fix: refactor setup (#1152)

* add setup steps * refactoring * omitempty * cleanup * fixes
2025-08-11 17:27:31 +00:00 · 2021-01-06 10:47:55 +01:00
parent dc56e298ae
commit 61d16e4621
45 changed files with 708 additions and 1041 deletions
--- a/internal/v2/command/command.go
+++ b/internal/v2/command/command.go
@@ -62,7 +62,7 @@ func (r *CommandSide) iamByID(ctx context.Context, id string) (_ *IAMWriteModel,
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel := NewIAMriteModel(id)
+	writeModel := NewIAMWriteModel(id)
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/iam.go
+++ b/internal/v2/command/iam.go
@@ -0,0 +1,16 @@
+package command
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/v2/domain"
+)
+
+func (r *CommandSide) GetIAM(ctx context.Context, aggregateID string) (*domain.IAM, error) {
+	iamWriteModel := NewIAMWriteModel(aggregateID)
+	err := r.eventstore.FilterToQueryReducer(ctx, iamWriteModel)
+	if err != nil {
+		return nil, err
+	}
+	return writeModelToIAM(iamWriteModel), nil
+}
--- a/internal/v2/command/iam_converter.go
+++ b/internal/v2/command/iam_converter.go
@@ -3,7 +3,6 @@ package command
 import (
 	"github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/eventstore/v2"
-	"github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/v2/domain"
 )

@@ -16,8 +15,8 @@ func writeModelToObjectRoot(writeModel eventstore.WriteModel) models.ObjectRoot
 	}
 }

-func writeModelToIAM(wm *IAMWriteModel) *model.IAM {
-	return &model.IAM{
+func writeModelToIAM(wm *IAMWriteModel) *domain.IAM {
+	return &domain.IAM{
 		ObjectRoot:   writeModelToObjectRoot(wm.WriteModel),
 		SetUpStarted: wm.SetUpStarted,
 		SetUpDone:    wm.SetUpDone,
--- a/internal/v2/command/iam_model.go
+++ b/internal/v2/command/iam_model.go
@@ -16,7 +16,7 @@ type IAMWriteModel struct {
 	ProjectID   string
 }

-func NewIAMriteModel(iamID string) *IAMWriteModel {
+func NewIAMWriteModel(iamID string) *IAMWriteModel {
 	return &IAMWriteModel{
 		WriteModel: eventstore.WriteModel{
 			AggregateID: iamID,
--- a/internal/v2/command/iam_policy_label.go
+++ b/internal/v2/command/iam_policy_label.go
@@ -11,16 +11,11 @@ import (
 func (r *CommandSide) AddDefaultLabelPolicy(ctx context.Context, policy *domain.LabelPolicy) (*domain.LabelPolicy, error) {
 	policy.AggregateID = r.iamID
 	addedPolicy := NewIAMLabelPolicyWriteModel(policy.AggregateID)
-	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
+	iamAgg := IAMAggregateFromWriteModel(&addedPolicy.LabelPolicyWriteModel.WriteModel)
+	err := r.addDefaultLabelPolicy(ctx, nil, addedPolicy, policy)
 	if err != nil {
 		return nil, err
 	}
-	if addedPolicy.IsActive {
-		return nil, caos_errs.ThrowAlreadyExists(nil, "IAM-2B0ps", "Errors.IAM.LabelPolicy.AlreadyExists")
-	}
-
-	iamAgg := IAMAggregateFromWriteModel(&addedPolicy.LabelPolicyWriteModel.WriteModel)
-	iamAgg.PushEvents(iam_repo.NewLabelPolicyAddedEvent(ctx, policy.PrimaryColor, policy.SecondaryColor))

 	err = r.eventstore.PushAggregate(ctx, addedPolicy, iamAgg)
 	if err != nil {
@@ -30,6 +25,20 @@ func (r *CommandSide) AddDefaultLabelPolicy(ctx context.Context, policy *domain.
 	return writeModelToLabelPolicy(addedPolicy), nil
 }

+func (r *CommandSide) addDefaultLabelPolicy(ctx context.Context, iamAgg *iam_repo.Aggregate, addedPolicy *IAMLabelPolicyWriteModel, policy *domain.LabelPolicy) error {
+	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
+	if err != nil {
+		return err
+	}
+	if addedPolicy.IsActive {
+		return caos_errs.ThrowAlreadyExists(nil, "IAM-2B0ps", "Errors.IAM.LabelPolicy.AlreadyExists")
+	}
+
+	iamAgg.PushEvents(iam_repo.NewLabelPolicyAddedEvent(ctx, policy.PrimaryColor, policy.SecondaryColor))
+
+	return nil
+}
+
 func (r *CommandSide) ChangeDefaultLabelPolicy(ctx context.Context, policy *domain.LabelPolicy) (*domain.LabelPolicy, error) {
 	policy.AggregateID = r.iamID
 	existingPolicy, err := r.defaultLabelPolicyWriteModelByID(ctx, policy.AggregateID)
--- a/internal/v2/command/iam_policy_login.go
+++ b/internal/v2/command/iam_policy_login.go
@@ -2,6 +2,7 @@ package command

 import (
 	"context"
+
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
@@ -9,10 +10,22 @@ import (
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
 )

+func (r *CommandSide) GetDefaultLoginPolicy(ctx context.Context) (*domain.LoginPolicy, error) {
+	policyWriteModel := NewIAMLoginPolicyWriteModel(r.iamID)
+	err := r.eventstore.FilterToQueryReducer(ctx, policyWriteModel)
+	if err != nil {
+		return nil, err
+	}
+	policy := writeModelToLoginPolicy(policyWriteModel)
+	policy.Default = true
+	return policy, nil
+}
+
 func (r *CommandSide) AddDefaultLoginPolicy(ctx context.Context, policy *domain.LoginPolicy) (*domain.LoginPolicy, error) {
 	policy.AggregateID = r.iamID
 	addedPolicy := NewIAMLoginPolicyWriteModel(policy.AggregateID)
-	iamAgg, err := r.addDefaultLoginPolicy(ctx, addedPolicy, policy)
+	iamAgg := IAMAggregateFromWriteModel(&addedPolicy.WriteModel)
+	err := r.addDefaultLoginPolicy(ctx, nil, addedPolicy, policy)
 	if err != nil {
 		return nil, err
 	}
@@ -24,37 +37,28 @@ func (r *CommandSide) AddDefaultLoginPolicy(ctx context.Context, policy *domain.
 	return writeModelToLoginPolicy(addedPolicy), nil
 }

-func (r *CommandSide) addDefaultLoginPolicy(ctx context.Context, addedPolicy *IAMLoginPolicyWriteModel, policy *domain.LoginPolicy) (*iam_repo.Aggregate, error) {
+func (r *CommandSide) addDefaultLoginPolicy(ctx context.Context, iamAgg *iam_repo.Aggregate, addedPolicy *IAMLoginPolicyWriteModel, policy *domain.LoginPolicy) error {
 	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	if addedPolicy.IsActive {
-		return nil, caos_errs.ThrowAlreadyExists(nil, "IAM-2B0ps", "Errors.IAM.LoginPolicy.AlreadyExists")
+		return caos_errs.ThrowAlreadyExists(nil, "IAM-2B0ps", "Errors.IAM.LoginPolicy.AlreadyExists")
 	}

-	iamAgg := IAMAggregateFromWriteModel(&addedPolicy.LoginPolicyWriteModel.WriteModel)
 	iamAgg.PushEvents(iam_repo.NewLoginPolicyAddedEvent(ctx, policy.AllowUsernamePassword, policy.AllowRegister, policy.AllowExternalIdp, policy.ForceMFA, policy.PasswordlessType))

-	return iamAgg, nil
+	return nil
 }

 func (r *CommandSide) ChangeDefaultLoginPolicy(ctx context.Context, policy *domain.LoginPolicy) (*domain.LoginPolicy, error) {
 	policy.AggregateID = r.iamID
-	existingPolicy, err := r.defaultLoginPolicyWriteModelByID(ctx, policy.AggregateID)
+	existingPolicy := NewIAMLoginPolicyWriteModel(r.iamID)
+	iamAgg := IAMAggregateFromWriteModel(&existingPolicy.LoginPolicyWriteModel.WriteModel)
+	err := r.changeDefaultLoginPolicy(ctx, iamAgg, existingPolicy, policy)
 	if err != nil {
 		return nil, err
 	}
-	if !existingPolicy.IsActive {
-		return nil, caos_errs.ThrowAlreadyExists(nil, "IAM-M0sif", "Errors.IAM.LoginPolicy.NotFound")
-	}
-	changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, policy.AllowUsernamePassword, policy.AllowRegister, policy.AllowExternalIdp, policy.ForceMFA, domain.PasswordlessType(policy.PasswordlessType))
-	if !hasChanged {
-		return nil, caos_errs.ThrowAlreadyExists(nil, "IAM-5M9vdd", "Errors.IAM.LoginPolicy.NotChanged")
-	}
-	iamAgg := IAMAggregateFromWriteModel(&existingPolicy.LoginPolicyWriteModel.WriteModel)
-	iamAgg.PushEvents(changedEvent)
-
 	err = r.eventstore.PushAggregate(ctx, existingPolicy, iamAgg)
 	if err != nil {
 		return nil, err
@@ -63,6 +67,24 @@ func (r *CommandSide) ChangeDefaultLoginPolicy(ctx context.Context, policy *doma
 	return writeModelToLoginPolicy(existingPolicy), nil
 }

+func (r *CommandSide) changeDefaultLoginPolicy(ctx context.Context, iamAgg *iam_repo.Aggregate, existingPolicy *IAMLoginPolicyWriteModel, policy *domain.LoginPolicy) error {
+	policy.AggregateID = r.iamID
+	err := r.defaultLoginPolicyWriteModelByID(ctx, existingPolicy)
+	if err != nil {
+		return err
+	}
+	if !existingPolicy.IsActive {
+		return caos_errs.ThrowAlreadyExists(nil, "IAM-M0sif", "Errors.IAM.LoginPolicy.NotFound")
+	}
+	changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, policy.AllowUsernamePassword, policy.AllowRegister, policy.AllowExternalIdp, policy.ForceMFA, domain.PasswordlessType(policy.PasswordlessType))
+	if !hasChanged {
+		return caos_errs.ThrowAlreadyExists(nil, "IAM-5M9vdd", "Errors.IAM.LoginPolicy.NotChanged")
+	}
+	iamAgg.PushEvents(changedEvent)
+
+	return nil
+}
+
 func (r *CommandSide) AddIDPProviderToDefaultLoginPolicy(ctx context.Context, idpProvider *domain.IDPProvider) (*domain.IDPProvider, error) {
 	idpProvider.AggregateID = r.iamID
 	idpModel := NewIAMIdentityProviderWriteModel(idpProvider.AggregateID, idpProvider.IDPConfigID)
@@ -102,18 +124,12 @@ func (r *CommandSide) RemoveIDPProviderFromDefaultLoginPolicy(ctx context.Contex

 func (r *CommandSide) AddSecondFactorToDefaultLoginPolicy(ctx context.Context, secondFactor iam_model.SecondFactorType) (iam_model.SecondFactorType, error) {
 	secondFactorModel := NewIAMSecondFactorWriteModel(r.iamID)
-	err := r.eventstore.FilterToQueryReducer(ctx, secondFactorModel)
+	iamAgg := IAMAggregateFromWriteModel(&secondFactorModel.SecondFactorWriteModel.WriteModel)
+	err := r.addSecondFactorToDefaultLoginPolicy(ctx, nil, secondFactorModel, secondFactor)
 	if err != nil {
 		return iam_model.SecondFactorTypeUnspecified, err
 	}

-	if secondFactorModel.IsActive {
-		return iam_model.SecondFactorTypeUnspecified, caos_errs.ThrowAlreadyExists(nil, "IAM-2B0ps", "Errors.IAM.LoginPolicy.MFA.AlreadyExists")
-	}
-
-	iamAgg := IAMAggregateFromWriteModel(&secondFactorModel.SecondFactorWriteModel.WriteModel)
-	iamAgg.PushEvents(iam_repo.NewLoginPolicySecondFactorAddedEvent(ctx, domain.SecondFactorType(secondFactor)))
-
 	if err = r.eventstore.PushAggregate(ctx, secondFactorModel, iamAgg); err != nil {
 		return iam_model.SecondFactorTypeUnspecified, err
 	}
@@ -121,6 +137,21 @@ func (r *CommandSide) AddSecondFactorToDefaultLoginPolicy(ctx context.Context, s
 	return iam_model.SecondFactorType(secondFactorModel.MFAType), nil
 }

+func (r *CommandSide) addSecondFactorToDefaultLoginPolicy(ctx context.Context, iamAgg *iam_repo.Aggregate, secondFactorModel *IAMSecondFactorWriteModel, secondFactor iam_model.SecondFactorType) error {
+	err := r.eventstore.FilterToQueryReducer(ctx, secondFactorModel)
+	if err != nil {
+		return err
+	}
+
+	if secondFactorModel.IsActive {
+		return caos_errs.ThrowAlreadyExists(nil, "IAM-2B0ps", "Errors.IAM.LoginPolicy.MFA.AlreadyExists")
+	}
+
+	iamAgg.PushEvents(iam_repo.NewLoginPolicySecondFactorAddedEvent(ctx, domain.SecondFactorType(secondFactor)))
+
+	return nil
+}
+
 func (r *CommandSide) RemoveSecondFactorFromDefaultLoginPolicy(ctx context.Context, secondFactor iam_model.SecondFactorType) error {
 	secondFactorModel := NewIAMSecondFactorWriteModel(r.iamID)
 	err := r.eventstore.FilterToQueryReducer(ctx, secondFactorModel)
@@ -138,15 +169,11 @@ func (r *CommandSide) RemoveSecondFactorFromDefaultLoginPolicy(ctx context.Conte

 func (r *CommandSide) AddMultiFactorToDefaultLoginPolicy(ctx context.Context, multiFactor iam_model.MultiFactorType) (iam_model.MultiFactorType, error) {
 	multiFactorModel := NewIAMMultiFactorWriteModel(r.iamID)
-	err := r.eventstore.FilterToQueryReducer(ctx, multiFactorModel)
+	iamAgg := IAMAggregateFromWriteModel(&multiFactorModel.MultiFactoryWriteModel.WriteModel)
+	err := r.addMultiFactorToDefaultLoginPolicy(ctx, iamAgg, multiFactorModel, multiFactor)
 	if err != nil {
 		return iam_model.MultiFactorTypeUnspecified, err
 	}
-	if multiFactorModel.IsActive {
-		return iam_model.MultiFactorTypeUnspecified, caos_errs.ThrowAlreadyExists(nil, "IAM-3M9od", "Errors.IAM.LoginPolicy.MFA.AlreadyExists")
-	}
-	iamAgg := IAMAggregateFromWriteModel(&multiFactorModel.MultiFactoryWriteModel.WriteModel)
-	iamAgg.PushEvents(iam_repo.NewLoginPolicyMultiFactorAddedEvent(ctx, domain.MultiFactorType(multiFactor)))

 	if err = r.eventstore.PushAggregate(ctx, multiFactorModel, iamAgg); err != nil {
 		return iam_model.MultiFactorTypeUnspecified, err
@@ -155,6 +182,20 @@ func (r *CommandSide) AddMultiFactorToDefaultLoginPolicy(ctx context.Context, mu
 	return iam_model.MultiFactorType(multiFactorModel.MultiFactoryWriteModel.MFAType), nil
 }

+func (r *CommandSide) addMultiFactorToDefaultLoginPolicy(ctx context.Context, iamAgg *iam_repo.Aggregate, multiFactorModel *IAMMultiFactorWriteModel, multiFactor iam_model.MultiFactorType) error {
+	err := r.eventstore.FilterToQueryReducer(ctx, multiFactorModel)
+	if err != nil {
+		return err
+	}
+	if multiFactorModel.IsActive {
+		return caos_errs.ThrowAlreadyExists(nil, "IAM-3M9od", "Errors.IAM.LoginPolicy.MFA.AlreadyExists")
+	}
+
+	iamAgg.PushEvents(iam_repo.NewLoginPolicyMultiFactorAddedEvent(ctx, domain.MultiFactorType(multiFactor)))
+
+	return nil
+}
+
 func (r *CommandSide) RemoveMultiFactorFromDefaultLoginPolicy(ctx context.Context, multiFactor iam_model.MultiFactorType) error {
 	multiFactorModel := NewIAMMultiFactorWriteModel(r.iamID)
 	err := r.eventstore.FilterToQueryReducer(ctx, multiFactorModel)
@@ -170,14 +211,13 @@ func (r *CommandSide) RemoveMultiFactorFromDefaultLoginPolicy(ctx context.Contex
 	return r.eventstore.PushAggregate(ctx, multiFactorModel, iamAgg)
 }

-func (r *CommandSide) defaultLoginPolicyWriteModelByID(ctx context.Context, iamID string) (policy *IAMLoginPolicyWriteModel, err error) {
+func (r *CommandSide) defaultLoginPolicyWriteModelByID(ctx context.Context, writeModel *IAMLoginPolicyWriteModel) (err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel := NewIAMLoginPolicyWriteModel(iamID)
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
-		return nil, err
+		return err
 	}
-	return writeModel, nil
+	return nil
 }
--- a/internal/v2/command/iam_policy_org_iam.go
+++ b/internal/v2/command/iam_policy_org_iam.go
@@ -22,15 +22,11 @@ func (r *CommandSide) GetDefaultOrgIAMPolicy(ctx context.Context) (*domain.OrgIA
 func (r *CommandSide) AddDefaultOrgIAMPolicy(ctx context.Context, policy *domain.OrgIAMPolicy) (*domain.OrgIAMPolicy, error) {
 	policy.AggregateID = r.iamID
 	addedPolicy := NewIAMOrgIAMPolicyWriteModel(policy.AggregateID)
-	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
+	iamAgg := IAMAggregateFromWriteModel(&addedPolicy.WriteModel)
+	err := r.addDefaultOrgIAMPolicy(ctx, nil, addedPolicy, policy)
 	if err != nil {
 		return nil, err
 	}
-	if addedPolicy.IsActive {
-		return nil, caos_errs.ThrowAlreadyExists(nil, "IAM-Lk0dS", "Errors.IAM.OrgIAMPolicy.AlreadyExists")
-	}
-	iamAgg := IAMAggregateFromWriteModel(&addedPolicy.PolicyOrgIAMWriteModel.WriteModel)
-	iamAgg.PushEvents(iam_repo.NewOrgIAMPolicyAddedEvent(ctx, policy.UserLoginMustBeDomain))

 	err = r.eventstore.PushAggregate(ctx, addedPolicy, iamAgg)
 	if err != nil {
@@ -40,6 +36,19 @@ func (r *CommandSide) AddDefaultOrgIAMPolicy(ctx context.Context, policy *domain
 	return writeModelToOrgIAMPolicy(addedPolicy), nil
 }

+func (r *CommandSide) addDefaultOrgIAMPolicy(ctx context.Context, iamAgg *iam_repo.Aggregate, addedPolicy *IAMOrgIAMPolicyWriteModel, policy *domain.OrgIAMPolicy) error {
+	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
+	if err != nil {
+		return err
+	}
+	if addedPolicy.IsActive {
+		return caos_errs.ThrowAlreadyExists(nil, "IAM-Lk0dS", "Errors.IAM.OrgIAMPolicy.AlreadyExists")
+	}
+	iamAgg.PushEvents(iam_repo.NewOrgIAMPolicyAddedEvent(ctx, policy.UserLoginMustBeDomain))
+
+	return nil
+}
+
 func (r *CommandSide) ChangeDefaultOrgIAMPolicy(ctx context.Context, policy *domain.OrgIAMPolicy) (*domain.OrgIAMPolicy, error) {
 	policy.AggregateID = r.iamID
 	existingPolicy, err := r.defaultOrgIAMPolicyWriteModelByID(ctx, policy.AggregateID)
--- a/internal/v2/command/iam_policy_password_age.go
+++ b/internal/v2/command/iam_policy_password_age.go
@@ -11,16 +11,11 @@ import (
 func (r *CommandSide) AddDefaultPasswordAgePolicy(ctx context.Context, policy *domain.PasswordAgePolicy) (*domain.PasswordAgePolicy, error) {
 	policy.AggregateID = r.iamID
 	addedPolicy := NewIAMPasswordAgePolicyWriteModel(policy.AggregateID)
-	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
+	iamAgg := IAMAggregateFromWriteModel(&addedPolicy.WriteModel)
+	err := r.addDefaultPasswordAgePolicy(ctx, nil, addedPolicy, policy)
 	if err != nil {
 		return nil, err
 	}
-	if addedPolicy.IsActive {
-		return nil, caos_errs.ThrowAlreadyExists(nil, "IAM-2B0ps", "Errors.IAM.PasswordAgePolicy.AlreadyExists")
-	}
-
-	iamAgg := IAMAggregateFromWriteModel(&addedPolicy.PasswordAgePolicyWriteModel.WriteModel)
-	iamAgg.PushEvents(iam_repo.NewPasswordAgePolicyAddedEvent(ctx, policy.ExpireWarnDays, policy.MaxAgeDays))

 	err = r.eventstore.PushAggregate(ctx, addedPolicy, iamAgg)
 	if err != nil {
@@ -30,6 +25,20 @@ func (r *CommandSide) AddDefaultPasswordAgePolicy(ctx context.Context, policy *d
 	return writeModelToPasswordAgePolicy(addedPolicy), nil
 }

+func (r *CommandSide) addDefaultPasswordAgePolicy(ctx context.Context, iamAgg *iam_repo.Aggregate, addedPolicy *IAMPasswordAgePolicyWriteModel, policy *domain.PasswordAgePolicy) error {
+	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
+	if err != nil {
+		return err
+	}
+	if addedPolicy.IsActive {
+		return caos_errs.ThrowAlreadyExists(nil, "IAM-Lk0dS", "Errors.IAM.PasswordAgePolicy.AlreadyExists")
+	}
+
+	iamAgg.PushEvents(iam_repo.NewPasswordAgePolicyAddedEvent(ctx, policy.ExpireWarnDays, policy.MaxAgeDays))
+
+	return nil
+}
+
 func (r *CommandSide) ChangeDefaultPasswordAgePolicy(ctx context.Context, policy *domain.PasswordAgePolicy) (*domain.PasswordAgePolicy, error) {
 	policy.AggregateID = r.iamID
 	existingPolicy, err := r.defaultPasswordAgePolicyWriteModelByID(ctx, policy.AggregateID)
--- a/internal/v2/command/iam_policy_password_complexity.go
+++ b/internal/v2/command/iam_policy_password_complexity.go
@@ -22,7 +22,8 @@ func (r *CommandSide) GetDefaultPasswordComplexityPolicy(ctx context.Context) (*
 func (r *CommandSide) AddDefaultPasswordComplexityPolicy(ctx context.Context, policy *domain.PasswordComplexityPolicy) (*domain.PasswordComplexityPolicy, error) {
 	policy.AggregateID = r.iamID
 	addedPolicy := NewIAMPasswordComplexityPolicyWriteModel(policy.AggregateID)
-	iamAgg, err := r.addDefaultPasswordComplexityPolicy(ctx, addedPolicy, policy)
+	iamAgg := IAMAggregateFromWriteModel(&addedPolicy.WriteModel)
+	err := r.addDefaultPasswordComplexityPolicy(ctx, iamAgg, addedPolicy, policy)
 	if err != nil {
 		return nil, err
 	}
@@ -35,23 +36,22 @@ func (r *CommandSide) AddDefaultPasswordComplexityPolicy(ctx context.Context, po
 	return writeModelToPasswordComplexityPolicy(addedPolicy), nil
 }

-func (r *CommandSide) addDefaultPasswordComplexityPolicy(ctx context.Context, addedPolicy *IAMPasswordComplexityPolicyWriteModel, policy *domain.PasswordComplexityPolicy) (*iam_repo.Aggregate, error) {
+func (r *CommandSide) addDefaultPasswordComplexityPolicy(ctx context.Context, iamAgg *iam_repo.Aggregate, addedPolicy *IAMPasswordComplexityPolicyWriteModel, policy *domain.PasswordComplexityPolicy) error {
 	if err := policy.IsValid(); err != nil {
-		return nil, err
+		return err
 	}

 	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	if addedPolicy.IsActive {
-		return nil, caos_errs.ThrowAlreadyExists(nil, "IAM-Lk0dS", "Errors.IAM.PasswordComplexityPolicy.AlreadyExists")
+		return caos_errs.ThrowAlreadyExists(nil, "IAM-Lk0dS", "Errors.IAM.PasswordComplexityPolicy.AlreadyExists")
 	}

-	iamAgg := IAMAggregateFromWriteModel(&addedPolicy.PasswordComplexityPolicyWriteModel.WriteModel)
 	iamAgg.PushEvents(iam_repo.NewPasswordComplexityPolicyAddedEvent(ctx, policy.MinLength, policy.HasLowercase, policy.HasUppercase, policy.HasNumber, policy.HasSymbol))

-	return iamAgg, nil
+	return nil
 }

 func (r *CommandSide) ChangeDefaultPasswordComplexityPolicy(ctx context.Context, policy *domain.PasswordComplexityPolicy) (*domain.PasswordComplexityPolicy, error) {
--- a/internal/v2/command/iam_policy_password_lockout.go
+++ b/internal/v2/command/iam_policy_password_lockout.go
@@ -11,16 +11,11 @@ import (
 func (r *CommandSide) AddDefaultPasswordLockoutPolicy(ctx context.Context, policy *domain.PasswordLockoutPolicy) (*domain.PasswordLockoutPolicy, error) {
 	policy.AggregateID = r.iamID
 	addedPolicy := NewIAMPasswordLockoutPolicyWriteModel(policy.AggregateID)
-	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
+	iamAgg := IAMAggregateFromWriteModel(&addedPolicy.WriteModel)
+	err := r.addDefaultPasswordLockoutPolicy(ctx, nil, addedPolicy, policy)
 	if err != nil {
 		return nil, err
 	}
-	if addedPolicy.IsActive {
-		return nil, caos_errs.ThrowAlreadyExists(nil, "IAM-0olDf", "Errors.IAM.PasswordLockoutPolicy.AlreadyExists")
-	}
-
-	iamAgg := IAMAggregateFromWriteModel(&addedPolicy.PasswordLockoutPolicyWriteModel.WriteModel)
-	iamAgg.PushEvents(iam_repo.NewPasswordLockoutPolicyAddedEvent(ctx, policy.MaxAttempts, policy.ShowLockOutFailures))

 	err = r.eventstore.PushAggregate(ctx, addedPolicy, iamAgg)
 	if err != nil {
@@ -30,6 +25,20 @@ func (r *CommandSide) AddDefaultPasswordLockoutPolicy(ctx context.Context, polic
 	return writeModelToPasswordLockoutPolicy(addedPolicy), nil
 }

+func (r *CommandSide) addDefaultPasswordLockoutPolicy(ctx context.Context, iamAgg *iam_repo.Aggregate, addedPolicy *IAMPasswordLockoutPolicyWriteModel, policy *domain.PasswordLockoutPolicy) error {
+	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
+	if err != nil {
+		return err
+	}
+	if addedPolicy.IsActive {
+		return caos_errs.ThrowAlreadyExists(nil, "IAM-0olDf", "Errors.IAM.PasswordLockoutPolicy.AlreadyExists")
+	}
+
+	iamAgg.PushEvents(iam_repo.NewPasswordLockoutPolicyAddedEvent(ctx, policy.MaxAttempts, policy.ShowLockOutFailures))
+
+	return nil
+}
+
 func (r *CommandSide) ChangeDefaultPasswordLockoutPolicy(ctx context.Context, policy *domain.PasswordLockoutPolicy) (*domain.PasswordLockoutPolicy, error) {
 	policy.AggregateID = r.iamID
 	existingPolicy, err := r.defaultPasswordLockoutPolicyWriteModelByID(ctx, policy.AggregateID)
--- a/internal/v2/command/setup.go
+++ b/internal/v2/command/setup.go
@@ -3,13 +3,59 @@ package command
 import (
 	"context"

+	"github.com/caos/logging"
+
+	"github.com/caos/zitadel/internal/api/authz"
 	caos_errs "github.com/caos/zitadel/internal/errors"
-	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/v2/domain"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
 )

-func (r *CommandSide) StartSetup(ctx context.Context, iamID string, step domain.Step) (*iam_model.IAM, error) {
+type Step interface {
+	Step() domain.Step
+	execute(context.Context, *CommandSide) error
+}
+
+const (
+	SetupUser = "SETUP"
+)
+
+func (r *CommandSide) ExecuteSetupSteps(ctx context.Context, steps []Step) error {
+	iam, err := r.GetIAM(ctx, r.iamID)
+	if err != nil && !caos_errs.IsNotFound(err) {
+		return err
+	}
+	if iam != nil && (iam.SetUpDone == domain.StepCount-1 || iam.SetUpStarted != iam.SetUpDone) {
+		logging.Log("COMMA-dgd2z").Info("all steps done")
+		return nil
+	}
+
+	if iam == nil {
+		iam = &domain.IAM{ObjectRoot: models.ObjectRoot{AggregateID: r.iamID}}
+	}
+
+	ctx = setSetUpContextData(ctx, r.iamID)
+
+	for _, step := range steps {
+		iam, err = r.StartSetup(ctx, r.iamID, step.Step())
+		if err != nil {
+			return err
+		}
+
+		err = step.execute(ctx, r)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func setSetUpContextData(ctx context.Context, orgID string) context.Context {
+	return authz.SetCtxData(ctx, authz.CtxData{UserID: SetupUser, OrgID: orgID})
+}
+
+func (r *CommandSide) StartSetup(ctx context.Context, iamID string, step domain.Step) (*domain.IAM, error) {
 	iamWriteModel, err := r.iamByID(ctx, iamID)
 	if err != nil && !caos_errs.IsNotFound(err) {
 		return nil, err
@@ -25,6 +71,27 @@ func (r *CommandSide) StartSetup(ctx context.Context, iamID string, step domain.
 	return writeModelToIAM(iamWriteModel), nil
 }

+func (r *CommandSide) setup(ctx context.Context, step Step, iamAggregateProvider func(*IAMWriteModel) (*iam_repo.Aggregate, error)) error {
+	iam, err := r.iamByID(ctx, r.iamID)
+	if err != nil && !caos_errs.IsNotFound(err) {
+		return err
+	}
+	if iam.SetUpStarted != step.Step() && iam.SetUpDone+1 != step.Step() {
+		return caos_errs.ThrowPreconditionFailed(nil, "EVENT-Dge32", "wrong step")
+	}
+	iamAgg, err := iamAggregateProvider(iam)
+	if err != nil {
+		return err
+	}
+	iamAgg.PushEvents(iam_repo.NewSetupStepDoneEvent(ctx, step.Step()))
+
+	_, err = r.eventstore.PushAggregates(ctx, iamAgg)
+	if err != nil {
+		return caos_errs.ThrowPreconditionFailedf(nil, "EVENT-dbG31", "Setup %s failed", step.Step())
+	}
+	return nil
+}
+
 //func (r *CommandSide) setupDone(ctx context.Context, iamAgg *iam_repo.Aggregate, event eventstore.EventPusher, aggregates ...eventstore.Aggregater) error {
 //	aggregate := iamAgg.PushEvents(event)
 //
--- a/internal/v2/command/setup_step1.go
+++ b/internal/v2/command/setup_step1.go
@@ -22,6 +22,14 @@ type Step1 struct {
 	//pwComplexityPolicy *iam_model.PasswordComplexityPolicyView
 }

+func (s *Step1) Step() domain.Step {
+	return domain.Step1
+}
+
+func (s *Step1) execute(ctx context.Context, commandSide *CommandSide) error {
+	return commandSide.SetupStep1(ctx, commandSide.iamID, s)
+}
+
 type LoginPolicy struct {
 	AllowRegister         bool
 	AllowUsernamePassword bool
@@ -63,14 +71,10 @@ type OIDCApp struct {
 	DevMode                bool
 }

-func (r *CommandSide) SetupStep1(ctx context.Context, iamID string, step1 Step1) error {
-	iam, err := r.iamByID(ctx, iamID)
-	if err != nil && !caos_errs.IsNotFound(err) {
-		return err
-	}
+func (r *CommandSide) SetupStep1(ctx context.Context, iamID string, step1 *Step1) error {
+	iamAgg := iam_repo.NewAggregate(r.iamID, "", 0)
 	//create default login policy
-	iamAgg, err := r.addDefaultLoginPolicy(ctx,
-		NewIAMLoginPolicyWriteModel(iam.AggregateID),
+	err := r.addDefaultLoginPolicy(ctx, iamAgg, NewIAMLoginPolicyWriteModel(iamAgg.ID()),
 		&domain.LoginPolicy{
 			AllowUsernamePassword: step1.DefaultLoginPolicy.AllowUsernamePassword,
 			AllowRegister:         step1.DefaultLoginPolicy.AllowRegister,
--- a/internal/v2/command/setup_step2.go
+++ b/internal/v2/command/setup_step2.go
@@ -3,7 +3,6 @@ package command
 import (
 	"context"

-	caos_errs "github.com/caos/zitadel/internal/errors"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/v2/domain"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
@@ -13,26 +12,28 @@ type Step2 struct {
 	DefaultPasswordComplexityPolicy iam_model.PasswordComplexityPolicy
 }

-func (r *CommandSide) SetupStep2(ctx context.Context, iamID string, step Step2) error {
-	iam, err := r.iamByID(ctx, iamID)
-	if err != nil && !caos_errs.IsNotFound(err) {
-		return err
-	}
-	iamAgg, err := r.addDefaultPasswordComplexityPolicy(ctx, NewIAMPasswordComplexityPolicyWriteModel(iam.AggregateID), &domain.PasswordComplexityPolicy{
-		MinLength:    step.DefaultPasswordComplexityPolicy.MinLength,
-		HasLowercase: step.DefaultPasswordComplexityPolicy.HasLowercase,
-		HasUppercase: step.DefaultPasswordComplexityPolicy.HasUppercase,
-		HasNumber:    step.DefaultPasswordComplexityPolicy.HasNumber,
-		HasSymbol:    step.DefaultPasswordComplexityPolicy.HasSymbol,
-	})
-	if err != nil {
-		return err
-	}
-	iamAgg.PushEvents(iam_repo.NewSetupStepDoneEvent(ctx, domain.Step1))
-
-	_, err = r.eventstore.PushAggregates(ctx, iamAgg)
-	if err != nil {
-		return caos_errs.ThrowPreconditionFailed(nil, "EVENT-HR2na", "Setup Step2 failed")
-	}
-	return nil
+func (s *Step2) Step() domain.Step {
+	return domain.Step2
+}
+
+func (s *Step2) execute(ctx context.Context, commandSide *CommandSide) error {
+	return commandSide.SetupStep2(ctx, s)
+}
+
+func (r *CommandSide) SetupStep2(ctx context.Context, step *Step2) error {
+	fn := func(iam *IAMWriteModel) (*iam_repo.Aggregate, error) {
+		iamAgg := IAMAggregateFromWriteModel(&iam.WriteModel)
+		err := r.addDefaultPasswordComplexityPolicy(ctx, iamAgg, NewIAMPasswordComplexityPolicyWriteModel(iam.AggregateID), &domain.PasswordComplexityPolicy{
+			MinLength:    step.DefaultPasswordComplexityPolicy.MinLength,
+			HasLowercase: step.DefaultPasswordComplexityPolicy.HasLowercase,
+			HasUppercase: step.DefaultPasswordComplexityPolicy.HasUppercase,
+			HasNumber:    step.DefaultPasswordComplexityPolicy.HasNumber,
+			HasSymbol:    step.DefaultPasswordComplexityPolicy.HasSymbol,
+		})
+		if err != nil {
+			return nil, err
+		}
+		return iamAgg, err
+	}
+	return r.setup(ctx, step, fn)
 }
--- a/internal/v2/command/setup_step3.go
+++ b/internal/v2/command/setup_step3.go
@@ -0,0 +1,36 @@
+package command
+
+import (
+	"context"
+
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
+	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
+)
+
+type Step3 struct {
+	DefaultPasswordAgePolicy iam_model.PasswordAgePolicy
+}
+
+func (s *Step3) Step() domain.Step {
+	return domain.Step3
+}
+
+func (s *Step3) execute(ctx context.Context, commandSide *CommandSide) error {
+	return commandSide.SetupStep3(ctx, s)
+}
+
+func (r *CommandSide) SetupStep3(ctx context.Context, step *Step3) error {
+	fn := func(iam *IAMWriteModel) (*iam_repo.Aggregate, error) {
+		iamAgg := IAMAggregateFromWriteModel(&iam.WriteModel)
+		err := r.addDefaultPasswordAgePolicy(ctx, iamAgg, NewIAMPasswordAgePolicyWriteModel(iam.AggregateID), &domain.PasswordAgePolicy{
+			MaxAgeDays:     step.DefaultPasswordAgePolicy.MaxAgeDays,
+			ExpireWarnDays: step.DefaultPasswordAgePolicy.ExpireWarnDays,
+		})
+		if err != nil {
+			return nil, err
+		}
+		return iamAgg, nil
+	}
+	return r.setup(ctx, step, fn)
+}
--- a/internal/v2/command/setup_step4.go
+++ b/internal/v2/command/setup_step4.go
@@ -0,0 +1,36 @@
+package command
+
+import (
+	"context"
+
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
+	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
+)
+
+type Step4 struct {
+	DefaultPasswordLockoutPolicy iam_model.PasswordLockoutPolicy
+}
+
+func (s *Step4) Step() domain.Step {
+	return domain.Step4
+}
+
+func (s *Step4) execute(ctx context.Context, commandSide *CommandSide) error {
+	return commandSide.SetupStep4(ctx, s)
+}
+
+func (r *CommandSide) SetupStep4(ctx context.Context, step *Step4) error {
+	fn := func(iam *IAMWriteModel) (*iam_repo.Aggregate, error) {
+		iamAgg := IAMAggregateFromWriteModel(&iam.WriteModel)
+		err := r.addDefaultPasswordLockoutPolicy(ctx, iamAgg, NewIAMPasswordLockoutPolicyWriteModel(iam.AggregateID), &domain.PasswordLockoutPolicy{
+			MaxAttempts:         step.DefaultPasswordLockoutPolicy.MaxAttempts,
+			ShowLockOutFailures: step.DefaultPasswordLockoutPolicy.ShowLockOutFailures,
+		})
+		if err != nil {
+			return nil, err
+		}
+		return iamAgg, nil
+	}
+	return r.setup(ctx, step, fn)
+}
--- a/internal/v2/command/setup_step5.go
+++ b/internal/v2/command/setup_step5.go
@@ -0,0 +1,35 @@
+package command
+
+import (
+	"context"
+
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
+	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
+)
+
+type Step5 struct {
+	DefaultOrgIAMPolicy iam_model.OrgIAMPolicy
+}
+
+func (s *Step5) Step() domain.Step {
+	return domain.Step5
+}
+
+func (s *Step5) execute(ctx context.Context, commandSide *CommandSide) error {
+	return commandSide.SetupStep5(ctx, s)
+}
+
+func (r *CommandSide) SetupStep5(ctx context.Context, step *Step5) error {
+	fn := func(iam *IAMWriteModel) (*iam_repo.Aggregate, error) {
+		iamAgg := IAMAggregateFromWriteModel(&iam.WriteModel)
+		err := r.addDefaultOrgIAMPolicy(ctx, iamAgg, NewIAMOrgIAMPolicyWriteModel(iam.AggregateID), &domain.OrgIAMPolicy{
+			UserLoginMustBeDomain: step.DefaultOrgIAMPolicy.UserLoginMustBeDomain,
+		})
+		if err != nil {
+			return nil, err
+		}
+		return iamAgg, nil
+	}
+	return r.setup(ctx, step, fn)
+}
--- a/internal/v2/command/setup_step6.go
+++ b/internal/v2/command/setup_step6.go
@@ -0,0 +1,36 @@
+package command
+
+import (
+	"context"
+
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
+	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
+)
+
+type Step6 struct {
+	DefaultLabelPolicy iam_model.LabelPolicy
+}
+
+func (s *Step6) Step() domain.Step {
+	return domain.Step6
+}
+
+func (s *Step6) execute(ctx context.Context, commandSide *CommandSide) error {
+	return commandSide.SetupStep6(ctx, s)
+}
+
+func (r *CommandSide) SetupStep6(ctx context.Context, step *Step6) error {
+	fn := func(iam *IAMWriteModel) (*iam_repo.Aggregate, error) {
+		iamAgg := IAMAggregateFromWriteModel(&iam.WriteModel)
+		err := r.addDefaultLabelPolicy(ctx, iamAgg, NewIAMLabelPolicyWriteModel(iam.AggregateID), &domain.LabelPolicy{
+			PrimaryColor:   step.DefaultLabelPolicy.PrimaryColor,
+			SecondaryColor: step.DefaultLabelPolicy.SecondaryColor,
+		})
+		if err != nil {
+			return nil, err
+		}
+		return iamAgg, nil
+	}
+	return r.setup(ctx, step, fn)
+}
--- a/internal/v2/command/setup_step7.go
+++ b/internal/v2/command/setup_step7.go
@@ -0,0 +1,37 @@
+package command
+
+import (
+	"context"
+
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
+	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
+)
+
+type Step7 struct {
+	OTP bool
+}
+
+func (s *Step7) Step() domain.Step {
+	return domain.Step7
+}
+
+func (s *Step7) execute(ctx context.Context, commandSide *CommandSide) error {
+	return commandSide.SetupStep7(ctx, s)
+}
+
+func (r *CommandSide) SetupStep7(ctx context.Context, step *Step7) error {
+	fn := func(iam *IAMWriteModel) (*iam_repo.Aggregate, error) {
+		secondFactorModel := NewIAMSecondFactorWriteModel(iam.AggregateID)
+		iamAgg := IAMAggregateFromWriteModel(&secondFactorModel.SecondFactorWriteModel.WriteModel)
+		if !step.OTP {
+			return iamAgg, nil
+		}
+		err := r.addSecondFactorToDefaultLoginPolicy(ctx, iamAgg, secondFactorModel, iam_model.SecondFactorTypeOTP)
+		if err != nil {
+			return nil, err
+		}
+		return iamAgg, nil
+	}
+	return r.setup(ctx, step, fn)
+}
--- a/internal/v2/command/setup_step8.go
+++ b/internal/v2/command/setup_step8.go
@@ -0,0 +1,37 @@
+package command
+
+import (
+	"context"
+
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
+	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
+)
+
+type Step8 struct {
+	U2F bool
+}
+
+func (s *Step8) Step() domain.Step {
+	return domain.Step8
+}
+
+func (s *Step8) execute(ctx context.Context, commandSide *CommandSide) error {
+	return commandSide.SetupStep8(ctx, s)
+}
+
+func (r *CommandSide) SetupStep8(ctx context.Context, step *Step8) error {
+	fn := func(iam *IAMWriteModel) (*iam_repo.Aggregate, error) {
+		secondFactorModel := NewIAMSecondFactorWriteModel(iam.AggregateID)
+		iamAgg := IAMAggregateFromWriteModel(&secondFactorModel.SecondFactorWriteModel.WriteModel)
+		if !step.U2F {
+			return iamAgg, nil
+		}
+		err := r.addSecondFactorToDefaultLoginPolicy(ctx, iamAgg, secondFactorModel, iam_model.SecondFactorTypeU2F)
+		if err != nil {
+			return nil, err
+		}
+		return iamAgg, nil
+	}
+	return r.setup(ctx, step, fn)
+}
--- a/internal/v2/command/setup_step9.go
+++ b/internal/v2/command/setup_step9.go
@@ -0,0 +1,50 @@
+package command
+
+import (
+	"context"
+
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
+	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
+)
+
+type Step9 struct {
+	Passwordless bool
+}
+
+func (s *Step9) Step() domain.Step {
+	return domain.Step9
+}
+
+func (s *Step9) execute(ctx context.Context, commandSide *CommandSide) error {
+	return commandSide.SetupStep9(ctx, s)
+}
+
+func (r *CommandSide) SetupStep9(ctx context.Context, step *Step9) error {
+	fn := func(iam *IAMWriteModel) (*iam_repo.Aggregate, error) {
+		multiFactorModel := NewIAMMultiFactorWriteModel(iam.AggregateID)
+		iamAgg := IAMAggregateFromWriteModel(&multiFactorModel.MultiFactoryWriteModel.WriteModel)
+		if !step.Passwordless {
+			return iamAgg, nil
+		}
+		err := setPasswordlessAllowedInPolicy(ctx, r, iamAgg)
+		if err != nil {
+			return nil, err
+		}
+		err = r.addMultiFactorToDefaultLoginPolicy(ctx, iamAgg, multiFactorModel, iam_model.MultiFactorTypeU2FWithPIN)
+		if err != nil {
+			return nil, err
+		}
+		return iamAgg, err
+	}
+	return r.setup(ctx, step, fn)
+}
+
+func setPasswordlessAllowedInPolicy(ctx context.Context, c *CommandSide, iamAgg *iam_repo.Aggregate) error {
+	policy, err := c.GetDefaultLoginPolicy(ctx)
+	if err != nil {
+		return err
+	}
+	policy.PasswordlessType = domain.PasswordlessTypeAllowed
+	return c.changeDefaultLoginPolicy(ctx, iamAgg, NewIAMLoginPolicyWriteModel(iamAgg.ID()), policy)
+}
--- a/internal/v2/domain/iam.go
+++ b/internal/v2/domain/iam.go
@@ -0,0 +1,22 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/models"
+)
+
+type IAM struct {
+	models.ObjectRoot
+
+	GlobalOrgID                     string
+	IAMProjectID                    string
+	SetUpDone                       Step
+	SetUpStarted                    Step
+	Members                         []*IAMMember
+	IDPs                            []*IDPConfig
+	DefaultLoginPolicy              *LoginPolicy
+	DefaultLabelPolicy              *LabelPolicy
+	DefaultOrgIAMPolicy             *OrgIAMPolicy
+	DefaultPasswordComplexityPolicy *PasswordComplexityPolicy
+	DefaultPasswordAgePolicy        *PasswordAgePolicy
+	DefaultPasswordLockoutPolicy    *PasswordLockoutPolicy
+}
--- a/internal/v2/domain/step.go
+++ b/internal/v2/domain/step.go
@@ -11,6 +11,7 @@ const (
 	Step6
 	Step7
 	Step8
+	Step9
 	//StepCount marks the the length of possible steps (StepCount-1 == last possible step)
 	StepCount
 )
--- a/internal/v2/repository/policy/login.go
+++ b/internal/v2/repository/policy/login.go
@@ -18,11 +18,11 @@ const (
 type LoginPolicyAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	AllowUserNamePassword bool                    `json:"allowUsernamePassword"`
-	AllowRegister         bool                    `json:"allowRegister"`
-	AllowExternalIDP      bool                    `json:"allowExternalIdp"`
-	ForceMFA              bool                    `json:"forceMFA"`
-	PasswordlessType      domain.PasswordlessType `json:"passwordlessType"`
+	AllowUserNamePassword bool                    `json:"allowUsernamePassword,omitempty"`
+	AllowRegister         bool                    `json:"allowRegister,omitempty"`
+	AllowExternalIDP      bool                    `json:"allowExternalIdp,omitempty"`
+	ForceMFA              bool                    `json:"forceMFA,omitempty"`
+	PasswordlessType      domain.PasswordlessType `json:"passwordlessType,omitempty"`
 }

 func (e *LoginPolicyAddedEvent) Data() interface{} {
@@ -64,10 +64,10 @@ type LoginPolicyChangedEvent struct {
 	eventstore.BaseEvent `json:"-"`

 	AllowUserNamePassword bool                    `json:"allowUsernamePassword,omitempty"`
-	AllowRegister         bool                    `json:"allowRegister"`
-	AllowExternalIDP      bool                    `json:"allowExternalIdp"`
-	ForceMFA              bool                    `json:"forceMFA"`
-	PasswordlessType      domain.PasswordlessType `json:"passwordlessType"`
+	AllowRegister         bool                    `json:"allowRegister,omitempty"`
+	AllowExternalIDP      bool                    `json:"allowExternalIdp,omitempty"`
+	ForceMFA              bool                    `json:"forceMFA,omitempty"`
+	PasswordlessType      domain.PasswordlessType `json:"passwordlessType,omitempty"`
 }

 type LoginPolicyEventData struct {
--- a/internal/v2/repository/policy/policy_login_factors.go
+++ b/internal/v2/repository/policy/policy_login_factors.go
@@ -21,7 +21,7 @@ const (
 type SecondFactorAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	MFAType domain.SecondFactorType `json:"mfaType"`
+	MFAType domain.SecondFactorType `json:"mfaType,omitempty"`
 }

 func NewSecondFactorAddedEvent(
--- a/internal/v2/repository/policy/policy_login_identity_provider.go
+++ b/internal/v2/repository/policy/policy_login_identity_provider.go
@@ -17,8 +17,8 @@ const (
 type IdentityProviderAddedEvent struct {
 	eventstore.BaseEvent

-	IDPConfigID     string                      `json:"idpConfigId"`
-	IDPProviderType domain.IdentityProviderType `json:"idpProviderType"`
+	IDPConfigID     string                      `json:"idpConfigId,omitempty"`
+	IDPProviderType domain.IdentityProviderType `json:"idpProviderType,omitempty"`
 }

 func (e *IdentityProviderAddedEvent) Data() interface{} {
--- a/internal/v2/repository/policy/policy_org_iam.go
+++ b/internal/v2/repository/policy/policy_org_iam.go
@@ -15,7 +15,7 @@ const (
 type OrgIAMPolicyAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	UserLoginMustBeDomain bool `json:"userLoginMustBeDomain"`
+	UserLoginMustBeDomain bool `json:"userLoginMustBeDomain,omitempty"`
 }

 func (e *OrgIAMPolicyAddedEvent) Data() interface{} {
@@ -49,7 +49,7 @@ func OrgIAMPolicyAddedEventMapper(event *repository.Event) (eventstore.EventRead
 type OrgIAMPolicyChangedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	UserLoginMustBeDomain bool `json:"userLoginMustBeDomain"`
+	UserLoginMustBeDomain bool `json:"userLoginMustBeDomain,omitempty"`
 }

 func (e *OrgIAMPolicyChangedEvent) Data() interface{} {
--- a/internal/v2/repository/policy/policy_password_age.go
+++ b/internal/v2/repository/policy/policy_password_age.go
@@ -16,8 +16,8 @@ const (
 type PasswordAgePolicyAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	ExpireWarnDays uint64 `json:"expireWarnDays"`
-	MaxAgeDays     uint64 `json:"maxAgeDays"`
+	ExpireWarnDays uint64 `json:"expireWarnDays,omitempty"`
+	MaxAgeDays     uint64 `json:"maxAgeDays,omitempty"`
 }

 func (e *PasswordAgePolicyAddedEvent) Data() interface{} {
--- a/internal/v2/repository/policy/policy_password_complexity.go
+++ b/internal/v2/repository/policy/policy_password_complexity.go
@@ -17,10 +17,10 @@ type PasswordComplexityPolicyAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

 	MinLength    uint64 `json:"minLength,omitempty"`
-	HasLowercase bool   `json:"hasLowercase"`
-	HasUpperCase bool   `json:"hasUppercase"`
-	HasNumber    bool   `json:"hasNumber"`
-	HasSymbol    bool   `json:"hasSymbol"`
+	HasLowercase bool   `json:"hasLowercase,omitempty"`
+	HasUpperCase bool   `json:"hasUppercase,omitempty"`
+	HasNumber    bool   `json:"hasNumber,omitempty"`
+	HasSymbol    bool   `json:"hasSymbol,omitempty"`
 }

 func (e *PasswordComplexityPolicyAddedEvent) Data() interface{} {
@@ -61,11 +61,11 @@ func PasswordComplexityPolicyAddedEventMapper(event *repository.Event) (eventsto
 type PasswordComplexityPolicyChangedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	MinLength    uint64 `json:"minLength"`
-	HasLowercase bool   `json:"hasLowercase"`
-	HasUpperCase bool   `json:"hasUppercase"`
-	HasNumber    bool   `json:"hasNumber"`
-	HasSymbol    bool   `json:"hasSymbol"`
+	MinLength    uint64 `json:"minLength,omitempty"`
+	HasLowercase bool   `json:"hasLowercase,omitempty"`
+	HasUpperCase bool   `json:"hasUppercase,omitempty"`
+	HasNumber    bool   `json:"hasNumber,omitempty"`
+	HasSymbol    bool   `json:"hasSymbol,omitempty"`
 }

 func (e *PasswordComplexityPolicyChangedEvent) Data() interface{} {
--- a/internal/v2/repository/policy/policy_password_lockout.go
+++ b/internal/v2/repository/policy/policy_password_lockout.go
@@ -17,7 +17,7 @@ type PasswordLockoutPolicyAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

 	MaxAttempts         uint64 `json:"maxAttempts,omitempty"`
-	ShowLockOutFailures bool   `json:"showLockOutFailures"`
+	ShowLockOutFailures bool   `json:"showLockOutFailures,omitempty"`
 }

 func (e *PasswordLockoutPolicyAddedEvent) Data() interface{} {