feat: org and policies commands (#1167)

* add setup steps * refactoring * omitempty * cleanup * begin org * create org * setup org * setup org * merge * fixes * fixes * fixes * add project * add oidc application * fix app creation * add resourceOwner to writemodels * resource owner * cleanup * global org, iam project and iam member in setup * logs * logs * logs * cleanup * Update internal/v2/command/project.go Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * check project state * add org domain commands * add org status changes and member commands * fixes * policies * login policy * fix iam project event * mapper * label policy * change to command * fix * fix * handle change event differently and lot of fixes * fixes * changedEvent handling Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-08-12 00:27:31 +00:00 · 2021-01-18 11:24:15 +01:00
parent 959530ddad
commit 3eb909c4b4
88 changed files with 2586 additions and 518 deletions
--- a/internal/api/grpc/admin/iam_member_converter.go
+++ b/internal/api/grpc/admin/iam_member_converter.go
@@ -11,17 +11,11 @@ import (
 )

 func addIamMemberToDomain(member *admin.AddIamMemberRequest) *domain.Member {
-	return &domain.Member{
-		UserID: member.UserId,
-		Roles:  member.Roles,
-	}
+	return domain.NewMember(domain.IAMID, member.UserId, member.Roles...)
 }

 func changeIamMemberToDomain(member *admin.ChangeIamMemberRequest) *domain.Member {
-	return &domain.Member{
-		UserID: member.UserId,
-		Roles:  member.Roles,
-	}
+	return domain.NewMember(domain.IAMID, member.UserId, member.Roles...)
 }

 func iamMemberFromDomain(member *domain.Member) *admin.IamMember {
--- a/internal/api/grpc/admin/idp_config.go
+++ b/internal/api/grpc/admin/idp_config.go
@@ -47,9 +47,8 @@ func (s *Server) ReactivateIdpConfig(ctx context.Context, id *admin.IdpID) (*adm
 	return idpFromDomain(config), nil
 }

-//TODO: Change To V2
 func (s *Server) RemoveIdpConfig(ctx context.Context, id *admin.IdpID) (*empty.Empty, error) {
-	err := s.iam.RemoveIDPConfig(ctx, id.Id)
+	err := s.command.RemoveDefaultIDPConfig(ctx, id.Id)
 	return &empty.Empty{}, err
 }

--- a/internal/api/grpc/admin/login_policy.go
+++ b/internal/api/grpc/admin/login_policy.go
@@ -38,9 +38,8 @@ func (s *Server) AddIdpProviderToDefaultLoginPolicy(ctx context.Context, provide
 	return idpProviderFromDomain(result), nil
 }

-//TODO: Change to v2
 func (s *Server) RemoveIdpProviderFromDefaultLoginPolicy(ctx context.Context, provider *admin.IdpProviderID) (*empty.Empty, error) {
-	err := s.iam.RemoveIDPProviderFromLoginPolicy(ctx, idpProviderToModel(provider))
+	err := s.command.RemoveIDPProviderFromDefaultLoginPolicy(ctx, idpProviderToDomain(provider))
 	return &empty.Empty{}, err
 }

@@ -53,15 +52,15 @@ func (s *Server) GetDefaultLoginPolicySecondFactors(ctx context.Context, _ *empt
 }

 func (s *Server) AddSecondFactorToDefaultLoginPolicy(ctx context.Context, mfa *admin.SecondFactor) (*admin.SecondFactor, error) {
-	result, err := s.command.AddSecondFactorToDefaultLoginPolicy(ctx, secondFactorTypeToModel(mfa))
+	result, err := s.command.AddSecondFactorToDefaultLoginPolicy(ctx, secondFactorTypeToDomain(mfa))
 	if err != nil {
 		return nil, err
 	}
-	return secondFactorFromModel(result), nil
+	return secondFactorFromDomain(result), nil
 }

 func (s *Server) RemoveSecondFactorFromDefaultLoginPolicy(ctx context.Context, mfa *admin.SecondFactor) (*empty.Empty, error) {
-	err := s.command.RemoveSecondFactorFromDefaultLoginPolicy(ctx, secondFactorTypeToModel(mfa))
+	err := s.command.RemoveSecondFactorFromDefaultLoginPolicy(ctx, secondFactorTypeToDomain(mfa))
 	return &empty.Empty{}, err
 }

@@ -74,14 +73,14 @@ func (s *Server) GetDefaultLoginPolicyMultiFactors(ctx context.Context, _ *empty
 }

 func (s *Server) AddMultiFactorToDefaultLoginPolicy(ctx context.Context, mfa *admin.MultiFactor) (*admin.MultiFactor, error) {
-	result, err := s.command.AddMultiFactorToDefaultLoginPolicy(ctx, multiFactorTypeToModel(mfa))
+	result, err := s.command.AddMultiFactorToDefaultLoginPolicy(ctx, multiFactorTypeToDomain(mfa))
 	if err != nil {
 		return nil, err
 	}
-	return multiFactorFromModel(result), nil
+	return multiFactorFromDomain(result), nil
 }

 func (s *Server) RemoveMultiFactorFromDefaultLoginPolicy(ctx context.Context, mfa *admin.MultiFactor) (*empty.Empty, error) {
-	err := s.command.RemoveMultiFactorFromDefaultLoginPolicy(ctx, multiFactorTypeToModel(mfa))
+	err := s.command.RemoveMultiFactorFromDefaultLoginPolicy(ctx, multiFactorTypeToDomain(mfa))
 	return &empty.Empty{}, err
 }
--- a/internal/api/grpc/admin/login_policy_converter.go
+++ b/internal/api/grpc/admin/login_policy_converter.go
@@ -128,9 +128,20 @@ func secondFactorsResultFromModel(result *iam_model.SecondFactorsSearchResponse)
 	}
 }

-func secondFactorFromModel(mfaType iam_model.SecondFactorType) *admin.SecondFactor {
+func secondFactorFromDomain(mfaType domain.SecondFactorType) *admin.SecondFactor {
 	return &admin.SecondFactor{
-		SecondFactor: secondFactorTypeFromModel(mfaType),
+		SecondFactor: secondFactorTypeFromDomain(mfaType),
+	}
+}
+
+func secondFactorTypeFromDomain(mfaType domain.SecondFactorType) admin.SecondFactorType {
+	switch mfaType {
+	case domain.SecondFactorTypeOTP:
+		return admin.SecondFactorType_SECONDFACTORTYPE_OTP
+	case domain.SecondFactorTypeU2F:
+		return admin.SecondFactorType_SECONDFACTORTYPE_U2F
+	default:
+		return admin.SecondFactorType_SECONDFACTORTYPE_UNSPECIFIED
 	}
 }

@@ -145,14 +156,14 @@ func secondFactorTypeFromModel(mfaType iam_model.SecondFactorType) admin.SecondF
 	}
 }

-func secondFactorTypeToModel(mfaType *admin.SecondFactor) iam_model.SecondFactorType {
+func secondFactorTypeToDomain(mfaType *admin.SecondFactor) domain.SecondFactorType {
 	switch mfaType.SecondFactor {
 	case admin.SecondFactorType_SECONDFACTORTYPE_OTP:
-		return iam_model.SecondFactorTypeOTP
+		return domain.SecondFactorTypeOTP
 	case admin.SecondFactorType_SECONDFACTORTYPE_U2F:
-		return iam_model.SecondFactorTypeU2F
+		return domain.SecondFactorTypeU2F
 	default:
-		return iam_model.SecondFactorTypeUnspecified
+		return domain.SecondFactorTypeUnspecified
 	}
 }

@@ -184,9 +195,18 @@ func multiFactorResultFromModel(result *iam_model.MultiFactorsSearchResponse) *a
 	}
 }

-func multiFactorFromModel(mfaType iam_model.MultiFactorType) *admin.MultiFactor {
+func multiFactorFromDomain(mfaType domain.MultiFactorType) *admin.MultiFactor {
 	return &admin.MultiFactor{
-		MultiFactor: multiFactorTypeFromModel(mfaType),
+		MultiFactor: multiFactorTypeFromDomain(mfaType),
+	}
+}
+
+func multiFactorTypeFromDomain(mfaType domain.MultiFactorType) admin.MultiFactorType {
+	switch mfaType {
+	case domain.MultiFactorTypeU2FWithPIN:
+		return admin.MultiFactorType_MULTIFACTORTYPE_U2F_WITH_PIN
+	default:
+		return admin.MultiFactorType_MULTIFACTORTYPE_UNSPECIFIED
 	}
 }

@@ -199,11 +219,11 @@ func multiFactorTypeFromModel(mfaType iam_model.MultiFactorType) admin.MultiFact
 	}
 }

-func multiFactorTypeToModel(mfaType *admin.MultiFactor) iam_model.MultiFactorType {
+func multiFactorTypeToDomain(mfaType *admin.MultiFactor) domain.MultiFactorType {
 	switch mfaType.MultiFactor {
 	case admin.MultiFactorType_MULTIFACTORTYPE_U2F_WITH_PIN:
-		return iam_model.MultiFactorTypeU2FWithPIN
+		return domain.MultiFactorTypeU2FWithPIN
 	default:
-		return iam_model.MultiFactorTypeUnspecified
+		return domain.MultiFactorTypeUnspecified
 	}
 }
--- a/internal/api/grpc/admin/org.go
+++ b/internal/api/grpc/admin/org.go
@@ -81,6 +81,6 @@ func (s *Server) UpdateOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyR
 }

 func (s *Server) RemoveOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyID) (_ *empty.Empty, err error) {
-	err = s.org.RemoveOrgIAMPolicy(ctx, in.OrgId)
+	err = s.command.RemoveOrgIAMPolicy(ctx, in.OrgId)
 	return &empty.Empty{}, err
 }
--- a/internal/api/grpc/management/login_policy.go
+++ b/internal/api/grpc/management/login_policy.go
@@ -2,8 +2,11 @@ package management

 import (
 	"context"
-	"github.com/caos/zitadel/pkg/grpc/management"
+
 	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/pkg/grpc/management"
 )

 func (s *Server) GetLoginPolicy(ctx context.Context, _ *empty.Empty) (*management.LoginPolicyView, error) {
@@ -23,23 +26,23 @@ func (s *Server) GetDefaultLoginPolicy(ctx context.Context, _ *empty.Empty) (*ma
 }

 func (s *Server) CreateLoginPolicy(ctx context.Context, policy *management.LoginPolicyRequest) (*management.LoginPolicy, error) {
-	result, err := s.org.AddLoginPolicy(ctx, loginPolicyRequestToModel(policy))
+	result, err := s.command.AddLoginPolicy(ctx, loginPolicyRequestToDomain(ctx, policy))
 	if err != nil {
 		return nil, err
 	}
-	return loginPolicyFromModel(result), nil
+	return loginPolicyFromDomain(result), nil
 }

 func (s *Server) UpdateLoginPolicy(ctx context.Context, policy *management.LoginPolicyRequest) (*management.LoginPolicy, error) {
-	result, err := s.org.ChangeLoginPolicy(ctx, loginPolicyRequestToModel(policy))
+	result, err := s.command.ChangeLoginPolicy(ctx, loginPolicyRequestToDomain(ctx, policy))
 	if err != nil {
 		return nil, err
 	}
-	return loginPolicyFromModel(result), nil
+	return loginPolicyFromDomain(result), nil
 }

 func (s *Server) RemoveLoginPolicy(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
-	err := s.org.RemoveLoginPolicy(ctx)
+	err := s.command.RemoveLoginPolicy(ctx, authz.GetCtxData(ctx).OrgID)
 	return &empty.Empty{}, err
 }

@@ -52,15 +55,15 @@ func (s *Server) GetLoginPolicyIdpProviders(ctx context.Context, request *manage
 }

 func (s *Server) AddIdpProviderToLoginPolicy(ctx context.Context, provider *management.IdpProviderAdd) (*management.IdpProvider, error) {
-	result, err := s.org.AddIDPProviderToLoginPolicy(ctx, idpProviderAddToModel(provider))
+	result, err := s.command.AddIDPProviderToLoginPolicy(ctx, idpProviderAddToDomain(ctx, provider))
 	if err != nil {
 		return nil, err
 	}
-	return idpProviderFromModel(result), nil
+	return idpProviderFromDomain(result), nil
 }

 func (s *Server) RemoveIdpProviderFromLoginPolicy(ctx context.Context, provider *management.IdpProviderID) (*empty.Empty, error) {
-	err := s.org.RemoveIDPProviderFromLoginPolicy(ctx, idpProviderToModel(provider))
+	err := s.command.RemoveIDPProviderFromLoginPolicy(ctx, idpProviderIDToDomain(ctx, provider))
 	return &empty.Empty{}, err
 }

@@ -73,15 +76,15 @@ func (s *Server) GetLoginPolicySecondFactors(ctx context.Context, _ *empty.Empty
 }

 func (s *Server) AddSecondFactorToLoginPolicy(ctx context.Context, mfa *management.SecondFactor) (*management.SecondFactor, error) {
-	result, err := s.org.AddSecondFactorToLoginPolicy(ctx, secondFactorTypeToModel(mfa))
+	result, err := s.command.AddSecondFactorToLoginPolicy(ctx, secondFactorTypeToDomain(mfa), authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
-	return secondFactorFromModel(result), nil
+	return secondFactorFromDomain(result), nil
 }

 func (s *Server) RemoveSecondFactorFromLoginPolicy(ctx context.Context, mfa *management.SecondFactor) (*empty.Empty, error) {
-	err := s.org.RemoveSecondFactorFromLoginPolicy(ctx, secondFactorTypeToModel(mfa))
+	err := s.command.RemoveSecondFactorFromLoginPolicy(ctx, secondFactorTypeToDomain(mfa), authz.GetCtxData(ctx).OrgID)
 	return &empty.Empty{}, err
 }

@@ -94,14 +97,14 @@ func (s *Server) GetLoginPolicyMultiFactors(ctx context.Context, _ *empty.Empty)
 }

 func (s *Server) AddMultiFactorToLoginPolicy(ctx context.Context, mfa *management.MultiFactor) (*management.MultiFactor, error) {
-	result, err := s.org.AddMultiFactorToLoginPolicy(ctx, multiFactorTypeToModel(mfa))
+	result, err := s.command.AddMultiFactorToLoginPolicy(ctx, multiFactorTypeToDomain(mfa), authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
-	return multiFactorFromModel(result), nil
+	return multiFactorFromDomain(result), nil
 }

 func (s *Server) RemoveMultiFactorFromLoginPolicy(ctx context.Context, mfa *management.MultiFactor) (*empty.Empty, error) {
-	err := s.org.RemoveMultiFactorFromLoginPolicy(ctx, multiFactorTypeToModel(mfa))
+	err := s.command.RemoveMultiFactorFromLoginPolicy(ctx, multiFactorTypeToDomain(mfa), authz.GetCtxData(ctx).OrgID)
 	return &empty.Empty{}, err
 }
--- a/internal/api/grpc/management/login_policy_converter.go
+++ b/internal/api/grpc/management/login_policy_converter.go
@@ -1,37 +1,41 @@
 package management

 import (
+	"context"
+
 	"github.com/caos/logging"
-	iam_model "github.com/caos/zitadel/internal/iam/model"
-	"github.com/caos/zitadel/pkg/grpc/management"
 	"github.com/golang/protobuf/ptypes"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
+	"github.com/caos/zitadel/pkg/grpc/management"
 )

-func loginPolicyRequestToModel(policy *management.LoginPolicyRequest) *iam_model.LoginPolicy {
-	return &iam_model.LoginPolicy{
+func loginPolicyRequestToDomain(ctx context.Context, policy *management.LoginPolicyRequest) *domain.LoginPolicy {
+	return &domain.LoginPolicy{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: authz.GetCtxData(ctx).OrgID,
+		},
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIdp,
 		AllowRegister:         policy.AllowRegister,
 		ForceMFA:              policy.ForceMfa,
-		PasswordlessType:      passwordlessTypeToModel(policy.PasswordlessType),
+		PasswordlessType:      passwordlessTypeToDomain(policy.PasswordlessType),
 	}
 }

-func loginPolicyFromModel(policy *iam_model.LoginPolicy) *management.LoginPolicy {
-	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
-	logging.Log("GRPC-2Fsm8").OnError(err).Debug("date parse failed")
-
-	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
-	logging.Log("GRPC-3Flo0").OnError(err).Debug("date parse failed")
-
+func loginPolicyFromDomain(policy *domain.LoginPolicy) *management.LoginPolicy {
 	return &management.LoginPolicy{
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIdp,
 		AllowRegister:         policy.AllowRegister,
-		CreationDate:          creationDate,
-		ChangeDate:            changeDate,
+		CreationDate:          timestamppb.New(policy.CreationDate),
+		ChangeDate:            timestamppb.New(policy.ChangeDate),
 		ForceMfa:              policy.ForceMFA,
-		PasswordlessType:      passwordlessTypeFromModel(policy.PasswordlessType),
+		PasswordlessType:      passwordlessTypeFromDomain(policy.PasswordlessType),
 	}
 }

@@ -70,17 +74,22 @@ func idpProviderSearchResponseFromModel(response *iam_model.IDPProviderSearchRes
 	}
 }

-func idpProviderToModel(provider *management.IdpProviderID) *iam_model.IDPProvider {
-	return &iam_model.IDPProvider{
+func idpProviderIDToDomain(ctx context.Context, provider *management.IdpProviderID) *domain.IDPProvider {
+	return &domain.IDPProvider{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: authz.GetCtxData(ctx).OrgID,
+		},
 		IDPConfigID: provider.IdpConfigId,
-		Type:        iam_model.IDPProviderTypeSystem,
 	}
 }

-func idpProviderAddToModel(provider *management.IdpProviderAdd) *iam_model.IDPProvider {
-	return &iam_model.IDPProvider{
+func idpProviderAddToDomain(ctx context.Context, provider *management.IdpProviderAdd) *domain.IDPProvider {
+	return &domain.IDPProvider{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: authz.GetCtxData(ctx).OrgID,
+		},
 		IDPConfigID: provider.IdpConfigId,
-		Type:        idpProviderTypeToModel(provider.IdpProviderType),
+		Type:        idpProviderTypeToDomain(provider.IdpProviderType),
 	}
 }

@@ -90,10 +99,10 @@ func idpProviderIDFromModel(provider *iam_model.IDPProvider) *management.IdpProv
 	}
 }

-func idpProviderFromModel(provider *iam_model.IDPProvider) *management.IdpProvider {
+func idpProviderFromDomain(provider *domain.IDPProvider) *management.IdpProvider {
 	return &management.IdpProvider{
 		IdpConfigId:      provider.IDPConfigID,
-		IdpProvider_Type: idpProviderTypeFromModel(provider.Type),
+		IdpProvider_Type: idpProviderTypeFromDomain(provider.Type),
 	}
 }

@@ -125,14 +134,25 @@ func idpConfigTypeToModel(providerType iam_model.IdpConfigType) management.IdpTy
 	}
 }

-func idpProviderTypeToModel(providerType management.IdpProviderType) iam_model.IDPProviderType {
+func idpProviderTypeToDomain(providerType management.IdpProviderType) domain.IdentityProviderType {
 	switch providerType {
 	case management.IdpProviderType_IDPPROVIDERTYPE_SYSTEM:
-		return iam_model.IDPProviderTypeSystem
+		return domain.IdentityProviderTypeSystem
 	case management.IdpProviderType_IDPPROVIDERTYPE_ORG:
-		return iam_model.IDPProviderTypeOrg
+		return domain.IdentityProviderTypeOrg
 	default:
-		return iam_model.IDPProviderTypeSystem
+		return domain.IdentityProviderTypeSystem
+	}
+}
+
+func idpProviderTypeFromDomain(providerType domain.IdentityProviderType) management.IdpProviderType {
+	switch providerType {
+	case domain.IdentityProviderTypeSystem:
+		return management.IdpProviderType_IDPPROVIDERTYPE_SYSTEM
+	case domain.IdentityProviderTypeOrg:
+		return management.IdpProviderType_IDPPROVIDERTYPE_ORG
+	default:
+		return management.IdpProviderType_IDPPROVIDERTYPE_UNSPECIFIED
 	}
 }

@@ -157,12 +177,29 @@ func secondFactorResultFromModel(result *iam_model.SecondFactorsSearchResponse)
 	}
 }

+func secondFactorFromDomain(mfaType domain.SecondFactorType) *management.SecondFactor {
+	return &management.SecondFactor{
+		SecondFactor: secondFactorTypeFromDomain(mfaType),
+	}
+}
+
 func secondFactorFromModel(mfaType iam_model.SecondFactorType) *management.SecondFactor {
 	return &management.SecondFactor{
 		SecondFactor: secondFactorTypeFromModel(mfaType),
 	}
 }

+func secondFactorTypeFromDomain(mfaType domain.SecondFactorType) management.SecondFactorType {
+	switch mfaType {
+	case domain.SecondFactorTypeOTP:
+		return management.SecondFactorType_SECONDFACTORTYPE_OTP
+	case domain.SecondFactorTypeU2F:
+		return management.SecondFactorType_SECONDFACTORTYPE_U2F
+	default:
+		return management.SecondFactorType_SECONDFACTORTYPE_UNSPECIFIED
+	}
+}
+
 func secondFactorTypeFromModel(mfaType iam_model.SecondFactorType) management.SecondFactorType {
 	switch mfaType {
 	case iam_model.SecondFactorTypeOTP:
@@ -174,14 +211,14 @@ func secondFactorTypeFromModel(mfaType iam_model.SecondFactorType) management.Se
 	}
 }

-func secondFactorTypeToModel(mfaType *management.SecondFactor) iam_model.SecondFactorType {
+func secondFactorTypeToDomain(mfaType *management.SecondFactor) domain.SecondFactorType {
 	switch mfaType.SecondFactor {
 	case management.SecondFactorType_SECONDFACTORTYPE_OTP:
-		return iam_model.SecondFactorTypeOTP
+		return domain.SecondFactorTypeOTP
 	case management.SecondFactorType_SECONDFACTORTYPE_U2F:
-		return iam_model.SecondFactorTypeU2F
+		return domain.SecondFactorTypeU2F
 	default:
-		return iam_model.SecondFactorTypeUnspecified
+		return domain.SecondFactorTypeUnspecified
 	}
 }

@@ -195,9 +232,18 @@ func multiFactorResultFromModel(result *iam_model.MultiFactorsSearchResponse) *m
 	}
 }

-func multiFactorFromModel(mfaType iam_model.MultiFactorType) *management.MultiFactor {
+func multiFactorFromDomain(mfaType domain.MultiFactorType) *management.MultiFactor {
 	return &management.MultiFactor{
-		MultiFactor: multiFactorTypeFromModel(mfaType),
+		MultiFactor: multiFactorTypeFromDomain(mfaType),
+	}
+}
+
+func multiFactorTypeFromDomain(mfaType domain.MultiFactorType) management.MultiFactorType {
+	switch mfaType {
+	case domain.MultiFactorTypeU2FWithPIN:
+		return management.MultiFactorType_MULTIFACTORTYPE_U2F_WITH_PIN
+	default:
+		return management.MultiFactorType_MULTIFACTORTYPE_UNSPECIFIED
 	}
 }

@@ -210,12 +256,12 @@ func multiFactorTypeFromModel(mfaType iam_model.MultiFactorType) management.Mult
 	}
 }

-func multiFactorTypeToModel(mfaType *management.MultiFactor) iam_model.MultiFactorType {
+func multiFactorTypeToDomain(mfaType *management.MultiFactor) domain.MultiFactorType {
 	switch mfaType.MultiFactor {
 	case management.MultiFactorType_MULTIFACTORTYPE_U2F_WITH_PIN:
-		return iam_model.MultiFactorTypeU2FWithPIN
+		return domain.MultiFactorTypeU2FWithPIN
 	default:
-		return iam_model.MultiFactorTypeUnspecified
+		return domain.MultiFactorTypeUnspecified
 	}
 }

@@ -228,11 +274,20 @@ func passwordlessTypeFromModel(passwordlessType iam_model.PasswordlessType) mana
 	}
 }

-func passwordlessTypeToModel(passwordlessType management.PasswordlessType) iam_model.PasswordlessType {
+func passwordlessTypeFromDomain(passwordlessType domain.PasswordlessType) management.PasswordlessType {
 	switch passwordlessType {
-	case management.PasswordlessType_PASSWORDLESSTYPE_ALLOWED:
-		return iam_model.PasswordlessTypeAllowed
+	case domain.PasswordlessTypeAllowed:
+		return management.PasswordlessType_PASSWORDLESSTYPE_ALLOWED
 	default:
-		return iam_model.PasswordlessTypeNotAllowed
+		return management.PasswordlessType_PASSWORDLESSTYPE_NOT_ALLOWED
+	}
+}
+
+func passwordlessTypeToDomain(passwordlessType management.PasswordlessType) domain.PasswordlessType {
+	switch passwordlessType {
+	case management.PasswordlessType_PASSWORDLESSTYPE_ALLOWED:
+		return domain.PasswordlessTypeAllowed
+	default:
+		return domain.PasswordlessTypeNotAllowed
 	}
 }
--- a/internal/api/grpc/management/org.go
+++ b/internal/api/grpc/management/org.go
@@ -10,11 +10,12 @@ import (
 )

 func (s *Server) CreateOrg(ctx context.Context, request *management.OrgCreateRequest) (_ *management.Org, err error) {
-	org, err := s.org.CreateOrg(ctx, request.Name)
+	ctxData := authz.GetCtxData(ctx)
+	org, err := s.command.AddOrg(ctx, request.Name, ctxData.UserID, ctxData.ResourceOwner)
 	if err != nil {
 		return nil, err
 	}
-	return orgFromModel(org), err
+	return orgFromDomain(org), err
 }

 func (s *Server) GetMyOrg(ctx context.Context, _ *empty.Empty) (*management.OrgView, error) {
@@ -33,20 +34,14 @@ func (s *Server) GetOrgByDomainGlobal(ctx context.Context, in *management.Domain
 	return orgViewFromModel(org), nil
 }

-func (s *Server) DeactivateMyOrg(ctx context.Context, _ *empty.Empty) (*management.Org, error) {
-	org, err := s.org.DeactivateOrg(ctx, authz.GetCtxData(ctx).OrgID)
-	if err != nil {
-		return nil, err
-	}
-	return orgFromModel(org), nil
+func (s *Server) DeactivateMyOrg(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
+	err := s.command.DeactivateOrg(ctx, authz.GetCtxData(ctx).OrgID)
+	return &empty.Empty{}, err
 }

-func (s *Server) ReactivateMyOrg(ctx context.Context, _ *empty.Empty) (*management.Org, error) {
-	org, err := s.org.ReactivateOrg(ctx, authz.GetCtxData(ctx).OrgID)
-	if err != nil {
-		return nil, err
-	}
-	return orgFromModel(org), nil
+func (s *Server) ReactivateMyOrg(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
+	err := s.command.ReactivateOrg(ctx, authz.GetCtxData(ctx).OrgID)
+	return &empty.Empty{}, err
 }

 func (s *Server) SearchMyOrgDomains(ctx context.Context, in *management.OrgDomainSearchRequest) (*management.OrgDomainSearchResponse, error) {
@@ -58,15 +53,15 @@ func (s *Server) SearchMyOrgDomains(ctx context.Context, in *management.OrgDomai
 }

 func (s *Server) AddMyOrgDomain(ctx context.Context, in *management.AddOrgDomainRequest) (*management.OrgDomain, error) {
-	domain, err := s.org.AddMyOrgDomain(ctx, addOrgDomainToModel(in))
+	domain, err := s.command.AddOrgDomain(ctx, addOrgDomainToDomain(ctx, in))
 	if err != nil {
 		return nil, err
 	}
-	return orgDomainFromModel(domain), nil
+	return orgDomainFromDomain(domain), nil
 }

 func (s *Server) GenerateMyOrgDomainValidation(ctx context.Context, in *management.OrgDomainValidationRequest) (*management.OrgDomainValidationResponse, error) {
-	token, url, err := s.org.GenerateMyOrgDomainValidation(ctx, orgDomainValidationToModel(in))
+	token, url, err := s.command.GenerateOrgDomainValidation(ctx, orgDomainValidationToDomain(ctx, in))
 	if err != nil {
 		return nil, err
 	}
@@ -77,16 +72,16 @@ func (s *Server) GenerateMyOrgDomainValidation(ctx context.Context, in *manageme
 }

 func (s *Server) ValidateMyOrgDomain(ctx context.Context, in *management.ValidateOrgDomainRequest) (*empty.Empty, error) {
-	err := s.org.ValidateMyOrgDomain(ctx, validateOrgDomainToModel(in))
+	err := s.command.ValidateOrgDomain(ctx, validateOrgDomainToDomain(ctx, in))
 	return &empty.Empty{}, err
 }
 func (s *Server) SetMyPrimaryOrgDomain(ctx context.Context, in *management.PrimaryOrgDomainRequest) (*empty.Empty, error) {
-	err := s.org.SetMyPrimaryOrgDomain(ctx, primaryOrgDomainToModel(in))
+	err := s.command.SetPrimaryOrgDomain(ctx, primaryOrgDomainToDomain(ctx, in))
 	return &empty.Empty{}, err
 }

 func (s *Server) RemoveMyOrgDomain(ctx context.Context, in *management.RemoveOrgDomainRequest) (*empty.Empty, error) {
-	err := s.org.RemoveMyOrgDomain(ctx, in.Domain)
+	err := s.command.RemoveOrgDomain(ctx, removeOrgDomainToDomain(ctx, in))
 	return &empty.Empty{}, err
 }

--- a/internal/api/grpc/management/org_converter.go
+++ b/internal/api/grpc/management/org_converter.go
@@ -1,8 +1,15 @@
 package management

 import (
+	"context"
 	"encoding/json"
+
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/eventstore/models"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"

 	"github.com/caos/logging"
 	"github.com/golang/protobuf/ptypes"
@@ -14,27 +21,13 @@ import (
 	"github.com/caos/zitadel/pkg/grpc/message"
 )

-func orgsFromModel(orgs []*org_model.Org) []*management.Org {
-	orgList := make([]*management.Org, len(orgs))
-	for i, org := range orgs {
-		orgList[i] = orgFromModel(org)
-	}
-	return orgList
-}
-
-func orgFromModel(org *org_model.Org) *management.Org {
-	creationDate, err := ptypes.TimestampProto(org.CreationDate)
-	logging.Log("GRPC-GTHsZ").OnError(err).Debug("unable to get timestamp from time")
-
-	changeDate, err := ptypes.TimestampProto(org.ChangeDate)
-	logging.Log("GRPC-dVnoj").OnError(err).Debug("unable to get timestamp from time")
-
+func orgFromDomain(org *domain.Org) *management.Org {
 	return &management.Org{
-		ChangeDate:   changeDate,
-		CreationDate: creationDate,
+		ChangeDate:   timestamppb.New(org.ChangeDate),
+		CreationDate: timestamppb.New(org.CreationDate),
 		Id:           org.AggregateID,
 		Name:         org.Name,
-		State:        orgStateFromModel(org.State),
+		State:        orgStateFromDomain(org.State),
 	}
 }

@@ -54,6 +47,17 @@ func orgViewFromModel(org *org_model.OrgView) *management.OrgView {
 	}
 }

+func orgStateFromDomain(state domain.OrgState) management.OrgState {
+	switch state {
+	case domain.OrgStateActive:
+		return management.OrgState_ORGSTATE_ACTIVE
+	case domain.OrgStateInactive:
+		return management.OrgState_ORGSTATE_INACTIVE
+	default:
+		return management.OrgState_ORGSTATE_UNSPECIFIED
+	}
+}
+
 func orgStateFromModel(state org_model.OrgState) management.OrgState {
 	switch state {
 	case org_model.OrgStateActive:
@@ -65,29 +69,42 @@ func orgStateFromModel(state org_model.OrgState) management.OrgState {
 	}
 }

-func addOrgDomainToModel(domain *management.AddOrgDomainRequest) *org_model.OrgDomain {
-	return &org_model.OrgDomain{Domain: domain.Domain}
-}
-
-func orgDomainValidationToModel(domain *management.OrgDomainValidationRequest) *org_model.OrgDomain {
-	return &org_model.OrgDomain{
-		Domain:         domain.Domain,
-		ValidationType: orgDomainValidationTypeToModel(domain.Type),
+func addOrgDomainToDomain(ctx context.Context, orgDomain *management.AddOrgDomainRequest) *domain.OrgDomain {
+	return &domain.OrgDomain{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: authz.GetCtxData(ctx).OrgID,
+		},
+		Domain: orgDomain.Domain,
 	}
 }

-func validateOrgDomainToModel(domain *management.ValidateOrgDomainRequest) *org_model.OrgDomain {
-	return &org_model.OrgDomain{Domain: domain.Domain}
+func orgDomainValidationToDomain(ctx context.Context, orgDomain *management.OrgDomainValidationRequest) *domain.OrgDomain {
+	return &domain.OrgDomain{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: authz.GetCtxData(ctx).OrgID,
+		},
+		Domain:         orgDomain.Domain,
+		ValidationType: orgDomainValidationTypeToDomain(orgDomain.Type),
+	}
 }

-func orgDomainValidationTypeToModel(key management.OrgDomainValidationType) org_model.OrgDomainValidationType {
-	switch key {
+func validateOrgDomainToDomain(ctx context.Context, orgDomain *management.ValidateOrgDomainRequest) *domain.OrgDomain {
+	return &domain.OrgDomain{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: authz.GetCtxData(ctx).OrgID,
+		},
+		Domain: orgDomain.Domain,
+	}
+}
+
+func orgDomainValidationTypeToDomain(validationType management.OrgDomainValidationType) domain.OrgDomainValidationType {
+	switch validationType {
 	case management.OrgDomainValidationType_ORGDOMAINVALIDATIONTYPE_HTTP:
-		return org_model.OrgDomainValidationTypeHTTP
+		return domain.OrgDomainValidationTypeHTTP
 	case management.OrgDomainValidationType_ORGDOMAINVALIDATIONTYPE_DNS:
-		return org_model.OrgDomainValidationTypeDNS
+		return domain.OrgDomainValidationTypeDNS
 	default:
-		return org_model.OrgDomainValidationTypeUnspecified
+		return domain.OrgDomainValidationTypeUnspecified
 	}
 }

@@ -102,24 +119,32 @@ func orgDomainValidationTypeFromModel(key org_model.OrgDomainValidationType) man
 	}
 }

-func primaryOrgDomainToModel(domain *management.PrimaryOrgDomainRequest) *org_model.OrgDomain {
-	return &org_model.OrgDomain{Domain: domain.Domain}
+func primaryOrgDomainToDomain(ctx context.Context, ordDomain *management.PrimaryOrgDomainRequest) *domain.OrgDomain {
+	return &domain.OrgDomain{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: authz.GetCtxData(ctx).OrgID,
+		},
+		Domain: ordDomain.Domain,
+	}
 }

-func orgDomainFromModel(domain *org_model.OrgDomain) *management.OrgDomain {
-	creationDate, err := ptypes.TimestampProto(domain.CreationDate)
-	logging.Log("GRPC-u8Ksj").OnError(err).Debug("unable to get timestamp from time")
-
-	changeDate, err := ptypes.TimestampProto(domain.ChangeDate)
-	logging.Log("GRPC-9osFS").OnError(err).Debug("unable to get timestamp from time")
+func removeOrgDomainToDomain(ctx context.Context, ordDomain *management.RemoveOrgDomainRequest) *domain.OrgDomain {
+	return &domain.OrgDomain{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: authz.GetCtxData(ctx).OrgID,
+		},
+		Domain: ordDomain.Domain,
+	}
+}

+func orgDomainFromDomain(orgDomain *domain.OrgDomain) *management.OrgDomain {
 	return &management.OrgDomain{
-		ChangeDate:   changeDate,
-		CreationDate: creationDate,
-		OrgId:        domain.AggregateID,
-		Domain:       domain.Domain,
-		Verified:     domain.Verified,
-		Primary:      domain.Primary,
+		ChangeDate:   timestamppb.New(orgDomain.ChangeDate),
+		CreationDate: timestamppb.New(orgDomain.CreationDate),
+		OrgId:        orgDomain.AggregateID,
+		Domain:       orgDomain.Domain,
+		Verified:     orgDomain.Verified,
+		Primary:      orgDomain.Primary,
 	}
 }

--- a/internal/api/grpc/management/org_member.go
+++ b/internal/api/grpc/management/org_member.go
@@ -5,6 +5,7 @@ import (

 	"github.com/golang/protobuf/ptypes/empty"

+	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/pkg/grpc/management"
 )

@@ -21,23 +22,23 @@ func (s *Server) SearchMyOrgMembers(ctx context.Context, in *management.OrgMembe
 }

 func (s *Server) AddMyOrgMember(ctx context.Context, member *management.AddOrgMemberRequest) (*management.OrgMember, error) {
-	addedMember, err := s.org.AddMyOrgMember(ctx, addOrgMemberToModel(member))
+	addedMember, err := s.command.AddOrgMember(ctx, addOrgMemberToDomain(ctx, member))
 	if err != nil {
 		return nil, err
 	}

-	return orgMemberFromModel(addedMember), nil
+	return orgMemberFromDomain(addedMember), nil
 }

 func (s *Server) ChangeMyOrgMember(ctx context.Context, member *management.ChangeOrgMemberRequest) (*management.OrgMember, error) {
-	changedMember, err := s.org.ChangeMyOrgMember(ctx, changeOrgMemberToModel(member))
+	changedMember, err := s.command.ChangeOrgMember(ctx, changeOrgMemberToModel(ctx, member))
 	if err != nil {
 		return nil, err
 	}
-	return orgMemberFromModel(changedMember), nil
+	return orgMemberFromDomain(changedMember), nil
 }

 func (s *Server) RemoveMyOrgMember(ctx context.Context, member *management.RemoveOrgMemberRequest) (*empty.Empty, error) {
-	err := s.org.RemoveMyOrgMember(ctx, member.UserId)
+	err := s.command.RemoveOrgMember(ctx, authz.GetCtxData(ctx).OrgID, member.UserId)
 	return &empty.Empty{}, err
 }
--- a/internal/api/grpc/management/org_member_converter.go
+++ b/internal/api/grpc/management/org_member_converter.go
@@ -1,43 +1,32 @@
 package management

 import (
+	"context"
+
 	"github.com/caos/logging"
 	"github.com/golang/protobuf/ptypes"
+	"google.golang.org/protobuf/types/known/timestamppb"

+	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/model"
 	org_model "github.com/caos/zitadel/internal/org/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/pkg/grpc/management"
 )

-func addOrgMemberToModel(member *management.AddOrgMemberRequest) *org_model.OrgMember {
-	memberModel := &org_model.OrgMember{
-		UserID: member.UserId,
-	}
-	memberModel.Roles = member.Roles
-
-	return memberModel
+func addOrgMemberToDomain(ctx context.Context, member *management.AddOrgMemberRequest) *domain.Member {
+	return domain.NewMember(authz.GetCtxData(ctx).OrgID, member.UserId, member.Roles...)
 }

-func changeOrgMemberToModel(member *management.ChangeOrgMemberRequest) *org_model.OrgMember {
-	memberModel := &org_model.OrgMember{
-		UserID: member.UserId,
-	}
-	memberModel.Roles = member.Roles
-
-	return memberModel
+func changeOrgMemberToModel(ctx context.Context, member *management.ChangeOrgMemberRequest) *domain.Member {
+	return domain.NewMember(authz.GetCtxData(ctx).OrgID, member.UserId, member.Roles...)
 }

-func orgMemberFromModel(member *org_model.OrgMember) *management.OrgMember {
-	creationDate, err := ptypes.TimestampProto(member.CreationDate)
-	logging.Log("GRPC-jC5wY").OnError(err).Debug("date parse failed")
-
-	changeDate, err := ptypes.TimestampProto(member.ChangeDate)
-	logging.Log("GRPC-Nc2jJ").OnError(err).Debug("date parse failed")
-
+func orgMemberFromDomain(member *domain.Member) *management.OrgMember {
 	return &management.OrgMember{
 		UserId:       member.UserID,
-		CreationDate: creationDate,
-		ChangeDate:   changeDate,
+		CreationDate: timestamppb.New(member.CreationDate),
+		ChangeDate:   timestamppb.New(member.ChangeDate),
 		Roles:        member.Roles,
 		Sequence:     member.Sequence,
 	}
--- a/internal/api/grpc/management/password_age_policy.go
+++ b/internal/api/grpc/management/password_age_policy.go
@@ -2,6 +2,7 @@ package management

 import (
 	"context"
+	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/pkg/grpc/management"
 	"github.com/golang/protobuf/ptypes/empty"
 )
@@ -23,22 +24,22 @@ func (s *Server) GetDefaultPasswordAgePolicy(ctx context.Context, _ *empty.Empty
 }

 func (s *Server) CreatePasswordAgePolicy(ctx context.Context, policy *management.PasswordAgePolicyRequest) (*management.PasswordAgePolicy, error) {
-	result, err := s.org.AddPasswordAgePolicy(ctx, passwordAgePolicyRequestToModel(policy))
+	result, err := s.command.AddPasswordAgePolicy(ctx, passwordAgePolicyRequestToDomain(ctx, policy))
 	if err != nil {
 		return nil, err
 	}
-	return passwordAgePolicyFromModel(result), nil
+	return passwordAgePolicyFromDomain(result), nil
 }

 func (s *Server) UpdatePasswordAgePolicy(ctx context.Context, policy *management.PasswordAgePolicyRequest) (*management.PasswordAgePolicy, error) {
-	result, err := s.org.ChangePasswordAgePolicy(ctx, passwordAgePolicyRequestToModel(policy))
+	result, err := s.command.ChangePasswordAgePolicy(ctx, passwordAgePolicyRequestToDomain(ctx, policy))
 	if err != nil {
 		return nil, err
 	}
-	return passwordAgePolicyFromModel(result), nil
+	return passwordAgePolicyFromDomain(result), nil
 }

 func (s *Server) RemovePasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
-	err := s.org.RemovePasswordAgePolicy(ctx)
+	err := s.command.RemovePasswordAgePolicy(ctx, authz.GetCtxData(ctx).OrgID)
 	return &empty.Empty{}, err
 }
--- a/internal/api/grpc/management/password_age_policy_converter.go
+++ b/internal/api/grpc/management/password_age_policy_converter.go
@@ -1,31 +1,34 @@
 package management

 import (
+	"context"
+
 	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/eventstore/models"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/pkg/grpc/management"
 	"github.com/golang/protobuf/ptypes"
+	"google.golang.org/protobuf/types/known/timestamppb"
 )

-func passwordAgePolicyRequestToModel(policy *management.PasswordAgePolicyRequest) *iam_model.PasswordAgePolicy {
-	return &iam_model.PasswordAgePolicy{
+func passwordAgePolicyRequestToDomain(ctx context.Context, policy *management.PasswordAgePolicyRequest) *domain.PasswordAgePolicy {
+	return &domain.PasswordAgePolicy{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: authz.GetCtxData(ctx).OrgID,
+		},
 		MaxAgeDays:     policy.MaxAgeDays,
 		ExpireWarnDays: policy.ExpireWarnDays,
 	}
 }

-func passwordAgePolicyFromModel(policy *iam_model.PasswordAgePolicy) *management.PasswordAgePolicy {
-	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
-	logging.Log("GRPC-bMd9o").OnError(err).Debug("date parse failed")
-
-	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
-	logging.Log("GRPC-jFs89").OnError(err).Debug("date parse failed")
-
+func passwordAgePolicyFromDomain(policy *domain.PasswordAgePolicy) *management.PasswordAgePolicy {
 	return &management.PasswordAgePolicy{
 		MaxAgeDays:     policy.MaxAgeDays,
 		ExpireWarnDays: policy.ExpireWarnDays,
-		CreationDate:   changeDate,
-		ChangeDate:     creationDate,
+		CreationDate:   timestamppb.New(policy.CreationDate),
+		ChangeDate:     timestamppb.New(policy.ChangeDate),
 	}
 }

--- a/internal/api/grpc/management/password_complexity_policy.go
+++ b/internal/api/grpc/management/password_complexity_policy.go
@@ -2,6 +2,7 @@ package management

 import (
 	"context"
+	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/pkg/grpc/management"
 	"github.com/golang/protobuf/ptypes/empty"
 )
@@ -23,22 +24,22 @@ func (s *Server) GetDefaultPasswordComplexityPolicy(ctx context.Context, _ *empt
 }

 func (s *Server) CreatePasswordComplexityPolicy(ctx context.Context, policy *management.PasswordComplexityPolicyRequest) (*management.PasswordComplexityPolicy, error) {
-	result, err := s.org.AddPasswordComplexityPolicy(ctx, passwordComplexityPolicyRequestToModel(policy))
+	result, err := s.command.AddPasswordComplexityPolicy(ctx, passwordComplexityPolicyRequestToDomain(ctx, policy))
 	if err != nil {
 		return nil, err
 	}
-	return passwordComplexityPolicyFromModel(result), nil
+	return passwordComplexityPolicyFromDomain(result), nil
 }

 func (s *Server) UpdatePasswordComplexityPolicy(ctx context.Context, policy *management.PasswordComplexityPolicyRequest) (*management.PasswordComplexityPolicy, error) {
-	result, err := s.org.ChangePasswordComplexityPolicy(ctx, passwordComplexityPolicyRequestToModel(policy))
+	result, err := s.command.ChangePasswordComplexityPolicy(ctx, passwordComplexityPolicyRequestToDomain(ctx, policy))
 	if err != nil {
 		return nil, err
 	}
-	return passwordComplexityPolicyFromModel(result), nil
+	return passwordComplexityPolicyFromDomain(result), nil
 }

 func (s *Server) RemovePasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
-	err := s.org.RemovePasswordComplexityPolicy(ctx)
+	err := s.command.RemovePasswordComplexityPolicy(ctx, authz.GetCtxData(ctx).OrgID)
 	return &empty.Empty{}, err
 }
--- a/internal/api/grpc/management/password_complexity_policy_converter.go
+++ b/internal/api/grpc/management/password_complexity_policy_converter.go
@@ -1,14 +1,23 @@
 package management

 import (
+	"context"
+
 	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/eventstore/models"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/pkg/grpc/management"
 	"github.com/golang/protobuf/ptypes"
+	"google.golang.org/protobuf/types/known/timestamppb"
 )

-func passwordComplexityPolicyRequestToModel(policy *management.PasswordComplexityPolicyRequest) *iam_model.PasswordComplexityPolicy {
-	return &iam_model.PasswordComplexityPolicy{
+func passwordComplexityPolicyRequestToDomain(ctx context.Context, policy *management.PasswordComplexityPolicyRequest) *domain.PasswordComplexityPolicy {
+	return &domain.PasswordComplexityPolicy{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: authz.GetCtxData(ctx).OrgID,
+		},
 		MinLength:    policy.MinLength,
 		HasLowercase: policy.HasLowercase,
 		HasUppercase: policy.HasUppercase,
@@ -17,21 +26,15 @@ func passwordComplexityPolicyRequestToModel(policy *management.PasswordComplexit
 	}
 }

-func passwordComplexityPolicyFromModel(policy *iam_model.PasswordComplexityPolicy) *management.PasswordComplexityPolicy {
-	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
-	logging.Log("GRPC-5Gslo").OnError(err).Debug("date parse failed")
-
-	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
-	logging.Log("GRPC-Bmd9e").OnError(err).Debug("date parse failed")
-
+func passwordComplexityPolicyFromDomain(policy *domain.PasswordComplexityPolicy) *management.PasswordComplexityPolicy {
 	return &management.PasswordComplexityPolicy{
 		MinLength:    policy.MinLength,
 		HasLowercase: policy.HasLowercase,
 		HasUppercase: policy.HasUppercase,
 		HasSymbol:    policy.HasSymbol,
 		HasNumber:    policy.HasNumber,
-		CreationDate: changeDate,
-		ChangeDate:   creationDate,
+		CreationDate: timestamppb.New(policy.CreationDate),
+		ChangeDate:   timestamppb.New(policy.ChangeDate),
 	}
 }

--- a/internal/api/grpc/management/password_lockout_policy.go
+++ b/internal/api/grpc/management/password_lockout_policy.go
@@ -2,6 +2,7 @@ package management

 import (
 	"context"
+	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/pkg/grpc/management"
 	"github.com/golang/protobuf/ptypes/empty"
 )
@@ -23,22 +24,22 @@ func (s *Server) GetDefaultPasswordLockoutPolicy(ctx context.Context, _ *empty.E
 }

 func (s *Server) CreatePasswordLockoutPolicy(ctx context.Context, policy *management.PasswordLockoutPolicyRequest) (*management.PasswordLockoutPolicy, error) {
-	result, err := s.org.AddPasswordLockoutPolicy(ctx, passwordLockoutPolicyRequestToModel(policy))
+	result, err := s.command.AddPasswordLockoutPolicy(ctx, passwordLockoutPolicyRequestToDomain(ctx, policy))
 	if err != nil {
 		return nil, err
 	}
-	return passwordLockoutPolicyFromModel(result), nil
+	return passwordLockoutPolicyFromDomain(result), nil
 }

 func (s *Server) UpdatePasswordLockoutPolicy(ctx context.Context, policy *management.PasswordLockoutPolicyRequest) (*management.PasswordLockoutPolicy, error) {
-	result, err := s.org.ChangePasswordLockoutPolicy(ctx, passwordLockoutPolicyRequestToModel(policy))
+	result, err := s.command.ChangePasswordLockoutPolicy(ctx, passwordLockoutPolicyRequestToDomain(ctx, policy))
 	if err != nil {
 		return nil, err
 	}
-	return passwordLockoutPolicyFromModel(result), nil
+	return passwordLockoutPolicyFromDomain(result), nil
 }

 func (s *Server) RemovePasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
-	err := s.org.RemovePasswordLockoutPolicy(ctx)
+	err := s.command.RemovePasswordLockoutPolicy(ctx, authz.GetCtxData(ctx).OrgID)
 	return &empty.Empty{}, err
 }
--- a/internal/api/grpc/management/password_lockout_policy_converter.go
+++ b/internal/api/grpc/management/password_lockout_policy_converter.go
@@ -1,31 +1,34 @@
 package management

 import (
+	"context"
+
 	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/eventstore/models"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/pkg/grpc/management"
 	"github.com/golang/protobuf/ptypes"
+	"google.golang.org/protobuf/types/known/timestamppb"
 )

-func passwordLockoutPolicyRequestToModel(policy *management.PasswordLockoutPolicyRequest) *iam_model.PasswordLockoutPolicy {
-	return &iam_model.PasswordLockoutPolicy{
+func passwordLockoutPolicyRequestToDomain(ctx context.Context, policy *management.PasswordLockoutPolicyRequest) *domain.PasswordLockoutPolicy {
+	return &domain.PasswordLockoutPolicy{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: authz.GetCtxData(ctx).OrgID,
+		},
 		MaxAttempts:         policy.MaxAttempts,
 		ShowLockOutFailures: policy.ShowLockoutFailure,
 	}
 }

-func passwordLockoutPolicyFromModel(policy *iam_model.PasswordLockoutPolicy) *management.PasswordLockoutPolicy {
-	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
-	logging.Log("GRPC-bMd9o").OnError(err).Debug("date parse failed")
-
-	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
-	logging.Log("GRPC-jFs89").OnError(err).Debug("date parse failed")
-
+func passwordLockoutPolicyFromDomain(policy *domain.PasswordLockoutPolicy) *management.PasswordLockoutPolicy {
 	return &management.PasswordLockoutPolicy{
 		MaxAttempts:        policy.MaxAttempts,
 		ShowLockoutFailure: policy.ShowLockOutFailures,
-		CreationDate:       changeDate,
-		ChangeDate:         creationDate,
+		CreationDate:       timestamppb.New(policy.CreationDate),
+		ChangeDate:         timestamppb.New(policy.ChangeDate),
 	}
 }