+	});
+
+	it('does not display conflicting thresholds indicator when no conflict', () => {
+		mockGetBackgroundColorAndThresholdCheck.mockReturnValue({
+			threshold: {} as any,
+			isConflictingThresholds: false,
+		});
+
+		render(<ValueGraph value="42" rawValue={42} thresholds={[]} />);
+
+		expect(
+			screen.queryByTestId('conflicting-thresholds'),
+		).not.toBeInTheDocument();
+	});
+
+	it('applies text color to units when threshold format is Text', () => {
+		mockGetBackgroundColorAndThresholdCheck.mockReturnValue({
+			threshold: {
+				thresholdFormat: 'Text',
+				thresholdColor: 'green',
+			} as any,
+			isConflictingThresholds: false,
+		});
+
+		render(<ValueGraph value="42ms" rawValue={42} thresholds={[]} />);
+
+		const unitElement = screen.getByText('ms');
+		expect(unitElement).toHaveStyle({ color: 'green' });
+	});
+
+	it('renders decimal values correctly', () => {
+		const { getByTestId } = render(
+			<ValueGraph value="42.5" rawValue={42.5} thresholds={[]} />,
+		);
+
+		expect(getByTestId(TEST_ID_VALUE_GRAPH_TEXT)).toHaveTextContent('42.5');
+	});
+
+	it('handles values with M suffix', () => {
+		const { getByTestId } = render(
+			<ValueGraph value="1.2M" rawValue={1200000} thresholds={[]} />,
+		);
+
+		expect(getByTestId(TEST_ID_VALUE_GRAPH_TEXT)).toHaveTextContent('1.2M');
+	});
+
+	it('handles values with B suffix', () => {
+		const { getByTestId } = render(
+			<ValueGraph value="2.3B" rawValue={2300000000} thresholds={[]} />,
+		);
+
+		expect(getByTestId(TEST_ID_VALUE_GRAPH_TEXT)).toHaveTextContent('2.3B');
+	});
+
+	it('handles scientific notation values', () => {
+		const { getByTestId } = render(
+			<ValueGraph value="1e-9" rawValue={1e-9} thresholds={[]} />,
+		);
+
+		expect(getByTestId(TEST_ID_VALUE_GRAPH_TEXT)).toHaveTextContent('1e-9');
+	});
+
+	it('handles scientific notation with suffix unit', () => {
+		const { getByTestId } = render(
+			<ValueGraph value="1e-9%" rawValue={1e-9} thresholds={[]} />,
+		);
+
+		expect(getByTestId(TEST_ID_VALUE_GRAPH_TEXT)).toHaveTextContent('1e-9');
+		expect(getByTestId(TEST_ID_VALUE_GRAPH_SUFFIX_UNIT)).toHaveTextContent('%');
+	});
+
+	it('handles scientific notation with uppercase E', () => {
+		const { getByTestId } = render(
+			<ValueGraph value="1E-9" rawValue={1e-9} thresholds={[]} />,
+		);
+
+		expect(getByTestId(TEST_ID_VALUE_GRAPH_TEXT)).toHaveTextContent('1E-9');
+	});
+
+	it('handles scientific notation with positive exponent', () => {
+		const { getByTestId } = render(
+			<ValueGraph value="1e+9" rawValue={1e9} thresholds={[]} />,
+		);
+
+		expect(getByTestId(TEST_ID_VALUE_GRAPH_TEXT)).toHaveTextContent('1e+9');
+	});
+});

frontend/src/components/ValueGraph/index.tsx

@@ -3,11 +3,39 @@ import './ValueGraph.styles.scss';
 import { ExclamationCircleFilled } from '@ant-design/icons';
 import { Tooltip, Typography } from 'antd';
 import { ThresholdProps } from 'container/NewWidget/RightContainer/Threshold/types';
-import { useEffect, useRef, useState } from 'react';
+import { useEffect, useMemo, useRef, useState } from 'react';
 import { useTranslation } from 'react-i18next';
 
 import { getBackgroundColorAndThresholdCheck } from './utils';
 
+function Unit({
+	type,
+	unit,
+	threshold,
+	fontSize,
+}: {
+	type: 'prefix' | 'suffix';
+	unit: string;
+	threshold: ThresholdProps;
+	fontSize: string;
+}): JSX.Element {
+	return (
+		<Typography.Text
+			className="value-graph-unit"
+			data-testid={`value-graph-${type}-unit`}
+			style={{
+				color:
+					threshold.thresholdFormat === 'Text'
+						? threshold.thresholdColor
+						: undefined,
+				fontSize: `calc(${fontSize} * 0.7)`,
+			}}
+		>
+			{unit}
+		</Typography.Text>
+	);
+}
+
 function ValueGraph({
 	value,
 	rawValue,
@@ -17,10 +45,16 @@ function ValueGraph({
 	const containerRef = useRef<HTMLDivElement>(null);
 	const [fontSize, setFontSize] = useState('2.5vw');
 
-	// Parse value to separate number and unit (assuming unit is at the end)
-	const matches = value.match(/([\d.]+[KMB]?)(.*)$/);
-	const numericValue = matches?.[1] || value;
-	const unit = matches?.[2]?.trim() || '';
+	const { numericValue, prefixUnit, suffixUnit } = useMemo(() => {
+		const matches = value.match(
+			/^([^\d.]*)?([\d.]+(?:[eE][+-]?[\d]+)?[KMB]?)([^\d.]*)?$/,
+		);
+		return {
+			numericValue: matches?.[2] || value,
+			prefixUnit: matches?.[1]?.trim() || '',
+			suffixUnit: matches?.[3]?.trim() || '',
+		};
+	}, [value]);
 
 	// Adjust font size based on container size
 	useEffect(() => {
@@ -65,8 +99,17 @@ function ValueGraph({
 			}}
 		>
 			<div className="value-text-container">
+				{prefixUnit && (
+					<Unit
+						type="prefix"
+						unit={prefixUnit}
+						threshold={threshold}
+						fontSize={fontSize}
+					/>
+				)}
 				<Typography.Text
 					className="value-graph-text"
+					data-testid="value-graph-text"
 					style={{
 						color:
 							threshold.thresholdFormat === 'Text'
@@ -77,19 +120,13 @@ function ValueGraph({
 				>
 					{numericValue}
 				</Typography.Text>
-				{unit && (
-					<Typography.Text
-						className="value-graph-unit"
-						style={{
-							color:
-								threshold.thresholdFormat === 'Text'
-									? threshold.thresholdColor
-									: undefined,
-							fontSize: `calc(${fontSize} * 0.7)`,
-						}}
-					>
-						{unit}
-					</Typography.Text>
+				{suffixUnit && (
+					<Unit
+						type="suffix"
+						unit={suffixUnit}
+						threshold={threshold}
+						fontSize={fontSize}
+					/>
 				)}
 			</div>
 			{isConflictingThresholds && (

frontend/src/container/GridCardLayout/WidgetHeader/__tests__/WidgetHeader.test.tsx

@@ -0,0 +1,469 @@
+import { render as rtlRender, screen } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { PANEL_TYPES } from 'constants/queryBuilder';
+import { RowData } from 'lib/query/createTableColumnsFromQuery';
+import { AppContext } from 'providers/App/App';
+import { IAppContext } from 'providers/App/types';
+import React, { MutableRefObject } from 'react';
+import { QueryClient, QueryClientProvider, UseQueryResult } from 'react-query';
+import { Provider } from 'react-redux';
+import { MemoryRouter } from 'react-router-dom';
+import configureStore from 'redux-mock-store';
+import thunk from 'redux-thunk';
+import { SuccessResponse, Warning } from 'types/api';
+import { Widgets } from 'types/api/dashboard/getAll';
+import { MetricRangePayloadProps } from 'types/api/metrics/getQueryRange';
+import { EQueryType } from 'types/common/dashboard';
+import { ROLES } from 'types/roles';
+
+import { MenuItemKeys } from '../contants';
+import WidgetHeader from '../index';
+
+const TEST_WIDGET_TITLE = 'Test Widget';
+const TABLE_WIDGET_TITLE = 'Table Widget';
+const WIDGET_HEADER_SEARCH = 'widget-header-search';
+const WIDGET_HEADER_SEARCH_INPUT = 'widget-header-search-input';
+const TEST_WIDGET_TITLE_RESOLVED = 'Test Widget Title';
+
+const mockStore = configureStore([thunk]);
+const createMockStore = (): ReturnType<typeof mockStore> =>
+	mockStore({
+		app: {
+			role: 'ADMIN',
+			user: {
+				userId: 'test-user-id',
+				email: 'test@signoz.io',
+				name: 'TestUser',
+			},
+			isLoggedIn: true,
+			org: [],
+		},
+		globalTime: {
+			minTime: '2023-01-01T00:00:00Z',
+			maxTime: '2023-01-02T00:00:00Z',
+		},
+	});
+
+const queryClient = new QueryClient({
+	defaultOptions: {
+		queries: {
+			refetchOnWindowFocus: false,
+			retry: false,
+		},
+	},
+});
+
+const createMockAppContext = (): Partial<IAppContext> => ({
+	user: {
+		accessJwt: '',
+		refreshJwt: '',
+		id: '',
+		email: '',
+		displayName: '',
+		createdAt: 0,
+		organization: '',
+		orgId: '',
+		role: 'ADMIN' as ROLES,
+	},
+});
+
+const render = (ui: React.ReactElement): ReturnType<typeof rtlRender> =>
+	rtlRender(
+		<MemoryRouter>
+			<QueryClientProvider client={queryClient}>
+				<Provider store={createMockStore()}>
+					<AppContext.Provider value={createMockAppContext() as IAppContext}>
+						{ui}
+					</AppContext.Provider>
+				</Provider>
+			</QueryClientProvider>
+		</MemoryRouter>,
+	);
+
+jest.mock('hooks/queryBuilder/useCreateAlerts', () => ({
+	__esModule: true,
+	default: jest.fn(() => jest.fn()),
+}));
+
+jest.mock('hooks/dashboard/useGetResolvedText', () => {
+	// eslint-disable-next-line sonarjs/no-duplicate-string
+	const TEST_WIDGET_TITLE_RESOLVED = 'Test Widget Title';
+	return {
+		__esModule: true,
+		default: jest.fn(() => ({
+			truncatedText: TEST_WIDGET_TITLE_RESOLVED,
+			fullText: TEST_WIDGET_TITLE_RESOLVED,
+		})),
+	};
+});
+
+jest.mock('lucide-react', () => ({
+	CircleX: (): JSX.Element => <svg data-testid="lucide-circle-x" />,
+	TriangleAlert: (): JSX.Element => <svg data-testid="lucide-triangle-alert" />,
+	X: (): JSX.Element => <svg data-testid="lucide-x" />,
+}));
+jest.mock('antd', () => ({
+	...jest.requireActual('antd'),
+	Spin: (): JSX.Element => <div data-testid="antd-spin" />,
+}));
+
+const mockWidget: Widgets = {
+	id: 'test-widget-id',
+	title: TEST_WIDGET_TITLE,
+	description: 'Test Description',
+	panelTypes: PANEL_TYPES.TIME_SERIES,
+	query: {
+		builder: {
+			queryData: [],
+			queryFormulas: [],
+			queryTraceOperator: [],
+		},
+		promql: [],
+		clickhouse_sql: [],
+		id: 'query-id',
+		queryType: 'builder' as EQueryType,
+	},
+	timePreferance: 'GLOBAL_TIME',
+	opacity: '',
+	nullZeroValues: '',
+	yAxisUnit: '',
+	fillSpans: false,
+	softMin: null,
+	softMax: null,
+	selectedLogFields: [],
+	selectedTracesFields: [],
+};
+
+const mockQueryResponse = ({
+	data: {
+		payload: {
+			data: {
+				result: [],
+				resultType: '',
+			},
+		},
+		statusCode: 200,
+		message: 'success',
+		error: null,
+	},
+	isLoading: false,
+	isError: false,
+	error: null,
+	isFetching: false,
+} as unknown) as UseQueryResult<
+	SuccessResponse<MetricRangePayloadProps, unknown> & {
+		warning?: Warning;
+	},
+	Error
+>;
+
+describe('WidgetHeader', () => {
+	const mockOnView = jest.fn();
+	const mockSetSearchTerm = jest.fn();
+	const tableProcessedDataRef: MutableRefObject<RowData[]> = {
+		current: [
+			{
+				timestamp: 1234567890,
+				key: 'key1',
+				col1: 'val1',
+				col2: 'val2',
+			},
+		],
+	};
+
+	beforeEach(() => {
+		jest.clearAllMocks();
+	});
+
+	it('renders widget header with title', () => {
+		render(
+			<WidgetHeader
+				title={TEST_WIDGET_TITLE}
+				widget={mockWidget}
+				onView={mockOnView}
+				parentHover={false}
+				queryResponse={mockQueryResponse}
+				isWarning={false}
+				isFetchingResponse={false}
+				tableProcessedDataRef={tableProcessedDataRef}
+				setSearchTerm={mockSetSearchTerm}
+			/>,
+		);
+
+		expect(screen.getByText(TEST_WIDGET_TITLE_RESOLVED)).toBeInTheDocument();
+	});
+
+	it('returns null for empty widget', () => {
+		const emptyWidget = {
+			...mockWidget,
+			id: PANEL_TYPES.EMPTY_WIDGET,
+		};
+
+		const { container } = render(
+			<WidgetHeader
+				title="Empty Widget"
+				widget={emptyWidget}
+				onView={mockOnView}
+				parentHover={false}
+				queryResponse={mockQueryResponse}
+				isWarning={false}
+				isFetchingResponse={false}
+				tableProcessedDataRef={tableProcessedDataRef}
+				setSearchTerm={mockSetSearchTerm}
+			/>,
+		);
+
+		expect(container.innerHTML).toBe('');
+	});
+
+	it('shows search input for table panels', async () => {
+		const tableWidget = {
+			...mockWidget,
+			panelTypes: PANEL_TYPES.TABLE,
+		};
+
+		render(
+			<WidgetHeader
+				title={TABLE_WIDGET_TITLE}
+				widget={tableWidget}
+				onView={mockOnView}
+				parentHover={false}
+				queryResponse={mockQueryResponse}
+				isWarning={false}
+				isFetchingResponse={false}
+				tableProcessedDataRef={tableProcessedDataRef}
+				setSearchTerm={mockSetSearchTerm}
+			/>,
+		);
+
+		const searchIcon = screen.getByTestId(WIDGET_HEADER_SEARCH);
+		expect(searchIcon).toBeInTheDocument();
+
+		await userEvent.click(searchIcon);
+
+		expect(screen.getByTestId(WIDGET_HEADER_SEARCH_INPUT)).toBeInTheDocument();
+	});
+
+	it('handles search input changes and closing', async () => {
+		const tableWidget = {
+			...mockWidget,
+			panelTypes: PANEL_TYPES.TABLE,
+		};
+
+		render(
+			<WidgetHeader
+				title={TABLE_WIDGET_TITLE}
+				widget={tableWidget}
+				onView={mockOnView}
+				parentHover={false}
+				queryResponse={mockQueryResponse}
+				isWarning={false}
+				isFetchingResponse={false}
+				tableProcessedDataRef={tableProcessedDataRef}
+				setSearchTerm={mockSetSearchTerm}
+			/>,
+		);
+
+		const searchIcon = screen.getByTestId(`${WIDGET_HEADER_SEARCH}`);
+		await userEvent.click(searchIcon);
+
+		const searchInput = screen.getByTestId(WIDGET_HEADER_SEARCH_INPUT);
+		await userEvent.type(searchInput, 'test search');
+		expect(mockSetSearchTerm).toHaveBeenCalledWith('test search');
+
+		const closeButton = screen
+			.getByTestId(WIDGET_HEADER_SEARCH_INPUT)
+			.parentElement?.querySelector('.search-header-icons');
+		if (closeButton) {
+			await userEvent.click(closeButton);
+			expect(mockSetSearchTerm).toHaveBeenCalledWith('');
+		}
+	});
+
+	it('shows error icon when query has error', () => {
+		const errorResponse = {
+			...mockQueryResponse,
+			isError: true as const,
+			error: { message: 'Test error' } as Error,
+			data: undefined,
+		} as UseQueryResult<
+			SuccessResponse<MetricRangePayloadProps, unknown> & {
+				warning?: Warning;
+			},
+			Error
+		>;
+
+		render(
+			<WidgetHeader
+				title={TEST_WIDGET_TITLE}
+				widget={mockWidget}
+				onView={mockOnView}
+				parentHover={false}
+				queryResponse={errorResponse}
+				isWarning={false}
+				isFetchingResponse={false}
+				tableProcessedDataRef={tableProcessedDataRef}
+				setSearchTerm={mockSetSearchTerm}
+			/>,
+		);
+
+		// check if CircleX icon is rendered
+		const circleXIcon = screen.getByTestId('lucide-circle-x');
+		expect(circleXIcon).toBeInTheDocument();
+	});
+
+	it('shows warning icon when query has warning', () => {
+		const warningData = mockQueryResponse.data
+			? {
+					...mockQueryResponse.data,
+					warning: {
+						code: 'WARNING_CODE',
+						message: 'Test warning',
+						url: 'https://example.com',
+						warnings: [{ message: 'Test warning' }],
+					} as Warning,
+			  }
+			: undefined;
+
+		const warningResponse = {
+			...mockQueryResponse,
+			data: warningData,
+		} as UseQueryResult<
+			SuccessResponse<MetricRangePayloadProps, unknown> & {
+				warning?: Warning;
+			},
+			Error
+		>;
+
+		render(
+			<WidgetHeader
+				title={TEST_WIDGET_TITLE}
+				widget={mockWidget}
+				onView={mockOnView}
+				parentHover={false}
+				queryResponse={warningResponse}
+				isWarning
+				isFetchingResponse={false}
+				tableProcessedDataRef={tableProcessedDataRef}
+				setSearchTerm={mockSetSearchTerm}
+			/>,
+		);
+
+		const triangleAlertIcon = screen.getByTestId('lucide-triangle-alert');
+		expect(triangleAlertIcon).toBeInTheDocument();
+	});
+
+	it('shows spinner when fetching response', () => {
+		const fetchingResponse = {
+			...mockQueryResponse,
+			isFetching: true,
+			isLoading: true,
+		} as UseQueryResult<
+			SuccessResponse<MetricRangePayloadProps, unknown> & {
+				warning?: Warning;
+			},
+			Error
+		>;
+
+		render(
+			<WidgetHeader
+				title={TEST_WIDGET_TITLE}
+				widget={mockWidget}
+				onView={mockOnView}
+				parentHover={false}
+				queryResponse={fetchingResponse}
+				isWarning={false}
+				isFetchingResponse
+				tableProcessedDataRef={tableProcessedDataRef}
+				setSearchTerm={mockSetSearchTerm}
+			/>,
+		);
+
+		const antSpin = screen.getByTestId('antd-spin');
+		expect(antSpin).toBeInTheDocument();
+	});
+
+	it('renders menu options icon', () => {
+		render(
+			<WidgetHeader
+				title={TEST_WIDGET_TITLE}
+				widget={mockWidget}
+				onView={mockOnView}
+				parentHover={false}
+				queryResponse={mockQueryResponse}
+				isWarning={false}
+				isFetchingResponse={false}
+				tableProcessedDataRef={tableProcessedDataRef}
+				setSearchTerm={mockSetSearchTerm}
+				headerMenuList={[MenuItemKeys.View]}
+			/>,
+		);
+
+		const moreOptionsIcon = screen.getByTestId('widget-header-options');
+		expect(moreOptionsIcon).toBeInTheDocument();
+	});
+
+	it('shows search icon for table panels', () => {
+		const tableWidget = {
+			...mockWidget,
+			panelTypes: PANEL_TYPES.TABLE,
+		};
+
+		render(
+			<WidgetHeader
+				title={TABLE_WIDGET_TITLE}
+				widget={tableWidget}
+				onView={mockOnView}
+				parentHover={false}
+				queryResponse={mockQueryResponse}
+				isWarning={false}
+				isFetchingResponse={false}
+				tableProcessedDataRef={tableProcessedDataRef}
+				setSearchTerm={mockSetSearchTerm}
+			/>,
+		);
+
+		const searchIcon = screen.getByTestId(WIDGET_HEADER_SEARCH);
+		expect(searchIcon).toBeInTheDocument();
+	});
+
+	it('does not show search icon for non-table panels', () => {
+		render(
+			<WidgetHeader
+				title={TEST_WIDGET_TITLE}
+				widget={mockWidget}
+				onView={mockOnView}
+				parentHover={false}
+				queryResponse={mockQueryResponse}
+				isWarning={false}
+				isFetchingResponse={false}
+				tableProcessedDataRef={tableProcessedDataRef}
+				setSearchTerm={mockSetSearchTerm}
+			/>,
+		);
+
+		const searchIcon = screen.queryByTestId(WIDGET_HEADER_SEARCH);
+		expect(searchIcon).not.toBeInTheDocument();
+	});
+
+	it('renders threshold when provided', () => {
+		const threshold = <div data-testid="threshold">Threshold Component</div>;
+
+		render(
+			<WidgetHeader
+				title={TEST_WIDGET_TITLE}
+				widget={mockWidget}
+				onView={mockOnView}
+				parentHover={false}
+				queryResponse={mockQueryResponse}
+				isWarning={false}
+				isFetchingResponse={false}
+				tableProcessedDataRef={tableProcessedDataRef}
+				setSearchTerm={mockSetSearchTerm}
+				threshold={threshold}
+			/>,
+		);
+
+		expect(screen.getByTestId('threshold')).toBeInTheDocument();
+	});
+});

frontend/src/container/GridCardLayout/WidgetHeader/index.tsx

@@ -35,6 +35,7 @@ import { SuccessResponse, Warning } from 'types/api';
 import { Widgets } from 'types/api/dashboard/getAll';
 import APIError from 'types/api/error';
 import { MetricRangePayloadProps } from 'types/api/metrics/getQueryRange';
+import { buildAbsolutePath } from 'utils/app';
 
 import { errorTooltipPosition } from './config';
 import { MENUITEM_KEYS_VS_LABELS, MenuItemKeys } from './contants';
@@ -87,7 +88,10 @@ function WidgetHeader({
 			QueryParams.compositeQuery,
 			encodeURIComponent(JSON.stringify(widget.query)),
 		);
-		const generatedUrl = `${window.location.pathname}/new?${urlQuery}`;
+		const generatedUrl = buildAbsolutePath({
+			relativePath: 'new',
+			urlQueryString: urlQuery.toString(),
+		});
 		safeNavigate(generatedUrl);
 	}, [safeNavigate, urlQuery, widget.id, widget.panelTypes, widget.query]);
 
@@ -240,6 +244,7 @@ function WidgetHeader({
 							onClick={(e): void => {
 								e.stopPropagation();
 								e.preventDefault();
+								setSearchTerm('');
 								setShowGlobalSearch(false);
 							}}
 							className="search-header-icons"

frontend/src/container/LogExplorerQuerySection/LogExplorerQuerySection.test.tsx

@@ -0,0 +1,366 @@
+import { PANEL_TYPES } from 'constants/queryBuilder';
+import { useGetPanelTypesQueryParam } from 'hooks/queryBuilder/useGetPanelTypesQueryParam';
+import { useShareBuilderUrl } from 'hooks/queryBuilder/useShareBuilderUrl';
+import { ExplorerViews } from 'pages/LogsExplorer/utils';
+import { cleanup, render, screen, waitFor } from 'tests/test-utils';
+import { DataTypes } from 'types/api/queryBuilder/queryAutocompleteResponse';
+import { Query, QueryState } from 'types/api/queryBuilder/queryBuilderData';
+import { EQueryType } from 'types/common/dashboard';
+import { DataSource, QueryBuilderContextType } from 'types/common/queryBuilder';
+import { explorerViewToPanelType } from 'utils/explorerUtils';
+
+import LogExplorerQuerySection from './index';
+
+const CM_EDITOR_SELECTOR = '.cm-editor .cm-content';
+const QUERY_AGGREGATION_TEST_ID = 'query-aggregation-container';
+const QUERY_ADDON_TEST_ID = 'query-add-ons';
+
+// Mock DOM APIs that CodeMirror needs
+beforeAll(() => {
+	// Mock getClientRects and getBoundingClientRect for Range objects
+	const mockRect: DOMRect = {
+		width: 100,
+		height: 20,
+		top: 0,
+		left: 0,
+		right: 100,
+		bottom: 20,
+		x: 0,
+		y: 0,
+		toJSON: (): DOMRect => mockRect,
+	} as DOMRect;
+
+	// Create a minimal Range mock with only what CodeMirror actually uses
+	const createMockRange = (): Range => {
+		let startContainer: Node = document.createTextNode('');
+		let endContainer: Node = document.createTextNode('');
+		let startOffset = 0;
+		let endOffset = 0;
+
+		const rectList = {
+			length: 1,
+			item: (index: number): DOMRect | null => (index === 0 ? mockRect : null),
+			0: mockRect,
+		};
+
+		const mockRange = {
+			// CodeMirror uses these for text measurement
+			getClientRects: (): DOMRectList => (rectList as unknown) as DOMRectList,
+			getBoundingClientRect: (): DOMRect => mockRect,
+			// CodeMirror calls these to set up text ranges
+			setStart: (node: Node, offset: number): void => {
+				startContainer = node;
+				startOffset = offset;
+			},
+			setEnd: (node: Node, offset: number): void => {
+				endContainer = node;
+				endOffset = offset;
+			},
+			// Minimal Range properties (TypeScript requires these)
+			get startContainer(): Node {
+				return startContainer;
+			},
+			get endContainer(): Node {
+				return endContainer;
+			},
+			get startOffset(): number {
+				return startOffset;
+			},
+			get endOffset(): number {
+				return endOffset;
+			},
+			get collapsed(): boolean {
+				return startContainer === endContainer && startOffset === endOffset;
+			},
+			commonAncestorContainer: document.body,
+		};
+		return (mockRange as unknown) as Range;
+	};
+
+	// Mock document.createRange to return a new Range instance each time
+	document.createRange = (): Range => createMockRange();
+
+	// Mock getBoundingClientRect for elements
+	Element.prototype.getBoundingClientRect = (): DOMRect => mockRect;
+});
+
+jest.mock('hooks/useDarkMode', () => ({
+	useIsDarkMode: (): boolean => false,
+}));
+
+jest.mock('providers/Dashboard/Dashboard', () => ({
+	useDashboard: (): { selectedDashboard: undefined } => ({
+		selectedDashboard: undefined,
+	}),
+}));
+
+jest.mock('api/querySuggestions/getKeySuggestions', () => ({
+	getKeySuggestions: jest.fn().mockResolvedValue({
+		data: {
+			data: { keys: {} },
+		},
+	}),
+}));
+
+jest.mock('api/querySuggestions/getValueSuggestion', () => ({
+	getValueSuggestions: jest.fn().mockResolvedValue({
+		data: { data: { values: { stringValues: [], numberValues: [] } } },
+	}),
+}));
+
+// Mock the hooks
+jest.mock('hooks/queryBuilder/useGetPanelTypesQueryParam');
+jest.mock('hooks/queryBuilder/useShareBuilderUrl');
+
+const mockUseGetPanelTypesQueryParam = jest.mocked(useGetPanelTypesQueryParam);
+const mockUseShareBuilderUrl = jest.mocked(useShareBuilderUrl);
+
+const mockUpdateAllQueriesOperators = jest.fn() as jest.MockedFunction<
+	(query: Query, panelType: PANEL_TYPES, dataSource: DataSource) => Query
+>;
+
+const mockResetQuery = jest.fn() as jest.MockedFunction<
+	(newCurrentQuery?: QueryState) => void
+>;
+
+const mockRedirectWithQueryBuilderData = jest.fn() as jest.MockedFunction<
+	(query: Query) => void
+>;
+
+// Create a mock query that we'll use to verify persistence
+const createMockQuery = (filterExpression?: string): Query => ({
+	id: 'test-query-id',
+	queryType: EQueryType.QUERY_BUILDER,
+	builder: {
+		queryData: [
+			{
+				aggregateAttribute: {
+					id: 'body--string----false',
+					dataType: DataTypes.String,
+					key: 'body',
+					type: '',
+				},
+				aggregateOperator: 'count',
+				dataSource: DataSource.LOGS,
+				disabled: false,
+				expression: 'A',
+				filters: {
+					items: [],
+					op: 'AND',
+				},
+				filter: filterExpression
+					? {
+							expression: filterExpression,
+					  }
+					: undefined,
+				functions: [],
+				groupBy: [
+					{
+						key: 'cloud.account.id',
+						type: 'tag',
+					},
+				],
+				having: [],
+				legend: '',
+				limit: null,
+				orderBy: [{ columnName: 'timestamp', order: 'desc' }],
+				pageSize: 0,
+				queryName: 'A',
+				reduceTo: 'avg',
+				stepInterval: 60,
+			},
+		],
+		queryFormulas: [],
+		queryTraceOperator: [],
+	},
+	clickhouse_sql: [],
+	promql: [],
+});
+
+// Helper function to verify CodeMirror content
+const verifyCodeMirrorContent = async (
+	expectedFilterExpression: string,
+): Promise<void> => {
+	await waitFor(
+		() => {
+			const editorContent = document.querySelector(
+				CM_EDITOR_SELECTOR,
+			) as HTMLElement;
+			expect(editorContent).toBeInTheDocument();
+			const textContent = editorContent.textContent || '';
+			expect(textContent).toBe(expectedFilterExpression);
+		},
+		{ timeout: 3000 },
+	);
+};
+
+const VIEWS_TO_TEST = [
+	ExplorerViews.LIST,
+	ExplorerViews.TIMESERIES,
+	ExplorerViews.TABLE,
+];
+
+describe('LogExplorerQuerySection', () => {
+	let mockQuery: Query;
+	let mockQueryBuilderContext: Partial<QueryBuilderContextType>;
+
+	beforeEach(() => {
+		jest.clearAllMocks();
+
+		mockQuery = createMockQuery();
+
+		// Mock the return value of updateAllQueriesOperators to return the same query
+		mockUpdateAllQueriesOperators.mockReturnValue(mockQuery);
+
+		// Setup query builder context mock
+		mockQueryBuilderContext = {
+			currentQuery: mockQuery,
+			updateAllQueriesOperators: mockUpdateAllQueriesOperators,
+			resetQuery: mockResetQuery,
+			redirectWithQueryBuilderData: mockRedirectWithQueryBuilderData,
+			panelType: PANEL_TYPES.LIST,
+			initialDataSource: DataSource.LOGS,
+			addNewBuilderQuery: jest.fn() as jest.MockedFunction<() => void>,
+			addNewFormula: jest.fn() as jest.MockedFunction<() => void>,
+			handleSetConfig: jest.fn() as jest.MockedFunction<
+				(panelType: PANEL_TYPES, dataSource: DataSource | null) => void
+			>,
+			addTraceOperator: jest.fn() as jest.MockedFunction<() => void>,
+		};
+
+		// Mock useGetPanelTypesQueryParam
+		mockUseGetPanelTypesQueryParam.mockReturnValue(PANEL_TYPES.LIST);
+
+		// Mock useShareBuilderUrl
+		mockUseShareBuilderUrl.mockImplementation(() => {});
+	});
+
+	afterEach(() => {
+		jest.clearAllMocks();
+	});
+
+	it('should maintain query state across multiple view changes', () => {
+		const { rerender } = render(
+			<LogExplorerQuerySection selectedView={ExplorerViews.LIST} />,
+			undefined,
+			{
+				queryBuilderOverrides: mockQueryBuilderContext as QueryBuilderContextType,
+			},
+		);
+
+		const initialQuery = mockQueryBuilderContext.currentQuery;
+
+		VIEWS_TO_TEST.forEach((view) => {
+			rerender(<LogExplorerQuerySection selectedView={view} />);
+			expect(mockQueryBuilderContext.currentQuery).toEqual(initialQuery);
+		});
+	});
+
+	it('should persist filter expressions across view changes', async () => {
+		// Test with a more complex filter expression
+		const complexFilter =
+			"(service.name = 'api-gateway' OR service.name = 'backend') AND http.status_code IN [500, 502, 503] AND NOT error = 'timeout'";
+		const queryWithComplexFilter = createMockQuery(complexFilter);
+
+		const contextWithComplexFilter: Partial<QueryBuilderContextType> = {
+			...mockQueryBuilderContext,
+			currentQuery: queryWithComplexFilter,
+		};
+
+		const { rerender } = render(
+			<LogExplorerQuerySection selectedView={ExplorerViews.LIST} />,
+			undefined,
+			{
+				queryBuilderOverrides: contextWithComplexFilter as QueryBuilderContextType,
+			},
+		);
+
+		VIEWS_TO_TEST.forEach(async (view) => {
+			rerender(<LogExplorerQuerySection selectedView={view} />);
+			await verifyCodeMirrorContent(complexFilter);
+		});
+	});
+
+	it('should render QueryAggregation and QueryAddOns when switching from LIST to TIMESERIES or TABLE view', async () => {
+		// Helper function to verify components are rendered
+		const verifyComponentsRendered = async (): Promise<void> => {
+			await waitFor(
+				() => {
+					expect(screen.getByTestId(QUERY_AGGREGATION_TEST_ID)).toBeInTheDocument();
+				},
+				{ timeout: 3000 },
+			);
+			await waitFor(
+				() => {
+					expect(screen.getByTestId(QUERY_ADDON_TEST_ID)).toBeInTheDocument();
+				},
+				{ timeout: 3000 },
+			);
+		};
+
+		// Start with LIST view - QueryAggregation and QueryAddOns should NOT be rendered
+		mockUseGetPanelTypesQueryParam.mockReturnValue(PANEL_TYPES.LIST);
+		const contextWithList: Partial<QueryBuilderContextType> = {
+			...mockQueryBuilderContext,
+			panelType: PANEL_TYPES.LIST,
+		};
+
+		render(
+			<LogExplorerQuerySection selectedView={ExplorerViews.LIST} />,
+			undefined,
+			{
+				queryBuilderOverrides: contextWithList as QueryBuilderContextType,
+			},
+		);
+
+		// Verify QueryAggregation is NOT rendered in LIST view
+		expect(
+			screen.queryByTestId(QUERY_AGGREGATION_TEST_ID),
+		).not.toBeInTheDocument();
+
+		// Verify QueryAddOns is NOT rendered in LIST view (check for one of the add-on tabs)
+		expect(screen.queryByTestId(QUERY_ADDON_TEST_ID)).not.toBeInTheDocument();
+
+		cleanup();
+
+		// Switch to TIMESERIES view
+		const timeseriesPanelType = explorerViewToPanelType[ExplorerViews.TIMESERIES];
+		mockUseGetPanelTypesQueryParam.mockReturnValue(timeseriesPanelType);
+		const contextWithTimeseries: Partial<QueryBuilderContextType> = {
+			...mockQueryBuilderContext,
+			panelType: timeseriesPanelType,
+		};
+
+		render(
+			<LogExplorerQuerySection selectedView={ExplorerViews.TIMESERIES} />,
+			undefined,
+			{
+				queryBuilderOverrides: contextWithTimeseries as QueryBuilderContextType,
+			},
+		);
+
+		// Verify QueryAggregation and QueryAddOns are rendered
+		await verifyComponentsRendered();
+
+		cleanup();
+
+		// Switch to TABLE view
+		const tablePanelType = explorerViewToPanelType[ExplorerViews.TABLE];
+		mockUseGetPanelTypesQueryParam.mockReturnValue(tablePanelType);
+		const contextWithTable: Partial<QueryBuilderContextType> = {
+			...mockQueryBuilderContext,
+			panelType: tablePanelType,
+		};
+
+		render(
+			<LogExplorerQuerySection selectedView={ExplorerViews.TABLE} />,
+			undefined,
+			{
+				queryBuilderOverrides: contextWithTable as QueryBuilderContextType,
+			},
+		);
+
+		// Verify QueryAggregation and QueryAddOns are still rendered in TABLE view
+		await verifyComponentsRendered();
+	});
+});

frontend/src/container/NewWidget/index.tsx

@@ -501,7 +501,7 @@ function NewWidget({
 								stackedBarChart: selectedWidget?.stackedBarChart || false,
 								yAxisUnit: selectedWidget?.yAxisUnit,
 								decimalPrecision:
-									selectedWidget?.decimalPrecision || PrecisionOptionsEnum.TWO,
+									selectedWidget?.decimalPrecision ?? PrecisionOptionsEnum.TWO,
 								panelTypes: graphType,
 								query: adjustedQueryForV5,
 								thresholds: selectedWidget?.thresholds,
@@ -532,7 +532,7 @@ function NewWidget({
 								stackedBarChart: selectedWidget?.stackedBarChart || false,
 								yAxisUnit: selectedWidget?.yAxisUnit,
 								decimalPrecision:
-									selectedWidget?.decimalPrecision || PrecisionOptionsEnum.TWO,
+									selectedWidget?.decimalPrecision ?? PrecisionOptionsEnum.TWO,
 								panelTypes: graphType,
 								query: adjustedQueryForV5,
 								thresholds: selectedWidget?.thresholds,

frontend/src/container/PanelWrapper/__tests__/__snapshots__/ValuePanelWrapper.test.tsx.snap

@@ -49,12 +49,14 @@ exports[`Value panel wrappper tests should render tooltip when there are conflic
       >
         <span
           class="ant-typography value-graph-text css-dev-only-do-not-override-2i2tap"
+          data-testid="value-graph-text"
           style="color: Blue; font-size: 16px;"
         >
           295.43
         </span>
         <span
           class="ant-typography value-graph-unit css-dev-only-do-not-override-2i2tap"
+          data-testid="value-graph-suffix-unit"
           style="color: Blue; font-size: calc(16px * 0.7);"
         >
           ms

frontend/src/container/SpanDetailsDrawer/Events/components/EventAttribute.tsx

@@ -3,6 +3,7 @@ import { Tooltip, Typography } from 'antd';
 import AttributeWithExpandablePopover from './AttributeWithExpandablePopover';
 
 const EXPANDABLE_ATTRIBUTE_KEYS = ['exception.stacktrace', 'exception.message'];
+const ATTRIBUTE_LENGTH_THRESHOLD = 100;
 
 interface EventAttributeProps {
 	attributeKey: string;
@@ -15,7 +16,11 @@ function EventAttribute({
 	attributeValue,
 	onExpand,
 }: EventAttributeProps): JSX.Element {
-	if (EXPANDABLE_ATTRIBUTE_KEYS.includes(attributeKey)) {
+	const shouldExpand =
+		EXPANDABLE_ATTRIBUTE_KEYS.includes(attributeKey) ||
+		attributeValue.length > ATTRIBUTE_LENGTH_THRESHOLD;
+
+	if (shouldExpand) {
 		return (
 			<AttributeWithExpandablePopover
 				attributeKey={attributeKey}

frontend/src/container/SpanDetailsDrawer/SpanDetailsDrawer.styles.scss

@@ -51,9 +51,12 @@
 		padding: 10px 12px;
 
 		.item {
-			display: flex;
-			flex-direction: column;
-			gap: 8px;
+			&,
+			.attribute-container {
+				display: flex;
+				flex-direction: column;
+				gap: 8px;
+			}
 
 			.span-name-wrapper {
 				display: flex;
@@ -413,6 +416,7 @@
 				text-transform: uppercase;
 			}
 
+			.attribute-container .wrapper,
 			.value-wrapper {
 				display: flex;
 				align-items: center;

frontend/src/container/SpanDetailsDrawer/SpanDetailsDrawer.tsx

@@ -4,6 +4,7 @@ import {
 	Button,
 	Checkbox,
 	Input,
+	Modal,
 	Select,
 	Skeleton,
 	Tabs,
@@ -52,6 +53,7 @@ import { formatEpochTimestamp } from 'utils/timeUtils';
 
 import Attributes from './Attributes/Attributes';
 import { RelatedSignalsViews } from './constants';
+import EventAttribute from './Events/components/EventAttribute';
 import Events from './Events/Events';
 import LinkedSpans from './LinkedSpans/LinkedSpans';
 import SpanRelatedSignals from './SpanRelatedSignals/SpanRelatedSignals';
@@ -166,11 +168,27 @@ function SpanDetailsDrawer(props: ISpanDetailsDrawerProps): JSX.Element {
 		setShouldUpdateUserPreference,
 	] = useState<boolean>(false);
 
+	const [statusMessageModalContent, setStatusMessageModalContent] = useState<{
+		title: string;
+		content: string;
+	} | null>(null);
+
 	const handleTimeRangeChange = useCallback((value: number): void => {
 		setShouldFetchSpanPercentilesData(true);
 		setSelectedTimeRange(value);
 	}, []);
 
+	const showStatusMessageModal = useCallback(
+		(title: string, content: string): void => {
+			setStatusMessageModalContent({ title, content });
+		},
+		[],
+	);
+
+	const handleStatusMessageModalCancel = useCallback((): void => {
+		setStatusMessageModalContent(null);
+	}, []);
+
 	const color = generateColor(
 		selectedSpan?.serviceName || '',
 		themeColors.traceDetailColors,
@@ -868,14 +886,11 @@ function SpanDetailsDrawer(props: ISpanDetailsDrawerProps): JSX.Element {
 
 						{selectedSpan.statusMessage && (
 							<div className="item">
-								<Typography.Text className="attribute-key">
-									status message
-								</Typography.Text>
-								<div className="value-wrapper">
-									<Typography.Text className="attribute-value">
-										{selectedSpan.statusMessage}
-									</Typography.Text>
-								</div>
+								<EventAttribute
+									attributeKey="status message"
+									attributeValue={selectedSpan.statusMessage}
+									onExpand={showStatusMessageModal}
+								/>
 							</div>
 						)}
 						<div className="item">
@@ -936,6 +951,19 @@ function SpanDetailsDrawer(props: ISpanDetailsDrawerProps): JSX.Element {
 					key={activeDrawerView}
 				/>
 			)}
+
+			<Modal
+				title={statusMessageModalContent?.title}
+				open={!!statusMessageModalContent}
+				onCancel={handleStatusMessageModalCancel}
+				footer={null}
+				width="80vw"
+				centered
+			>
+				<pre className="attribute-with-expandable-popover__full-view">
+					{statusMessageModalContent?.content}
+				</pre>
+			</Modal>
 		</>
 	);
 }

frontend/src/container/SpanDetailsDrawer/__tests__/SpanDetailsDrawer.test.tsx

@@ -29,6 +29,8 @@ import {
 	mockEmptyLogsResponse,
 	mockSpan,
 	mockSpanLogsResponse,
+	mockSpanWithLongStatusMessage,
+	mockSpanWithShortStatusMessage,
 } from './mockData';
 
 // Get typed mocks
@@ -128,6 +130,39 @@ jest.mock('lib/uPlotLib/utils/generateColor', () => ({
 	generateColor: jest.fn().mockReturnValue('#1f77b4'),
 }));
 
+jest.mock(
+	'container/SpanDetailsDrawer/Events/components/AttributeWithExpandablePopover',
+	() =>
+		// eslint-disable-next-line func-names, @typescript-eslint/explicit-function-return-type, react/display-name
+		function ({
+			attributeKey,
+			attributeValue,
+			onExpand,
+		}: {
+			attributeKey: string;
+			attributeValue: string;
+			onExpand: (title: string, content: string) => void;
+		}) {
+			return (
+				<div className="attribute-container" key={attributeKey}>
+					<div className="attribute-key">{attributeKey}</div>
+					<div className="wrapper">
+						<div className="attribute-value">{attributeValue}</div>
+						<div data-testid="popover-content">
+							<pre>{attributeValue}</pre>
+							<button
+								type="button"
+								onClick={(): void => onExpand(attributeKey, attributeValue)}
+							>
+								Expand
+							</button>
+						</div>
+					</div>
+				</div>
+			);
+		},
+);
+
 // Mock getSpanPercentiles API
 jest.mock('api/trace/getSpanPercentiles', () => ({
 	__esModule: true,
@@ -1153,3 +1188,112 @@ describe('SpanDetailsDrawer - Search Visibility User Flows', () => {
 		expect(searchInput).toHaveFocus();
 	});
 });
+
+describe('SpanDetailsDrawer - Status Message Truncation User Flows', () => {
+	beforeEach(() => {
+		jest.clearAllMocks();
+		mockSafeNavigate.mockClear();
+		mockWindowOpen.mockClear();
+		mockUpdateAllQueriesOperators.mockClear();
+
+		(GetMetricQueryRange as jest.Mock).mockImplementation(() =>
+			Promise.resolve(mockEmptyLogsResponse),
+		);
+	});
+
+	afterEach(() => {
+		server.resetHandlers();
+	});
+
+	it('should display expandable popover with Expand button for long status message', () => {
+		render(
+			<QueryBuilderContext.Provider value={mockQueryBuilderContextValue as any}>
+				<SpanDetailsDrawer
+					isSpanDetailsDocked={false}
+					setIsSpanDetailsDocked={jest.fn()}
+					selectedSpan={mockSpanWithLongStatusMessage}
+					traceStartTime={1640995200000}
+					traceEndTime={1640995260000}
+				/>
+			</QueryBuilderContext.Provider>,
+		);
+
+		// User sees status message label
+		expect(screen.getByText('status message')).toBeInTheDocument();
+
+		// User sees the status message value (appears in both original element and popover preview)
+		const statusMessageElements = screen.getAllByText(
+			mockSpanWithLongStatusMessage.statusMessage,
+		);
+		expect(statusMessageElements.length).toBeGreaterThan(0);
+
+		// User sees Expand button in popover (popover is mocked to render immediately)
+		const expandButton = screen.getByRole('button', { name: /expand/i });
+		expect(expandButton).toBeInTheDocument();
+	});
+
+	it('should open modal with full status message when user clicks Expand button', async () => {
+		render(
+			<QueryBuilderContext.Provider value={mockQueryBuilderContextValue as any}>
+				<SpanDetailsDrawer
+					isSpanDetailsDocked={false}
+					setIsSpanDetailsDocked={jest.fn()}
+					selectedSpan={mockSpanWithLongStatusMessage}
+					traceStartTime={1640995200000}
+					traceEndTime={1640995260000}
+				/>
+			</QueryBuilderContext.Provider>,
+		);
+
+		// User clicks the Expand button (popover is mocked to render immediately)
+		const expandButton = screen.getByRole('button', { name: /expand/i });
+		await fireEvent.click(expandButton);
+
+		// User sees modal with the full status message content
+		await waitFor(() => {
+			// Modal should be visible with the title
+			const modalTitle = document.querySelector('.ant-modal-title');
+			expect(modalTitle).toBeInTheDocument();
+			expect(modalTitle?.textContent).toBe('status message');
+			// Modal content should contain the full message in a pre tag
+			const preElement = document.querySelector(
+				'.attribute-with-expandable-popover__full-view',
+			);
+			expect(preElement).toBeInTheDocument();
+			expect(preElement?.textContent).toBe(
+				mockSpanWithLongStatusMessage.statusMessage,
+			);
+		});
+	});
+
+	it('should display short status message as simple text without popover', () => {
+		render(
+			<QueryBuilderContext.Provider value={mockQueryBuilderContextValue as any}>
+				<SpanDetailsDrawer
+					isSpanDetailsDocked={false}
+					setIsSpanDetailsDocked={jest.fn()}
+					selectedSpan={mockSpanWithShortStatusMessage}
+					traceStartTime={1640995200000}
+					traceEndTime={1640995260000}
+				/>
+			</QueryBuilderContext.Provider>,
+		);
+
+		// User sees status message label and value
+		expect(screen.getByText('status message')).toBeInTheDocument();
+		expect(
+			screen.getByText(mockSpanWithShortStatusMessage.statusMessage),
+		).toBeInTheDocument();
+
+		// User hovers over the status message value
+		const statusMessageValue = screen.getByText(
+			mockSpanWithShortStatusMessage.statusMessage,
+		);
+		fireEvent.mouseEnter(statusMessageValue);
+
+		// No Expand button should appear (no expandable popover for short messages)
+		expect(
+			screen.queryByRole('button', { name: /expand/i }),
+		).not.toBeInTheDocument();
+	});
+});

frontend/src/container/SpanDetailsDrawer/__tests__/mockData.ts

@@ -35,6 +35,19 @@ export const mockSpan: Span = {
 	level: 0,
 };
 
+// Mock span with long status message (> 100 characters) for testing truncation
+export const mockSpanWithLongStatusMessage: Span = {
+	...mockSpan,
+	statusMessage:
+		'Error: Connection timeout occurred while trying to reach the database server. The connection pool was exhausted and all retry attempts failed after 30 seconds.',
+};
+
+// Mock span with short status message (<= 100 characters)
+export const mockSpanWithShortStatusMessage: Span = {
+	...mockSpan,
+	statusMessage: 'Connection successful',
+};
+
 // Mock logs with proper relationships
 export const mockSpanLogs: ILog[] = [
 	{

frontend/src/tests/test-utils.tsx

@@ -29,6 +29,20 @@ import { QueryBuilderContextType } from 'types/common/queryBuilder';
 import { ROLES, USER_ROLES } from 'types/roles';
 // import { MemoryRouter as V5MemoryRouter } from 'react-router-dom-v5-compat';
 
+// Mock ResizeObserver
+class ResizeObserverMock {
+	// eslint-disable-next-line class-methods-use-this
+	observe(): void {}
+
+	// eslint-disable-next-line class-methods-use-this
+	unobserve(): void {}
+
+	// eslint-disable-next-line class-methods-use-this
+	disconnect(): void {}
+}
+
+global.ResizeObserver = (ResizeObserverMock as unknown) as typeof ResizeObserver;
+
 const queryClient = new QueryClient({
 	defaultOptions: {
 		queries: {

frontend/src/utils/__tests__/app.test.ts

@@ -0,0 +1,126 @@
+import { buildAbsolutePath } from '../app';
+
+const BASE_PATH = '/some-base-path';
+
+describe('buildAbsolutePath', () => {
+	const originalLocation = window.location;
+
+	afterEach(() => {
+		Object.defineProperty(window, 'location', {
+			writable: true,
+			value: originalLocation,
+		});
+	});
+
+	const mockLocation = (pathname: string): void => {
+		Object.defineProperty(window, 'location', {
+			writable: true,
+			value: {
+				pathname,
+				href: `http://localhost:8080${pathname}`,
+				origin: 'http://localhost:8080',
+				protocol: 'http:',
+				host: 'localhost',
+				hostname: 'localhost',
+				port: '',
+				search: '',
+				hash: '',
+			},
+		});
+	};
+
+	describe('when base path ends with a forward slash', () => {
+		beforeEach(() => {
+			mockLocation(`${BASE_PATH}/`);
+		});
+
+		it('should build absolute path without query string', () => {
+			const result = buildAbsolutePath({ relativePath: 'users' });
+			expect(result).toBe(`${BASE_PATH}/users`);
+		});
+
+		it('should build absolute path with query string', () => {
+			const result = buildAbsolutePath({
+				relativePath: 'users',
+				urlQueryString: 'id=123&sort=name',
+			});
+			expect(result).toBe(`${BASE_PATH}/users?id=123&sort=name`);
+		});
+
+		it('should handle nested relative paths', () => {
+			const result = buildAbsolutePath({ relativePath: 'users/profile/settings' });
+			expect(result).toBe(`${BASE_PATH}/users/profile/settings`);
+		});
+	});
+
+	describe('when base path does not end with a forward slash', () => {
+		beforeEach(() => {
+			mockLocation(`${BASE_PATH}`);
+		});
+
+		it('should append forward slash and build absolute path', () => {
+			const result = buildAbsolutePath({ relativePath: 'users' });
+			expect(result).toBe(`${BASE_PATH}/users`);
+		});
+
+		it('should append forward slash and build absolute path with query string', () => {
+			const result = buildAbsolutePath({
+				relativePath: 'users',
+				urlQueryString: 'filter=active',
+			});
+			expect(result).toBe(`${BASE_PATH}/users?filter=active`);
+		});
+	});
+
+	describe('edge cases', () => {
+		it('should handle empty relative path', () => {
+			mockLocation(`${BASE_PATH}/`);
+			const result = buildAbsolutePath({ relativePath: '' });
+			expect(result).toBe(`${BASE_PATH}/`);
+		});
+
+		it('should handle query string with empty relative path', () => {
+			mockLocation(`${BASE_PATH}/`);
+			const result = buildAbsolutePath({
+				relativePath: '',
+				urlQueryString: 'search=test',
+			});
+			expect(result).toBe(`${BASE_PATH}/?search=test`);
+		});
+
+		it('should handle relative path starting with forward slash', () => {
+			mockLocation(`${BASE_PATH}/`);
+			const result = buildAbsolutePath({ relativePath: '/users' });
+			expect(result).toBe(`${BASE_PATH}/users`);
+		});
+
+		it('should handle complex query strings', () => {
+			mockLocation(`${BASE_PATH}/dashboard`);
+			const result = buildAbsolutePath({
+				relativePath: 'reports',
+				urlQueryString: 'date=2024-01-01&type=summary&format=pdf',
+			});
+			expect(result).toBe(
+				`${BASE_PATH}/dashboard/reports?date=2024-01-01&type=summary&format=pdf`,
+			);
+		});
+
+		it('should handle undefined query string', () => {
+			mockLocation(`${BASE_PATH}/`);
+			const result = buildAbsolutePath({
+				relativePath: 'users',
+				urlQueryString: undefined,
+			});
+			expect(result).toBe(`${BASE_PATH}/users`);
+		});
+
+		it('should handle empty query string', () => {
+			mockLocation(`${BASE_PATH}/`);
+			const result = buildAbsolutePath({
+				relativePath: 'users',
+				urlQueryString: '',
+			});
+			expect(result).toBe(`${BASE_PATH}/users`);
+		});
+	});
+});

frontend/src/utils/__tests__/queryContextUtils.test.ts

@@ -61,6 +61,58 @@ describe('extractQueryPairs', () => {
 		]);
 	});
 
+	test('should test for filter expression with freeText', () => {
+		const input = "disconnected deployment.env not in ['mq-kafka']";
+		const result = extractQueryPairs(input);
+		expect(result).toEqual([
+			{
+				key: 'disconnected',
+				operator: '',
+				valueList: [],
+				valuesPosition: [],
+				hasNegation: false,
+				isMultiValue: false,
+				value: undefined,
+				position: {
+					keyStart: 0,
+					keyEnd: 11,
+					operatorStart: 0,
+					operatorEnd: 0,
+					negationStart: 0,
+					negationEnd: 0,
+					valueStart: undefined,
+					valueEnd: undefined,
+				},
+				isComplete: false,
+			},
+			{
+				key: 'deployment.env',
+				operator: 'in',
+				value: "['mq-kafka']",
+				valueList: ["'mq-kafka'"],
+				valuesPosition: [
+					{
+						start: 36,
+						end: 45,
+					},
+				],
+				hasNegation: true,
+				isMultiValue: true,
+				position: {
+					keyStart: 13,
+					keyEnd: 26,
+					operatorStart: 32,
+					operatorEnd: 33,
+					valueStart: 35,
+					valueEnd: 46,
+					negationStart: 28,
+					negationEnd: 30,
+				},
+				isComplete: true,
+			},
+		]);
+	});
+
 	test('should extract IN with numeric list inside parentheses', () => {
 		const input = 'id IN (1, 2, 3)';
 		const result = extractQueryPairs(input);

frontend/src/utils/app.ts

@@ -38,3 +38,33 @@ export function isIngestionActive(data: any): boolean {
 
 	return parseInt(value, 10) > 0;
 }
+
+/**
+ * Builds an absolute path by combining the current page's pathname with a relative path.
+ *
+ * @param {Object} params - The parameters for building the absolute path
+ * @param {string} params.relativePath - The relative path to append to the current pathname
+ * @param {string} [params.urlQueryString] - Optional query string to append to the final path (without leading '?')
+ *
+ * @returns {string} The constructed absolute path, optionally with query string
+ */
+export function buildAbsolutePath({
+	relativePath,
+	urlQueryString,
+}: {
+	relativePath: string;
+	urlQueryString?: string;
+}): string {
+	const { pathname } = window.location;
+	// ensure base path always ends with a forward slash
+	const basePath = pathname.endsWith('/') ? pathname : `${pathname}/`;
+
+	// handle relative path starting with a forward slash
+	const normalizedRelativePath = relativePath.startsWith('/')
+		? relativePath.slice(1)
+		: relativePath;
+
+	const absolutePath = basePath + normalizedRelativePath;
+
+	return urlQueryString ? `${absolutePath}?${urlQueryString}` : absolutePath;
+}

frontend/src/utils/queryContextUtils.ts

@@ -1339,8 +1339,7 @@ export function extractQueryPairs(query: string): IQueryPair[] {
 			else if (
 				currentPair &&
 				currentPair.key &&
-				(isConjunctionToken(token.type) ||
-					(token.type === FilterQueryLexer.KEY && isQueryPairComplete(currentPair)))
+				(isConjunctionToken(token.type) || token.type === FilterQueryLexer.KEY)
 			) {
 				queryPairs.push({
 					key: currentPair.key,

go.mod

@@ -341,7 +341,7 @@ require (
 	golang.org/x/time v0.11.0 // indirect
 	golang.org/x/tools v0.36.0 // indirect
 	gonum.org/v1/gonum v0.16.0 // indirect
-	google.golang.org/api v0.236.0 // indirect
+	google.golang.org/api v0.236.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 // indirect
 	google.golang.org/grpc v1.75.1 // indirect

go.sum

@@ -1713,6 +1713,8 @@ google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX
 google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
 google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
 google.golang.org/genproto v0.0.0-20220519153652-3a47de7e79bd/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
+google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 h1:1tXaIXCracvtsRxSBsYDiSBN0cuJvM7QYW+MrpIRY78=
+google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2/go.mod h1:49MsLSx0oWMOZqcpB3uL8ZOkAh1+TndpJ8ONoCBWiZk=
 google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 h1:BIRfGDEjiHRrk0QKZe3Xv2ieMhtgRGeLcZQ0mIVn4EY=
 google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5/go.mod h1:j3QtIyytwqGr1JUDtYXwtMXWPKsEa5LtzIFN1Wn5WvE=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 h1:eaY8u2EuxbRv7c3NiGK0/NedzVsCcV6hDuU5qPX5EGE=

pkg/apiserver/signozapiserver/global.go

@@ -0,0 +1,30 @@
+package signozapiserver
+
+import (
+	"net/http"
+
+	"github.com/SigNoz/signoz/pkg/http/handler"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/gorilla/mux"
+)
+
+func (provider *provider) addGlobalRoutes(router *mux.Router) error {
+	if err := router.Handle("/api/v1/global/config", handler.New(provider.authZ.EditAccess(provider.globalHandler.GetConfig), handler.OpenAPIDef{
+		ID:                  "GetGlobalConfig",
+		Tags:                []string{"global"},
+		Summary:             "Get global config",
+		Description:         "This endpoints returns global config",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            new(types.GettableGlobalConfig),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleEditor),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	return nil
+}

pkg/apiserver/signozapiserver/provider.go

@@ -6,6 +6,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/apiserver"
 	"github.com/SigNoz/signoz/pkg/authz"
 	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/global"
 	"github.com/SigNoz/signoz/pkg/http/handler"
 	"github.com/SigNoz/signoz/pkg/http/middleware"
 	"github.com/SigNoz/signoz/pkg/modules/authdomain"
@@ -28,6 +29,7 @@ type provider struct {
 	sessionHandler    session.Handler
 	authDomainHandler authdomain.Handler
 	preferenceHandler preference.Handler
+	globalHandler     global.Handler
 }
 
 func NewFactory(
@@ -38,9 +40,10 @@ func NewFactory(
 	sessionHandler session.Handler,
 	authDomainHandler authdomain.Handler,
 	preferenceHandler preference.Handler,
+	globalHandler global.Handler,
 ) factory.ProviderFactory[apiserver.APIServer, apiserver.Config] {
 	return factory.NewProviderFactory(factory.MustNewName("signoz"), func(ctx context.Context, providerSettings factory.ProviderSettings, config apiserver.Config) (apiserver.APIServer, error) {
-		return newProvider(ctx, providerSettings, config, orgGetter, authz, orgHandler, userHandler, sessionHandler, authDomainHandler, preferenceHandler)
+		return newProvider(ctx, providerSettings, config, orgGetter, authz, orgHandler, userHandler, sessionHandler, authDomainHandler, preferenceHandler, globalHandler)
 	})
 }
 
@@ -55,6 +58,7 @@ func newProvider(
 	sessionHandler session.Handler,
 	authDomainHandler authdomain.Handler,
 	preferenceHandler preference.Handler,
+	globalHandler global.Handler,
 ) (apiserver.APIServer, error) {
 	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/apiserver/signozapiserver")
 	router := mux.NewRouter().UseEncodedPath()
@@ -68,6 +72,7 @@ func newProvider(
 		sessionHandler:    sessionHandler,
 		authDomainHandler: authDomainHandler,
 		preferenceHandler: preferenceHandler,
+		globalHandler:     globalHandler,
 	}
 
 	provider.authZ = middleware.NewAuthZ(settings.Logger(), orgGetter, authz)
@@ -104,6 +109,10 @@ func (provider *provider) AddToRouter(router *mux.Router) error {
 		return err
 	}
 
+	if err := provider.addGlobalRoutes(router); err != nil {
+		return err
+	}
+
 	return nil
 }
 

pkg/authn/callbackauthn/googlecallbackauthn/authn.go

@@ -3,6 +3,7 @@ package googlecallbackauthn
 import (
 	"context"
 	"net/url"
+	"strings"
 
 	"github.com/SigNoz/signoz/pkg/authn"
 	"github.com/SigNoz/signoz/pkg/errors"
@@ -10,6 +11,9 @@ import (
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/google"
+	admin "google.golang.org/api/admin/directory/v1"
+	"google.golang.org/api/option"
 )
 
 const (
@@ -18,7 +22,7 @@ const (
 )
 
 var (
-	scopes []string = []string{"email"}
+	scopes []string = []string{"email", "profile"}
 )
 
 var _ authn.CallbackAuthN = (*AuthN)(nil)
@@ -113,8 +117,22 @@ func (a *AuthN) HandleCallback(ctx context.Context, query url.Values) (*authtype
 		return nil, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "google: failed to parse email").WithAdditional(err.Error())
 	}
 
-	return authtypes.NewCallbackIdentity(claims.Name, email, authDomain.StorableAuthDomain().OrgID, state), nil
+	var groups []string
+	if authDomain.AuthDomainConfig().Google.FetchGroups {
+		groups, err = a.fetchGoogleWorkspaceGroups(ctx, claims.Email, authDomain.AuthDomainConfig().Google)
+		if err != nil {
+			return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "google: could not fetch groups").WithAdditional(err.Error())
+		}
 
+		if len(authDomain.AuthDomainConfig().Google.AllowedGroups) > 0 {
+			groups = filterGroups(groups, authDomain.AuthDomainConfig().Google.AllowedGroups)
+			if len(groups) == 0 {
+				return nil, errors.Newf(errors.TypeForbidden, errors.CodeForbidden, "google: user %q is not in any allowed groups", claims.Email)
+			}
+		}
+	}
+
+	return authtypes.NewCallbackIdentity(claims.Name, email, authDomain.StorableAuthDomain().OrgID, state, groups, ""), nil
 }
 
 func (a *AuthN) ProviderInfo(ctx context.Context, authDomain *authtypes.AuthDomain) *authtypes.AuthNProviderInfo {
@@ -136,3 +154,84 @@ func (a *AuthN) oauth2Config(siteURL *url.URL, authDomain *authtypes.AuthDomain,
 		}).String(),
 	}
 }
+
+func (a *AuthN) fetchGoogleWorkspaceGroups(ctx context.Context, userEmail string, config *authtypes.GoogleConfig) ([]string, error) {
+	adminEmail := config.GetAdminEmailForDomain(userEmail)
+	if adminEmail == "" {
+		return nil, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "no admin email configured for domain of %s", userEmail)
+	}
+
+	jwtConfig, err := google.JWTConfigFromJSON([]byte(config.ServiceAccountJSON), admin.AdminDirectoryGroupReadonlyScope)
+	if err != nil {
+		return nil, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "invalid service account credentials").WithAdditional(err.Error())
+	}
+
+	jwtConfig.Subject = adminEmail
+
+	adminService, err := admin.NewService(ctx, option.WithHTTPClient(jwtConfig.Client(ctx)))
+	if err != nil {
+		return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "unable to create directory service").WithAdditional(err.Error())
+	}
+
+	checkedGroups := make(map[string]struct{})
+
+	return a.getGroups(adminService, userEmail, config.FetchTransitiveGroupMembership, checkedGroups)
+}
+
+// Recursive method
+func (a *AuthN) getGroups(adminService *admin.Service, userEmail string, fetchTransitive bool, checkedGroups map[string]struct{}) ([]string, error) {
+	var userGroups []string
+	var pageToken string
+
+	for {
+		call := adminService.Groups.List().UserKey(userEmail)
+		if pageToken != "" {
+			call = call.PageToken(pageToken)
+		}
+
+		groupList, err := call.Do()
+		if err != nil {
+			return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "unable to list groups").WithAdditional(err.Error())
+		}
+
+		for _, group := range groupList.Groups {
+			if _, exists := checkedGroups[group.Email]; exists {
+				continue
+			}
+
+			checkedGroups[group.Email] = struct{}{}
+			userGroups = append(userGroups, group.Email)
+
+			if fetchTransitive {
+				transitiveGroups, err := a.getGroups(adminService, group.Email, fetchTransitive, checkedGroups)
+				if err != nil {
+					return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "unable to list transitive groups").WithAdditional(err.Error())
+				}
+				userGroups = append(userGroups, transitiveGroups...)
+			}
+		}
+
+		pageToken = groupList.NextPageToken
+		if pageToken == "" {
+			break
+		}
+	}
+
+	return userGroups, nil
+}
+
+func filterGroups(userGroups, allowedGroups []string) []string {
+	allowed := make(map[string]struct{}, len(allowedGroups))
+	for _, g := range allowedGroups {
+		allowed[strings.ToLower(g)] = struct{}{} // just to make o(1) searches
+	}
+
+	var filtered []string
+	for _, g := range userGroups {
+		if _, ok := allowed[strings.ToLower(g)]; ok {
+			filtered = append(filtered, g)
+		}
+	}
+
+	return filtered
+}

pkg/errors/errors.go

@@ -112,7 +112,7 @@ func (b *base) WithUrl(u string) *base {
 	}
 }
 
-// WithUrl adds additional messages to the base error and returns a new base error.
+// WithAdditional adds additional messages to the base error and returns a new base error.
 func (b *base) WithAdditional(a ...string) *base {
 	return &base{
 		t: b.t,

pkg/global/config.go

@@ -0,0 +1,41 @@
+package global
+
+import (
+	"net/url"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+)
+
+var (
+	ErrCodeInvalidGlobalConfig = errors.MustNewCode("invalid_global_config")
+)
+
+type Config struct {
+	ExternalURL  *url.URL `mapstructure:"external_url"`
+	IngestionURL *url.URL `mapstructure:"ingestion_url"`
+}
+
+func NewConfigFactory() factory.ConfigFactory {
+	return factory.NewConfigFactory(factory.MustNewName("global"), newConfig)
+}
+
+func newConfig() factory.Config {
+	return &Config{
+		ExternalURL: &url.URL{
+			Scheme: "",
+			Host:   "<unset>",
+			Path:   "",
+		},
+		IngestionURL: &url.URL{
+			Scheme: "",
+			Host:   "<unset>",
+			Path:   "",
+		},
+	}
+}
+
+func (c Config) Validate() error {
+	return nil
+}

pkg/global/global.go

@@ -0,0 +1,11 @@
+package global
+
+import "net/http"
+
+type Global interface {
+	GetConfig() Config
+}
+
+type Handler interface {
+	GetConfig(http.ResponseWriter, *http.Request)
+}

pkg/global/signozglobal/handler.go

@@ -0,0 +1,23 @@
+package signozglobal
+
+import (
+	"net/http"
+
+	"github.com/SigNoz/signoz/pkg/global"
+	"github.com/SigNoz/signoz/pkg/http/render"
+	"github.com/SigNoz/signoz/pkg/types"
+)
+
+type handler struct {
+	global global.Global
+}
+
+func NewHandler(global global.Global) global.Handler {
+	return &handler{global: global}
+}
+
+func (handker *handler) GetConfig(rw http.ResponseWriter, r *http.Request) {
+	cfg := handker.global.GetConfig()
+
+	render.Success(rw, http.StatusOK, types.NewGettableGlobalConfig(cfg.ExternalURL, cfg.IngestionURL))
+}

pkg/global/signozglobal/provider.go

@@ -0,0 +1,31 @@
+package signozglobal
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/global"
+)
+
+type provider struct {
+	config   global.Config
+	settings factory.ScopedProviderSettings
+}
+
+func NewFactory() factory.ProviderFactory[global.Global, global.Config] {
+	return factory.NewProviderFactory(factory.MustNewName("signoz"), func(ctx context.Context, providerSettings factory.ProviderSettings, config global.Config) (global.Global, error) {
+		return newProvider(ctx, providerSettings, config)
+	})
+}
+
+func newProvider(_ context.Context, providerSettings factory.ProviderSettings, config global.Config) (global.Global, error) {
+	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/global/signozglobal")
+	return &provider{
+		config:   config,
+		settings: settings,
+	}, nil
+}
+
+func (provider *provider) GetConfig() global.Config {
+	return provider.config
+}

pkg/http/middleware/api_key.go

@@ -1,6 +1,7 @@
 package middleware
 
 import (
+	"context"
 	"log/slog"
 	"net/http"
 	"time"
@@ -11,6 +12,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/ctxtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
+	"golang.org/x/sync/singleflight"
 )
 
 const (
@@ -23,10 +25,18 @@ type APIKey struct {
 	headers []string
 	logger  *slog.Logger
 	sharder sharder.Sharder
+	sfGroup *singleflight.Group
 }
 
 func NewAPIKey(store sqlstore.SQLStore, headers []string, logger *slog.Logger, sharder sharder.Sharder) *APIKey {
-	return &APIKey{store: store, uuid: authtypes.NewUUID(), headers: headers, logger: logger, sharder: sharder}
+	return &APIKey{
+		store:   store,
+		uuid:    authtypes.NewUUID(),
+		headers: headers,
+		logger:  logger,
+		sharder: sharder,
+		sfGroup: &singleflight.Group{},
+	}
 }
 
 func (a *APIKey) Wrap(next http.Handler) http.Handler {
@@ -109,11 +119,24 @@ func (a *APIKey) Wrap(next http.Handler) http.Handler {
 
 		next.ServeHTTP(w, r)
 
-		apiKey.LastUsed = time.Now()
-		_, err = a.store.BunDB().NewUpdate().Model(&apiKey).Column("last_used").Where("token = ?", apiKeyToken).Where("revoked = false").Exec(r.Context())
-		if err != nil {
-			a.logger.ErrorContext(r.Context(), "failed to update last used of api key", "error", err)
-		}
+		lastUsedCtx := context.WithoutCancel(r.Context())
+		_, _, _ = a.sfGroup.Do(apiKey.ID.StringValue(), func() (any, error) {
+			apiKey.LastUsed = time.Now()
+			_, err = a.
+				store.
+				BunDB().
+				NewUpdate().
+				Model(&apiKey).
+				Column("last_used").
+				Where("token = ?", apiKeyToken).
+				Where("revoked = false").
+				Exec(lastUsedCtx)
+			if err != nil {
+				a.logger.ErrorContext(lastUsedCtx, "failed to update last used of api key", "error", err)
+			}
+
+			return true, nil
+		})
 
 	})
 

pkg/modules/metricsexplorer/implmetricsexplorer/handler.go

@@ -137,6 +137,28 @@ func (h *handler) GetMetricMetadata(rw http.ResponseWriter, req *http.Request) {
 	render.Success(rw, http.StatusOK, metadata)
 }
 
+func (h *handler) GetMetricAlerts(rw http.ResponseWriter, req *http.Request) {
+	claims, err := authtypes.ClaimsFromContext(req.Context())
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	metricName := strings.TrimSpace(req.URL.Query().Get("metricName"))
+	if metricName == "" {
+		render.Error(rw, errors.NewInvalidInputf(errors.CodeInvalidInput, "metricName query parameter is required"))
+		return
+	}
+
+	orgID := valuer.MustNewUUID(claims.OrgID)
+	out, err := h.module.GetMetricAlerts(req.Context(), orgID, metricName)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+	render.Success(rw, http.StatusOK, out)
+}
+
 func (h *handler) GetMetricDashboards(rw http.ResponseWriter, req *http.Request) {
 	claims, err := authtypes.ClaimsFromContext(req.Context())
 	if err != nil {

pkg/modules/metricsexplorer/implmetricsexplorer/module.go

@@ -20,6 +20,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/types/metricsexplorertypes"
 	"github.com/SigNoz/signoz/pkg/types/metrictypes"
 	qbtypes "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
+	"github.com/SigNoz/signoz/pkg/types/ruletypes"
 	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	sqlbuilder "github.com/huandu/go-sqlbuilder"
@@ -33,12 +34,13 @@ type module struct {
 	condBuilder            qbtypes.ConditionBuilder
 	logger                 *slog.Logger
 	cache                  cache.Cache
+	ruleStore              ruletypes.RuleStore
 	dashboardModule        dashboard.Module
 	config                 metricsexplorer.Config
 }
 
 // NewModule constructs the metrics module with the provided dependencies.
-func NewModule(ts telemetrystore.TelemetryStore, telemetryMetadataStore telemetrytypes.MetadataStore, cache cache.Cache, dashboardModule dashboard.Module, providerSettings factory.ProviderSettings, cfg metricsexplorer.Config) metricsexplorer.Module {
+func NewModule(ts telemetrystore.TelemetryStore, telemetryMetadataStore telemetrytypes.MetadataStore, cache cache.Cache, ruleStore ruletypes.RuleStore, dashboardModule dashboard.Module, providerSettings factory.ProviderSettings, cfg metricsexplorer.Config) metricsexplorer.Module {
 	fieldMapper := telemetrymetrics.NewFieldMapper()
 	condBuilder := telemetrymetrics.NewConditionBuilder(fieldMapper)
 	return &module{
@@ -48,6 +50,7 @@ func NewModule(ts telemetrystore.TelemetryStore, telemetryMetadataStore telemetr
 		logger:                 providerSettings.Logger,
 		telemetryMetadataStore: telemetryMetadataStore,
 		cache:                  cache,
+		ruleStore:              ruleStore,
 		dashboardModule:        dashboardModule,
 		config:                 cfg,
 	}
@@ -197,11 +200,32 @@ func (m *module) UpdateMetricMetadata(ctx context.Context, orgID valuer.UUID, re
 	return nil
 }
 
+func (m *module) GetMetricAlerts(ctx context.Context, orgID valuer.UUID, metricName string) (*metricsexplorertypes.MetricAlertsResponse, error) {
+	if metricName == "" {
+		return nil, errors.NewInvalidInputf(errors.CodeInvalidInput, "metricName is required")
+	}
+	ruleAlerts, err := m.ruleStore.GetStoredRulesByMetricName(ctx, orgID.String(), metricName)
+	if err != nil {
+		return nil, errors.WrapInternalf(err, errors.CodeInternal, "failed to get stored rules by metric name")
+	}
+
+	alerts := make([]metricsexplorertypes.MetricAlert, len(ruleAlerts))
+	for i, ruleAlert := range ruleAlerts {
+		alerts[i] = metricsexplorertypes.MetricAlert{
+			AlertName: ruleAlert.AlertName,
+			AlertID:   ruleAlert.AlertID,
+		}
+	}
+
+	return &metricsexplorertypes.MetricAlertsResponse{
+		Alerts: alerts,
+	}, nil
+}
+
 func (m *module) GetMetricDashboards(ctx context.Context, orgID valuer.UUID, metricName string) (*metricsexplorertypes.MetricDashboardsResponse, error) {
 	if metricName == "" {
 		return nil, errors.NewInvalidInputf(errors.CodeInvalidInput, "metricName is required")
 	}
-
 	data, err := m.dashboardModule.GetByMetricNames(ctx, orgID, []string{metricName})
 	if err != nil {
 		return nil, errors.WrapInternalf(err, errors.CodeInternal, "failed to get dashboards for metric")

pkg/modules/metricsexplorer/metricsexplorer.go

@@ -15,6 +15,7 @@ type Handler interface {
 	GetMetricMetadata(http.ResponseWriter, *http.Request)
 	GetMetricAttributes(http.ResponseWriter, *http.Request)
 	UpdateMetricMetadata(http.ResponseWriter, *http.Request)
+	GetMetricAlerts(http.ResponseWriter, *http.Request)
 	GetMetricDashboards(http.ResponseWriter, *http.Request)
 	GetMetricHighlights(http.ResponseWriter, *http.Request)
 }
@@ -25,6 +26,7 @@ type Module interface {
 	GetTreemap(ctx context.Context, orgID valuer.UUID, req *metricsexplorertypes.TreemapRequest) (*metricsexplorertypes.TreemapResponse, error)
 	GetMetricMetadataMulti(ctx context.Context, orgID valuer.UUID, metricNames []string) (map[string]*metricsexplorertypes.MetricMetadata, error)
 	UpdateMetricMetadata(ctx context.Context, orgID valuer.UUID, req *metricsexplorertypes.UpdateMetricMetadataRequest) error
+	GetMetricAlerts(ctx context.Context, orgID valuer.UUID, metricName string) (*metricsexplorertypes.MetricAlertsResponse, error)
 	GetMetricDashboards(ctx context.Context, orgID valuer.UUID, metricName string) (*metricsexplorertypes.MetricDashboardsResponse, error)
 	GetMetricHighlights(ctx context.Context, orgID valuer.UUID, metricName string) (*metricsexplorertypes.MetricHighlightsResponse, error)
 	GetMetricAttributes(ctx context.Context, orgID valuer.UUID, req *metricsexplorertypes.MetricAttributesRequest) (*metricsexplorertypes.MetricAttributesResponse, error)

pkg/modules/session/implsession/module.go

@@ -2,6 +2,7 @@ package implsession
 
 import (
 	"context"
+	"fmt"
 	"net/url"
 	"slices"
 	"strings"
@@ -123,7 +124,7 @@ func (module *module) DeprecatedCreateSessionByEmailPassword(ctx context.Context
 	}
 
 	if !factorPassword.Equals(password) {
-		return nil, errors.New(errors.TypeUnauthenticated, types.ErrCodeIncorrectPassword, "invalid email orpassword")
+		return nil, errors.New(errors.TypeUnauthenticated, types.ErrCodeIncorrectPassword, "invalid email or password")
 	}
 
 	identity := authtypes.NewIdentity(users[0].ID, users[0].OrgID, users[0].Email, users[0].Role)
@@ -151,13 +152,33 @@ func (module *module) CreateCallbackAuthNSession(ctx context.Context, authNProvi
 		return "", err
 	}
 
+	module.settings.Logger().InfoContext(ctx, "$$$$$$$$$$$$$$ callback values %%%%%%%%%%%%%%", "values", values)
+
 	callbackIdentity, err := callbackAuthN.HandleCallback(ctx, values)
 	if err != nil {
 		module.settings.Logger().ErrorContext(ctx, "failed to handle callback", "error", err, "authn_provider", authNProvider)
 		return "", err
 	}
 
-	user, err := types.NewUser(callbackIdentity.Name, callbackIdentity.Email, types.RoleViewer, callbackIdentity.OrgID)
+	authDomain, err := module.authDomain.GetByOrgIDAndID(ctx, callbackIdentity.OrgID, callbackIdentity.State.DomainID)
+	if err != nil {
+		return "", err
+	}
+
+	roleMapping := authDomain.AuthDomainConfig().RoleMapping
+
+	// DEBUG: Add this line to print the callback identity
+	module.settings.Logger().InfoContext(ctx, "$$$$$$$$$$$$$$$$ DEBUG callback identity ###############",
+		"email", callbackIdentity.Email,
+		"name", callbackIdentity.Name,
+		"groups", callbackIdentity.Groups,
+		"role", callbackIdentity.Role,
+		"orgID", callbackIdentity.OrgID,
+	)
+
+	role := resolveRole(callbackIdentity, roleMapping)
+
+	user, err := types.NewUser(callbackIdentity.Name, callbackIdentity.Email, role, callbackIdentity.OrgID)
 	if err != nil {
 		return "", err
 	}
@@ -231,3 +252,59 @@ func getProvider[T authn.AuthN](authNProvider authtypes.AuthNProvider, authNs ma
 
 	return provider, nil
 }
+
+func resolveRole(callbackIdentity *authtypes.CallbackIdentity, roleMapping *authtypes.RoleMapping) types.Role {
+
+	// DEBUG: Print all assertion values to see what's being received
+	fmt.Printf("\n=== DEBUG: callback identity values ===\n")
+	fmt.Printf("callbackIdentity.Name - %s", callbackIdentity.Name)
+	fmt.Printf("callbackIdentity.Role - %s", callbackIdentity.Role)
+	fmt.Printf("=================================\n\n")
+
+	if roleMapping == nil {
+		return types.RoleViewer
+	}
+
+	if roleMapping.UseRoleAttribute && callbackIdentity.Role != "" {
+		if role, err := types.NewRole(strings.ToUpper(callbackIdentity.Role)); err == nil {
+			return role
+		}
+	}
+
+	if len(roleMapping.GroupMappings) > 0 && len(callbackIdentity.Groups) > 0 {
+		highestRole := types.RoleViewer
+		found := false
+
+		for _, group := range callbackIdentity.Groups {
+			if mappedRole, exists := roleMapping.GroupMappings[group]; exists {
+				found = true
+				if role, err := types.NewRole(strings.ToUpper(mappedRole)); err == nil {
+					if compareRoles(role, highestRole) > 0 {
+						highestRole = role
+					}
+				}
+			}
+		}
+
+		if found {
+			return highestRole
+		}
+	}
+
+	if roleMapping.DefaultRole != "" {
+		if role, err := types.NewRole(strings.ToUpper(roleMapping.DefaultRole)); err == nil {
+			return role
+		}
+	}
+
+	return types.RoleViewer
+}
+
+func compareRoles(a, b types.Role) int {
+	order := map[types.Role]int{
+		types.RoleViewer: 0,
+		types.RoleEditor: 1,
+		types.RoleAdmin:  2,
+	}
+	return order[a] - order[b]
+}

pkg/query-service/app/http_handler.go

@@ -630,6 +630,7 @@ func (ah *APIHandler) MetricExplorerRoutes(router *mux.Router, am *middleware.Au
 	router.HandleFunc("/api/v2/metrics/metadata", am.ViewAccess(ah.Signoz.Handlers.MetricsExplorer.GetMetricMetadata)).Methods(http.MethodGet)
 	router.HandleFunc("/api/v2/metrics/{metric_name}/metadata", am.EditAccess(ah.Signoz.Handlers.MetricsExplorer.UpdateMetricMetadata)).Methods(http.MethodPost)
 	router.HandleFunc("/api/v2/metric/highlights", am.ViewAccess(ah.Signoz.Handlers.MetricsExplorer.GetMetricHighlights)).Methods(http.MethodGet)
+	router.HandleFunc("/api/v2/metric/alerts", am.ViewAccess(ah.Signoz.Handlers.MetricsExplorer.GetMetricAlerts)).Methods(http.MethodGet)
 	router.HandleFunc("/api/v2/metric/dashboards", am.ViewAccess(ah.Signoz.Handlers.MetricsExplorer.GetMetricDashboards)).Methods(http.MethodGet)
 }
 

pkg/query-service/app/server.go

@@ -3,13 +3,13 @@ package app
 import (
 	"context"
 	"fmt"
-	"log/slog"
 	"net"
 	"net/http"
 	_ "net/http/pprof" // http profiler
 	"slices"
 
 	"github.com/SigNoz/signoz/pkg/cache/memorycache"
+	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/queryparser"
 	"github.com/SigNoz/signoz/pkg/ruler/rulestore/sqlrulestore"
 
@@ -17,6 +17,7 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/alertmanager"
 	"github.com/SigNoz/signoz/pkg/apis/fields"
+	"github.com/SigNoz/signoz/pkg/cache"
 	"github.com/SigNoz/signoz/pkg/http/middleware"
 	"github.com/SigNoz/signoz/pkg/licensing/nooplicensing"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
@@ -30,6 +31,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/query-service/app/logparsingpipeline"
 	"github.com/SigNoz/signoz/pkg/query-service/app/opamp"
 	opAmpModel "github.com/SigNoz/signoz/pkg/query-service/app/opamp/model"
+	"github.com/SigNoz/signoz/pkg/query-service/interfaces"
 	"github.com/SigNoz/signoz/pkg/signoz"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/telemetrystore"
@@ -37,10 +39,8 @@ import (
 	"github.com/rs/cors"
 	"github.com/soheilhy/cmux"
 
-	"github.com/SigNoz/signoz/pkg/cache"
 	"github.com/SigNoz/signoz/pkg/query-service/constants"
 	"github.com/SigNoz/signoz/pkg/query-service/healthcheck"
-	"github.com/SigNoz/signoz/pkg/query-service/interfaces"
 	"github.com/SigNoz/signoz/pkg/query-service/rules"
 	"github.com/SigNoz/signoz/pkg/query-service/utils"
 	"go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux"
@@ -107,7 +107,8 @@ func NewServer(config signoz.Config, signoz *signoz.SigNoz) (*Server, error) {
 		signoz.Prometheus,
 		signoz.Modules.OrgGetter,
 		signoz.Querier,
-		signoz.Instrumentation.Logger(),
+		signoz.Instrumentation.ToProviderSettings(),
+		signoz.QueryParser,
 	)
 	if err != nil {
 		return nil, err
@@ -339,9 +340,10 @@ func makeRulesManager(
 	prometheus prometheus.Prometheus,
 	orgGetter organization.Getter,
 	querier querier.Querier,
-	logger *slog.Logger,
+	providerSettings factory.ProviderSettings,
+	queryParser queryparser.QueryParser,
 ) (*rules.Manager, error) {
-	ruleStore := sqlrulestore.NewRuleStore(sqlstore)
+	ruleStore := sqlrulestore.NewRuleStore(sqlstore, queryParser, providerSettings)
 	maintenanceStore := sqlrulestore.NewMaintenanceStore(sqlstore)
 	// create manager opts
 	managerOpts := &rules.ManagerOptions{
@@ -351,7 +353,7 @@ func makeRulesManager(
 		Logger:           zap.L(),
 		Reader:           ch,
 		Querier:          querier,
-		SLogger:          logger,
+		SLogger:          providerSettings.Logger,
 		Cache:            cache,
 		EvalDelay:        constants.GetEvalDelay(),
 		OrgGetter:        orgGetter,

pkg/ruler/rulestore/rulestoretest/rule.go

@@ -5,6 +5,8 @@ import (
 	"regexp"
 
 	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/SigNoz/signoz/pkg/factory/factorytest"
+	"github.com/SigNoz/signoz/pkg/queryparser"
 	"github.com/SigNoz/signoz/pkg/ruler/rulestore/sqlrulestore"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/sqlstore/sqlstoretest"
@@ -21,7 +23,10 @@ type MockSQLRuleStore struct {
 // NewMockSQLRuleStore creates a new MockSQLRuleStore with sqlmock
 func NewMockSQLRuleStore() *MockSQLRuleStore {
 	sqlStore := sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherRegexp)
-	ruleStore := sqlrulestore.NewRuleStore(sqlStore)
+	// For tests, we can pass nil for queryParser and use test provider settings
+	providerSettings := factorytest.NewSettings()
+
+	ruleStore := sqlrulestore.NewRuleStore(sqlStore, queryparser.New(providerSettings), providerSettings)
 
 	return &MockSQLRuleStore{
 		ruleStore: ruleStore,
@@ -59,6 +64,11 @@ func (m *MockSQLRuleStore) GetStoredRules(ctx context.Context, orgID string) ([]
 	return m.ruleStore.GetStoredRules(ctx, orgID)
 }
 
+// GetStoredRulesByMetricName implements ruletypes.RuleStore - delegates to underlying ruleStore
+func (m *MockSQLRuleStore) GetStoredRulesByMetricName(ctx context.Context, orgID string, metricName string) ([]ruletypes.RuleAlert, error) {
+	return m.ruleStore.GetStoredRulesByMetricName(ctx, orgID, metricName)
+}
+
 // ExpectCreateRule sets up SQL expectations for CreateRule operation
 func (m *MockSQLRuleStore) ExpectCreateRule(rule *ruletypes.Rule) {
 	rows := sqlmock.NewRows([]string{"id", "created_at", "updated_at", "created_by", "updated_by", "deleted", "data", "org_id"}).
@@ -104,6 +114,17 @@ func (m *MockSQLRuleStore) ExpectGetStoredRules(orgID string, rules []*ruletypes
 		WillReturnRows(rows)
 }
 
+// ExpectGetStoredRulesByMetricName sets up SQL expectations for GetStoredRulesByMetricName operation
+func (m *MockSQLRuleStore) ExpectGetStoredRulesByMetricName(orgID string, metricName string, rules []*ruletypes.Rule) {
+	rows := sqlmock.NewRows([]string{"id", "created_at", "updated_at", "created_by", "updated_by", "deleted", "data", "org_id"})
+	for _, rule := range rules {
+		rows.AddRow(rule.ID, rule.CreatedAt, rule.UpdatedAt, rule.CreatedBy, rule.UpdatedBy, rule.Deleted, rule.Data, rule.OrgID)
+	}
+	expectedPattern := `SELECT (.+) FROM "rule".+WHERE \(.+org_id.+'` + orgID + `'\)`
+	m.mock.ExpectQuery(expectedPattern).
+		WillReturnRows(rows)
+}
+
 // AssertExpectations asserts that all SQL expectations were met
 func (m *MockSQLRuleStore) AssertExpectations() error {
 	return m.mock.ExpectationsWereMet()

pkg/ruler/rulestore/sqlrulestore/rule.go

@@ -2,18 +2,31 @@ package sqlrulestore
 
 import (
 	"context"
+	"encoding/json"
+	"log/slog"
+	"slices"
 
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/queryparser"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
+	qbtypes "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
 	ruletypes "github.com/SigNoz/signoz/pkg/types/ruletypes"
+	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
 type rule struct {
-	sqlstore sqlstore.SQLStore
+	sqlstore    sqlstore.SQLStore
+	queryParser queryparser.QueryParser
+	logger      *slog.Logger
 }
 
-func NewRuleStore(store sqlstore.SQLStore) ruletypes.RuleStore {
-	return &rule{sqlstore: store}
+func NewRuleStore(store sqlstore.SQLStore, queryParser queryparser.QueryParser, providerSettings factory.ProviderSettings) ruletypes.RuleStore {
+	return &rule{
+		sqlstore:    store,
+		queryParser: queryParser,
+		logger:      providerSettings.Logger,
+	}
 }
 
 func (r *rule) CreateRule(ctx context.Context, storedRule *ruletypes.Rule, cb func(context.Context, valuer.UUID) error) (valuer.UUID, error) {
@@ -101,3 +114,92 @@ func (r *rule) GetStoredRule(ctx context.Context, id valuer.UUID) (*ruletypes.Ru
 	}
 	return rule, nil
 }
+
+func (r *rule) GetStoredRulesByMetricName(ctx context.Context, orgID string, metricName string) ([]ruletypes.RuleAlert, error) {
+	if metricName == "" {
+		return []ruletypes.RuleAlert{}, nil
+	}
+
+	// Get all stored rules for the organization
+	storedRules, err := r.GetStoredRules(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	alerts := make([]ruletypes.RuleAlert, 0)
+	seen := make(map[string]bool)
+
+	for _, storedRule := range storedRules {
+		var ruleData ruletypes.PostableRule
+		if err := json.Unmarshal([]byte(storedRule.Data), &ruleData); err != nil {
+			r.logger.WarnContext(ctx, "failed to unmarshal rule data", "rule_id", storedRule.ID.StringValue(), "error", err)
+			continue
+		}
+
+		// Check conditions: must be metric-based alert with valid composite query
+		if ruleData.AlertType != ruletypes.AlertTypeMetric ||
+			ruleData.RuleCondition == nil ||
+			ruleData.RuleCondition.CompositeQuery == nil {
+			continue
+		}
+
+		// Search for metricName in the Queries array (v5 format only)
+		// TODO check if we need to support v3 query format structs
+		found := false
+		for _, queryEnvelope := range ruleData.RuleCondition.CompositeQuery.Queries {
+			// Check based on query type
+			switch queryEnvelope.Type {
+			case qbtypes.QueryTypeBuilder:
+				// Cast to QueryBuilderQuery[MetricAggregation] for metrics
+				if spec, ok := queryEnvelope.Spec.(qbtypes.QueryBuilderQuery[qbtypes.MetricAggregation]); ok {
+					// Check if signal is metrics
+					if spec.Signal == telemetrytypes.SignalMetrics {
+						for _, agg := range spec.Aggregations {
+							if agg.MetricName == metricName {
+								found = true
+								break
+							}
+						}
+					}
+				}
+			case qbtypes.QueryTypePromQL:
+				if spec, ok := queryEnvelope.Spec.(qbtypes.PromQuery); ok {
+					result, err := r.queryParser.AnalyzeQueryFilter(ctx, qbtypes.QueryTypePromQL, spec.Query)
+					if err != nil {
+						r.logger.WarnContext(ctx, "failed to parse PromQL query", "query", spec.Query, "error", err)
+						continue
+					}
+					if slices.Contains(result.MetricNames, metricName) {
+						found = true
+						break
+					}
+				}
+			case qbtypes.QueryTypeClickHouseSQL:
+				if spec, ok := queryEnvelope.Spec.(qbtypes.ClickHouseQuery); ok {
+					result, err := r.queryParser.AnalyzeQueryFilter(ctx, qbtypes.QueryTypeClickHouseSQL, spec.Query)
+					if err != nil {
+						r.logger.WarnContext(ctx, "failed to parse ClickHouse query", "query", spec.Query, "error", err)
+						continue
+					}
+					if slices.Contains(result.MetricNames, metricName) {
+						found = true
+						break
+					}
+				}
+			}
+			if found {
+				break
+			}
+		}
+
+		if found && !seen[storedRule.ID.StringValue()] {
+			seen[storedRule.ID.StringValue()] = true
+			alerts = append(alerts, ruletypes.RuleAlert{
+				AlertName: ruleData.AlertName,
+				AlertID:   storedRule.ID.StringValue(),
+			})
+		}
+	}
+
+	return alerts, nil
+}

pkg/ruler/signozruler/provider.go

@@ -4,6 +4,7 @@ import (
 	"context"
 
 	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/queryparser"
 	"github.com/SigNoz/signoz/pkg/ruler"
 	"github.com/SigNoz/signoz/pkg/ruler/rulestore/sqlrulestore"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
@@ -22,7 +23,8 @@ func NewFactory(sqlstore sqlstore.SQLStore) factory.ProviderFactory[ruler.Ruler,
 }
 
 func New(ctx context.Context, settings factory.ProviderSettings, config ruler.Config, sqlstore sqlstore.SQLStore) (ruler.Ruler, error) {
-	return &provider{ruleStore: sqlrulestore.NewRuleStore(sqlstore)}, nil
+	queryParser := queryparser.New(settings)
+	return &provider{ruleStore: sqlrulestore.NewRuleStore(sqlstore, queryParser, settings)}, nil
 }
 
 func (provider *provider) Collect(ctx context.Context, orgID valuer.UUID) (map[string]any, error) {

pkg/signoz/config.go

@@ -18,6 +18,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/gateway"
+	"github.com/SigNoz/signoz/pkg/global"
 	"github.com/SigNoz/signoz/pkg/instrumentation"
 	"github.com/SigNoz/signoz/pkg/modules/metricsexplorer"
 	"github.com/SigNoz/signoz/pkg/prometheus"
@@ -39,6 +40,9 @@ import (
 
 // Config defines the entire input configuration of signoz.
 type Config struct {
+	// Global config
+	Global global.Config `mapstructure:"global"`
+
 	// Version config
 	Version version.Config `mapstructure:"version"`
 
@@ -141,6 +145,7 @@ func (df *DeprecatedFlags) RegisterFlags(cmd *cobra.Command) {
 
 func NewConfig(ctx context.Context, logger *slog.Logger, resolverConfig config.ResolverConfig, deprecatedFlags DeprecatedFlags) (Config, error) {
 	configFactories := []factory.ConfigFactory{
+		global.NewConfigFactory(),
 		version.NewConfigFactory(),
 		instrumentation.NewConfigFactory(),
 		analytics.NewConfigFactory(),

pkg/signoz/handler.go

@@ -2,6 +2,8 @@ package signoz
 
 import (
 	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/global"
+	"github.com/SigNoz/signoz/pkg/global/signozglobal"
 	"github.com/SigNoz/signoz/pkg/licensing"
 	"github.com/SigNoz/signoz/pkg/modules/apdex"
 	"github.com/SigNoz/signoz/pkg/modules/apdex/implapdex"
@@ -34,9 +36,10 @@ type Handlers struct {
 	SpanPercentile  spanpercentile.Handler
 	Services        services.Handler
 	MetricsExplorer metricsexplorer.Handler
+	Global          global.Handler
 }
 
-func NewHandlers(modules Modules, providerSettings factory.ProviderSettings, querier querier.Querier, licensing licensing.Licensing) Handlers {
+func NewHandlers(modules Modules, providerSettings factory.ProviderSettings, querier querier.Querier, licensing licensing.Licensing, global global.Global) Handlers {
 	return Handlers{
 		SavedView:       implsavedview.NewHandler(modules.SavedView),
 		Apdex:           implapdex.NewHandler(modules.Apdex),
@@ -47,5 +50,6 @@ func NewHandlers(modules Modules, providerSettings factory.ProviderSettings, que
 		Services:        implservices.NewHandler(modules.Services),
 		MetricsExplorer: implmetricsexplorer.NewHandler(modules.MetricsExplorer),
 		SpanPercentile:  implspanpercentile.NewHandler(modules.SpanPercentile),
+		Global:          signozglobal.NewHandler(global),
 	}
 }

pkg/signoz/handler_test.go

@@ -40,7 +40,7 @@ func TestNewHandlers(t *testing.T) {
 	require.NoError(t, err)
 	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{})
 
-	handlers := NewHandlers(modules, providerSettings, nil, nil)
+	handlers := NewHandlers(modules, providerSettings, nil, nil, nil)
 
 	reflectVal := reflect.ValueOf(handlers)
 	for i := 0; i < reflectVal.NumField(); i++ {

pkg/signoz/module.go

@@ -39,6 +39,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/user/impluser"
 	"github.com/SigNoz/signoz/pkg/querier"
 	"github.com/SigNoz/signoz/pkg/queryparser"
+	"github.com/SigNoz/signoz/pkg/ruler/rulestore/sqlrulestore"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/telemetrystore"
 	"github.com/SigNoz/signoz/pkg/tokenizer"
@@ -87,6 +88,7 @@ func NewModules(
 	orgSetter := implorganization.NewSetter(implorganization.NewStore(sqlstore), alertmanager, quickfilter)
 	user := impluser.NewModule(impluser.NewStore(sqlstore, providerSettings), tokenizer, emailing, providerSettings, orgSetter, analytics)
 	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings))
+	ruleStore := sqlrulestore.NewRuleStore(sqlstore, queryParser, providerSettings)
 	dashboard := impldashboard.NewModule(sqlstore, providerSettings, analytics, orgGetter, implrole.NewModule(implrole.NewStore(sqlstore), authz, nil), queryParser)
 
 	return Modules{
@@ -105,6 +107,6 @@ func NewModules(
 		Session:         implsession.NewModule(providerSettings, authNs, user, userGetter, implauthdomain.NewModule(implauthdomain.NewStore(sqlstore), authNs), tokenizer, orgGetter),
 		SpanPercentile:  implspanpercentile.NewModule(querier, providerSettings),
 		Services:        implservices.NewModule(querier, telemetryStore),
-		MetricsExplorer: implmetricsexplorer.NewModule(telemetryStore, telemetryMetadataStore, cache, dashboard, providerSettings, config.MetricsExplorer),
+		MetricsExplorer: implmetricsexplorer.NewModule(telemetryStore, telemetryMetadataStore, cache, ruleStore, dashboard, providerSettings, config.MetricsExplorer),
 	}
 }

pkg/signoz/openapi.go

@@ -8,6 +8,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/apiserver"
 	"github.com/SigNoz/signoz/pkg/apiserver/signozapiserver"
 	"github.com/SigNoz/signoz/pkg/authz"
+	"github.com/SigNoz/signoz/pkg/global"
 	"github.com/SigNoz/signoz/pkg/http/handler"
 	"github.com/SigNoz/signoz/pkg/instrumentation"
 	"github.com/SigNoz/signoz/pkg/modules/authdomain"
@@ -36,6 +37,7 @@ func NewOpenAPI(ctx context.Context, instrumentation instrumentation.Instrumenta
 		struct{ session.Handler }{},
 		struct{ authdomain.Handler }{},
 		struct{ preference.Handler }{},
+		struct{ global.Handler }{},
 	).New(ctx, instrumentation.ToProviderSettings(), apiserver.Config{})
 	if err != nil {
 		return nil, err

pkg/signoz/provider.go

@@ -18,6 +18,8 @@ import (
 	"github.com/SigNoz/signoz/pkg/emailing/noopemailing"
 	"github.com/SigNoz/signoz/pkg/emailing/smtpemailing"
 	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/global"
+	"github.com/SigNoz/signoz/pkg/global/signozglobal"
 	"github.com/SigNoz/signoz/pkg/modules/authdomain/implauthdomain"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/modules/organization/implorganization"
@@ -221,7 +223,7 @@ func NewQuerierProviderFactories(telemetryStore telemetrystore.TelemetryStore, p
 	)
 }
 
-func NewAPIServerProviderFactories(orgGetter organization.Getter, authz authz.AuthZ, modules Modules, handlers Handlers) factory.NamedMap[factory.ProviderFactory[apiserver.APIServer, apiserver.Config]] {
+func NewAPIServerProviderFactories(orgGetter organization.Getter, authz authz.AuthZ, global global.Global, modules Modules, handlers Handlers) factory.NamedMap[factory.ProviderFactory[apiserver.APIServer, apiserver.Config]] {
 	return factory.MustNewNamedMap(
 		signozapiserver.NewFactory(
 			orgGetter,
@@ -231,6 +233,7 @@ func NewAPIServerProviderFactories(orgGetter organization.Getter, authz authz.Au
 			implsession.NewHandler(modules.Session),
 			implauthdomain.NewHandler(modules.AuthDomain),
 			implpreference.NewHandler(modules.Preference),
+			signozglobal.NewHandler(global),
 		),
 	)
 }
@@ -242,3 +245,9 @@ func NewTokenizerProviderFactories(cache cache.Cache, sqlstore sqlstore.SQLStore
 		jwttokenizer.NewFactory(cache, tokenStore),
 	)
 }
+
+func NewGlobalProviderFactories() factory.NamedMap[factory.ProviderFactory[global.Global, global.Config]] {
+	return factory.MustNewNamedMap(
+		signozglobal.NewFactory(),
+	)
+}

pkg/signoz/provider_test.go

@@ -83,6 +83,7 @@ func TestNewProviderFactories(t *testing.T) {
 		NewAPIServerProviderFactories(
 			implorganization.NewGetter(implorganization.NewStore(sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherEqual)), nil),
 			nil,
+			nil,
 			Modules{},
 			Handlers{},
 		)

pkg/signoz/signoz.go

@@ -345,18 +345,29 @@ func New(
 		telemetrymetadata.AttributesMetadataLocalTableName,
 	)
 
+	global, err := factory.NewProviderFromNamedMap(
+		ctx,
+		providerSettings,
+		config.Global,
+		NewGlobalProviderFactories(),
+		"signoz",
+	)
+	if err != nil {
+		return nil, err
+	}
+
 	// Initialize all modules
 	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, analytics, querier, telemetrystore, telemetryMetadataStore, authNs, authz, cache, queryParser, config)
 
 	// Initialize all handlers for the modules
-	handlers := NewHandlers(modules, providerSettings, querier, licensing)
+	handlers := NewHandlers(modules, providerSettings, querier, licensing, global)
 
 	// Initialize the API server
 	apiserver, err := factory.NewProviderFromNamedMap(
 		ctx,
 		providerSettings,
 		config.APIServer,
-		NewAPIServerProviderFactories(orgGetter, authz, modules, handlers),
+		NewAPIServerProviderFactories(orgGetter, authz, global, modules, handlers),
 		"signoz",
 	)
 	if err != nil {

pkg/types/authtypes/authn.go

@@ -32,10 +32,12 @@ type Identity struct {
 }
 
 type CallbackIdentity struct {
-	Name  string       `json:"name"`
-	Email valuer.Email `json:"email"`
-	OrgID valuer.UUID  `json:"orgId"`
-	State State        `json:"state"`
+	Name   string       `json:"name"`
+	Email  valuer.Email `json:"email"`
+	OrgID  valuer.UUID  `json:"orgId"`
+	State  State        `json:"state"`
+	Groups []string     `json:"groups,omitempty"`
+	Role   string       `json:"role,omitempty"`
 }
 
 type State struct {
@@ -85,12 +87,14 @@ func NewIdentity(userID valuer.UUID, orgID valuer.UUID, email valuer.Email, role
 	}
 }
 
-func NewCallbackIdentity(name string, email valuer.Email, orgID valuer.UUID, state State) *CallbackIdentity {
+func NewCallbackIdentity(name string, email valuer.Email, orgID valuer.UUID, state State, groups []string, role string) *CallbackIdentity {
 	return &CallbackIdentity{
-		Name:  name,
-		Email: email,
-		OrgID: orgID,
-		State: state,
+		Name:   name,
+		Email:  email,
+		OrgID:  orgID,
+		State:  state,
+		Groups: groups,
+		Role:   role,
 	}
 }
 

pkg/types/authtypes/domain.go

@@ -63,6 +63,7 @@ type AuthDomainConfig struct {
 	SAML          *SamlConfig   `json:"samlConfig"`
 	Google        *GoogleConfig `json:"googleAuthConfig"`
 	OIDC          *OIDCConfig   `json:"oidcConfig"`
+	RoleMapping   *RoleMapping  `json:"roleMapping"`
 }
 
 type AuthDomain struct {

pkg/types/authtypes/google.go

@@ -2,10 +2,13 @@ package authtypes
 
 import (
 	"encoding/json"
+	"strings"
 
 	"github.com/SigNoz/signoz/pkg/errors"
 )
 
+const wildCardDomain = "*"
+
 type GoogleConfig struct {
 	// ClientID is the application's ID. For example, 292085223830.apps.googleusercontent.com.
 	ClientID string `json:"clientId"`
@@ -15,6 +18,27 @@ type GoogleConfig struct {
 
 	// What is the meaning of this? Should we remove this?
 	RedirectURI string `json:"redirectURI"`
+
+	// Whether to fetch the Google workspace groups (required additional API scopes)
+	FetchGroups bool `json:"fetchGroups"`
+
+	// Service Account creds JSON stored for Google Admin SDK access
+	// This is content of the JSON file stored directly into db as string
+	// Required if FetchGroups is true (unless running on GCE with default credentials)
+	ServiceAccountJSON string `json:"serviceAccountJson,omitempty"`
+
+	// Map of workspace domain to admin email for service account impersonation
+	// The service account will impersonate this admin to call the directory API
+	// Use "*" as key for wildcard/default that matches any domain
+	// Example: {"example.com": "admin@exmaple.com", "*": "fallbackadmin@company.com"}
+	DomainToAdminEmail map[string]string `json:"adminEmail,omitempty"`
+
+	// If true, fetch transitive group membership (recursive - groups that contains other groups)
+	FetchTransitiveGroupMembership bool `json:"fetchTransitiveGroupMembership,omitempty"`
+
+	// Optional list of allowed groups
+	// If this is present, only users belonging to one of these groups will be allowed to login
+	AllowedGroups []string `json:"allowedGroups,omitempty"`
 }
 
 func (config *GoogleConfig) UnmarshalJSON(data []byte) error {
@@ -33,6 +57,33 @@ func (config *GoogleConfig) UnmarshalJSON(data []byte) error {
 		return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "clientSecret is required")
 	}
 
+	if temp.FetchGroups {
+		if len(temp.DomainToAdminEmail) == 0 {
+			return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "domainToAdminEmail is required if fetchGroups is true")
+		}
+		
+		if temp.ServiceAccountJSON == "" {
+			return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "serviceAccountJSON is required if fetchGroups is true")
+		}
+	}
+
 	*config = GoogleConfig(temp)
 	return nil
 }
+
+func (config *GoogleConfig) GetAdminEmailForDomain(userEmail string) string {
+	domain := extractDomainFromEmail(userEmail)
+
+	if adminEmail, ok := config.DomainToAdminEmail[domain]; ok {
+		return adminEmail
+	}
+
+	return config.DomainToAdminEmail[wildCardDomain]
+}
+
+func extractDomainFromEmail(email string) string {
+	if at := strings.LastIndex(email, "@"); at >= 0 {
+		return email[at+1:]
+	}
+	return wildCardDomain
+}

pkg/types/authtypes/oidc.go

@@ -34,6 +34,12 @@ type OIDCConfig struct {
 type ClaimMapping struct {
 	// Configurable key which contains the email claims. Defaults to "email"
 	Email string `json:"email"`
+	// Configuration key which contains the name. Defaults to "name"
+	Name string `json:"name"`
+	// Configuration key which contains the name. Defaults to "groups" (Optional)
+	Groups string `json:"groups"`
+	// Configuration key which contains the name. Defaults to "role" (Optional)
+	Role string `json:"role"`
 }
 
 func (config *OIDCConfig) UnmarshalJSON(data []byte) error {

pkg/types/authtypes/rolemapping.go

@@ -0,0 +1,10 @@
+package authtypes
+
+type RoleMapping struct {
+	// Default role any new SSO users. Defaults to "VIEWER"
+	DefaultRole string `json:"defaultRole"`
+	// Map of IDP group names to SigNoz roles. Key is group name, value is SigNoz role
+	GroupMappings map[string]string `json:"groupMappings"`
+	// If true, use the role claim directly from IDP instead of group mappings
+	UseRoleAttribute bool `json:"useRoleAttribute"`
+}

pkg/types/authtypes/saml.go

@@ -20,6 +20,18 @@ type SamlConfig struct {
 	// For providers like jumpcloud, this should be set to true.
 	// Note: This is the reverse of WantAuthnRequestsSigned. If WantAuthnRequestsSigned is false, then InsecureSkipAuthNRequestsSigned should be true.
 	InsecureSkipAuthNRequestsSigned bool `json:"insecureSkipAuthNRequestsSigned"`
+
+	// Mapping of SAML assertion attributes
+	AttributeMapping *SamlAttributeMapping `json:"samlAttributeMapping"`
+}
+
+type SamlAttributeMapping struct {
+	// SAML attribute name for display name
+	Name string `json:"name"`
+	// SAML attribute name for groups
+	Groups string `json:"groups"`
+	// SAML attribute name for direct role
+	Role string `json:"role"`
 }
 
 func (config *SamlConfig) UnmarshalJSON(data []byte) error {

pkg/types/global.go

@@ -0,0 +1,15 @@
+package types
+
+import "net/url"
+
+type GettableGlobalConfig struct {
+	ExternalURL  string `json:"external_url"`
+	IngestionURL string `json:"ingestion_url"`
+}
+
+func NewGettableGlobalConfig(externalURL, ingestionURL *url.URL) *GettableGlobalConfig {
+	return &GettableGlobalConfig{
+		ExternalURL:  externalURL.String(),
+		IngestionURL: ingestionURL.String(),
+	}
+}

pkg/types/metricsexplorertypes/metricsexplorertypes.go

@@ -221,6 +221,17 @@ type TreemapResponse struct {
 	Samples    []TreemapEntry `json:"samples"`
 }
 
+// MetricAlert represents an alert associated with a metric.
+type MetricAlert struct {
+	AlertName string `json:"alertName"`
+	AlertID   string `json:"alertId"`
+}
+
+// MetricAlertsResponse represents the response for metric alerts endpoint.
+type MetricAlertsResponse struct {
+	Alerts []MetricAlert `json:"alerts"`
+}
+
 // MetricDashboard represents a dashboard/widget referencing a metric.
 type MetricDashboard struct {
 	DashboardName string `json:"dashboardName"`

pkg/types/ruletypes/rule.go

@@ -47,10 +47,17 @@ func NewStatsFromRules(rules []*Rule) map[string]any {
 	return stats
 }
 
+// RuleAlert represents an alert associated with a rule, used when filtering by metric name
+type RuleAlert struct {
+	AlertName string
+	AlertID   string
+}
+
 type RuleStore interface {
 	CreateRule(context.Context, *Rule, func(context.Context, valuer.UUID) error) (valuer.UUID, error)
 	EditRule(context.Context, *Rule, func(context.Context) error) error
 	DeleteRule(context.Context, valuer.UUID, func(context.Context) error) error
 	GetStoredRules(context.Context, string) ([]*Rule, error)
 	GetStoredRule(context.Context, valuer.UUID) (*Rule, error)
+	GetStoredRulesByMetricName(context.Context, string, string) ([]RuleAlert, error)
 }

tests/integration/conftest.py

@@ -33,6 +33,12 @@ def pytest_addoption(parser: pytest.Parser):
         default=False,
         help="Teardown environment. Run pytest --basetemp=./tmp/ -vv --teardown src/bootstrap/setup::test_teardown to teardown your local dev environment.",
     )
+    parser.addoption(
+        "--with-web",
+        action="store_true",
+        default=False,
+        help="Build and run with web. Run pytest --basetemp=./tmp/ -vv --with-web src/bootstrap/setup::test_setup to setup your local dev environment with web.",
+    )
     parser.addoption(
         "--sqlstore-provider",
         action="store",

tests/integration/fixtures/auth.py

@@ -1,6 +1,5 @@
-from typing import Tuple
 from http import HTTPStatus
-from typing import Callable, List
+from typing import Callable, List, Tuple
 
 import pytest
 import requests
@@ -134,9 +133,9 @@ def get_tokens(signoz: types.SigNoz) -> Callable[[str, str], Tuple[str, str]]:
         )
 
         assert response.status_code == HTTPStatus.OK
-        accessToken = response.json()["data"]["accessToken"]
-        refreshToken = response.json()["data"]["refreshToken"]
-        return accessToken, refreshToken
+        access_token = response.json()["data"]["accessToken"]
+        refresh_token = response.json()["data"]["refreshToken"]
+        return access_token, refresh_token
 
     return _get_tokens
 

tests/integration/fixtures/idputils.py

@@ -1,4 +1,4 @@
-from typing import Callable, Dict, Any
+from typing import Any, Callable, Dict, List
 from urllib.parse import urljoin
 from xml.etree import ElementTree
 
@@ -26,6 +26,15 @@ def create_saml_client(
             realm_name="master",
         )
 
+        # DELETE existing client if it exists (to ensure mappers are updated)
+        saml_client_id = f"{signoz.self.host_configs['8080'].address}:{signoz.self.host_configs['8080'].port}"
+        try:
+            existing_client_id = client.get_client_id(client_id=saml_client_id)
+            if existing_client_id:
+                client.delete_client(existing_client_id)
+        except Exception:
+            pass  # Client doesn't exist, that's fine
+
         client.create_client(
             skip_exists=True,
             payload={
@@ -71,7 +80,9 @@ def create_saml_client(
                     "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
                     "saml.onetimeuse.condition": "false",
                     "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "NONE",
-                    "saml_assertion_consumer_url_post": urljoin(f"{signoz.self.host_configs['8080'].base()}", callback_path)
+                    "saml_assertion_consumer_url_post": urljoin(
+                        f"{signoz.self.host_configs['8080'].base()}", callback_path
+                    ),
                 },
                 "authenticationFlowBindingOverrides": {},
                 "fullScopeAllowed": True,
@@ -112,6 +123,31 @@ def create_saml_client(
                             "attribute.name": "Role",
                         },
                     },
+                    {
+                        "name": "groups",
+                        "protocol": "saml",
+                        "protocolMapper": "saml-group-membership-mapper",
+                        "consentRequired": False,
+                        "config": {
+                            "full.path": "false",
+                            "attribute.nameformat": "Basic",
+                            "single": "true", # ! this was changed to true as we need the groups in the single attribute section
+                            "friendly.name": "groups",
+                            "attribute.name": "groups",
+                        },
+                    },
+                    {
+                        "name": "role attribute",
+                        "protocol": "saml",
+                        "protocolMapper": "saml-user-attribute-mapper",
+                        "consentRequired": False,
+                        "config": {
+                            "attribute.nameformat": "Basic",
+                            "user.attribute": "signoz_role",
+                            "friendly.name": "signoz_role",
+                            "attribute.name": "signoz_role",
+                        },
+                    },
                 ],
                 "defaultClientScopes": ["saml_organization", "role_list"],
                 "optionalClientScopes": [],
@@ -124,9 +160,11 @@ def create_saml_client(
 
 @pytest.fixture(name="update_saml_client_attributes", scope="function")
 def update_saml_client_attributes(
-    idp: types.TestContainerIDP
+    idp: types.TestContainerIDP,
 ) -> Callable[[str, Dict[str, Any]], None]:
-    def _update_saml_client_attributes(client_id: str, attributes: Dict[str, Any]) -> None:
+    def _update_saml_client_attributes(
+        client_id: str, attributes: Dict[str, Any]
+    ) -> None:
         client = KeycloakAdmin(
             server_url=idp.container.host_configs["6060"].base(),
             username=IDP_ROOT_USERNAME,
@@ -159,6 +197,16 @@ def create_oidc_client(
             realm_name="master",
         )
 
+        _ensure_groups_client_scope(client)
+
+        # DELETE existing client if it exists (to ensure redirect URIs are updated)
+        try:
+            existing_client_id = client.get_client_id(client_id=client_id)
+            if existing_client_id:
+                client.delete_client(existing_client_id)
+        except Exception:
+            pass  # Client doesn't exist, that's fine
+
         client.create_client(
             skip_exists=True,
             payload={
@@ -204,6 +252,7 @@ def create_oidc_client(
                     "profile",
                     "basic",
                     "email",
+                    "groups",
                 ],
                 "optionalClientScopes": [
                     "address",
@@ -329,3 +378,248 @@ def idp_login(driver: webdriver.Chrome) -> Callable[[str, str], None]:
         wait.until(EC.invisibility_of_element((By.ID, "kc-login")))
 
     return _idp_login
+
+
+@pytest.fixture(name="create_group_idp", scope="function")
+def create_group_idp(idp: types.TestContainerIDP) -> Callable[[str], str]:
+    """Creates a group in Keycloak IDP."""
+    client = KeycloakAdmin(
+        server_url=idp.container.host_configs["6060"].base(),
+        username=IDP_ROOT_USERNAME,
+        password=IDP_ROOT_PASSWORD,
+        realm_name="master",
+    )
+
+    created_groups = []
+
+    def _create_group_idp(group_name: str) -> str:
+        group_id = client.create_group({"name": group_name}, skip_exists=True)
+        created_groups.append(group_id)
+        return group_id
+
+    yield _create_group_idp
+
+    for group_id in created_groups:
+        try:
+            client.delete_group(group_id)
+        except Exception:
+            pass
+
+
+@pytest.fixture(name="create_user_idp_with_groups", scope="function")
+def create_user_idp_with_groups(
+    idp: types.TestContainerIDP,
+    create_group_idp: Callable[[str], str],
+) -> Callable[[str, str, bool, List[str]], None]:
+    """Creates a user in Keycloak IDP with specified groups."""
+    client = KeycloakAdmin(
+        server_url=idp.container.host_configs["6060"].base(),
+        username=IDP_ROOT_USERNAME,
+        password=IDP_ROOT_PASSWORD,
+        realm_name="master",
+    )
+
+    created_users = []
+
+    def _create_user_idp_with_groups(
+        email: str, password: str, verified: bool, groups: List[str]
+    ) -> None:
+        # Create groups first
+        group_ids = []
+        for group_name in groups:
+            group_id = create_group_idp(group_name)
+            group_ids.append(group_id)
+
+        # Create user
+        user_id = client.create_user(
+            exist_ok=False,
+            payload={
+                "username": email,
+                "email": email,
+                "enabled": True,
+                "emailVerified": verified,
+            },
+        )
+        client.set_user_password(user_id, password, temporary=False)
+        created_users.append(user_id)
+
+        # Add user to groups
+        for group_id in group_ids:
+            client.group_user_add(user_id, group_id)
+
+    yield _create_user_idp_with_groups
+
+    for user_id in created_users:
+        try:
+            break
+            client.delete_user(user_id)
+        except Exception:
+            pass
+
+
+@pytest.fixture(name="add_user_to_group", scope="function")
+def add_user_to_group(
+    idp: types.TestContainerIDP,
+    create_group_idp: Callable[[str], str],
+) -> Callable[[str, str], None]:
+    """Adds an existing user to a group."""
+    client = KeycloakAdmin(
+        server_url=idp.container.host_configs["6060"].base(),
+        username=IDP_ROOT_USERNAME,
+        password=IDP_ROOT_PASSWORD,
+        realm_name="master",
+    )
+
+    def _add_user_to_group(email: str, group_name: str) -> None:
+        user_id = client.get_user_id(email)
+        group_id = create_group_idp(group_name)
+        client.group_user_add(user_id, group_id)
+
+    return _add_user_to_group
+
+
+@pytest.fixture(name="create_user_idp_with_role", scope="function")
+def create_user_idp_with_role(
+    idp: types.TestContainerIDP,
+    create_group_idp: Callable[[str], str],
+) -> Callable[[str, str, bool, str, List[str]], None]:
+    """Creates a user in Keycloak IDP with a custom role attribute and optional groups."""
+    client = KeycloakAdmin(
+        server_url=idp.container.host_configs["6060"].base(),
+        username=IDP_ROOT_USERNAME,
+        password=IDP_ROOT_PASSWORD,
+        realm_name="master",
+    )
+
+    created_users = []
+
+    def _create_user_idp_with_role(
+        email: str, password: str, verified: bool, role: str, groups: List[str]
+    ) -> None:
+        # Create groups first
+        group_ids = []
+        for group_name in groups:
+            group_id = create_group_idp(group_name)
+            group_ids.append(group_id)
+
+        # Create user with role attribute
+        user_id = client.create_user(
+            exist_ok=False,
+            payload={
+                "username": email,
+                "email": email,
+                "enabled": True,
+                "emailVerified": verified,
+                "attributes": {
+                    "signoz_role": role,
+                },
+            },
+        )
+        client.set_user_password(user_id, password, temporary=False)
+        created_users.append(user_id)
+
+        # Add user to groups
+        for group_id in group_ids:
+            client.group_user_add(user_id, group_id)
+
+    yield _create_user_idp_with_role
+
+    for user_id in created_users:
+        try:
+            break
+            client.delete_user(user_id)
+        except Exception:
+            pass
+
+
+@pytest.fixture(name="setup_user_profile", scope="package")
+def setup_user_profile(idp: types.TestContainerIDP) -> Callable[[], None]:
+    """Setup Keycloak User Profile with signoz_role attribute."""
+    def _setup_user_profile() -> None:
+        client = KeycloakAdmin(
+            server_url=idp.container.host_configs["6060"].base(),
+            username=IDP_ROOT_USERNAME,
+            password=IDP_ROOT_PASSWORD,
+            realm_name="master",
+        )
+        
+        # Get current user profile config
+        profile = client.get_realm_users_profile()
+        
+        # Check if signoz_role attribute already exists
+        attributes = profile.get("attributes", [])
+        signoz_role_exists = any(attr.get("name") == "signoz_role" for attr in attributes)
+        
+        if not signoz_role_exists:
+            # Add signoz_role attribute to user profile
+            attributes.append({
+                "name": "signoz_role",
+                "displayName": "SigNoz Role",
+                "validations": {},
+                "annotations": {},
+                # "required": {
+                #     "roles": []  # Not required
+                # },
+                "permissions": {
+                    "view": ["admin", "user"],
+                    "edit": ["admin"]
+                },
+                "multivalued": False
+            })
+            profile["attributes"] = attributes
+            
+            # Update the realm user profile
+            client.update_realm_users_profile(payload=profile)
+    
+    return _setup_user_profile
+
+
+def _ensure_groups_client_scope(client: KeycloakAdmin) -> None:
+    """Create 'groups' client scope if it doesn't exist."""
+    # Check if groups scope exists
+    scopes = client.get_client_scopes()
+    groups_scope_exists = any(s.get("name") == "groups" for s in scopes)
+    
+    if not groups_scope_exists:
+        # Create the groups client scope
+        client.create_client_scope(
+            payload={
+                "name": "groups",
+                "description": "Group membership",
+                "protocol": "openid-connect",
+                "attributes": {
+                    "include.in.token.scope": "true",
+                    "display.on.consent.screen": "true",
+                },
+                "protocolMappers": [
+                    {
+                        "name": "groups",
+                        "protocol": "openid-connect",
+                        "protocolMapper": "oidc-group-membership-mapper",
+                        "consentRequired": False,
+                        "config": {
+                            "full.path": "false",
+                            "id.token.claim": "true",
+                            "access.token.claim": "true",
+                            "claim.name": "groups",
+                            "userinfo.token.claim": "true",
+                        },
+                    },
+                    {
+                        "name": "signoz_role",
+                        "protocol": "openid-connect",
+                        "protocolMapper": "oidc-usermodel-attribute-mapper",
+                        "consentRequired": False,
+                        "config": {
+                            "user.attribute": "signoz_role",
+                            "id.token.claim": "true",
+                            "access.token.claim": "true",
+                            "claim.name": "signoz_role",
+                            "userinfo.token.claim": "true",
+                            "jsonType.label": "String",
+                        },
+                    },
+                ],
+            },
+            skip_exists=True,
+        )

tests/integration/fixtures/logs.py

@@ -429,7 +429,11 @@ def ttl_legacy_logs_v2_table_setup(request, signoz: types.SigNoz):
     ).result_rows
     assert result is not None
     # Add cleanup to restore original table
-    request.addfinalizer(lambda:  signoz.telemetrystore.conn.query("RENAME TABLE signoz_logs.logs_v2_backup TO signoz_logs.logs_v2;"))
+    request.addfinalizer(
+        lambda: signoz.telemetrystore.conn.query(
+            "RENAME TABLE signoz_logs.logs_v2_backup TO signoz_logs.logs_v2;"
+        )
+    )
 
     # Create new test tables
     result = signoz.telemetrystore.conn.query(
@@ -445,10 +449,15 @@ def ttl_legacy_logs_v2_table_setup(request, signoz: types.SigNoz):
 
     assert result is not None
     # Add cleanup to drop test table
-    request.addfinalizer(lambda:  signoz.telemetrystore.conn.query("DROP TABLE IF EXISTS signoz_logs.logs_v2;"))
+    request.addfinalizer(
+        lambda: signoz.telemetrystore.conn.query(
+            "DROP TABLE IF EXISTS signoz_logs.logs_v2;"
+        )
+    )
 
     yield  # Test runs here
 
+
 @pytest.fixture(name="ttl_legacy_logs_v2_resource_table_setup", scope="function")
 def ttl_legacy_logs_v2_resource_table_setup(request, signoz: types.SigNoz):
     """
@@ -463,7 +472,11 @@ def ttl_legacy_logs_v2_resource_table_setup(request, signoz: types.SigNoz):
     ).result_rows
     assert result is not None
     # Add cleanup to restore original table
-    request.addfinalizer(lambda:  signoz.telemetrystore.conn.query("RENAME TABLE signoz_logs.logs_v2_resource_backup TO signoz_logs.logs_v2_resource;"))
+    request.addfinalizer(
+        lambda: signoz.telemetrystore.conn.query(
+            "RENAME TABLE signoz_logs.logs_v2_resource_backup TO signoz_logs.logs_v2_resource;"
+        )
+    )
 
     # Create new test tables
     result = signoz.telemetrystore.conn.query(
@@ -478,6 +491,10 @@ def ttl_legacy_logs_v2_resource_table_setup(request, signoz: types.SigNoz):
 
     assert result is not None
     # Add cleanup to drop test table
-    request.addfinalizer(lambda:  signoz.telemetrystore.conn.query("DROP TABLE IF EXISTS signoz_logs.logs_v2_resource;"))
+    request.addfinalizer(
+        lambda: signoz.telemetrystore.conn.query(
+            "DROP TABLE IF EXISTS signoz_logs.logs_v2_resource;"
+        )
+    )
 
-    yield  # Test runs here
+    yield  # Test runs here

tests/integration/fixtures/signoz.py

@@ -1,7 +1,7 @@
-from os import path
 import platform
 import time
 from http import HTTPStatus
+from os import path
 
 import docker
 import docker.errors
@@ -34,14 +34,21 @@ def signoz(  # pylint: disable=too-many-arguments,too-many-positional-arguments
         # Run the migrations for clickhouse
         request.getfixturevalue("migrator")
 
+        # Get the no-web flag
+        with_web = pytestconfig.getoption("--with-web")
+
         arch = platform.machine()
         if arch == "x86_64":
             arch = "amd64"
 
         # Build the image
+        dockerfile_path = "cmd/enterprise/Dockerfile.integration"
+        if with_web:
+            dockerfile_path = "cmd/enterprise/Dockerfile.with-web.integration"
+
         self = DockerImage(
             path="../../",
-            dockerfile_path="cmd/enterprise/Dockerfile.integration",
+            dockerfile_path=dockerfile_path,
             tag="signoz:integration",
             buildargs={
                 "TARGETARCH": arch,
@@ -53,7 +60,7 @@ def signoz(  # pylint: disable=too-many-arguments,too-many-positional-arguments
 
         env = (
             {
-                "SIGNOZ_WEB_ENABLED": True,
+                "SIGNOZ_WEB_ENABLED": False,
                 "SIGNOZ_WEB_DIRECTORY": "/root/web",
                 "SIGNOZ_INSTRUMENTATION_LOGS_LEVEL": "debug",
                 "SIGNOZ_PROMETHEUS_ACTIVE__QUERY__TRACKER_ENABLED": False,
@@ -63,6 +70,9 @@ def signoz(  # pylint: disable=too-many-arguments,too-many-positional-arguments
             | clickhouse.env
         )
 
+        if with_web:
+            env["SIGNOZ_WEB_ENABLED"] = True
+
         container = DockerContainer("signoz:integration")
         for k, v in env.items():
             container.with_env(k, v)
@@ -71,7 +81,7 @@ def signoz(  # pylint: disable=too-many-arguments,too-many-positional-arguments
 
         provider = request.config.getoption("--sqlstore-provider")
         if provider == "sqlite":
-            dir_path = path.dirname(sqlstore.env["SIGNOZ_SQLSTORE_SQLITE_PATH"])            
+            dir_path = path.dirname(sqlstore.env["SIGNOZ_SQLSTORE_SQLITE_PATH"])
             container.with_volume_mapping(
                 dir_path,
                 dir_path,

tests/integration/fixtures/sqlite.py

@@ -27,7 +27,6 @@ def sqlite(
         with engine.connect() as conn:
             result = conn.execute(sql.text("SELECT 1"))
             assert result.fetchone()[0] == 1
-            
 
         return types.TestContainerSQL(
             container=types.TestContainerDocker(
@@ -53,7 +52,6 @@ def sqlite(
             result = conn.execute(sql.text("SELECT 1"))
             assert result.fetchone()[0] == 1
 
-
         return types.TestContainerSQL(
             container=types.TestContainerDocker(
                 id="",

tests/integration/src/callbackauthn/b_saml.py

@@ -1,9 +1,10 @@
 from http import HTTPStatus
-from typing import Callable, List, Dict, Any
+from typing import Any, Callable, Dict, List
 
 import requests
 from selenium import webdriver
 from wiremock.resources.mappings import Mapping
+import uuid
 
 from fixtures.auth import (
     USER_ADMIN_EMAIL,
@@ -93,10 +94,11 @@ def test_create_auth_domain(
         f"{signoz.self.host_configs['8080'].address}:{signoz.self.host_configs['8080'].port}",
         {
             "saml_idp_initiated_sso_url_name": "idp-initiated-saml-test",
-            "saml_idp_initiated_sso_relay_state": relay_state_url
-        }
+            "saml_idp_initiated_sso_relay_state": relay_state_url,
+        },
     )
 
+
 def test_saml_authn(
     signoz: SigNoz,
     idp: TestContainerIDP,  # pylint: disable=unused-argument
@@ -163,7 +165,10 @@ def test_idp_initiated_saml_authn(
     assert len(session_context["orgs"]) == 1
     assert len(session_context["orgs"][0]["authNSupport"]["callback"]) == 1
 
-    idp_initiated_login_url = idp.container.host_configs["6060"].base() + "/realms/master/protocol/saml/clients/idp-initiated-saml-test"
+    idp_initiated_login_url = (
+        idp.container.host_configs["6060"].base()
+        + "/realms/master/protocol/saml/clients/idp-initiated-saml-test"
+    )
 
     driver.get(idp_initiated_login_url)
     idp_login("viewer.idp.initiated@saml.integration.test", "password")
@@ -191,3 +196,437 @@ def test_idp_initiated_saml_authn(
 
     assert found_user is not None
     assert found_user["role"] == "VIEWER"
+
+
+def _get_saml_domain(signoz: SigNoz, admin_token: str) -> dict:
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v1/domains"),
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+    return next(
+        (
+            domain
+            for domain in response.json()["data"]
+            if domain["name"] == "saml.integration.test"
+        ),
+        None,
+    )
+
+
+def _get_user_by_email(signoz: SigNoz, admin_token: str, email: str) -> dict:
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v1/user"),
+        timeout=2,
+        headers={"Authorization": f"Bearer {admin_token}"},
+    )
+    return next(
+        (user for user in response.json()["data"] if user["email"] == email),
+        None,
+    )
+
+
+def _perform_saml_login(
+    signoz: SigNoz,
+    driver: webdriver.Chrome,
+    get_session_context: Callable[[str], str],
+    idp_login: Callable[[str, str], None],
+    email: str,
+    password: str,
+) -> None:
+    session_context = get_session_context(email)
+    url = session_context["orgs"][0]["authNSupport"]["callback"][0]["url"]
+    driver.get(url)
+    idp_login(email, password)
+
+
+def test_saml_update_domain_with_group_mappings(
+    signoz: SigNoz,
+    get_token: Callable[[str, str], str],
+    get_saml_settings: Callable[[], dict],
+) -> None:
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    domain = _get_saml_domain(signoz, admin_token)
+    settings = get_saml_settings()
+
+    # update the existing saml domain to have role mappings also
+    response = requests.put(
+        signoz.self.host_configs["8080"].get(f"/api/v1/domains/{domain['id']}"),
+        json={
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "saml",
+                "samlConfig": {
+                    "samlEntity": settings["entityID"],
+                    "samlIdp": settings["singleSignOnServiceLocation"],
+                    "samlCert": settings["certificate"],
+                    "samlAttributeMapping": {
+                        "name": "displayName",
+                        "groups": "groups",
+                        "role": "role",
+                    },
+                },
+                "roleMapping": {
+                    "defaultRole": "VIEWER",
+                    "groupMappings": {
+                        "signoz-admins": "ADMIN",
+                        "signoz-editors": "EDITOR",
+                        "signoz-viewers": "VIEWER",
+                    },
+                    "useRoleAttribute": False,
+                },
+            },
+        },
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+
+    assert response.status_code == HTTPStatus.NO_CONTENT
+
+
+def test_saml_role_mapping_single_group_admin(
+    signoz: SigNoz,
+    idp: TestContainerIDP,  # pylint: disable=unused-argument
+    driver: webdriver.Chrome,
+    create_user_idp_with_groups: Callable[[str, str, bool, List[str]], None],
+    idp_login: Callable[[str, str], None],
+    get_token: Callable[[str, str], str],
+    get_session_context: Callable[[str], str],
+) -> None:
+    """
+    Test: User in 'signoz-admins' group gets ADMIN role.
+    """
+    email = "admin-group-user@saml.integration.test"
+    create_user_idp_with_groups(email, "password", True, ["signoz-admins"])
+
+    _perform_saml_login(signoz, driver, get_session_context, idp_login, email, "password")
+
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    found_user = _get_user_by_email(signoz, admin_token, email)
+
+    assert found_user is not None
+    assert found_user["role"] == "ADMIN"
+
+
+def test_saml_role_mapping_single_group_editor(
+    signoz: SigNoz,
+    idp: TestContainerIDP,  # pylint: disable=unused-argument
+    driver: webdriver.Chrome,
+    create_user_idp_with_groups: Callable[[str, str, bool, List[str]], None],
+    idp_login: Callable[[str, str], None],
+    get_token: Callable[[str, str], str],
+    get_session_context: Callable[[str], str],
+) -> None:
+    """
+    Test: User in 'signoz-editors' group gets EDITOR role.
+    """
+    email = "editor-group-user@saml.integration.test"
+    create_user_idp_with_groups(email, "password", True, ["signoz-editors"])
+
+    _perform_saml_login(signoz, driver, get_session_context, idp_login, email, "password")
+
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    found_user = _get_user_by_email(signoz, admin_token, email)
+
+    assert found_user is not None
+    assert found_user["role"] == "EDITOR"
+
+
+def test_saml_role_mapping_multiple_groups_highest_wins(
+    signoz: SigNoz,
+    idp: TestContainerIDP,  # pylint: disable=unused-argument
+    driver: webdriver.Chrome,
+    create_user_idp_with_groups: Callable[[str, str, bool, List[str]], None],
+    idp_login: Callable[[str, str], None],
+    get_token: Callable[[str, str], str],
+    get_session_context: Callable[[str], str],
+) -> None:
+    """
+    Test: User in multiple groups gets highest role.
+    User is in both 'signoz-viewers' and 'signoz-editors'.
+    Expected: User gets EDITOR (highest of VIEWER and EDITOR).
+    """
+    email = f"multi-group-user-{uuid.uuid4().hex[:8]}@saml.integration.test"
+    create_user_idp_with_groups(email, "password", True, ["signoz-viewers", "signoz-editors"])
+
+    # DEBUG: Verify user has both groups in Keycloak
+    from keycloak import KeycloakAdmin
+    kc = KeycloakAdmin(
+        server_url=idp.container.host_configs["6060"].base(),
+        username="admin",
+        password="password",
+        realm_name="master",
+    )
+    user_id = kc.get_user_id(email)
+    groups = kc.get_user_groups(user_id)
+    print(f"\n=== DEBUG: User groups in Keycloak: {[g['name'] for g in groups]} ===\n")
+
+    # DEBUG: Check if domain has role mappings configured
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    domain = _get_saml_domain(signoz, admin_token)
+    print(f"\n=== DEBUG: Domain role mapping config: {domain.get('roleMapping')} ===\n")
+    print(f"domain: {domain}")
+
+    _perform_saml_login(signoz, driver, get_session_context, idp_login, email, "password")
+
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    found_user = _get_user_by_email(signoz, admin_token, email)
+
+    assert found_user is not None
+    assert found_user["role"] == "EDITOR"
+
+
+def test_saml_role_mapping_explicit_viewer_group(
+    signoz: SigNoz,
+    idp: TestContainerIDP,  # pylint: disable=unused-argument
+    driver: webdriver.Chrome,
+    create_user_idp_with_groups: Callable[[str, str, bool, List[str]], None],
+    idp_login: Callable[[str, str], None],
+    get_token: Callable[[str, str], str],
+    get_session_context: Callable[[str], str],
+) -> None:
+    """
+    Test: User explicitly mapped to VIEWER via groups should get VIEWER.
+    This tests the bug where VIEWER group mappings were incorrectly ignored.
+    """
+    email = "viewer-group-user@saml.integration.test"
+    create_user_idp_with_groups(email, "password", True, ["signoz-viewers"])
+
+    _perform_saml_login(signoz, driver, get_session_context, idp_login, email, "password")
+
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    found_user = _get_user_by_email(signoz, admin_token, email)
+
+    assert found_user is not None
+    assert found_user["role"] == "VIEWER"
+
+
+def test_saml_role_mapping_unmapped_group_uses_default(
+    signoz: SigNoz,
+    idp: TestContainerIDP,  # pylint: disable=unused-argument
+    driver: webdriver.Chrome,
+    create_user_idp_with_groups: Callable[[str, str, bool, List[str]], None],
+    idp_login: Callable[[str, str], None],
+    get_token: Callable[[str, str], str],
+    get_session_context: Callable[[str], str],
+) -> None:
+    """
+    Test: User in unmapped group falls back to default role (VIEWER).
+    """
+    email = "unmapped-group-user@saml.integration.test"
+    create_user_idp_with_groups(email, "password", True, ["some-other-group"])
+
+    _perform_saml_login(signoz, driver, get_session_context, idp_login, email, "password")
+
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    found_user = _get_user_by_email(signoz, admin_token, email)
+
+    assert found_user is not None
+    assert found_user["role"] == "VIEWER"
+
+
+def test_saml_update_domain_with_use_role_claim(
+    signoz: SigNoz,
+    get_token: Callable[[str, str], str],
+    get_saml_settings: Callable[[], dict],
+) -> None:
+    """
+    Updates SAML domain to enable useRoleAttribute (direct role attribute).
+    """
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    domain = _get_saml_domain(signoz, admin_token)
+    settings = get_saml_settings()
+
+    response = requests.put(
+        signoz.self.host_configs["8080"].get(f"/api/v1/domains/{domain['id']}"),
+        json={
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "saml",
+                "samlConfig": {
+                    "samlEntity": settings["entityID"],
+                    "samlIdp": settings["singleSignOnServiceLocation"],
+                    "samlCert": settings["certificate"],
+                    "samlAttributeMapping": {
+                        "name": "displayName",
+                        "groups": "groups",
+                        "role": "signoz_role",
+                    },
+                },
+                "roleMapping": {
+                    "defaultRole": "VIEWER",
+                    "groupMappings": {
+                        "signoz-admins": "ADMIN",
+                        "signoz-editors": "EDITOR",
+                    },
+                    "useRoleAttribute": True,
+                },
+            },
+        },
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+
+    assert response.status_code == HTTPStatus.NO_CONTENT
+
+
+def test_saml_role_mapping_role_claim_takes_precedence(
+    signoz: SigNoz,
+    idp: TestContainerIDP,  # pylint: disable=unused-argument
+    driver: webdriver.Chrome,
+    create_user_idp_with_role: Callable[[str, str, bool, str, List[str]], None],
+    idp_login: Callable[[str, str], None],
+    get_token: Callable[[str, str], str],
+    get_session_context: Callable[[str], str],
+    setup_user_profile: Callable[[], None],
+) -> None:
+    """
+    Test: useRoleAttribute takes precedence over group mappings.
+    User is in 'signoz-editors' group but has role attribute 'ADMIN'.
+    Expected: User gets ADMIN (from role attribute).
+    """
+
+    setup_user_profile()
+
+    email = "role-claim-precedence@saml.integration.test"
+    create_user_idp_with_role(email, "password", True, "ADMIN", ["signoz-editors"])
+
+    _perform_saml_login(signoz, driver, get_session_context, idp_login, email, "password")
+
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    found_user = _get_user_by_email(signoz, admin_token, email)
+
+    assert found_user is not None
+    assert found_user["role"] == "ADMIN"
+
+
+def test_saml_role_mapping_invalid_role_claim_fallback(
+    signoz: SigNoz,
+    idp: TestContainerIDP,  # pylint: disable=unused-argument
+    driver: webdriver.Chrome,
+    create_user_idp_with_role: Callable[[str, str, bool, str, List[str]], None],
+    idp_login: Callable[[str, str], None],
+    get_token: Callable[[str, str], str],
+    get_session_context: Callable[[str], str],
+    setup_user_profile: Callable[[], None],
+) -> None:
+    """
+    Test: Invalid role claim falls back to group mappings.
+    User has invalid role 'SUPERADMIN' and is in 'signoz-editors'.
+    Expected: User gets EDITOR (from group mapping).
+    """
+    setup_user_profile()
+    email = "invalid-role-user@saml.integration.test"
+    create_user_idp_with_role(email, "password", True, "SUPERADMIN", ["signoz-editors"])
+
+    _perform_saml_login(signoz, driver, get_session_context, idp_login, email, "password")
+
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    found_user = _get_user_by_email(signoz, admin_token, email)
+
+    assert found_user is not None
+    assert found_user["role"] == "EDITOR"
+
+
+def test_saml_role_mapping_case_insensitive(
+    signoz: SigNoz,
+    idp: TestContainerIDP,  # pylint: disable=unused-argument
+    driver: webdriver.Chrome,
+    create_user_idp_with_role: Callable[[str, str, bool, str, List[str]], None],
+    idp_login: Callable[[str, str], None],
+    get_token: Callable[[str, str], str],
+    get_session_context: Callable[[str], str],
+    setup_user_profile: Callable[[], None],
+) -> None:
+    """
+    Test: Role attribute matching is case-insensitive.
+    User has role 'admin' (lowercase).
+    Expected: User gets ADMIN role.
+    """
+    setup_user_profile()
+    email = "lowercase-role-user@saml.integration.test"
+    create_user_idp_with_role(email, "password", True, "admin", [])
+
+    _perform_saml_login(signoz, driver, get_session_context, idp_login, email, "password")
+
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    found_user = _get_user_by_email(signoz, admin_token, email)
+
+    assert found_user is not None
+    assert found_user["role"] == "ADMIN"
+
+
+# def test_saml_role_mapping_update_on_subsequent_login(
+#     signoz: SigNoz,
+#     idp: TestContainerIDP,  # pylint: disable=unused-argument
+#     driver: webdriver.Chrome,
+#     create_user_idp_with_groups: Callable[[str, str, bool, List[str]], None],
+#     add_user_to_group: Callable[[str, str], None],
+#     idp_login: Callable[[str, str], None],
+#     get_token: Callable[[str, str], str],
+#     get_session_context: Callable[[str], str],
+# ) -> None:
+#     """
+#     Test: User's role should update on subsequent logins when IDP groups change.
+    
+#     This tests the critical bug where GetOrCreateUser doesn't update roles.
+    
+#     Steps:
+#     1. User logs in with 'signoz-editors' group -> gets EDITOR role
+#     2. User's group changes in IDP to 'signoz-admins'
+#     3. User logs in again -> should get ADMIN role
+#     """
+#     email = "role-update-user@saml.integration.test"
+    
+#     # First login with EDITOR group
+#     create_user_idp_with_groups(email, "password", True, ["signoz-editors"])
+#     _perform_saml_login(signoz, driver, get_session_context, idp_login, email, "password")
+
+#     admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+#     found_user = _get_user_by_email(signoz, admin_token, email)
+
+#     assert found_user is not None
+#     assert found_user["role"] == "EDITOR"
+
+#     # Add user to admin group in IDP
+#     add_user_to_group(email, "signoz-admins")
+
+#     # Clear browser session and login again
+#     driver.delete_all_cookies()
+#     _perform_saml_login(signoz, driver, get_session_context, idp_login, email, "password")
+
+#     # Check if role was updated
+#     found_user = _get_user_by_email(signoz, admin_token, email)
+
+#     assert found_user is not None
+#     # After fix, this should be ADMIN. Currently stays EDITOR (bug).
+#     assert found_user["role"] == "ADMIN"
+
+
+#!########################################################################
+#!############## KEEP THIS IN THE END ALWAYS #############################
+#!########################################################################
+def test_cleanup_saml_domain(
+    signoz: SigNoz,
+    get_token: Callable[[str, str], str],
+) -> None:
+    """Cleanup: Remove the SAML domain after tests complete."""
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    domain = _get_saml_domain(signoz, admin_token)
+    
+    if domain:
+        response = requests.delete(
+            signoz.self.host_configs["8080"].get(f"/api/v1/domains/{domain['id']}"),
+            headers={"Authorization": f"Bearer {admin_token}"},
+            timeout=2,
+        )
+        # 204 No Content or 200 OK are both valid
+        assert response.status_code in [HTTPStatus.OK, HTTPStatus.NO_CONTENT, HTTPStatus.NOT_FOUND]
+
+    # also remove the saml client from the idp
+    response = requests.delete(
+        idp.container.host_configs["6060"].get(f"/realms/master/clients/{domain['id']}"),
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+    assert response.status_code in [HTTPStatus.OK, HTTPStatus.NO_CONTENT, HTTPStatus.NOT_FOUND]

tests/integration/src/callbackauthn/c_oidc.py

@@ -127,3 +127,429 @@ def test_oidc_authn(
 
     assert found_user is not None
     assert found_user["role"] == "VIEWER"
+
+
+def _get_oidc_domain(signoz: SigNoz, admin_token: str) -> dict:
+    """Helper to get the OIDC domain."""
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v1/domains"),
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+    return next(
+        (
+            domain
+            for domain in response.json()["data"]
+            if domain["name"] == "oidc.integration.test"
+        ),
+        None,
+    )
+
+
+def _get_user_by_email(signoz: SigNoz, admin_token: str, email: str) -> dict:
+    """Helper to get a user by email."""
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v1/user"),
+        timeout=2,
+        headers={"Authorization": f"Bearer {admin_token}"},
+    )
+    return next(
+        (user for user in response.json()["data"] if user["email"] == email),
+        None,
+    )
+
+
+def _perform_oidc_login(
+    signoz: SigNoz,
+    idp: TestContainerIDP,
+    driver: webdriver.Chrome,
+    get_session_context: Callable[[str], str],
+    idp_login: Callable[[str, str], None],
+    email: str,
+    password: str,
+) -> None:
+    """Helper to perform OIDC login flow."""
+    session_context = get_session_context(email)
+    url = session_context["orgs"][0]["authNSupport"]["callback"][0]["url"]
+    parsed_url = urlparse(url)
+    actual_url = (
+        f"{idp.container.host_configs['6060'].get(parsed_url.path)}?{parsed_url.query}"
+    )
+    driver.get(actual_url)
+    idp_login(email, password)
+
+
+def test_oidc_update_domain_with_group_mappings(
+    signoz: SigNoz,
+    idp: TestContainerIDP,
+    get_token: Callable[[str, str], str],
+    get_oidc_settings: Callable[[str], dict],
+) -> None:
+    """
+    Updates OIDC domain to add role mapping with group mappings and claim mapping.
+    """
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    domain = _get_oidc_domain(signoz, admin_token)
+    client_id = f"oidc.integration.test.{signoz.self.host_configs['8080'].address}:{signoz.self.host_configs['8080'].port}"
+    settings = get_oidc_settings(client_id)
+
+    response = requests.put(
+        signoz.self.host_configs["8080"].get(f"/api/v1/domains/{domain['id']}"),
+        json={
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "oidc",
+                "oidcConfig": {
+                    "clientId": settings["client_id"],
+                    "clientSecret": settings["client_secret"],
+                    "issuer": f"{idp.container.container_configs['6060'].get(urlparse(settings['issuer']).path)}",
+                    "issuerAlias": settings["issuer"],
+                    "getUserInfo": True,
+                    "claimMapping": {
+                        "email": "email",
+                        "name": "name",
+                        "groups": "groups",
+                        "role": "signoz_role",
+                    },
+                },
+                "roleMapping": {
+                    "defaultRole": "VIEWER",
+                    "groupMappings": {
+                        "signoz-admins": "ADMIN",
+                        "signoz-editors": "EDITOR",
+                        "signoz-viewers": "VIEWER",
+                    },
+                    "useRoleAttribute": False,
+                },
+            },
+        },
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+
+    assert response.status_code == HTTPStatus.NO_CONTENT
+
+
+def test_oidc_role_mapping_single_group_admin(
+    signoz: SigNoz,
+    idp: TestContainerIDP,
+    driver: webdriver.Chrome,
+    create_user_idp_with_groups: Callable[[str, str, bool, List[str]], None],
+    idp_login: Callable[[str, str], None],
+    get_token: Callable[[str, str], str],
+    get_session_context: Callable[[str], str],
+) -> None:
+    """
+    Test: OIDC user in 'signoz-admins' group gets ADMIN role.
+    """
+    email = "admin-group-user@oidc.integration.test"
+    create_user_idp_with_groups(email, "password123", True, ["signoz-admins"])
+
+    _perform_oidc_login(signoz, idp, driver, get_session_context, idp_login, email, "password123")
+
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    found_user = _get_user_by_email(signoz, admin_token, email)
+
+    assert found_user is not None
+    assert found_user["role"] == "ADMIN"
+
+
+def test_oidc_role_mapping_single_group_editor(
+    signoz: SigNoz,
+    idp: TestContainerIDP,
+    driver: webdriver.Chrome,
+    create_user_idp_with_groups: Callable[[str, str, bool, List[str]], None],
+    idp_login: Callable[[str, str], None],
+    get_token: Callable[[str, str], str],
+    get_session_context: Callable[[str], str],
+) -> None:
+    """
+    Test: OIDC user in 'signoz-editors' group gets EDITOR role.
+    """
+    email = "editor-group-user@oidc.integration.test"
+    create_user_idp_with_groups(email, "password123", True, ["signoz-editors"])
+
+    _perform_oidc_login(signoz, idp, driver, get_session_context, idp_login, email, "password123")
+
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    found_user = _get_user_by_email(signoz, admin_token, email)
+
+    assert found_user is not None
+    assert found_user["role"] == "EDITOR"
+
+
+def test_oidc_role_mapping_multiple_groups_highest_wins(
+    signoz: SigNoz,
+    idp: TestContainerIDP,
+    driver: webdriver.Chrome,
+    create_user_idp_with_groups: Callable[[str, str, bool, List[str]], None],
+    idp_login: Callable[[str, str], None],
+    get_token: Callable[[str, str], str],
+    get_session_context: Callable[[str], str],
+) -> None:
+    """
+    Test: OIDC user in multiple groups gets highest role.
+    User is in 'signoz-viewers' and 'signoz-admins'.
+    Expected: User gets ADMIN (highest of the two).
+    """
+    email = "multi-group-user@oidc.integration.test"
+    create_user_idp_with_groups(email, "password123", True, ["signoz-viewers", "signoz-admins"])
+
+    _perform_oidc_login(signoz, idp, driver, get_session_context, idp_login, email, "password123")
+
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    found_user = _get_user_by_email(signoz, admin_token, email)
+
+    assert found_user is not None
+    assert found_user["role"] == "ADMIN"
+
+
+def test_oidc_role_mapping_explicit_viewer_group(
+    signoz: SigNoz,
+    idp: TestContainerIDP,
+    driver: webdriver.Chrome,
+    create_user_idp_with_groups: Callable[[str, str, bool, List[str]], None],
+    idp_login: Callable[[str, str], None],
+    get_token: Callable[[str, str], str],
+    get_session_context: Callable[[str], str],
+) -> None:
+    """
+    Test: OIDC user explicitly mapped to VIEWER via groups gets VIEWER.
+    Tests the bug where VIEWER mappings were ignored.
+    """
+    email = "viewer-group-user@oidc.integration.test"
+    create_user_idp_with_groups(email, "password123", True, ["signoz-viewers"])
+
+    _perform_oidc_login(signoz, idp, driver, get_session_context, idp_login, email, "password123")
+
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    found_user = _get_user_by_email(signoz, admin_token, email)
+
+    assert found_user is not None
+    assert found_user["role"] == "VIEWER"
+
+
+def test_oidc_role_mapping_unmapped_group_uses_default(
+    signoz: SigNoz,
+    idp: TestContainerIDP,
+    driver: webdriver.Chrome,
+    create_user_idp_with_groups: Callable[[str, str, bool, List[str]], None],
+    idp_login: Callable[[str, str], None],
+    get_token: Callable[[str, str], str],
+    get_session_context: Callable[[str], str],
+) -> None:
+    """
+    Test: OIDC user in unmapped group falls back to default role.
+    """
+    email = "unmapped-group-user@oidc.integration.test"
+    create_user_idp_with_groups(email, "password123", True, ["some-other-group"])
+
+    _perform_oidc_login(signoz, idp, driver, get_session_context, idp_login, email, "password123")
+
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    found_user = _get_user_by_email(signoz, admin_token, email)
+
+    assert found_user is not None
+    assert found_user["role"] == "VIEWER"
+
+
+def test_oidc_update_domain_with_use_role_claim(
+    signoz: SigNoz,
+    idp: TestContainerIDP,
+    get_token: Callable[[str, str], str],
+    get_oidc_settings: Callable[[str], dict],
+) -> None:
+    """
+    Updates OIDC domain to enable useRoleClaim.
+    """
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    domain = _get_oidc_domain(signoz, admin_token)
+    client_id = f"oidc.integration.test.{signoz.self.host_configs['8080'].address}:{signoz.self.host_configs['8080'].port}"
+    settings = get_oidc_settings(client_id)
+
+    response = requests.put(
+        signoz.self.host_configs["8080"].get(f"/api/v1/domains/{domain['id']}"),
+        json={
+            "config": {
+                "ssoEnabled": True,
+                "ssoType": "oidc",
+                "oidcConfig": {
+                    "clientId": settings["client_id"],
+                    "clientSecret": settings["client_secret"],
+                    "issuer": f"{idp.container.container_configs['6060'].get(urlparse(settings['issuer']).path)}",
+                    "issuerAlias": settings["issuer"],
+                    "getUserInfo": True,
+                    "claimMapping": {
+                        "email": "email",
+                        "name": "name",
+                        "groups": "groups",
+                        "role": "signoz_role",
+                    },
+                },
+                "roleMapping": {
+                    "defaultRole": "VIEWER",
+                    "groupMappings": {
+                        "signoz-admins": "ADMIN",
+                        "signoz-editors": "EDITOR",
+                    },
+                    "useRoleAttribute": True,
+                },
+            },
+        },
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+
+    assert response.status_code == HTTPStatus.NO_CONTENT
+
+
+def test_oidc_role_mapping_role_claim_takes_precedence(
+    signoz: SigNoz,
+    idp: TestContainerIDP,
+    driver: webdriver.Chrome,
+    create_user_idp_with_role: Callable[[str, str, bool, str, List[str]], None],
+    idp_login: Callable[[str, str], None],
+    get_token: Callable[[str, str], str],
+    get_session_context: Callable[[str], str],
+    setup_user_profile: Callable[[], None],
+) -> None:
+    """
+    Test: useRoleAttribute takes precedence over group mappings.
+    User is in 'signoz-editors' group but has role claim 'ADMIN'.
+    Expected: User gets ADMIN (from role claim).
+    """
+    setup_user_profile()
+    email = "role-claim-precedence@oidc.integration.test"
+    create_user_idp_with_role(email, "password123", True, "ADMIN", ["signoz-editors"])
+
+    _perform_oidc_login(signoz, idp, driver, get_session_context, idp_login, email, "password123")
+
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    found_user = _get_user_by_email(signoz, admin_token, email)
+
+    assert found_user is not None
+    assert found_user["role"] == "ADMIN"
+
+
+def test_oidc_role_mapping_invalid_role_claim_fallback(
+    signoz: SigNoz,
+    idp: TestContainerIDP,
+    driver: webdriver.Chrome,
+    create_user_idp_with_role: Callable[[str, str, bool, str, List[str]], None],
+    idp_login: Callable[[str, str], None],
+    get_token: Callable[[str, str], str],
+    get_session_context: Callable[[str], str],
+    setup_user_profile: Callable[[], None],
+) -> None:
+    """
+    Test: Invalid role claim falls back to group mappings.
+    User has invalid role 'SUPERADMIN' and is in 'signoz-editors'.
+    Expected: User gets EDITOR (from group mapping).
+    """
+    setup_user_profile()
+    email = "invalid-role-user@oidc.integration.test"
+    create_user_idp_with_role(email, "password123", True, "SUPERADMIN", ["signoz-editors"])
+
+    _perform_oidc_login(signoz, idp, driver, get_session_context, idp_login, email, "password123")
+
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    found_user = _get_user_by_email(signoz, admin_token, email)
+
+    assert found_user is not None
+    assert found_user["role"] == "EDITOR"
+
+
+def test_oidc_role_mapping_case_insensitive(
+    signoz: SigNoz,
+    idp: TestContainerIDP,
+    driver: webdriver.Chrome,
+    create_user_idp_with_role: Callable[[str, str, bool, str, List[str]], None],
+    idp_login: Callable[[str, str], None],
+    get_token: Callable[[str, str], str],
+    get_session_context: Callable[[str], str],
+    setup_user_profile: Callable[[], None],
+) -> None:
+    """
+    Test: Role claim matching is case-insensitive.
+    User has role 'editor' (lowercase).
+    Expected: User gets EDITOR role.
+    """
+    setup_user_profile()
+    email = "lowercase-role-user@oidc.integration.test"
+    create_user_idp_with_role(email, "password123", True, "editor", [])
+
+    _perform_oidc_login(signoz, idp, driver, get_session_context, idp_login, email, "password123")
+
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    found_user = _get_user_by_email(signoz, admin_token, email)
+
+    assert found_user is not None
+    assert found_user["role"] == "EDITOR"
+
+
+# def test_oidc_role_mapping_update_on_subsequent_login(
+#     signoz: SigNoz,
+#     idp: TestContainerIDP,
+#     driver: webdriver.Chrome,
+#     create_user_idp_with_groups: Callable[[str, str, bool, List[str]], None],
+#     add_user_to_group: Callable[[str, str], None],
+#     idp_login: Callable[[str, str], None],
+#     get_token: Callable[[str, str], str],
+#     get_session_context: Callable[[str], str],
+# ) -> None:
+#     """
+#     Test: User's role should update on subsequent logins when IDP groups change.
+    
+#     This tests the critical bug where GetOrCreateUser doesn't update roles.
+    
+#     Steps:
+#     1. User logs in with 'signoz-editors' group -> gets EDITOR role
+#     2. User's group changes in IDP to 'signoz-admins'
+#     3. User logs in again -> should get ADMIN role
+#     """
+#     email = "role-update-user@oidc.integration.test"
+    
+#     # First login with EDITOR group
+#     create_user_idp_with_groups(email, "password123", True, ["signoz-editors"])
+#     _perform_oidc_login(signoz, idp, driver, get_session_context, idp_login, email, "password123")
+
+#     admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+#     found_user = _get_user_by_email(signoz, admin_token, email)
+
+#     assert found_user is not None
+#     assert found_user["role"] == "EDITOR"
+
+#     # Add user to admin group in IDP
+#     add_user_to_group(email, "signoz-admins")
+
+#     # Clear browser session and login again
+#     driver.delete_all_cookies()
+#     _perform_oidc_login(signoz, idp, driver, get_session_context, idp_login, email, "password123")
+
+#     # Check if role was updated
+#     found_user = _get_user_by_email(signoz, admin_token, email)
+
+#     assert found_user is not None
+#     # After fix, this should be ADMIN. Currently stays EDITOR (bug).
+#     assert found_user["role"] == "ADMIN"
+
+
+#!########################################################################
+#!############## KEEP THIS IN THE END ALWAYS #############################
+#!########################################################################
+def test_cleanup_oidc_domain(
+    signoz: SigNoz,
+    get_token: Callable[[str, str], str],
+) -> None:
+    """Cleanup: Remove the OIDC domain after tests complete."""
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    domain = _get_oidc_domain(signoz, admin_token)
+    
+    if domain:
+        response = requests.delete(
+            signoz.self.host_configs["8080"].get(f"/api/v1/domains/{domain['id']}"),
+            headers={"Authorization": f"Bearer {admin_token}"},
+            timeout=2,
+        )
+        # 204 No Content or 200 OK are both valid
+        assert response.status_code in [HTTPStatus.OK, HTTPStatus.NO_CONTENT, HTTPStatus.NOT_FOUND]

tests/integration/src/cloudintegrations/a_get_connection_params.py

@@ -146,16 +146,16 @@ def test_generate_connection_params(
     data = response_data["data"]
 
     # ingestion_key is created by the mocked gateway and should match
-    assert data["ingestion_key"] == "test-ingestion-key-123456", (
-        "ingestion_key should match the mocked ingestion key"
-    )
+    assert (
+        data["ingestion_key"] == "test-ingestion-key-123456"
+    ), "ingestion_key should match the mocked ingestion key"
 
     # ingestion_url should be https://ingest.test.signoz.cloud based on the mocked deployment DNS
-    assert data["ingestion_url"] == "https://ingest.test.signoz.cloud", (
-        "ingestion_url should be https://ingest.test.signoz.cloud"
-    )
+    assert (
+        data["ingestion_url"] == "https://ingest.test.signoz.cloud"
+    ), "ingestion_url should be https://ingest.test.signoz.cloud"
 
     # signoz_api_url should be https://test-deployment.test.signoz.cloud based on the mocked deployment name and DNS
-    assert data["signoz_api_url"] == "https://test-deployment.test.signoz.cloud", (
-        "signoz_api_url should be https://test-deployment.test.signoz.cloud"
-    )
+    assert (
+        data["signoz_api_url"] == "https://test-deployment.test.signoz.cloud"
+    ), "signoz_api_url should be https://test-deployment.test.signoz.cloud"

tests/integration/src/dashboard/a_public_dashboard.py

@@ -1,11 +1,12 @@
 from http import HTTPStatus
 from typing import Callable, List
-from wiremock.resources.mappings import Mapping
+
 import requests
 from sqlalchemy import sql
+from wiremock.resources.mappings import Mapping
 
-from fixtures.auth import USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD,add_license
-from fixtures.types import Operation, SigNoz,TestContainerDocker
+from fixtures.auth import USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD, add_license
+from fixtures.types import Operation, SigNoz, TestContainerDocker
 
 
 def test_apply_license(
@@ -19,6 +20,7 @@ def test_apply_license(
     """
     add_license(signoz, make_http_mocks, get_token)
 
+
 def test_create_and_get_public_dashboard(
     signoz: SigNoz,
     create_user_admin: Operation,  # pylint: disable=unused-argument
@@ -28,11 +30,7 @@ def test_create_and_get_public_dashboard(
 
     response = requests.post(
         signoz.self.host_configs["8080"].get("/api/v1/dashboards"),
-        json={
-            "title": "Sample Title",
-            "uploadedGrafana": False,
-            "version": "v5"
-        },
+        json={"title": "Sample Title", "uploadedGrafana": False, "version": "v5"},
         headers={"Authorization": f"Bearer {admin_token}"},
         timeout=2,
     )
@@ -40,10 +38,12 @@ def test_create_and_get_public_dashboard(
     assert response.status_code == HTTPStatus.CREATED
     assert response.json()["status"] == "success"
     data = response.json()["data"]
-    id = data["id"]
+    dashboard_id = data["id"]
 
     response = requests.post(
-        signoz.self.host_configs["8080"].get(f"/api/v1/dashboards/{id}/public"),
+        signoz.self.host_configs["8080"].get(
+            f"/api/v1/dashboards/{dashboard_id}/public"
+        ),
         json={
             "timeRangeEnabled": True,
             "defaultTimeRange": "10s",
@@ -56,25 +56,27 @@ def test_create_and_get_public_dashboard(
     assert "id" in response.json()["data"]
 
     response = requests.get(
-        signoz.self.host_configs["8080"].get(f"/api/v1/dashboards/{id}/public"),
+        signoz.self.host_configs["8080"].get(
+            f"/api/v1/dashboards/{dashboard_id}/public"
+        ),
         headers={"Authorization": f"Bearer {admin_token}"},
         timeout=2,
     )
 
     assert response.status_code == HTTPStatus.OK
     assert response.json()["status"] == "success"
-    assert response.json()["data"]["timeRangeEnabled"] == True
+    assert response.json()["data"]["timeRangeEnabled"] is True
     assert response.json()["data"]["defaultTimeRange"] == "10s"
     public_path = response.json()["data"]["publicPath"]
     assert public_path.startswith("/public/dashboard/")
     public_dashboard_id = public_path.split("/public/dashboard/")[-1]
 
-    row = None    
+    row = None
     with signoz.sqlstore.conn.connect() as conn:
         # verify the role creation
         result = conn.execute(
             sql.text("SELECT * FROM role WHERE name = :role"),
-            {"role": "signoz-anonymous"}
+            {"role": "signoz-anonymous"},
         )
         row = result.mappings().fetchone()
         assert row is not None
@@ -84,18 +86,18 @@ def test_create_and_get_public_dashboard(
         tuple_object_id = f"organization/{row["org_id"]}/role/{row["id"]}"
         tuple_result = conn.execute(
             sql.text("SELECT * FROM tuple WHERE object_id = :object_id"),
-            {"object_id": tuple_object_id}
+            {"object_id": tuple_object_id},
         )
         tuple_row = tuple_result.fetchone()
         assert tuple_row is not None
 
         # verify the tuple creation for public-dashboard
-        tuple_object_id = f"organization/{row["org_id"]}/public-dashboard/{public_dashboard_id}"
+        tuple_object_id = (
+            f"organization/{row["org_id"]}/public-dashboard/{public_dashboard_id}"
+        )
         tuple_result = conn.execute(
             sql.text("SELECT * FROM tuple WHERE object_id = :object_id"),
-            {"object_id": tuple_object_id}
+            {"object_id": tuple_object_id},
         )
         tuple_row = tuple_result.fetchone()
         assert tuple_row is not None
-        
-    

tests/integration/src/passwordauthn/b_license.py

@@ -1,9 +1,7 @@
 import http
-import json
 from typing import Callable, List
 
 import requests
-from sqlalchemy import sql
 from wiremock.client import (
     HttpMethods,
     Mapping,
@@ -138,7 +136,7 @@ def test_refresh_license(
     )
     assert response.status_code == http.HTTPStatus.OK
     assert response.json()["data"]["valid_from"] == 1732146922
-   
+
     response = requests.post(
         url=signoz.zeus.host_configs["8080"].get("/__admin/requests/count"),
         json={"method": "GET", "url": "/v2/licenses/me"},

tests/integration/src/passwordauthn/d_password.py

@@ -185,7 +185,6 @@ def test_reset_password(
     assert token is not None
 
 
-
 def test_reset_password_with_no_password(
     signoz: types.SigNoz, get_token: Callable[[str, str], str]
 ) -> None:

tests/integration/src/passwordauthn/e_role.py

@@ -1,11 +1,16 @@
-from typing import Tuple
-import requests
 from http import HTTPStatus
+from typing import Callable, Tuple
+
 import requests
-from typing import Callable
+
 from fixtures import types
 
-def test_change_role(signoz: types.SigNoz, get_token: Callable[[str, str], str], get_tokens: Callable[[str, str], Tuple[str, str]]):
+
+def test_change_role(
+    signoz: types.SigNoz,
+    get_token: Callable[[str, str], str],
+    get_tokens: Callable[[str, str], Tuple[str, str]],
+):
     admin_token = get_token("admin@integration.test", "password123Z$")
 
     # Create a new user as VIEWER
@@ -34,7 +39,9 @@ def test_change_role(signoz: types.SigNoz, get_token: Callable[[str, str], str],
     assert response.status_code == HTTPStatus.CREATED
 
     # Make some API calls as new user
-    new_user_token, new_user_refresh_token = get_tokens("admin+rolechange@integration.test", "password123Z$")
+    new_user_token, new_user_refresh_token = get_tokens(
+        "admin+rolechange@integration.test", "password123Z$"
+    )
 
     response = requests.get(
         signoz.self.host_configs["8080"].get("/api/v1/user/me"),
@@ -54,7 +61,7 @@ def test_change_role(signoz: types.SigNoz, get_token: Callable[[str, str], str],
     )
 
     assert response.status_code == HTTPStatus.FORBIDDEN
-    
+
     # Change the new user's role - move to ADMIN
     response = requests.put(
         signoz.self.host_configs["8080"].get(f"/api/v1/user/{new_user_id}"),
@@ -91,7 +98,10 @@ def test_change_role(signoz: types.SigNoz, get_token: Callable[[str, str], str],
 
     # Make some API call again which is protected
     rotate_response = response.json()["data"]
-    new_user_token, new_user_refresh_token = rotate_response["accessToken"], rotate_response["refreshToken"]
+    new_user_token, new_user_refresh_token = (
+        rotate_response["accessToken"],
+        rotate_response["refreshToken"],
+    )
 
     response = requests.get(
         signoz.self.host_configs["8080"].get("/api/v1/org/preferences"),

tests/integration/src/preference/a_user.py

@@ -0,0 +1,71 @@
+from http import HTTPStatus
+from typing import Callable
+
+import requests
+
+from fixtures import types
+from fixtures.logger import setup_logger
+
+logger = setup_logger(__name__)
+
+
+def test_get_user_preference(
+    signoz: types.SigNoz,
+    create_user_admin: types.Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    admin_token = get_token("admin@integration.test", "password123Z$")
+
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v1/user/preferences"),
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+
+    assert response.status_code == HTTPStatus.OK
+    assert response.json()["data"] is not None
+
+
+def test_get_set_user_preference_by_name(
+    signoz: types.SigNoz,
+    create_user_admin: types.Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    admin_token = get_token("admin@integration.test", "password123Z$")
+
+    # preference does not exist
+    response = requests.get(
+        signoz.self.host_configs["8080"].get(
+            "/api/v1/user/preferences/somenonexistentpreference"
+        ),
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+
+    # This should be NOT_FOUND
+    assert response.status_code == HTTPStatus.BAD_REQUEST
+
+    # play with welcome_checklist_do_later preference
+    response = requests.put(
+        signoz.self.host_configs["8080"].get(
+            "/api/v1/user/preferences/welcome_checklist_do_later"
+        ),
+        headers={"Authorization": f"Bearer {admin_token}"},
+        json={"value": True},
+        timeout=2,
+    )
+
+    assert response.status_code == HTTPStatus.NO_CONTENT
+
+    # get preference by name
+    response = requests.get(
+        signoz.self.host_configs["8080"].get(
+            "/api/v1/user/preferences/welcome_checklist_do_later"
+        ),
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+
+    assert response.status_code == HTTPStatus.OK
+    assert response.json()["data"] is not None
+    assert response.json()["data"]["value"] is True

tests/integration/src/ttl/a_ttl.py

@@ -83,7 +83,9 @@ def test_set_ttl_traces_success(
     assert all("toIntervalSecond(12960000)" in ttl_part for ttl_part in ttl_parts)
 
 
-def test_set_ttl_traces_with_cold_storage(signoz: types.SigNoz, get_token: Callable[[str, str], str]):
+def test_set_ttl_traces_with_cold_storage(
+    signoz: types.SigNoz, get_token: Callable[[str, str], str]
+):
     """Test setting TTL for traces with cold storage configuration."""
     payload = {
         "type": "traces",
@@ -292,10 +294,7 @@ def test_set_custom_retention_ttl_basic(
             retention_col[3] == "100"
         ), f"Expected default value of _retention_days to be 100 in table {table}, but got {retention_col[3]}"
 
-    tables_to_check = [
-        "logs_attribute_keys",
-        "logs_resource_keys"
-    ]
+    tables_to_check = ["logs_attribute_keys", "logs_resource_keys"]
 
     # Query to get table engine info which includes TTL
     table_list = "', '".join(tables_to_check)
@@ -316,8 +315,8 @@ def test_set_custom_retention_ttl_basic(
 def test_set_custom_retention_ttl_basic_fallback(
     signoz: types.SigNoz,
     get_token,
-    ttl_legacy_logs_v2_table_setup, # pylint: disable=unused-argument
-    ttl_legacy_logs_v2_resource_table_setup, # pylint: disable=unused-argument
+    ttl_legacy_logs_v2_table_setup,  # pylint: disable=unused-argument
+    ttl_legacy_logs_v2_resource_table_setup,  # pylint: disable=unused-argument
 ):
     """Test setting TTL for logs using the new setTTLLogs method."""
 
@@ -354,7 +353,7 @@ def test_set_custom_retention_ttl_basic_fallback(
         "logs_v2",
         "logs_v2_resource",
         "logs_attribute_keys",
-        "logs_resource_keys"
+        "logs_resource_keys",
     ]
 
     # Query to get table engine info which includes TTL
@@ -678,8 +677,8 @@ def test_get_custom_retention_ttl(
 def test_set_ttl_logs_success(
     signoz: types.SigNoz,
     get_token,
-    ttl_legacy_logs_v2_table_setup,# pylint: disable=unused-argument
-    ttl_legacy_logs_v2_resource_table_setup,# pylint: disable=unused-argument
+    ttl_legacy_logs_v2_table_setup,  # pylint: disable=unused-argument
+    ttl_legacy_logs_v2_resource_table_setup,  # pylint: disable=unused-argument
 ):
     """Test setting TTL for logs using the new setTTLLogs method."""