diff --git a/apps/web/src/api/buster_rest/security/index.ts b/apps/web/src/api/buster_rest/security/index.ts
new file mode 100644
index 000000000..e69de29bb
diff --git a/apps/web/src/api/buster_rest/security/queryRequests.ts b/apps/web/src/api/buster_rest/security/queryRequests.ts
new file mode 100644
index 000000000..8c10cbe29
--- /dev/null
+++ b/apps/web/src/api/buster_rest/security/queryRequests.ts
@@ -0,0 +1,122 @@
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { securityQueryKeys } from '@/api/query_keys/security';
+import {
+  getWorkspaceSettings,
+  getInviteLink,
+  getApprovedDomains,
+  updateWorkspaceSettings,
+  updateInviteLinks,
+  refreshInviteLink,
+  addApprovedDomain,
+  removeApprovedDomain
+} from './requests';
+import type {
+  GetApprovedDomainsResponse,
+  GetWorkspaceSettingsResponse
+} from '@buster/server-shared/security';
+
+export const useGetWorkspaceSettings = () => {
+  return useQuery({
+    ...securityQueryKeys.securityGetWorkspaceSettings,
+    queryFn: getWorkspaceSettings,
+    initialData: {
+      restrict_new_user_invitations: false,
+      default_role: 'viewer',
+      default_datasets: []
+    } satisfies GetWorkspaceSettingsResponse
+  });
+};
+
+export const useGetInviteLink = () => {
+  return useQuery({
+    ...securityQueryKeys.securityInviteLink,
+    queryFn: getInviteLink
+  });
+};
+
+export const useGetApprovedDomains = () => {
+  return useQuery({
+    ...securityQueryKeys.securityApprovedDomains,
+    queryFn: getApprovedDomains,
+    initialData: []
+  });
+};
+
+export const useUpdateWorkspaceSettings = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: updateWorkspaceSettings,
+    onSuccess: (data) => {
+      queryClient.setQueryData(securityQueryKeys.securityGetWorkspaceSettings.queryKey, data);
+    }
+  });
+};
+
+export const useUpdateInviteLinks = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: updateInviteLinks,
+    onMutate: (variables) => {
+      queryClient.setQueryData(securityQueryKeys.securityInviteLink.queryKey, (prev) => {
+        if (!prev) return prev;
+        return {
+          ...prev,
+          ...variables
+        };
+      });
+    },
+    onSuccess: (data) => {
+      queryClient.setQueryData(securityQueryKeys.securityInviteLink.queryKey, data);
+    }
+  });
+};
+
+export const useRefreshInviteLink = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: refreshInviteLink,
+    onSuccess: (data) => {
+      queryClient.setQueryData(securityQueryKeys.securityInviteLink.queryKey, data);
+    }
+  });
+};
+
+export const useAddApprovedDomain = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: addApprovedDomain,
+    onMutate: (variables) => {
+      queryClient.setQueryData(securityQueryKeys.securityApprovedDomains.queryKey, (prev) => {
+        if (!prev) return prev;
+        return [
+          ...prev,
+          ...variables.domains.map((domain) => ({
+            domain,
+            created_at: new Date().toISOString()
+          })) satisfies GetApprovedDomainsResponse
+         ] satisfies GetApprovedDomainsResponse;
+      });
+    },
+    onSuccess: (data) => {
+      queryClient.setQueryData(securityQueryKeys.securityApprovedDomains.queryKey, data);
+    }
+  });
+};
+
+export const useRemoveApprovedDomain = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: removeApprovedDomain,
+    onMutate: (variables) => {
+      queryClient.setQueryData(securityQueryKeys.securityApprovedDomains.queryKey, (prev) => {
+        if (!prev) return prev;
+        return prev.filter(
+          (domain) => !variables.domains.includes(domain.domain)
+        ) satisfies GetApprovedDomainsResponse;
+      });
+    },
+    onSuccess: (data) => {
+      queryClient.setQueryData(securityQueryKeys.securityApprovedDomains.queryKey, data);
+    }
+  });
+};
diff --git a/apps/web/src/api/buster_rest/security/requests.ts b/apps/web/src/api/buster_rest/security/requests.ts
new file mode 100644
index 000000000..fcefb69af
--- /dev/null
+++ b/apps/web/src/api/buster_rest/security/requests.ts
@@ -0,0 +1,64 @@
+import { mainApiV2 } from '../instances';
+import {
+  type UpdateInviteLinkRequest,
+  type AddApprovedDomainRequest,
+  type RemoveApprovedDomainRequest,
+  type UpdateWorkspaceSettingsRequest,
+  type GetApprovedDomainsResponse,
+  type GetInviteLinkResponse,
+  type RefreshInviteLinkResponse,
+  type UpdateInviteLinkResponse,
+  type AddApprovedDomainsResponse,
+  type GetWorkspaceSettingsResponse,
+  type UpdateWorkspaceSettingsResponse
+} from '@buster/server-shared/security';
+
+export const updateInviteLinks = async (request: UpdateInviteLinkRequest) => {
+  return await mainApiV2
+    .post<UpdateInviteLinkResponse>('/security/invite-links', request)
+    .then((res) => res.data);
+};
+
+export const refreshInviteLink = async () => {
+  return await mainApiV2
+    .post<RefreshInviteLinkResponse>('/security/invite-links/refresh')
+    .then((res) => res.data);
+};
+
+export const getInviteLink = async () => {
+  return await mainApiV2
+    .get<GetInviteLinkResponse>('/security/invite-links')
+    .then((res) => res.data);
+};
+
+export const getApprovedDomains = async () => {
+  return await mainApiV2
+    .get<GetApprovedDomainsResponse>('/security/approved-domains')
+    .then((res) => res.data);
+};
+
+export const addApprovedDomain = async (request: AddApprovedDomainRequest) => {
+  return await mainApiV2
+    .post<AddApprovedDomainsResponse>('/security/approved-domains', request)
+    .then((res) => res.data);
+};
+
+export const removeApprovedDomain = async (request: RemoveApprovedDomainRequest) => {
+  return await mainApiV2
+    .delete<GetApprovedDomainsResponse>('/security/approved-domains', {
+      params: request
+    })
+    .then((res) => res.data);
+};
+
+export const getWorkspaceSettings = async () => {
+  return await mainApiV2
+    .get<GetWorkspaceSettingsResponse>('/security/settings')
+    .then((res) => res.data);
+};
+
+export const updateWorkspaceSettings = async (request: UpdateWorkspaceSettingsRequest) => {
+  return await mainApiV2
+    .put<UpdateWorkspaceSettingsResponse>('/security/settings', request)
+    .then((res) => res.data);
+};
diff --git a/apps/web/src/api/query_keys/index.ts b/apps/web/src/api/query_keys/index.ts
index 6ea017d51..ceab64d1d 100644
--- a/apps/web/src/api/query_keys/index.ts
+++ b/apps/web/src/api/query_keys/index.ts
@@ -10,6 +10,7 @@ import { permissionGroupQueryKeys } from './permission_groups';
 import { searchQueryKeys } from './search';
 import { termsQueryKeys } from './terms';
 import { userQueryKeys } from './users';
+import { securityQueryKeys } from './security';
 
 export const queryKeys = {
   ...datasetQueryKeys,
@@ -23,5 +24,6 @@ export const queryKeys = {
   ...datasourceQueryKeys,
   ...datasetGroupQueryKeys,
   ...permissionGroupQueryKeys,
-  ...currencyQueryKeys
+  ...currencyQueryKeys,
+  ...securityQueryKeys
 };
diff --git a/apps/web/src/api/query_keys/security.ts b/apps/web/src/api/query_keys/security.ts
new file mode 100644
index 000000000..c7f701c58
--- /dev/null
+++ b/apps/web/src/api/query_keys/security.ts
@@ -0,0 +1,24 @@
+import type {
+  GetWorkspaceSettingsResponse,
+  GetApprovedDomainsResponse,
+  GetInviteLinkResponse
+} from '@buster/server-shared/security';
+import { queryOptions } from '@tanstack/react-query';
+
+export const securityGetWorkspaceSettings = queryOptions<GetWorkspaceSettingsResponse>({
+  queryKey: ['security', 'workspace-settings']
+});
+
+export const securityApprovedDomains = queryOptions<GetApprovedDomainsResponse>({
+  queryKey: ['security', 'approved-domains']
+});
+
+export const securityInviteLink = queryOptions<GetInviteLinkResponse>({
+  queryKey: ['security', 'invite-link']
+});
+
+export const securityQueryKeys = {
+  securityGetWorkspaceSettings,
+  securityApprovedDomains,
+  securityInviteLink
+};
diff --git a/apps/web/src/app/app/(settings_layout)/settings/(permissions)/users/ListUsersComponent.tsx b/apps/web/src/app/app/(settings_layout)/settings/(permissions)/users/ListUsersComponent.tsx
index bf1b372e0..3b0ad6bbf 100644
--- a/apps/web/src/app/app/(settings_layout)/settings/(permissions)/users/ListUsersComponent.tsx
+++ b/apps/web/src/app/app/(settings_layout)/settings/(permissions)/users/ListUsersComponent.tsx
@@ -12,7 +12,7 @@ import {
 import { BusterInfiniteList } from '@/components/ui/list/BusterInfiniteList';
 import { Text } from '@/components/ui/typography';
 import { BusterRoutes, createBusterRoute } from '@/routes';
-import { OrganizationUserRoleText } from './config';
+import { OrganizationUserRoleText } from '@/lib/organization/translations';
 
 export const ListUsersComponent: React.FC<{
   users: OrganizationUser[];
diff --git a/apps/web/src/app/app/(settings_layout)/settings/(permissions)/users/config.ts b/apps/web/src/app/app/(settings_layout)/settings/(permissions)/users/config.ts
index 021e6f0a4..98a64fe6c 100644
--- a/apps/web/src/app/app/(settings_layout)/settings/(permissions)/users/config.ts
+++ b/apps/web/src/app/app/(settings_layout)/settings/(permissions)/users/config.ts
@@ -4,12 +4,3 @@ export const OrganizationUserStatusText: Record<OrganizationUser['status'], stri
   active: 'Active',
   inactive: 'Inactive'
 };
-
-export const OrganizationUserRoleText: Record<OrganizationUser['role'], string> = {
-  data_admin: 'Data Admin',
-  workspace_admin: 'Workspace Admin',
-  querier: 'Querier',
-  restricted_querier: 'Restricted Querier',
-  viewer: 'Viewer',
-  none: 'None'
-};
diff --git a/apps/web/src/app/app/(settings_layout)/settings/(restricted-width)/(admin-only)/security/page.tsx b/apps/web/src/app/app/(settings_layout)/settings/(restricted-width)/(admin-only)/security/page.tsx
new file mode 100644
index 000000000..c88316992
--- /dev/null
+++ b/apps/web/src/app/app/(settings_layout)/settings/(restricted-width)/(admin-only)/security/page.tsx
@@ -0,0 +1,23 @@
+import { InviteLinks } from '@/components/features/security/InviteLinks';
+import { SettingsPageHeader } from '../../../_components/SettingsPageHeader';
+import { ApprovedEmailDomains } from '@/components/features/security/ApprovedEmailDomains';
+import { WorkspaceRestrictions } from '@/components/features/security/WorkspaceRestrictions';
+
+export default function Page() {
+  return (
+    <div className="flex flex-col space-y-4">
+      <div>
+        <SettingsPageHeader
+          title="Security"
+          description="Manage security and general permission settings"
+        />
+
+        <div className="flex flex-col space-y-6">
+          <InviteLinks />
+          <ApprovedEmailDomains />
+          <WorkspaceRestrictions />
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/apps/web/src/components/features/security/ApprovedEmailDomains.tsx b/apps/web/src/components/features/security/ApprovedEmailDomains.tsx
new file mode 100644
index 000000000..ee46b0ed3
--- /dev/null
+++ b/apps/web/src/components/features/security/ApprovedEmailDomains.tsx
@@ -0,0 +1,179 @@
+'use client';
+
+import React, { useMemo, useState } from 'react';
+import { SecurityCards } from './SecurityCards';
+import { Input } from '@/components/ui/inputs';
+import { Button } from '@/components/ui/buttons';
+import { Text } from '@/components/ui/typography';
+import { Plus, Dots, Trash } from '@/components/ui/icons';
+import { useBusterNotifications } from '@/context/BusterNotifications';
+import { Dropdown } from '@/components/ui/dropdown';
+import {
+  useGetApprovedDomains,
+  useAddApprovedDomain,
+  useRemoveApprovedDomain
+} from '@/api/buster_rest/security/queryRequests';
+import pluralize from 'pluralize';
+import { useMemoizedFn } from '@/hooks';
+import { formatDate } from '@/lib/date';
+
+interface ApprovedDomain {
+  domain: string;
+  created_at: string;
+}
+
+export const ApprovedEmailDomains = React.memo(() => {
+  const { data: approvedDomains = [] } = useGetApprovedDomains();
+  const { mutateAsync: removeDomain } = useRemoveApprovedDomain();
+  const domainCount = approvedDomains.length;
+
+  const [isEnabledAddDomain, setIsEnabledAddDomain] = useState(false);
+
+  const { openInfoMessage, openErrorMessage } = useBusterNotifications();
+
+  const countText = pluralize('approved email domain', domainCount, true);
+
+  const handleRemoveDomain = useMemoizedFn(async (domain: string) => {
+    try {
+      await removeDomain({ domains: [domain] });
+      openInfoMessage('Domain removed successfully');
+    } catch (error) {
+      openErrorMessage('Failed to remove domain');
+    }
+  });
+
+  const sections = useMemo(
+    () =>
+      [
+        // Header section with count and add button
+        <div key="header" className="flex items-center justify-between">
+          <Text>{countText}</Text>
+          <Button onClick={() => setIsEnabledAddDomain(true)} suffix={<Plus />}>
+            Add domain
+          </Button>
+        </div>,
+
+        // Add domain input section (when adding)
+        isEnabledAddDomain && (
+          <AddDomainInput key="add-domain" setIsEnabledAddDomain={setIsEnabledAddDomain} />
+        ),
+
+        // Domain list sections
+        ...approvedDomains.map((domainData) => (
+          <DomainListItem
+            key={domainData.domain}
+            domainData={domainData}
+            onRemove={handleRemoveDomain}
+          />
+        ))
+      ].filter(Boolean),
+    [countText, isEnabledAddDomain, approvedDomains, handleRemoveDomain]
+  );
+
+  return (
+    <SecurityCards
+      title="Approved email domains"
+      description="Anyone with an email address at these domains is allowed to sign up for this workspace"
+      cards={[{ sections }]}
+    />
+  );
+});
+
+ApprovedEmailDomains.displayName = 'ApprovedEmailDomains';
+
+const AddDomainInput = React.memo(
+  ({ setIsEnabledAddDomain }: { setIsEnabledAddDomain: (isEnabledAddDomain: boolean) => void }) => {
+    const { mutateAsync: addDomain } = useAddApprovedDomain();
+    const { openInfoMessage, openErrorMessage } = useBusterNotifications();
+
+    const [newDomain, setNewDomain] = useState('');
+
+    const handleAddDomain = useMemoizedFn(async () => {
+      const domain = newDomain.trim();
+      if (!domain) return;
+      
+      const domainRegex = /^[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]\.[a-zA-Z]{2,}$/;
+      if (!domainRegex.test(domain)) {
+        openErrorMessage('Please enter a valid domain name');
+        return;
+      }
+      try {
+        await addDomain({ domains: [newDomain.trim()] });
+        setNewDomain('');
+        setIsEnabledAddDomain(false);
+        openInfoMessage('Domain added successfully');
+      } catch (error) {
+        openErrorMessage('Failed to add domain');
+      }
+    });
+
+    return (
+      <div key="add-domain" className="flex items-center space-x-2">
+        <Input
+          className="flex-1"
+          value={newDomain}
+          onChange={(e) => setNewDomain(e.target.value)}
+          placeholder="Enter domain (e.g., company.com)"
+          onKeyDown={(e) => {
+            if (e.key === 'Enter') {
+              handleAddDomain();
+            } else if (e.key === 'Escape') {
+              setIsEnabledAddDomain(false);
+              setNewDomain('');
+            }
+          }}
+          autoFocus
+        />
+        <Button variant="outlined" size="tall" onClick={handleAddDomain}>
+          Add
+        </Button>
+        <Button
+          size="tall"
+          variant={'ghost'}
+          onClick={() => {
+            setIsEnabledAddDomain(false);
+            setNewDomain('');
+          }}>
+          Cancel
+        </Button>
+      </div>
+    );
+  }
+);
+
+AddDomainInput.displayName = 'AddDomainInput';
+
+const DomainListItem = React.memo<{
+  domainData: ApprovedDomain;
+  onRemove: (domain: string) => Promise<void>;
+}>(({ domainData, onRemove }) => {
+  const items = useMemo(
+    () => [
+      {
+        label: 'Remove domain',
+        value: 'remove',
+        icon: <Trash />,
+        onClick: () => onRemove(domainData.domain)
+      }
+    ],
+    [domainData.domain, onRemove]
+  );
+
+  return (
+    <div className="flex items-center justify-between">
+      <div className="mr-2 flex min-w-0 flex-1 flex-col space-y-0.5">
+        <Text className="font-medium" truncate>
+          {domainData.domain}
+        </Text>
+        <Text variant="secondary" size="sm">
+          Added {formatDate({ date: domainData.created_at, format: 'LL' })}
+        </Text>
+      </div>
+      <Dropdown side="left" align="center" items={items}>
+        <Button variant="ghost" prefix={<Dots />} />
+      </Dropdown>
+    </div>
+  );
+});
+
+DomainListItem.displayName = 'DomainListItem';
diff --git a/apps/web/src/components/features/security/InviteLinks.stories.tsx b/apps/web/src/components/features/security/InviteLinks.stories.tsx
new file mode 100644
index 000000000..247f75e66
--- /dev/null
+++ b/apps/web/src/components/features/security/InviteLinks.stories.tsx
@@ -0,0 +1,32 @@
+import type { Meta, StoryObj } from '@storybook/react';
+import { InviteLinks } from './InviteLinks';
+
+const meta: Meta<typeof InviteLinks> = {
+  title: 'Features/InviteLinks',
+  component: InviteLinks,
+  parameters: {
+    layout: 'padded',
+    docs: {
+      description: {
+        component:
+          'A security feature component that allows administrators to manage invite links for workspace access. Users can enable/disable invite links, generate new links, and copy them to clipboard.'
+      }
+    }
+  },
+  tags: ['autodocs']
+};
+
+export default meta;
+type Story = StoryObj<typeof InviteLinks>;
+
+export const Default: Story = {
+  name: 'Default',
+  parameters: {
+    docs: {
+      description: {
+        story:
+          'The default state of the InviteLinks component showing the toggle switch, link input field, and action buttons.'
+      }
+    }
+  }
+};
diff --git a/apps/web/src/components/features/security/InviteLinks.tsx b/apps/web/src/components/features/security/InviteLinks.tsx
new file mode 100644
index 000000000..7b3db6d42
--- /dev/null
+++ b/apps/web/src/components/features/security/InviteLinks.tsx
@@ -0,0 +1,79 @@
+'use client';
+
+import React from 'react';
+import { SecurityCards } from './SecurityCards';
+import { Switch } from '@/components/ui/switch';
+import { Input } from '@/components/ui/inputs';
+import { Button } from '@/components/ui/buttons';
+import { Text } from '@/components/ui/typography';
+import { Copy2, Refresh } from '@/components/ui/icons';
+import { useBusterNotifications } from '@/context/BusterNotifications';
+import { AppTooltip } from '@/components/ui/tooltip';
+import { useGetInviteLink, useUpdateInviteLinks } from '@/api/buster_rest/security/queryRequests';
+
+export const InviteLinks = React.memo(() => {
+  const { data: inviteLink } = useGetInviteLink();
+  const { mutateAsync: updateInviteLink } = useUpdateInviteLinks();
+  const enabled = inviteLink?.enabled ?? false;
+  const link = inviteLink?.link ?? '';
+
+  const { openInfoMessage } = useBusterNotifications();
+
+  const onClickCopy = () => {
+    navigator.clipboard.writeText(link);
+    openInfoMessage('Invite link copied to clipboard');
+  };
+
+  const onClickRefresh = async () => {
+    await updateInviteLink({ refresh_link: true });
+    openInfoMessage('Invite link refreshed');
+  };
+
+  const onToggleEnabled = (enabled: boolean) => {
+    updateInviteLink({ enabled });
+  };
+
+  return (
+    <SecurityCards
+      title="Invite links"
+      description="A uniquely generated invite link allows anyone with the link to join your workspace"
+      cards={[
+        {
+          sections: [
+            <div key="title" className="flex items-center justify-between">
+              <Text>Enable invite links</Text>
+              <Switch checked={enabled} onCheckedChange={onToggleEnabled} />
+            </div>,
+            enabled && (
+              <div key="link" className="flex items-center justify-between space-x-2">
+                <div className="relative w-full">
+                  <Input
+                    className="w-full bg-transparent!"
+                    disabled
+                    value={link}
+                    placeholder="Invite link"
+                  />
+                  <div className="absolute top-1/2 right-1 -translate-y-1/2">
+                    <AppTooltip title="Refresh the invite link" side="top" sideOffset={8}>
+                      <Button
+                        variant="ghost"
+                        size={'small'}
+                        onClick={onClickRefresh}
+                        suffix={<Refresh />}
+                      />
+                    </AppTooltip>
+                  </div>
+                </div>
+                <Button variant="outlined" size={'tall'} onClick={onClickCopy} suffix={<Copy2 />}>
+                  Copy
+                </Button>
+              </div>
+            )
+          ].filter(Boolean)
+        }
+      ]}
+    />
+  );
+});
+
+InviteLinks.displayName = 'InviteLinks';
diff --git a/apps/web/src/components/features/security/SecurityCards.stories.tsx b/apps/web/src/components/features/security/SecurityCards.stories.tsx
new file mode 100644
index 000000000..998d3ba86
--- /dev/null
+++ b/apps/web/src/components/features/security/SecurityCards.stories.tsx
@@ -0,0 +1,268 @@
+import type { Meta, StoryObj } from '@storybook/react';
+import { SecurityCards } from './SecurityCards';
+import { Button } from '@/components/ui/buttons';
+import { Pill } from '@/components/ui/pills/Pill';
+import { Text } from '@/components/ui/typography';
+
+const meta: Meta<typeof SecurityCards> = {
+  title: 'Features/SecurityCards',
+  component: SecurityCards,
+  parameters: {
+    layout: 'padded',
+    docs: {
+      description: {
+        component:
+          'A security cards component that displays security-related information in structured card sections.'
+      }
+    }
+  },
+  tags: ['autodocs']
+};
+
+export default meta;
+type Story = StoryObj<typeof SecurityCards>;
+
+// Mock data for different use cases
+const basicSections = [
+  <div className="flex items-center justify-between">
+    <div>
+      <Text className="font-medium">Two-Factor Authentication</Text>
+      <Text variant="secondary" size="sm">
+        Add an extra layer of security to your account
+      </Text>
+    </div>
+    <Button size="small" variant="outlined">
+      Enable
+    </Button>
+  </div>,
+  <div className="flex items-center justify-between">
+    <div>
+      <Text className="font-medium">API Keys</Text>
+      <Text variant="secondary" size="sm">
+        Manage your API access tokens
+      </Text>
+    </div>
+    <Button size="small" variant="outlined">
+      Manage
+    </Button>
+  </div>,
+  <div className="flex items-center justify-between">
+    <div>
+      <Text className="font-medium">Invite Links</Text>
+      <Text variant="secondary" size="sm">
+        Share your account with others
+      </Text>
+    </div>
+    <Button size="small" variant="outlined">
+      Manage
+    </Button>
+  </div>
+];
+
+const detailedSections = [
+  <div className="flex items-center justify-between">
+    <div>
+      <div className="mb-1 flex items-center gap-2">
+        <Text className="font-medium">Password Policy</Text>
+        <Pill variant="success">Active</Pill>
+      </div>
+      <Text variant="secondary" size="sm">
+        Minimum 8 characters with uppercase, lowercase, numbers, and symbols
+      </Text>
+    </div>
+    <Button size="small">Update</Button>
+  </div>,
+  <div className="flex items-center justify-between">
+    <div>
+      <div className="mb-1 flex items-center gap-2">
+        <Text className="font-medium">Session Timeout</Text>
+        <Pill variant="gray">30 minutes</Pill>
+      </div>
+      <Text variant="secondary" size="sm">
+        Automatic logout after period of inactivity
+      </Text>
+    </div>
+    <Button size="small" variant="outlined">
+      Configure
+    </Button>
+  </div>,
+  <div className="flex items-center justify-between">
+    <div>
+      <Text className="font-medium">IP Restrictions</Text>
+      <Text variant="secondary" size="sm">
+        Limit access to specific IP addresses
+      </Text>
+    </div>
+    <Button size="small" variant="ghost">
+      Setup
+    </Button>
+  </div>
+];
+
+const accessLogSections = [
+  <div>
+    <div className="mb-2 flex items-center justify-between">
+      <Text className="font-medium">Recent Login Activity</Text>
+      <Text variant="secondary" size="sm">
+        Last 7 days
+      </Text>
+    </div>
+    <div className="space-y-2">
+      <div className="flex items-center justify-between py-1">
+        <div>
+          <Text size="sm">Chrome on macOS</Text>
+          <Text variant="secondary" size="xs">
+            192.168.1.100 • 2 hours ago
+          </Text>
+        </div>
+        <Pill variant="success">Current</Pill>
+      </div>
+      <div className="flex items-center justify-between py-1">
+        <div>
+          <Text size="sm">Safari on iPhone</Text>
+          <Text variant="secondary" size="xs">
+            10.0.1.50 • 1 day ago
+          </Text>
+        </div>
+        <Button size="small" variant="ghost">
+          Revoke
+        </Button>
+      </div>
+    </div>
+  </div>
+];
+
+export const Default: Story = {
+  args: {
+    title: 'Account Security',
+    description: 'Manage your security settings and authentication methods',
+    cards: [
+      {
+        sections: basicSections
+      }
+    ]
+  }
+};
+
+export const MultipleCards: Story = {
+  args: {
+    title: 'Security Overview',
+    description: 'Complete security configuration for your organization',
+    cards: [
+      {
+        sections: detailedSections
+      },
+      {
+        sections: accessLogSections
+      }
+    ]
+  }
+};
+
+export const SingleSection: Story = {
+  args: {
+    title: 'Quick Setup',
+    description: 'Essential security setting that needs immediate attention',
+    cards: [
+      {
+        sections: [
+          <div className="flex items-center justify-between">
+            <div>
+              <Text className="font-medium">Enable Two-Factor Authentication</Text>
+              <Text variant="secondary" size="sm">
+                Protect your account with an additional verification step
+              </Text>
+            </div>
+            <Button>Get Started</Button>
+          </div>
+        ]
+      }
+    ]
+  }
+};
+
+export const EmptyState: Story = {
+  args: {
+    title: 'Security Settings',
+    description: 'No security configurations available',
+    cards: []
+  }
+};
+
+export const ComplexContent: Story = {
+  args: {
+    title: 'Advanced Security Configuration',
+    description: 'Comprehensive security settings with detailed controls',
+    cards: [
+      {
+        sections: [
+          <div>
+            <div className="mb-3 flex items-center justify-between">
+              <div>
+                <Text className="font-medium">Organization Policies</Text>
+                <Text variant="secondary" size="sm">
+                  Configure security policies for all team members
+                </Text>
+              </div>
+              <Button size="small">Manage</Button>
+            </div>
+            <div className="grid grid-cols-2 gap-4">
+              <div className="space-y-2">
+                <Text size="sm" className="font-medium">
+                  Password Requirements
+                </Text>
+                <ul className="space-y-1">
+                  <li className="flex items-center gap-2">
+                    <div className="h-1.5 w-1.5 rounded-full bg-green-500" />
+                    <Text size="xs" variant="secondary">
+                      Minimum 12 characters
+                    </Text>
+                  </li>
+                  <li className="flex items-center gap-2">
+                    <div className="h-1.5 w-1.5 rounded-full bg-green-500" />
+                    <Text size="xs" variant="secondary">
+                      Special characters required
+                    </Text>
+                  </li>
+                </ul>
+              </div>
+              <div className="space-y-2">
+                <Text size="sm" className="font-medium">
+                  Access Controls
+                </Text>
+                <ul className="space-y-1">
+                  <li className="flex items-center gap-2">
+                    <div className="h-1.5 w-1.5 rounded-full bg-blue-500" />
+                    <Text size="xs" variant="secondary">
+                      Role-based permissions
+                    </Text>
+                  </li>
+                  <li className="flex items-center gap-2">
+                    <div className="h-1.5 w-1.5 rounded-full bg-blue-500" />
+                    <Text size="xs" variant="secondary">
+                      IP whitelisting enabled
+                    </Text>
+                  </li>
+                </ul>
+              </div>
+            </div>
+          </div>,
+          <div className="flex items-center justify-between">
+            <div>
+              <Text className="font-medium">Audit Logging</Text>
+              <Text variant="secondary" size="sm">
+                Track all security-related events and user actions
+              </Text>
+            </div>
+            <div className="flex items-center gap-2">
+              <Pill variant="success">Enabled</Pill>
+              <Button size="small" variant="outlined">
+                View Logs
+              </Button>
+            </div>
+          </div>
+        ]
+      }
+    ]
+  }
+};
diff --git a/apps/web/src/components/features/security/SecurityCards.tsx b/apps/web/src/components/features/security/SecurityCards.tsx
new file mode 100644
index 000000000..49676a7b5
--- /dev/null
+++ b/apps/web/src/components/features/security/SecurityCards.tsx
@@ -0,0 +1,39 @@
+import React from 'react';
+import { Title, Paragraph } from '@/components/ui/typography';
+import { cn } from '@/lib/classMerge';
+
+interface SecurityCardsProps {
+  title: string;
+  description: string;
+  cards: {
+    sections: React.ReactNode[];
+  }[];
+}
+
+export const SecurityCards: React.FC<SecurityCardsProps> = ({ title, description, cards }) => {
+  return (
+    <div className="flex flex-col space-y-3.5">
+      <div className="flex flex-col space-y-1.5">
+        <Title as="h3" className="text-lg">
+          {title}
+        </Title>
+        <Paragraph variant="secondary">{description}</Paragraph>
+      </div>
+      {cards.map((card, index) => (
+        <SecurityCard key={index} sections={card.sections} />
+      ))}
+    </div>
+  );
+};
+
+const SecurityCard = ({ sections }: { sections: React.ReactNode[] }) => {
+  return (
+    <div className="flex flex-col rounded border">
+      {sections.map((section, index) => (
+        <div key={index} className={cn(index !== sections.length - 1 && 'border-b', 'px-4 py-2.5')}>
+          {section}
+        </div>
+      ))}
+    </div>
+  );
+};
diff --git a/apps/web/src/components/features/security/WorkspaceRestrictions.tsx b/apps/web/src/components/features/security/WorkspaceRestrictions.tsx
new file mode 100644
index 000000000..65401da93
--- /dev/null
+++ b/apps/web/src/components/features/security/WorkspaceRestrictions.tsx
@@ -0,0 +1,159 @@
+'use client';
+
+import React, { useMemo, type ReactNode } from 'react';
+import { SecurityCards } from './SecurityCards';
+import { Text } from '@/components/ui/typography';
+import { Button } from '@/components/ui/buttons';
+import { Switch } from '@/components/ui/switch';
+import {
+  useGetWorkspaceSettings,
+  useUpdateWorkspaceSettings
+} from '@/api/buster_rest/security/queryRequests';
+import type {
+  GetWorkspaceSettingsResponse,
+  UpdateWorkspaceSettingsRequest
+} from '@buster/server-shared/security';
+import { Select, type SelectItem } from '@/components/ui/select';
+import { type OrganizationRole, OrganizationRoleEnum } from '@buster/server-shared/organization';
+import { OrganizationUserRoleText } from '@/lib/organization/translations';
+import { useGetDatasets } from '@/api/buster_rest/datasets';
+import { SelectMultiple } from '@/components/ui/select/SelectMultiple';
+
+export const WorkspaceRestrictions = React.memo(() => {
+  const { data: workspaceSettings } = useGetWorkspaceSettings();
+  const { mutateAsync: updateWorkspaceSettings } = useUpdateWorkspaceSettings();
+
+  const sections: ReactNode[] = useMemo(
+    () => [
+      <EnableRestrictions
+        key="enable-restrictions"
+        restrict_new_user_invitations={workspaceSettings?.restrict_new_user_invitations}
+        updateWorkspaceSettings={updateWorkspaceSettings}
+      />,
+      <DefaultRole
+        key="default-role"
+        default_role={workspaceSettings?.default_role}
+        updateWorkspaceSettings={updateWorkspaceSettings}
+      />,
+      <DefaultDatasets
+        key="default-datasets"
+        default_datasets={workspaceSettings?.default_datasets}
+        updateWorkspaceSettings={updateWorkspaceSettings}
+      />
+    ],
+    [workspaceSettings]
+  );
+
+  return (
+    <SecurityCards
+      title="Workspace restrictions"
+      description="Restrict the workspace to only allow users with an email address at these domains"
+      cards={[{ sections }]}
+    />
+  );
+});
+
+WorkspaceRestrictions.displayName = 'WorkspaceRestrictions';
+
+const EnableRestrictions = ({
+  restrict_new_user_invitations = false,
+  updateWorkspaceSettings
+}: Pick<GetWorkspaceSettingsResponse, 'restrict_new_user_invitations'> & {
+  updateWorkspaceSettings: (request: UpdateWorkspaceSettingsRequest) => Promise<unknown>;
+}) => {
+  return (
+    <div className="flex items-center justify-between">
+      <div className="flex flex-col space-y-0.5">
+        <Text>Restrict new user invitations</Text>
+        <Text variant="secondary" size={'sm'}>
+          {`Only allow admins to invite new members to workspace`}
+        </Text>
+      </div>
+      <Switch
+        checked={restrict_new_user_invitations}
+        onCheckedChange={(v) => {
+          updateWorkspaceSettings({ restrict_new_user_invitations: v });
+        }}
+      />
+    </div>
+  );
+};
+
+const DefaultRole = ({
+  default_role = 'viewer',
+  updateWorkspaceSettings
+}: Pick<GetWorkspaceSettingsResponse, 'default_role'> & {
+  updateWorkspaceSettings: (request: UpdateWorkspaceSettingsRequest) => Promise<unknown>;
+}) => {
+  const items: SelectItem<OrganizationRole>[] = useMemo(() => {
+    return Object.values(OrganizationRoleEnum).map((role) => ({
+      label: OrganizationUserRoleText[role as OrganizationRole],
+      value: role as OrganizationRole
+    }));
+  }, []);
+
+  return (
+    <div className="flex items-center justify-between">
+      <div className="flex min-w-0 flex-1 flex-col space-y-0.5">
+        <Text>Default Role</Text>
+        <Text variant="secondary" size={'sm'}>
+          {`Select which default role is assigned to new users`}
+        </Text>
+      </div>
+      <Select
+        items={items}
+        className="w-36 max-w-72"
+        value={default_role}
+        onChange={(v) => {
+          updateWorkspaceSettings({ default_role: v });
+        }}
+      />
+    </div>
+  );
+};
+
+const DefaultDatasets = ({
+  default_datasets = [],
+  updateWorkspaceSettings
+}: Pick<GetWorkspaceSettingsResponse, 'default_datasets'> & {
+  updateWorkspaceSettings: (request: UpdateWorkspaceSettingsRequest) => Promise<unknown>;
+}) => {
+  const { data: datasets, isFetched: isDatasetsFetched } = useGetDatasets();
+
+  const items: SelectItem<string>[] = useMemo(() => {
+    const baseItems =
+      datasets?.map((dataset) => ({
+        label: dataset.name,
+        value: dataset.id
+      })) || [];
+
+    return [{ label: 'All datasets', value: 'all' }, ...baseItems];
+  }, [datasets]);
+
+  const selectedItems = useMemo(() => {
+    return default_datasets.map((dataset) => dataset.id);
+  }, [default_datasets]);
+
+  return (
+    <div className="flex items-center justify-between">
+      <div className="flex flex-col space-y-0.5">
+        <Text>Default Datasets</Text>
+        <Text variant="secondary" size={'sm'}>
+          {`Select which datasets people can access by default`}
+        </Text>
+      </div>
+      <SelectMultiple
+        items={items}
+        value={selectedItems}
+        loading={!isDatasetsFetched}
+        placeholder="Select datasets"
+        className="w-40 max-w-72"
+        align="end"
+        side="left"
+        onChange={(v) => {
+          updateWorkspaceSettings({ default_datasets_ids: v });
+        }}
+      />
+    </div>
+  );
+};
diff --git a/apps/web/src/components/features/sidebars/SidebarSettings.tsx b/apps/web/src/components/features/sidebars/SidebarSettings.tsx
index a4a650d6d..4e6392b28 100644
--- a/apps/web/src/components/features/sidebars/SidebarSettings.tsx
+++ b/apps/web/src/components/features/sidebars/SidebarSettings.tsx
@@ -52,6 +52,11 @@ const permissionAndSecurityItems = (currentParentRoute: BusterRoutes): ISidebarG
   id: 'permission-and-security',
   icon: <LockCircle />,
   items: [
+    {
+      label: 'Security',
+      route: createBusterRoute({ route: BusterRoutes.SETTINGS_SECURITY }),
+      id: createBusterRoute({ route: BusterRoutes.SETTINGS_SECURITY })
+    },
     {
       label: 'Users',
       route: createBusterRoute({ route: BusterRoutes.SETTINGS_USERS }),
@@ -89,8 +94,18 @@ export const SidebarSettings: React.FC = React.memo(() => {
   return (
     <Sidebar
       content={content}
-      header={useMemo(() => <SidebarSettingsHeader />, [])}
-      footer={useMemo(() => <SidebarUserFooter />, [])}
+      header={useMemo(
+        () => (
+          <SidebarSettingsHeader />
+        ),
+        []
+      )}
+      footer={useMemo(
+        () => (
+          <SidebarUserFooter />
+        ),
+        []
+      )}
     />
   );
 });
diff --git a/apps/web/src/components/ui/select/SelectMultiple.stories.tsx b/apps/web/src/components/ui/select/SelectMultiple.stories.tsx
index 98510a3c3..71c1f3a2b 100644
--- a/apps/web/src/components/ui/select/SelectMultiple.stories.tsx
+++ b/apps/web/src/components/ui/select/SelectMultiple.stories.tsx
@@ -43,6 +43,7 @@ const SelectMultipleWithHooks = () => {
         onChange={handleSelect}
         placeholder="Select multiple options..."
         value={value}
+        loading={true}
       />
     </div>
   );
diff --git a/apps/web/src/components/ui/select/SelectMultiple.tsx b/apps/web/src/components/ui/select/SelectMultiple.tsx
index ca84a53f2..0520f4a19 100644
--- a/apps/web/src/components/ui/select/SelectMultiple.tsx
+++ b/apps/web/src/components/ui/select/SelectMultiple.tsx
@@ -4,10 +4,11 @@ import type { VariantProps } from 'class-variance-authority';
 import React, { useMemo } from 'react';
 import { useMemoizedFn } from '@/hooks';
 import { cn } from '@/lib/classMerge';
-import { Dropdown, type DropdownItem } from '../dropdown/Dropdown';
+import { Dropdown, type DropdownItem, type DropdownProps } from '../dropdown/Dropdown';
 import { InputTag } from '../inputs/InputTag';
 import type { SelectItem } from './Select';
 import { selectVariants } from './SelectBase';
+import { CircleSpinnerLoader } from '../loaders';
 
 interface SelectMultipleProps extends VariantProps<typeof selectVariants> {
   items: SelectItem[];
@@ -17,6 +18,9 @@ interface SelectMultipleProps extends VariantProps<typeof selectVariants> {
   value: string[];
   disabled?: boolean;
   useSearch?: boolean;
+  loading?: boolean;
+  align?: DropdownProps['align'];
+  side?: DropdownProps['side'];
 }
 
 export const SelectMultiple: React.FC<SelectMultipleProps> = React.memo(
@@ -29,6 +33,9 @@ export const SelectMultiple: React.FC<SelectMultipleProps> = React.memo(
     variant = 'default',
     value,
     disabled,
+    align = 'start',
+    side = 'bottom',
+    loading = false,
     useSearch = true
   }) => {
     const selectedRecord = useMemo(() => {
@@ -76,7 +83,8 @@ export const SelectMultiple: React.FC<SelectMultipleProps> = React.memo(
         onSelect={handleSelect}
         menuHeader={useSearch ? 'Search...' : undefined}
         selectType="multiple"
-        align="start"
+        align={align}
+        side={side}
         modal={false}
         className="w-[var(--radix-dropdown-menu-trigger-width)] max-w-full!">
         <div
@@ -104,6 +112,13 @@ export const SelectMultiple: React.FC<SelectMultipleProps> = React.memo(
           {selectedItems.length > 0 && (
             <div className="from-background via-background/80 pointer-events-none absolute top-0 right-0 z-10 h-full w-8 bg-gradient-to-l to-transparent" />
           )}
+          {loading && (
+            <div
+              className="absolute top-0 right-0 flex h-full w-8 items-center justify-center"
+              data-loading="true">
+              <CircleSpinnerLoader size={16} />
+            </div>
+          )}
         </div>
       </Dropdown>
     );
diff --git a/apps/web/src/layouts/ChatLayout/FileContainer/FileContainerHeader/interfaces.ts b/apps/web/src/layouts/ChatLayout/FileContainer/FileContainerHeader/interfaces.ts
index d0edcd8d2..f6cb979b4 100644
--- a/apps/web/src/layouts/ChatLayout/FileContainer/FileContainerHeader/interfaces.ts
+++ b/apps/web/src/layouts/ChatLayout/FileContainer/FileContainerHeader/interfaces.ts
@@ -5,7 +5,7 @@ export type FileContainerSegmentProps = {
   selectedFileId: string | undefined;
   chatId: string | undefined;
   overrideOldVersionMessage?: boolean;
-  isVersionHistoryMode: boolean;
+  isVersionHistoryMode?: boolean;
 };
 
 export type FileContainerButtonsProps = {
diff --git a/apps/web/src/lib/organization/index.ts b/apps/web/src/lib/organization/index.ts
new file mode 100644
index 000000000..b01054046
--- /dev/null
+++ b/apps/web/src/lib/organization/index.ts
@@ -0,0 +1 @@
+export * from './translations';
diff --git a/apps/web/src/lib/organization/translations.ts b/apps/web/src/lib/organization/translations.ts
new file mode 100644
index 000000000..20196e1a4
--- /dev/null
+++ b/apps/web/src/lib/organization/translations.ts
@@ -0,0 +1,10 @@
+import type { OrganizationRole } from '@buster/server-shared/organization';
+
+export const OrganizationUserRoleText: Record<OrganizationRole, string> = {
+  data_admin: 'Data Admin',
+  workspace_admin: 'Workspace Admin',
+  querier: 'Querier',
+  restricted_querier: 'Restricted Querier',
+  viewer: 'Viewer',
+  none: 'None'
+};
diff --git a/packages/server-shared/package.json b/packages/server-shared/package.json
index 60adf11c6..f6afa5714 100644
--- a/packages/server-shared/package.json
+++ b/packages/server-shared/package.json
@@ -56,6 +56,10 @@
     "./teams": {
       "types": "./dist/teams/index.d.ts",
       "default": "./dist/teams/index.js"
+    },
+    "./security": {
+      "types": "./dist/security/index.d.ts",
+      "default": "./dist/security/index.js"
     }
   },
   "dependencies": {
diff --git a/packages/server-shared/src/organization/roles.types.ts b/packages/server-shared/src/organization/roles.types.ts
index 4317f7dba..c16a47b01 100644
--- a/packages/server-shared/src/organization/roles.types.ts
+++ b/packages/server-shared/src/organization/roles.types.ts
@@ -1,6 +1,19 @@
-import { userOrganizationRoleEnum } from '@buster/database';
+import type { userOrganizationRoleEnum } from '@buster/database'; //we import as type to avoid postgres dependency in the frontend ☹️
 import { z } from 'zod/v4';
 
-export const OrganizationRoleSchema = z.enum([...userOrganizationRoleEnum.enumValues, 'none']);
+type OrganizationRoleBase = (typeof userOrganizationRoleEnum.enumValues)[number] | 'none';
+
+//We need this to avoid postgres dependency in the frontend ☹️
+export const OrganizationRoleEnum: Record<OrganizationRoleBase, OrganizationRoleBase> =
+  Object.freeze({
+    none: 'none',
+    viewer: 'viewer',
+    workspace_admin: 'workspace_admin',
+    data_admin: 'data_admin',
+    querier: 'querier',
+    restricted_querier: 'restricted_querier',
+  });
+
+export const OrganizationRoleSchema = z.enum(Object.values(OrganizationRoleEnum));
 
 export type OrganizationRole = z.infer<typeof OrganizationRoleSchema>;
diff --git a/packages/server-shared/src/security/index.ts b/packages/server-shared/src/security/index.ts
new file mode 100644
index 000000000..0b4b018e3
--- /dev/null
+++ b/packages/server-shared/src/security/index.ts
@@ -0,0 +1,2 @@
+export * from './requests';
+export * from './responses';
diff --git a/packages/server-shared/src/security/requests.ts b/packages/server-shared/src/security/requests.ts
new file mode 100644
index 000000000..1efe27cff
--- /dev/null
+++ b/packages/server-shared/src/security/requests.ts
@@ -0,0 +1,41 @@
+import { z } from 'zod/v4';
+import { OrganizationRoleSchema } from '../organization';
+
+export const UpdateInviteLinkRequestSchema = z.object({
+  enabled: z.boolean().optional(),
+  refresh_link: z.boolean().optional(),
+});
+
+export type UpdateInviteLinkRequest = z.infer<typeof UpdateInviteLinkRequestSchema>;
+
+export const AddApprovedDomainRequestSchema = z.object({
+  domains: z.array(z.string()),
+});
+
+export type AddApprovedDomainRequest = z.infer<typeof AddApprovedDomainRequestSchema>;
+
+export const RemoveApprovedDomainRequestSchema = z.object({
+  domains: z.array(z.string()),
+});
+
+export type RemoveApprovedDomainRequest = z.infer<typeof RemoveApprovedDomainRequestSchema>;
+
+export const UpdateWorkspaceSettingsRequestSchema = z.object({
+  restrict_new_user_invitations: z.boolean().optional(),
+  default_role: OrganizationRoleSchema.optional(),
+  // this can either be a uuid or "all"
+  default_datasets_ids: z
+    .array(
+      z.union([
+        z
+          .string()
+          .regex(
+            /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$/
+          ),
+        z.literal('all'),
+      ])
+    )
+    .optional(),
+});
+
+export type UpdateWorkspaceSettingsRequest = z.infer<typeof UpdateWorkspaceSettingsRequestSchema>;
diff --git a/packages/server-shared/src/security/responses.ts b/packages/server-shared/src/security/responses.ts
new file mode 100644
index 000000000..eb10a45d2
--- /dev/null
+++ b/packages/server-shared/src/security/responses.ts
@@ -0,0 +1,41 @@
+import { z } from 'zod/v4';
+import { OrganizationRoleSchema } from '../organization';
+
+export const GetInviteLinkResponseSchema = z.object({
+  link: z.string(),
+  enabled: z.boolean(),
+});
+export const UpdateInviteLinkResponseSchema = GetInviteLinkResponseSchema;
+export const RefreshInviteLinkResponseSchema = GetInviteLinkResponseSchema;
+
+export const GetApprovedDomainsResponseSchema = z.array(
+  z.object({
+    domain: z.string(),
+    created_at: z.string(),
+  })
+);
+export const AddApprovedDomainsResponseSchema = GetApprovedDomainsResponseSchema;
+export const UpdateApprovedDomainsResponseSchema = GetApprovedDomainsResponseSchema;
+export const RemoveApprovedDomainsResponseSchema = GetApprovedDomainsResponseSchema;
+
+export const GetWorkspaceSettingsResponseSchema = z.object({
+  restrict_new_user_invitations: z.boolean(),
+  default_role: OrganizationRoleSchema,
+  default_datasets: z.array(
+    z.object({
+      id: z.string(),
+      name: z.string(),
+    })
+  ),
+});
+export const UpdateWorkspaceSettingsResponseSchema = GetWorkspaceSettingsResponseSchema;
+
+export type RefreshInviteLinkResponse = z.infer<typeof RefreshInviteLinkResponseSchema>;
+export type UpdateInviteLinkResponse = z.infer<typeof UpdateInviteLinkResponseSchema>;
+export type GetInviteLinkResponse = z.infer<typeof GetInviteLinkResponseSchema>;
+export type GetApprovedDomainsResponse = z.infer<typeof GetApprovedDomainsResponseSchema>;
+export type AddApprovedDomainsResponse = z.infer<typeof AddApprovedDomainsResponseSchema>;
+export type UpdateApprovedDomainsResponse = z.infer<typeof UpdateApprovedDomainsResponseSchema>;
+export type RemoveApprovedDomainsResponse = z.infer<typeof RemoveApprovedDomainsResponseSchema>;
+export type GetWorkspaceSettingsResponse = z.infer<typeof GetWorkspaceSettingsResponseSchema>;
+export type UpdateWorkspaceSettingsResponse = z.infer<typeof UpdateWorkspaceSettingsResponseSchema>;
diff --git a/packages/server-shared/src/teams/teams.types.ts b/packages/server-shared/src/teams/teams.types.ts
index 6f80c1f82..538176cd9 100644
--- a/packages/server-shared/src/teams/teams.types.ts
+++ b/packages/server-shared/src/teams/teams.types.ts
@@ -1,8 +1,14 @@
-import { teamRoleEnum } from '@buster/database';
+import type { teamRoleEnum } from '@buster/database'; //we import as type to avoid postgres dependency in the frontend ☹️
 import { z } from 'zod/v4';
 import { SharingSettingSchema } from '../user/sharing-setting.types';
 
-export const TeamRoleSchema = z.enum([...teamRoleEnum.enumValues, 'none']);
+type TeamRoleBase = (typeof teamRoleEnum.enumValues)[number] | 'none';
+const TeamRoleEnums: Record<TeamRoleBase, TeamRoleBase> = Object.freeze({
+  none: 'none',
+  manager: 'manager',
+  member: 'member',
+});
+export const TeamRoleSchema = z.enum(Object.values(TeamRoleEnums));
 
 export type TeamRole = z.infer<typeof TeamRoleSchema>;
 
diff --git a/packages/server-shared/src/user/roles.types.ts b/packages/server-shared/src/user/roles.types.ts
index 3ebcef1a0..b49fb5ba8 100644
--- a/packages/server-shared/src/user/roles.types.ts
+++ b/packages/server-shared/src/user/roles.types.ts
@@ -1,6 +1,18 @@
-import { userOrganizationRoleEnum } from '@buster/database';
+import type { userOrganizationRoleEnum } from '@buster/database'; //we import as type to avoid postgres dependency in the frontend ☹️
 import { z } from 'zod/v4';
 
-export const UserOrganizationRoleSchema = z.enum([...userOrganizationRoleEnum.enumValues, 'none']);
+type UserOrganizationRoleBase = (typeof userOrganizationRoleEnum.enumValues)[number] | 'none';
+
+const UserOrganizationRoleEnums: Record<UserOrganizationRoleBase, UserOrganizationRoleBase> =
+  Object.freeze({
+    none: 'none',
+    viewer: 'viewer',
+    workspace_admin: 'workspace_admin',
+    data_admin: 'data_admin',
+    querier: 'querier',
+    restricted_querier: 'restricted_querier',
+  });
+
+export const UserOrganizationRoleSchema = z.enum(Object.values(UserOrganizationRoleEnums));
 
 export type UserOrganizationRole = z.infer<typeof UserOrganizationRoleSchema>;
diff --git a/packages/server-shared/src/user/sharing-setting.types.ts b/packages/server-shared/src/user/sharing-setting.types.ts
index ef68a538a..c559f9867 100644
--- a/packages/server-shared/src/user/sharing-setting.types.ts
+++ b/packages/server-shared/src/user/sharing-setting.types.ts
@@ -1,6 +1,14 @@
-import { sharingSettingEnum } from '@buster/database';
+import type { sharingSettingEnum } from '@buster/database'; //we import as type to avoid postgres dependency in the frontend ☹️
 import { z } from 'zod/v4';
 
-export const SharingSettingSchema = z.enum([...sharingSettingEnum.enumValues, 'none']);
+type SharingSettingBase = (typeof sharingSettingEnum.enumValues)[number] | 'none';
+
+const SharingSettingEnums: Record<SharingSettingBase, SharingSettingBase> = Object.freeze({
+  none: 'none',
+  public: 'public',
+  team: 'team',
+  organization: 'organization',
+});
+export const SharingSettingSchema = z.enum(Object.values(SharingSettingEnums));
 
 export type SharingSetting = z.infer<typeof SharingSettingSchema>;