feat: uniqueness (#1190)

* feat: uniqueness on events * fix: some tests * fix: add unique username * fix: nice error message * fix: add unique test * fix: add unique test * fix: add unique constraint to events * fix: correct unique constraint on user events * fix: remove user constraint * fix: add unique constraints * fix: add unique constraints * fix: add unique constraints * fix: unnique constraints without interface * fix: unique idp config * fix: unique constraint comments * fix: unique constraints in one table * fix: unique constraints error * fix: fix unique constraint on create user * fix: fix unique constraint on create project * fix: fix unique constraint on idp configs
2025-08-12 04:07:31 +00:00 · 2021-01-21 10:49:38 +01:00
parent c2e6e782a8
commit 28bfe72930
62 changed files with 1046 additions and 313 deletions
--- a/internal/v2/command/iam_idp_config.go
+++ b/internal/v2/command/iam_idp_config.go
@@ -9,7 +9,6 @@ import (

 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/v2/repository/iam"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
 )

@@ -110,27 +109,17 @@ func (r *CommandSide) ReactivateDefaultIDPConfig(ctx context.Context, idpID stri
 }

 func (r *CommandSide) RemoveDefaultIDPConfig(ctx context.Context, idpID string) error {
-	_, err := r.pushDefaultIDPWriteModel(ctx, idpID, func(a *iam.Aggregate, _ *IAMIDPConfigWriteModel) *iam.Aggregate {
-		a.Aggregate = *a.PushEvents(iam_repo.NewIDPConfigRemovedEvent(ctx, idpID))
-		return a
-	})
-	return err
-}
-
-func (r *CommandSide) pushDefaultIDPWriteModel(ctx context.Context, idpID string, eventSetter func(*iam.Aggregate, *IAMIDPConfigWriteModel) *iam.Aggregate) (*IAMIDPConfigWriteModel, error) {
-	writeModel := NewIAMIDPConfigWriteModel(idpID)
-	err := r.eventstore.FilterToQueryReducer(ctx, writeModel)
+	existingIDP, err := r.iamIDPConfigWriteModelByID(ctx, idpID)
 	if err != nil {
-		return nil, err
+		return err
 	}
-
-	aggregate := eventSetter(IAMAggregateFromWriteModel(&writeModel.WriteModel), writeModel)
-	err = r.eventstore.PushAggregate(ctx, writeModel, aggregate)
-	if err != nil {
-		return nil, err
+	if existingIDP.State == domain.IDPConfigStateRemoved || existingIDP.State == domain.IDPConfigStateUnspecified {
+		return caos_errs.ThrowNotFound(nil, "IAM-4M0xy", "Errors.IAM.IDPConfig.NotExisting")
 	}
+	iamAgg := IAMAggregateFromWriteModel(&existingIDP.WriteModel)
+	iamAgg.PushEvents(iam_repo.NewIDPConfigRemovedEvent(ctx, existingIDP.ResourceOwner, idpID, existingIDP.Name))

-	return writeModel, nil
+	return r.eventstore.PushAggregate(ctx, existingIDP, iamAgg)
 }

 func (r *CommandSide) iamIDPConfigWriteModelByID(ctx context.Context, idpID string) (policy *IAMIDPConfigWriteModel, err error) {
--- a/internal/v2/command/org.go
+++ b/internal/v2/command/org.go
@@ -122,7 +122,6 @@ func (r *CommandSide) addOrg(ctx context.Context, organisation *domain.Org) (_ *
 	addedOrg := NewOrgWriteModel(organisation.AggregateID)

 	orgAgg := OrgAggregateFromWriteModel(&addedOrg.WriteModel)
-	//TODO: uniqueness org name
 	orgAgg.PushEvents(org.NewOrgAddedEvent(ctx, organisation.Name))
 	for _, orgDomain := range organisation.Domains {
 		if err := r.addOrgDomain(ctx, orgAgg, NewOrgDomainWriteModel(orgAgg.ID(), orgDomain.Domain), orgDomain); err != nil {
--- a/internal/v2/command/org_idp_config.go
+++ b/internal/v2/command/org_idp_config.go
@@ -9,7 +9,6 @@ import (

 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/v2/repository/org"
 	org_repo "github.com/caos/zitadel/internal/v2/repository/org"
 )

@@ -34,6 +33,7 @@ func (r *CommandSide) AddIDPConfig(ctx context.Context, config *domain.IDPConfig
 	orgAgg.PushEvents(
 		org_repo.NewIDPConfigAddedEvent(
 			ctx,
+			orgAgg.ResourceOwner(),
 			idpConfigID,
 			config.Name,
 			config.Type,
@@ -110,27 +110,21 @@ func (r *CommandSide) ReactivateIDPConfig(ctx context.Context, idpID, orgID stri
 }

 func (r *CommandSide) RemoveIDPConfig(ctx context.Context, idpID, orgID string) error {
-	_, err := r.pushIDPWriteModel(ctx, idpID, orgID, func(a *org.Aggregate, _ *OrgIDPConfigWriteModel) *org.Aggregate {
-		a.Aggregate = *a.PushEvents(org_repo.NewIDPConfigRemovedEvent(ctx, idpID))
-		return a
-	})
-	return err
-}
-
-func (r *CommandSide) pushIDPWriteModel(ctx context.Context, idpID, orgID string, eventSetter func(*org.Aggregate, *OrgIDPConfigWriteModel) *org.Aggregate) (*OrgIDPConfigWriteModel, error) {
-	writeModel := NewOrgIDPConfigWriteModel(idpID, orgID)
-	err := r.eventstore.FilterToQueryReducer(ctx, writeModel)
+	existingIDP, err := r.orgIDPConfigWriteModelByID(ctx, idpID, orgID)
 	if err != nil {
-		return nil, err
+		return err
 	}

-	aggregate := eventSetter(OrgAggregateFromWriteModel(&writeModel.WriteModel), writeModel)
-	err = r.eventstore.PushAggregate(ctx, writeModel, aggregate)
-	if err != nil {
-		return nil, err
+	if existingIDP.State == domain.IDPConfigStateRemoved || existingIDP.State == domain.IDPConfigStateUnspecified {
+		return caos_errs.ThrowNotFound(nil, "Org-Yx9vd", "Errors.Org.IDPConfig.NotExisting")
 	}
+	if existingIDP.State != domain.IDPConfigStateInactive {
+		return caos_errs.ThrowPreconditionFailed(nil, "Org-5Mo0d", "Errors.Org.IDPConfig.NotInactive")
+	}
+	orgAgg := OrgAggregateFromWriteModel(&existingIDP.WriteModel)
+	orgAgg.PushEvents(org_repo.NewIDPConfigRemovedEvent(ctx, existingIDP.ResourceOwner, idpID, existingIDP.Name))

-	return writeModel, nil
+	return r.eventstore.PushAggregate(ctx, existingIDP, orgAgg)
 }

 func (r *CommandSide) orgIDPConfigWriteModelByID(ctx context.Context, idpID, orgID string) (policy *OrgIDPConfigWriteModel, err error) {
--- a/internal/v2/command/project.go
+++ b/internal/v2/command/project.go
@@ -29,7 +29,6 @@ func (r *CommandSide) addProject(ctx context.Context, projectAdd *domain.Project
 	if err != nil {
 		return nil, nil, err
 	}
-// TODO: Add uniqueness check
 	addedProject := NewProjectWriteModel(projectAdd.AggregateID, resourceOwner)
 	projectAgg := ProjectAggregateFromWriteModel(&addedProject.WriteModel)

@@ -38,7 +37,7 @@ func (r *CommandSide) addProject(ctx context.Context, projectAdd *domain.Project
 	//	projectRole = domain.RoleProjectOwnerGlobal
 	//}
 	projectAgg.PushEvents(
-		project.NewProjectAddedEvent(ctx, projectAdd.Name),
+		project.NewProjectAddedEvent(ctx, projectAdd.Name, resourceOwner),
 		project.NewMemberAddedEvent(ctx, ownerUserID, projectRole),
 	)
 	return projectAgg, addedProject, nil
--- a/internal/v2/command/setup.go
+++ b/internal/v2/command/setup.go
@@ -88,7 +88,7 @@ func (r *CommandSide) setup(ctx context.Context, step Step, iamAggregateProvider

 	_, err = r.eventstore.PushAggregates(ctx, iamAgg)
 	if err != nil {
-		return caos_errs.ThrowPreconditionFailedf(nil, "EVENT-dbG31", "Setup %s failed", step.Step())
+		return caos_errs.ThrowPreconditionFailedf(nil, "EVENT-dbG31", "Setup %v failed", step.Step())
 	}
 	logging.LogWithFields("SETUP-Sg1t1", "step", step.Step()).Info("setup step done")
 	return nil
--- a/internal/v2/command/user.go
+++ b/internal/v2/command/user.go
@@ -32,9 +32,7 @@ func (r *CommandSide) ChangeUsername(ctx context.Context, orgID, userID, userNam
 		return err
 	}
 	userAgg := UserAggregateFromWriteModel(&existingUser.WriteModel)
-	userAgg.PushEvents(user.NewUsernameChangedEvent(ctx, userName))
-	//TODO: Check Uniqueness
-	//TODO: release old username, set new unique username
+	userAgg.PushEvents(user.NewUsernameChangedEvent(ctx, existingUser.UserName, userName, orgIAMPolicy.UserLoginMustBeDomain))

 	return r.eventstore.PushAggregate(ctx, existingUser, userAgg)
 }
@@ -130,9 +128,12 @@ func (r *CommandSide) RemoveUser(ctx context.Context, userID, resourceOwner stri
 	if existingUser.UserState == domain.UserStateUnspecified || existingUser.UserState == domain.UserStateDeleted {
 		return caos_errs.ThrowNotFound(nil, "COMMAND-5M0od", "Errors.User.NotFound")
 	}
+	orgIAMPolicy, err := r.getOrgIAMPolicy(ctx, existingUser.ResourceOwner)
+	if err != nil {
+		return err
+	}
 	userAgg := UserAggregateFromWriteModel(&existingUser.WriteModel)
-	userAgg.PushEvents(user.NewUserRemovedEvent(ctx))
-	//TODO: release unqie username
+	userAgg.PushEvents(user.NewUserRemovedEvent(ctx, existingUser.ResourceOwner, existingUser.UserName, orgIAMPolicy.UserLoginMustBeDomain))
 	//TODO: remove user grants

 	return r.eventstore.PushAggregate(ctx, existingUser, userAgg)
--- a/internal/v2/command/user_human.go
+++ b/internal/v2/command/user_human.go
@@ -27,6 +27,9 @@ func (r *CommandSide) AddHuman(ctx context.Context, orgID string, human *domain.
 	}
 	err = r.eventstore.PushAggregate(ctx, addedHuman, userAgg)
 	if err != nil {
+		if caos_errs.IsErrorAlreadyExists(err) {
+			return nil, caos_errs.ThrowAlreadyExists(err, "COMMAND-4kSff", "Errors.User.AlreadyExists")
+		}
 		return nil, err
 	}

@@ -47,6 +50,9 @@ func (r *CommandSide) RegisterHuman(ctx context.Context, orgID string, human *do
 	}
 	err = r.eventstore.PushAggregate(ctx, addedHuman, userAgg)
 	if err != nil {
+		if caos_errs.IsErrorAlreadyExists(err) {
+			return nil, caos_errs.ThrowAlreadyExists(err, "COMMAND-4kSff", "Errors.User.AlreadyExists")
+		}
 		return nil, err
 	}

@@ -76,7 +82,6 @@ func (r *CommandSide) createHuman(ctx context.Context, orgID string, human *doma
 	}

 	addedHuman := NewHumanWriteModel(human.AggregateID, orgID)
-	//TODO: Check Unique Username or unique external idp
 	if err := human.CheckOrgIAMPolicy(human.Username, orgIAMPolicy); err != nil {
 		return nil, nil, err
 	}
@@ -88,9 +93,9 @@ func (r *CommandSide) createHuman(ctx context.Context, orgID string, human *doma
 	userAgg := UserAggregateFromWriteModel(&addedHuman.WriteModel)
 	var createEvent eventstore.EventPusher
 	if selfregister {
-		createEvent = createRegisterHumanEvent(ctx, human.Username, human)
+		createEvent = createRegisterHumanEvent(ctx, orgID, human, orgIAMPolicy.UserLoginMustBeDomain)
 	} else {
-		createEvent = createAddHumanEvent(ctx, human.Username, human)
+		createEvent = createAddHumanEvent(ctx, orgID, human, orgIAMPolicy.UserLoginMustBeDomain)
 	}
 	userAgg.PushEvents(createEvent)

@@ -152,10 +157,11 @@ func (r *CommandSide) ResendInitialMail(ctx context.Context, userID, email, reso
 	return r.eventstore.PushAggregate(ctx, existingEmail, userAgg)
 }

-func createAddHumanEvent(ctx context.Context, username string, human *domain.Human) *user.HumanAddedEvent {
+func createAddHumanEvent(ctx context.Context, orgID string, human *domain.Human, userLoginMustBeDomain bool) *user.HumanAddedEvent {
 	addEvent := user.NewHumanAddedEvent(
 		ctx,
-		username,
+		orgID,
+		human.Username,
 		human.FirstName,
 		human.LastName,
 		human.NickName,
@@ -163,6 +169,7 @@ func createAddHumanEvent(ctx context.Context, username string, human *domain.Hum
 		human.PreferredLanguage,
 		human.Gender,
 		human.EmailAddress,
+		userLoginMustBeDomain,
 	)
 	if human.Phone != nil {
 		addEvent.AddPhoneData(human.PhoneNumber)
@@ -181,10 +188,11 @@ func createAddHumanEvent(ctx context.Context, username string, human *domain.Hum
 	return addEvent
 }

-func createRegisterHumanEvent(ctx context.Context, username string, human *domain.Human) *user.HumanRegisteredEvent {
+func createRegisterHumanEvent(ctx context.Context, orgID string, human *domain.Human, userLoginMustBeDomain bool) *user.HumanRegisteredEvent {
 	addEvent := user.NewHumanRegisteredEvent(
 		ctx,
-		username,
+		orgID,
+		human.Username,
 		human.FirstName,
 		human.LastName,
 		human.NickName,
@@ -192,6 +200,7 @@ func createRegisterHumanEvent(ctx context.Context, username string, human *domai
 		human.PreferredLanguage,
 		human.Gender,
 		human.EmailAddress,
+		userLoginMustBeDomain,
 	)
 	if human.Phone != nil {
 		addEvent.AddPhoneData(human.PhoneNumber)
--- a/internal/v2/command/user_human_externalidp.go
+++ b/internal/v2/command/user_human_externalidp.go
@@ -34,8 +34,6 @@ func (r *CommandSide) removeHumanExternalIDP(ctx context.Context, externalIDP *d
 			user.NewHumanExternalIDPCascadeRemovedEvent(ctx, externalIDP.IDPConfigID, externalIDP.ExternalUserID),
 		)
 	}
-
-	//TODO: Release unique externalidp
 	return r.eventstore.PushAggregate(ctx, existingExternalIDP, userAgg)
 }

--- a/internal/v2/command/user_machine.go
+++ b/internal/v2/command/user_machine.go
@@ -16,7 +16,6 @@ func (r *CommandSide) AddMachine(ctx context.Context, orgID string, machine *dom
 	if err != nil {
 		return nil, err
 	}
-	//TODO: Check Unique username
 	machine.AggregateID = userID
 	orgIAMPolicy, err := r.getOrgIAMPolicy(ctx, orgID)
 	if err != nil {
@@ -34,6 +33,7 @@ func (r *CommandSide) AddMachine(ctx context.Context, orgID string, machine *dom
 			machine.Username,
 			machine.Name,
 			machine.Description,
+			orgIAMPolicy.UserLoginMustBeDomain,
 		),
 	)
 	err = r.eventstore.PushAggregate(ctx, addedMachine, userAgg)
--- a/internal/v2/repository/iam/event_iam_project_set.go
+++ b/internal/v2/repository/iam/event_iam_project_set.go
@@ -23,6 +23,10 @@ func (e *ProjectSetEvent) Data() interface{} {
 	return e
 }

+func (e *ProjectSetEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewIAMProjectSetEvent(ctx context.Context, projectID string) *ProjectSetEvent {
 	return &ProjectSetEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
--- a/internal/v2/repository/iam/event_org_set.go
+++ b/internal/v2/repository/iam/event_org_set.go
@@ -23,6 +23,10 @@ func (e *GlobalOrgSetEvent) Data() interface{} {
 	return e
 }

+func (e *GlobalOrgSetEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewGlobalOrgSetEventEvent(ctx context.Context, orgID string) *GlobalOrgSetEvent {
 	return &GlobalOrgSetEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
--- a/internal/v2/repository/iam/events_step.go
+++ b/internal/v2/repository/iam/events_step.go
@@ -26,6 +26,10 @@ func (e *SetupStepEvent) Data() interface{} {
 	return e
 }

+func (e *SetupStepEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func SetupStepMapper(event *repository.Event) (eventstore.EventReader, error) {
 	step := &SetupStepEvent{
 		BaseEvent: *eventstore.BaseEventFromRepo(event),
--- a/internal/v2/repository/iam/idp_config.go
+++ b/internal/v2/repository/iam/idp_config.go
@@ -23,7 +23,7 @@ type IDPConfigAddedEvent struct {

 func NewIDPConfigAddedEvent(
 	ctx context.Context,
-	configID string,
+	configID,
 	name string,
 	configType domain.IDPConfigType,
 	stylingType domain.IDPConfigStylingType,
@@ -31,9 +31,10 @@ func NewIDPConfigAddedEvent(

 	return &IDPConfigAddedEvent{
 		IDPConfigAddedEvent: *idpconfig.NewIDPConfigAddedEvent(
-			eventstore.NewBaseEventForPush(
+			eventstore.NewBaseEventForPushWithResourceOwner(
 				ctx,
 				IDPConfigAddedEventType,
+				domain.IAMID,
 			),
 			configID,
 			name,
@@ -87,16 +88,19 @@ type IDPConfigRemovedEvent struct {

 func NewIDPConfigRemovedEvent(
 	ctx context.Context,
-	configID string,
+	resourceOwner,
+	configID,
+	name string,
 ) *IDPConfigRemovedEvent {
-
 	return &IDPConfigRemovedEvent{
 		IDPConfigRemovedEvent: *idpconfig.NewIDPConfigRemovedEvent(
-			eventstore.NewBaseEventForPush(
+			eventstore.NewBaseEventForPushWithResourceOwner(
 				ctx,
 				IDPConfigRemovedEventType,
+				resourceOwner,
 			),
 			configID,
+			name,
 		),
 	}
 }
--- a/internal/v2/repository/idpconfig/idp_config.go
+++ b/internal/v2/repository/idpconfig/idp_config.go
@@ -9,6 +9,23 @@ import (
 	"github.com/caos/zitadel/internal/v2/domain"
 )

+const (
+	uniqueIDPConfigNameType = "idp_config_names"
+)
+
+func NewAddIDPConfigNameUniqueConstraint(idpConfigName, resourceOwner string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		uniqueIDPConfigNameType,
+		idpConfigName+resourceOwner,
+		"Errors.IDPConfig.AlreadyExists")
+}
+
+func NewRemoveIDPConfigNameUniqueConstraint(idpConfigName, resourceOwner string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		uniqueIDPConfigNameType,
+		idpConfigName+resourceOwner)
+}
+
 type IDPConfigAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

@@ -20,12 +37,11 @@ type IDPConfigAddedEvent struct {

 func NewIDPConfigAddedEvent(
 	base *eventstore.BaseEvent,
-	configID string,
+	configID,
 	name string,
 	configType domain.IDPConfigType,
 	stylingType domain.IDPConfigStylingType,
 ) *IDPConfigAddedEvent {
-
 	return &IDPConfigAddedEvent{
 		BaseEvent:   *base,
 		ConfigID:    configID,
@@ -39,6 +55,10 @@ func (e *IDPConfigAddedEvent) Data() interface{} {
 	return e
 }

+func (e *IDPConfigAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddIDPConfigNameUniqueConstraint(e.Name, e.ResourceOwner())}
+}
+
 func IDPConfigAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
 	e := &IDPConfigAddedEvent{
 		BaseEvent: *eventstore.BaseEventFromRepo(event),
@@ -64,6 +84,10 @@ func (e *IDPConfigChangedEvent) Data() interface{} {
 	return e
 }

+func (e *IDPConfigChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewIDPConfigChangedEvent(
 	base *eventstore.BaseEvent,
 	configID string,
@@ -130,6 +154,10 @@ func (e *IDPConfigDeactivatedEvent) Data() interface{} {
 	return e
 }

+func (e *IDPConfigDeactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func IDPConfigDeactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
 	e := &IDPConfigDeactivatedEvent{
 		BaseEvent: *eventstore.BaseEventFromRepo(event),
@@ -164,6 +192,10 @@ func (e *IDPConfigReactivatedEvent) Data() interface{} {
 	return e
 }

+func (e *IDPConfigReactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func IDPConfigReactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
 	e := &IDPConfigReactivatedEvent{
 		BaseEvent: *eventstore.BaseEventFromRepo(event),
@@ -181,16 +213,19 @@ type IDPConfigRemovedEvent struct {
 	eventstore.BaseEvent `json:"-"`

 	ConfigID string `json:"idpConfigId"`
+	Name     string
 }

 func NewIDPConfigRemovedEvent(
 	base *eventstore.BaseEvent,
 	configID string,
+	name string,
 ) *IDPConfigRemovedEvent {

 	return &IDPConfigRemovedEvent{
 		BaseEvent: *base,
 		ConfigID:  configID,
+		Name:      name,
 	}
 }

@@ -198,6 +233,10 @@ func (e *IDPConfigRemovedEvent) Data() interface{} {
 	return e
 }

+func (e *IDPConfigRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveIDPConfigNameUniqueConstraint(e.Name, e.ResourceOwner())}
+}
+
 func IDPConfigRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
 	e := &IDPConfigRemovedEvent{
 		BaseEvent: *eventstore.BaseEventFromRepo(event),
--- a/internal/v2/repository/idpconfig/oidc_config.go
+++ b/internal/v2/repository/idpconfig/oidc_config.go
@@ -32,6 +32,10 @@ func (e *OIDCConfigAddedEvent) Data() interface{} {
 	return e
 }

+func (e *OIDCConfigAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewOIDCConfigAddedEvent(
 	base *eventstore.BaseEvent,
 	clientID,
@@ -86,6 +90,10 @@ func (e *OIDCConfigChangedEvent) Data() interface{} {
 	return e
 }

+func (e *OIDCConfigChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewOIDCConfigChangedEvent(
 	base *eventstore.BaseEvent,
 	idpConfigID string,
--- a/internal/v2/repository/member/events.go
+++ b/internal/v2/repository/member/events.go
@@ -24,6 +24,10 @@ func (e *MemberAddedEvent) Data() interface{} {
 	return e
 }

+func (e *MemberAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewMemberAddedEvent(
 	base *eventstore.BaseEvent,
 	userID string,
@@ -61,6 +65,10 @@ func (e *MemberChangedEvent) Data() interface{} {
 	return e
 }

+func (e *MemberChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewMemberChangedEvent(
 	base *eventstore.BaseEvent,
 	userID string,
@@ -96,6 +104,10 @@ func (e *MemberRemovedEvent) Data() interface{} {
 	return e
 }

+func (e *MemberRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewRemovedEvent(
 	base *eventstore.BaseEvent,
 	userID string,
--- a/internal/v2/repository/org/domain.go
+++ b/internal/v2/repository/org/domain.go
@@ -31,6 +31,10 @@ func (e *DomainAddedEvent) Data() interface{} {
 	return e
 }

+func (e *DomainAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewDomainAddedEvent(ctx context.Context, domain string) *DomainAddedEvent {
 	return &DomainAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -65,6 +69,10 @@ func (e *DomainVerificationAddedEvent) Data() interface{} {
 	return e
 }

+func (e *DomainVerificationAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewDomainVerificationAddedEvent(
 	ctx context.Context,
 	domain string,
@@ -103,6 +111,10 @@ func (e *DomainVerificationFailedEvent) Data() interface{} {
 	return e
 }

+func (e *DomainVerificationFailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewDomainVerificationFailedEvent(ctx context.Context, domain string) *DomainVerificationFailedEvent {
 	return &DomainVerificationFailedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -135,6 +147,10 @@ func (e *DomainVerifiedEvent) Data() interface{} {
 	return e
 }

+func (e *DomainVerifiedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewDomainVerifiedEvent(ctx context.Context, domain string) *DomainVerifiedEvent {
 	return &DomainVerifiedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -167,6 +183,10 @@ func (e *DomainPrimarySetEvent) Data() interface{} {
 	return e
 }

+func (e *DomainPrimarySetEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewDomainPrimarySetEvent(ctx context.Context, domain string) *DomainPrimarySetEvent {
 	return &DomainPrimarySetEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -199,6 +219,10 @@ func (e *DomainRemovedEvent) Data() interface{} {
 	return e
 }

+func (e *DomainRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewDomainRemovedEvent(ctx context.Context, domain string) *DomainRemovedEvent {
 	return &DomainRemovedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
--- a/internal/v2/repository/org/idp_config.go
+++ b/internal/v2/repository/org/idp_config.go
@@ -22,7 +22,8 @@ type IDPConfigAddedEvent struct {

 func NewIDPConfigAddedEvent(
 	ctx context.Context,
-	configID string,
+	resourceOwner,
+	configID,
 	name string,
 	configType domain.IDPConfigType,
 	stylingType domain.IDPConfigStylingType,
@@ -30,9 +31,10 @@ func NewIDPConfigAddedEvent(

 	return &IDPConfigAddedEvent{
 		IDPConfigAddedEvent: *idpconfig.NewIDPConfigAddedEvent(
-			eventstore.NewBaseEventForPush(
+			eventstore.NewBaseEventForPushWithResourceOwner(
 				ctx,
 				IDPConfigAddedEventType,
+				resourceOwner,
 			),
 			configID,
 			name,
@@ -86,16 +88,20 @@ type IDPConfigRemovedEvent struct {

 func NewIDPConfigRemovedEvent(
 	ctx context.Context,
-	configID string,
+	resourceOwner,
+	configID,
+	name string,
 ) *IDPConfigRemovedEvent {

 	return &IDPConfigRemovedEvent{
 		IDPConfigRemovedEvent: *idpconfig.NewIDPConfigRemovedEvent(
-			eventstore.NewBaseEventForPush(
+			eventstore.NewBaseEventForPushWithResourceOwner(
 				ctx,
 				IDPConfigRemovedEventType,
+				resourceOwner,
 			),
 			configID,
+			name,
 		),
 	}
 }
--- a/internal/v2/repository/org/org.go
+++ b/internal/v2/repository/org/org.go
@@ -10,6 +10,7 @@ import (
 )

 const (
+	uniqueOrgname           = "org_name"
 	OrgAddedEventType       = orgEventTypePrefix + "added"
 	OrgChangedEventType     = orgEventTypePrefix + "changed"
 	OrgDeactivatedEventType = orgEventTypePrefix + "deactivated"
@@ -17,6 +18,25 @@ const (
 	OrgRemovedEventType     = orgEventTypePrefix + "removed"
 )

+type OrgnameUniqueConstraint struct {
+	uniqueType string
+	orgName    string
+	action     eventstore.UniqueConstraintAction
+}
+
+func NewAddOrgnameUniqueConstraint(orgName string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		uniqueOrgname,
+		orgName,
+		"Errors.Org.AlreadyExists")
+}
+
+func NewRemoveUsernameUniqueConstraint(orgName string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		uniqueOrgname,
+		orgName)
+}
+
 type OrgAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

@@ -27,6 +47,10 @@ func (e *OrgAddedEvent) Data() interface{} {
 	return e
 }

+func (e *OrgAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddOrgnameUniqueConstraint(e.Name)}
+}
+
 func NewOrgAddedEvent(ctx context.Context, name string) *OrgAddedEvent {
 	return &OrgAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -59,6 +83,10 @@ func (e *OrgChangedEvent) Data() interface{} {
 	return e
 }

+func (e *OrgChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewOrgChangedEvent(ctx context.Context, name string) *OrgChangedEvent {
 	return &OrgChangedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -89,6 +117,10 @@ func (e *OrgDeactivatedEvent) Data() interface{} {
 	return e
 }

+func (e *OrgDeactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewOrgDeactivatedEvent(ctx context.Context) *OrgDeactivatedEvent {
 	return &OrgDeactivatedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -118,6 +150,10 @@ func (e *OrgReactivatedEvent) Data() interface{} {
 	return e
 }

+func (e *OrgReactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewOrgReactivatedEvent(ctx context.Context) *OrgReactivatedEvent {
 	return &OrgReactivatedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
--- a/internal/v2/repository/policy/label.go
+++ b/internal/v2/repository/policy/label.go
@@ -24,6 +24,10 @@ func (e *LabelPolicyAddedEvent) Data() interface{} {
 	return e
 }

+func (e *LabelPolicyAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewLabelPolicyAddedEvent(
 	base *eventstore.BaseEvent,
 	primaryColor,
@@ -61,6 +65,10 @@ func (e *LabelPolicyChangedEvent) Data() interface{} {
 	return e
 }

+func (e *LabelPolicyChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewLabelPolicyChangedEvent(
 	base *eventstore.BaseEvent,
 	changes []LabelPolicyChanges,
@@ -112,6 +120,10 @@ func (e *LabelPolicyRemovedEvent) Data() interface{} {
 	return nil
 }

+func (e *LabelPolicyRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewLabelPolicyRemovedEvent(base *eventstore.BaseEvent) *LabelPolicyRemovedEvent {
 	return &LabelPolicyRemovedEvent{
 		BaseEvent: *base,
--- a/internal/v2/repository/policy/login.go
+++ b/internal/v2/repository/policy/login.go
@@ -29,6 +29,10 @@ func (e *LoginPolicyAddedEvent) Data() interface{} {
 	return e
 }

+func (e *LoginPolicyAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewLoginPolicyAddedEvent(
 	base *eventstore.BaseEvent,
 	allowUserNamePassword,
@@ -77,6 +81,10 @@ func (e *LoginPolicyChangedEvent) Data() interface{} {
 	return e
 }

+func (e *LoginPolicyChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewLoginPolicyChangedEvent(
 	base *eventstore.BaseEvent,
 	changes []LoginPolicyChanges,
@@ -146,6 +154,10 @@ func (e *LoginPolicyRemovedEvent) Data() interface{} {
 	return nil
 }

+func (e *LoginPolicyRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewLoginPolicyRemovedEvent(base *eventstore.BaseEvent) *LoginPolicyRemovedEvent {
 	return &LoginPolicyRemovedEvent{
 		BaseEvent: *base,
--- a/internal/v2/repository/policy/policy_login_factors.go
+++ b/internal/v2/repository/policy/policy_login_factors.go
@@ -51,6 +51,10 @@ func (e *SecondFactorAddedEvent) Data() interface{} {
 	return e
 }

+func (e *SecondFactorAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 type SecondFactorRemovedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 	MFAType              domain.SecondFactorType `json:"mfaType"`
@@ -83,6 +87,10 @@ func (e *SecondFactorRemovedEvent) Data() interface{} {
 	return e
 }

+func (e *SecondFactorRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 type MultiFactorAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

@@ -116,6 +124,10 @@ func (e *MultiFactorAddedEvent) Data() interface{} {
 	return e
 }

+func (e *MultiFactorAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 type MultiFactorRemovedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 	MFAType              domain.MultiFactorType `json:"mfaType"`
@@ -147,3 +159,7 @@ func MultiFactorRemovedEventMapper(event *repository.Event) (eventstore.EventRea
 func (e *MultiFactorRemovedEvent) Data() interface{} {
 	return e
 }
+
+func (e *MultiFactorRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
--- a/internal/v2/repository/policy/policy_login_identity_provider.go
+++ b/internal/v2/repository/policy/policy_login_identity_provider.go
@@ -25,6 +25,10 @@ func (e *IdentityProviderAddedEvent) Data() interface{} {
 	return e
 }

+func (e *IdentityProviderAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewIdentityProviderAddedEvent(
 	base *eventstore.BaseEvent,
 	idpConfigID string,
@@ -61,6 +65,10 @@ func (e *IdentityProviderRemovedEvent) Data() interface{} {
 	return e
 }

+func (e *IdentityProviderRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewIdentityProviderRemovedEvent(
 	base *eventstore.BaseEvent,
 	idpConfigID string,
--- a/internal/v2/repository/policy/policy_org_iam.go
+++ b/internal/v2/repository/policy/policy_org_iam.go
@@ -24,6 +24,10 @@ func (e *OrgIAMPolicyAddedEvent) Data() interface{} {
 	return e
 }

+func (e *OrgIAMPolicyAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewOrgIAMPolicyAddedEvent(
 	base *eventstore.BaseEvent,
 	userLoginMustBeDomain bool,
@@ -58,6 +62,10 @@ func (e *OrgIAMPolicyChangedEvent) Data() interface{} {
 	return e
 }

+func (e *OrgIAMPolicyChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewOrgIAMPolicyChangedEvent(
 	base *eventstore.BaseEvent,
 	changes []OrgIAMPolicyChanges,
@@ -103,6 +111,10 @@ func (e *OrgIAMPolicyRemovedEvent) Data() interface{} {
 	return nil
 }

+func (e *OrgIAMPolicyRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewOrgIAMPolicyRemovedEvent(base *eventstore.BaseEvent) *OrgIAMPolicyRemovedEvent {
 	return &OrgIAMPolicyRemovedEvent{
 		BaseEvent: *base,
--- a/internal/v2/repository/policy/policy_password_age.go
+++ b/internal/v2/repository/policy/policy_password_age.go
@@ -24,6 +24,10 @@ func (e *PasswordAgePolicyAddedEvent) Data() interface{} {
 	return e
 }

+func (e *PasswordAgePolicyAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewPasswordAgePolicyAddedEvent(
 	base *eventstore.BaseEvent,
 	expireWarnDays,
@@ -61,6 +65,10 @@ func (e *PasswordAgePolicyChangedEvent) Data() interface{} {
 	return e
 }

+func (e *PasswordAgePolicyChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewPasswordAgePolicyChangedEvent(
 	base *eventstore.BaseEvent,
 	changes []PasswordAgePolicyChanges,
@@ -112,6 +120,10 @@ func (e *PasswordAgePolicyRemovedEvent) Data() interface{} {
 	return nil
 }

+func (e *PasswordAgePolicyRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewPasswordAgePolicyRemovedEvent(base *eventstore.BaseEvent) *PasswordAgePolicyRemovedEvent {
 	return &PasswordAgePolicyRemovedEvent{
 		BaseEvent: *base,
--- a/internal/v2/repository/policy/policy_password_complexity.go
+++ b/internal/v2/repository/policy/policy_password_complexity.go
@@ -28,6 +28,10 @@ func (e *PasswordComplexityPolicyAddedEvent) Data() interface{} {
 	return e
 }

+func (e *PasswordComplexityPolicyAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewPasswordComplexityPolicyAddedEvent(
 	base *eventstore.BaseEvent,
 	minLength uint64,
@@ -73,6 +77,10 @@ func (e *PasswordComplexityPolicyChangedEvent) Data() interface{} {
 	return e
 }

+func (e *PasswordComplexityPolicyChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewPasswordComplexityPolicyChangedEvent(
 	base *eventstore.BaseEvent,
 	changes []PasswordComplexityPolicyChanges,
@@ -142,6 +150,10 @@ func (e *PasswordComplexityPolicyRemovedEvent) Data() interface{} {
 	return nil
 }

+func (e *PasswordComplexityPolicyRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewPasswordComplexityPolicyRemovedEvent(base *eventstore.BaseEvent) *PasswordComplexityPolicyRemovedEvent {
 	return &PasswordComplexityPolicyRemovedEvent{
 		BaseEvent: *base,
--- a/internal/v2/repository/policy/policy_password_lockout.go
+++ b/internal/v2/repository/policy/policy_password_lockout.go
@@ -25,6 +25,10 @@ func (e *PasswordLockoutPolicyAddedEvent) Data() interface{} {
 	return e
 }

+func (e *PasswordLockoutPolicyAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewPasswordLockoutPolicyAddedEvent(
 	base *eventstore.BaseEvent,
 	maxAttempts uint64,
@@ -62,6 +66,10 @@ func (e *PasswordLockoutPolicyChangedEvent) Data() interface{} {
 	return e
 }

+func (e *PasswordLockoutPolicyChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewPasswordLockoutPolicyChangedEvent(
 	base *eventstore.BaseEvent,
 	changes []PasswordLockoutPolicyChanges,
@@ -113,6 +121,10 @@ func (e *PasswordLockoutPolicyRemovedEvent) Data() interface{} {
 	return nil
 }

+func (e *PasswordLockoutPolicyRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewPasswordLockoutPolicyRemovedEvent(base *eventstore.BaseEvent) *PasswordLockoutPolicyRemovedEvent {
 	return &PasswordLockoutPolicyRemovedEvent{
 		BaseEvent: *base,
--- a/internal/v2/repository/project/application.go
+++ b/internal/v2/repository/project/application.go
@@ -31,6 +31,10 @@ func (e *ApplicationAddedEvent) Data() interface{} {
 	return e
 }

+func (e *ApplicationAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewApplicationAddedEvent(ctx context.Context, appID, name string, appType domain.AppType) *ApplicationAddedEvent {
 	return &ApplicationAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
--- a/internal/v2/repository/project/oidc_config.go
+++ b/internal/v2/repository/project/oidc_config.go
@@ -45,6 +45,10 @@ func (e *OIDCConfigAddedEvent) Data() interface{} {
 	return e
 }

+func (e *OIDCConfigAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewOIDCConfigAddedEvent(
 	ctx context.Context,
 	version domain.OIDCVersion,
--- a/internal/v2/repository/project/project.go
+++ b/internal/v2/repository/project/project.go
@@ -10,6 +10,7 @@ import (
 )

 const (
+	uniqueProjectnameTable = "project_names"
 	projectEventTypePrefix = eventstore.EventType("project.")
 	ProjectAdded           = projectEventTypePrefix + "added"
 	ProjectChanged         = projectEventTypePrefix + "changed"
@@ -18,6 +19,19 @@ const (
 	ProjectRemoved         = projectEventTypePrefix + "removed"
 )

+func NewAddProjectNameUniqueConstraint(projectName, resourceOwner string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		uniqueProjectnameTable,
+		projectName+resourceOwner,
+		"Errors.Project.AlreadyExists")
+}
+
+func NewRemoveProjectNameUniqueConstraint(projectName, resourceOwner string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		uniqueProjectnameTable,
+		projectName+resourceOwner)
+}
+
 type ProjectAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

@@ -30,11 +44,16 @@ func (e *ProjectAddedEvent) Data() interface{} {
 	return e
 }

-func NewProjectAddedEvent(ctx context.Context, name string) *ProjectAddedEvent {
+func (e *ProjectAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddProjectNameUniqueConstraint(e.Name, e.ResourceOwner())}
+}
+
+func NewProjectAddedEvent(ctx context.Context, name, resourceOwner string) *ProjectAddedEvent {
 	return &ProjectAddedEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
+		BaseEvent: *eventstore.NewBaseEventForPushWithResourceOwner(
 			ctx,
 			ProjectAdded,
+			resourceOwner,
 		),
 		Name: name,
 	}
--- a/internal/v2/repository/user/human.go
+++ b/internal/v2/repository/user/human.go
@@ -26,7 +26,8 @@ const (
 type HumanAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	UserName string `json:"userName"`
+	UserName              string `json:"userName"`
+	userLoginMustBeDomain bool

 	FirstName         string        `json:"firstName,omitempty"`
 	LastName          string        `json:"lastName,omitempty"`
@@ -53,6 +54,10 @@ func (e *HumanAddedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddUsernameUniqueConstraint(e.UserName, e.ResourceOwner(), e.userLoginMustBeDomain)}
+}
+
 func (e *HumanAddedEvent) AddAddressData(
 	country,
 	locality,
@@ -83,6 +88,7 @@ func (e *HumanAddedEvent) AddPasswordData(

 func NewHumanAddedEvent(
 	ctx context.Context,
+	resourceOwner,
 	userName,
 	firstName,
 	lastName,
@@ -91,20 +97,23 @@ func NewHumanAddedEvent(
 	preferredLanguage language.Tag,
 	gender domain.Gender,
 	emailAddress string,
+	userLoginMustBeDomain bool,
 ) *HumanAddedEvent {
 	return &HumanAddedEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
+		BaseEvent: *eventstore.NewBaseEventForPushWithResourceOwner(
 			ctx,
 			HumanAddedType,
+			resourceOwner,
 		),
-		UserName:          userName,
-		FirstName:         firstName,
-		LastName:          lastName,
-		NickName:          nickName,
-		DisplayName:       displayName,
-		PreferredLanguage: preferredLanguage,
-		Gender:            gender,
-		EmailAddress:      emailAddress,
+		UserName:              userName,
+		FirstName:             firstName,
+		LastName:              lastName,
+		NickName:              nickName,
+		DisplayName:           displayName,
+		PreferredLanguage:     preferredLanguage,
+		Gender:                gender,
+		EmailAddress:          emailAddress,
+		userLoginMustBeDomain: userLoginMustBeDomain,
 	}
 }

@@ -123,7 +132,8 @@ func HumanAddedEventMapper(event *repository.Event) (eventstore.EventReader, err
 type HumanRegisteredEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	UserName string `json:"userName"`
+	UserName              string `json:"userName"`
+	userLoginMustBeDomain bool

 	FirstName         string        `json:"firstName,omitempty"`
 	LastName          string        `json:"lastName,omitempty"`
@@ -150,6 +160,10 @@ func (e *HumanRegisteredEvent) Data() interface{} {
 	return e
 }

+func (e *HumanRegisteredEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddUsernameUniqueConstraint(e.UserName, e.ResourceOwner(), e.userLoginMustBeDomain)}
+}
+
 func (e *HumanRegisteredEvent) AddAddressData(
 	country,
 	locality,
@@ -180,6 +194,7 @@ func (e *HumanRegisteredEvent) AddPasswordData(

 func NewHumanRegisteredEvent(
 	ctx context.Context,
+	resourceOwner,
 	userName,
 	firstName,
 	lastName,
@@ -188,20 +203,23 @@ func NewHumanRegisteredEvent(
 	preferredLanguage language.Tag,
 	gender domain.Gender,
 	emailAddress string,
+	userLoginMustBeDomain bool,
 ) *HumanRegisteredEvent {
 	return &HumanRegisteredEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
+		BaseEvent: *eventstore.NewBaseEventForPushWithResourceOwner(
 			ctx,
 			HumanRegisteredType,
+			resourceOwner,
 		),
-		UserName:          userName,
-		FirstName:         firstName,
-		LastName:          lastName,
-		NickName:          nickName,
-		DisplayName:       displayName,
-		PreferredLanguage: preferredLanguage,
-		Gender:            gender,
-		EmailAddress:      emailAddress,
+		UserName:              userName,
+		FirstName:             firstName,
+		LastName:              lastName,
+		NickName:              nickName,
+		DisplayName:           displayName,
+		PreferredLanguage:     preferredLanguage,
+		Gender:                gender,
+		EmailAddress:          emailAddress,
+		userLoginMustBeDomain: userLoginMustBeDomain,
 	}
 }

@@ -227,6 +245,10 @@ func (e *HumanInitialCodeAddedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanInitialCodeAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanInitialCodeAddedEvent(
 	ctx context.Context,
 	code *crypto.CryptoValue,
@@ -262,6 +284,10 @@ func (e *HumanInitialCodeSentEvent) Data() interface{} {
 	return nil
 }

+func (e *HumanInitialCodeSentEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanInitialCodeSentEvent(ctx context.Context) *HumanInitialCodeSentEvent {
 	return &HumanInitialCodeSentEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -285,6 +311,10 @@ func (e *HumanInitializedCheckSucceededEvent) Data() interface{} {
 	return nil
 }

+func (e *HumanInitializedCheckSucceededEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanInitializedCheckSucceededEvent(ctx context.Context) *HumanInitializedCheckSucceededEvent {
 	return &HumanInitializedCheckSucceededEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -308,6 +338,10 @@ func (e *HumanInitializedCheckFailedEvent) Data() interface{} {
 	return nil
 }

+func (e *HumanInitializedCheckFailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanInitializedCheckFailedEvent(ctx context.Context) *HumanInitializedCheckFailedEvent {
 	return &HumanInitializedCheckFailedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -331,6 +365,10 @@ func (e *HumanSignedOutEvent) Data() interface{} {
 	return nil
 }

+func (e *HumanSignedOutEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanSignedOutEvent(ctx context.Context) *HumanSignedOutEvent {
 	return &HumanSignedOutEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
--- a/internal/v2/repository/user/human_address.go
+++ b/internal/v2/repository/user/human_address.go
@@ -27,6 +27,10 @@ func (e *HumanAddressChangedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanAddressChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanAddressChangedEvent(ctx context.Context) *HumanAddressChangedEvent {
 	return &HumanAddressChangedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
--- a/internal/v2/repository/user/human_email.go
+++ b/internal/v2/repository/user/human_email.go
@@ -29,6 +29,10 @@ func (e *HumanEmailChangedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanEmailChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanEmailChangedEvent(ctx context.Context) *HumanEmailChangedEvent {
 	return &HumanEmailChangedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -60,6 +64,10 @@ func (e *HumanEmailVerifiedEvent) Data() interface{} {
 	return nil
 }

+func (e *HumanEmailVerifiedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanEmailVerifiedEvent(ctx context.Context) *HumanEmailVerifiedEvent {
 	return &HumanEmailVerifiedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -85,6 +93,10 @@ func (e *HumanEmailVerificationFailedEvent) Data() interface{} {
 	return nil
 }

+func (e *HumanEmailVerificationFailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanEmailVerificationFailedEvent(ctx context.Context) *HumanEmailVerificationFailedEvent {
 	return &HumanEmailVerificationFailedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -111,6 +123,10 @@ func (e *HumanEmailCodeAddedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanEmailCodeAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanEmailCodeAddedEvent(
 	ctx context.Context,
 	code *crypto.CryptoValue,
@@ -145,6 +161,10 @@ func (e *HumanEmailCodeSentEvent) Data() interface{} {
 	return nil
 }

+func (e *HumanEmailCodeSentEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanEmailCodeSentEvent(ctx context.Context) *HumanEmailCodeSentEvent {
 	return &HumanEmailCodeSentEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
--- a/internal/v2/repository/user/human_external_idp.go
+++ b/internal/v2/repository/user/human_external_idp.go
@@ -9,6 +9,7 @@ import (
 )

 const (
+	uniqueExternalIDPType    = "external_idps"
 	externalIDPEventPrefix   = humanEventPrefix + "externalidp."
 	externalLoginEventPrefix = humanEventPrefix + "externallogin."

@@ -23,38 +24,17 @@ const (
 	HumanExternalLoginCheckSucceededType = externalLoginEventPrefix + "check.succeeded"
 )

-type HumanExternalIDPReservedEvent struct {
-	eventstore.BaseEvent `json:"-"`
+func NewAddExternalIDPUniqueConstraint(idpConfigID, externalUserID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		uniqueExternalIDPType,
+		idpConfigID+externalUserID,
+		"Errors.User.ExternalIDP.AlreadyExists")
 }

-func (e *HumanExternalIDPReservedEvent) Data() interface{} {
-	return nil
-}
-
-func NewHumanExternalIDPReservedEvent(ctx context.Context) *HumanExternalIDPReservedEvent {
-	return &HumanExternalIDPReservedEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
-			ctx,
-			HumanExternalIDPReservedType,
-		),
-	}
-}
-
-type HumanExternalIDPReleasedEvent struct {
-	eventstore.BaseEvent `json:"-"`
-}
-
-func (e *HumanExternalIDPReleasedEvent) Data() interface{} {
-	return nil
-}
-
-func NewHumanExternalIDPReleasedEvent(ctx context.Context) *HumanExternalIDPReleasedEvent {
-	return &HumanExternalIDPReleasedEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
-			ctx,
-			HumanExternalIDPReleasedType,
-		),
-	}
+func NewRemoveExternalIDPUniqueConstraint(idpConfigID, externalUserID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		uniqueExternalIDPType,
+		idpConfigID+externalUserID)
 }

 type HumanExternalIDPAddedEvent struct {
@@ -69,6 +49,10 @@ func (e *HumanExternalIDPAddedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanExternalIDPAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddExternalIDPUniqueConstraint(e.IDPConfigID, e.UserID)}
+}
+
 func NewHumanExternalIDPAddedEvent(ctx context.Context, idpConfigID, displayName string) *HumanExternalIDPAddedEvent {
 	return &HumanExternalIDPAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -104,6 +88,10 @@ func (e *HumanExternalIDPRemovedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanExternalIDPRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveExternalIDPUniqueConstraint(e.IDPConfigID, e.UserID)}
+}
+
 func NewHumanExternalIDPRemovedEvent(ctx context.Context, idpConfigID, externalUserID string) *HumanExternalIDPRemovedEvent {
 	return &HumanExternalIDPRemovedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -139,6 +127,10 @@ func (e *HumanExternalIDPCascadeRemovedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanExternalIDPCascadeRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveExternalIDPUniqueConstraint(e.IDPConfigID, e.UserID)}
+}
+
 func NewHumanExternalIDPCascadeRemovedEvent(ctx context.Context, idpConfigID, externalUserID string) *HumanExternalIDPCascadeRemovedEvent {
 	return &HumanExternalIDPCascadeRemovedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -171,6 +163,10 @@ func (e *HumanExternalIDPCheckSucceededEvent) Data() interface{} {
 	return nil
 }

+func (e *HumanExternalIDPCheckSucceededEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanExternalIDPCheckSucceededEvent(ctx context.Context) *HumanExternalIDPCheckSucceededEvent {
 	return &HumanExternalIDPCheckSucceededEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
--- a/internal/v2/repository/user/human_mfa_events.go
+++ b/internal/v2/repository/user/human_mfa_events.go
@@ -19,6 +19,10 @@ func (e *HumanMFAInitSkippedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanMFAInitSkippedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanMFAInitSkippedEvent(ctx context.Context) *HumanMFAInitSkippedEvent {
 	return &HumanMFAInitSkippedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
--- a/internal/v2/repository/user/human_mfa_otp.go
+++ b/internal/v2/repository/user/human_mfa_otp.go
@@ -28,6 +28,10 @@ func (e *HumanOTPAddedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanOTPAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanOTPAddedEvent(ctx context.Context,
 	secret *crypto.CryptoValue) *HumanOTPAddedEvent {
 	return &HumanOTPAddedEvent{
@@ -59,6 +63,10 @@ func (e *HumanOTPVerifiedEvent) Data() interface{} {
 	return nil
 }

+func (e *HumanOTPVerifiedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanOTPVerifiedEvent(ctx context.Context, userAgentID string) *HumanOTPVerifiedEvent {
 	return &HumanOTPVerifiedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -83,6 +91,10 @@ func (e *HumanOTPRemovedEvent) Data() interface{} {
 	return nil
 }

+func (e *HumanOTPRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanOTPRemovedEvent(ctx context.Context) *HumanOTPRemovedEvent {
 	return &HumanOTPRemovedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -106,6 +118,10 @@ func (e *HumanOTPCheckSucceededEvent) Data() interface{} {
 	return nil
 }

+func (e *HumanOTPCheckSucceededEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanOTPCheckSucceededEvent(ctx context.Context) *HumanOTPCheckSucceededEvent {
 	return &HumanOTPCheckSucceededEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -129,6 +145,10 @@ func (e *HumanOTPCheckFailedEvent) Data() interface{} {
 	return nil
 }

+func (e *HumanOTPCheckFailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanOTPCheckFailedEvent(ctx context.Context) *HumanOTPCheckFailedEvent {
 	return &HumanOTPCheckFailedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
--- a/internal/v2/repository/user/human_mfa_web_auth_n.go
+++ b/internal/v2/repository/user/human_mfa_web_auth_n.go
@@ -40,6 +40,10 @@ func (e *HumanWebAuthNAddedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanWebAuthNAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanU2FAddedEvent(
 	ctx context.Context,
 	webAuthNTokenID,
@@ -97,6 +101,10 @@ func (e *HumanWebAuthNVerifiedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanWebAuthNVerifiedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanU2FVerifiedEvent(
 	ctx context.Context,
 	webAuthNTokenID,
@@ -169,6 +177,10 @@ func (e *HumanWebAuthNSignCountChangedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanWebAuthNSignCountChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanU2FSignCountChangedEvent(
 	ctx context.Context,
 	webAuthNTokenID string,
@@ -221,6 +233,10 @@ func (e *HumanWebAuthNRemovedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanWebAuthNRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanU2FRemovedEvent(
 	ctx context.Context,
 	webAuthNTokenID string,
@@ -271,6 +287,10 @@ func (e *HumanWebAuthNBeginLoginEvent) Data() interface{} {
 	return e
 }

+func (e *HumanWebAuthNBeginLoginEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanU2FBeginLoginEvent(
 	ctx context.Context,
 	webAuthNTokenID,
@@ -323,6 +343,10 @@ func (e *HumanWebAuthNCheckSucceededEvent) Data() interface{} {
 	return e
 }

+func (e *HumanWebAuthNCheckSucceededEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanU2FCheckSucceededEvent(ctx context.Context) *HumanWebAuthNCheckSucceededEvent {
 	return &HumanWebAuthNCheckSucceededEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -363,6 +387,10 @@ func (e *HumanWebAuthNCheckFailedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanWebAuthNCheckFailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanU2FCheckFailedEvent(ctx context.Context) *HumanWebAuthNCheckFailedEvent {
 	return &HumanWebAuthNCheckFailedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
--- a/internal/v2/repository/user/human_password.go
+++ b/internal/v2/repository/user/human_password.go
@@ -32,6 +32,10 @@ func (e *HumanPasswordChangedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanPasswordChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanPasswordChangedEvent(
 	ctx context.Context,
 	secret *crypto.CryptoValue,
@@ -73,6 +77,10 @@ func (e *HumanPasswordCodeAddedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanPasswordCodeAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanPasswordCodeAddedEvent(
 	ctx context.Context,
 	code *crypto.CryptoValue,
@@ -110,6 +118,10 @@ func (e *HumanPasswordCodeSentEvent) Data() interface{} {
 	return nil
 }

+func (e *HumanPasswordCodeSentEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanPasswordCodeSentEvent(ctx context.Context) *HumanPasswordCodeSentEvent {
 	return &HumanPasswordCodeSentEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -133,6 +145,10 @@ func (e *HumanPasswordCheckSucceededEvent) Data() interface{} {
 	return nil
 }

+func (e *HumanPasswordCheckSucceededEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanPasswordCheckSucceededEvent(ctx context.Context) *HumanPasswordCheckSucceededEvent {
 	return &HumanPasswordCheckSucceededEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -156,6 +172,10 @@ func (e *HumanPasswordCheckFailedEvent) Data() interface{} {
 	return nil
 }

+func (e *HumanPasswordCheckFailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanPasswordCheckFailedEvent(ctx context.Context) *HumanPasswordCheckFailedEvent {
 	return &HumanPasswordCheckFailedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
--- a/internal/v2/repository/user/human_phone.go
+++ b/internal/v2/repository/user/human_phone.go
@@ -30,6 +30,10 @@ func (e *HumanPhoneChangedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanPhoneChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanPhoneChangedEvent(ctx context.Context) *HumanPhoneChangedEvent {
 	return &HumanPhoneChangedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -59,6 +63,10 @@ func (e *HumanPhoneRemovedEvent) Data() interface{} {
 	return nil
 }

+func (e *HumanPhoneRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanPhoneRemovedEvent(ctx context.Context) *HumanPhoneRemovedEvent {
 	return &HumanPhoneRemovedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -84,6 +92,10 @@ func (e *HumanPhoneVerifiedEvent) Data() interface{} {
 	return nil
 }

+func (e *HumanPhoneVerifiedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanPhoneVerifiedEvent(ctx context.Context) *HumanPhoneVerifiedEvent {
 	return &HumanPhoneVerifiedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -108,6 +120,10 @@ func (e *HumanPhoneVerificationFailedEvent) Data() interface{} {
 	return nil
 }

+func (e *HumanPhoneVerificationFailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanPhoneVerificationFailedEvent(ctx context.Context) *HumanPhoneVerificationFailedEvent {
 	return &HumanPhoneVerificationFailedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -134,6 +150,10 @@ func (e *HumanPhoneCodeAddedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanPhoneCodeAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanPhoneCodeAddedEvent(
 	ctx context.Context,
 	code *crypto.CryptoValue,
@@ -169,6 +189,10 @@ func (e *HumanPhoneCodeSentEvent) Data() interface{} {
 	return e
 }

+func (e *HumanPhoneCodeSentEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanPhoneCodeSentEvent(ctx context.Context) *HumanPhoneCodeSentEvent {
 	return &HumanPhoneCodeSentEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
--- a/internal/v2/repository/user/human_profile.go
+++ b/internal/v2/repository/user/human_profile.go
@@ -30,6 +30,10 @@ func (e *HumanProfileChangedEvent) Data() interface{} {
 	return e
 }

+func (e *HumanProfileChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewHumanProfileChangedEvent(
 	ctx context.Context) *HumanProfileChangedEvent {
 	return &HumanProfileChangedEvent{
--- a/internal/v2/repository/user/machine.go
+++ b/internal/v2/repository/user/machine.go
@@ -17,7 +17,8 @@ const (
 type MachineAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	UserName string `json:"userName"`
+	UserName              string `json:"userName"`
+	UserLoginMustBeDomain bool

 	Name        string `json:"name,omitempty"`
 	Description string `json:"description,omitempty"`
@@ -27,20 +28,26 @@ func (e *MachineAddedEvent) Data() interface{} {
 	return e
 }

+func (e *MachineAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddUsernameUniqueConstraint(e.UserName, e.ResourceOwner(), e.UserLoginMustBeDomain)}
+}
+
 func NewMachineAddedEvent(
 	ctx context.Context,
 	userName,
 	name,
 	description string,
+	userLoginMustBeDomain bool,
 ) *MachineAddedEvent {
 	return &MachineAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
 			ctx,
 			MachineAddedEventType,
 		),
-		UserName:    userName,
-		Name:        name,
-		Description: description,
+		UserName:              userName,
+		Name:                  name,
+		Description:           description,
+		UserLoginMustBeDomain: userLoginMustBeDomain,
 	}
 }

@@ -69,6 +76,10 @@ func (e *MachineChangedEvent) Data() interface{} {
 	return e
 }

+func (e *MachineChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewMachineChangedEvent(
 	ctx context.Context,
 ) *MachineChangedEvent {
--- a/internal/v2/repository/user/machine_key.go
+++ b/internal/v2/repository/user/machine_key.go
@@ -29,6 +29,10 @@ func (e *MachineKeyAddedEvent) Data() interface{} {
 	return e
 }

+func (e *MachineKeyAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewMachineKeyAddedEvent(
 	ctx context.Context,
 	keyID string,
@@ -70,6 +74,10 @@ func (e *MachineKeyRemovedEvent) Data() interface{} {
 	return e
 }

+func (e *MachineKeyRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewMachineKeyRemovedEvent(
 	ctx context.Context,
 	keyID string,
--- a/internal/v2/repository/user/user.go
+++ b/internal/v2/repository/user/user.go
@@ -10,6 +10,7 @@ import (
 )

 const (
+	uniqueUsername            = "usernames"
 	userEventTypePrefix       = eventstore.EventType("user.")
 	UserLockedType            = userEventTypePrefix + "locked"
 	UserUnlockedType          = userEventTypePrefix + "unlocked"
@@ -22,6 +23,27 @@ const (
 	UserUserNameChangedType   = userEventTypePrefix + "username.changed"
 )

+func NewAddUsernameUniqueConstraint(userName, resourceOwner string, userLoginMustBeDomain bool) *eventstore.EventUniqueConstraint {
+	uniqueUserName := userName
+	if userLoginMustBeDomain {
+		uniqueUserName = userName + resourceOwner
+	}
+	return eventstore.NewAddEventUniqueConstraint(
+		uniqueUsername,
+		uniqueUserName,
+		"Errors.User.AlreadyExists")
+}
+
+func NewRemoveUsernameUniqueConstraint(userName, resourceOwner string, userLoginMustBeDomain bool) *eventstore.EventUniqueConstraint {
+	uniqueUserName := userName
+	if userLoginMustBeDomain {
+		uniqueUserName = userName + resourceOwner
+	}
+	return eventstore.NewRemoveEventUniqueConstraint(
+		uniqueUsername,
+		uniqueUserName)
+}
+
 type UserLockedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 }
@@ -30,6 +52,10 @@ func (e *UserLockedEvent) Data() interface{} {
 	return nil
 }

+func (e *UserLockedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewUserLockedEvent(ctx context.Context) *UserLockedEvent {
 	return &UserLockedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -53,6 +79,10 @@ func (e *UserUnlockedEvent) Data() interface{} {
 	return nil
 }

+func (e *UserUnlockedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewUserUnlockedEvent(ctx context.Context) *UserUnlockedEvent {
 	return &UserUnlockedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -76,6 +106,10 @@ func (e *UserDeactivatedEvent) Data() interface{} {
 	return nil
 }

+func (e *UserDeactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewUserDeactivatedEvent(ctx context.Context) *UserDeactivatedEvent {
 	return &UserDeactivatedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -99,6 +133,10 @@ func (e *UserReactivatedEvent) Data() interface{} {
 	return nil
 }

+func (e *UserReactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewUserReactivatedEvent(ctx context.Context) *UserReactivatedEvent {
 	return &UserReactivatedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -116,18 +154,28 @@ func UserReactivatedEventMapper(event *repository.Event) (eventstore.EventReader

 type UserRemovedEvent struct {
 	eventstore.BaseEvent `json:"-"`
+
+	UserName              string
+	UserLoginMustBeDomain bool
 }

 func (e *UserRemovedEvent) Data() interface{} {
 	return nil
 }

-func NewUserRemovedEvent(ctx context.Context) *UserRemovedEvent {
+func (e *UserRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveUsernameUniqueConstraint(e.UserName, e.ResourceOwner(), e.UserLoginMustBeDomain)}
+}
+
+func NewUserRemovedEvent(ctx context.Context, resourceOwner, userName string, userLoginMustBeDomain bool) *UserRemovedEvent {
 	return &UserRemovedEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
+		BaseEvent: *eventstore.NewBaseEventForPushWithResourceOwner(
 			ctx,
 			UserRemovedType,
+			resourceOwner,
 		),
+		UserName:              userName,
+		UserLoginMustBeDomain: userLoginMustBeDomain,
 	}
 }

@@ -153,6 +201,10 @@ func (e *UserTokenAddedEvent) Data() interface{} {
 	return e
 }

+func (e *UserTokenAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewUserTokenAddedEvent(
 	ctx context.Context,
 	tokenID,
@@ -168,12 +220,13 @@ func NewUserTokenAddedEvent(
 			ctx,
 			UserTokenAddedType,
 		),
-		TokenID:       tokenID,
-		ApplicationID: applicationID,
-		UserAgentID:   userAgentID,
-		Audience:      audience,
-		Scopes:        scopes,
-		Expiration:    expiration,
+		TokenID:           tokenID,
+		ApplicationID:     applicationID,
+		UserAgentID:       userAgentID,
+		Audience:          audience,
+		Scopes:            scopes,
+		Expiration:        expiration,
+		PreferredLanguage: preferredLanguage,
 	}
 }

@@ -199,6 +252,10 @@ func (e *DomainClaimedEvent) Data() interface{} {
 	return e
 }

+func (e *DomainClaimedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewDomainClaimedEvent(
 	ctx context.Context,
 	userName string,
@@ -232,6 +289,10 @@ func (e *DomainClaimedSentEvent) Data() interface{} {
 	return nil
 }

+func (e *DomainClaimedSentEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
 func NewDomainClaimedSentEvent(
 	ctx context.Context,
 ) *DomainClaimedSentEvent {
@@ -252,23 +313,36 @@ func DomainClaimedSentEventMapper(event *repository.Event) (eventstore.EventRead
 type UsernameChangedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	UserName string `json:"userName"`
+	UserName              string `json:"userName"`
+	OldUserName           string
+	UserLoginMustBeDomain bool
 }

 func (e *UsernameChangedEvent) Data() interface{} {
 	return e
 }

+func (e *UsernameChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{
+		NewRemoveUsernameUniqueConstraint(e.OldUserName, e.ResourceOwner(), e.UserLoginMustBeDomain),
+		NewAddUsernameUniqueConstraint(e.UserName, e.ResourceOwner(), e.UserLoginMustBeDomain),
+	}
+}
+
 func NewUsernameChangedEvent(
 	ctx context.Context,
-	userName string,
+	oldUserName,
+	newUserName string,
+	userLoginMustBeDomain bool,
 ) *UsernameChangedEvent {
 	return &UsernameChangedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
 			ctx,
 			UserUserNameChangedType,
 		),
-		UserName: userName,
+		UserName:              newUserName,
+		OldUserName:           oldUserName,
+		UserLoginMustBeDomain: userLoginMustBeDomain,
 	}
 }

--- a/internal/v2/view/iam.go
+++ b/internal/v2/view/iam.go
@@ -2,14 +2,15 @@ package view

 import (
 	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/iam"
 )

 type IAM struct {
 	eventstore.ReadModel

-	SetUpStarted iam.Step
-	SetUpDone    iam.Step
+	SetUpStarted domain.Step
+	SetUpDone    domain.Step

 	GlobalOrgID string
 	ProjectID   string