[SM-713] Add database support for secret access policies (#3681)

* mssql add column and migration

* Add secret access policies to EF models and config

* Clear new access policies on service account delete

* Add SM cleanup code on delete

* Fix EF org user bulk delete

* Run EF migrations

bitwarden_license/src/Commercial.Infrastructure.EntityFramework/SecretsManager/Repositories/ServiceAccountRepository.cs

@@ -84,22 +84,29 @@ public class ServiceAccountRepository : Repository<Core.SecretsManager.Entities.
 
     public async Task DeleteManyByIdAsync(IEnumerable<Guid> ids)
     {
+        var targetIds = ids.ToList();
         using var scope = ServiceScopeFactory.CreateScope();
         var dbContext = GetDatabaseContext(scope);
 
+        await using var transaction = await dbContext.Database.BeginTransactionAsync();
+
         // Policies can't have a cascade delete, so we need to delete them manually.
-        var policies = dbContext.AccessPolicies.Where(ap =>
+        await dbContext.AccessPolicies.Where(ap =>
-            ((ServiceAccountProjectAccessPolicy)ap).ServiceAccountId.HasValue && ids.Contains(((ServiceAccountProjectAccessPolicy)ap).ServiceAccountId!.Value) ||
+                targetIds.Contains(((ServiceAccountProjectAccessPolicy)ap).ServiceAccountId!.Value) ||
-            ((GroupServiceAccountAccessPolicy)ap).GrantedServiceAccountId.HasValue && ids.Contains(((GroupServiceAccountAccessPolicy)ap).GrantedServiceAccountId!.Value) ||
+                targetIds.Contains(((ServiceAccountSecretAccessPolicy)ap).ServiceAccountId!.Value) ||
-            ((UserServiceAccountAccessPolicy)ap).GrantedServiceAccountId.HasValue && ids.Contains(((UserServiceAccountAccessPolicy)ap).GrantedServiceAccountId!.Value));
+                targetIds.Contains(((GroupServiceAccountAccessPolicy)ap).GrantedServiceAccountId!.Value) ||
-        dbContext.RemoveRange(policies);
+                targetIds.Contains(((UserServiceAccountAccessPolicy)ap).GrantedServiceAccountId!.Value))
+            .ExecuteDeleteAsync();
 
-        var apiKeys = dbContext.ApiKeys.Where(a => a.ServiceAccountId.HasValue && ids.Contains(a.ServiceAccountId!.Value));
+        await dbContext.ApiKeys
-        dbContext.RemoveRange(apiKeys);
+            .Where(a => targetIds.Contains(a.ServiceAccountId!.Value))
+            .ExecuteDeleteAsync();
 
-        var serviceAccounts = dbContext.ServiceAccount.Where(c => ids.Contains(c.Id));
+        await dbContext.ServiceAccount
-        dbContext.RemoveRange(serviceAccounts);
+            .Where(c => targetIds.Contains(c.Id))
-        await dbContext.SaveChangesAsync();
+            .ExecuteDeleteAsync();
+
+        await transaction.CommitAsync();
     }
 
     public async Task<(bool Read, bool Write)> AccessToServiceAccountAsync(Guid id, Guid userId,

src/Core/SecretsManager/Entities/AccessPolicy.cs

@@ -38,6 +38,14 @@ public class UserServiceAccountAccessPolicy : BaseAccessPolicy
     public ServiceAccount? GrantedServiceAccount { get; set; }
 }
 
+public class UserSecretAccessPolicy : BaseAccessPolicy
+{
+    public Guid? OrganizationUserId { get; set; }
+    public User? User { get; set; }
+    public Guid? GrantedSecretId { get; set; }
+    public Secret? GrantedSecret { get; set; }
+}
+
 public class GroupProjectAccessPolicy : BaseAccessPolicy
 {
     public Guid? GroupId { get; set; }
@@ -56,6 +64,15 @@ public class GroupServiceAccountAccessPolicy : BaseAccessPolicy
     public ServiceAccount? GrantedServiceAccount { get; set; }
 }
 
+public class GroupSecretAccessPolicy : BaseAccessPolicy
+{
+    public Guid? GroupId { get; set; }
+    public Group? Group { get; set; }
+    public bool? CurrentUserInGroup { get; set; }
+    public Guid? GrantedSecretId { get; set; }
+    public Secret? GrantedSecret { get; set; }
+}
+
 public class ServiceAccountProjectAccessPolicy : BaseAccessPolicy
 {
     public Guid? ServiceAccountId { get; set; }
@@ -63,3 +80,11 @@ public class ServiceAccountProjectAccessPolicy : BaseAccessPolicy
     public Guid? GrantedProjectId { get; set; }
     public Project? GrantedProject { get; set; }
 }
+
+public class ServiceAccountSecretAccessPolicy : BaseAccessPolicy
+{
+    public Guid? ServiceAccountId { get; set; }
+    public ServiceAccount? ServiceAccount { get; set; }
+    public Guid? GrantedSecretId { get; set; }
+    public Secret? GrantedSecret { get; set; }
+}

src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs

@@ -180,6 +180,8 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
                 .ExecuteDeleteAsync();
             await dbContext.UserServiceAccountAccessPolicy.Where(ap => ap.OrganizationUser.OrganizationId == organization.Id)
                 .ExecuteDeleteAsync();
+            await dbContext.UserSecretAccessPolicy.Where(ap => ap.OrganizationUser.OrganizationId == organization.Id)
+                .ExecuteDeleteAsync();
             await dbContext.OrganizationUsers.Where(ou => ou.OrganizationId == organization.Id)
                 .ExecuteDeleteAsync();
             await dbContext.ProviderOrganizations.Where(po => po.OrganizationId == organization.Id)

src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs

@@ -100,6 +100,8 @@ public class OrganizationUserRepository : Repository<Core.Entities.OrganizationU
                 dbContext.UserProjectAccessPolicy.Where(ap => ap.OrganizationUserId == organizationUserId));
             dbContext.UserServiceAccountAccessPolicy.RemoveRange(
                 dbContext.UserServiceAccountAccessPolicy.Where(ap => ap.OrganizationUserId == organizationUserId));
+            dbContext.UserSecretAccessPolicy.RemoveRange(
+                dbContext.UserSecretAccessPolicy.Where(ap => ap.OrganizationUserId == organizationUserId));
 
             var orgSponsorships = await dbContext.OrganizationSponsorships
                 .Where(os => os.SponsoringOrganizationUserId == organizationUserId)
@@ -117,18 +119,36 @@ public class OrganizationUserRepository : Repository<Core.Entities.OrganizationU
 
     public async Task DeleteManyAsync(IEnumerable<Guid> organizationUserIds)
     {
-        using (var scope = ServiceScopeFactory.CreateScope())
+        var targetOrganizationUserIds = organizationUserIds.ToList();
-        {
+        using var scope = ServiceScopeFactory.CreateScope();
-            var dbContext = GetDatabaseContext(scope);
+        var dbContext = GetDatabaseContext(scope);
-            await dbContext.UserBumpAccountRevisionDateByOrganizationUserIdsAsync(organizationUserIds);
-            var entities = await dbContext.OrganizationUsers
-                // TODO: Does this work?
-                .Where(ou => organizationUserIds.Contains(ou.Id))
-                .ToListAsync();
 
-            dbContext.OrganizationUsers.RemoveRange(entities);
+        var transaction = await dbContext.Database.BeginTransactionAsync();
-            await dbContext.SaveChangesAsync();
+        await dbContext.UserBumpAccountRevisionDateByOrganizationUserIdsAsync(targetOrganizationUserIds);
-        }
+
+        await dbContext.CollectionUsers
+            .Where(cu => targetOrganizationUserIds.Contains(cu.OrganizationUserId))
+            .ExecuteDeleteAsync();
+
+        await dbContext.GroupUsers
+            .Where(gu => targetOrganizationUserIds.Contains(gu.OrganizationUserId))
+            .ExecuteDeleteAsync();
+
+        await dbContext.UserProjectAccessPolicy
+            .Where(ap => targetOrganizationUserIds.Contains(ap.OrganizationUserId!.Value))
+            .ExecuteDeleteAsync();
+        await dbContext.UserServiceAccountAccessPolicy
+            .Where(ap => targetOrganizationUserIds.Contains(ap.OrganizationUserId!.Value))
+            .ExecuteDeleteAsync();
+        await dbContext.UserSecretAccessPolicy
+            .Where(ap => targetOrganizationUserIds.Contains(ap.OrganizationUserId!.Value))
+            .ExecuteDeleteAsync();
+
+        await dbContext.OrganizationUsers
+            .Where(ou => targetOrganizationUserIds.Contains(ou.Id)).ExecuteDeleteAsync();
+
+        await dbContext.SaveChangesAsync();
+        await transaction.CommitAsync();
     }
 
     public async Task<Tuple<Core.Entities.OrganizationUser, ICollection<CollectionAccessSelection>>> GetByIdWithCollectionsAsync(Guid id)

src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs

@@ -27,6 +27,9 @@ public class DatabaseContext : DbContext
     public DbSet<ServiceAccountProjectAccessPolicy> ServiceAccountProjectAccessPolicy { get; set; }
     public DbSet<UserServiceAccountAccessPolicy> UserServiceAccountAccessPolicy { get; set; }
     public DbSet<GroupServiceAccountAccessPolicy> GroupServiceAccountAccessPolicy { get; set; }
+    public DbSet<UserSecretAccessPolicy> UserSecretAccessPolicy { get; set; }
+    public DbSet<GroupSecretAccessPolicy> GroupSecretAccessPolicy { get; set; }
+    public DbSet<ServiceAccountSecretAccessPolicy> ServiceAccountSecretAccessPolicy { get; set; }
     public DbSet<ApiKey> ApiKeys { get; set; }
     public DbSet<Cipher> Ciphers { get; set; }
     public DbSet<Collection> Collections { get; set; }

src/Infrastructure.EntityFramework/SecretsManager/Configurations/AccessPolicyEntityTypeConfiguration.cs

@@ -13,9 +13,12 @@ public class AccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<Acce
             .HasDiscriminator<string>("Discriminator")
             .HasValue<UserProjectAccessPolicy>(AccessPolicyDiscriminator.UserProject)
             .HasValue<UserServiceAccountAccessPolicy>(AccessPolicyDiscriminator.UserServiceAccount)
+            .HasValue<UserSecretAccessPolicy>(AccessPolicyDiscriminator.UserSecret)
             .HasValue<GroupProjectAccessPolicy>(AccessPolicyDiscriminator.GroupProject)
             .HasValue<GroupServiceAccountAccessPolicy>(AccessPolicyDiscriminator.GroupServiceAccount)
-            .HasValue<ServiceAccountProjectAccessPolicy>(AccessPolicyDiscriminator.ServiceAccountProject);
+            .HasValue<GroupSecretAccessPolicy>(AccessPolicyDiscriminator.GroupSecret)
+            .HasValue<ServiceAccountProjectAccessPolicy>(AccessPolicyDiscriminator.ServiceAccountProject)
+            .HasValue<ServiceAccountSecretAccessPolicy>(AccessPolicyDiscriminator.ServiceAccountSecret);
 
         builder
             .Property(s => s.Id)
@@ -63,6 +66,26 @@ public class UserServiceAccountAccessPolicyEntityTypeConfiguration : IEntityType
     }
 }
 
+public class UserSecretAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<UserSecretAccessPolicy>
+{
+    public void Configure(EntityTypeBuilder<UserSecretAccessPolicy> builder)
+    {
+        builder
+            .Property(e => e.OrganizationUserId)
+            .HasColumnName(nameof(UserSecretAccessPolicy.OrganizationUserId));
+
+        builder
+            .Property(e => e.GrantedSecretId)
+            .HasColumnName(nameof(UserSecretAccessPolicy.GrantedSecretId));
+
+        builder
+            .HasOne(e => e.GrantedSecret)
+            .WithMany(e => e.UserAccessPolicies)
+            .HasForeignKey(nameof(UserSecretAccessPolicy.GrantedSecretId))
+            .OnDelete(DeleteBehavior.Cascade);
+    }
+}
+
 public class GroupProjectAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<GroupProjectAccessPolicy>
 {
     public void Configure(EntityTypeBuilder<GroupProjectAccessPolicy> builder)
@@ -109,6 +132,32 @@ public class GroupServiceAccountAccessPolicyEntityTypeConfiguration : IEntityTyp
     }
 }
 
+public class GroupSecretAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<GroupSecretAccessPolicy>
+{
+    public void Configure(EntityTypeBuilder<GroupSecretAccessPolicy> builder)
+    {
+        builder
+            .Property(e => e.GroupId)
+            .HasColumnName(nameof(GroupSecretAccessPolicy.GroupId));
+
+        builder
+            .Property(e => e.GrantedSecretId)
+            .HasColumnName(nameof(GroupSecretAccessPolicy.GrantedSecretId));
+
+        builder
+            .HasOne(e => e.GrantedSecret)
+            .WithMany(e => e.GroupAccessPolicies)
+            .HasForeignKey(nameof(GroupSecretAccessPolicy.GrantedSecretId))
+            .OnDelete(DeleteBehavior.Cascade);
+
+        builder
+            .HasOne(e => e.Group)
+            .WithMany()
+            .HasForeignKey(nameof(GroupSecretAccessPolicy.GroupId))
+            .OnDelete(DeleteBehavior.Cascade);
+    }
+}
+
 public class ServiceAccountProjectAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<ServiceAccountProjectAccessPolicy>
 {
     public void Configure(EntityTypeBuilder<ServiceAccountProjectAccessPolicy> builder)
@@ -128,3 +177,23 @@ public class ServiceAccountProjectAccessPolicyEntityTypeConfiguration : IEntityT
             .OnDelete(DeleteBehavior.Cascade);
     }
 }
+
+public class ServiceAccountSecretAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<ServiceAccountSecretAccessPolicy>
+{
+    public void Configure(EntityTypeBuilder<ServiceAccountSecretAccessPolicy> builder)
+    {
+        builder
+            .Property(e => e.ServiceAccountId)
+            .HasColumnName(nameof(ServiceAccountSecretAccessPolicy.ServiceAccountId));
+
+        builder
+            .Property(e => e.GrantedSecretId)
+            .HasColumnName(nameof(ServiceAccountSecretAccessPolicy.GrantedSecretId));
+
+        builder
+            .HasOne(e => e.GrantedSecret)
+            .WithMany(e => e.ServiceAccountAccessPolicies)
+            .HasForeignKey(nameof(ServiceAccountSecretAccessPolicy.GrantedSecretId))
+            .OnDelete(DeleteBehavior.Cascade);
+    }
+}

src/Infrastructure.EntityFramework/SecretsManager/Discriminators/AccessPolicyDiscriminator.cs

@@ -4,8 +4,10 @@ public static class AccessPolicyDiscriminator
 {
     public const string UserProject = "user_project";
     public const string UserServiceAccount = "user_service_account";
+    public const string UserSecret = "user_secret";
     public const string GroupProject = "group_project";
     public const string GroupServiceAccount = "group_service_account";
+    public const string GroupSecret = "group_secret";
     public const string ServiceAccountProject = "service_account_project";
-
+    public const string ServiceAccountSecret = "service_account_secret";
 }

src/Infrastructure.EntityFramework/SecretsManager/Models/AccessPolicy.cs

@@ -24,6 +24,12 @@ public class AccessPolicyMapperProfile : Profile
             .ReverseMap()
             .ForMember(dst => dst.User, opt => opt.MapFrom(src => src.OrganizationUser.User));
 
+        CreateMap<Core.SecretsManager.Entities.UserSecretAccessPolicy, UserSecretAccessPolicy>()
+            .ForMember(dst => dst.GrantedSecret, opt => opt.Ignore())
+            .ForMember(dst => dst.OrganizationUser, opt => opt.Ignore())
+            .ReverseMap()
+            .ForMember(dst => dst.User, opt => opt.MapFrom(src => src.OrganizationUser.User));
+
         CreateMap<Core.SecretsManager.Entities.GroupProjectAccessPolicy, GroupProjectAccessPolicy>()
             .ForMember(dst => dst.GrantedProject, opt => opt.Ignore())
             .ForMember(dst => dst.Group, opt => opt.Ignore())
@@ -34,10 +40,20 @@ public class AccessPolicyMapperProfile : Profile
             .ForMember(dst => dst.Group, opt => opt.Ignore())
             .ReverseMap();
 
+        CreateMap<Core.SecretsManager.Entities.GroupSecretAccessPolicy, GroupSecretAccessPolicy>()
+            .ForMember(dst => dst.GrantedSecret, opt => opt.Ignore())
+            .ForMember(dst => dst.Group, opt => opt.Ignore())
+            .ReverseMap();
+
         CreateMap<Core.SecretsManager.Entities.ServiceAccountProjectAccessPolicy, ServiceAccountProjectAccessPolicy>()
             .ForMember(dst => dst.GrantedProject, opt => opt.Ignore())
             .ForMember(dst => dst.ServiceAccount, opt => opt.Ignore())
             .ReverseMap();
+
+        CreateMap<Core.SecretsManager.Entities.ServiceAccountSecretAccessPolicy, ServiceAccountSecretAccessPolicy>()
+            .ForMember(dst => dst.GrantedSecret, opt => opt.Ignore())
+            .ForMember(dst => dst.ServiceAccount, opt => opt.Ignore())
+            .ReverseMap();
     }
 }
 
@@ -61,6 +77,14 @@ public class UserServiceAccountAccessPolicy : AccessPolicy
     public virtual ServiceAccount GrantedServiceAccount { get; set; }
 }
 
+public class UserSecretAccessPolicy : AccessPolicy
+{
+    public Guid? OrganizationUserId { get; set; }
+    public virtual OrganizationUser OrganizationUser { get; set; }
+    public Guid? GrantedSecretId { get; set; }
+    public virtual Secret GrantedSecret { get; set; }
+}
+
 public class GroupProjectAccessPolicy : AccessPolicy
 {
     public Guid? GroupId { get; set; }
@@ -77,6 +101,14 @@ public class GroupServiceAccountAccessPolicy : AccessPolicy
     public virtual ServiceAccount GrantedServiceAccount { get; set; }
 }
 
+public class GroupSecretAccessPolicy : AccessPolicy
+{
+    public Guid? GroupId { get; set; }
+    public virtual Group Group { get; set; }
+    public Guid? GrantedSecretId { get; set; }
+    public virtual Secret GrantedSecret { get; set; }
+}
+
 public class ServiceAccountProjectAccessPolicy : AccessPolicy
 {
     public Guid? ServiceAccountId { get; set; }
@@ -84,3 +116,12 @@ public class ServiceAccountProjectAccessPolicy : AccessPolicy
     public Guid? GrantedProjectId { get; set; }
     public virtual Project GrantedProject { get; set; }
 }
+
+public class ServiceAccountSecretAccessPolicy : AccessPolicy
+{
+    public Guid? ServiceAccountId { get; set; }
+    public virtual ServiceAccount ServiceAccount { get; set; }
+    public Guid? GrantedSecretId { get; set; }
+    public virtual Secret GrantedSecret { get; set; }
+}
+

src/Infrastructure.EntityFramework/SecretsManager/Models/Secret.cs

@@ -5,8 +5,11 @@ namespace Bit.Infrastructure.EntityFramework.SecretsManager.Models;
 
 public class Secret : Core.SecretsManager.Entities.Secret
 {
-    public virtual new ICollection<Project> Projects { get; set; }
+    public new virtual ICollection<Project> Projects { get; set; }
     public virtual Organization Organization { get; set; }
+    public virtual ICollection<UserSecretAccessPolicy> UserAccessPolicies { get; set; }
+    public virtual ICollection<GroupSecretAccessPolicy> GroupAccessPolicies { get; set; }
+    public virtual ICollection<ServiceAccountSecretAccessPolicy> ServiceAccountAccessPolicies { get; set; }
 }
 
 public class SecretMapperProfile : Profile

src/Sql/SecretsManager/dbo/Tables/AccessPolicy.sql

@@ -1,34 +1,40 @@
-CREATE TABLE [AccessPolicy] (
+CREATE TABLE [dbo].[AccessPolicy]
-    [Id]                      UNIQUEIDENTIFIER NOT NULL,
+(
-    [Discriminator]           NVARCHAR(50)     NOT NULL,
+    [Id] UNIQUEIDENTIFIER NOT NULL,
-    [OrganizationUserId]      UNIQUEIDENTIFIER NULL,
+    [Discriminator] NVARCHAR (50) NOT NULL,
-    [GroupId]                 UNIQUEIDENTIFIER NULL,
+    [OrganizationUserId] UNIQUEIDENTIFIER NULL,
-    [ServiceAccountId]        UNIQUEIDENTIFIER NULL,
+    [GroupId] UNIQUEIDENTIFIER NULL,
-    [GrantedProjectId]        UNIQUEIDENTIFIER NULL,
+    [ServiceAccountId] UNIQUEIDENTIFIER NULL,
+    [GrantedProjectId] UNIQUEIDENTIFIER NULL,
     [GrantedServiceAccountId] UNIQUEIDENTIFIER NULL,
-    [Read]                    BIT NOT NULL,
+    [Read] BIT NOT NULL,
-    [Write]                   BIT NOT NULL,
+    [Write] BIT NOT NULL,
-    [CreationDate]            DATETIME2 NOT NULL,
+    [CreationDate] DATETIME2 NOT NULL,
-    [RevisionDate]            DATETIME2 NOT NULL,
+    [RevisionDate] DATETIME2 NOT NULL,
-    CONSTRAINT [PK_AccessPolicy] PRIMARY KEY CLUSTERED ([Id]),
+    [GrantedSecretId] UNIQUEIDENTIFIER NULL,
-    CONSTRAINT [FK_AccessPolicy_Group_GroupId] FOREIGN KEY ([GroupId]) REFERENCES [Group] ([Id]) ON DELETE CASCADE,
+    CONSTRAINT [PK_AccessPolicy] PRIMARY KEY CLUSTERED ([Id] ASC),
-    CONSTRAINT [FK_AccessPolicy_OrganizationUser_OrganizationUserId] FOREIGN KEY ([OrganizationUserId]) REFERENCES [OrganizationUser] ([Id]),
+    CONSTRAINT [FK_AccessPolicy_Group_GroupId] FOREIGN KEY ([GroupId]) REFERENCES [dbo].[Group] ([Id]) ON DELETE CASCADE,
-    CONSTRAINT [FK_AccessPolicy_Project_GrantedProjectId] FOREIGN KEY ([GrantedProjectId]) REFERENCES [Project] ([Id]) ON DELETE CASCADE,
+    CONSTRAINT [FK_AccessPolicy_OrganizationUser_OrganizationUserId] FOREIGN KEY ([OrganizationUserId]) REFERENCES [dbo].[OrganizationUser] ([Id]),
-    CONSTRAINT [FK_AccessPolicy_ServiceAccount_GrantedServiceAccountId] FOREIGN KEY ([GrantedServiceAccountId]) REFERENCES [ServiceAccount] ([Id]),
+    CONSTRAINT [FK_AccessPolicy_Project_GrantedProjectId] FOREIGN KEY ([GrantedProjectId]) REFERENCES [dbo].[Project] ([Id]) ON DELETE CASCADE,
-    CONSTRAINT [FK_AccessPolicy_ServiceAccount_ServiceAccountId] FOREIGN KEY ([ServiceAccountId]) REFERENCES [ServiceAccount] ([Id])
+    CONSTRAINT [FK_AccessPolicy_ServiceAccount_GrantedServiceAccountId] FOREIGN KEY ([GrantedServiceAccountId]) REFERENCES [dbo].[ServiceAccount] ([Id]),
+    CONSTRAINT [FK_AccessPolicy_ServiceAccount_ServiceAccountId] FOREIGN KEY ([ServiceAccountId]) REFERENCES [dbo].[ServiceAccount] ([Id]),
+    CONSTRAINT [FK_AccessPolicy_Secret_GrantedSecretId] FOREIGN KEY ([GrantedSecretId]) REFERENCES [dbo].[Secret] ([Id]) ON DELETE CASCADE
 );
 
 GO
-CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GroupId] ON [AccessPolicy] ([GroupId]);
+CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GroupId] ON [dbo].[AccessPolicy]([GroupId] ASC);
 
 GO
-CREATE NONCLUSTERED INDEX [IX_AccessPolicy_OrganizationUserId] ON [AccessPolicy] ([OrganizationUserId]);
+CREATE NONCLUSTERED INDEX [IX_AccessPolicy_OrganizationUserId] ON [dbo].[AccessPolicy]([OrganizationUserId] ASC);
 
 GO
-CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedProjectId] ON [AccessPolicy] ([GrantedProjectId]);
+CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedProjectId] ON [dbo].[AccessPolicy]([GrantedProjectId] ASC);
 
 GO
-CREATE NONCLUSTERED INDEX [IX_AccessPolicy_ServiceAccountId] ON [AccessPolicy] ([ServiceAccountId]);
+CREATE NONCLUSTERED INDEX [IX_AccessPolicy_ServiceAccountId] ON [dbo].[AccessPolicy]([ServiceAccountId] ASC);
 
 GO
-CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedServiceAccountId] ON [AccessPolicy] ([GrantedServiceAccountId]);
+CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedServiceAccountId] ON [dbo].[AccessPolicy]([GrantedServiceAccountId] ASC);
+
+GO
+CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedSecretId] ON [dbo].[AccessPolicy]([GrantedSecretId] ASC);

util/Migrator/DbScripts/2024-02-16_00_AddSecretAccessPolicies.sql

@@ -0,0 +1,14 @@
+IF COL_LENGTH('[dbo].[AccessPolicy]', 'GrantedSecretId') IS NULL
+BEGIN
+    ALTER TABLE [dbo].[AccessPolicy] ADD [GrantedSecretId] [uniqueidentifier] NULL
+    CONSTRAINT [FK_AccessPolicy_Secret_GrantedSecretId] FOREIGN KEY ([GrantedSecretId]) REFERENCES [Secret] ([Id]) ON DELETE CASCADE
+END
+GO
+
+IF NOT EXISTS(SELECT name
+FROM sys.indexes
+WHERE name = 'IX_AccessPolicy_GrantedSecretId')
+BEGIN
+    CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedSecretId] ON [dbo].[AccessPolicy] ([GrantedSecretId] ASC);
+END
+GO

util/MySqlMigrations/Migrations/20240216170327_AddSecretAccessPolicies.cs

@@ -0,0 +1,49 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddSecretAccessPolicies : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<Guid>(
+            name: "GrantedSecretId",
+            table: "AccessPolicy",
+            type: "char(36)",
+            nullable: true,
+            collation: "ascii_general_ci");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_AccessPolicy_GrantedSecretId",
+            table: "AccessPolicy",
+            column: "GrantedSecretId");
+
+        migrationBuilder.AddForeignKey(
+            name: "FK_AccessPolicy_Secret_GrantedSecretId",
+            table: "AccessPolicy",
+            column: "GrantedSecretId",
+            principalTable: "Secret",
+            principalColumn: "Id",
+            onDelete: ReferentialAction.Cascade);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropForeignKey(
+            name: "FK_AccessPolicy_Secret_GrantedSecretId",
+            table: "AccessPolicy");
+
+        migrationBuilder.DropIndex(
+            name: "IX_AccessPolicy_GrantedSecretId",
+            table: "AccessPolicy");
+
+        migrationBuilder.DropColumn(
+            name: "GrantedSecretId",
+            table: "AccessPolicy");
+    }
+}

util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs

@@ -1732,6 +1732,27 @@ namespace Bit.MySqlMigrations.Migrations
                     b.HasDiscriminator().HasValue("group_project");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
                 {
                     b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
@@ -1763,6 +1784,7 @@ namespace Bit.MySqlMigrations.Migrations
                         .HasColumnName("GrantedProjectId");
 
                     b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
                         .HasColumnType("char(36)")
                         .HasColumnName("ServiceAccountId");
 
@@ -1773,6 +1795,27 @@ namespace Bit.MySqlMigrations.Migrations
                     b.HasDiscriminator().HasValue("service_account_project");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
                 {
                     b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
@@ -1794,6 +1837,27 @@ namespace Bit.MySqlMigrations.Migrations
                     b.HasDiscriminator().HasValue("user_project");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("char(36)")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
                 {
                     b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
@@ -2245,6 +2309,23 @@ namespace Bit.MySqlMigrations.Migrations
                     b.Navigation("Group");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
                 {
                     b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
@@ -2277,6 +2358,22 @@ namespace Bit.MySqlMigrations.Migrations
                     b.Navigation("ServiceAccount");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
                 {
                     b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
@@ -2293,6 +2390,22 @@ namespace Bit.MySqlMigrations.Migrations
                     b.Navigation("OrganizationUser");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
                 {
                     b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
@@ -2376,6 +2489,15 @@ namespace Bit.MySqlMigrations.Migrations
                     b.Navigation("UserAccessPolicies");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
                 {
                     b.Navigation("GroupAccessPolicies");

util/PostgresMigrations/Migrations/20240216170332_AddSecretAccessPolicies.cs

@@ -0,0 +1,48 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddSecretAccessPolicies : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<Guid>(
+            name: "GrantedSecretId",
+            table: "AccessPolicy",
+            type: "uuid",
+            nullable: true);
+
+        migrationBuilder.CreateIndex(
+            name: "IX_AccessPolicy_GrantedSecretId",
+            table: "AccessPolicy",
+            column: "GrantedSecretId");
+
+        migrationBuilder.AddForeignKey(
+            name: "FK_AccessPolicy_Secret_GrantedSecretId",
+            table: "AccessPolicy",
+            column: "GrantedSecretId",
+            principalTable: "Secret",
+            principalColumn: "Id",
+            onDelete: ReferentialAction.Cascade);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropForeignKey(
+            name: "FK_AccessPolicy_Secret_GrantedSecretId",
+            table: "AccessPolicy");
+
+        migrationBuilder.DropIndex(
+            name: "IX_AccessPolicy_GrantedSecretId",
+            table: "AccessPolicy");
+
+        migrationBuilder.DropColumn(
+            name: "GrantedSecretId",
+            table: "AccessPolicy");
+    }
+}

util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs

@@ -1746,6 +1746,27 @@ namespace Bit.PostgresMigrations.Migrations
                     b.HasDiscriminator().HasValue("group_project");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
                 {
                     b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
@@ -1777,6 +1798,7 @@ namespace Bit.PostgresMigrations.Migrations
                         .HasColumnName("GrantedProjectId");
 
                     b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
                         .HasColumnType("uuid")
                         .HasColumnName("ServiceAccountId");
 
@@ -1787,6 +1809,27 @@ namespace Bit.PostgresMigrations.Migrations
                     b.HasDiscriminator().HasValue("service_account_project");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
                 {
                     b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
@@ -1808,6 +1851,27 @@ namespace Bit.PostgresMigrations.Migrations
                     b.HasDiscriminator().HasValue("user_project");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("uuid")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
                 {
                     b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
@@ -2259,6 +2323,23 @@ namespace Bit.PostgresMigrations.Migrations
                     b.Navigation("Group");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
                 {
                     b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
@@ -2291,6 +2372,22 @@ namespace Bit.PostgresMigrations.Migrations
                     b.Navigation("ServiceAccount");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
                 {
                     b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
@@ -2307,6 +2404,22 @@ namespace Bit.PostgresMigrations.Migrations
                     b.Navigation("OrganizationUser");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
                 {
                     b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
@@ -2390,6 +2503,15 @@ namespace Bit.PostgresMigrations.Migrations
                     b.Navigation("UserAccessPolicies");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
                 {
                     b.Navigation("GroupAccessPolicies");

util/SqliteMigrations/Migrations/20240216170322_AddSecretAccessPolicies.cs

@@ -0,0 +1,48 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddSecretAccessPolicies : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<Guid>(
+            name: "GrantedSecretId",
+            table: "AccessPolicy",
+            type: "TEXT",
+            nullable: true);
+
+        migrationBuilder.CreateIndex(
+            name: "IX_AccessPolicy_GrantedSecretId",
+            table: "AccessPolicy",
+            column: "GrantedSecretId");
+
+        migrationBuilder.AddForeignKey(
+            name: "FK_AccessPolicy_Secret_GrantedSecretId",
+            table: "AccessPolicy",
+            column: "GrantedSecretId",
+            principalTable: "Secret",
+            principalColumn: "Id",
+            onDelete: ReferentialAction.Cascade);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropForeignKey(
+            name: "FK_AccessPolicy_Secret_GrantedSecretId",
+            table: "AccessPolicy");
+
+        migrationBuilder.DropIndex(
+            name: "IX_AccessPolicy_GrantedSecretId",
+            table: "AccessPolicy");
+
+        migrationBuilder.DropColumn(
+            name: "GrantedSecretId",
+            table: "AccessPolicy");
+    }
+}

util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs

@@ -1730,6 +1730,27 @@ namespace Bit.SqliteMigrations.Migrations
                     b.HasDiscriminator().HasValue("group_project");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("GroupId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GroupId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("GroupId");
+
+                    b.HasDiscriminator().HasValue("group_secret");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
                 {
                     b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
@@ -1761,6 +1782,7 @@ namespace Bit.SqliteMigrations.Migrations
                         .HasColumnName("GrantedProjectId");
 
                     b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
                         .HasColumnType("TEXT")
                         .HasColumnName("ServiceAccountId");
 
@@ -1771,6 +1793,27 @@ namespace Bit.SqliteMigrations.Migrations
                     b.HasDiscriminator().HasValue("service_account_project");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("ServiceAccountId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("ServiceAccountId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("ServiceAccountId");
+
+                    b.HasDiscriminator().HasValue("service_account_secret");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
                 {
                     b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
@@ -1792,6 +1835,27 @@ namespace Bit.SqliteMigrations.Migrations
                     b.HasDiscriminator().HasValue("user_project");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
+
+                    b.Property<Guid?>("GrantedSecretId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("GrantedSecretId");
+
+                    b.Property<Guid?>("OrganizationUserId")
+                        .ValueGeneratedOnUpdateSometimes()
+                        .HasColumnType("TEXT")
+                        .HasColumnName("OrganizationUserId");
+
+                    b.HasIndex("GrantedSecretId");
+
+                    b.HasIndex("OrganizationUserId");
+
+                    b.HasDiscriminator().HasValue("user_secret");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
                 {
                     b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
@@ -2243,6 +2307,23 @@ namespace Bit.SqliteMigrations.Migrations
                     b.Navigation("Group");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("GroupAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
+                        .WithMany()
+                        .HasForeignKey("GroupId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("Group");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
                 {
                     b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
@@ -2275,6 +2356,22 @@ namespace Bit.SqliteMigrations.Migrations
                     b.Navigation("ServiceAccount");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("ServiceAccountAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
+                        .WithMany()
+                        .HasForeignKey("ServiceAccountId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("ServiceAccount");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
                 {
                     b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
@@ -2291,6 +2388,22 @@ namespace Bit.SqliteMigrations.Migrations
                     b.Navigation("OrganizationUser");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
+                {
+                    b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
+                        .WithMany("UserAccessPolicies")
+                        .HasForeignKey("GrantedSecretId")
+                        .OnDelete(DeleteBehavior.Cascade);
+
+                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
+                        .WithMany()
+                        .HasForeignKey("OrganizationUserId");
+
+                    b.Navigation("GrantedSecret");
+
+                    b.Navigation("OrganizationUser");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
                 {
                     b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
@@ -2374,6 +2487,15 @@ namespace Bit.SqliteMigrations.Migrations
                     b.Navigation("UserAccessPolicies");
                 });
 
+            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
+                {
+                    b.Navigation("GroupAccessPolicies");
+
+                    b.Navigation("ServiceAccountAccessPolicies");
+
+                    b.Navigation("UserAccessPolicies");
+                });
+
             modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
                 {
                     b.Navigation("GroupAccessPolicies");