fix: import user, hide login name suffix (#1474)

* fix: import user, and label policy command side * feat: Import user and hide loginname suffix (#1464) * fix: import user * fix: label policy * fix: label policy * fix: label policy * fix: migrations * fix: migrations * fix: migrations * fix: label policy * loginSuffix in login ui * suffix * fix cursor on disabled user selection Co-authored-by: Livio Amstutz <livio.a@gmail.com> (cherry picked from commit 03ddb8fc388494d6ec99b1db9e16d16c28ee9649) * feat: Import user and hide loginname suffix (#1464) * fix: import user * fix: label policy * fix: label policy * fix: label policy * fix: migrations * fix: migrations * fix: migrations * fix: label policy * loginSuffix in login ui * suffix * fix cursor on disabled user selection Co-authored-by: Livio Amstutz <livio.a@gmail.com> (cherry picked from commit 03ddb8fc388494d6ec99b1db9e16d16c28ee9649) * feat: Import user and hide loginname suffix (#1464) * fix: import user * fix: label policy * fix: label policy * fix: label policy * fix: migrations * fix: migrations * fix: migrations * fix: label policy * loginSuffix in login ui * suffix * fix cursor on disabled user selection Co-authored-by: Livio Amstutz <livio.a@gmail.com> (cherry picked from commit 03ddb8fc388494d6ec99b1db9e16d16c28ee9649) * fix: label policy events * loginname placeholder * fix: tests * fix: tests * Update internal/command/iam_policy_label_model.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-07-12 01:58:32 +00:00 · 2021-03-25 14:41:07 +01:00 · 2021-03-25 14:41:07 +01:00 · 4d10f3e715
commit 4d10f3e715
parent d7255130a4
58 changed files with 1444 additions and 309 deletions
--- a/internal/api/grpc/admin/label_policy_converter.go
+++ b/internal/api/grpc/admin/label_policy_converter.go
@ -9,5 +9,6 @@ func updateLabelPolicyToDomain(policy *admin_pb.UpdateLabelPolicyRequest) *domai
 	return &domain.LabelPolicy{
 		PrimaryColor:        policy.PrimaryColor,
 		SecondaryColor:      policy.SecondaryColor,
 		HideLoginNameSuffix: policy.HideLoginNameSuffix,
 	}
 }
--- a/internal/api/grpc/management/policy_label.go
+++ b/internal/api/grpc/management/policy_label.go
@ -0,0 +1,64 @@
 package management
 import (
 	"context"
 	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/api/grpc/object"
 	policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy"
 	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
 )
 func (s *Server) GetLabelPolicy(ctx context.Context, req *mgmt_pb.GetLabelPolicyRequest) (*mgmt_pb.GetLabelPolicyResponse, error) {
 	policy, err := s.org.GetLabelPolicy(ctx)
 	if err != nil {
 		return nil, err
 	}
 	return &mgmt_pb.GetLabelPolicyResponse{Policy: policy_grpc.ModelLabelPolicyToPb(policy)}, nil
 }
 func (s *Server) GetDefaultLabelPolicy(ctx context.Context, req *mgmt_pb.GetDefaultLabelPolicyRequest) (*mgmt_pb.GetDefaultLabelPolicyResponse, error) {
 	policy, err := s.org.GetDefaultLabelPolicy(ctx)
 	if err != nil {
 		return nil, err
 	}
 	return &mgmt_pb.GetDefaultLabelPolicyResponse{Policy: policy_grpc.ModelLabelPolicyToPb(policy)}, nil
 }
 func (s *Server) AddCustomLabelPolicy(ctx context.Context, req *mgmt_pb.AddCustomLabelPolicyRequest) (*mgmt_pb.AddCustomLabelPolicyResponse, error) {
 	policy, err := s.command.AddLabelPolicy(ctx, authz.GetCtxData(ctx).OrgID, addLabelPolicyToDomain(req))
 	if err != nil {
 		return nil, err
 	}
 	return &mgmt_pb.AddCustomLabelPolicyResponse{
 		Details: object.AddToDetailsPb(
 			policy.Sequence,
 			policy.ChangeDate,
 			policy.ResourceOwner,
 		),
 	}, nil
 }
 func (s *Server) UpdateCustomLabelPolicy(ctx context.Context, req *mgmt_pb.UpdateCustomLabelPolicyRequest) (*mgmt_pb.UpdateCustomLabelPolicyResponse, error) {
 	policy, err := s.command.ChangeLabelPolicy(ctx, authz.GetCtxData(ctx).OrgID, updateLabelPolicyToDomain(req))
 	if err != nil {
 		return nil, err
 	}
 	return &mgmt_pb.UpdateCustomLabelPolicyResponse{
 		Details: object.ChangeToDetailsPb(
 			policy.Sequence,
 			policy.ChangeDate,
 			policy.ResourceOwner,
 		),
 	}, nil
 }
 func (s *Server) ResetLabelPolicyToDefault(ctx context.Context, req *mgmt_pb.ResetLabelPolicyToDefaultRequest) (*mgmt_pb.ResetLabelPolicyToDefaultResponse, error) {
 	objectDetails, err := s.command.RemoveLabelPolicy(ctx, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
 	return &mgmt_pb.ResetLabelPolicyToDefaultResponse{
 		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }
--- a/internal/api/grpc/management/policy_label_converter.go
+++ b/internal/api/grpc/management/policy_label_converter.go
@ -0,0 +1,22 @@
 package management
 import (
 	"github.com/caos/zitadel/internal/domain"
 	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
 )
 func addLabelPolicyToDomain(p *mgmt_pb.AddCustomLabelPolicyRequest) *domain.LabelPolicy {
 	return &domain.LabelPolicy{
 		PrimaryColor:        p.PrimaryColor,
 		SecondaryColor:      p.SecondaryColor,
 		HideLoginNameSuffix: p.HideLoginNameSuffix,
 	}
 }
 func updateLabelPolicyToDomain(p *mgmt_pb.UpdateCustomLabelPolicyRequest) *domain.LabelPolicy {
 	return &domain.LabelPolicy{
 		PrimaryColor:        p.PrimaryColor,
 		SecondaryColor:      p.SecondaryColor,
 		HideLoginNameSuffix: p.HideLoginNameSuffix,
 	}
 }
--- a/internal/api/grpc/management/user.go
+++ b/internal/api/grpc/management/user.go
@ -87,6 +87,21 @@ func (s *Server) AddHumanUser(ctx context.Context, req *mgmt_pb.AddHumanUserRequ
 	}, nil
 }
 func (s *Server) ImportHumanUser(ctx context.Context, req *mgmt_pb.ImportHumanUserRequest) (*mgmt_pb.ImportHumanUserResponse, error) {
 	human, err := s.command.ImportHuman(ctx, authz.GetCtxData(ctx).OrgID, ImportHumanUserRequestToDomain(req))
 	if err != nil {
 		return nil, err
 	}
 	return &mgmt_pb.ImportHumanUserResponse{
 		UserId: human.AggregateID,
 		Details: obj_grpc.AddToDetailsPb(
 			human.Sequence,
 			human.ChangeDate,
 			human.ResourceOwner,
 		),
 	}, nil
 }
 func (s *Server) AddMachineUser(ctx context.Context, req *mgmt_pb.AddMachineUserRequest) (*mgmt_pb.AddMachineUserResponse, error) {
 	machine, err := s.command.AddMachine(ctx, authz.GetCtxData(ctx).OrgID, AddMachineUserRequestToDomain(req))
 	if err != nil {
--- a/internal/api/grpc/management/user_converter.go
+++ b/internal/api/grpc/management/user_converter.go
@ -69,6 +69,38 @@ func AddHumanUserRequestToDomain(req *mgmt_pb.AddHumanUserRequest) *domain.Human
 	return h
 }
 func ImportHumanUserRequestToDomain(req *mgmt_pb.ImportHumanUserRequest) *domain.Human {
 	h := &domain.Human{
 		Username: req.UserName,
 	}
 	preferredLanguage, err := language.Parse(req.Profile.PreferredLanguage)
 	logging.Log("MANAG-3GUFJ").OnError(err).Debug("language malformed")
 	h.Profile = &domain.Profile{
 		FirstName:         req.Profile.FirstName,
 		LastName:          req.Profile.LastName,
 		NickName:          req.Profile.NickName,
 		DisplayName:       req.Profile.DisplayName,
 		PreferredLanguage: preferredLanguage,
 		Gender:            user_grpc.GenderToDomain(req.Profile.Gender),
 	}
 	h.Email = &domain.Email{
 		EmailAddress:    req.Email.Email,
 		IsEmailVerified: req.Email.IsEmailVerified,
 	}
 	if req.Phone != nil {
 		h.Phone = &domain.Phone{
 			PhoneNumber:     req.Phone.Phone,
 			IsPhoneVerified: req.Phone.IsPhoneVerified,
 		}
 	}
 	if req.Password != "" {
 		h.Password = &domain.Password{SecretString: req.Password}
 		h.Password.ChangeRequired = true
 	}
 	return h
 }
 func AddMachineUserRequestToDomain(req *mgmt_pb.AddMachineUserRequest) *domain.Machine {
 	return &domain.Machine{
 		Username:    req.UserName,
--- a/internal/api/grpc/policy/label_policy.go
+++ b/internal/api/grpc/policy/label_policy.go
@ -11,6 +11,7 @@ func ModelLabelPolicyToPb(policy *model.LabelPolicyView) *policy_pb.LabelPolicy
 		IsDefault:           policy.Default,
 		PrimaryColor:        policy.PrimaryColor,
 		SecondaryColor:      policy.SecondaryColor,
 		HideLoginNameSuffix: policy.HideLoginNameSuffix,
 		Details: object.ToViewDetailsPb(
 			policy.Sequence,
 			policy.CreationDate,
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
@ -244,7 +244,7 @@ func (repo *AuthRequestRepo) SelectUser(ctx context.Context, id, userID, userAge
 	if request.RequestedOrgID != "" && request.RequestedOrgID != user.ResourceOwner {
 		return errors.ThrowPreconditionFailed(nil, "EVENT-fJe2a", "Errors.User.NotAllowedOrg")
 	}
-	request.SetUserInfo(user.ID, user.PreferredLoginName, user.DisplayName, user.ResourceOwner)
+	request.SetUserInfo(user.ID, user.UserName, user.PreferredLoginName, user.DisplayName, user.ResourceOwner)
 	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
 }
@ -425,21 +425,30 @@ func (repo *AuthRequestRepo) fillLoginPolicy(ctx context.Context, request *domai
 		orgID = repo.IAMID
 	}
-	policy, idpProviders, err := repo.getLoginPolicyAndIDPProviders(ctx, orgID)
+	loginPolicy, idpProviders, err := repo.getLoginPolicyAndIDPProviders(ctx, orgID)
 	if err != nil {
 		return err
 	}
-	request.LoginPolicy = policy
+	request.LoginPolicy = loginPolicy
 	if idpProviders != nil {
 		request.AllowedExternalIDPs = idpProviders
 	}
 	labelPolicy, err := repo.getLabelPolicy(ctx, orgID)
 	if err != nil {
 		return err
 	}
 	request.LabelPolicy = labelPolicy
 	return nil
 }
 func (repo *AuthRequestRepo) checkLoginName(ctx context.Context, request *domain.AuthRequest, loginName string) (err error) {
 	user := new(user_view_model.UserView)
 	if request.RequestedOrgID != "" {
-		user, err = repo.View.UserByLoginNameAndResourceOwner(loginName, request.RequestedOrgID)
+		preferredLoginName := loginName
 		if request.RequestedOrgID != "" {
 			preferredLoginName += "@" + request.RequestedPrimaryDomain
 		}
 		user, err = repo.View.UserByLoginNameAndResourceOwner(preferredLoginName, request.RequestedOrgID)
 	} else {
 		user, err = repo.View.UserByLoginName(loginName)
 		if err == nil {
@ -453,7 +462,7 @@ func (repo *AuthRequestRepo) checkLoginName(ctx context.Context, request *domain
 		return err
 	}
-	request.SetUserInfo(user.ID, loginName, "", user.ResourceOwner)
+	request.SetUserInfo(user.ID, loginName, user.PreferredLoginName, "", user.ResourceOwner)
 	return nil
 }
@ -496,7 +505,7 @@ func (repo *AuthRequestRepo) checkExternalUserLogin(request *domain.AuthRequest,
 	if err != nil {
 		return err
 	}
-	request.SetUserInfo(externalIDP.UserID, "", "", externalIDP.ResourceOwner)
+	request.SetUserInfo(externalIDP.UserID, "", "", "", externalIDP.ResourceOwner)
 	return nil
 }
@ -599,6 +608,7 @@ func (repo *AuthRequestRepo) usersForUserSelection(request *domain.AuthRequest)
 		users[i] = domain.UserSelection{
 			UserID:            session.UserID,
 			DisplayName:       session.DisplayName,
 			UserName:          session.UserName,
 			LoginName:         session.LoginName,
 			UserSessionState:  auth_req_model.UserSessionStateToDomain(session.State),
 			SelectionPossible: request.RequestedOrgID == "" || request.RequestedOrgID == session.ResourceOwner,
@ -695,6 +705,21 @@ func (repo *AuthRequestRepo) getLoginPolicy(ctx context.Context, orgID string) (
 	return iam_es_model.LoginPolicyViewToModel(policy), err
 }
 func (repo *AuthRequestRepo) getLabelPolicy(ctx context.Context, orgID string) (*domain.LabelPolicy, error) {
 	policy, err := repo.View.LabelPolicyByAggregateID(orgID)
 	if errors.IsNotFound(err) {
 		policy, err = repo.View.LabelPolicyByAggregateID(repo.IAMID)
 		if err != nil {
 			return nil, err
 		}
 		policy.Default = true
 	}
 	if err != nil {
 		return nil, err
 	}
 	return policy.ToDomain(), err
 }
 func setOrgID(orgViewProvider orgViewProvider, request *domain.AuthRequest) error {
 	primaryDomain := request.GetScopeOrgPrimaryDomain()
 	if primaryDomain == "" {
@ -707,6 +732,7 @@ func setOrgID(orgViewProvider orgViewProvider, request *domain.AuthRequest) erro
 	}
 	request.RequestedOrgID = org.ID
 	request.RequestedOrgName = org.Name
 	request.RequestedPrimaryDomain = primaryDomain
 	return nil
 }
--- a/internal/auth/repository/eventsourcing/handler/handler.go
+++ b/internal/auth/repository/eventsourcing/handler/handler.go
@ -67,6 +67,7 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es
 		newOrgIAMPolicy(
 			handler{view, bulkLimit, configs.cycleDuration("OrgIAMPolicy"), errorCount, es}),
 		newProjectRole(handler{view, bulkLimit, configs.cycleDuration("ProjectRole"), errorCount, es}),
 		newLabelPolicy(handler{view, bulkLimit, configs.cycleDuration("LabelPolicy"), errorCount, es}),
 	}
 }
--- a/internal/auth/repository/eventsourcing/handler/label_policy.go
+++ b/internal/auth/repository/eventsourcing/handler/label_policy.go
@ -0,0 +1,104 @@
 package handler
 import (
 	"github.com/caos/logging"
 	v1 "github.com/caos/zitadel/internal/eventstore/v1"
 	"github.com/caos/zitadel/internal/eventstore/v1/models"
 	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
 	"github.com/caos/zitadel/internal/eventstore/v1/query"
 	"github.com/caos/zitadel/internal/eventstore/v1/spooler"
 	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
 	iam_model "github.com/caos/zitadel/internal/iam/repository/view/model"
 	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
 )
 const (
 	labelPolicyTable = "auth.label_policies"
 )
 type LabelPolicy struct {
 	handler
 	subscription *v1.Subscription
 }
 func newLabelPolicy(handler handler) *LabelPolicy {
 	h := &LabelPolicy{
 		handler: handler,
 	}
 	h.subscribe()
 	return h
 }
 func (m *LabelPolicy) subscribe() {
 	m.subscription = m.es.Subscribe(m.AggregateTypes()...)
 	go func() {
 		for event := range m.subscription.Events {
 			query.ReduceEvent(m, event)
 		}
 	}()
 }
 func (m *LabelPolicy) ViewModel() string {
 	return labelPolicyTable
 }
 func (_ *LabelPolicy) AggregateTypes() []models.AggregateType {
 	return []models.AggregateType{model.OrgAggregate, iam_es_model.IAMAggregate}
 }
 func (m *LabelPolicy) CurrentSequence() (uint64, error) {
 	sequence, err := m.view.GetLatestLabelPolicySequence()
 	if err != nil {
 		return 0, err
 	}
 	return sequence.CurrentSequence, nil
 }
 func (m *LabelPolicy) EventQuery() (*models.SearchQuery, error) {
 	sequence, err := m.view.GetLatestLabelPolicySequence()
 	if err != nil {
 		return nil, err
 	}
 	return es_models.NewSearchQuery().
 		AggregateTypeFilter(m.AggregateTypes()...).
 		LatestSequenceFilter(sequence.CurrentSequence), nil
 }
 func (m *LabelPolicy) Reduce(event *models.Event) (err error) {
 	switch event.AggregateType {
 	case model.OrgAggregate, iam_es_model.IAMAggregate:
 		err = m.processLabelPolicy(event)
 	}
 	return err
 }
 func (m *LabelPolicy) processLabelPolicy(event *models.Event) (err error) {
 	policy := new(iam_model.LabelPolicyView)
 	switch event.Type {
 	case iam_es_model.LabelPolicyAdded, model.LabelPolicyAdded:
 		err = policy.AppendEvent(event)
 	case iam_es_model.LabelPolicyChanged, model.LabelPolicyChanged:
 		policy, err = m.view.LabelPolicyByAggregateID(event.AggregateID)
 		if err != nil {
 			return err
 		}
 		err = policy.AppendEvent(event)
 	default:
 		return m.view.ProcessedLabelPolicySequence(event)
 	}
 	if err != nil {
 		return err
 	}
 	return m.view.PutLabelPolicy(policy, event)
 }
 func (m *LabelPolicy) OnError(event *models.Event, err error) error {
 	logging.LogWithFields("SPOOL-4Djo9", "id", event.AggregateID).WithError(err).Warn("something went wrong in label policy handler")
 	return spooler.HandleError(event, err, m.view.GetLatestLabelPolicyFailedEvent, m.view.ProcessedLabelPolicyFailedEvent, m.view.ProcessedLabelPolicySequence, m.errorCountUntilSkip)
 }
 func (m *LabelPolicy) OnSuccess() error {
 	return spooler.HandleSuccess(m.view.UpdateLabelPolicySpoolerRunTimestamp)
 }
--- a/internal/auth/repository/eventsourcing/view/label_policies.go
+++ b/internal/auth/repository/eventsourcing/view/label_policies.go
@ -0,0 +1,53 @@
 package view
 import (
 	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore/v1/models"
 	"github.com/caos/zitadel/internal/iam/repository/view"
 	"github.com/caos/zitadel/internal/iam/repository/view/model"
 	global_view "github.com/caos/zitadel/internal/view/repository"
 )
 const (
 	labelPolicyTable = "auth.label_policies"
 )
 func (v *View) LabelPolicyByAggregateID(aggregateID string) (*model.LabelPolicyView, error) {
 	return view.GetLabelPolicyByAggregateID(v.Db, labelPolicyTable, aggregateID)
 }
 func (v *View) PutLabelPolicy(policy *model.LabelPolicyView, event *models.Event) error {
 	err := view.PutLabelPolicy(v.Db, labelPolicyTable, policy)
 	if err != nil {
 		return err
 	}
 	return v.ProcessedLabelPolicySequence(event)
 }
 func (v *View) DeleteLabelPolicy(aggregateID string, event *models.Event) error {
 	err := view.DeleteLabelPolicy(v.Db, labelPolicyTable, aggregateID)
 	if err != nil && !errors.IsNotFound(err) {
 		return err
 	}
 	return v.ProcessedLabelPolicySequence(event)
 }
 func (v *View) GetLatestLabelPolicySequence() (*global_view.CurrentSequence, error) {
 	return v.latestSequence(labelPolicyTable)
 }
 func (v *View) ProcessedLabelPolicySequence(event *models.Event) error {
 	return v.saveCurrentSequence(labelPolicyTable, event)
 }
 func (v *View) UpdateLabelPolicySpoolerRunTimestamp() error {
 	return v.updateSpoolerRunSequence(labelPolicyTable)
 }
 func (v *View) GetLatestLabelPolicyFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
 	return v.latestFailedEvent(labelPolicyTable, sequence)
 }
 func (v *View) ProcessedLabelPolicyFailedEvent(failedEvent *global_view.FailedEvent) error {
 	return v.saveFailedEvent(failedEvent)
 }
--- a/internal/auth_request/model/auth_request.go
+++ b/internal/auth_request/model/auth_request.go
@ -29,11 +29,13 @@ type AuthRequest struct {
 	levelOfAssurance       LevelOfAssurance
 	UserID                 string
 	UserName               string
 	LoginName              string
 	DisplayName            string
 	UserOrgID              string
 	RequestedOrgID         string
 	RequestedOrgName       string
 	RequestedPrimaryDomain string
 	SelectedIDPConfigID    string
 	LinkingUsers           []*ExternalUser
 	PossibleSteps          []NextStep
@ -43,6 +45,7 @@ type AuthRequest struct {
 	AuthTime               time.Time
 	Code                   string
 	LoginPolicy            *model.LoginPolicyView
 	LabelPolicy            *model.LabelPolicyView
 	AllowedExternalIDPs    []*model.IDPProviderView
 }
@ -123,8 +126,9 @@ func (a *AuthRequest) WithCurrentInfo(info *BrowserInfo) *AuthRequest {
 	return a
 }
-func (a *AuthRequest) SetUserInfo(userID, loginName, displayName, userOrgID string) {
+func (a *AuthRequest) SetUserInfo(userID, userName, loginName, displayName, userOrgID string) {
 	a.UserID = userID
 	a.UserName = userName
 	a.LoginName = loginName
 	a.DisplayName = displayName
 	a.UserOrgID = userOrgID
--- a/internal/auth_request/model/next_step.go
+++ b/internal/auth_request/model/next_step.go
@ -54,6 +54,7 @@ func (s *SelectUserStep) Type() NextStepType {
 type UserSelection struct {
 	UserID            string
 	DisplayName       string
 	UserName          string
 	LoginName         string
 	UserSessionState  UserSessionState
 	SelectionPossible bool
--- a/internal/command/iam_converter.go
+++ b/internal/command/iam_converter.go
@ -49,6 +49,7 @@ func writeModelToLabelPolicy(wm *LabelPolicyWriteModel) *domain.LabelPolicy {
 		ObjectRoot:          writeModelToObjectRoot(wm.WriteModel),
 		PrimaryColor:        wm.PrimaryColor,
 		SecondaryColor:      wm.SecondaryColor,
 		HideLoginNameSuffix: wm.HideLoginNameSuffix,
 	}
 }
--- a/internal/command/iam_policy_label.go
+++ b/internal/command/iam_policy_label.go
@ -40,7 +40,7 @@ func (c *Commands) addDefaultLabelPolicy(ctx context.Context, iamAgg *eventstore
 		return nil, caos_errs.ThrowAlreadyExists(nil, "IAM-2B0ps", "Errors.IAM.LabelPolicy.AlreadyExists")
 	}
-	return iam_repo.NewLabelPolicyAddedEvent(ctx, iamAgg, policy.PrimaryColor, policy.SecondaryColor), nil
+	return iam_repo.NewLabelPolicyAddedEvent(ctx, iamAgg, policy.PrimaryColor, policy.SecondaryColor, policy.HideLoginNameSuffix), nil
 }
@ -57,7 +57,7 @@ func (c *Commands) ChangeDefaultLabelPolicy(ctx context.Context, policy *domain.
 		return nil, caos_errs.ThrowNotFound(nil, "IAM-0K9dq", "Errors.IAM.LabelPolicy.NotFound")
 	}
 	iamAgg := IAMAggregateFromWriteModel(&existingPolicy.LabelPolicyWriteModel.WriteModel)
-	changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, iamAgg, policy.PrimaryColor, policy.SecondaryColor)
+	changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, iamAgg, policy.PrimaryColor, policy.SecondaryColor, policy.HideLoginNameSuffix)
 	if !hasChanged {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "IAM-4M9vs", "Errors.IAM.LabelPolicy.NotChanged")
 	}
--- a/internal/command/iam_policy_label_model.go
+++ b/internal/command/iam_policy_label_model.go
@ -53,6 +53,7 @@ func (wm *IAMLabelPolicyWriteModel) NewChangedEvent(
 	aggregate *eventstore.Aggregate,
 	primaryColor,
 	secondaryColor string,
 	hideLoginNameSuffix bool,
 ) (*iam.LabelPolicyChangedEvent, bool) {
 	changes := make([]policy.LabelPolicyChanges, 0)
 	if wm.PrimaryColor != primaryColor {
@ -61,6 +62,9 @@ func (wm *IAMLabelPolicyWriteModel) NewChangedEvent(
 	if wm.SecondaryColor != secondaryColor {
 		changes = append(changes, policy.ChangeSecondaryColor(secondaryColor))
 	}
 	if wm.HideLoginNameSuffix != hideLoginNameSuffix {
 		changes = append(changes, policy.ChangeHideLoginNameSuffix(hideLoginNameSuffix))
 	}
 	if len(changes) == 0 {
 		return nil, false
 	}
--- a/internal/command/iam_policy_label_test.go
+++ b/internal/command/iam_policy_label_test.go
@ -60,6 +60,7 @@ func TestCommandSide_AddDefaultLabelPolicy(t *testing.T) {
 								&iam.NewAggregate().Aggregate,
 								"primary-color",
 								"secondary-color",
 								true,
 							),
 						),
 					),
@ -70,6 +71,7 @@ func TestCommandSide_AddDefaultLabelPolicy(t *testing.T) {
 				policy: &domain.LabelPolicy{
 					PrimaryColor:        "primary-color",
 					SecondaryColor:      "secondary-color",
 					HideLoginNameSuffix: true,
 				},
 			},
 			res: res{
@ -89,6 +91,7 @@ func TestCommandSide_AddDefaultLabelPolicy(t *testing.T) {
 									&iam.NewAggregate().Aggregate,
 									"primary-color",
 									"secondary-color",
 									true,
 								),
 							),
 						},
@ -100,6 +103,7 @@ func TestCommandSide_AddDefaultLabelPolicy(t *testing.T) {
 				policy: &domain.LabelPolicy{
 					PrimaryColor:        "primary-color",
 					SecondaryColor:      "secondary-color",
 					HideLoginNameSuffix: true,
 				},
 			},
 			res: res{
@ -110,6 +114,7 @@ func TestCommandSide_AddDefaultLabelPolicy(t *testing.T) {
 					},
 					PrimaryColor:        "primary-color",
 					SecondaryColor:      "secondary-color",
 					HideLoginNameSuffix: true,
 				},
 			},
 		},
@ -199,6 +204,7 @@ func TestCommandSide_ChangeDefaultLabelPolicy(t *testing.T) {
 								&iam.NewAggregate().Aggregate,
 								"primary-color",
 								"secondary-color",
 								true,
 							),
 						),
 					),
@ -209,6 +215,7 @@ func TestCommandSide_ChangeDefaultLabelPolicy(t *testing.T) {
 				policy: &domain.LabelPolicy{
 					PrimaryColor:        "primary-color",
 					SecondaryColor:      "secondary-color",
 					HideLoginNameSuffix: true,
 				},
 			},
 			res: res{
@ -226,13 +233,14 @@ func TestCommandSide_ChangeDefaultLabelPolicy(t *testing.T) {
 								&iam.NewAggregate().Aggregate,
 								"primary-color",
 								"secondary-color",
 								true,
 							),
 						),
 					),
 					expectPush(
 						[]*repository.Event{
 							eventFromEventPusher(
-								newDefaultLabelPolicyChangedEvent(context.Background(), "primary-color-change", "secondary-color-change"),
+								newDefaultLabelPolicyChangedEvent(context.Background(), "primary-color-change", "secondary-color-change", false),
 							),
 						},
 					),
@ -243,6 +251,7 @@ func TestCommandSide_ChangeDefaultLabelPolicy(t *testing.T) {
 				policy: &domain.LabelPolicy{
 					PrimaryColor:        "primary-color-change",
 					SecondaryColor:      "secondary-color-change",
 					HideLoginNameSuffix: false,
 				},
 			},
 			res: res{
@ -253,6 +262,7 @@ func TestCommandSide_ChangeDefaultLabelPolicy(t *testing.T) {
 					},
 					PrimaryColor:        "primary-color-change",
 					SecondaryColor:      "secondary-color-change",
 					HideLoginNameSuffix: false,
 				},
 			},
 		},
@ -276,12 +286,13 @@ func TestCommandSide_ChangeDefaultLabelPolicy(t *testing.T) {
 	}
 }
-func newDefaultLabelPolicyChangedEvent(ctx context.Context, primaryColor, secondaryColor string) *iam.LabelPolicyChangedEvent {
+func newDefaultLabelPolicyChangedEvent(ctx context.Context, primaryColor, secondaryColor string, hideLoginNameSuffix bool) *iam.LabelPolicyChangedEvent {
 	event, _ := iam.NewLabelPolicyChangedEvent(ctx,
 		&iam.NewAggregate().Aggregate,
 		[]policy.LabelPolicyChanges{
 			policy.ChangePrimaryColor(primaryColor),
 			policy.ChangeSecondaryColor(secondaryColor),
 			policy.ChangeHideLoginNameSuffix(hideLoginNameSuffix),
 		},
 	)
 	return event
--- a/internal/command/org_policy_label.go
+++ b/internal/command/org_policy_label.go
@ -25,7 +25,7 @@ func (c *Commands) AddLabelPolicy(ctx context.Context, resourceOwner string, pol
 	}
 	orgAgg := OrgAggregateFromWriteModel(&addedPolicy.LabelPolicyWriteModel.WriteModel)
-	pushedEvents, err := c.eventstore.PushEvents(ctx, org.NewLabelPolicyAddedEvent(ctx, orgAgg, policy.PrimaryColor, policy.SecondaryColor))
+	pushedEvents, err := c.eventstore.PushEvents(ctx, org.NewLabelPolicyAddedEvent(ctx, orgAgg, policy.PrimaryColor, policy.SecondaryColor, policy.HideLoginNameSuffix))
 	if err != nil {
 		return nil, err
 	}
@ -53,7 +53,7 @@ func (c *Commands) ChangeLabelPolicy(ctx context.Context, resourceOwner string,
 	}
 	orgAgg := OrgAggregateFromWriteModel(&existingPolicy.LabelPolicyWriteModel.WriteModel)
-	changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, orgAgg, policy.PrimaryColor, policy.SecondaryColor)
+	changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, orgAgg, policy.PrimaryColor, policy.SecondaryColor, policy.HideLoginNameSuffix)
 	if !hasChanged {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "Org-4M9vs", "Errors.Org.LabelPolicy.NotChanged")
 	}
@ -69,19 +69,26 @@ func (c *Commands) ChangeLabelPolicy(ctx context.Context, resourceOwner string,
 	return writeModelToLabelPolicy(&existingPolicy.LabelPolicyWriteModel), nil
 }
-func (c *Commands) RemoveLabelPolicy(ctx context.Context, orgID string) error {
+func (c *Commands) RemoveLabelPolicy(ctx context.Context, orgID string) (*domain.ObjectDetails, error) {
 	if orgID == "" {
-		return caos_errs.ThrowInvalidArgument(nil, "Org-Mf9sf", "Errors.ResourceOwnerMissing")
+		return nil, caos_errs.ThrowInvalidArgument(nil, "Org-Mf9sf", "Errors.ResourceOwnerMissing")
 	}
 	existingPolicy := NewOrgLabelPolicyWriteModel(orgID)
 	err := c.eventstore.FilterToQueryReducer(ctx, existingPolicy)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved {
-		return caos_errs.ThrowNotFound(nil, "Org-3M9df", "Errors.Org.LabelPolicy.NotFound")
+		return nil, caos_errs.ThrowNotFound(nil, "Org-3M9df", "Errors.Org.LabelPolicy.NotFound")
 	}
 	orgAgg := OrgAggregateFromWriteModel(&existingPolicy.WriteModel)
-	_, err = c.eventstore.PushEvents(ctx, org.NewLabelPolicyRemovedEvent(ctx, orgAgg))
+	pushedEvents, err := c.eventstore.PushEvents(ctx, org.NewLabelPolicyRemovedEvent(ctx, orgAgg))
-	return err
+	if err != nil {
 		return nil, err
 	}
 	err = AppendAndReduce(existingPolicy, pushedEvents...)
 	if err != nil {
 		return nil, err
 	}
 	return writeModelToObjectDetails(&existingPolicy.LabelPolicyWriteModel.WriteModel), nil
 }
--- a/internal/command/org_policy_label_model.go
+++ b/internal/command/org_policy_label_model.go
@ -52,6 +52,7 @@ func (wm *OrgLabelPolicyWriteModel) NewChangedEvent(
 	aggregate *eventstore.Aggregate,
 	primaryColor,
 	secondaryColor string,
 	hideLoginNameSuffix bool,
 ) (*org.LabelPolicyChangedEvent, bool) {
 	changes := make([]policy.LabelPolicyChanges, 0)
 	if wm.PrimaryColor != primaryColor {
@ -60,6 +61,9 @@ func (wm *OrgLabelPolicyWriteModel) NewChangedEvent(
 	if wm.SecondaryColor != secondaryColor {
 		changes = append(changes, policy.ChangeSecondaryColor(secondaryColor))
 	}
 	if wm.HideLoginNameSuffix != hideLoginNameSuffix {
 		changes = append(changes, policy.ChangeHideLoginNameSuffix(hideLoginNameSuffix))
 	}
 	if len(changes) == 0 {
 		return nil, false
 	}
--- a/internal/command/org_policy_label_test.go
+++ b/internal/command/org_policy_label_test.go
@ -82,6 +82,7 @@ func TestCommandSide_AddLabelPolicy(t *testing.T) {
 								&org.NewAggregate("org1", "org1").Aggregate,
 								"primary-color",
 								"secondary-color",
 								true,
 							),
 						),
 					),
@ -93,6 +94,7 @@ func TestCommandSide_AddLabelPolicy(t *testing.T) {
 				policy: &domain.LabelPolicy{
 					PrimaryColor:        "primary-color",
 					SecondaryColor:      "secondary-color",
 					HideLoginNameSuffix: true,
 				},
 			},
 			res: res{
@ -112,6 +114,7 @@ func TestCommandSide_AddLabelPolicy(t *testing.T) {
 									&org.NewAggregate("org1", "org1").Aggregate,
 									"primary-color",
 									"secondary-color",
 									true,
 								),
 							),
 						},
@ -124,6 +127,7 @@ func TestCommandSide_AddLabelPolicy(t *testing.T) {
 				policy: &domain.LabelPolicy{
 					PrimaryColor:        "primary-color",
 					SecondaryColor:      "secondary-color",
 					HideLoginNameSuffix: true,
 				},
 			},
 			res: res{
@ -134,6 +138,7 @@ func TestCommandSide_AddLabelPolicy(t *testing.T) {
 					},
 					PrimaryColor:        "primary-color",
 					SecondaryColor:      "secondary-color",
 					HideLoginNameSuffix: true,
 				},
 			},
 		},
@ -244,6 +249,7 @@ func TestCommandSide_ChangeLabelPolicy(t *testing.T) {
 								&org.NewAggregate("org1", "org1").Aggregate,
 								"primary-color",
 								"secondary-color",
 								true,
 							),
 						),
 					),
@ -255,6 +261,7 @@ func TestCommandSide_ChangeLabelPolicy(t *testing.T) {
 				policy: &domain.LabelPolicy{
 					PrimaryColor:        "primary-color",
 					SecondaryColor:      "secondary-color",
 					HideLoginNameSuffix: true,
 				},
 			},
 			res: res{
@ -272,13 +279,14 @@ func TestCommandSide_ChangeLabelPolicy(t *testing.T) {
 								&org.NewAggregate("org1", "org1").Aggregate,
 								"primary-color",
 								"secondary-color",
 								true,
 							),
 						),
 					),
 					expectPush(
 						[]*repository.Event{
 							eventFromEventPusher(
-								newLabelPolicyChangedEvent(context.Background(), "org1", "primary-color-change", "secondary-color-change"),
+								newLabelPolicyChangedEvent(context.Background(), "org1", "primary-color-change", "secondary-color-change", false),
 							),
 						},
 					),
@ -290,6 +298,7 @@ func TestCommandSide_ChangeLabelPolicy(t *testing.T) {
 				policy: &domain.LabelPolicy{
 					PrimaryColor:        "primary-color-change",
 					SecondaryColor:      "secondary-color-change",
 					HideLoginNameSuffix: false,
 				},
 			},
 			res: res{
@ -300,6 +309,7 @@ func TestCommandSide_ChangeLabelPolicy(t *testing.T) {
 					},
 					PrimaryColor:        "primary-color-change",
 					SecondaryColor:      "secondary-color-change",
 					HideLoginNameSuffix: false,
 				},
 			},
 		},
@ -381,6 +391,7 @@ func TestCommandSide_RemoveLabelPolicy(t *testing.T) {
 								&org.NewAggregate("org1", "org1").Aggregate,
 								"primary-color",
 								"secondary-color",
 								true,
 							),
 						),
 					),
@ -406,7 +417,7 @@ func TestCommandSide_RemoveLabelPolicy(t *testing.T) {
 			r := &Commands{
 				eventstore: tt.fields.eventstore,
 			}
-			err := r.RemoveLabelPolicy(tt.args.ctx, tt.args.orgID)
+			_, err := r.RemoveLabelPolicy(tt.args.ctx, tt.args.orgID)
 			if tt.res.err == nil {
 				assert.NoError(t, err)
 			}
@ -417,12 +428,13 @@ func TestCommandSide_RemoveLabelPolicy(t *testing.T) {
 	}
 }
-func newLabelPolicyChangedEvent(ctx context.Context, orgID, primaryColor, secondaryColor string) *org.LabelPolicyChangedEvent {
+func newLabelPolicyChangedEvent(ctx context.Context, orgID, primaryColor, secondaryColor string, hideLoginNameSuffix bool) *org.LabelPolicyChangedEvent {
 	event, _ := org.NewLabelPolicyChangedEvent(ctx,
 		&org.NewAggregate(orgID, orgID).Aggregate,
 		[]policy.LabelPolicyChanges{
 			policy.ChangePrimaryColor(primaryColor),
 			policy.ChangeSecondaryColor(secondaryColor),
 			policy.ChangeHideLoginNameSuffix(hideLoginNameSuffix),
 		},
 	)
 	return event
--- a/internal/command/policy_label_model.go
+++ b/internal/command/policy_label_model.go
@ -11,6 +11,7 @@ type LabelPolicyWriteModel struct {
 	PrimaryColor        string
 	SecondaryColor      string
 	HideLoginNameSuffix bool
 	State domain.PolicyState
 }
@ -21,6 +22,7 @@ func (wm *LabelPolicyWriteModel) Reduce() error {
 		case *policy.LabelPolicyAddedEvent:
 			wm.PrimaryColor = e.PrimaryColor
 			wm.SecondaryColor = e.SecondaryColor
 			wm.HideLoginNameSuffix = e.HideLoginNameSuffix
 			wm.State = domain.PolicyStateActive
 		case *policy.LabelPolicyChangedEvent:
 			if e.PrimaryColor != nil {
@ -29,6 +31,9 @@ func (wm *LabelPolicyWriteModel) Reduce() error {
 			if e.SecondaryColor != nil {
 				wm.SecondaryColor = *e.SecondaryColor
 			}
 			if e.HideLoginNameSuffix != nil {
 				wm.HideLoginNameSuffix = *e.HideLoginNameSuffix
 			}
 		case *policy.LabelPolicyRemovedEvent:
 			wm.State = domain.PolicyStateRemoved
 		}
--- a/internal/command/user_human.go
+++ b/internal/command/user_human.go
@ -50,7 +50,46 @@ func (c *Commands) AddHuman(ctx context.Context, orgID string, human *domain.Hum
 	return writeModelToHuman(addedHuman), nil
 }
 func (c *Commands) ImportHuman(ctx context.Context, orgID string, human *domain.Human) (*domain.Human, error) {
 	if orgID == "" {
 		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-5N8fs", "Errors.ResourceOwnerMissing")
 	}
 	orgIAMPolicy, err := c.getOrgIAMPolicy(ctx, orgID)
 	if err != nil {
 		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-2N9fs", "Errors.Org.OrgIAMPolicy.NotFound")
 	}
 	pwPolicy, err := c.getOrgPasswordComplexityPolicy(ctx, orgID)
 	if err != nil {
 		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-4N8gs", "Errors.Org.PasswordComplexity.NotFound")
 	}
 	events, addedHuman, err := c.importHuman(ctx, orgID, human, orgIAMPolicy, pwPolicy)
 	if err != nil {
 		return nil, err
 	}
 	pushedEvents, err := c.eventstore.PushEvents(ctx, events...)
 	if err != nil {
 		return nil, err
 	}
 	err = AppendAndReduce(addedHuman, pushedEvents...)
 	if err != nil {
 		return nil, err
 	}
 	return writeModelToHuman(addedHuman), nil
 }
 func (c *Commands) addHuman(ctx context.Context, orgID string, human *domain.Human, orgIAMPolicy *domain.OrgIAMPolicy, pwPolicy *domain.PasswordComplexityPolicy) ([]eventstore.EventPusher, *HumanWriteModel, error) {
 	if orgID == "" || !human.IsValid() {
 		return nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-4M90d", "Errors.User.Invalid")
 	}
 	if human.Password != nil && human.SecretString != "" {
 		human.ChangeRequired = true
 	}
 	return c.createHuman(ctx, orgID, human, nil, false, orgIAMPolicy, pwPolicy)
 }
 func (c *Commands) importHuman(ctx context.Context, orgID string, human *domain.Human, orgIAMPolicy *domain.OrgIAMPolicy, pwPolicy *domain.PasswordComplexityPolicy) ([]eventstore.EventPusher, *HumanWriteModel, error) {
 	if orgID == "" || !human.IsValid() {
 		return nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-4M90d", "Errors.User.Invalid")
 	}
@ -104,6 +143,9 @@ func (c *Commands) registerHuman(ctx context.Context, orgID string, human *domai
 	if err != nil {
 		return nil, nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-M5Fsd", "Errors.Org.PasswordComplexity.NotFound")
 	}
 	if human.Password != nil && human.SecretString != "" {
 		human.ChangeRequired = false
 	}
 	return c.createHuman(ctx, orgID, human, externalIDP, true, orgIAMPolicy, pwPolicy)
 }
@ -117,9 +159,12 @@ func (c *Commands) createHuman(ctx context.Context, orgID string, human *domain.
 	}
 	human.AggregateID = userID
 	human.SetNamesAsDisplayname()
-	if err := human.HashPasswordIfExisting(pwPolicy, c.userPasswordAlg, !selfregister); err != nil {
+	if human.Password != nil {
 		if err := human.HashPasswordIfExisting(pwPolicy, c.userPasswordAlg, human.ChangeRequired); err != nil {
 			return nil, nil, err
 		}
 	}
 	addedHuman := NewHumanWriteModel(human.AggregateID, orgID)
 	//TODO: adlerhurst maybe we could simplify the code below
 	userAgg := UserAggregateFromWriteModel(&addedHuman.WriteModel)
--- a/internal/command/user_human_test.go
+++ b/internal/command/user_human_test.go
@ -171,51 +171,6 @@ func TestCommandSide_AddHuman(t *testing.T) {
 				err: caos_errs.IsErrorInvalidArgument,
 			},
 		},
 		{
 			name: "org policy check failed, precondition error",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgIAMPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 							),
 						),
 					),
 					expectFilter(
 						eventFromEventPusher(
 							org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								1,
 								false,
 								false,
 								false,
 								false,
 							),
 						),
 					),
 				),
 			},
 			args: args{
 				ctx:   context.Background(),
 				orgID: "org1",
 				human: &domain.Human{
 					Username: "email@test.ch",
 					Profile: &domain.Profile{
 						FirstName: "firstname",
 						LastName:  "lastname",
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
 					},
 				},
 			},
 			res: res{
 				err: caos_errs.IsPreconditionFailed,
 			},
 		},
 		{
 			name: "add human (with initial code), ok",
 			fields: fields{
@ -695,6 +650,553 @@ func TestCommandSide_AddHuman(t *testing.T) {
 	}
 }
 func TestCommandSide_ImportHuman(t *testing.T) {
 	type fields struct {
 		eventstore      *eventstore.Eventstore
 		idGenerator     id.Generator
 		secretGenerator crypto.Generator
 		userPasswordAlg crypto.HashAlgorithm
 	}
 	type args struct {
 		ctx   context.Context
 		orgID string
 		human *domain.Human
 	}
 	type res struct {
 		want *domain.Human
 		err  func(error) bool
 	}
 	tests := []struct {
 		name   string
 		fields fields
 		args   args
 		res    res
 	}{
 		{
 			name: "orgid missing, invalid argument error",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 				),
 			},
 			args: args{
 				ctx:   context.Background(),
 				orgID: "",
 				human: &domain.Human{
 					Username: "username",
 					Profile: &domain.Profile{
 						FirstName: "firstname",
 						LastName:  "lastname",
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
 					},
 				},
 			},
 			res: res{
 				err: caos_errs.IsErrorInvalidArgument,
 			},
 		},
 		{
 			name: "org policy not found, precondition error",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 					expectFilter(),
 					expectFilter(),
 				),
 			},
 			args: args{
 				ctx:   context.Background(),
 				orgID: "org1",
 				human: &domain.Human{
 					Username: "username",
 					Profile: &domain.Profile{
 						FirstName: "firstname",
 						LastName:  "lastname",
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
 					},
 				},
 			},
 			res: res{
 				err: caos_errs.IsPreconditionFailed,
 			},
 		},
 		{
 			name: "password policy not found, precondition error",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgIAMPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 							),
 						),
 					),
 					expectFilter(),
 					expectFilter(),
 				),
 			},
 			args: args{
 				ctx:   context.Background(),
 				orgID: "org1",
 				human: &domain.Human{
 					Username: "username",
 					Profile: &domain.Profile{
 						FirstName: "firstname",
 						LastName:  "lastname",
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
 					},
 				},
 			},
 			res: res{
 				err: caos_errs.IsPreconditionFailed,
 			},
 		},
 		{
 			name: "user invalid, invalid argument error",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgIAMPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 							),
 						),
 					),
 					expectFilter(
 						eventFromEventPusher(
 							org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								1,
 								false,
 								false,
 								false,
 								false,
 							),
 						),
 					),
 				),
 			},
 			args: args{
 				ctx:   context.Background(),
 				orgID: "org1",
 				human: &domain.Human{
 					Username: "username",
 					Profile: &domain.Profile{
 						FirstName: "firstname",
 					},
 				},
 			},
 			res: res{
 				err: caos_errs.IsErrorInvalidArgument,
 			},
 		},
 		{
 			name: "add human (with password and initial code), ok",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgIAMPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 							),
 						),
 					),
 					expectFilter(
 						eventFromEventPusher(
 							org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								1,
 								false,
 								false,
 								false,
 								false,
 							),
 						),
 					),
 					expectPush(
 						[]*repository.Event{
 							eventFromEventPusher(
 								newAddHumanEvent("password", true, ""),
 							),
 							eventFromEventPusher(
 								user.NewHumanInitialCodeAddedEvent(context.Background(),
 									&user.NewAggregate("user1", "org1").Aggregate,
 									&crypto.CryptoValue{
 										CryptoType: crypto.TypeEncryption,
 										Algorithm:  "enc",
 										KeyID:      "id",
 										Crypted:    []byte("a"),
 									},
 									time.Hour*1,
 								),
 							),
 						},
 						uniqueConstraintsFromEventConstraint(user.NewAddUsernameUniqueConstraint("username", "org1", true)),
 					),
 				),
 				idGenerator:     id_mock.NewIDGeneratorExpectIDs(t, "user1"),
 				secretGenerator: GetMockSecretGenerator(t),
 				userPasswordAlg: crypto.CreateMockHashAlg(gomock.NewController(t)),
 			},
 			args: args{
 				ctx:   context.Background(),
 				orgID: "org1",
 				human: &domain.Human{
 					Username: "username",
 					Password: &domain.Password{
 						SecretString:   "password",
 						ChangeRequired: true,
 					},
 					Profile: &domain.Profile{
 						FirstName: "firstname",
 						LastName:  "lastname",
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
 					},
 				},
 			},
 			res: res{
 				want: &domain.Human{
 					ObjectRoot: models.ObjectRoot{
 						AggregateID:   "user1",
 						ResourceOwner: "org1",
 					},
 					Username: "username",
 					Profile: &domain.Profile{
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
 						PreferredLanguage: language.Und,
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
 					},
 					State: domain.UserStateInitial,
 				},
 			},
 		},
 		{
 			name: "add human email verified password change not required, ok",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgIAMPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 							),
 						),
 					),
 					expectFilter(
 						eventFromEventPusher(
 							org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								1,
 								false,
 								false,
 								false,
 								false,
 							),
 						),
 					),
 					expectPush(
 						[]*repository.Event{
 							eventFromEventPusher(
 								newAddHumanEvent("password", false, ""),
 							),
 							eventFromEventPusher(
 								user.NewHumanEmailVerifiedEvent(context.Background(),
 									&user.NewAggregate("user1", "org1").Aggregate),
 							),
 						},
 						uniqueConstraintsFromEventConstraint(user.NewAddUsernameUniqueConstraint("username", "org1", true)),
 					),
 				),
 				idGenerator:     id_mock.NewIDGeneratorExpectIDs(t, "user1"),
 				secretGenerator: GetMockSecretGenerator(t),
 				userPasswordAlg: crypto.CreateMockHashAlg(gomock.NewController(t)),
 			},
 			args: args{
 				ctx:   context.Background(),
 				orgID: "org1",
 				human: &domain.Human{
 					Username: "username",
 					Password: &domain.Password{
 						SecretString:   "password",
 						ChangeRequired: false,
 					},
 					Profile: &domain.Profile{
 						FirstName: "firstname",
 						LastName:  "lastname",
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
 						IsEmailVerified: true,
 					},
 				},
 			},
 			res: res{
 				want: &domain.Human{
 					ObjectRoot: models.ObjectRoot{
 						AggregateID:   "user1",
 						ResourceOwner: "org1",
 					},
 					Username: "username",
 					Profile: &domain.Profile{
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
 						PreferredLanguage: language.Und,
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
 						IsEmailVerified: true,
 					},
 					State: domain.UserStateActive,
 				},
 			},
 		},
 		{
 			name: "add human (with phone), ok",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgIAMPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 							),
 						),
 					),
 					expectFilter(
 						eventFromEventPusher(
 							org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								1,
 								false,
 								false,
 								false,
 								false,
 							),
 						),
 					),
 					expectPush(
 						[]*repository.Event{
 							eventFromEventPusher(
 								newAddHumanEvent("password", false, "+41711234567"),
 							),
 							eventFromEventPusher(
 								user.NewHumanInitialCodeAddedEvent(context.Background(),
 									&user.NewAggregate("user1", "org1").Aggregate,
 									&crypto.CryptoValue{
 										CryptoType: crypto.TypeEncryption,
 										Algorithm:  "enc",
 										KeyID:      "id",
 										Crypted:    []byte("a"),
 									},
 									time.Hour*1,
 								),
 							),
 							eventFromEventPusher(
 								user.NewHumanPhoneCodeAddedEvent(context.Background(),
 									&user.NewAggregate("user1", "org1").Aggregate,
 									&crypto.CryptoValue{
 										CryptoType: crypto.TypeEncryption,
 										Algorithm:  "enc",
 										KeyID:      "id",
 										Crypted:    []byte("a"),
 									},
 									time.Hour*1)),
 						},
 						uniqueConstraintsFromEventConstraint(user.NewAddUsernameUniqueConstraint("username", "org1", true)),
 					),
 				),
 				idGenerator:     id_mock.NewIDGeneratorExpectIDs(t, "user1"),
 				secretGenerator: GetMockSecretGenerator(t),
 				userPasswordAlg: crypto.CreateMockHashAlg(gomock.NewController(t)),
 			},
 			args: args{
 				ctx:   context.Background(),
 				orgID: "org1",
 				human: &domain.Human{
 					Username: "username",
 					Profile: &domain.Profile{
 						FirstName: "firstname",
 						LastName:  "lastname",
 					},
 					Password: &domain.Password{
 						SecretString:   "password",
 						ChangeRequired: false,
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
 					},
 					Phone: &domain.Phone{
 						PhoneNumber: "+41711234567",
 					},
 				},
 			},
 			res: res{
 				want: &domain.Human{
 					ObjectRoot: models.ObjectRoot{
 						AggregateID:   "user1",
 						ResourceOwner: "org1",
 					},
 					Username: "username",
 					Profile: &domain.Profile{
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
 						PreferredLanguage: language.Und,
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
 					},
 					Phone: &domain.Phone{
 						PhoneNumber: "+41711234567",
 					},
 					State: domain.UserStateInitial,
 				},
 			},
 		},
 		{
 			name: "add human (with verified phone), ok",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgIAMPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 							),
 						),
 					),
 					expectFilter(
 						eventFromEventPusher(
 							org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								1,
 								false,
 								false,
 								false,
 								false,
 							),
 						),
 					),
 					expectPush(
 						[]*repository.Event{
 							eventFromEventPusher(
 								newAddHumanEvent("password", false, "+41711234567"),
 							),
 							eventFromEventPusher(
 								user.NewHumanInitialCodeAddedEvent(context.Background(),
 									&user.NewAggregate("user1", "org1").Aggregate,
 									&crypto.CryptoValue{
 										CryptoType: crypto.TypeEncryption,
 										Algorithm:  "enc",
 										KeyID:      "id",
 										Crypted:    []byte("a"),
 									},
 									time.Hour*1,
 								),
 							),
 							eventFromEventPusher(
 								user.NewHumanPhoneVerifiedEvent(context.Background(),
 									&user.NewAggregate("user1", "org1").Aggregate),
 							),
 						},
 						uniqueConstraintsFromEventConstraint(user.NewAddUsernameUniqueConstraint("username", "org1", true)),
 					),
 				),
 				idGenerator:     id_mock.NewIDGeneratorExpectIDs(t, "user1"),
 				secretGenerator: GetMockSecretGenerator(t),
 				userPasswordAlg: crypto.CreateMockHashAlg(gomock.NewController(t)),
 			},
 			args: args{
 				ctx:   context.Background(),
 				orgID: "org1",
 				human: &domain.Human{
 					Username: "username",
 					Profile: &domain.Profile{
 						FirstName: "firstname",
 						LastName:  "lastname",
 					},
 					Password: &domain.Password{
 						SecretString:   "password",
 						ChangeRequired: false,
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
 					},
 					Phone: &domain.Phone{
 						PhoneNumber:     "+41711234567",
 						IsPhoneVerified: true,
 					},
 				},
 			},
 			res: res{
 				want: &domain.Human{
 					ObjectRoot: models.ObjectRoot{
 						AggregateID:   "user1",
 						ResourceOwner: "org1",
 					},
 					Username: "username",
 					Profile: &domain.Profile{
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
 						PreferredLanguage: language.Und,
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
 					},
 					Phone: &domain.Phone{
 						PhoneNumber: "+41711234567",
 					},
 					State: domain.UserStateInitial,
 				},
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
 				eventstore:            tt.fields.eventstore,
 				idGenerator:           tt.fields.idGenerator,
 				initializeUserCode:    tt.fields.secretGenerator,
 				phoneVerificationCode: tt.fields.secretGenerator,
 				userPasswordAlg:       tt.fields.userPasswordAlg,
 			}
 			got, err := r.ImportHuman(tt.args.ctx, tt.args.orgID, tt.args.human)
 			if tt.res.err == nil {
 				assert.NoError(t, err)
 			}
 			if tt.res.err != nil && !tt.res.err(err) {
 				t.Errorf("got wrong err: %v ", err)
 			}
 			if tt.res.err == nil {
 				assert.Equal(t, tt.res.want, got)
 			}
 		})
 	}
 }
 func TestCommandSide_RegisterHuman(t *testing.T) {
 	type fields struct {
 		eventstore      *eventstore.Eventstore
@ -836,54 +1338,6 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 				err: caos_errs.IsPreconditionFailed,
 			},
 		},
 		{
 			name: "org policy check failed, precondition error",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgIAMPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
 							),
 						),
 					),
 					expectFilter(
 						eventFromEventPusher(
 							org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								1,
 								false,
 								false,
 								false,
 								false,
 							),
 						),
 					),
 				),
 			},
 			args: args{
 				ctx:   context.Background(),
 				orgID: "org1",
 				human: &domain.Human{
 					Username: "email@test.ch",
 					Profile: &domain.Profile{
 						FirstName: "firstname",
 						LastName:  "lastname",
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
 					},
 					Password: &domain.Password{
 						SecretString: "password",
 					},
 				},
 			},
 			res: res{
 				err: caos_errs.IsPreconditionFailed,
 			},
 		},
 		{
 			name: "add human (with password and initial code), ok",
 			fields: fields{
--- a/internal/domain/auth_request.go
+++ b/internal/domain/auth_request.go
@ -1,10 +1,12 @@
 package domain
 import (
 	"github.com/caos/zitadel/internal/errors"
 	"golang.org/x/text/language"
 	"strings"
 	"time"
 	"golang.org/x/text/language"
 	"github.com/caos/zitadel/internal/errors"
 )
 type AuthRequest struct {
@ -25,11 +27,13 @@ type AuthRequest struct {
 	levelOfAssurance       LevelOfAssurance
 	UserID                 string
 	UserName               string
 	LoginName              string
 	DisplayName            string
 	UserOrgID              string
 	RequestedOrgID         string
 	RequestedOrgName       string
 	RequestedPrimaryDomain string
 	SelectedIDPConfigID    string
 	LinkingUsers           []*ExternalUser
 	PossibleSteps          []NextStep
@ -40,6 +44,7 @@ type AuthRequest struct {
 	Code                   string
 	LoginPolicy            *LoginPolicy
 	AllowedExternalIDPs    []*IDPProvider
 	LabelPolicy            *LabelPolicy
 }
 type ExternalUser struct {
@ -103,8 +108,9 @@ func (a *AuthRequest) WithCurrentInfo(info *BrowserInfo) *AuthRequest {
 	return a
 }
-func (a *AuthRequest) SetUserInfo(userID, loginName, displayName, userOrgID string) {
+func (a *AuthRequest) SetUserInfo(userID, userName, loginName, displayName, userOrgID string) {
 	a.UserID = userID
 	a.UserName = userName
 	a.LoginName = loginName
 	a.DisplayName = displayName
 	a.UserOrgID = userOrgID
--- a/internal/domain/human.go
+++ b/internal/domain/human.go
@ -1,11 +1,11 @@
 package domain
 import (
 	"time"
 	"github.com/caos/zitadel/internal/crypto"
 	caos_errors "github.com/caos/zitadel/internal/errors"
 	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
 	"strings"
 	"time"
 )
 type Human struct {
@ -59,9 +59,6 @@ func (u *Human) CheckOrgIAMPolicy(policy *OrgIAMPolicy) error {
 	if policy == nil {
 		return caos_errors.ThrowPreconditionFailed(nil, "DOMAIN-zSH7j", "Errors.Users.OrgIamPolicyNil")
 	}
 	if policy.UserLoginMustBeDomain && strings.Contains(u.Username, "@") {
 		return caos_errors.ThrowPreconditionFailed(nil, "DOMAIN-se4sJ", "Errors.User.EmailAsUsernameNotAllowed")
 	}
 	if !policy.UserLoginMustBeDomain && u.Profile != nil && u.Username == "" && u.Email != nil {
 		u.Username = u.EmailAddress
 	}
--- a/internal/domain/next_step.go
+++ b/internal/domain/next_step.go
@ -42,6 +42,7 @@ func (s *SelectUserStep) Type() NextStepType {
 type UserSelection struct {
 	UserID            string
 	UserName          string
 	DisplayName       string
 	LoginName         string
 	UserSessionState  UserSessionState
--- a/internal/domain/policy_label.go
+++ b/internal/domain/policy_label.go
@ -10,6 +10,7 @@ type LabelPolicy struct {
 	Default             bool
 	PrimaryColor        string
 	SecondaryColor      string
 	HideLoginNameSuffix bool
 }
 func (p *LabelPolicy) IsValid() bool {
--- a/internal/iam/model/label_policy.go
+++ b/internal/iam/model/label_policy.go
@ -11,6 +11,7 @@ type LabelPolicy struct {
 	Default             bool
 	PrimaryColor        string
 	SecondaryColor      string
 	HideLoginNameSuffix bool
 }
 func (p *LabelPolicy) IsValid() bool {
--- a/internal/iam/model/label_policy_view.go
+++ b/internal/iam/model/label_policy_view.go
@ -9,6 +9,7 @@ type LabelPolicyView struct {
 	AggregateID         string
 	PrimaryColor        string
 	SecondaryColor      string
 	HideLoginNameSuffix bool
 	Default             bool
 	CreationDate time.Time
--- a/internal/iam/repository/eventsourcing/model/label_policy.go
+++ b/internal/iam/repository/eventsourcing/model/label_policy.go
@ -13,6 +13,7 @@ type LabelPolicy struct {
 	State               int32  `json:"-"`
 	PrimaryColor        string `json:"primaryColor"`
 	SecondaryColor      string `json:"secondaryColor"`
 	HideLoginNameSuffix bool   `json:"hideLoginNameSuffix"`
 }
 func LabelPolicyToModel(policy *LabelPolicy) *iam_model.LabelPolicy {
@ -21,6 +22,7 @@ func LabelPolicyToModel(policy *LabelPolicy) *iam_model.LabelPolicy {
 		State:               iam_model.PolicyState(policy.State),
 		PrimaryColor:        policy.PrimaryColor,
 		SecondaryColor:      policy.SecondaryColor,
 		HideLoginNameSuffix: policy.HideLoginNameSuffix,
 	}
 }
@ -30,6 +32,7 @@ func LabelPolicyFromModel(policy *iam_model.LabelPolicy) *LabelPolicy {
 		State:               int32(policy.State),
 		PrimaryColor:        policy.PrimaryColor,
 		SecondaryColor:      policy.SecondaryColor,
 		HideLoginNameSuffix: policy.HideLoginNameSuffix,
 	}
 }
--- a/internal/iam/repository/view/model/label_policy.go
+++ b/internal/iam/repository/view/model/label_policy.go
@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"time"
 	"github.com/caos/zitadel/internal/domain"
 	org_es_model "github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
 	es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
@ -26,20 +27,24 @@ type LabelPolicyView struct {
 	PrimaryColor        string `json:"primaryColor" gorm:"column:primary_color"`
 	SecondaryColor      string `json:"secondaryColor" gorm:"column:secondary_color"`
 	HideLoginNameSuffix bool   `json:"hideLoginNameSuffix" gorm:"column:hide_login_name_suffix"`
 	Default             bool   `json:"-" gorm:"-"`
 	Sequence uint64 `json:"-" gorm:"column:sequence"`
 }
-func LabelPolicyViewFromModel(policy *model.LabelPolicyView) *LabelPolicyView {
+func (p *LabelPolicyView) ToDomain() *domain.LabelPolicy {
-	return &LabelPolicyView{
+	return &domain.LabelPolicy{
-		AggregateID:    policy.AggregateID,
+		ObjectRoot: models.ObjectRoot{
-		Sequence:       policy.Sequence,
+			AggregateID:  p.AggregateID,
-		CreationDate:   policy.CreationDate,
+			CreationDate: p.CreationDate,
-		ChangeDate:     policy.ChangeDate,
+			ChangeDate:   p.ChangeDate,
-		PrimaryColor:   policy.PrimaryColor,
+			Sequence:     p.Sequence,
-		SecondaryColor: policy.SecondaryColor,
+		},
-		Default:        policy.Default,
+		Default:             p.Default,
 		PrimaryColor:        p.PrimaryColor,
 		SecondaryColor:      p.SecondaryColor,
 		HideLoginNameSuffix: p.HideLoginNameSuffix,
 	}
 }
@ -51,6 +56,7 @@ func LabelPolicyViewToModel(policy *LabelPolicyView) *model.LabelPolicyView {
 		ChangeDate:          policy.ChangeDate,
 		PrimaryColor:        policy.PrimaryColor,
 		SecondaryColor:      policy.SecondaryColor,
 		HideLoginNameSuffix: policy.HideLoginNameSuffix,
 		Default:             policy.Default,
 	}
 }
--- a/internal/management/repository/eventsourcing/eventstore/org.go
+++ b/internal/management/repository/eventsourcing/eventstore/org.go
@ -199,6 +199,32 @@ func (repo *OrgRepository) GetLabelPolicy(ctx context.Context) (*iam_model.Label
 	return iam_es_model.LabelPolicyViewToModel(policy), err
 }
 func (repo *OrgRepository) GetDefaultLabelPolicy(ctx context.Context) (*iam_model.LabelPolicyView, error) {
 	policy, viewErr := repo.View.LabelPolicyByAggregateID(repo.SystemDefaults.IamID)
 	if viewErr != nil && !errors.IsNotFound(viewErr) {
 		return nil, viewErr
 	}
 	if errors.IsNotFound(viewErr) {
 		policy = new(iam_es_model.LabelPolicyView)
 	}
 	events, esErr := repo.getIAMEvents(ctx, policy.Sequence)
 	if errors.IsNotFound(viewErr) && len(events) == 0 {
 		return nil, errors.ThrowNotFound(nil, "EVENT-3Nf8sd", "Errors.IAM.LabelPolicy.NotFound")
 	}
 	if esErr != nil {
 		logging.Log("EVENT-28uLp").WithError(esErr).Debug("error retrieving new events")
 		return iam_es_model.LabelPolicyViewToModel(policy), nil
 	}
 	policyCopy := *policy
 	for _, event := range events {
 		if err := policyCopy.AppendEvent(event); err != nil {
 			return iam_es_model.LabelPolicyViewToModel(policy), nil
 		}
 	}
 	policy.Default = true
 	return iam_es_model.LabelPolicyViewToModel(policy), nil
 }
 func (repo *OrgRepository) GetLoginPolicy(ctx context.Context) (*iam_model.LoginPolicyView, error) {
 	policy, viewErr := repo.View.LoginPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
 	if viewErr != nil && !errors.IsNotFound(viewErr) {
--- a/internal/management/repository/org.go
+++ b/internal/management/repository/org.go
@ -45,4 +45,7 @@ type OrgRepository interface {
 	GetDefaultMailTexts(ctx context.Context) (*iam_model.MailTextsView, error)
 	GetMailTexts(ctx context.Context) (*iam_model.MailTextsView, error)
 	GetLabelPolicy(ctx context.Context) (*iam_model.LabelPolicyView, error)
 	GetDefaultLabelPolicy(ctx context.Context) (*iam_model.LabelPolicyView, error)
 }
--- a/internal/repository/iam/policy_label.go
+++ b/internal/repository/iam/policy_label.go
@ -22,6 +22,7 @@ func NewLabelPolicyAddedEvent(
 	aggregate *eventstore.Aggregate,
 	primaryColor,
 	secondaryColor string,
 	hideLoginNameSuffix bool,
 ) *LabelPolicyAddedEvent {
 	return &LabelPolicyAddedEvent{
 		LabelPolicyAddedEvent: *policy.NewLabelPolicyAddedEvent(
@ -30,7 +31,8 @@ func NewLabelPolicyAddedEvent(
 				aggregate,
 				LabelPolicyAddedEventType),
 			primaryColor,
-			secondaryColor),
+			secondaryColor,
 			hideLoginNameSuffix),
 	}
 }
--- a/internal/repository/org/policy_label.go
+++ b/internal/repository/org/policy_label.go
@ -23,6 +23,7 @@ func NewLabelPolicyAddedEvent(
 	aggregate *eventstore.Aggregate,
 	primaryColor,
 	secondaryColor string,
 	hideLoginNameSuffix bool,
 ) *LabelPolicyAddedEvent {
 	return &LabelPolicyAddedEvent{
 		LabelPolicyAddedEvent: *policy.NewLabelPolicyAddedEvent(
@ -31,7 +32,8 @@ func NewLabelPolicyAddedEvent(
 				aggregate,
 				LabelPolicyAddedEventType),
 			primaryColor,
-			secondaryColor),
+			secondaryColor,
 			hideLoginNameSuffix),
 	}
 }
--- a/internal/repository/policy/label.go
+++ b/internal/repository/policy/label.go
@ -18,6 +18,7 @@ type LabelPolicyAddedEvent struct {
 	PrimaryColor        string `json:"primaryColor,omitempty"`
 	SecondaryColor      string `json:"secondaryColor,omitempty"`
 	HideLoginNameSuffix bool   `json:"hideLoginNameSuffix,omitempty"`
 }
 func (e *LabelPolicyAddedEvent) Data() interface{} {
@ -32,12 +33,14 @@ func NewLabelPolicyAddedEvent(
 	base *eventstore.BaseEvent,
 	primaryColor,
 	secondaryColor string,
 	hideLoginNameSuffix bool,
 ) *LabelPolicyAddedEvent {
 	return &LabelPolicyAddedEvent{
 		BaseEvent:           *base,
 		PrimaryColor:        primaryColor,
 		SecondaryColor:      secondaryColor,
 		HideLoginNameSuffix: hideLoginNameSuffix,
 	}
 }
@ -59,6 +62,7 @@ type LabelPolicyChangedEvent struct {
 	PrimaryColor        *string `json:"primaryColor,omitempty"`
 	SecondaryColor      *string `json:"secondaryColor,omitempty"`
 	HideLoginNameSuffix *bool   `json:"hideLoginNameSuffix,omitempty"`
 }
 func (e *LabelPolicyChangedEvent) Data() interface{} {
@ -99,6 +103,12 @@ func ChangeSecondaryColor(secondaryColor string) func(*LabelPolicyChangedEvent)
 	}
 }
 func ChangeHideLoginNameSuffix(hideLoginNameSuffix bool) func(*LabelPolicyChangedEvent) {
 	return func(e *LabelPolicyChangedEvent) {
 		e.HideLoginNameSuffix = &hideLoginNameSuffix
 	}
 }
 func LabelPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
 	e := &LabelPolicyChangedEvent{
 		BaseEvent: *eventstore.BaseEventFromRepo(event),
--- a/internal/ui/login/handler/login_handler.go
+++ b/internal/ui/login/handler/login_handler.go
@ -54,7 +54,8 @@ func (l *Login) handleLoginNameCheck(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	err = l.authRepo.CheckLoginName(r.Context(), authReq.ID, data.LoginName, userAgentID)
+	loginName := data.LoginName
 	err = l.authRepo.CheckLoginName(r.Context(), authReq.ID, loginName, userAgentID)
 	if err != nil {
 		l.renderLogin(w, r, authReq, err)
 		return
@ -73,7 +74,7 @@ func (l *Login) renderLogin(w http.ResponseWriter, r *http.Request, authReq *dom
 			return authReq.LoginPolicy != nil && authReq.LoginPolicy.AllowUsernamePassword
 		},
 		"hasExternalLogin": func() bool {
-			return authReq.LoginPolicy.AllowExternalIDP && authReq.AllowedExternalIDPs != nil && len(authReq.AllowedExternalIDPs) > 0
+			return authReq.LoginPolicy != nil && authReq.LoginPolicy.AllowExternalIDP && authReq.AllowedExternalIDPs != nil && len(authReq.AllowedExternalIDPs) > 0
 		},
 	}
 	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplLogin], data, funcs)
--- a/internal/ui/login/handler/renderer.go
+++ b/internal/ui/login/handler/renderer.go
@ -271,6 +271,8 @@ func (l *Login) getBaseData(r *http.Request, authReq *domain.AuthRequest, title
 		ThemeMode:              l.getThemeMode(r),
 		OrgID:                  l.getOrgID(authReq),
 		OrgName:                l.getOrgName(authReq),
 		PrimaryDomain:          l.getOrgPrimaryDomain(authReq),
 		DisplayLoginNameSuffix: l.isDisplayLoginNameSuffix(authReq),
 		AuthReqID:              getRequestID(authReq, r),
 		CSRF:                   csrf.TemplateField(r),
 		Nonce:                  http_mw.GetNonce(r),
@ -283,12 +285,14 @@ func (l *Login) getBaseData(r *http.Request, authReq *domain.AuthRequest, title
 }
 func (l *Login) getProfileData(authReq *domain.AuthRequest) profileData {
-	var loginName, displayName string
+	var userName, loginName, displayName string
 	if authReq != nil {
 		userName = authReq.UserName
 		loginName = authReq.LoginName
 		displayName = authReq.DisplayName
 	}
 	return profileData{
 		UserName:    userName,
 		LoginName:   loginName,
 		DisplayName: displayName,
 	}
@ -329,6 +333,23 @@ func (l *Login) getOrgName(authReq *domain.AuthRequest) string {
 	return authReq.RequestedOrgName
 }
 func (l *Login) getOrgPrimaryDomain(authReq *domain.AuthRequest) string {
 	if authReq == nil {
 		return ""
 	}
 	return authReq.RequestedPrimaryDomain
 }
 func (l *Login) isDisplayLoginNameSuffix(authReq *domain.AuthRequest) bool {
 	if authReq == nil {
 		return false
 	}
 	if authReq.RequestedOrgID == "" {
 		return false
 	}
 	return authReq.LabelPolicy != nil && !authReq.LabelPolicy.HideLoginNameSuffix
 }
 func getRequestID(authReq *domain.AuthRequest, r *http.Request) string {
 	if authReq != nil {
 		return authReq.ID
@ -357,6 +378,8 @@ type baseData struct {
 	ThemeMode              string
 	OrgID                  string
 	OrgName                string
 	PrimaryDomain          string
 	DisplayLoginNameSuffix bool
 	AuthReqID              string
 	CSRF                   template.HTML
 	Nonce                  string
@ -380,6 +403,7 @@ type userData struct {
 type profileData struct {
 	LoginName   string
 	UserName    string
 	DisplayName string
 }
--- a/internal/ui/login/static/i18n/de.yaml
+++ b/internal/ui/login/static/i18n/de.yaml
@ -1,19 +1,10 @@
 Password:
  Title: Willkommen zurück!
  Description: Gib deine Benutzerdaten ein.
  Password: Passwort
  MinLength: Mindestlänge
  HasUppercase: Grossbuchstaben
  HasLowercase: Kleinbuchstaben
  HasNumber: Nummer
  HasSymbol: Symbol
 Login:
  Title: Anmeldung
  Description: Mit ZITADEL-Konto anmelden.
  TitleLinking: Anmeldung für Benutzer Linking
  DescriptionLinking: Gib deine Benutzerdaten ein um den externen Benutzer mit einem ZITADEL Benutzer zu linken.
  Loginname: Loginname
  UsernamePlaceHolder: username
  LoginnamePlaceHolder: username@domain
  ExternalLogin: Melde dich mit einem externen Benutzer an
  MustBeMemberOfOrg: Der Benutzer muss der Organisation {{.OrgName}} angehören.
@ -28,6 +19,16 @@ UserSelection:
  SessionState1: inaktiv
  MustBeMemberOfOrg: Der Benutzer muss der Organisation {{.OrgName}} angehören.
 Password:
  Title: Willkommen zurück!
  Description: Gib deine Benutzerdaten ein.
  Password: Passwort
  MinLength: Mindestlänge
  HasUppercase: Grossbuchstaben
  HasLowercase: Kleinbuchstaben
  HasNumber: Nummer
  HasSymbol: Symbol
 UsernameChange:
  Title: Usernamen ändern
  Description: Wähle deinen neuen Benutzernamen
--- a/internal/ui/login/static/i18n/en.yaml
+++ b/internal/ui/login/static/i18n/en.yaml
@ -4,9 +4,10 @@ Login:
  TitleLinking: Login for userlinking
  DescriptionLinking: Enter your login data to link your external user with a ZITADEL user.
  Loginname: Loginname
  UsernamePlaceHolder: username
  LoginnamePlaceHolder: username@domain
  ExternalLogin: Login with an external user.
-  MustBeMemberOfOrg: The user must be mermber of the {{.OrgDomain}} organisation.
+  MustBeMemberOfOrg: The user must be mermber of the {{.OrgName}} organisation.
 UserSelection:
  Title: Select account
@ -16,7 +17,7 @@ UserSelection:
  OtherUser: Other User
  SessionState0: active
  SessionState1: inactive
-  MustBeMemberOfOrg: The user must be mermber of the {{.OrgDomain}} organisation.
+  MustBeMemberOfOrg: The user must be mermber of the {{.OrgName}} organisation.
 Password:
  Title: Password
--- a/internal/ui/login/static/resources/themes/scss/styles/account_selection/account_selection.scss
+++ b/internal/ui/login/static/resources/themes/scss/styles/account_selection/account_selection.scss
@ -12,6 +12,11 @@ $lgn-container-margin: 0px auto 50px auto;
        align-items: center;
        border: none;
        outline: none;
        cursor: pointer;
        &:disabled {
            cursor: not-allowed;
        }
        .left {
            padding: .5rem 1rem;
--- a/internal/ui/login/static/resources/themes/scss/styles/account_selection/account_selection_theme.scss
+++ b/internal/ui/login/static/resources/themes/scss/styles/account_selection/account_selection_theme.scss
@ -25,7 +25,6 @@
            color: inherit;
            background: transparent;
            box-shadow: inset 0 -1px lgn-color($foreground, footer-line);
            cursor: pointer;
            &:hover {
                $primary: map-get($config, primary);
--- a/internal/ui/login/static/resources/themes/zitadel/css/bundle.css
+++ b/internal/ui/login/static/resources/themes/zitadel/css/bundle.css
@ -440,6 +440,10 @@ i {
  align-items: center;
  border: none;
  outline: none;
  cursor: pointer;
 }
 .lgn-account-selection .lgn-account:disabled {
  cursor: not-allowed;
 }
 .lgn-account-selection .lgn-account .left {
  padding: 0.5rem 1rem;
@ -1298,6 +1302,10 @@ i {
  align-items: center;
  border: none;
  outline: none;
  cursor: pointer;
 }
 .lgn-account-selection .lgn-account:disabled {
  cursor: not-allowed;
 }
 .lgn-account-selection .lgn-account .left {
  padding: 0.5rem 1rem;
--- a/internal/ui/login/static/resources/themes/zitadel/css/bundle.css.map
+++ b/internal/ui/login/static/resources/themes/zitadel/css/bundle.css.map
--- a/internal/ui/login/static/resources/themes/zitadel/css/zitadel.css
+++ b/internal/ui/login/static/resources/themes/zitadel/css/zitadel.css
@ -440,6 +440,10 @@ i {
  align-items: center;
  border: none;
  outline: none;
  cursor: pointer;
 }
 .lgn-account-selection .lgn-account:disabled {
  cursor: not-allowed;
 }
 .lgn-account-selection .lgn-account .left {
  padding: 0.5rem 1rem;
@ -1202,7 +1206,6 @@ a:hover, a:active {
  color: inherit;
  background: transparent;
  box-shadow: inset 0 -1px #303131;
  cursor: pointer;
 }
 .lgn-account-selection .lgn-account:hover {
  background-color: rgba(255, 255, 255, 0.02);
@ -1522,7 +1525,6 @@ a:hover, a:active {
  color: inherit;
  background: transparent;
  box-shadow: inset 0 -1px #303131;
  cursor: pointer;
 }
 .lgn-dark-theme .lgn-account-selection .lgn-account:hover {
  background-color: rgba(255, 255, 255, 0.02);
@ -1836,7 +1838,6 @@ a:hover, a:active {
  color: inherit;
  background: transparent;
  box-shadow: inset 0 -1px #e3e8ee;
  cursor: pointer;
 }
 .lgn-light-theme .lgn-account-selection .lgn-account:hover {
  background-color: rgba(0, 0, 0, 0.02);
--- a/internal/ui/login/static/resources/themes/zitadel/css/zitadel.css.map
+++ b/internal/ui/login/static/resources/themes/zitadel/css/zitadel.css.map
--- a/internal/ui/login/static/templates/login.html
+++ b/internal/ui/login/static/templates/login.html
@ -20,8 +20,13 @@
    {{if hasUsernamePasswordLogin }}
    <div class="fields">
        <label class="lgn-label" for="loginName">{{t "Login.Loginname"}}</label>
-            <input class="lgn-input lgn-suffix-input" type="text" id="loginName" name="loginName" placeholder="{{t "Login.LoginnamePlaceHolder"}}"
+        <div class="lgn-suffix-wrapper">
-            value="{{ .LoginName }}" {{if .ErrMessage}}shake {{end}} autocomplete="username" autofocus required>
+            <input class="lgn-input lgn-suffix-input" type="text" id="loginName" name="loginName" placeholder="{{if .OrgID }}{{t "Login.UsernamePlaceHolder"}}{{else}}{{t "Login.LoginnamePlaceHolder"}}{{end}}"
            value="{{ .UserName }}" {{if .ErrMessage}}shake {{end}} autocomplete="username" autofocus required>
            {{if .DisplayLoginNameSuffix}}
                <span id="default-login-suffix" lgnsuffix class="loginname-suffix">@{{.PrimaryDomain}}</span>
            {{end}}
        </div>
    </div>
    {{end}}
@ -53,5 +58,6 @@
 <script src="{{ resourceUrl "scripts/form_submit.js" }}"></script>
 <script src="{{ resourceUrl "scripts/default_form_validation.js" }}"></script>
 <script src="{{ resourceUrl "scripts/input_suffix_offset.js" }}"></script>
 {{template "main-bottom" .}}
--- a/internal/ui/login/static/templates/select_user.html
+++ b/internal/ui/login/static/templates/select_user.html
@ -23,10 +23,11 @@
    <div class="lgn-account-selection">
        {{ if .Users }}
        {{ $displayLoginNameSuffix := and .OrgID (not .DisplayLoginNameSuffix)}}
        {{ range $user := .Users }}
        {{ $sessionState := (printf "UserSelection.SessionState%v" $user.UserSessionState) }}
        <button type="submit" name="userID" value="{{$user.UserID}}" class="lgn-account" 
-        {{if not $user.SelectionPossible}}disabled title="{{t " Errors.User.NotAllowedOrg"}}"{{end}}>
+        {{if not $user.SelectionPossible}}disabled title="{{t "Errors.User.NotAllowedOrg"}}"{{end}}>
            <div class="left">
                <div class="lgn-avatar" displayname="{{$user.DisplayName}}">
                    <span class="initials">A</span>
@ -34,7 +35,7 @@
            </div>
            <div class="lgn-names">
                <p class="lgn-displayname">{{$user.DisplayName}}</p>
-                <p class="lgn-loginname">{{$user.LoginName}}</p>
+                <p class="lgn-loginname">{{if and $displayLoginNameSuffix $user.SelectionPossible}}{{$user.UserName}}{{else}}{{$user.LoginName}}{{end}}</p>
                <p class="lgn-session-state i{{$user.UserSessionState}}">{{t $sessionState}}</p>
            </div>
            <span class="fill-space"></span>
--- a/internal/ui/login/static/templates/user_profile.html
+++ b/internal/ui/login/static/templates/user_profile.html
@ -1,5 +1,5 @@
 {{define "user-profile"}}
-{{if .LoginName}}
+{{if or .LoginName .UserName}}
 <div class="lgn-login-profile">
    <div class="lgn-profile-image"></div>
    <div class="lgn-names">
@ -9,7 +9,7 @@
            </div>
        </div>
        <div class="lgn-loginname">
-            <p>{{.LoginName}}</p>
+            <p>{{if .DisplayLoginNameSuffix}}{{.LoginName}}{{else}}{{.UserName}}{{end}}</p>
        </div>
    </div>
 </div>
--- a/migrations/cockroach/V1.33__label_policy.sql
+++ b/migrations/cockroach/V1.33__label_policy.sql
@ -0,0 +1,21 @@
 ALTER TABLE management.label_policies ADD COLUMN hide_login_name_suffix BOOLEAN;
 ALTER TABLE adminapi.label_policies ADD COLUMN hide_login_name_suffix BOOLEAN;
 CREATE TABLE auth.label_policies (
   aggregate_id TEXT,
   creation_date TIMESTAMPTZ,
   change_date TIMESTAMPTZ,
   label_policy_state SMALLINT,
   sequence BIGINT,
   primary_color TEXT,
   secondary_color TEXT,
   hide_login_name_suffix BOOLEAN,
   PRIMARY KEY (aggregate_id)
 );
 GRANT SELECT ON TABLE auth.label_policies TO notification;
--- a/migrations/cockroach/V1.33__unique_tables.sql
+++ b/migrations/cockroach/V1.33__unique_tables.sql
@ -1,7 +0,0 @@
 CREATE TABLE eventstore.unique_constraints (
    unique_type TEXT,
 	unique_field TEXT,
 	PRIMARY KEY (unique_type, unique_field)
 );
 GRANT DELETE ON TABLE eventstore.unique_constraints to eventstore;
--- a/migrations/cockroach/V1.34__new_eventstore.sql
+++ b/migrations/cockroach/V1.34__new_eventstore.sql
@ -0,0 +1,23 @@
 CREATE TABLE eventstore.unique_constraints (
    unique_type TEXT,
 	unique_field TEXT,
 	PRIMARY KEY (unique_type, unique_field)
 );
 GRANT DELETE ON TABLE eventstore.unique_constraints to eventstore;
 ALTER TABLE management.login_policies ADD COLUMN default_policy BOOLEAN;
 ALTER TABLE adminapi.login_policies ADD COLUMN default_policy BOOLEAN;
 ALTER TABLE auth.login_policies ADD COLUMN default_policy BOOLEAN;
 CREATE INDEX event_type ON eventstore.events (event_type);
 CREATE INDEX resource_owner ON eventstore.events (resource_owner);
 CREATE USER queries WITH PASSWORD ${queriespassword};
 GRANT SELECT ON TABLE eventstore.events TO queries;
 ALTER TABLE management.org_members ADD COLUMN preferred_login_name TEXT;
 ALTER TABLE management.project_members ADD COLUMN preferred_login_name TEXT;
 ALTER TABLE management.project_grant_members ADD COLUMN preferred_login_name TEXT;
 ALTER TABLE adminapi.iam_members ADD COLUMN preferred_login_name TEXT;
--- a/migrations/cockroach/V1.34__policies.sql
+++ b/migrations/cockroach/V1.34__policies.sql
@ -1,3 +0,0 @@
 ALTER TABLE management.login_policies ADD COLUMN default_policy BOOLEAN;
 ALTER TABLE adminapi.login_policies ADD COLUMN default_policy BOOLEAN;
 ALTER TABLE auth.login_policies ADD COLUMN default_policy BOOLEAN;
--- a/migrations/cockroach/V1.35__indexes.sql
+++ b/migrations/cockroach/V1.35__indexes.sql
@ -1,2 +0,0 @@
 CREATE INDEX event_type ON eventstore.events (event_type);
 CREATE INDEX resource_owner ON eventstore.events (resource_owner);
--- a/migrations/cockroach/V1.36__queries.sql
+++ b/migrations/cockroach/V1.36__queries.sql
@ -1,2 +0,0 @@
 CREATE USER queries WITH PASSWORD ${queriespassword};
 GRANT SELECT ON TABLE eventstore.events TO queries;
--- a/migrations/cockroach/V1.37__members.sql
+++ b/migrations/cockroach/V1.37__members.sql
@ -1,5 +0,0 @@
 ALTER TABLE management.org_members ADD COLUMN preferred_login_name TEXT;
 ALTER TABLE management.project_members ADD COLUMN preferred_login_name TEXT;
 ALTER TABLE management.project_grant_members ADD COLUMN preferred_login_name TEXT;
 ALTER TABLE adminapi.iam_members ADD COLUMN preferred_login_name TEXT;
--- a/proto/zitadel/admin.proto
+++ b/proto/zitadel/admin.proto
@ -755,6 +755,7 @@ message GetLabelPolicyResponse {
 message UpdateLabelPolicyRequest {
    string primary_color = 1 [(validate.rules).string = {min_len: 1, max_len: 50}];
    string secondary_color = 2 [(validate.rules).string = {min_len: 1, max_len: 50}];
    bool hide_login_name_suffix = 3;
 }
 message UpdateLabelPolicyResponse {
--- a/proto/zitadel/management.proto
+++ b/proto/zitadel/management.proto
@ -162,6 +162,17 @@ service ManagementService {
        };
    }
    rpc ImportHumanUser(ImportHumanUserRequest) returns (ImportHumanUserResponse) {
        option (google.api.http) = {
            post: "/users/human/_import"
            body: "*"
        };
        option (zitadel.v1.auth_option) = {
            permission: "user.write"
        };
    }
    rpc AddMachineUser(AddMachineUserRequest) returns (AddMachineUserResponse) {
        option (google.api.http) = {
            post: "/users/machine"
@ -1641,6 +1652,58 @@ service ManagementService {
        };
    }
    rpc GetLabelPolicy(GetLabelPolicyRequest) returns (GetLabelPolicyResponse) {
        option (google.api.http) = {
            get: "/policies/label"
        };
        option (zitadel.v1.auth_option) = {
            permission: "policy.read"
        };
    }
    rpc GetDefaultLabelPolicy(GetDefaultLabelPolicyRequest) returns (GetDefaultLabelPolicyResponse) {
        option (google.api.http) = {
            get: "/policies/default/label"
        };
        option (zitadel.v1.auth_option) = {
            permission: "policy.read"
        };
    }
    rpc AddCustomLabelPolicy(AddCustomLabelPolicyRequest) returns (AddCustomLabelPolicyResponse) {
        option (google.api.http) = {
            post: "/policies/label"
            body: "*"
        };
        option (zitadel.v1.auth_option) = {
            permission: "policy.write"
        };
    }
    rpc UpdateCustomLabelPolicy(UpdateCustomLabelPolicyRequest) returns (UpdateCustomLabelPolicyResponse) {
        option (google.api.http) = {
            put: "/policies/label"
            body: "*"
        };
        option (zitadel.v1.auth_option) = {
            permission: "policy.write"
        };
    }
    rpc ResetLabelPolicyToDefault(ResetLabelPolicyToDefaultRequest) returns (ResetLabelPolicyToDefaultResponse) {
        option (google.api.http) = {
            delete: "/policies/label"
        };
        option (zitadel.v1.auth_option) = {
            permission: "policy.delete"
        };
    }
    rpc GetOrgIDPByID(GetOrgIDPByIDRequest) returns (GetOrgIDPByIDResponse) {
        option (google.api.http) = {
            get: "/idps/{id}"
@ -1825,6 +1888,39 @@ message AddHumanUserResponse {
    zitadel.v1.ObjectDetails details = 2;
 }
 message ImportHumanUserRequest {
    message Profile {
        string first_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
        string last_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
        string nick_name = 3 [(validate.rules).string = {max_len: 200}];
        string display_name = 4 [(validate.rules).string = {max_len: 200}];
        string preferred_language = 5 [(validate.rules).string = {max_len: 10}];
        zitadel.user.v1.Gender gender = 6;
    }
    message Email {
        string email = 1 [(validate.rules).string.email = true];  //TODO: check if no value is allowed
        bool is_email_verified = 2;
    }
    message Phone {
        // has to be a global number
        string phone = 1 [(validate.rules).string = {min_len: 1, max_len: 50, prefix: "+"}];
        bool is_phone_verified = 2;
    }
    string user_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
    Profile profile = 2 [(validate.rules).message.required = true];
    Email email = 3 [(validate.rules).message.required = true];
    Phone phone = 4;
    string password = 5;
    bool password_change_required = 6;
 }
 message ImportHumanUserResponse {
    string user_id = 1;
    zitadel.v1.ObjectDetails details = 2;
 }
 message AddMachineUserRequest {
    string user_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
@ -3097,6 +3193,45 @@ message ResetPasswordLockoutPolicyToDefaultResponse {
    zitadel.v1.ObjectDetails details = 1;
 }
 message GetLabelPolicyRequest {}
 message GetLabelPolicyResponse {
    zitadel.policy.v1.LabelPolicy policy = 1;
    bool is_default = 2;
 }
 message GetDefaultLabelPolicyRequest {}
 message GetDefaultLabelPolicyResponse {
    zitadel.policy.v1.LabelPolicy policy = 1;
 }
 message AddCustomLabelPolicyRequest {
    string primary_color = 1 [(validate.rules).string = {min_len: 1, max_len: 50}];
    string secondary_color = 2 [(validate.rules).string = {min_len: 1, max_len: 50}];
    bool hide_login_name_suffix = 3;
 }
 message AddCustomLabelPolicyResponse {
    zitadel.v1.ObjectDetails details = 1;
 }
 message UpdateCustomLabelPolicyRequest {
    string primary_color = 1 [(validate.rules).string = {min_len: 1, max_len: 50}];
    string secondary_color = 2 [(validate.rules).string = {min_len: 1, max_len: 50}];
    bool hide_login_name_suffix = 3;
 }
 message UpdateCustomLabelPolicyResponse {
    zitadel.v1.ObjectDetails details = 1;
 }
 message ResetLabelPolicyToDefaultRequest {}
 message ResetLabelPolicyToDefaultResponse {
    zitadel.v1.ObjectDetails details = 1;
 }
 message GetOrgIDPByIDRequest {
    string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
 }
--- a/proto/zitadel/policy.proto
+++ b/proto/zitadel/policy.proto
@ -17,6 +17,7 @@ message LabelPolicy {
    string primary_color = 2;
    string secondary_color = 3;
    bool is_default = 4;
    bool hide_login_name_suffix = 5;
 }
 message LoginPolicy {
		`@ -1,2 +0,0 @@`
			`CREATE INDEX event_type ON eventstore.events (event_type);`
			`CREATE INDEX resource_owner ON eventstore.events (resource_owner);`
		`@ -1,2 +0,0 @@`
			`CREATE USER queries WITH PASSWORD ${queriespassword};`
			`GRANT SELECT ON TABLE eventstore.events TO queries;`