getsentry
diff --git a/‎src/sentry/data_secrecy/data_access_grant_service/__init__.py b/‎src/sentry/data_secrecy/data_access_grant_service/__init__.py
diff --git a/‎src/sentry/data_secrecy/data_access_grant_service/impl.py
Lines changed: 0 additions & 35 deletions b/‎src/sentry/data_secrecy/data_access_grant_service/impl.py
Lines changed: 0 additions & 35 deletions
diff --git a/‎src/sentry/data_secrecy/data_access_grant_service/model.py
Lines changed: 0 additions & 13 deletions b/‎src/sentry/data_secrecy/data_access_grant_service/model.py
Lines changed: 0 additions & 13 deletions
diff --git a/‎src/sentry/data_secrecy/data_access_grant_service/serial.py
Lines changed: 0 additions & 17 deletions b/‎src/sentry/data_secrecy/data_access_grant_service/serial.py
Lines changed: 0 additions & 17 deletions
diff --git a/‎src/sentry/data_secrecy/data_access_grant_service/service.py
Lines changed: 0 additions & 31 deletions b/‎src/sentry/data_secrecy/data_access_grant_service/service.py
Lines changed: 0 additions & 31 deletions
diff --git a/‎src/sentry/data_secrecy/data_secrecy_logic.py
Lines changed: 5 additions & 13 deletions b/‎src/sentry/data_secrecy/data_secrecy_logic.py
Lines changed: 5 additions & 13 deletions
diff --git a/‎src/sentry/data_secrecy/service/impl.py
Lines changed: 31 additions & 12 deletions b/‎src/sentry/data_secrecy/service/impl.py
Lines changed: 31 additions & 12 deletions
diff --git a/‎src/sentry/data_secrecy/service/model.py
Lines changed: 8 additions & 8 deletions b/‎src/sentry/data_secrecy/service/model.py
Lines changed: 8 additions & 8 deletions
diff --git a/‎src/sentry/data_secrecy/service/serial.py
Lines changed: 15 additions & 8 deletions b/‎src/sentry/data_secrecy/service/serial.py
Lines changed: 15 additions & 8 deletions
diff --git a/‎src/sentry/data_secrecy/service/service.py
Lines changed: 10 additions & 11 deletions b/‎src/sentry/data_secrecy/service/service.py
Lines changed: 10 additions & 11 deletions
@@ -1,8 +1,6 @@
 from django.conf import settings
-from django.utils import timezone
 
 from sentry import features
-from sentry.data_secrecy.service.service import data_secrecy_service
 from sentry.models.organization import Organization
 from sentry.organizations.services.organization import RpcOrganization, RpcUserOrganizationContext
 
@@ -11,7 +9,7 @@ def should_allow_superuser_access(
     organization_context: Organization | RpcUserOrganizationContext,
 ) -> bool:
 
-    # If self hosted installation, superuser access is allowed
+    # If self hosted installation, allow superuser access
     if settings.SENTRY_SELF_HOSTED:
         return True
 
@@ -21,19 +19,13 @@ def should_allow_superuser_access(
     else:
         organization = organization_context
 
-    # If organization does not have data-secrecy feature, return True
+    # If organization does not have data-secrecy feature, allow superuser access
     if not features.has("organizations:data-secrecy", organization):
         return True
 
-    # If organization's prevent_superuser_access bitflag is False, return True
+    # If organization's prevent_superuser_access bitflag is False, allow superuser access
     if not organization.flags.prevent_superuser_access:
         return True
 
-    ds = data_secrecy_service.get_data_secrecy_waiver(organization_id=organization.id)
-
-    # If no data secrecy waiver exists, data secrecy is active
-    if ds is None:
-        return False
-
-    # If current time is before the access_end time of the waiver, data secrecy is active
-    return timezone.now() <= ds.access_end
+    # If organization has data-secrecy feature, but prevent_superuser_access is True, prevent superuser access
+    return False
@@ -1,16 +1,35 @@
-from sentry.data_secrecy.models.datasecrecywaiver import DataSecrecyWaiver
-from sentry.data_secrecy.service.model import RpcDataSecrecyWaiver
-from sentry.data_secrecy.service.serial import serialize_data_secrecy_waiver
-from sentry.data_secrecy.service.service import DataSecrecyService
+from django.db import models
+from django.utils import timezone
 
+from sentry.data_secrecy.models.data_access_grant import DataAccessGrant
+from sentry.data_secrecy.service.model import RpcEffectiveGrantStatus
+from sentry.data_secrecy.service.serial import serialize_effective_grant_status
+from sentry.data_secrecy.service.service import DataAccessGrantService
 
-class DatabaseBackedDataSecrecyService(DataSecrecyService):
-    def get_data_secrecy_waiver(self, *, organization_id: int) -> RpcDataSecrecyWaiver | None:
-        try:
-            data_secrecy_waiver = DataSecrecyWaiver.objects.filter(
-                organization_id=organization_id
-            ).get()
-        except DataSecrecyWaiver.DoesNotExist:
+
+class DatabaseBackedDataAccessGrantService(DataAccessGrantService):
+    def get_effective_grant_status(self, *, organization_id: int) -> RpcEffectiveGrantStatus | None:
+        """
+        Get the effective grant status for an organization.
+        """
+        now = timezone.now()
+        active_grants = DataAccessGrant.objects.filter(
+            organization_id=organization_id,
+            grant_start__lte=now,
+            grant_end__gt=now,
+            revocation_date__isnull=True,  # Not revoked
+        )
+
+        if not active_grants.exists():
             return None
 
-        return serialize_data_secrecy_waiver(data_secrecy_waiver=data_secrecy_waiver)
+        # Calculate aggregate grant status - only need the time window for access control
+        min_start = active_grants.aggregate(min_start=models.Min("grant_start"))["min_start"]
+        max_end = active_grants.aggregate(max_end=models.Max("grant_end"))["max_end"]
+
+        grant_status = {
+            "access_start": min_start.isoformat(),
+            "access_end": max_end.isoformat(),
+        }
+
+        return serialize_effective_grant_status(grant_status, organization_id)
@@ -1,13 +1,13 @@
 from datetime import datetime
 
-from django.utils import timezone
-from pydantic import Field
-
 from sentry.hybridcloud.rpc import RpcModel
 
 
-class RpcDataSecrecyWaiver(RpcModel):
-    organization_id: int = -1
-    access_start: datetime = Field(default_factory=timezone.now)
-    access_end: datetime = Field(default_factory=timezone.now)
-    zendesk_tickets: list[str] = Field(default_factory=list)
+class RpcEffectiveGrantStatus(RpcModel):
+    """
+    Simplified model for access control - only contains essential, aggregated grant information.
+    """
+
+    organization_id: int
+    access_start: datetime
+    access_end: datetime
@@ -1,11 +1,18 @@
-from sentry.data_secrecy.models.datasecrecywaiver import DataSecrecyWaiver
-from sentry.data_secrecy.service.model import RpcDataSecrecyWaiver
+from datetime import datetime
+from typing import Any
 
+from sentry.data_secrecy.service.model import RpcEffectiveGrantStatus
 
-def serialize_data_secrecy_waiver(data_secrecy_waiver: DataSecrecyWaiver) -> RpcDataSecrecyWaiver:
-    return RpcDataSecrecyWaiver(
-        organization_id=data_secrecy_waiver.organization.id,
-        access_start=data_secrecy_waiver.access_start,
-        access_end=data_secrecy_waiver.access_end,
-        zendesk_tickets=data_secrecy_waiver.zendesk_tickets,
+
+def serialize_effective_grant_status(
+    grant_status: dict[str, Any], organization_id: int
+) -> RpcEffectiveGrantStatus:
+    """
+    Convert cached grant status to simplified RpcGrantStatus model for access control.
+    """
+
+    return RpcEffectiveGrantStatus(
+        organization_id=organization_id,
+        access_start=datetime.fromisoformat(grant_status["access_start"]),
+        access_end=datetime.fromisoformat(grant_status["access_end"]),
     )
@@ -5,26 +5,25 @@
 
 import abc
 
-from sentry.data_secrecy.service.model import RpcDataSecrecyWaiver
-from sentry.hybridcloud.rpc.resolvers import ByOrganizationId
-from sentry.hybridcloud.rpc.service import RpcService, regional_rpc_method
+from sentry.data_secrecy.service.model import RpcEffectiveGrantStatus
+from sentry.hybridcloud.rpc.service import RpcService, rpc_method
 from sentry.silo.base import SiloMode
 
 
-class DataSecrecyService(RpcService):
-    key = "data_secrecy"
-    local_mode = SiloMode.REGION
+class DataAccessGrantService(RpcService):
+    key = "data_access_grant"
+    local_mode = SiloMode.CONTROL
 
     @classmethod
     def get_local_implementation(cls) -> RpcService:
-        from sentry.data_secrecy.service.impl import DatabaseBackedDataSecrecyService
+        from sentry.data_secrecy.service.impl import DatabaseBackedDataAccessGrantService
 
-        return DatabaseBackedDataSecrecyService()
+        return DatabaseBackedDataAccessGrantService()
 
-    @regional_rpc_method(resolve=ByOrganizationId())
+    @rpc_method
     @abc.abstractmethod
-    def get_data_secrecy_waiver(self, *, organization_id: int) -> RpcDataSecrecyWaiver | None:
+    def get_effective_grant_status(self, *, organization_id: int) -> RpcEffectiveGrantStatus | None:
         pass
 
 
-data_secrecy_service = DataSecrecyService.create_delegation()
+data_access_grant_service = DataAccessGrantService.create_delegation()