diff --git a/go.mod b/go.mod
index dd140d4f54..9438f935a4 100644
--- a/go.mod
+++ b/go.mod
@@ -20,6 +20,7 @@ require (
 	github.com/caos/orbos v1.5.14-0.20210428081839-983ffc569980
 	github.com/cockroachdb/cockroach-go/v2 v2.1.0
 	github.com/duo-labs/webauthn v0.0.0-20200714211715-1daaee874e43
+	github.com/envoyproxy/protoc-gen-validate v0.1.0
 	github.com/ghodss/yaml v1.0.0
 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 	github.com/golang/mock v1.6.0
@@ -72,7 +73,7 @@ require (
 	golang.org/x/tools v0.1.1
 	google.golang.org/api v0.34.0
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20210406143921-e86de6bf7a46 // indirect
+	google.golang.org/genproto v0.0.0-20210406143921-e86de6bf7a46
 	google.golang.org/grpc v1.36.1
 	google.golang.org/protobuf v1.26.0
 	gopkg.in/square/go-jose.v2 v2.6.0
diff --git a/go.sum b/go.sum
index 3467d872f4..36319c4d8e 100644
--- a/go.sum
+++ b/go.sum
@@ -229,6 +229,7 @@ github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymF
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/protoc-gen-validate v0.1.0 h1:EQciDnbrYxy13PgWoY8AqoxGiPrpgBZ1R8UNe3ddc+A=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 h1:Yzb9+7DPaBjB8zlTR87/ElzFsnQfuHnVUVqpZZIcV5Y=
 github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0=
diff --git a/internal/command/user_grant.go b/internal/command/user_grant.go
index 4ecdd4940b..1d28e6a842 100644
--- a/internal/command/user_grant.go
+++ b/internal/command/user_grant.go
@@ -92,7 +92,7 @@ func (c *Commands) changeUserGrant(ctx context.Context, userGrant *domain.UserGr
 	if reflect.DeepEqual(existingUserGrant.RoleKeys, userGrant.RoleKeys) {
 		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-Rs8fy", "Errors.UserGrant.NotChanged")
 	}
-	err = c.checkUserGrantPreCondition(ctx, userGrantWriteModelToUserGrant(existingUserGrant))
+	err = c.checkUserGrantPreCondition(ctx, userGrant)
 	if err != nil {
 		return nil, nil, err
 	}
diff --git a/internal/command/user_grant_model.go b/internal/command/user_grant_model.go
index f20bc24688..e5a8171364 100644
--- a/internal/command/user_grant_model.go
+++ b/internal/command/user_grant_model.go
@@ -117,15 +117,18 @@ func (wm *UserGrantPreConditionReadModel) Reduce() error {
 		case *project.GrantAddedEvent:
 			if wm.ProjectGrantID == e.GrantID {
 				wm.ProjectGrantExists = true
+				wm.ExistingRoleKeys = e.RoleKeys
 			}
-			wm.ExistingRoleKeys = e.RoleKeys
 		case *project.GrantChangedEvent:
-			wm.ExistingRoleKeys = e.RoleKeys
+			if wm.ProjectGrantID == e.GrantID {
+				wm.ProjectGrantExists = true
+				wm.ExistingRoleKeys = e.RoleKeys
+			}
 		case *project.GrantRemovedEvent:
 			if wm.ProjectGrantID == e.GrantID {
 				wm.ProjectGrantExists = false
+				wm.ExistingRoleKeys = []string{}
 			}
-			wm.ExistingRoleKeys = []string{}
 		case *project.RoleAddedEvent:
 			if wm.ProjectGrantID != "" {
 				continue