feat: custom root roles (#3975)

## About the changes Implements custom root roles, encompassing a lot of different areas of the project, and slightly refactoring the current roles logic. It includes quite a clean up. This feature itself is behind a flag: `customRootRoles` This feature covers root roles in: - Users; - Service Accounts; - Groups; Apologies in advance. I may have gotten a bit carried away 🙈 ### Roles We now have a new admin tab called "Roles" where we can see all root roles and manage custom ones. We are not allowed to edit or remove *predefined* roles. ![image](https://github.com/Unleash/unleash/assets/14320932/1ad8695c-8c3f-440d-ac32-39746720d588) This meant slightly pushing away the existing roles to `project-roles` instead. One idea we want to explore in the future is to unify both types of roles in the UI instead of having 2 separate tabs. This includes modernizing project roles to fit more into our current design and decisions. Hovering the permissions cell expands detailed information about the role: ![image](https://github.com/Unleash/unleash/assets/14320932/81c4aae7-8b4d-4cb4-92d1-8f1bc3ef1f2a) ### Create and edit role Here's how the role form looks like (create / edit): ![image](https://github.com/Unleash/unleash/assets/14320932/85baec29-bb10-48c5-a207-b3e9a8de838a) Here I categorized permissions so it's easier to visualize and manage from a UX perspective. I'm using the same endpoint as before. I tried to unify the logic and get rid of the `projectRole` specific hooks. What distinguishes custom root roles from custom project roles is the extra `root-custom` type we see on the payload. By default we assume `custom` (custom project role) instead, which should help in terms of backwards compatibility. ### Delete role When we delete a custom role we try to help the end user make an informed decision by listing all the entities which currently use this custom root role: ![image](https://github.com/Unleash/unleash/assets/14320932/352ed529-76be-47a8-88da-5e924fb191d4) ~~As mentioned in the screenshot, when deleting a custom role, we demote all entities associated with it to the predefined `Viewer` role.~~ **EDIT**: Apparently we currently block this from the API (access-service deleteRole) with a message: ![image](https://github.com/Unleash/unleash/assets/14320932/82a8e50f-8dc5-4c18-a2ba-54e2ae91b91c) What should the correct behavior be? ### Role selector I added a new easy-to-use role selector component that is present in: - Users ![image](https://github.com/Unleash/unleash/assets/14320932/76953139-7fb6-437e-b3fa-ace1d9187674) - Service Accounts ![image](https://github.com/Unleash/unleash/assets/14320932/2b80bd55-9abb-4883-b715-15650ae752ea) - Groups ![image](https://github.com/Unleash/unleash/assets/14320932/ab438f7c-2245-4779-b157-2da1689fe402) ### Role description I also added a new role description component that you can see below the dropdown in the selector component, but it's also used to better describe each role in the respective tables: ![image](https://github.com/Unleash/unleash/assets/14320932/a3eecac1-2a34-4500-a68c-e3f62ebfa782) I'm not listing all the permissions of predefined roles. Those simply show the description in the tooltip: ![image](https://github.com/Unleash/unleash/assets/14320932/7e5b2948-45f0-4472-8311-bf533409ba6c) ### Role badge Groups is a bit different, since it uses a list of cards, so I added yet another component - Role badge: ![image](https://github.com/Unleash/unleash/assets/14320932/1d62c3db-072a-4c97-b86f-1d8ebdd3523e) I'm using this same component on the profile tab: ![image](https://github.com/Unleash/unleash/assets/14320932/214272db-a828-444e-8846-4f39b9456bc6) ## Discussion points - Are we being defensive enough with the use of the flag? Should we cover more? - Are we breaking backwards compatibility in any way? - What should we do when removing a role? Block or demote? - Maybe some existing permission-related issues will surface with this change: Are we being specific enough with our permissions? A lot of places are simply checking for `ADMIN`; - We may want to get rid of the API roles coupling we have with the users and SAs and instead use the new hooks (e.g. `useRoles`) explicitly; - We should update the docs; - Maybe we could allow the user to add a custom role directly from the role selector component; --------- Co-authored-by: Gastón Fournier <gaston@getunleash.io>
2025-10-27 11:02:16 +01:00 · 2023-06-14 14:40:40 +01:00 · 2023-06-14 14:40:40 +01:00 · bb026c0ba1
commit bb026c0ba1
parent 1bd182d02a
70 changed files with 2036 additions and 490 deletions
--- a/frontend/src/component/admin/Admin.tsx
+++ b/frontend/src/component/admin/Admin.tsx
@ -15,6 +15,7 @@ import AdminMenu from './menu/AdminMenu';
 import { Network } from './network/Network';
 import CreateProjectRole from './projectRoles/CreateProjectRole/CreateProjectRole';
 import EditProjectRole from './projectRoles/EditProjectRole/EditProjectRole';
 import { Roles } from './roles/Roles';
 import ProjectRoles from './projectRoles/ProjectRoles/ProjectRoles';
 import { ServiceAccounts } from './serviceAccounts/ServiceAccounts';
 import CreateUser from './users/CreateUser/CreateUser';
@ -27,8 +28,11 @@ export const Admin = () => (
        <AdminMenu />
        <Routes>
            <Route path="users" element={<UsersAdmin />} />
-            <Route path="create-project-role" element={<CreateProjectRole />} />
+            <Route path="project-roles/new" element={<CreateProjectRole />} />
-            <Route path="roles/:id/edit" element={<EditProjectRole />} />
+            <Route
                path="project-roles/:id/edit"
                element={<EditProjectRole />}
            />
            <Route path="api" element={<ApiTokenPage />} />
            <Route path="api/create-token" element={<CreateApiToken />} />
            <Route path="users/:id/edit" element={<EditUser />} />
@ -42,7 +46,8 @@ export const Admin = () => (
                element={<EditGroupContainer />}
            />
            <Route path="groups/:groupId" element={<Group />} />
-            <Route path="roles" element={<ProjectRoles />} />
+            <Route path="roles" element={<Roles />} />
            <Route path="project-roles" element={<ProjectRoles />} />
            <Route path="instance" element={<InstanceAdmin />} />
            <Route path="network/*" element={<Network />} />
            <Route path="maintenance" element={<MaintenanceAdmin />} />
--- a/frontend/src/component/admin/groups/GroupForm/GroupForm.tsx
+++ b/frontend/src/component/admin/groups/GroupForm/GroupForm.tsx
@ -1,5 +1,5 @@
 import React, { FC } from 'react';
-import { Autocomplete, Box, Button, styled, TextField } from '@mui/material';
+import { Box, Button, styled } from '@mui/material';
 import { UG_DESC_ID, UG_NAME_ID } from 'utils/testIds';
 import Input from 'component/common/Input/Input';
 import { IGroupUser } from 'interfaces/group';
@ -10,9 +10,10 @@ import { ItemList } from 'component/common/ItemList/ItemList';
 import useAuthSettings from 'hooks/api/getters/useAuthSettings/useAuthSettings';
 import { Link } from 'react-router-dom';
 import { HelpIcon } from 'component/common/HelpIcon/HelpIcon';
-import { IProjectRole } from 'interfaces/role';
+import IRole from 'interfaces/role';
 import { useUsers } from 'hooks/api/getters/useUsers/useUsers';
 import useUiConfig from 'hooks/api/getters/useUiConfig/useUiConfig';
 import { RoleSelect } from 'component/common/RoleSelect/RoleSelect';
 const StyledForm = styled('form')(() => ({
    display: 'flex',
@ -74,15 +75,6 @@ const StyledAutocompleteWrapper = styled('div')(({ theme }) => ({
    },
 }));
 const StyledRoleOption = styled('div')(({ theme }) => ({
    display: 'flex',
    flexDirection: 'column',
    '& > span:last-of-type': {
        fontSize: theme.fontSizes.smallerBody,
        color: theme.palette.text.secondary,
    },
 }));
 interface IGroupForm {
    name: string;
    description: string;
@ -128,24 +120,10 @@ export const GroupForm: FC<IGroupForm> = ({
    const groupRootRolesEnabled = Boolean(uiConfig.flags.groupRootRoles);
-    const roleIdToRole = (rootRoleId: number | null): IProjectRole | null => {
+    const roleIdToRole = (rootRoleId: number | null): IRole | null => {
-        return (
+        return roles.find((role: IRole) => role.id === rootRoleId) || null;
            roles.find((role: IProjectRole) => role.id === rootRoleId) || null
        );
    };
    const renderRoleOption = (
        props: React.HTMLAttributes<HTMLLIElement>,
        option: IProjectRole
    ) => (
        <li {...props}>
            <StyledRoleOption>
                <span>{option.name}</span>
                <span>{option.description}</span>
            </StyledRoleOption>
        </li>
    );
    return (
        <StyledForm onSubmit={handleSubmit}>
            <div>
@ -214,23 +192,12 @@ export const GroupForm: FC<IGroupForm> = ({
                                </Box>
                            </StyledInputDescription>
                            <StyledAutocompleteWrapper>
-                                <Autocomplete
+                                <RoleSelect
                                    data-testid="GROUP_ROOT_ROLE"
                                    size="small"
                                    openOnFocus
                                    value={roleIdToRole(rootRole)}
-                                    onChange={(_, newValue) =>
+                                    setValue={role =>
-                                        setRootRole(newValue?.id || null)
+                                        setRootRole(role?.id || null)
                                    }
                                    options={roles.filter(
                                        (role: IProjectRole) =>
                                            role.name !== 'Viewer'
                                    )}
                                    renderOption={renderRoleOption}
                                    getOptionLabel={option => option.name}
                                    renderInput={params => (
                                        <TextField {...params} label="Role" />
                                    )}
                                />
                            </StyledAutocompleteWrapper>
                        </>
--- a/frontend/src/component/admin/groups/GroupsList/GroupCard/GroupCard.tsx
+++ b/frontend/src/component/admin/groups/GroupsList/GroupCard/GroupCard.tsx
@ -6,7 +6,7 @@ import { GroupCardAvatars } from './GroupCardAvatars/GroupCardAvatars';
 import { Badge } from 'component/common/Badge/Badge';
 import { GroupCardActions } from './GroupCardActions/GroupCardActions';
 import TopicOutlinedIcon from '@mui/icons-material/TopicOutlined';
-import { IProjectRole } from 'interfaces/role';
+import { RoleBadge } from 'component/common/RoleBadge/RoleBadge';
 const StyledLink = styled(Link)(({ theme }) => ({
    textDecoration: 'none',
@ -86,14 +86,12 @@ const InfoBadgeDescription = styled('span')(({ theme }) => ({
 interface IGroupCardProps {
    group: IGroup;
    rootRoles: IProjectRole[];
    onEditUsers: (group: IGroup) => void;
    onRemoveGroup: (group: IGroup) => void;
 }
 export const GroupCard = ({
    group,
    rootRoles,
    onEditUsers,
    onRemoveGroup,
 }: IGroupCardProps) => {
@ -117,17 +115,7 @@ export const GroupCard = ({
                        show={
                            <InfoBadgeDescription>
                                <p>Root role:</p>
-                                <Badge
+                                <RoleBadge roleId={group.rootRole!} />
                                    color="success"
                                    icon={<TopicOutlinedIcon />}
                                >
                                    {
                                        rootRoles.find(
                                            (role: IProjectRole) =>
                                                role.id === group.rootRole
                                        )?.name
                                    }
                                </Badge>
                            </InfoBadgeDescription>
                        }
                    />
--- a/frontend/src/component/admin/groups/GroupsList/GroupsList.tsx
+++ b/frontend/src/component/admin/groups/GroupsList/GroupsList.tsx
@ -18,8 +18,6 @@ import { Add } from '@mui/icons-material';
 import { NAVIGATE_TO_CREATE_GROUP } from 'utils/testIds';
 import { EditGroupUsers } from '../Group/EditGroupUsers/EditGroupUsers';
 import { RemoveGroup } from '../RemoveGroup/RemoveGroup';
 import { useUsers } from 'hooks/api/getters/useUsers/useUsers';
 import { IProjectRole } from 'interfaces/role';
 type PageQueryType = Partial<Record<'search', string>>;
@ -51,7 +49,6 @@ export const GroupsList: VFC = () => {
    const [searchValue, setSearchValue] = useState(
        searchParams.get('search') || ''
    );
    const { roles } = useUsers();
    const isSmallScreen = useMediaQuery(theme.breakpoints.down('md'));
@ -85,10 +82,6 @@ export const GroupsList: VFC = () => {
        setRemoveOpen(true);
    };
    const getBindableRootRoles = () => {
        return roles.filter((role: IProjectRole) => role.type === 'root');
    };
    return (
        <PageContent
            isLoading={loading}
@ -141,7 +134,6 @@ export const GroupsList: VFC = () => {
                        <Grid key={group.id} item xs={12} md={6}>
                            <GroupCard
                                group={group}
                                rootRoles={getBindableRootRoles()}
                                onEditUsers={onEditUsers}
                                onRemoveGroup={onRemoveGroup}
                            />
--- a/frontend/src/component/admin/menu/AdminMenu.tsx
+++ b/frontend/src/component/admin/menu/AdminMenu.tsx
@ -55,11 +55,21 @@ function AdminMenu() {
                        }
                    />
                )}
-                {flags.RE && (
+                {flags.customRootRoles && (
                    <Tab
                        value="roles"
                        label={
                            <CenteredNavLink to="/admin/roles">
                                <span>Roles</span>
                            </CenteredNavLink>
                        }
                    />
                )}
                {flags.RE && (
                    <Tab
                        value="project-roles"
                        label={
                            <CenteredNavLink to="/admin/project-roles">
                                <span>Project roles</span>
                            </CenteredNavLink>
                        }
--- a/frontend/src/component/admin/projectRoles/CreateProjectRole/CreateProjectRole.tsx
+++ b/frontend/src/component/admin/projectRoles/CreateProjectRole/CreateProjectRole.tsx
@ -1,5 +1,5 @@
 import FormTemplate from 'component/common/FormTemplate/FormTemplate';
-import useProjectRolesApi from 'hooks/api/actions/useProjectRolesApi/useProjectRolesApi';
+import { useRolesApi } from 'hooks/api/actions/useRolesApi/useRolesApi';
 import { useNavigate } from 'react-router-dom';
 import ProjectRoleForm from '../ProjectRoleForm/ProjectRoleForm';
 import useProjectRoleForm from '../hooks/useProjectRoleForm';
@ -33,7 +33,7 @@ const CreateProjectRole = () => {
        getRoleKey,
    } = useProjectRoleForm();
-    const { createRole, loading } = useProjectRolesApi();
+    const { addRole, loading } = useRolesApi();
    const onSubmit = async (e: Event) => {
        e.preventDefault();
@ -44,8 +44,8 @@ const CreateProjectRole = () => {
        if (validName && validPermissions) {
            const payload = getProjectRolePayload();
            try {
-                await createRole(payload);
+                await addRole(payload);
-                navigate('/admin/roles');
+                navigate('/admin/project-roles');
                setToastData({
                    title: 'Project role created',
                    text: 'Now you can start assigning your project roles to project members.',
--- a/frontend/src/component/admin/projectRoles/EditProjectRole/EditProjectRole.tsx
+++ b/frontend/src/component/admin/projectRoles/EditProjectRole/EditProjectRole.tsx
@ -1,8 +1,8 @@
 import FormTemplate from 'component/common/FormTemplate/FormTemplate';
 import { UpdateButton } from 'component/common/UpdateButton/UpdateButton';
 import { ADMIN } from 'component/providers/AccessProvider/permissions';
-import useProjectRolesApi from 'hooks/api/actions/useProjectRolesApi/useProjectRolesApi';
+import { useRolesApi } from 'hooks/api/actions/useRolesApi/useRolesApi';
-import useProjectRole from 'hooks/api/getters/useProjectRole/useProjectRole';
+import { useRole } from 'hooks/api/getters/useRole/useRole';
 import useUiConfig from 'hooks/api/getters/useUiConfig/useUiConfig';
 import useToast from 'hooks/useToast';
 import { useNavigate } from 'react-router-dom';
@ -15,8 +15,8 @@ import { GO_BACK } from 'constants/navigate';
 const EditProjectRole = () => {
    const { uiConfig } = useUiConfig();
    const { setToastData, setToastApiError } = useToast();
-    const projectId = useRequiredPathParam('id');
+    const roleId = useRequiredPathParam('id');
-    const { role } = useProjectRole(projectId);
+    const { role, refetch } = useRole(roleId);
    const navigate = useNavigate();
    const {
@ -35,19 +35,18 @@ const EditProjectRole = () => {
        validateName,
        clearErrors,
        getRoleKey,
-    } = useProjectRoleForm(role.name, role.description, role?.permissions);
+    } = useProjectRoleForm(role?.name, role?.description, role?.permissions);
    const formatApiCode = () => {
        return `curl --location --request PUT '${
            uiConfig.unleashUrl
-        }/api/admin/roles/${role.id}' \\
+        }/api/admin/roles/${role?.id}' \\
 --header 'Authorization: INSERT_API_KEY' \\
 --header 'Content-Type: application/json' \\
 --data-raw '${JSON.stringify(getProjectRolePayload(), undefined, 2)}'`;
    };
-    const { refetch } = useProjectRole(projectId);
+    const { updateRole, loading } = useRolesApi();
    const { editRole, loading } = useProjectRolesApi();
    const onSubmit = async (e: Event) => {
        e.preventDefault();
@ -58,9 +57,9 @@ const EditProjectRole = () => {
        if (validName && validPermissions) {
            try {
-                await editRole(projectId, payload);
+                await updateRole(+roleId, payload);
                refetch();
-                navigate('/admin/roles');
+                navigate('/admin/project-roles');
                setToastData({
                    type: 'success',
                    title: 'Project role updated',
--- a/frontend/src/component/admin/projectRoles/ProjectRoleForm/PermissionAccordion/PermissionAccordion.tsx
+++ b/frontend/src/component/admin/projectRoles/ProjectRoleForm/PermissionAccordion/PermissionAccordion.tsx
@ -13,7 +13,7 @@ import {
    Typography,
 } from '@mui/material';
 import { ExpandMore } from '@mui/icons-material';
-import { IPermission } from 'interfaces/project';
+import { IPermission } from 'interfaces/permissions';
 import StringTruncator from 'component/common/StringTruncator/StringTruncator';
 import { ICheckedPermission } from 'component/admin/projectRoles/hooks/useProjectRoleForm';
@ -23,10 +23,10 @@ interface IEnvironmentPermissionAccordionProps {
    title: string;
    Icon: ReactNode;
    isInitiallyExpanded?: boolean;
-    context: 'project' | 'environment';
+    context: string;
    onPermissionChange: (permission: IPermission) => void;
    onCheckAll: () => void;
-    getRoleKey: (permission: { id: number; environment?: string }) => string;
+    getRoleKey?: (permission: { id: number; environment?: string }) => string;
 }
 const AccordionHeader = styled(Box)(({ theme }) => ({
@ -52,7 +52,7 @@ export const PermissionAccordion: VFC<IEnvironmentPermissionAccordionProps> = ({
    context,
    onPermissionChange,
    onCheckAll,
-    getRoleKey,
+    getRoleKey = permission => permission.id.toString(),
 }) => {
    const [expanded, setExpanded] = useState(isInitiallyExpanded);
    const permissionMap = useMemo(
--- a/frontend/src/component/admin/projectRoles/ProjectRoleForm/ProjectRoleForm.tsx
+++ b/frontend/src/component/admin/projectRoles/ProjectRoleForm/ProjectRoleForm.tsx
@ -10,8 +10,8 @@ import { ConditionallyRender } from 'component/common/ConditionallyRender/Condit
 import {
    IPermission,
    IProjectEnvironmentPermissions,
-    IProjectRolePermissions,
+    IPermissions,
-} from 'interfaces/project';
+} from 'interfaces/permissions';
 import { ICheckedPermission } from '../hooks/useProjectRoleForm';
 interface IProjectRoleForm {
@ -21,7 +21,7 @@ interface IProjectRoleForm {
    errors: { [key: string]: string };
    children: ReactNode;
    permissions:
-        | IProjectRolePermissions
+        | IPermissions
        | {
              project: IPermission[];
              environments: IProjectEnvironmentPermissions[];
--- a/frontend/src/component/admin/projectRoles/ProjectRoles/ProjectRoleList/ProjectRoleList.tsx
+++ b/frontend/src/component/admin/projectRoles/ProjectRoles/ProjectRoleList/ProjectRoleList.tsx
@ -9,9 +9,9 @@ import {
 } from 'component/common/Table';
 import { useTable, useGlobalFilter, useSortBy } from 'react-table';
 import { ADMIN } from 'component/providers/AccessProvider/permissions';
-import useProjectRoles from 'hooks/api/getters/useProjectRoles/useProjectRoles';
+import { useRoles } from 'hooks/api/getters/useRoles/useRoles';
-import IRole, { IProjectRole } from 'interfaces/role';
+import { IProjectRole } from 'interfaces/role';
-import useProjectRolesApi from 'hooks/api/actions/useProjectRolesApi/useProjectRolesApi';
+import { useRolesApi } from 'hooks/api/actions/useRolesApi/useRolesApi';
 import useToast from 'hooks/useToast';
 import ProjectRoleDeleteConfirm from '../ProjectRoleDeleteConfirm/ProjectRoleDeleteConfirm';
 import { formatUnknownError } from 'utils/formatUnknownError';
@ -30,19 +30,15 @@ import { IconCell } from 'component/common/Table/cells/IconCell/IconCell';
 import { Search } from 'component/common/Search/Search';
 import { useConditionallyHiddenColumns } from 'hooks/useConditionallyHiddenColumns';
 const ROOTROLE = 'root';
 const BUILTIN_ROLE_TYPE = 'project';
 const ProjectRoleList = () => {
    const navigate = useNavigate();
-    const { roles, refetch, loading } = useProjectRoles();
+    const { projectRoles: data, refetch, loading } = useRoles();
    const isExtraSmallScreen = useMediaQuery(theme.breakpoints.down('sm'));
-    const paginationFilter = (role: IRole) => role?.type !== ROOTROLE;
+    const { removeRole } = useRolesApi();
    const data = roles.filter(paginationFilter);
    const { deleteRole } = useProjectRolesApi();
    const [currentRole, setCurrentRole] = useState<IProjectRole | null>(null);
    const [delDialog, setDelDialog] = useState(false);
    const [confirmName, setConfirmName] = useState('');
@ -51,7 +47,7 @@ const ProjectRoleList = () => {
    const deleteProjectRole = async () => {
        if (!currentRole?.id) return;
        try {
-            await deleteRole(currentRole?.id);
+            await removeRole(currentRole?.id);
            refetch();
            setToastData({
                type: 'success',
@ -99,7 +95,7 @@ const ProjectRoleList = () => {
                            data-loading
                            disabled={type === BUILTIN_ROLE_TYPE}
                            onClick={() => {
-                                navigate(`/admin/roles/${id}/edit`);
+                                navigate(`/admin/project-roles/${id}/edit`);
                            }}
                            permission={ADMIN}
                            tooltipProps={{
@ -208,7 +204,7 @@ const ProjectRoleList = () => {
                                variant="contained"
                                color="primary"
                                onClick={() =>
-                                    navigate('/admin/create-project-role')
+                                    navigate('/admin/project-roles/new')
                                }
                            >
                                New project role
--- a/frontend/src/component/admin/projectRoles/hooks/useProjectRoleForm.ts
+++ b/frontend/src/component/admin/projectRoles/hooks/useProjectRoleForm.ts
@ -1,8 +1,8 @@
 import { useEffect, useState } from 'react';
-import { IPermission } from 'interfaces/project';
+import { IPermission } from 'interfaces/permissions';
 import cloneDeep from 'lodash.clonedeep';
-import useProjectRolePermissions from 'hooks/api/getters/useProjectRolePermissions/useProjectRolePermissions';
+import usePermissions from 'hooks/api/getters/usePermissions/usePermissions';
-import useProjectRolesApi from 'hooks/api/actions/useProjectRolesApi/useProjectRolesApi';
+import { useRolesApi } from 'hooks/api/actions/useRolesApi/useRolesApi';
 import { formatUnknownError } from 'utils/formatUnknownError';
 export interface ICheckedPermission {
@ -23,7 +23,7 @@ const useProjectRoleForm = (
    initialRoleDesc = '',
    initialCheckedPermissions: IPermission[] = []
 ) => {
-    const { permissions } = useProjectRolePermissions({
+    const { permissions } = usePermissions({
        revalidateIfStale: false,
        revalidateOnReconnect: false,
        revalidateOnFocus: false,
@ -53,7 +53,7 @@ const useProjectRoleForm = (
    const [errors, setErrors] = useState({});
-    const { validateRole } = useProjectRolesApi();
+    const { validateRole } = useRolesApi();
    useEffect(() => {
        setRoleName(initialRoleName);
--- a/frontend/src/component/admin/roles/RoleForm/RoleForm.tsx
+++ b/frontend/src/component/admin/roles/RoleForm/RoleForm.tsx
@ -0,0 +1,138 @@
 import { styled } from '@mui/material';
 import Input from 'component/common/Input/Input';
 import { PermissionAccordion } from 'component/admin/projectRoles/ProjectRoleForm/PermissionAccordion/PermissionAccordion';
 import { Person as UserIcon } from '@mui/icons-material';
 import { ICheckedPermissions, IPermission } from 'interfaces/permissions';
 import { IRoleFormErrors } from './useRoleForm';
 import { ROOT_PERMISSION_CATEGORIES } from '@server/types/permissions';
 import cloneDeep from 'lodash.clonedeep';
 const StyledInputDescription = styled('p')(({ theme }) => ({
    display: 'flex',
    color: theme.palette.text.primary,
    marginBottom: theme.spacing(1),
    '&:not(:first-of-type)': {
        marginTop: theme.spacing(4),
    },
 }));
 const StyledInput = styled(Input)(({ theme }) => ({
    width: '100%',
    maxWidth: theme.spacing(50),
 }));
 interface IRoleFormProps {
    name: string;
    onSetName: (name: string) => void;
    description: string;
    setDescription: React.Dispatch<React.SetStateAction<string>>;
    checkedPermissions: ICheckedPermissions;
    setCheckedPermissions: React.Dispatch<
        React.SetStateAction<ICheckedPermissions>
    >;
    handlePermissionChange: (permission: IPermission) => void;
    permissions: IPermission[];
    errors: IRoleFormErrors;
 }
 export const RoleForm = ({
    name,
    onSetName,
    description,
    setDescription,
    checkedPermissions,
    setCheckedPermissions,
    handlePermissionChange,
    permissions,
    errors,
 }: IRoleFormProps) => {
    const categorizedPermissions = permissions.map(permission => {
        const category = ROOT_PERMISSION_CATEGORIES.find(category =>
            category.permissions.includes(permission.name)
        );
        return {
            category: category ? category.label : 'Other',
            permission,
        };
    });
    const categories = new Set(
        categorizedPermissions.map(({ category }) => category).sort()
    );
    const onToggleAllPermissions = (category: string) => {
        let checkedPermissionsCopy = cloneDeep(checkedPermissions);
        const categoryPermissions = categorizedPermissions
            .filter(({ category: pCategory }) => pCategory === category)
            .map(({ permission }) => permission);
        const allChecked = categoryPermissions.every(
            (permission: IPermission) => checkedPermissionsCopy[permission.id]
        );
        if (allChecked) {
            categoryPermissions.forEach((permission: IPermission) => {
                delete checkedPermissionsCopy[permission.id];
            });
        } else {
            categoryPermissions.forEach((permission: IPermission) => {
                checkedPermissionsCopy[permission.id] = {
                    ...permission,
                };
            });
        }
        setCheckedPermissions(checkedPermissionsCopy);
    };
    return (
        <div>
            <StyledInputDescription>
                What is your new role name?
            </StyledInputDescription>
            <StyledInput
                autoFocus
                label="Role name"
                error={Boolean(errors.name)}
                errorText={errors.name}
                value={name}
                onChange={e => onSetName(e.target.value)}
                autoComplete="off"
                required
            />
            <StyledInputDescription>
                What is your new role description?
            </StyledInputDescription>
            <StyledInput
                label="Role description"
                value={description}
                onChange={e => setDescription(e.target.value)}
                autoComplete="off"
                required
            />
            <StyledInputDescription>
                What is your role allowed to do?
            </StyledInputDescription>
            {[...categories].map(category => (
                <PermissionAccordion
                    key={category}
                    title={`${category} permissions`}
                    context={category.toLowerCase()}
                    Icon={<UserIcon color="disabled" sx={{ mr: 1 }} />}
                    permissions={categorizedPermissions
                        .filter(
                            ({ category: pCategory }) => pCategory === category
                        )
                        .map(({ permission }) => permission)}
                    checkedPermissions={checkedPermissions}
                    onPermissionChange={(permission: IPermission) =>
                        handlePermissionChange(permission)
                    }
                    onCheckAll={() => onToggleAllPermissions(category)}
                />
            ))}
        </div>
    );
 };
--- a/frontend/src/component/admin/roles/RoleForm/useRoleForm.ts
+++ b/frontend/src/component/admin/roles/RoleForm/useRoleForm.ts
@ -0,0 +1,140 @@
 import { useEffect, useState } from 'react';
 import { IPermission, ICheckedPermissions } from 'interfaces/permissions';
 import cloneDeep from 'lodash.clonedeep';
 import usePermissions from 'hooks/api/getters/usePermissions/usePermissions';
 import IRole from 'interfaces/role';
 import { useRoles } from 'hooks/api/getters/useRoles/useRoles';
 enum ErrorField {
    NAME = 'name',
 }
 export interface IRoleFormErrors {
    [ErrorField.NAME]?: string;
 }
 export const useRoleForm = (
    initialName = '',
    initialDescription = '',
    initialPermissions: IPermission[] = []
 ) => {
    const { roles } = useRoles();
    const { permissions } = usePermissions({
        revalidateIfStale: false,
        revalidateOnReconnect: false,
        revalidateOnFocus: false,
    });
    const rootPermissions = permissions.root.filter(
        ({ name }) => name !== 'ADMIN'
    );
    const [name, setName] = useState(initialName);
    const [description, setDescription] = useState(initialDescription);
    const [checkedPermissions, setCheckedPermissions] =
        useState<ICheckedPermissions>({});
    useEffect(() => {
        setCheckedPermissions(
            initialPermissions.reduce(
                (acc: { [key: string]: IPermission }, curr: IPermission) => {
                    acc[curr.id] = curr;
                    return acc;
                },
                {}
            )
        );
    }, [initialPermissions.length]);
    const [errors, setErrors] = useState<IRoleFormErrors>({});
    useEffect(() => {
        setName(initialName);
    }, [initialName]);
    useEffect(() => {
        setDescription(initialDescription);
    }, [initialDescription]);
    const handlePermissionChange = (permission: IPermission) => {
        let checkedPermissionsCopy = cloneDeep(checkedPermissions);
        if (checkedPermissionsCopy[permission.id]) {
            delete checkedPermissionsCopy[permission.id];
        } else {
            checkedPermissionsCopy[permission.id] = { ...permission };
        }
        setCheckedPermissions(checkedPermissionsCopy);
    };
    const onToggleAllPermissions = () => {
        let checkedPermissionsCopy = cloneDeep(checkedPermissions);
        const allChecked = rootPermissions.every(
            (permission: IPermission) => checkedPermissionsCopy[permission.id]
        );
        if (allChecked) {
            rootPermissions.forEach((permission: IPermission) => {
                delete checkedPermissionsCopy[permission.id];
            });
        } else {
            rootPermissions.forEach((permission: IPermission) => {
                checkedPermissionsCopy[permission.id] = {
                    ...permission,
                };
            });
        }
        setCheckedPermissions(checkedPermissionsCopy);
    };
    const getRolePayload = () => ({
        name,
        description,
        type: 'root-custom',
        permissions: Object.values(checkedPermissions),
    });
    const isNameUnique = (name: string) => {
        return !roles.some(
            (existingRole: IRole) =>
                existingRole.name !== initialName &&
                existingRole.name.toLowerCase() === name.toLowerCase()
        );
    };
    const isNotEmpty = (value: string) => value.length;
    const hasPermissions = (permissions: ICheckedPermissions) =>
        Object.keys(permissions).length > 0;
    const clearError = (field: ErrorField) => {
        setErrors(errors => ({ ...errors, [field]: undefined }));
    };
    const setError = (field: ErrorField, error: string) => {
        setErrors(errors => ({ ...errors, [field]: error }));
    };
    return {
        name,
        description,
        errors,
        checkedPermissions,
        rootPermissions,
        setName,
        setDescription,
        setCheckedPermissions,
        handlePermissionChange,
        onToggleAllPermissions,
        getRolePayload,
        clearError,
        setError,
        isNameUnique,
        isNotEmpty,
        hasPermissions,
        ErrorField,
    };
 };
--- a/frontend/src/component/admin/roles/RoleModal/RoleModal.tsx
+++ b/frontend/src/component/admin/roles/RoleModal/RoleModal.tsx
@ -0,0 +1,164 @@
 import { Button, styled } from '@mui/material';
 import { SidebarModal } from 'component/common/SidebarModal/SidebarModal';
 import { useRoleForm } from '../RoleForm/useRoleForm';
 import useUiConfig from 'hooks/api/getters/useUiConfig/useUiConfig';
 import FormTemplate from 'component/common/FormTemplate/FormTemplate';
 import { RoleForm } from '../RoleForm/RoleForm';
 import { useRoles } from 'hooks/api/getters/useRoles/useRoles';
 import useToast from 'hooks/useToast';
 import { formatUnknownError } from 'utils/formatUnknownError';
 import { FormEvent } from 'react';
 import { useRolesApi } from 'hooks/api/actions/useRolesApi/useRolesApi';
 import { useRole } from 'hooks/api/getters/useRole/useRole';
 const StyledForm = styled('form')(() => ({
    display: 'flex',
    flexDirection: 'column',
    height: '100%',
 }));
 const StyledButtonContainer = styled('div')(({ theme }) => ({
    marginTop: 'auto',
    display: 'flex',
    justifyContent: 'flex-end',
    paddingTop: theme.spacing(4),
 }));
 const StyledCancelButton = styled(Button)(({ theme }) => ({
    marginLeft: theme.spacing(3),
 }));
 interface IRoleModalProps {
    roleId?: number;
    open: boolean;
    setOpen: React.Dispatch<React.SetStateAction<boolean>>;
 }
 export const RoleModal = ({ roleId, open, setOpen }: IRoleModalProps) => {
    const { role, refetch: refetchRole } = useRole(roleId?.toString());
    const {
        name,
        setName,
        description,
        setDescription,
        checkedPermissions,
        setCheckedPermissions,
        handlePermissionChange,
        getRolePayload,
        isNameUnique,
        isNotEmpty,
        hasPermissions,
        rootPermissions,
        errors,
        setError,
        clearError,
        ErrorField,
    } = useRoleForm(role?.name, role?.description, role?.permissions);
    const { refetch: refetchRoles } = useRoles();
    const { addRole, updateRole, loading } = useRolesApi();
    const { setToastData, setToastApiError } = useToast();
    const { uiConfig } = useUiConfig();
    const editing = role !== undefined;
    const isValid =
        isNameUnique(name) &&
        isNotEmpty(name) &&
        isNotEmpty(description) &&
        hasPermissions(checkedPermissions);
    const formatApiCode = () => {
        return `curl --location --request ${editing ? 'PUT' : 'POST'} '${
            uiConfig.unleashUrl
        }/api/admin/roles${editing ? `/${role.id}` : ''}' \\
    --header 'Authorization: INSERT_API_KEY' \\
    --header 'Content-Type: application/json' \\
    --data-raw '${JSON.stringify(getRolePayload(), undefined, 2)}'`;
    };
    const onSetName = (name: string) => {
        clearError(ErrorField.NAME);
        if (!isNameUnique(name)) {
            setError(ErrorField.NAME, 'A role with that name already exists.');
        }
        setName(name);
    };
    const refetch = () => {
        refetchRoles();
        refetchRole();
    };
    const onSubmit = async (e: FormEvent<HTMLFormElement>) => {
        e.preventDefault();
        if (!isValid) return;
        try {
            if (editing) {
                await updateRole(role.id, getRolePayload());
            } else {
                await addRole(getRolePayload());
            }
            setToastData({
                title: `Role ${editing ? 'updated' : 'added'} successfully`,
                type: 'success',
            });
            refetch();
            setOpen(false);
        } catch (error: unknown) {
            setToastApiError(formatUnknownError(error));
        }
    };
    return (
        <SidebarModal
            open={open}
            onClose={() => {
                setOpen(false);
            }}
            label={editing ? 'Edit role' : 'New role'}
        >
            <FormTemplate
                loading={loading}
                modal
                title={editing ? 'Edit role' : 'New role'}
                description="Roles allow you to control access to global root resources. Besides the built-in roles, you can create and manage custom roles to fit your needs."
                documentationLink="https://docs.getunleash.io/reference/rbac#standard-roles"
                documentationLinkLabel="Roles documentation"
                formatApiCode={formatApiCode}
            >
                <StyledForm onSubmit={onSubmit}>
                    <RoleForm
                        name={name}
                        onSetName={onSetName}
                        description={description}
                        setDescription={setDescription}
                        checkedPermissions={checkedPermissions}
                        setCheckedPermissions={setCheckedPermissions}
                        handlePermissionChange={handlePermissionChange}
                        permissions={rootPermissions}
                        errors={errors}
                    />
                    <StyledButtonContainer>
                        <Button
                            type="submit"
                            variant="contained"
                            color="primary"
                            disabled={!isValid}
                        >
                            {editing ? 'Save' : 'Add'} role
                        </Button>
                        <StyledCancelButton
                            onClick={() => {
                                setOpen(false);
                            }}
                        >
                            Cancel
                        </StyledCancelButton>
                    </StyledButtonContainer>
                </StyledForm>
            </FormTemplate>
        </SidebarModal>
    );
 };
--- a/frontend/src/component/admin/roles/Roles.tsx
+++ b/frontend/src/component/admin/roles/Roles.tsx
@ -0,0 +1,20 @@
 import { useContext } from 'react';
 import AccessContext from 'contexts/AccessContext';
 import { ConditionallyRender } from 'component/common/ConditionallyRender/ConditionallyRender';
 import { ADMIN } from 'component/providers/AccessProvider/permissions';
 import { RolesTable } from './RolesTable/RolesTable';
 import { AdminAlert } from 'component/common/AdminAlert/AdminAlert';
 export const Roles = () => {
    const { hasAccess } = useContext(AccessContext);
    return (
        <div>
            <ConditionallyRender
                condition={hasAccess(ADMIN)}
                show={<RolesTable />}
                elseShow={<AdminAlert />}
            />
        </div>
    );
 };
--- a/frontend/src/component/admin/roles/RolesTable/RoleDeleteDialog/RoleDeleteDialog.tsx
+++ b/frontend/src/component/admin/roles/RolesTable/RoleDeleteDialog/RoleDeleteDialog.tsx
@ -0,0 +1,127 @@
 import { Alert, styled } from '@mui/material';
 import { ConditionallyRender } from 'component/common/ConditionallyRender/ConditionallyRender';
 import { Dialogue } from 'component/common/Dialogue/Dialogue';
 import { useServiceAccounts } from 'hooks/api/getters/useServiceAccounts/useServiceAccounts';
 import { useUsers } from 'hooks/api/getters/useUsers/useUsers';
 import IRole from 'interfaces/role';
 import { RoleDeleteDialogUsers } from './RoleDeleteDialogUsers/RoleDeleteDialogUsers';
 import { RoleDeleteDialogServiceAccounts } from './RoleDeleteDialogServiceAccounts/RoleDeleteDialogServiceAccounts';
 import { useGroups } from 'hooks/api/getters/useGroups/useGroups';
 import { RoleDeleteDialogGroups } from './RoleDeleteDialogGroups/RoleDeleteDialogGroups';
 const StyledTableContainer = styled('div')(({ theme }) => ({
    marginTop: theme.spacing(1.5),
 }));
 const StyledLabel = styled('p')(({ theme }) => ({
    marginTop: theme.spacing(3),
 }));
 interface IRoleDeleteDialogProps {
    role?: IRole;
    open: boolean;
    setOpen: React.Dispatch<React.SetStateAction<boolean>>;
    onConfirm: (role: IRole) => void;
 }
 export const RoleDeleteDialog = ({
    role,
    open,
    setOpen,
    onConfirm,
 }: IRoleDeleteDialogProps) => {
    const { users } = useUsers();
    const { serviceAccounts } = useServiceAccounts();
    const { groups } = useGroups();
    const roleUsers = users.filter(({ rootRole }) => rootRole === role?.id);
    const roleServiceAccounts = serviceAccounts.filter(
        ({ rootRole }) => rootRole === role?.id
    );
    const roleGroups = groups?.filter(({ rootRole }) => rootRole === role?.id);
    const entitiesWithRole = Boolean(
        roleUsers.length || roleServiceAccounts.length || roleGroups?.length
    );
    return (
        <Dialogue
            title="Delete role?"
            open={open}
            primaryButtonText="Delete role"
            secondaryButtonText="Cancel"
            disabledPrimaryButton={entitiesWithRole}
            onClick={() => onConfirm(role!)}
            onClose={() => {
                setOpen(false);
            }}
        >
            <ConditionallyRender
                condition={entitiesWithRole}
                show={
                    <>
                        <Alert severity="error">
                            You are not allowed to delete a role that is
                            currently in use. Please change the role of the
                            following entities first:
                        </Alert>
                        <ConditionallyRender
                            condition={Boolean(roleUsers.length)}
                            show={
                                <>
                                    <StyledLabel>
                                        Users ({roleUsers.length}):
                                    </StyledLabel>
                                    <StyledTableContainer>
                                        <RoleDeleteDialogUsers
                                            users={roleUsers}
                                        />
                                    </StyledTableContainer>
                                </>
                            }
                        />
                        <ConditionallyRender
                            condition={Boolean(roleServiceAccounts.length)}
                            show={
                                <>
                                    <StyledLabel>
                                        Service accounts (
                                        {roleServiceAccounts.length}):
                                    </StyledLabel>
                                    <StyledTableContainer>
                                        <RoleDeleteDialogServiceAccounts
                                            serviceAccounts={
                                                roleServiceAccounts
                                            }
                                        />
                                    </StyledTableContainer>
                                </>
                            }
                        />
                        <ConditionallyRender
                            condition={Boolean(roleGroups?.length)}
                            show={
                                <>
                                    <StyledLabel>
                                        Groups ({roleGroups?.length}):
                                    </StyledLabel>
                                    <StyledTableContainer>
                                        <RoleDeleteDialogGroups
                                            groups={roleGroups!}
                                        />
                                    </StyledTableContainer>
                                </>
                            }
                        />
                    </>
                }
                elseShow={
                    <p>
                        You are about to delete role:{' '}
                        <strong>{role?.name}</strong>
                    </p>
                }
            />
        </Dialogue>
    );
 };
--- a/frontend/src/component/admin/roles/RolesTable/RoleDeleteDialog/RoleDeleteDialogGroups/RoleDeleteDialogGroups.tsx
+++ b/frontend/src/component/admin/roles/RolesTable/RoleDeleteDialog/RoleDeleteDialogGroups/RoleDeleteDialogGroups.tsx
@ -0,0 +1,84 @@
 import { VirtualizedTable } from 'component/common/Table';
 import { DateCell } from 'component/common/Table/cells/DateCell/DateCell';
 import { HighlightCell } from 'component/common/Table/cells/HighlightCell/HighlightCell';
 import { useMemo, useState } from 'react';
 import { useTable, useSortBy, useFlexLayout, Column } from 'react-table';
 import { sortTypes } from 'utils/sortTypes';
 import { IGroup } from 'interfaces/group';
 import { TextCell } from 'component/common/Table/cells/TextCell/TextCell';
 export type PageQueryType = Partial<
    Record<'sort' | 'order' | 'search', string>
 >;
 interface IRoleDeleteDialogGroupsProps {
    groups: IGroup[];
 }
 export const RoleDeleteDialogGroups = ({
    groups,
 }: IRoleDeleteDialogGroupsProps) => {
    const [initialState] = useState(() => ({
        sortBy: [{ id: 'createdAt' }],
    }));
    const columns = useMemo(
        () =>
            [
                {
                    id: 'name',
                    Header: 'Name',
                    accessor: (row: any) => row.name || '',
                    minWidth: 200,
                    Cell: ({ row: { original: group } }: any) => (
                        <HighlightCell
                            value={group.name}
                            subtitle={group.description}
                        />
                    ),
                },
                {
                    Header: 'Created',
                    accessor: 'createdAt',
                    Cell: DateCell,
                    sortType: 'date',
                    width: 120,
                    maxWidth: 120,
                },
                {
                    id: 'users',
                    Header: 'Users',
                    accessor: (row: IGroup) =>
                        row.users.length === 1
                            ? '1 user'
                            : `${row.users.length} users`,
                    Cell: TextCell,
                    maxWidth: 150,
                },
            ] as Column<IGroup>[],
        []
    );
    const { headerGroups, rows, prepareRow } = useTable(
        {
            columns,
            data: groups,
            initialState,
            sortTypes,
            autoResetHiddenColumns: false,
            autoResetSortBy: false,
            disableSortRemove: true,
            disableMultiSort: true,
        },
        useSortBy,
        useFlexLayout
    );
    return (
        <VirtualizedTable
            rows={rows}
            headerGroups={headerGroups}
            prepareRow={prepareRow}
        />
    );
 };
--- a/frontend/src/component/admin/roles/RolesTable/RoleDeleteDialog/RoleDeleteDialogServiceAccounts/RoleDeleteDialogServiceAccounts.tsx
+++ b/frontend/src/component/admin/roles/RolesTable/RoleDeleteDialog/RoleDeleteDialogServiceAccounts/RoleDeleteDialogServiceAccounts.tsx
@ -0,0 +1,109 @@
 import { VirtualizedTable } from 'component/common/Table';
 import { DateCell } from 'component/common/Table/cells/DateCell/DateCell';
 import { HighlightCell } from 'component/common/Table/cells/HighlightCell/HighlightCell';
 import { useMemo, useState } from 'react';
 import { useTable, useSortBy, useFlexLayout, Column } from 'react-table';
 import { sortTypes } from 'utils/sortTypes';
 import { TimeAgoCell } from 'component/common/Table/cells/TimeAgoCell/TimeAgoCell';
 import { IServiceAccount } from 'interfaces/service-account';
 import { ServiceAccountTokensCell } from 'component/admin/serviceAccounts/ServiceAccountsTable/ServiceAccountTokensCell/ServiceAccountTokensCell';
 export type PageQueryType = Partial<
    Record<'sort' | 'order' | 'search', string>
 >;
 interface IRoleDeleteDialogServiceAccountsProps {
    serviceAccounts: IServiceAccount[];
 }
 export const RoleDeleteDialogServiceAccounts = ({
    serviceAccounts,
 }: IRoleDeleteDialogServiceAccountsProps) => {
    const [initialState] = useState(() => ({
        sortBy: [{ id: 'seenAt' }],
    }));
    const columns = useMemo(
        () =>
            [
                {
                    id: 'name',
                    Header: 'Name',
                    accessor: (row: any) => row.name || '',
                    minWidth: 200,
                    Cell: ({ row: { original: serviceAccount } }: any) => (
                        <HighlightCell
                            value={serviceAccount.name}
                            subtitle={serviceAccount.username}
                        />
                    ),
                },
                {
                    id: 'tokens',
                    Header: 'Tokens',
                    accessor: (row: IServiceAccount) =>
                        row.tokens
                            ?.map(({ description }) => description)
                            .join('\n') || '',
                    Cell: ({
                        row: { original: serviceAccount },
                        value,
                    }: {
                        row: { original: IServiceAccount };
                        value: string;
                    }) => (
                        <ServiceAccountTokensCell
                            serviceAccount={serviceAccount}
                            value={value}
                        />
                    ),
                    maxWidth: 100,
                },
                {
                    Header: 'Created',
                    accessor: 'createdAt',
                    Cell: DateCell,
                    sortType: 'date',
                    width: 120,
                    maxWidth: 120,
                },
                {
                    id: 'seenAt',
                    Header: 'Last seen',
                    accessor: (row: IServiceAccount) =>
                        row.tokens.sort((a, b) => {
                            const aSeenAt = new Date(a.seenAt || 0);
                            const bSeenAt = new Date(b.seenAt || 0);
                            return bSeenAt?.getTime() - aSeenAt?.getTime();
                        })[0]?.seenAt,
                    Cell: TimeAgoCell,
                    sortType: 'date',
                    maxWidth: 150,
                },
            ] as Column<IServiceAccount>[],
        []
    );
    const { headerGroups, rows, prepareRow } = useTable(
        {
            columns,
            data: serviceAccounts,
            initialState,
            sortTypes,
            autoResetHiddenColumns: false,
            autoResetSortBy: false,
            disableSortRemove: true,
            disableMultiSort: true,
        },
        useSortBy,
        useFlexLayout
    );
    return (
        <VirtualizedTable
            rows={rows}
            headerGroups={headerGroups}
            prepareRow={prepareRow}
        />
    );
 };
--- a/frontend/src/component/admin/roles/RolesTable/RoleDeleteDialog/RoleDeleteDialogUsers/RoleDeleteDialogUsers.tsx
+++ b/frontend/src/component/admin/roles/RolesTable/RoleDeleteDialog/RoleDeleteDialogUsers/RoleDeleteDialogUsers.tsx
@ -0,0 +1,88 @@
 import { VirtualizedTable } from 'component/common/Table';
 import { DateCell } from 'component/common/Table/cells/DateCell/DateCell';
 import { HighlightCell } from 'component/common/Table/cells/HighlightCell/HighlightCell';
 import { useMemo, useState } from 'react';
 import { useTable, useSortBy, useFlexLayout, Column } from 'react-table';
 import { sortTypes } from 'utils/sortTypes';
 import { TimeAgoCell } from 'component/common/Table/cells/TimeAgoCell/TimeAgoCell';
 import { IUser } from 'interfaces/user';
 export type PageQueryType = Partial<
    Record<'sort' | 'order' | 'search', string>
 >;
 interface IRoleDeleteDialogUsersProps {
    users: IUser[];
 }
 export const RoleDeleteDialogUsers = ({
    users,
 }: IRoleDeleteDialogUsersProps) => {
    const [initialState] = useState(() => ({
        sortBy: [{ id: 'last-login' }],
    }));
    const columns = useMemo(
        () =>
            [
                {
                    id: 'name',
                    Header: 'Name',
                    accessor: (row: any) => row.name || '',
                    minWidth: 200,
                    Cell: ({ row: { original: user } }: any) => (
                        <HighlightCell
                            value={user.name}
                            subtitle={user.email || user.username}
                        />
                    ),
                },
                {
                    Header: 'Created',
                    accessor: 'createdAt',
                    Cell: DateCell,
                    sortType: 'date',
                    width: 120,
                    maxWidth: 120,
                },
                {
                    id: 'last-login',
                    Header: 'Last login',
                    accessor: (row: any) => row.seenAt || '',
                    Cell: ({ row: { original: user } }: any) => (
                        <TimeAgoCell
                            value={user.seenAt}
                            emptyText="Never"
                            title={date => `Last login: ${date}`}
                        />
                    ),
                    sortType: 'date',
                    maxWidth: 150,
                },
            ] as Column<IUser>[],
        []
    );
    const { headerGroups, rows, prepareRow } = useTable(
        {
            columns,
            data: users,
            initialState,
            sortTypes,
            autoResetHiddenColumns: false,
            autoResetSortBy: false,
            disableSortRemove: true,
            disableMultiSort: true,
        },
        useSortBy,
        useFlexLayout
    );
    return (
        <VirtualizedTable
            rows={rows}
            headerGroups={headerGroups}
            prepareRow={prepareRow}
        />
    );
 };
--- a/frontend/src/component/admin/roles/RolesTable/RolePermissionsCell/RolePermissionsCell.tsx
+++ b/frontend/src/component/admin/roles/RolesTable/RolePermissionsCell/RolePermissionsCell.tsx
@ -0,0 +1,31 @@
 import { VFC } from 'react';
 import { TextCell } from 'component/common/Table/cells/TextCell/TextCell';
 import { TooltipLink } from 'component/common/TooltipLink/TooltipLink';
 import IRole from 'interfaces/role';
 import { useRole } from 'hooks/api/getters/useRole/useRole';
 import { RoleDescription } from 'component/common/RoleDescription/RoleDescription';
 interface IRolePermissionsCellProps {
    row: { original: IRole };
 }
 export const RolePermissionsCell: VFC<IRolePermissionsCellProps> = ({
    row,
 }) => {
    const { original: rowRole } = row;
    const { role } = useRole(rowRole.id.toString());
    if (!role || role.type === 'root') return null;
    return (
        <TextCell>
            <TooltipLink
                tooltip={<RoleDescription roleId={rowRole.id} tooltip />}
            >
                {role.permissions?.length === 1
                    ? '1 permission'
                    : `${role.permissions?.length} permissions`}
            </TooltipLink>
        </TextCell>
    );
 };
--- a/frontend/src/component/admin/roles/RolesTable/RolesActionsCell/RolesActionsCell.tsx
+++ b/frontend/src/component/admin/roles/RolesTable/RolesActionsCell/RolesActionsCell.tsx
@ -0,0 +1,58 @@
 import { Delete, Edit } from '@mui/icons-material';
 import { Box, styled } from '@mui/material';
 import PermissionIconButton from 'component/common/PermissionIconButton/PermissionIconButton';
 import { ADMIN } from 'component/providers/AccessProvider/permissions';
 import IRole from 'interfaces/role';
 import { VFC } from 'react';
 const StyledBox = styled(Box)(() => ({
    display: 'flex',
    justifyContent: 'center',
 }));
 const DEFAULT_ROOT_ROLE = 'root';
 interface IRolesActionsCellProps {
    role: IRole;
    onEdit: (event: React.SyntheticEvent) => void;
    onDelete: (event: React.SyntheticEvent) => void;
 }
 export const RolesActionsCell: VFC<IRolesActionsCellProps> = ({
    role,
    onEdit,
    onDelete,
 }) => {
    const defaultRole = role.type === DEFAULT_ROOT_ROLE;
    return (
        <StyledBox>
            <PermissionIconButton
                data-loading
                onClick={onEdit}
                permission={ADMIN}
                disabled={defaultRole}
                tooltipProps={{
                    title: defaultRole
                        ? 'You cannot edit a predefined role'
                        : 'Edit role',
                }}
            >
                <Edit />
            </PermissionIconButton>
            <PermissionIconButton
                data-loading
                onClick={onDelete}
                permission={ADMIN}
                disabled={defaultRole}
                tooltipProps={{
                    title: defaultRole
                        ? 'You cannot remove a predefined role'
                        : 'Remove role',
                }}
            >
                <Delete />
            </PermissionIconButton>
        </StyledBox>
    );
 };
--- a/frontend/src/component/admin/roles/RolesTable/RolesCell/RolesCell.tsx
+++ b/frontend/src/component/admin/roles/RolesTable/RolesCell/RolesCell.tsx
@ -0,0 +1,26 @@
 import { ConditionallyRender } from 'component/common/ConditionallyRender/ConditionallyRender';
 import { Badge } from 'component/common/Badge/Badge';
 import { styled } from '@mui/material';
 import IRole from 'interfaces/role';
 import { HighlightCell } from 'component/common/Table/cells/HighlightCell/HighlightCell';
 const StyledBadge = styled(Badge)(({ theme }) => ({
    marginLeft: theme.spacing(1),
 }));
 interface IRolesCellProps {
    role: IRole;
 }
 export const RolesCell = ({ role }: IRolesCellProps) => (
    <HighlightCell
        value={role.name}
        subtitle={role.description}
        afterTitle={
            <ConditionallyRender
                condition={role.type === 'root'}
                show={<StyledBadge color="success">Predefined</StyledBadge>}
            />
        }
    />
 );
--- a/frontend/src/component/admin/roles/RolesTable/RolesTable.tsx
+++ b/frontend/src/component/admin/roles/RolesTable/RolesTable.tsx
@ -0,0 +1,233 @@
 import { useMemo, useState } from 'react';
 import { TablePlaceholder, VirtualizedTable } from 'component/common/Table';
 import { ConditionallyRender } from 'component/common/ConditionallyRender/ConditionallyRender';
 import IRole from 'interfaces/role';
 import useToast from 'hooks/useToast';
 import { formatUnknownError } from 'utils/formatUnknownError';
 import { PageContent } from 'component/common/PageContent/PageContent';
 import { PageHeader } from 'component/common/PageHeader/PageHeader';
 import { Button, useMediaQuery } from '@mui/material';
 import { SearchHighlightProvider } from 'component/common/Table/SearchHighlightContext/SearchHighlightContext';
 import { useFlexLayout, useSortBy, useTable } from 'react-table';
 import { sortTypes } from 'utils/sortTypes';
 import { TextCell } from 'component/common/Table/cells/TextCell/TextCell';
 import theme from 'themes/theme';
 import { Search } from 'component/common/Search/Search';
 import { useConditionallyHiddenColumns } from 'hooks/useConditionallyHiddenColumns';
 import { useSearch } from 'hooks/useSearch';
 import { IconCell } from 'component/common/Table/cells/IconCell/IconCell';
 import { SupervisedUserCircle } from '@mui/icons-material';
 import { RolesActionsCell } from './RolesActionsCell/RolesActionsCell';
 import { RolesCell } from './RolesCell/RolesCell';
 import { RoleDeleteDialog } from './RoleDeleteDialog/RoleDeleteDialog';
 import { useRolesApi } from 'hooks/api/actions/useRolesApi/useRolesApi';
 import { useRoles } from 'hooks/api/getters/useRoles/useRoles';
 import { RoleModal } from '../RoleModal/RoleModal';
 import { RolePermissionsCell } from './RolePermissionsCell/RolePermissionsCell';
 export const RolesTable = () => {
    const { setToastData, setToastApiError } = useToast();
    const { roles, refetch, loading } = useRoles();
    const { removeRole } = useRolesApi();
    const [searchValue, setSearchValue] = useState('');
    const [modalOpen, setModalOpen] = useState(false);
    const [deleteOpen, setDeleteOpen] = useState(false);
    const [selectedRole, setSelectedRole] = useState<IRole>();
    const onDeleteConfirm = async (role: IRole) => {
        try {
            await removeRole(role.id);
            setToastData({
                title: `${role.name} has been deleted`,
                type: 'success',
            });
            refetch();
            setDeleteOpen(false);
        } catch (error: unknown) {
            setToastApiError(formatUnknownError(error));
        }
    };
    const isSmallScreen = useMediaQuery(theme.breakpoints.down('md'));
    const columns = useMemo(
        () => [
            {
                id: 'Icon',
                Cell: () => (
                    <IconCell
                        icon={<SupervisedUserCircle color="disabled" />}
                    />
                ),
                disableGlobalFilter: true,
                maxWidth: 50,
            },
            {
                Header: 'Role',
                accessor: 'name',
                Cell: ({ row: { original: role } }: any) => (
                    <RolesCell role={role} />
                ),
                searchable: true,
                minWidth: 100,
            },
            {
                id: 'permissions',
                Header: 'Permissions',
                Cell: RolePermissionsCell,
                maxWidth: 140,
            },
            {
                Header: 'Actions',
                id: 'Actions',
                align: 'center',
                Cell: ({ row: { original: role } }: any) => (
                    <RolesActionsCell
                        role={role}
                        onEdit={() => {
                            setSelectedRole(role);
                            setModalOpen(true);
                        }}
                        onDelete={() => {
                            setSelectedRole(role);
                            setDeleteOpen(true);
                        }}
                    />
                ),
                width: 150,
                disableSortBy: true,
            },
            // Always hidden -- for search
            {
                accessor: 'description',
                Header: 'Description',
                searchable: true,
            },
        ],
        []
    );
    const [initialState] = useState({
        sortBy: [{ id: 'name' }],
        hiddenColumns: ['description'],
    });
    const { data, getSearchText } = useSearch(columns, searchValue, roles);
    const { headerGroups, rows, prepareRow, setHiddenColumns } = useTable(
        {
            columns: columns as any,
            data,
            initialState,
            sortTypes,
            autoResetHiddenColumns: false,
            autoResetSortBy: false,
            disableSortRemove: true,
            disableMultiSort: true,
            defaultColumn: {
                Cell: TextCell,
            },
        },
        useSortBy,
        useFlexLayout
    );
    useConditionallyHiddenColumns(
        [
            {
                condition: isSmallScreen,
                columns: ['Icon'],
            },
        ],
        setHiddenColumns,
        columns
    );
    return (
        <PageContent
            isLoading={loading}
            header={
                <PageHeader
                    title={`Roles (${rows.length})`}
                    actions={
                        <>
                            <ConditionallyRender
                                condition={!isSmallScreen}
                                show={
                                    <>
                                        <Search
                                            initialValue={searchValue}
                                            onChange={setSearchValue}
                                        />
                                        <PageHeader.Divider />
                                    </>
                                }
                            />
                            <Button
                                variant="contained"
                                color="primary"
                                onClick={() => {
                                    setSelectedRole(undefined);
                                    setModalOpen(true);
                                }}
                            >
                                New role
                            </Button>
                        </>
                    }
                >
                    <ConditionallyRender
                        condition={isSmallScreen}
                        show={
                            <Search
                                initialValue={searchValue}
                                onChange={setSearchValue}
                            />
                        }
                    />
                </PageHeader>
            }
        >
            <SearchHighlightProvider value={getSearchText(searchValue)}>
                <VirtualizedTable
                    rows={rows}
                    headerGroups={headerGroups}
                    prepareRow={prepareRow}
                />
            </SearchHighlightProvider>
            <ConditionallyRender
                condition={rows.length === 0}
                show={
                    <ConditionallyRender
                        condition={searchValue?.length > 0}
                        show={
                            <TablePlaceholder>
                                No roles found matching &ldquo;
                                {searchValue}
                                &rdquo;
                            </TablePlaceholder>
                        }
                        elseShow={
                            <TablePlaceholder>
                                No roles available. Get started by adding one.
                            </TablePlaceholder>
                        }
                    />
                }
            />
            <RoleModal
                roleId={selectedRole?.id}
                open={modalOpen}
                setOpen={setModalOpen}
            />
            <RoleDeleteDialog
                role={selectedRole}
                open={deleteOpen}
                setOpen={setDeleteOpen}
                onConfirm={onDeleteConfirm}
            />
        </PageContent>
    );
 };
--- a/frontend/src/component/admin/serviceAccounts/ServiceAccountsTable/ServiceAccountModal/ServiceAccountModal.tsx
+++ b/frontend/src/component/admin/serviceAccounts/ServiceAccountsTable/ServiceAccountModal/ServiceAccountModal.tsx
@ -6,7 +6,6 @@ import {
    Radio,
    RadioGroup,
    styled,
    Typography,
 } from '@mui/material';
 import FormTemplate from 'component/common/FormTemplate/FormTemplate';
 import { SidebarModal } from 'component/common/SidebarModal/SidebarModal';
@ -33,6 +32,8 @@ import { useServiceAccountTokensApi } from 'hooks/api/actions/useServiceAccountT
 import { INewPersonalAPIToken } from 'interfaces/personalAPIToken';
 import { ServiceAccountTokens } from './ServiceAccountTokens/ServiceAccountTokens';
 import { IServiceAccount } from 'interfaces/service-account';
 import { RoleSelect } from 'component/common/RoleSelect/RoleSelect';
 import IRole from 'interfaces/role';
 const StyledForm = styled('form')(() => ({
    display: 'flex',
@ -59,14 +60,9 @@ const StyledInput = styled(Input)(({ theme }) => ({
    maxWidth: theme.spacing(50),
 }));
-const StyledRoleBox = styled(FormControlLabel)(({ theme }) => ({
+const StyledRoleSelect = styled(RoleSelect)(({ theme }) => ({
-    margin: theme.spacing(0.5, 0),
+    width: '100%',
-    border: `1px solid ${theme.palette.divider}`,
+    maxWidth: theme.spacing(50),
    padding: theme.spacing(2),
 }));
 const StyledRoleRadio = styled(Radio)(({ theme }) => ({
    marginRight: theme.spacing(2),
 }));
 const StyledSecondaryContainer = styled('div')(({ theme }) => ({
@ -133,7 +129,7 @@ export const ServiceAccountModal = ({
    const [name, setName] = useState('');
    const [username, setUsername] = useState('');
-    const [rootRole, setRootRole] = useState(1);
+    const [rootRole, setRootRole] = useState<IRole | null>(null);
    const [tokenGeneration, setTokenGeneration] = useState<TokenGeneration>(
        TokenGeneration.LATER
    );
@ -160,7 +156,9 @@ export const ServiceAccountModal = ({
    useEffect(() => {
        setName(serviceAccount?.name || '');
        setUsername(serviceAccount?.username || '');
-        setRootRole(serviceAccount?.rootRole || 1);
+        setRootRole(
            roles.find(({ id }) => id === serviceAccount?.rootRole) || null
        );
        setTokenGeneration(TokenGeneration.LATER);
        setErrors({});
@ -173,7 +171,7 @@ export const ServiceAccountModal = ({
    const getServiceAccountPayload = (): IServiceAccountPayload => ({
        name,
        username,
-        rootRole,
+        rootRole: rootRole?.id || 0,
    });
    const handleSubmit = async (e: FormEvent<HTMLFormElement>) => {
@ -226,6 +224,7 @@ export const ServiceAccountModal = ({
            (serviceAccount: IServiceAccount) =>
                serviceAccount.username === value
        );
    const isRoleValid = rootRole !== null;
    const isPATValid =
        tokenGeneration === TokenGeneration.LATER ||
        (isNotEmpty(patDescription) && patExpiresAt > new Date());
@ -233,6 +232,7 @@ export const ServiceAccountModal = ({
        isNotEmpty(name) &&
        isNotEmpty(username) &&
        (editing || isUnique(username)) &&
        isRoleValid &&
        isPATValid;
    const suggestUsername = () => {
@ -305,39 +305,11 @@ export const ServiceAccountModal = ({
                        <StyledInputDescription>
                            What is your service account allowed to do?
                        </StyledInputDescription>
-                        <FormControl>
+                        <StyledRoleSelect
-                            <RadioGroup
+                            value={rootRole}
-                                name="rootRole"
+                            setValue={setRootRole}
-                                value={rootRole || ''}
+                            required
-                                onChange={e => setRootRole(+e.target.value)}
+                        />
                                data-loading
                            >
                                {roles
                                    .sort((a, b) => (a.name < b.name ? -1 : 1))
                                    .map(role => (
                                        <StyledRoleBox
                                            key={`role-${role.id}`}
                                            labelPlacement="end"
                                            label={
                                                <div>
                                                    <strong>{role.name}</strong>
                                                    <Typography variant="body2">
                                                        {role.description}
                                                    </Typography>
                                                </div>
                                            }
                                            control={
                                                <StyledRoleRadio
                                                    checked={
                                                        role.id === rootRole
                                                    }
                                                />
                                            }
                                            value={role.id}
                                        />
                                    ))}
                            </RadioGroup>
                        </FormControl>
                        <ConditionallyRender
                            condition={!editing}
                            show={
--- a/frontend/src/component/admin/serviceAccounts/ServiceAccountsTable/ServiceAccountTokensCell/ServiceAccountTokensCell.tsx
+++ b/frontend/src/component/admin/serviceAccounts/ServiceAccountsTable/ServiceAccountTokensCell/ServiceAccountTokensCell.tsx
@ -14,7 +14,7 @@ const StyledItem = styled(Typography)(({ theme }) => ({
 interface IServiceAccountTokensCellProps {
    serviceAccount: IServiceAccount;
    value: string;
-    onCreateToken: () => void;
+    onCreateToken?: () => void;
 }
 export const ServiceAccountTokensCell: VFC<IServiceAccountTokensCellProps> = ({
@ -24,8 +24,10 @@ export const ServiceAccountTokensCell: VFC<IServiceAccountTokensCellProps> = ({
 }) => {
    const { searchQuery } = useSearchHighlightContext();
-    if (!serviceAccount.tokens || serviceAccount.tokens.length === 0)
+    if (!serviceAccount.tokens || serviceAccount.tokens.length === 0) {
-        return <LinkCell title="Create token" onClick={onCreateToken} />;
+        if (!onCreateToken) return <TextCell>0 tokens</TextCell>;
        else return <LinkCell title="Create token" onClick={onCreateToken} />;
    }
    return (
        <TextCell>
--- a/frontend/src/component/admin/serviceAccounts/ServiceAccountsTable/ServiceAccountsTable.tsx
+++ b/frontend/src/component/admin/serviceAccounts/ServiceAccountsTable/ServiceAccountsTable.tsx
@ -28,6 +28,7 @@ import { ServiceAccountTokenDialog } from './ServiceAccountTokenDialog/ServiceAc
 import { ServiceAccountTokensCell } from './ServiceAccountTokensCell/ServiceAccountTokensCell';
 import { TimeAgoCell } from 'component/common/Table/cells/TimeAgoCell/TimeAgoCell';
 import { IServiceAccount } from 'interfaces/service-account';
 import { RoleCell } from 'component/common/Table/cells/RoleCell/RoleCell';
 export const ServiceAccountsTable = () => {
    const { setToastData, setToastApiError } = useToast();
@ -92,6 +93,9 @@ export const ServiceAccountsTable = () => {
                accessor: (row: any) =>
                    roles.find((role: IRole) => role.id === row.rootRole)
                        ?.name || '',
                Cell: ({ row: { original: serviceAccount }, value }: any) => (
                    <RoleCell value={value} roleId={serviceAccount.rootRole} />
                ),
                maxWidth: 120,
            },
            {
--- a/frontend/src/component/admin/users/UserForm/UserForm.tsx
+++ b/frontend/src/component/admin/users/UserForm/UserForm.tsx
@ -1,19 +1,11 @@
 import Input from 'component/common/Input/Input';
-import {
+import { Button, FormControl, Typography, Switch, styled } from '@mui/material';
    FormControlLabel,
    Button,
    RadioGroup,
    FormControl,
    Typography,
    Radio,
    Switch,
    styled,
 } from '@mui/material';
 import React from 'react';
 import { useUsers } from 'hooks/api/getters/useUsers/useUsers';
 import { ConditionallyRender } from 'component/common/ConditionallyRender/ConditionallyRender';
 import { EDIT } from 'constants/misc';
 import useUiConfig from 'hooks/api/getters/useUiConfig/useUiConfig';
 import { RoleSelect } from 'component/common/RoleSelect/RoleSelect';
 import IRole from 'interfaces/role';
 const StyledForm = styled('form')(() => ({
    display: 'flex',
@ -38,16 +30,6 @@ const StyledRoleSubtitle = styled(Typography)(({ theme }) => ({
    margin: theme.spacing(1, 0),
 }));
 const StyledRoleBox = styled(FormControlLabel)(({ theme }) => ({
    margin: theme.spacing(0.5, 0),
    border: `1px solid ${theme.palette.divider}`,
    padding: theme.spacing(2),
 }));
 const StyledRoleRadio = styled(Radio)(({ theme }) => ({
    marginRight: theme.spacing(2),
 }));
 const StyledFlexRow = styled('div')(() => ({
    display: 'flex',
    alignItems: 'center',
@ -66,12 +48,12 @@ const StyledCancelButton = styled(Button)(({ theme }) => ({
 interface IUserForm {
    email: string;
    name: string;
-    rootRole: number;
+    rootRole: IRole | null;
    sendEmail: boolean;
    setEmail: React.Dispatch<React.SetStateAction<string>>;
    setName: React.Dispatch<React.SetStateAction<string>>;
    setSendEmail: React.Dispatch<React.SetStateAction<boolean>>;
-    setRootRole: React.Dispatch<React.SetStateAction<number>>;
+    setRootRole: React.Dispatch<React.SetStateAction<IRole | null>>;
    handleSubmit: (e: any) => void;
    handleCancel: () => void;
    errors: { [key: string]: string };
@ -95,19 +77,8 @@ const UserForm: React.FC<IUserForm> = ({
    clearErrors,
    mode,
 }) => {
    const { roles } = useUsers();
    const { uiConfig } = useUiConfig();
    // @ts-expect-error
    const sortRoles = (a, b) => {
        if (b.name[0] < a.name[0]) {
            return 1;
        } else if (a.name[0] < b.name[0]) {
            return -1;
        }
        return 0;
    };
    return (
        <StyledForm onSubmit={handleSubmit}>
            <StyledContainer>
@ -132,39 +103,10 @@ const UserForm: React.FC<IUserForm> = ({
                    errorText={errors.email}
                    onFocus={() => clearErrors()}
                />
-                <FormControl>
+                <StyledRoleSubtitle variant="subtitle1" data-loading>
-                    <StyledRoleSubtitle variant="subtitle1" data-loading>
+                    What is your team member allowed to do?
-                        What is your team member allowed to do?
+                </StyledRoleSubtitle>
-                    </StyledRoleSubtitle>
+                <RoleSelect value={rootRole} setValue={setRootRole} required />
                    <RadioGroup
                        name="rootRole"
                        value={rootRole || ''}
                        onChange={e => setRootRole(+e.target.value)}
                        data-loading
                    >
                        {/* @ts-expect-error */}
                        {roles.sort(sortRoles).map(role => (
                            <StyledRoleBox
                                key={`role-${role.id}`}
                                labelPlacement="end"
                                label={
                                    <div>
                                        <strong>{role.name}</strong>
                                        <Typography variant="body2">
                                            {role.description}
                                        </Typography>
                                    </div>
                                }
                                control={
                                    <StyledRoleRadio
                                        checked={role.id === rootRole}
                                    />
                                }
                                value={role.id}
                            />
                        ))}
                    </RadioGroup>
                </FormControl>
                <ConditionallyRender
                    condition={mode !== EDIT && Boolean(uiConfig?.emailEnabled)}
                    show={
--- a/frontend/src/component/admin/users/UsersList/UsersList.tsx
+++ b/frontend/src/component/admin/users/UsersList/UsersList.tsx
@ -34,6 +34,7 @@ import { Search } from 'component/common/Search/Search';
 import { UserAvatar } from 'component/common/UserAvatar/UserAvatar';
 import { useConditionallyHiddenColumns } from 'hooks/useConditionallyHiddenColumns';
 import { UserLimitWarning } from './UserLimitWarning/UserLimitWarning';
 import { RoleCell } from 'component/common/Table/cells/RoleCell/RoleCell';
 const UsersList = () => {
    const navigate = useNavigate();
@ -126,6 +127,9 @@ const UsersList = () => {
                accessor: (row: any) =>
                    roles.find((role: IRole) => role.id === row.rootRole)
                        ?.name || '',
                Cell: ({ row: { original: user }, value }: any) => (
                    <RoleCell value={value} roleId={user.rootRole} />
                ),
                disableGlobalFilter: true,
                maxWidth: 120,
            },
--- a/frontend/src/component/admin/users/hooks/useAddUserForm.ts
+++ b/frontend/src/component/admin/users/hooks/useAddUserForm.ts
@ -1,17 +1,22 @@
 import { useEffect, useState } from 'react';
 import { useUsers } from 'hooks/api/getters/useUsers/useUsers';
 import useUiConfig from 'hooks/api/getters/useUiConfig/useUiConfig';
 import IRole from 'interfaces/role';
 import { useRoles } from 'hooks/api/getters/useRoles/useRoles';
 const useCreateUserForm = (
    initialName = '',
    initialEmail = '',
-    initialRootRole = 1
+    initialRootRole = null
 ) => {
    const { uiConfig } = useUiConfig();
    const { roles } = useRoles();
    const [name, setName] = useState(initialName);
    const [email, setEmail] = useState(initialEmail);
    const [sendEmail, setSendEmail] = useState(false);
-    const [rootRole, setRootRole] = useState(initialRootRole);
+    const [rootRole, setRootRole] = useState<IRole | null>(
        roles.find(({ id }) => id === initialRootRole) || null
    );
    const [errors, setErrors] = useState({});
    const { users } = useUsers();
@ -29,7 +34,7 @@ const useCreateUserForm = (
    }, [uiConfig?.emailEnabled]);
    useEffect(() => {
-        setRootRole(initialRootRole);
+        setRootRole(roles.find(({ id }) => id === initialRootRole) || null);
    }, [initialRootRole]);
    const getAddUserPayload = () => {
@ -37,7 +42,7 @@ const useCreateUserForm = (
            name: name,
            email: email,
            sendEmail: sendEmail,
-            rootRole: rootRole,
+            rootRole: rootRole?.id || 0,
        };
    };
@ -54,7 +59,6 @@ const useCreateUserForm = (
    };
    const validateEmail = () => {
        // @ts-expect-error
        if (users.some(user => user['email'] === email)) {
            setErrors(prev => ({ ...prev, email: 'Email already exists' }));
            return false;
--- a/frontend/src/component/common/HtmlTooltip/HtmlTooltip.tsx
+++ b/frontend/src/component/common/HtmlTooltip/HtmlTooltip.tsx
@ -65,6 +65,7 @@ export interface IHtmlTooltipProps extends TooltipProps {
    fontSize?: string;
 }
-export const HtmlTooltip = (props: IHtmlTooltipProps) => (
+export const HtmlTooltip = (props: IHtmlTooltipProps) => {
-    <StyledHtmlTooltip {...props}>{props.children}</StyledHtmlTooltip>
+    if (!Boolean(props.title)) return props.children;
-);
+    return <StyledHtmlTooltip {...props}>{props.children}</StyledHtmlTooltip>;
 };
--- a/frontend/src/component/common/RoleBadge/RoleBadge.tsx
+++ b/frontend/src/component/common/RoleBadge/RoleBadge.tsx
@ -0,0 +1,27 @@
 import { Badge } from 'component/common/Badge/Badge';
 import { HtmlTooltip } from 'component/common/HtmlTooltip/HtmlTooltip';
 import { useRole } from 'hooks/api/getters/useRole/useRole';
 import { Person as UserIcon } from '@mui/icons-material';
 import { RoleDescription } from 'component/common/RoleDescription/RoleDescription';
 interface IRoleBadgeProps {
    roleId: number;
 }
 export const RoleBadge = ({ roleId }: IRoleBadgeProps) => {
    const { role } = useRole(roleId.toString());
    if (!role) return null;
    return (
        <HtmlTooltip title={<RoleDescription roleId={roleId} tooltip />}>
            <Badge
                color="success"
                icon={<UserIcon />}
                sx={{ cursor: 'pointer' }}
            >
                {role.name}
            </Badge>
        </HtmlTooltip>
    );
 };
--- a/frontend/src/component/common/RoleDescription/RoleDescription.tsx
+++ b/frontend/src/component/common/RoleDescription/RoleDescription.tsx
@ -0,0 +1,100 @@
 import { SxProps, Theme, styled } from '@mui/material';
 import { ConditionallyRender } from '../ConditionallyRender/ConditionallyRender';
 import { ROOT_PERMISSION_CATEGORIES } from '@server/types/permissions';
 import { useRole } from 'hooks/api/getters/useRole/useRole';
 const StyledDescription = styled('div', {
    shouldForwardProp: prop => prop !== 'tooltip',
 })<{ tooltip?: boolean }>(({ theme, tooltip }) => ({
    width: '100%',
    maxWidth: theme.spacing(50),
    padding: tooltip ? theme.spacing(1) : theme.spacing(3),
    backgroundColor: tooltip
        ? theme.palette.background.paper
        : theme.palette.neutral.light,
    color: theme.palette.text.secondary,
    fontSize: theme.fontSizes.smallBody,
    borderRadius: theme.shape.borderRadiusMedium,
 }));
 const StyledDescriptionBlock = styled('div')(({ theme }) => ({
    marginTop: theme.spacing(2),
 }));
 const StyledDescriptionHeader = styled('p')(({ theme }) => ({
    color: theme.palette.text.primary,
    fontSize: theme.fontSizes.smallBody,
    fontWeight: theme.fontWeight.bold,
    marginBottom: theme.spacing(1),
 }));
 const StyledDescriptionSubHeader = styled('p')(({ theme }) => ({
    fontSize: theme.fontSizes.smallBody,
    marginTop: theme.spacing(1),
 }));
 interface IRoleDescriptionProps {
    roleId: number;
    tooltip?: boolean;
    className?: string;
    sx?: SxProps<Theme>;
 }
 export const RoleDescription = ({
    roleId,
    tooltip,
    ...rest
 }: IRoleDescriptionProps) => {
    const { role } = useRole(roleId.toString());
    if (!role) return null;
    const { name, description, permissions } = role;
    const categorizedPermissions = [...new Set(permissions)].map(permission => {
        const category = ROOT_PERMISSION_CATEGORIES.find(category =>
            category.permissions.includes(permission.name)
        );
        return {
            category: category ? category.label : 'Other',
            permission,
        };
    });
    const categories = new Set(
        categorizedPermissions.map(({ category }) => category).sort()
    );
    return (
        <StyledDescription tooltip={tooltip} {...rest}>
            <StyledDescriptionHeader sx={{ mb: 0 }}>
                {name}
            </StyledDescriptionHeader>
            <StyledDescriptionSubHeader>
                {description}
            </StyledDescriptionSubHeader>
            <ConditionallyRender
                condition={
                    categorizedPermissions.length > 0 && role.type !== 'root'
                }
                show={() =>
                    [...categories].map(category => (
                        <StyledDescriptionBlock key={category}>
                            <StyledDescriptionHeader>
                                {category}
                            </StyledDescriptionHeader>
                            {categorizedPermissions
                                .filter(({ category: c }) => c === category)
                                .map(({ permission }) => (
                                    <p key={permission.id}>
                                        {permission.displayName}
                                    </p>
                                ))}
                        </StyledDescriptionBlock>
                    ))
                }
            />
        </StyledDescription>
    );
 };
--- a/frontend/src/component/common/RoleSelect/RoleSelect.tsx
+++ b/frontend/src/component/common/RoleSelect/RoleSelect.tsx
@ -0,0 +1,71 @@
 import {
    Autocomplete,
    AutocompleteProps,
    TextField,
    styled,
 } from '@mui/material';
 import { useRoles } from 'hooks/api/getters/useRoles/useRoles';
 import IRole from 'interfaces/role';
 import { RoleDescription } from '../RoleDescription/RoleDescription';
 import { ConditionallyRender } from '../ConditionallyRender/ConditionallyRender';
 const StyledRoleOption = styled('div')(({ theme }) => ({
    display: 'flex',
    flexDirection: 'column',
    '& > span:last-of-type': {
        fontSize: theme.fontSizes.smallerBody,
        color: theme.palette.text.secondary,
    },
 }));
 interface IRoleSelectProps
    extends Partial<AutocompleteProps<IRole, false, false, false>> {
    value: IRole | null;
    setValue: (role: IRole | null) => void;
    required?: boolean;
 }
 export const RoleSelect = ({
    value,
    setValue,
    required,
    ...rest
 }: IRoleSelectProps) => {
    const { roles } = useRoles();
    const renderRoleOption = (
        props: React.HTMLAttributes<HTMLLIElement>,
        option: IRole
    ) => (
        <li {...props}>
            <StyledRoleOption>
                <span>{option.name}</span>
                <span>{option.description}</span>
            </StyledRoleOption>
        </li>
    );
    return (
        <>
            <Autocomplete
                openOnFocus
                size="small"
                value={value}
                onChange={(_, role) => setValue(role || null)}
                options={roles}
                renderOption={renderRoleOption}
                getOptionLabel={option => option.name}
                renderInput={params => (
                    <TextField {...params} label="Role" required={required} />
                )}
                {...rest}
            />
            <ConditionallyRender
                condition={Boolean(value)}
                show={() => (
                    <RoleDescription sx={{ marginTop: 1 }} roleId={value!.id} />
                )}
            />
        </>
    );
 };
--- a/frontend/src/component/common/Table/cells/HighlightCell/HighlightCell.tsx
+++ b/frontend/src/component/common/Table/cells/HighlightCell/HighlightCell.tsx
@ -7,6 +7,7 @@ import { ConditionallyRender } from 'component/common/ConditionallyRender/Condit
 interface IHighlightCellProps {
    value: string;
    subtitle?: string;
    afterTitle?: React.ReactNode;
 }
 const StyledContainer = styled(Box)(({ theme }) => ({
@ -40,6 +41,7 @@ const StyledSubtitle = styled('span')(({ theme }) => ({
 export const HighlightCell: VFC<IHighlightCellProps> = ({
    value,
    subtitle,
    afterTitle,
 }) => {
    const { searchQuery } = useSearchHighlightContext();
@ -53,6 +55,7 @@ export const HighlightCell: VFC<IHighlightCellProps> = ({
                data-loading
            >
                <Highlighter search={searchQuery}>{value}</Highlighter>
                {afterTitle}
            </StyledTitle>
            <ConditionallyRender
                condition={Boolean(subtitle)}
--- a/frontend/src/component/common/Table/cells/RoleCell/RoleCell.tsx
+++ b/frontend/src/component/common/Table/cells/RoleCell/RoleCell.tsx
@ -0,0 +1,28 @@
 import { VFC } from 'react';
 import { TextCell } from 'component/common/Table/cells/TextCell/TextCell';
 import { TooltipLink } from 'component/common/TooltipLink/TooltipLink';
 import { RoleDescription } from 'component/common/RoleDescription/RoleDescription';
 import useUiConfig from 'hooks/api/getters/useUiConfig/useUiConfig';
 interface IRoleCellProps {
    roleId: number;
    value: string;
 }
 export const RoleCell: VFC<IRoleCellProps> = ({ roleId, value }) => {
    const { isEnterprise, uiConfig } = useUiConfig();
    if (isEnterprise() && uiConfig.flags.customRootRoles) {
        return (
            <TextCell>
                <TooltipLink
                    tooltip={<RoleDescription roleId={roleId} tooltip />}
                >
                    {value}
                </TooltipLink>
            </TextCell>
        );
    }
    return <TextCell>{value}</TextCell>;
 };
--- a/frontend/src/component/environments/CreateEnvironment/CreateEnvironment.tsx
+++ b/frontend/src/component/environments/CreateEnvironment/CreateEnvironment.tsx
@ -9,7 +9,7 @@ import useEnvironmentApi from 'hooks/api/actions/useEnvironmentApi/useEnvironmen
 import useUiConfig from 'hooks/api/getters/useUiConfig/useUiConfig';
 import useToast from 'hooks/useToast';
 import { useEnvironments } from 'hooks/api/getters/useEnvironments/useEnvironments';
-import useProjectRolePermissions from 'hooks/api/getters/useProjectRolePermissions/useProjectRolePermissions';
+import usePermissions from 'hooks/api/getters/usePermissions/usePermissions';
 import { ConditionallyRender } from 'component/common/ConditionallyRender/ConditionallyRender';
 import { PageContent } from 'component/common/PageContent/PageContent';
 import { ADMIN } from 'component/providers/AccessProvider/permissions';
@ -25,7 +25,7 @@ const CreateEnvironment = () => {
    const { environments } = useEnvironments();
    const canCreateMoreEnvs = environments.length < ENV_LIMIT;
    const { createEnvironment, loading } = useEnvironmentApi();
-    const { refetch } = useProjectRolePermissions();
+    const { refetch } = usePermissions();
    const {
        name,
        setName,
--- a/frontend/src/component/environments/EditEnvironment/EditEnvironment.tsx
+++ b/frontend/src/component/environments/EditEnvironment/EditEnvironment.tsx
@ -2,7 +2,7 @@ import FormTemplate from 'component/common/FormTemplate/FormTemplate';
 import { UpdateButton } from 'component/common/UpdateButton/UpdateButton';
 import useEnvironmentApi from 'hooks/api/actions/useEnvironmentApi/useEnvironmentApi';
 import useEnvironment from 'hooks/api/getters/useEnvironment/useEnvironment';
-import useProjectRolePermissions from 'hooks/api/getters/useProjectRolePermissions/useProjectRolePermissions';
+import usePermissions from 'hooks/api/getters/usePermissions/usePermissions';
 import useUiConfig from 'hooks/api/getters/useUiConfig/useUiConfig';
 import useToast from 'hooks/useToast';
 import { useNavigate } from 'react-router-dom';
@ -23,7 +23,7 @@ const EditEnvironment = () => {
    const navigate = useNavigate();
    const { name, type, setName, setType, errors, clearErrors } =
        useEnvironmentForm(environment.name, environment.type);
-    const { refetch } = useProjectRolePermissions();
+    const { refetch } = usePermissions();
    const editPayload = () => {
        return {
--- a/frontend/src/component/environments/EnvironmentTable/EnvironmentActionCell/EnvironmentActionCell.tsx
+++ b/frontend/src/component/environments/EnvironmentTable/EnvironmentActionCell/EnvironmentActionCell.tsx
@ -4,7 +4,7 @@ import { useState } from 'react';
 import { IEnvironment } from 'interfaces/environments';
 import { formatUnknownError } from 'utils/formatUnknownError';
 import useEnvironmentApi from 'hooks/api/actions/useEnvironmentApi/useEnvironmentApi';
-import useProjectRolePermissions from 'hooks/api/getters/useProjectRolePermissions/useProjectRolePermissions';
+import usePermissions from 'hooks/api/getters/usePermissions/usePermissions';
 import { useEnvironments } from 'hooks/api/getters/useEnvironments/useEnvironments';
 import useToast from 'hooks/useToast';
 import { EnvironmentActionCellPopover } from './EnvironmentActionCellPopover/EnvironmentActionCellPopover';
@ -25,7 +25,7 @@ export const EnvironmentActionCell = ({
    const navigate = useNavigate();
    const { setToastApiError, setToastData } = useToast();
    const { environments, refetchEnvironments } = useEnvironments();
-    const { refetch: refetchPermissions } = useProjectRolePermissions();
+    const { refetch: refetchPermissions } = usePermissions();
    const { deleteEnvironment, toggleEnvironmentOn, toggleEnvironmentOff } =
        useEnvironmentApi();
--- a/frontend/src/component/menu/routes.ts
+++ b/frontend/src/component/menu/routes.ts
@ -465,6 +465,12 @@ export const adminMenuRoutes: INavigationMenuItem[] = [
    },
    {
        path: '/admin/roles',
        title: 'Roles',
        flag: 'customRootRoles',
        menu: { adminSettings: true, mode: ['enterprise'] },
    },
    {
        path: '/admin/project-roles',
        title: 'Project roles',
        flag: RE,
        menu: { adminSettings: true, mode: ['enterprise'] },
--- a/frontend/src/component/project/ProjectAccess/ProjectAccessAssign/ProjectRoleDescription/ProjectRoleDescription.tsx
+++ b/frontend/src/component/project/ProjectAccess/ProjectAccessAssign/ProjectRoleDescription/ProjectRoleDescription.tsx
@ -1,6 +1,6 @@
 import { styled, SxProps, Theme } from '@mui/material';
 import { ForwardedRef, forwardRef, useMemo, VFC } from 'react';
-import useProjectRole from 'hooks/api/getters/useProjectRole/useProjectRole';
+import { useRole } from 'hooks/api/getters/useRole/useRole';
 import { ConditionallyRender } from 'component/common/ConditionallyRender/ConditionallyRender';
 import useProjectAccess from 'hooks/api/getters/useProjectAccess/useProjectAccess';
 import { ProjectRoleDescriptionProjectPermissions } from './ProjectRoleDescriptionProjectPermissions/ProjectRoleDescriptionProjectPermissions';
@ -64,13 +64,13 @@ export const ProjectRoleDescription: VFC<IProjectRoleDescriptionProps> =
            }: IProjectRoleDescriptionProps,
            ref: ForwardedRef<HTMLDivElement>
        ) => {
-            const { role } = useProjectRole(roleId.toString());
+            const { role } = useRole(roleId.toString());
            const { access } = useProjectAccess(projectId);
            const accessRole = access?.roles.find(role => role.id === roleId);
            const environments = useMemo(() => {
                const environments = new Set<string>();
-                role.permissions
+                role?.permissions
                    ?.filter((permission: any) => permission.environment)
                    .forEach((permission: any) => {
                        environments.add(permission.environment);
@ -79,7 +79,7 @@ export const ProjectRoleDescription: VFC<IProjectRoleDescriptionProps> =
            }, [role]);
            const projectPermissions = useMemo(() => {
-                return role.permissions?.filter(
+                return role?.permissions?.filter(
                    (permission: any) => !permission.environment
                );
            }, [role]);
@ -92,7 +92,9 @@ export const ProjectRoleDescription: VFC<IProjectRoleDescriptionProps> =
                    ref={ref}
                >
                    <ConditionallyRender
-                        condition={role.permissions?.length > 0}
+                        condition={Boolean(
                            role?.permissions && role?.permissions?.length > 0
                        )}
                        show={
                            <>
                                <ConditionallyRender
@ -107,7 +109,7 @@ export const ProjectRoleDescription: VFC<IProjectRoleDescriptionProps> =
                                            <StyledDescriptionBlock>
                                                <ProjectRoleDescriptionProjectPermissions
                                                    permissions={
-                                                        role.permissions
+                                                        role?.permissions || []
                                                    }
                                                />
                                            </StyledDescriptionBlock>
@ -132,7 +134,8 @@ export const ProjectRoleDescription: VFC<IProjectRoleDescriptionProps> =
                                                                environment
                                                            }
                                                            permissions={
-                                                                role.permissions
+                                                                role?.permissions ||
                                                                []
                                                            }
                                                        />
                                                    </StyledDescriptionBlock>
--- a/frontend/src/component/providers/AccessProvider/permissions.ts
+++ b/frontend/src/component/providers/AccessProvider/permissions.ts
@ -18,6 +18,7 @@ export const CREATE_ADDON = 'CREATE_ADDON';
 export const UPDATE_ADDON = 'UPDATE_ADDON';
 export const DELETE_ADDON = 'DELETE_ADDON';
 export const CREATE_API_TOKEN = 'CREATE_API_TOKEN';
 export const UPDATE_API_TOKEN = 'UPDATE_API_TOKEN';
 export const DELETE_API_TOKEN = 'DELETE_API_TOKEN';
 export const READ_API_TOKEN = 'READ_API_TOKEN';
 export const DELETE_ENVIRONMENT = 'DELETE_ENVIRONMENT';
--- a/frontend/src/component/user/Profile/ProfileTab/ProfileTab.tsx
+++ b/frontend/src/component/user/Profile/ProfileTab/ProfileTab.tsx
@ -14,11 +14,11 @@ import { UserAvatar } from 'component/common/UserAvatar/UserAvatar';
 import { useProfile } from 'hooks/api/getters/useProfile/useProfile';
 import { useLocationSettings } from 'hooks/useLocationSettings';
 import { IUser } from 'interfaces/user';
 import InfoOutlinedIcon from '@mui/icons-material/InfoOutlined';
 import TopicOutlinedIcon from '@mui/icons-material/TopicOutlined';
 import { useNavigate } from 'react-router-dom';
 import { PageContent } from 'component/common/PageContent/PageContent';
 import { ConditionallyRender } from 'component/common/ConditionallyRender/ConditionallyRender';
 import { RoleBadge } from 'component/common/RoleBadge/RoleBadge';
 const StyledHeader = styled('div')(({ theme }) => ({
    display: 'flex',
@ -134,21 +134,17 @@ export const ProfileTab = ({ user }: IProfileTabProps) => {
                <StyledSectionLabel>Access</StyledSectionLabel>
                <StyledAccess>
                    <Box sx={{ width: '50%' }}>
-                        <Typography variant="body2">Your root role</Typography>
+                        <ConditionallyRender
-                        <Tooltip
+                            condition={Boolean(profile?.rootRole)}
-                            title={profile?.rootRole.description || ''}
+                            show={() => (
-                            arrow
+                                <>
-                            placement="bottom-end"
+                                    <Typography variant="body2">
-                            describeChild
+                                        Your root role
-                        >
+                                    </Typography>
-                            <Badge
+                                    <RoleBadge roleId={profile?.rootRole.id!} />
-                                color="success"
+                                </>
-                                icon={<InfoOutlinedIcon />}
+                            )}
-                                iconRight
+                        />
                            >
                                {profile?.rootRole.name}
                            </Badge>
                        </Tooltip>
                    </Box>
                    <Box>
                        <Typography variant="body2">Projects</Typography>
--- a/frontend/src/hooks/api/actions/useProjectRolesApi/useProjectRolesApi.ts
+++ b/frontend/src/hooks/api/actions/useProjectRolesApi/useProjectRolesApi.ts
@ -1,88 +0,0 @@
 import { IPermission } from 'interfaces/project';
 import useAPI from '../useApi/useApi';
 interface ICreateRolePayload {
    name: string;
    description: string;
    permissions: IPermission[];
 }
 const useProjectRolesApi = () => {
    const { makeRequest, createRequest, errors, loading } = useAPI({
        propagateErrors: true,
    });
    const createRole = async (payload: ICreateRolePayload) => {
        const path = `api/admin/roles`;
        const req = createRequest(path, {
            method: 'POST',
            body: JSON.stringify(payload),
        });
        try {
            const res = await makeRequest(req.caller, req.id);
            return res;
        } catch (e) {
            throw e;
        }
    };
    const editRole = async (id: string, payload: ICreateRolePayload) => {
        const path = `api/admin/roles/${id}`;
        const req = createRequest(path, {
            method: 'PUT',
            body: JSON.stringify(payload),
        });
        try {
            const res = await makeRequest(req.caller, req.id);
            return res;
        } catch (e) {
            throw e;
        }
    };
    const validateRole = async (payload: ICreateRolePayload) => {
        const path = `api/admin/roles/validate`;
        const req = createRequest(path, {
            method: 'POST',
            body: JSON.stringify(payload),
        });
        try {
            const res = await makeRequest(req.caller, req.id);
            return res;
        } catch (e) {
            throw e;
        }
    };
    const deleteRole = async (id: number) => {
        const path = `api/admin/roles/${id}`;
        const req = createRequest(path, {
            method: 'DELETE',
        });
        try {
            const res = await makeRequest(req.caller, req.id);
            return res;
        } catch (e) {
            throw e;
        }
    };
    return {
        createRole,
        deleteRole,
        editRole,
        validateRole,
        errors,
        loading,
    };
 };
 export default useProjectRolesApi;
--- a/frontend/src/hooks/api/actions/useRolesApi/useRolesApi.ts
+++ b/frontend/src/hooks/api/actions/useRolesApi/useRolesApi.ts
@ -0,0 +1,77 @@
 import { IPermission } from 'interfaces/permissions';
 import useAPI from '../useApi/useApi';
 interface IRolePayload {
    name: string;
    description: string;
    permissions: IPermission[];
 }
 export const useRolesApi = () => {
    const { loading, makeRequest, createRequest, errors } = useAPI({
        propagateErrors: true,
    });
    const addRole = async (role: IRolePayload) => {
        const requestId = 'addRole';
        const req = createRequest(
            'api/admin/roles',
            {
                method: 'POST',
                body: JSON.stringify(role),
            },
            requestId
        );
        const response = await makeRequest(req.caller, req.id);
        return await response.json();
    };
    const updateRole = async (roleId: number, role: IRolePayload) => {
        const requestId = 'updateRole';
        const req = createRequest(
            `api/admin/roles/${roleId}`,
            {
                method: 'PUT',
                body: JSON.stringify(role),
            },
            requestId
        );
        await makeRequest(req.caller, req.id);
    };
    const removeRole = async (roleId: number) => {
        const requestId = 'removeRole';
        const req = createRequest(
            `api/admin/roles/${roleId}`,
            { method: 'DELETE' },
            requestId
        );
        await makeRequest(req.caller, req.id);
    };
    const validateRole = async (payload: IRolePayload) => {
        const requestId = 'validateRole';
        const req = createRequest(
            'api/admin/roles/validate',
            {
                method: 'POST',
                body: JSON.stringify(payload),
            },
            requestId
        );
        await makeRequest(req.caller, req.id);
    };
    return {
        addRole,
        updateRole,
        removeRole,
        validateRole,
        errors,
        loading,
    };
 };
--- a/frontend/src/hooks/api/getters/useProjectRolePermissions/useProjectRolePermissions.ts
+++ b/frontend/src/hooks/api/getters/useProjectRolePermissions/useProjectRolePermissions.ts
@ -4,15 +4,16 @@ import { formatApiPath } from 'utils/formatPath';
 import {
    IProjectEnvironmentPermissions,
-    IProjectRolePermissions,
+    IPermissions,
    IPermission,
-} from 'interfaces/project';
+} from 'interfaces/permissions';
 import handleErrorResponses from '../httpErrorResponseHandler';
-interface IUseProjectRolePermissions {
+interface IUsePermissions {
    permissions:
-        | IProjectRolePermissions
+        | IPermissions
        | {
              root: IPermission[];
              project: IPermission[];
              environments: IProjectEnvironmentPermissions[];
          };
@ -21,9 +22,7 @@ interface IUseProjectRolePermissions {
    error: any;
 }
-const useProjectRolePermissions = (
+const usePermissions = (options: SWRConfiguration = {}): IUsePermissions => {
    options: SWRConfiguration = {}
 ): IUseProjectRolePermissions => {
    const fetcher = () => {
        const path = formatApiPath(`api/admin/permissions`);
        return fetch(path, {
@ -35,7 +34,7 @@ const useProjectRolePermissions = (
    const KEY = `api/admin/permissions`;
-    const { data, error } = useSWR<{ permissions: IProjectRolePermissions }>(
+    const { data, error } = useSWR<{ permissions: IPermissions }>(
        KEY,
        fetcher,
        options
@ -51,11 +50,15 @@ const useProjectRolePermissions = (
    }, [data, error]);
    return {
-        permissions: data?.permissions || { project: [], environments: [] },
+        permissions: data?.permissions || {
            root: [],
            project: [],
            environments: [],
        },
        error,
        loading,
        refetch,
    };
 };
-export default useProjectRolePermissions;
+export default usePermissions;
--- a/frontend/src/hooks/api/getters/useProjectRole/useProjectRole.ts
+++ b/frontend/src/hooks/api/getters/useProjectRole/useProjectRole.ts
@ -1,41 +0,0 @@
 import { mutate, SWRConfiguration } from 'swr';
 import { useState, useEffect } from 'react';
 import { formatApiPath } from 'utils/formatPath';
 import handleErrorResponses from '../httpErrorResponseHandler';
 import { useEnterpriseSWR } from '../useEnterpriseSWR/useEnterpriseSWR';
 const useProjectRole = (id: string, options: SWRConfiguration = {}) => {
    const fetcher = () => {
        const path = formatApiPath(`api/admin/roles/${id}`);
        return fetch(path, {
            method: 'GET',
        })
            .then(handleErrorResponses('project role'))
            .then(res => res.json());
    };
    const { data, error } = useEnterpriseSWR(
        {},
        `api/admin/roles/${id}`,
        fetcher,
        options
    );
    const [loading, setLoading] = useState(!error && !data);
    const refetch = () => {
        mutate(`api/admin/roles/${id}`);
    };
    useEffect(() => {
        setLoading(!error && !data);
    }, [data, error]);
    return {
        role: data ? data : {},
        error,
        loading,
        refetch,
    };
 };
 export default useProjectRole;
--- a/frontend/src/hooks/api/getters/useProjectRoles/useProjectRoles.ts
+++ b/frontend/src/hooks/api/getters/useProjectRoles/useProjectRoles.ts
@ -1,35 +0,0 @@
 import useSWR, { mutate, SWRConfiguration } from 'swr';
 import { useState, useEffect } from 'react';
 import { formatApiPath } from 'utils/formatPath';
 import handleErrorResponses from '../httpErrorResponseHandler';
 const useProjectRoles = (options: SWRConfiguration = {}) => {
    const fetcher = () => {
        const path = formatApiPath(`api/admin/roles`);
        return fetch(path, {
            method: 'GET',
        })
            .then(handleErrorResponses('project roles'))
            .then(res => res.json());
    };
    const { data, error } = useSWR(`api/admin/roles`, fetcher, options);
    const [loading, setLoading] = useState(!error && !data);
    const refetch = () => {
        mutate(`api/admin/roles`);
    };
    useEffect(() => {
        setLoading(!error && !data);
    }, [data, error]);
    return {
        roles: data?.roles || [],
        error,
        loading,
        refetch,
    };
 };
 export default useProjectRoles;
--- a/frontend/src/hooks/api/getters/useRole/useRole.ts
+++ b/frontend/src/hooks/api/getters/useRole/useRole.ts
@ -0,0 +1,67 @@
 import { SWRConfiguration } from 'swr';
 import { useMemo } from 'react';
 import { formatApiPath } from 'utils/formatPath';
 import handleErrorResponses from '../httpErrorResponseHandler';
 import IRole from 'interfaces/role';
 import useUiConfig from '../useUiConfig/useUiConfig';
 import { useConditionalSWR } from '../useConditionalSWR/useConditionalSWR';
 export interface IUseRoleOutput {
    role?: IRole;
    refetch: () => void;
    loading: boolean;
    error?: Error;
 }
 export const useRole = (
    id?: string,
    options: SWRConfiguration = {}
 ): IUseRoleOutput => {
    const { isEnterprise } = useUiConfig();
    const { data, error, mutate } = useConditionalSWR(
        Boolean(id) && isEnterprise(),
        undefined,
        formatApiPath(`api/admin/roles/${id}`),
        fetcher,
        options
    );
    const {
        data: ossData,
        error: ossError,
        mutate: ossMutate,
    } = useConditionalSWR(
        Boolean(id) && !isEnterprise(),
        { rootRoles: [] },
        formatApiPath(`api/admin/user-admin`),
        fetcher,
        options
    );
    return useMemo(() => {
        if (!isEnterprise()) {
            return {
                role: ((ossData?.rootRoles ?? []) as IRole[]).find(
                    ({ id: rId }) => rId === +id!
                ),
                loading: !ossError && !ossData,
                refetch: () => ossMutate(),
                error: ossError,
            };
        } else {
            return {
                role: data as IRole,
                loading: !error && !data,
                refetch: () => mutate(),
                error,
            };
        }
    }, [data, error, mutate, ossData, ossError, ossMutate]);
 };
 const fetcher = (path: string) => {
    return fetch(path)
        .then(handleErrorResponses('Role'))
        .then(res => res.json());
 };
--- a/frontend/src/hooks/api/getters/useRoles/useRoles.ts
+++ b/frontend/src/hooks/api/getters/useRoles/useRoles.ts
@ -0,0 +1,78 @@
 import IRole, { IProjectRole } from 'interfaces/role';
 import { useMemo } from 'react';
 import { formatApiPath } from 'utils/formatPath';
 import handleErrorResponses from '../httpErrorResponseHandler';
 import { useConditionalSWR } from '../useConditionalSWR/useConditionalSWR';
 import useUiConfig from '../useUiConfig/useUiConfig';
 const ROOT_ROLE = 'root';
 const ROOT_ROLES = [ROOT_ROLE, 'root-custom'];
 const PROJECT_ROLES = ['project', 'custom'];
 export const useRoles = () => {
    const { isEnterprise, uiConfig } = useUiConfig();
    const { data, error, mutate } = useConditionalSWR(
        isEnterprise(),
        { roles: [], projectRoles: [] },
        formatApiPath(`api/admin/roles`),
        fetcher
    );
    const {
        data: ossData,
        error: ossError,
        mutate: ossMutate,
    } = useConditionalSWR(
        !isEnterprise(),
        { rootRoles: [] },
        formatApiPath(`api/admin/user-admin`),
        fetcher
    );
    return useMemo(() => {
        if (!isEnterprise()) {
            return {
                roles: ossData?.rootRoles
                    .filter(({ type }: IRole) => type === ROOT_ROLE)
                    .sort(sortRoles) as IRole[],
                projectRoles: [],
                loading: !ossError && !ossData,
                refetch: () => ossMutate(),
                error: ossError,
            };
        } else {
            return {
                roles: (data?.roles
                    .filter(({ type }: IRole) =>
                        uiConfig.flags.customRootRoles
                            ? ROOT_ROLES.includes(type)
                            : type === ROOT_ROLE
                    )
                    .sort(sortRoles) ?? []) as IRole[],
                projectRoles: (data?.roles
                    .filter(({ type }: IRole) => PROJECT_ROLES.includes(type))
                    .sort(sortRoles) ?? []) as IProjectRole[],
                loading: !error && !data,
                refetch: () => mutate(),
                error,
            };
        }
    }, [data, error, mutate, ossData, ossError, ossMutate]);
 };
 const fetcher = (path: string) => {
    return fetch(path)
        .then(handleErrorResponses('Roles'))
        .then(res => res.json());
 };
 export const sortRoles = (a: IRole, b: IRole) => {
    if (a.type === 'root' && b.type !== 'root') {
        return -1;
    } else if (a.type !== 'root' && b.type === 'root') {
        return 1;
    } else {
        return a.name.localeCompare(b.name);
    }
 };
--- a/frontend/src/hooks/api/getters/useUsers/useUsers.ts
+++ b/frontend/src/hooks/api/getters/useUsers/useUsers.ts
@ -2,8 +2,18 @@ import useSWR from 'swr';
 import { useMemo } from 'react';
 import { formatApiPath } from 'utils/formatPath';
 import handleErrorResponses from '../httpErrorResponseHandler';
 import { IUser } from 'interfaces/user';
 import IRole from 'interfaces/role';
-export const useUsers = () => {
+interface IUseUsersOutput {
    users: IUser[];
    roles: IRole[];
    loading: boolean;
    refetch: () => void;
    error?: Error;
 }
 export const useUsers = (): IUseUsersOutput => {
    const { data, error, mutate } = useSWR(
        formatApiPath(`api/admin/user-admin`),
        fetcher
--- a/frontend/src/interfaces/permissions.ts
+++ b/frontend/src/interfaces/permissions.ts
@ -0,0 +1,21 @@
 export interface IPermission {
    id: number;
    name: string;
    displayName: string;
    environment?: string;
 }
 export interface IPermissions {
    root: IPermission[];
    project: IPermission[];
    environments: IProjectEnvironmentPermissions[];
 }
 export interface IProjectEnvironmentPermissions {
    name: string;
    permissions: IPermission[];
 }
 export interface ICheckedPermissions {
    [key: string]: IPermission;
 }
--- a/frontend/src/interfaces/project.ts
+++ b/frontend/src/interfaces/project.ts
@ -34,20 +34,3 @@ export interface IProjectHealthReport extends IProject {
    activeCount: number;
    updatedAt: string;
 }
 export interface IPermission {
    id: number;
    name: string;
    displayName: string;
    environment?: string;
 }
 export interface IProjectRolePermissions {
    project: IPermission[];
    environments: IProjectEnvironmentPermissions[];
 }
 export interface IProjectEnvironmentPermissions {
    name: string;
    permissions: IPermission[];
 }
--- a/frontend/src/interfaces/role.ts
+++ b/frontend/src/interfaces/role.ts
@ -1,9 +1,12 @@
 import { IPermission } from './permissions';
 interface IRole {
    id: number;
    name: string;
    project: string | null;
    description: string;
    type: string;
    permissions?: IPermission[];
 }
 export interface IProjectRole {
--- a/frontend/src/interfaces/uiConfig.ts
+++ b/frontend/src/interfaces/uiConfig.ts
@ -54,6 +54,7 @@ export interface IFlags {
    segmentContextFieldUsage?: boolean;
    disableNotifications?: boolean;
    advancedPlayground?: boolean;
    customRootRoles?: boolean;
 }
 export interface IVersionInfo {
--- a/src/lib/snapshots/create-config.test.ts.snap
+++ b/src/lib/snapshots/create-config.test.ts.snap
@ -71,6 +71,7 @@ exports[`should create default config 1`] = `
      "anonymiseEventLog": false,
      "caseInsensitiveInOperators": false,
      "cleanClientApi": false,
      "customRootRoles": false,
      "demo": false,
      "disableBulkToggle": false,
      "disableNotifications": false,
@ -105,6 +106,7 @@ exports[`should create default config 1`] = `
      "anonymiseEventLog": false,
      "caseInsensitiveInOperators": false,
      "cleanClientApi": false,
      "customRootRoles": false,
      "demo": false,
      "disableBulkToggle": false,
      "disableNotifications": false,
--- a/src/lib/db/access-store.ts
+++ b/src/lib/db/access-store.ts
@ -101,6 +101,7 @@ export class AccessStore implements IAccessStore {
            .select(['id', 'permission', 'type', 'display_name'])
            .where('type', 'project')
            .orWhere('type', 'environment')
            .orWhere('type', 'root')
            .from(`${T.PERMISSIONS} as p`);
        return rows.map(this.mapPermission);
    }
@ -172,7 +173,7 @@ export class AccessStore implements IAccessStore {
    }
    mapUserPermission(row: IPermissionRow): IUserPermission {
-        let project: string = undefined;
+        let project: string | undefined = undefined;
        // Since the editor should have access to the default project,
        // we map the project to the project and environment specific
        // permissions that are connected to the editor role.
@ -425,11 +426,11 @@ export class AccessStore implements IAccessStore {
    async removeRolesOfTypeForUser(
        userId: number,
-        roleType: string,
+        roleTypes: string[],
    ): Promise<void> {
        const rolesToRemove = this.db(T.ROLES)
            .select('id')
-            .where({ type: roleType });
+            .whereIn('type', roleTypes);
        return this.db(T.ROLE_USER)
            .where({ user_id: userId })
--- a/src/lib/db/role-store.ts
+++ b/src/lib/db/role-store.ts
@ -160,7 +160,7 @@ export default class RoleStore implements IRoleStore {
        return this.db
            .select(['id', 'name', 'type', 'description'])
            .from<IRole>(T.ROLES)
-            .where('type', 'root');
+            .whereIn('type', ['root', 'root-custom']);
    }
    async removeRolesForProject(projectId: string): Promise<void> {
@ -177,7 +177,7 @@ export default class RoleStore implements IRoleStore {
            .distinctOn('user_id')
            .from(`${T.ROLES} AS r`)
            .leftJoin(`${T.ROLE_USER} AS ru`, 'r.id', 'ru.role_id')
-            .where('r.type', '=', 'root');
+            .whereIn('r.type', ['root', 'root-custom']);
        return rows.map((row) => ({
            roleId: Number(row.id),
--- a/src/lib/features/access/createAccessService.ts
+++ b/src/lib/features/access/createAccessService.ts
@ -17,7 +17,7 @@ export const createAccessService = (
    db: Db,
    config: IUnleashConfig,
 ): AccessService => {
-    const { eventBus, getLogger } = config;
+    const { eventBus, getLogger, flagResolver } = config;
    const eventStore = new EventStore(db, getLogger);
    const groupStore = new GroupStore(db);
    const accountStore = new AccountStore(db, getLogger);
@ -31,7 +31,7 @@ export const createAccessService = (
    return new AccessService(
        { accessStore, accountStore, roleStore, environmentStore },
-        { getLogger },
+        { getLogger, flagResolver },
        groupService,
    );
 };
@ -39,7 +39,7 @@ export const createAccessService = (
 export const createFakeAccessService = (
    config: IUnleashConfig,
 ): AccessService => {
-    const { getLogger } = config;
+    const { getLogger, flagResolver } = config;
    const eventStore = new FakeEventStore();
    const groupStore = new FakeGroupStore();
    const accountStore = new FakeAccountStore();
@ -53,7 +53,7 @@ export const createFakeAccessService = (
    return new AccessService(
        { accessStore, accountStore, roleStore, environmentStore },
-        { getLogger },
+        { getLogger, flagResolver },
        groupService,
    );
 };
--- a/src/lib/features/feature-toggle/createFeatureToggleService.ts
+++ b/src/lib/features/feature-toggle/createFeatureToggleService.ts
@ -91,7 +91,7 @@ export const createFeatureToggleService = (
    );
    const accessService = new AccessService(
        { accessStore, accountStore, roleStore, environmentStore },
-        { getLogger },
+        { getLogger, flagResolver },
        groupService,
    );
    const segmentService = new SegmentService(
@ -145,7 +145,7 @@ export const createFakeFeatureToggleService = (
    );
    const accessService = new AccessService(
        { accessStore, accountStore, roleStore, environmentStore },
-        { getLogger },
+        { getLogger, flagResolver },
        groupService,
    );
    const segmentService = new SegmentService(
--- a/src/lib/routes/admin-api/user-admin.ts
+++ b/src/lib/routes/admin-api/user-admin.ts
@ -523,7 +523,6 @@ export default class UserAdminController extends Controller {
        req: Request,
        res: Response<AdminCountSchema>,
    ): Promise<void> {
        console.log('user-admin controller');
        const adminCount = await this.accountService.getAdminCount();
        this.openApiService.respondWithValidation(
--- a/src/lib/services/access-service.test.ts
+++ b/src/lib/services/access-service.test.ts
@ -3,10 +3,15 @@ import getLogger from '../../test/fixtures/no-logger';
 import createStores from '../../test/fixtures/store';
 import { AccessService, IRoleValidation } from './access-service';
 import { GroupService } from './group-service';
 import { createTestConfig } from '../../test/config/test-config';
 function getSetup(withNameInUse: boolean) {
    const stores = createStores();
    const config = createTestConfig({
        getLogger,
    });
    stores.roleStore = {
        ...stores.roleStore,
        async nameInUse(): Promise<boolean> {
@ -14,13 +19,7 @@ function getSetup(withNameInUse: boolean) {
        },
    };
    return {
-        accessService: new AccessService(
+        accessService: new AccessService(stores, config, {} as GroupService),
            stores,
            {
                getLogger,
            },
            {} as GroupService,
        ),
        stores,
    };
 }
--- a/src/lib/services/access-service.ts
+++ b/src/lib/services/access-service.ts
@ -25,12 +25,18 @@ import NameExistsError from '../error/name-exists-error';
 import { IEnvironmentStore } from 'lib/types/stores/environment-store';
 import RoleInUseError from '../error/role-in-use-error';
 import { roleSchema } from '../schema/role-schema';
-import { ALL_ENVS, ALL_PROJECTS, CUSTOM_ROLE_TYPE } from '../util/constants';
+import {
    ALL_ENVS,
    ALL_PROJECTS,
    CUSTOM_ROOT_ROLE_TYPE,
    CUSTOM_PROJECT_ROLE_TYPE,
 } from '../util/constants';
 import { DEFAULT_PROJECT } from '../types/project';
 import InvalidOperationError from '../error/invalid-operation-error';
 import BadDataError from '../error/bad-data-error';
 import { IGroupModelWithProjectRole } from '../types/group';
 import { GroupService } from './group-service';
 import { IFlagResolver, IUnleashConfig } from 'lib/types';
 const { ADMIN } = permissions;
@ -45,6 +51,7 @@ const PROJECT_ADMIN = [
 interface IRoleCreation {
    name: string;
    description: string;
    type?: 'root-custom' | 'custom';
    permissions?: IPermission[];
 }
@ -58,6 +65,7 @@ interface IRoleUpdate {
    id: number;
    name: string;
    description: string;
    type?: 'root-custom' | 'custom';
    permissions?: IPermission[];
 }
@ -76,6 +84,8 @@ export class AccessService {
    private logger: Logger;
    private flagResolver: IFlagResolver;
    constructor(
        {
            accessStore,
@ -86,7 +96,10 @@ export class AccessService {
            IUnleashStores,
            'accessStore' | 'accountStore' | 'roleStore' | 'environmentStore'
        >,
-        { getLogger }: { getLogger: Function },
+        {
            getLogger,
            flagResolver,
        }: Pick<IUnleashConfig, 'getLogger' | 'flagResolver'>,
        groupService: GroupService,
    ) {
        this.store = accessStore;
@ -95,6 +108,7 @@ export class AccessService {
        this.groupService = groupService;
        this.environmentStore = environmentStore;
        this.logger = getLogger('/services/access-service.ts');
        this.flagResolver = flagResolver;
    }
    /**
@ -158,6 +172,10 @@ export class AccessService {
        const bindablePermissions = await this.store.getAvailablePermissions();
        const environments = await this.environmentStore.getAll();
        const rootPermissions = bindablePermissions.filter(
            ({ type }) => type === 'root',
        );
        const projectPermissions = bindablePermissions.filter((x) => {
            return x.type === 'project';
        });
@ -176,6 +194,7 @@ export class AccessService {
        });
        return {
            root: rootPermissions,
            project: projectPermissions,
            environments: allEnvironmentPermissions,
        };
@ -225,10 +244,10 @@ export class AccessService {
        const newRootRole = await this.resolveRootRole(role);
        if (newRootRole) {
            try {
-                await this.store.removeRolesOfTypeForUser(
+                await this.store.removeRolesOfTypeForUser(userId, [
                    userId,
                    RoleType.ROOT,
-                );
+                    RoleType.ROOT_CUSTOM,
                ]);
                await this.store.addUserToRole(
                    userId,
@ -467,38 +486,81 @@ export class AccessService {
    }
    async createRole(role: IRoleCreation): Promise<ICustomRole> {
        // CUSTOM_PROJECT_ROLE_TYPE is assumed by default for backward compatibility
        const roleType =
            role.type === CUSTOM_ROOT_ROLE_TYPE
                ? CUSTOM_ROOT_ROLE_TYPE
                : CUSTOM_PROJECT_ROLE_TYPE;
        if (
            roleType === CUSTOM_ROOT_ROLE_TYPE &&
            !this.flagResolver.isEnabled('customRootRoles')
        ) {
            throw new InvalidOperationError(
                'Custom root roles are not enabled.',
            );
        }
        const baseRole = {
            ...(await this.validateRole(role)),
-            roleType: CUSTOM_ROLE_TYPE,
+            roleType,
        };
        const rolePermissions = role.permissions;
        const newRole = await this.roleStore.create(baseRole);
        if (rolePermissions) {
-            await this.store.addEnvironmentPermissionsToRole(
+            if (roleType === CUSTOM_ROOT_ROLE_TYPE) {
-                newRole.id,
+                await this.store.addPermissionsToRole(
-                rolePermissions,
+                    newRole.id,
-            );
+                    rolePermissions.map(({ name }) => name),
                );
            } else {
                await this.store.addEnvironmentPermissionsToRole(
                    newRole.id,
                    rolePermissions,
                );
            }
        }
        return newRole;
    }
    async updateRole(role: IRoleUpdate): Promise<ICustomRole> {
        const roleType =
            role.type === CUSTOM_ROOT_ROLE_TYPE
                ? CUSTOM_ROOT_ROLE_TYPE
                : CUSTOM_PROJECT_ROLE_TYPE;
        if (
            roleType === CUSTOM_ROOT_ROLE_TYPE &&
            !this.flagResolver.isEnabled('customRootRoles')
        ) {
            throw new InvalidOperationError(
                'Custom root roles are not enabled.',
            );
        }
        await this.validateRole(role, role.id);
        const baseRole = {
            id: role.id,
            name: role.name,
            description: role.description,
-            roleType: CUSTOM_ROLE_TYPE,
+            roleType,
        };
        const rolePermissions = role.permissions;
        const newRole = await this.roleStore.update(baseRole);
        if (rolePermissions) {
            await this.store.wipePermissionsFromRole(newRole.id);
-            await this.store.addEnvironmentPermissionsToRole(
+            if (roleType === CUSTOM_ROOT_ROLE_TYPE) {
-                newRole.id,
+                await this.store.addPermissionsToRole(
-                rolePermissions,
+                    newRole.id,
-            );
+                    rolePermissions.map(({ name }) => name),
                );
            } else {
                await this.store.addEnvironmentPermissionsToRole(
                    newRole.id,
                    rolePermissions,
                );
            }
        }
        return newRole;
    }
@ -532,7 +594,10 @@ export class AccessService {
    async validateRoleIsNotBuiltIn(roleId: number): Promise<void> {
        const role = await this.store.get(roleId);
-        if (role.type !== CUSTOM_ROLE_TYPE) {
+        if (
            role.type !== CUSTOM_PROJECT_ROLE_TYPE &&
            role.type !== CUSTOM_ROOT_ROLE_TYPE
        ) {
            throw new InvalidOperationError(
                'You cannot change built in roles.',
            );
--- a/src/lib/types/experimental.ts
+++ b/src/lib/types/experimental.ts
@ -25,7 +25,8 @@ export type IFlagKey =
    | 'experimentalExtendedTelemetry'
    | 'segmentContextFieldUsage'
    | 'disableNotifications'
-    | 'advancedPlayground';
+    | 'advancedPlayground'
    | 'customRootRoles';
 export type IFlags = Partial<{ [key in IFlagKey]: boolean | Variant }>;
@ -118,6 +119,10 @@ const flags: IFlags = {
        process.env.ADVANCED_PLAYGROUND,
        false,
    ),
    customRootRoles: parseEnvVarBoolean(
        process.env.UNLEASH_EXPERIMENTAL_CUSTOM_ROOT_ROLES,
        false,
    ),
 };
 export const defaultExperimentalOptions: IExperimentalOptions = {
--- a/src/lib/types/model.ts
+++ b/src/lib/types/model.ts
@ -272,6 +272,7 @@ export interface IRoleData {
 }
 export interface IAvailablePermissions {
    root: IPermission[];
    project: IPermission[];
    environments: IEnvironmentPermission[];
 }
@ -305,6 +306,7 @@ export enum RoleName {
 export enum RoleType {
    ROOT = 'root',
    ROOT_CUSTOM = 'root-custom',
    PROJECT = 'project',
 }
--- a/src/lib/types/permissions.ts
+++ b/src/lib/types/permissions.ts
@ -46,3 +46,51 @@ export const SKIP_CHANGE_REQUEST = 'SKIP_CHANGE_REQUEST';
 export const READ_PROJECT_API_TOKEN = 'READ_PROJECT_API_TOKEN';
 export const CREATE_PROJECT_API_TOKEN = 'CREATE_PROJECT_API_TOKEN';
 export const DELETE_PROJECT_API_TOKEN = 'DELETE_PROJECT_API_TOKEN';
 export const ROOT_PERMISSION_CATEGORIES = [
    {
        label: 'Addon',
        permissions: [CREATE_ADDON, UPDATE_ADDON, DELETE_ADDON],
    },
    {
        label: 'API token',
        permissions: [
            READ_API_TOKEN,
            CREATE_API_TOKEN,
            UPDATE_API_TOKEN,
            DELETE_API_TOKEN,
        ],
    },
    {
        label: 'Application',
        permissions: [UPDATE_APPLICATION],
    },
    {
        label: 'Context field',
        permissions: [
            CREATE_CONTEXT_FIELD,
            UPDATE_CONTEXT_FIELD,
            DELETE_CONTEXT_FIELD,
        ],
    },
    {
        label: 'Project',
        permissions: [CREATE_PROJECT],
    },
    {
        label: 'Role',
        permissions: [READ_ROLE, UPDATE_ROLE],
    },
    {
        label: 'Segment',
        permissions: [CREATE_SEGMENT, UPDATE_SEGMENT, DELETE_SEGMENT],
    },
    {
        label: 'Strategy',
        permissions: [CREATE_STRATEGY, UPDATE_STRATEGY, DELETE_STRATEGY],
    },
    {
        label: 'Tag type',
        permissions: [UPDATE_TAG_TYPE, DELETE_TAG_TYPE],
    },
 ];
--- a/src/lib/types/stores/access-store.ts
+++ b/src/lib/types/stores/access-store.ts
@ -120,7 +120,10 @@ export interface IAccessStore extends Store<IRole, number> {
        projectId: string,
    ): Promise<void>;
-    removeRolesOfTypeForUser(userId: number, roleType: string): Promise<void>;
+    removeRolesOfTypeForUser(
        userId: number,
        roleTypes: string[],
    ): Promise<void>;
    addPermissionsToRole(
        role_id: number,
--- a/src/lib/util/constants.ts
+++ b/src/lib/util/constants.ts
@ -7,7 +7,8 @@ export const ROOT_PERMISSION_TYPE = 'root';
 export const ENVIRONMENT_PERMISSION_TYPE = 'environment';
 export const PROJECT_PERMISSION_TYPE = 'project';
-export const CUSTOM_ROLE_TYPE = 'custom';
+export const CUSTOM_ROOT_ROLE_TYPE = 'root-custom';
 export const CUSTOM_PROJECT_ROLE_TYPE = 'custom';
 /* CONTEXT FIELD OPERATORS */
--- a/src/test/e2e/services/access-service.e2e.test.ts
+++ b/src/test/e2e/services/access-service.e2e.test.ts
@ -219,7 +219,7 @@ beforeAll(async () => {
        experimental: { environments: { enabled: true } },
    });
    groupService = new GroupService(stores, { getLogger });
-    accessService = new AccessService(stores, { getLogger }, groupService);
+    accessService = new AccessService(stores, config, groupService);
    const roles = await accessService.getRootRoles();
    editorRole = roles.find((r) => r.name === RoleName.EDITOR);
    adminRole = roles.find((r) => r.name === RoleName.ADMIN);
--- a/src/test/fixtures/access-service-mock.ts
+++ b/src/test/fixtures/access-service-mock.ts
@ -20,7 +20,7 @@ class AccessServiceMock extends AccessService {
                roleStore: undefined,
                environmentStore: undefined,
            },
-            { getLogger: noLoggerProvider },
+            { getLogger: noLoggerProvider, flagResolver: undefined },
            undefined,
        );
    }
--- a/src/test/fixtures/fake-access-store.ts
+++ b/src/test/fixtures/fake-access-store.ts
@ -181,7 +181,10 @@ class AccessStoreMock implements IAccessStore {
        return Promise.resolve([]);
    }
-    removeRolesOfTypeForUser(userId: number, roleType: string): Promise<void> {
+    removeRolesOfTypeForUser(
        userId: number,
        roleTypes: string[],
    ): Promise<void> {
        return Promise.resolve(undefined);
    }