fix: some backend bugs (#1438)

* fix: fix setup * fix oidc app change * fix: fix migration and proto * fix: fix granted projects * setup1 apis instead of apps * fix: add object detail with creation date * fix user phone change * add localizer to AddOIDCAppResponse * fix test * fix domain test * fix: converter Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2024-12-04 23:45:07 +00:00 · 2021-03-19 18:46:26 +01:00 · 2021-03-19 18:46:26 +01:00 · 6b1f7ba333
commit 6b1f7ba333
parent 24527bd354
58 changed files with 578 additions and 429 deletions
--- a/cmd/zitadel/setup.yaml
+++ b/cmd/zitadel/setup.yaml
@ -44,10 +44,11 @@ SetUp:
          Password: 'Password1!'
        Projects:
          - Name: 'Zitadel'
-            OIDCApps:
+            APIs:
              - Name: 'Management-API'
              - Name: 'Auth-API'
              - Name: 'Admin-API'
+            OIDCApps:
              - Name: 'Zitadel Console'
                RedirectUris:
                  - '$ZITADEL_CONSOLE/auth/callback'
--- a/internal/api/grpc/admin/iam_member.go
+++ b/internal/api/grpc/admin/iam_member.go
@ -33,7 +33,7 @@ func (s *Server) AddIAMMember(ctx context.Context, req *admin_pb.AddIAMMemberReq
 		return nil, err
 	}
 	return &admin_pb.AddIAMMemberResponse{
-		Details: object.ToDetailsPb(
+		Details: object.AddToDetailsPb(
 			member.Sequence,
 			member.ChangeDate,
 			member.ResourceOwner,
@ -47,7 +47,7 @@ func (s *Server) UpdateIAMMember(ctx context.Context, req *admin_pb.UpdateIAMMem
 		return nil, err
 	}
 	return &admin_pb.UpdateIAMMemberResponse{
-		Details: object.ToDetailsPb(
+		Details: object.ChangeToDetailsPb(
 			member.Sequence,
 			member.ChangeDate,
 			member.ResourceOwner,
@ -61,6 +61,6 @@ func (s *Server) RemoveIAMMember(ctx context.Context, req *admin_pb.RemoveIAMMem
 		return nil, err
 	}
 	return &admin_pb.RemoveIAMMemberResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }
--- a/internal/api/grpc/admin/idp.go
+++ b/internal/api/grpc/admin/idp.go
@ -34,7 +34,7 @@ func (s *Server) AddOIDCIDP(ctx context.Context, req *admin_pb.AddOIDCIDPRequest
 	}
 	return &admin_pb.AddOIDCIDPResponse{
 		IdpId: config.AggregateID,
-		Details: object_pb.ToDetailsPb(
+		Details: object_pb.AddToDetailsPb(
 			config.Sequence,
 			config.ChangeDate,
 			config.ResourceOwner,
@ -48,7 +48,7 @@ func (s *Server) UpdateIDP(ctx context.Context, req *admin_pb.UpdateIDPRequest)
 		return nil, err
 	}
 	return &admin_pb.UpdateIDPResponse{
-		Details: object_pb.ToDetailsPb(
+		Details: object_pb.ChangeToDetailsPb(
 			config.Sequence,
 			config.ChangeDate,
 			config.ResourceOwner,
@ -61,7 +61,7 @@ func (s *Server) DeactivateIDP(ctx context.Context, req *admin_pb.DeactivateIDPR
 	if err != nil {
 		return nil, err
 	}
-	return &admin_pb.DeactivateIDPResponse{Details: object_pb.DomainToDetailsPb(objectDetails)}, nil
+	return &admin_pb.DeactivateIDPResponse{Details: object_pb.DomainToChangeDetailsPb(objectDetails)}, nil
 }

 func (s *Server) ReactivateIDP(ctx context.Context, req *admin_pb.ReactivateIDPRequest) (*admin_pb.ReactivateIDPResponse, error) {
@ -69,7 +69,7 @@ func (s *Server) ReactivateIDP(ctx context.Context, req *admin_pb.ReactivateIDPR
 	if err != nil {
 		return nil, err
 	}
-	return &admin_pb.ReactivateIDPResponse{Details: object_pb.DomainToDetailsPb(objectDetails)}, nil
+	return &admin_pb.ReactivateIDPResponse{Details: object_pb.DomainToChangeDetailsPb(objectDetails)}, nil
 }

 func (s *Server) RemoveIDP(ctx context.Context, req *admin_pb.RemoveIDPRequest) (*admin_pb.RemoveIDPResponse, error) {
@ -85,7 +85,7 @@ func (s *Server) RemoveIDP(ctx context.Context, req *admin_pb.RemoveIDPRequest)
 	if err != nil {
 		return nil, err
 	}
-	return &admin_pb.RemoveIDPResponse{Details: object_pb.DomainToDetailsPb(objectDetails)}, nil
+	return &admin_pb.RemoveIDPResponse{Details: object_pb.DomainToChangeDetailsPb(objectDetails)}, nil
 }

 func (s *Server) UpdateIDPOIDCConfig(ctx context.Context, req *admin_pb.UpdateIDPOIDCConfigRequest) (*admin_pb.UpdateIDPOIDCConfigResponse, error) {
@ -94,7 +94,7 @@ func (s *Server) UpdateIDPOIDCConfig(ctx context.Context, req *admin_pb.UpdateID
 		return nil, err
 	}
 	return &admin_pb.UpdateIDPOIDCConfigResponse{
-		Details: object_pb.ToDetailsPb(
+		Details: object_pb.ChangeToDetailsPb(
 			config.Sequence,
 			config.ChangeDate,
 			config.ResourceOwner,
--- a/internal/api/grpc/admin/label_policy.go
+++ b/internal/api/grpc/admin/label_policy.go
@ -22,7 +22,7 @@ func (s *Server) UpdateLabelPolicy(ctx context.Context, req *admin_pb.UpdateLabe
 		return nil, err
 	}
 	return &admin_pb.UpdateLabelPolicyResponse{
-		Details: object.ToDetailsPb(
+		Details: object.ChangeToDetailsPb(
 			policy.Sequence,
 			policy.ChangeDate,
 			policy.ResourceOwner,
--- a/internal/api/grpc/admin/login_policy.go
+++ b/internal/api/grpc/admin/login_policy.go
@ -27,7 +27,7 @@ func (s *Server) UpdateLoginPolicy(ctx context.Context, p *admin_pb.UpdateLoginP
 		return nil, err
 	}
 	return &admin_pb.UpdateLoginPolicyResponse{
-		Details: object.ToDetailsPb(
+		Details: object.ChangeToDetailsPb(
 			policy.Sequence,
 			policy.ChangeDate,
 			policy.ResourceOwner,
@ -52,7 +52,7 @@ func (s *Server) AddIDPToLoginPolicy(ctx context.Context, req *admin_pb.AddIDPTo
 		return nil, err
 	}
 	return &admin_pb.AddIDPToLoginPolicyResponse{
-		Details: object.ToDetailsPb(
+		Details: object.AddToDetailsPb(
 			idp.Sequence,
 			idp.ChangeDate,
 			idp.ResourceOwner,
@ -70,7 +70,7 @@ func (s *Server) RemoveIDPFromLoginPolicy(ctx context.Context, req *admin_pb.Rem
 		return nil, err
 	}
 	return &admin_pb.RemoveIDPFromLoginPolicyResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -92,7 +92,7 @@ func (s *Server) AddSecondFactorToLoginPolicy(ctx context.Context, req *admin_pb
 		return nil, err
 	}
 	return &admin_pb.AddSecondFactorToLoginPolicyResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToAddDetailsPb(objectDetails),
 	}, nil
 }

@ -102,7 +102,7 @@ func (s *Server) RemoveSecondFactorFromLoginPolicy(ctx context.Context, req *adm
 		return nil, err
 	}
 	return &admin_pb.RemoveSecondFactorFromLoginPolicyResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -124,7 +124,7 @@ func (s *Server) AddMultiFactorToLoginPolicy(ctx context.Context, req *admin_pb.
 		return nil, err
 	}
 	return &admin_pb.AddMultiFactorToLoginPolicyResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToAddDetailsPb(objectDetails),
 	}, nil
 }

@ -134,6 +134,6 @@ func (s *Server) RemoveMultiFactorFromLoginPolicy(ctx context.Context, req *admi
 		return nil, err
 	}
 	return &admin_pb.RemoveMultiFactorFromLoginPolicyResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }
--- a/internal/api/grpc/admin/org.go
+++ b/internal/api/grpc/admin/org.go
@ -42,6 +42,6 @@ func (s *Server) SetUpOrg(ctx context.Context, req *admin_pb.SetUpOrgRequest) (*
 		return nil, err
 	}
 	return &admin_pb.SetUpOrgResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToAddDetailsPb(objectDetails),
 	}, nil
 }
--- a/internal/api/grpc/admin/org_iam_policy.go
+++ b/internal/api/grpc/admin/org_iam_policy.go
@ -32,7 +32,7 @@ func (s *Server) AddCustomOrgIAMPolicy(ctx context.Context, req *admin_pb.AddCus
 		return nil, err
 	}
 	return &admin_pb.AddCustomOrgIAMPolicyResponse{
-		Details: object.ToDetailsPb(
+		Details: object.AddToDetailsPb(
 			policy.Sequence,
 			policy.ChangeDate,
 			policy.ResourceOwner,
@ -46,7 +46,7 @@ func (s *Server) UpdateOrgIAMPolicy(ctx context.Context, req *admin_pb.UpdateOrg
 		return nil, err
 	}
 	return &admin_pb.UpdateOrgIAMPolicyResponse{
-		Details: object.ToDetailsPb(
+		Details: object.ChangeToDetailsPb(
 			config.Sequence,
 			config.ChangeDate,
 			config.ResourceOwner,
@ -60,7 +60,7 @@ func (s *Server) UpdateCustomOrgIAMPolicy(ctx context.Context, req *admin_pb.Upd
 		return nil, err
 	}
 	return &admin_pb.UpdateCustomOrgIAMPolicyResponse{
-		Details: object.ToDetailsPb(
+		Details: object.ChangeToDetailsPb(
 			config.Sequence,
 			config.ChangeDate,
 			config.ResourceOwner,
--- a/internal/api/grpc/admin/password_age.go
+++ b/internal/api/grpc/admin/password_age.go
@ -24,7 +24,7 @@ func (s *Server) UpdatePasswordAgePolicy(ctx context.Context, req *admin_pb.Upda
 		return nil, err
 	}
 	return &admin_pb.UpdatePasswordAgePolicyResponse{
-		Details: object.ToDetailsPb(
+		Details: object.ChangeToDetailsPb(
 			result.Sequence,
 			result.ChangeDate,
 			result.ResourceOwner,
--- a/internal/api/grpc/admin/password_complexity.go
+++ b/internal/api/grpc/admin/password_complexity.go
@ -22,7 +22,7 @@ func (s *Server) UpdatePasswordComplexityPolicy(ctx context.Context, req *admin_
 		return nil, err
 	}
 	return &admin_pb.UpdatePasswordComplexityPolicyResponse{
-		Details: object.ToDetailsPb(
+		Details: object.ChangeToDetailsPb(
 			result.Sequence,
 			result.ChangeDate,
 			result.ResourceOwner,
--- a/internal/api/grpc/admin/password_lockout.go
+++ b/internal/api/grpc/admin/password_lockout.go
@ -22,7 +22,7 @@ func (s *Server) UpdatePasswordLockoutPolicy(ctx context.Context, req *admin_pb.
 		return nil, err
 	}
 	return &admin_pb.UpdatePasswordLockoutPolicyResponse{
-		Details: object.ToDetailsPb(
+		Details: object.ChangeToDetailsPb(
 			policy.Sequence,
 			policy.ChangeDate,
 			policy.ResourceOwner,
--- a/internal/api/grpc/auth/email.go
+++ b/internal/api/grpc/auth/email.go
@ -31,7 +31,7 @@ func (s *Server) SetMyEmail(ctx context.Context, req *auth_pb.SetMyEmailRequest)
 		return nil, err
 	}
 	return &auth_pb.SetMyEmailResponse{
-		Details: object.ToDetailsPb(
+		Details: object.ChangeToDetailsPb(
 			email.Sequence,
 			email.ChangeDate,
 			email.ResourceOwner,
@ -46,7 +46,7 @@ func (s *Server) VerifyMyEmail(ctx context.Context, req *auth_pb.VerifyMyEmailRe
 		return nil, err
 	}
 	return &auth_pb.VerifyMyEmailResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -57,6 +57,6 @@ func (s *Server) ResendMyEmailVerification(ctx context.Context, _ *auth_pb.Resen
 		return nil, err
 	}
 	return &auth_pb.ResendMyEmailVerificationResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }
--- a/internal/api/grpc/auth/idp.go
+++ b/internal/api/grpc/auth/idp.go
@ -29,6 +29,6 @@ func (s *Server) RemoveMyLinkedIDP(ctx context.Context, req *auth_pb.RemoveMyLin
 		return nil, err
 	}
 	return &auth_pb.RemoveMyLinkedIDPResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }
--- a/internal/api/grpc/auth/multi_factor.go
+++ b/internal/api/grpc/auth/multi_factor.go
@ -29,7 +29,7 @@ func (s *Server) AddMyAuthFactorOTP(ctx context.Context, _ *auth_pb.AddMyAuthFac
 	return &auth_pb.AddMyAuthFactorOTPResponse{
 		Url:    otp.Url,
 		Secret: otp.SecretString,
-		Details: object.ToDetailsPb(
+		Details: object.AddToDetailsPb(
 			otp.Sequence,
 			otp.ChangeDate,
 			otp.ResourceOwner,
@ -44,7 +44,7 @@ func (s *Server) VerifyMyAuthFactorOTP(ctx context.Context, req *auth_pb.VerifyM
 		return nil, err
 	}
 	return &auth_pb.VerifyMyAuthFactorOTPResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -55,7 +55,7 @@ func (s *Server) RemoveMyAuthFactorOTP(ctx context.Context, _ *auth_pb.RemoveMyA
 		return nil, err
 	}
 	return &auth_pb.RemoveMyAuthFactorOTPResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -70,7 +70,7 @@ func (s *Server) AddMyAuthFactorU2F(ctx context.Context, _ *auth_pb.AddMyAuthFac
 			Id:        u2f.WebAuthNTokenID,
 			PublicKey: u2f.CredentialCreationData,
 		},
-		Details: object.ToDetailsPb(
+		Details: object.AddToDetailsPb(
 			u2f.Sequence,
 			u2f.ChangeDate,
 			u2f.ResourceOwner,
@ -85,7 +85,7 @@ func (s *Server) VerifyMyAuthFactorU2F(ctx context.Context, req *auth_pb.VerifyM
 		return nil, err
 	}
 	return &auth_pb.VerifyMyAuthFactorU2FResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -96,6 +96,6 @@ func (s *Server) RemoveMyAuthFactorU2F(ctx context.Context, req *auth_pb.RemoveM
 		return nil, err
 	}
 	return &auth_pb.RemoveMyAuthFactorU2FResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }
--- a/internal/api/grpc/auth/password.go
+++ b/internal/api/grpc/auth/password.go
@ -15,6 +15,6 @@ func (s *Server) UpdateMyPassword(ctx context.Context, req *auth_pb.UpdateMyPass
 		return nil, err
 	}
 	return &auth_pb.UpdateMyPasswordResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }
--- a/internal/api/grpc/auth/passwordless.go
+++ b/internal/api/grpc/auth/passwordless.go
@ -27,7 +27,7 @@ func (s *Server) AddMyPasswordless(ctx context.Context, _ *auth_pb.AddMyPassword
 	}
 	return &auth_pb.AddMyPasswordlessResponse{
 		Key: user_grpc.WebAuthNTokenToWebAuthNKeyPb(u2f),
-		Details: object.ToDetailsPb(
+		Details: object.AddToDetailsPb(
 			u2f.Sequence,
 			u2f.ChangeDate,
 			u2f.ResourceOwner,
@ -42,7 +42,7 @@ func (s *Server) VerifyMyPasswordless(ctx context.Context, req *auth_pb.VerifyMy
 		return nil, err
 	}
 	return &auth_pb.VerifyMyPasswordlessResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -53,6 +53,6 @@ func (s *Server) RemoveMyPasswordless(ctx context.Context, req *auth_pb.RemoveMy
 		return nil, err
 	}
 	return &auth_pb.RemoveMyPasswordlessResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }
--- a/internal/api/grpc/auth/phone.go
+++ b/internal/api/grpc/auth/phone.go
@ -26,12 +26,12 @@ func (s *Server) GetMyPhone(ctx context.Context, _ *auth_pb.GetMyPhoneRequest) (
 }

 func (s *Server) SetMyPhone(ctx context.Context, req *auth_pb.SetMyPhoneRequest) (*auth_pb.SetMyPhoneResponse, error) {
-	phone, err := s.command.ChangeHumanPhone(ctx, UpdateMyPhoneToDomain(ctx, req))
+	phone, err := s.command.ChangeHumanPhone(ctx, UpdateMyPhoneToDomain(ctx, req), authz.GetCtxData(ctx).ResourceOwner)
 	if err != nil {
 		return nil, err
 	}
 	return &auth_pb.SetMyPhoneResponse{
-		Details: object.ToDetailsPb(
+		Details: object.ChangeToDetailsPb(
 			phone.Sequence,
 			phone.ChangeDate,
 			phone.ResourceOwner,
@ -48,7 +48,7 @@ func (s *Server) VerifyMyPhone(ctx context.Context, req *auth_pb.VerifyMyPhoneRe

 	//TODO: response from business
 	return &auth_pb.VerifyMyPhoneResponse{
-		//Details: object.DomainToDetailsPb(objectDetails),
+		//Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -59,7 +59,7 @@ func (s *Server) ResendMyPhoneVerification(ctx context.Context, _ *auth_pb.Resen
 		return nil, err
 	}
 	return &auth_pb.ResendMyPhoneVerificationResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -70,6 +70,6 @@ func (s *Server) RemoveMyPhone(ctx context.Context, _ *auth_pb.RemoveMyPhoneRequ
 		return nil, err
 	}
 	return &auth_pb.RemoveMyPhoneResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }
--- a/internal/api/grpc/auth/profile.go
+++ b/internal/api/grpc/auth/profile.go
@ -30,7 +30,7 @@ func (s *Server) UpdateMyProfile(ctx context.Context, req *auth_pb.UpdateMyProfi
 		return nil, err
 	}
 	return &auth_pb.UpdateMyProfileResponse{
-		Details: object_grpc.ToDetailsPb(
+		Details: object_grpc.ChangeToDetailsPb(
 			profile.Sequence,
 			profile.ChangeDate,
 			profile.ResourceOwner,
--- a/internal/api/grpc/auth/user.go
+++ b/internal/api/grpc/auth/user.go
@ -50,7 +50,7 @@ func (s *Server) UpdateMyUserName(ctx context.Context, req *auth_pb.UpdateMyUser
 		return nil, err
 	}
 	return &auth_pb.UpdateMyUserNameResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

--- a/internal/api/grpc/idp/converter.go
+++ b/internal/api/grpc/idp/converter.go
@ -232,6 +232,17 @@ func IDPProviderTypeFromPb(typ idp_pb.IDPOwnerType) domain.IdentityProviderType
 	}
 }

+func IDPProviderTypeModelFromPb(typ idp_pb.IDPOwnerType) iam_model.IDPProviderType {
+	switch typ {
+	case idp_pb.IDPOwnerType_IDP_OWNER_TYPE_ORG:
+		return iam_model.IDPProviderTypeOrg
+	case idp_pb.IDPOwnerType_IDP_OWNER_TYPE_SYSTEM:
+		return iam_model.IDPProviderTypeSystem
+	default:
+		return iam_model.IDPProviderTypeOrg
+	}
+}
+
 func IDPIDQueryToModel(query *idp_pb.IDPIDQuery) *iam_model.IDPConfigSearchQuery {
 	return &iam_model.IDPConfigSearchQuery{
 		Key:    iam_model.IDPConfigSearchKeyIdpConfigID, //TODO: whats the difference between idpconfigid and aggregateid search key?
@ -247,3 +258,11 @@ func IDPNameQueryToModel(query *idp_pb.IDPNameQuery) *iam_model.IDPConfigSearchQ
 		Value:  query.Name,
 	}
 }
+
+func IDPOwnerTypeQueryToModel(query *idp_pb.IDPOwnerTypeQuery) *iam_model.IDPConfigSearchQuery {
+	return &iam_model.IDPConfigSearchQuery{
+		Key:    iam_model.IDPConfigSearchKeyName,
+		Method: domain.SearchMethodEquals,
+		Value:  IDPProviderTypeModelFromPb(query.OwnerType),
+	}
+}
--- a/internal/api/grpc/management/idp.go
+++ b/internal/api/grpc/management/idp.go
@ -36,7 +36,7 @@ func (s *Server) AddOrgOIDCIDP(ctx context.Context, req *mgmt_pb.AddOrgOIDCIDPRe
 	}
 	return &mgmt_pb.AddOrgOIDCIDPResponse{
 		IdpId: config.AggregateID,
-		Details: object_pb.ToDetailsPb(
+		Details: object_pb.AddToDetailsPb(
 			config.Sequence,
 			config.ChangeDate,
 			config.ResourceOwner,
@ -48,14 +48,14 @@ func (s *Server) DeactivateOrgIDP(ctx context.Context, req *mgmt_pb.DeactivateOr
 	if err != nil {
 		return nil, err
 	}
-	return &mgmt_pb.DeactivateOrgIDPResponse{Details: object_pb.DomainToDetailsPb(objectDetails)}, nil
+	return &mgmt_pb.DeactivateOrgIDPResponse{Details: object_pb.DomainToChangeDetailsPb(objectDetails)}, nil
 }
 func (s *Server) ReactivateOrgIDP(ctx context.Context, req *mgmt_pb.ReactivateOrgIDPRequest) (*mgmt_pb.ReactivateOrgIDPResponse, error) {
 	objectDetails, err := s.command.ReactivateDefaultIDPConfig(ctx, req.IdpId)
 	if err != nil {
 		return nil, err
 	}
-	return &mgmt_pb.ReactivateOrgIDPResponse{Details: object_pb.DomainToDetailsPb(objectDetails)}, nil
+	return &mgmt_pb.ReactivateOrgIDPResponse{Details: object_pb.DomainToChangeDetailsPb(objectDetails)}, nil
 }
 func (s *Server) RemoveOrgIDP(ctx context.Context, req *mgmt_pb.RemoveOrgIDPRequest) (*mgmt_pb.RemoveOrgIDPResponse, error) {
 	idpProviders, err := s.org.GetIDPProvidersByIDPConfigID(ctx, authz.GetCtxData(ctx).OrgID, req.IdpId)
@ -78,7 +78,7 @@ func (s *Server) UpdateOrgIDP(ctx context.Context, req *mgmt_pb.UpdateOrgIDPRequ
 		return nil, err
 	}
 	return &mgmt_pb.UpdateOrgIDPResponse{
-		Details: object_pb.ToDetailsPb(
+		Details: object_pb.ChangeToDetailsPb(
 			config.Sequence,
 			config.ChangeDate,
 			config.ResourceOwner,
--- a/internal/api/grpc/management/idp_converter.go
+++ b/internal/api/grpc/management/idp_converter.go
@ -76,6 +76,8 @@ func idpQueryToModel(query *mgmt_pb.IDPQuery) *iam_model.IDPConfigSearchQuery {
 		return idp_grpc.IDPNameQueryToModel(q.IdpNameQuery)
 	case *mgmt_pb.IDPQuery_IdpIdQuery:
 		return idp_grpc.IDPIDQueryToModel(q.IdpIdQuery)
+	case *mgmt_pb.IDPQuery_OwnerTypeQuery:
+		return idp_grpc.IDPOwnerTypeQueryToModel(q.OwnerTypeQuery)
 	default:
 		return nil
 	}
--- a/internal/api/grpc/management/org.go
+++ b/internal/api/grpc/management/org.go
@ -50,7 +50,7 @@ func (s *Server) AddOrg(ctx context.Context, req *mgmt_pb.AddOrgRequest) (*mgmt_
 	}
 	return &mgmt_pb.AddOrgResponse{
 		Id: org.AggregateID,
-		Details: object.ToDetailsPb(
+		Details: object.AddToDetailsPb(
 			org.Sequence,
 			org.ChangeDate,
 			org.ResourceOwner,
@ -64,7 +64,7 @@ func (s *Server) DeactivateOrg(ctx context.Context, req *mgmt_pb.DeactivateOrgRe
 		return nil, err
 	}
 	return &mgmt_pb.DeactivateOrgResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -74,7 +74,7 @@ func (s *Server) ReactivateOrg(ctx context.Context, req *mgmt_pb.ReactivateOrgRe
 		return nil, err
 	}
 	return &mgmt_pb.ReactivateOrgResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, err
 }

@ -113,7 +113,7 @@ func (s *Server) AddOrgDomain(ctx context.Context, req *mgmt_pb.AddOrgDomainRequ
 		return nil, err
 	}
 	return &mgmt_pb.AddOrgDomainResponse{
-		Details: object.ToDetailsPb(
+		Details: object.AddToDetailsPb(
 			domain.Sequence,
 			domain.ChangeDate,
 			domain.ResourceOwner,
@ -127,7 +127,7 @@ func (s *Server) RemoveOrgDomain(ctx context.Context, req *mgmt_pb.RemoveOrgDoma
 		return nil, err
 	}
 	return &mgmt_pb.RemoveOrgDomainResponse{
-		Details: object.DomainToDetailsPb(details),
+		Details: object.DomainToChangeDetailsPb(details),
 	}, err
 }

@ -159,7 +159,7 @@ func (s *Server) ValidateOrgDomain(ctx context.Context, req *mgmt_pb.ValidateOrg
 		return nil, err
 	}
 	return &mgmt_pb.ValidateOrgDomainResponse{
-		Details: object.DomainToDetailsPb(details),
+		Details: object.DomainToChangeDetailsPb(details),
 	}, nil
 }

@ -169,7 +169,7 @@ func (s *Server) SetPrimaryOrgDomain(ctx context.Context, req *mgmt_pb.SetPrimar
 		return nil, err
 	}
 	return &mgmt_pb.SetPrimaryOrgDomainResponse{
-		Details: object.DomainToDetailsPb(details),
+		Details: object.DomainToChangeDetailsPb(details),
 	}, nil
 }

@ -217,7 +217,7 @@ func (s *Server) AddOrgMember(ctx context.Context, req *mgmt_pb.AddOrgMemberRequ
 		return nil, err
 	}
 	return &mgmt_pb.AddOrgMemberResponse{
-		Details: object.ToDetailsPb(
+		Details: object.AddToDetailsPb(
 			addedMember.Sequence,
 			addedMember.ChangeDate,
 			addedMember.ResourceOwner,
@ -231,7 +231,7 @@ func (s *Server) UpdateOrgMember(ctx context.Context, req *mgmt_pb.UpdateOrgMemb
 		return nil, err
 	}
 	return &mgmt_pb.UpdateOrgMemberResponse{
-		Details: object.ToDetailsPb(
+		Details: object.ChangeToDetailsPb(
 			changedMember.Sequence,
 			changedMember.ChangeDate,
 			changedMember.ResourceOwner,
@ -245,6 +245,6 @@ func (s *Server) RemoveOrgMember(ctx context.Context, req *mgmt_pb.RemoveOrgMemb
 		return nil, err
 	}
 	return &mgmt_pb.RemoveOrgMemberResponse{
-		Details: object.DomainToDetailsPb(details),
+		Details: object.DomainToChangeDetailsPb(details),
 	}, nil
 }
--- a/internal/api/grpc/management/policy_login.go
+++ b/internal/api/grpc/management/policy_login.go
@ -35,7 +35,7 @@ func (s *Server) AddCustomLoginPolicy(ctx context.Context, req *mgmt_pb.AddCusto
 		return nil, err
 	}
 	return &mgmt_pb.AddCustomLoginPolicyResponse{
-		Details: object.ToDetailsPb(
+		Details: object.AddToDetailsPb(
 			policy.Sequence,
 			policy.ChangeDate,
 			policy.ResourceOwner,
@ -49,7 +49,7 @@ func (s *Server) UpdateCustomLoginPolicy(ctx context.Context, req *mgmt_pb.Updat
 		return nil, err
 	}
 	return &mgmt_pb.UpdateCustomLoginPolicyResponse{
-		Details: object.ToDetailsPb(
+		Details: object.ChangeToDetailsPb(
 			policy.Sequence,
 			policy.ChangeDate,
 			policy.ResourceOwner,
@ -63,7 +63,7 @@ func (s *Server) ResetLoginPolicyToDefault(ctx context.Context, req *mgmt_pb.Res
 		return nil, err
 	}
 	return &mgmt_pb.ResetLoginPolicyToDefaultResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -84,7 +84,7 @@ func (s *Server) AddIDPToLoginPolicy(ctx context.Context, req *mgmt_pb.AddIDPToL
 		return nil, err
 	}
 	return &mgmt_pb.AddIDPToLoginPolicyResponse{
-		Details: object.ToDetailsPb(
+		Details: object.AddToDetailsPb(
 			idp.Sequence,
 			idp.ChangeDate,
 			idp.ResourceOwner,
@ -102,7 +102,7 @@ func (s *Server) RemoveIDPFromLoginPolicy(ctx context.Context, req *mgmt_pb.Remo
 		return nil, err
 	}
 	return &mgmt_pb.RemoveIDPFromLoginPolicyResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -124,7 +124,7 @@ func (s *Server) AddSecondFactorToLoginPolicy(ctx context.Context, req *mgmt_pb.
 		return nil, err
 	}
 	return &mgmt_pb.AddSecondFactorToLoginPolicyResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToAddDetailsPb(objectDetails),
 	}, nil
 }

@ -134,7 +134,7 @@ func (s *Server) RemoveSecondFactorFromLoginPolicy(ctx context.Context, req *mgm
 		return nil, err
 	}
 	return &mgmt_pb.RemoveSecondFactorFromLoginPolicyResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -156,7 +156,7 @@ func (s *Server) AddMultiFactorToLoginPolicy(ctx context.Context, req *mgmt_pb.A
 		return nil, err
 	}
 	return &mgmt_pb.AddMultiFactorToLoginPolicyResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToAddDetailsPb(objectDetails),
 	}, nil
 }

@ -166,6 +166,6 @@ func (s *Server) RemoveMultiFactorFromLoginPolicy(ctx context.Context, req *mgmt
 		return nil, err
 	}
 	return &mgmt_pb.RemoveMultiFactorFromLoginPolicyResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }
--- a/internal/api/grpc/management/policy_password_age.go
+++ b/internal/api/grpc/management/policy_password_age.go
@ -34,7 +34,7 @@ func (s *Server) AddCustomPasswordAgePolicy(ctx context.Context, req *mgmt_pb.Ad
 		return nil, err
 	}
 	return &mgmt_pb.AddCustomPasswordAgePolicyResponse{
-		Details: object.ToDetailsPb(
+		Details: object.AddToDetailsPb(
 			result.Sequence,
 			result.ChangeDate,
 			result.ResourceOwner,
@ -48,7 +48,7 @@ func (s *Server) UpdateCustomPasswordAgePolicy(ctx context.Context, req *mgmt_pb
 		return nil, err
 	}
 	return &mgmt_pb.UpdateCustomPasswordAgePolicyResponse{
-		Details: object.ToDetailsPb(
+		Details: object.ChangeToDetailsPb(
 			result.Sequence,
 			result.ChangeDate,
 			result.ResourceOwner,
@ -62,6 +62,6 @@ func (s *Server) ResetPasswordAgePolicyToDefault(ctx context.Context, req *mgmt_
 		return nil, err
 	}
 	return &mgmt_pb.ResetPasswordAgePolicyToDefaultResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }
--- a/internal/api/grpc/management/policy_password_complexity.go
+++ b/internal/api/grpc/management/policy_password_complexity.go
@ -30,7 +30,7 @@ func (s *Server) AddCustomPasswordComplexityPolicy(ctx context.Context, req *mgm
 		return nil, err
 	}
 	return &mgmt_pb.AddCustomPasswordComplexityPolicyResponse{
-		Details: object.ToDetailsPb(
+		Details: object.AddToDetailsPb(
 			result.Sequence,
 			result.ChangeDate,
 			result.ResourceOwner,
@ -44,7 +44,7 @@ func (s *Server) UpdateCustomPasswordComplexityPolicy(ctx context.Context, req *
 		return nil, err
 	}
 	return &mgmt_pb.UpdateCustomPasswordComplexityPolicyResponse{
-		Details: object.ToDetailsPb(
+		Details: object.ChangeToDetailsPb(
 			result.Sequence,
 			result.ChangeDate,
 			result.ResourceOwner,
@ -58,6 +58,6 @@ func (s *Server) ResetPasswordComplexityPolicyToDefault(ctx context.Context, req
 		return nil, err
 	}
 	return &mgmt_pb.ResetPasswordComplexityPolicyToDefaultResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }
--- a/internal/api/grpc/management/policy_password_lockout.go
+++ b/internal/api/grpc/management/policy_password_lockout.go
@ -30,7 +30,7 @@ func (s *Server) AddCustomPasswordLockoutPolicy(ctx context.Context, req *mgmt_p
 		return nil, err
 	}
 	return &mgmt_pb.AddCustomPasswordLockoutPolicyResponse{
-		Details: object.ToDetailsPb(
+		Details: object.AddToDetailsPb(
 			policy.Sequence,
 			policy.ChangeDate,
 			policy.ResourceOwner,
@ -44,7 +44,7 @@ func (s *Server) UpdateCustomPasswordLockoutPolicy(ctx context.Context, req *mgm
 		return nil, err
 	}
 	return &mgmt_pb.UpdateCustomPasswordLockoutPolicyResponse{
-		Details: object.ToDetailsPb(
+		Details: object.ChangeToDetailsPb(
 			policy.Sequence,
 			policy.ChangeDate,
 			policy.ResourceOwner,
@ -58,6 +58,6 @@ func (s *Server) ResetPasswordLockoutPolicyToDefault(ctx context.Context, req *m
 		return nil, err
 	}
 	return &mgmt_pb.ResetPasswordLockoutPolicyToDefaultResponse{
-		Details: object.DomainToDetailsPb(objectDetails),
+		Details: object.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }
--- a/internal/api/grpc/management/project.go
+++ b/internal/api/grpc/management/project.go
@ -56,7 +56,7 @@ func (s *Server) ListGrantedProjects(ctx context.Context, req *mgmt_pb.ListGrant
 	if err != nil {
 		return nil, err
 	}
-	queries.AppendMyResourceOwnerQuery(authz.GetCtxData(ctx).OrgID)
+	queries.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)
 	projects, err := s.project.SearchGrantedProjects(ctx, queries)
 	if err != nil {
 		return nil, err
@ -90,7 +90,7 @@ func (s *Server) AddProject(ctx context.Context, req *mgmt_pb.AddProjectRequest)
 	}
 	return &mgmt_pb.AddProjectResponse{
 		Id: project.AggregateID,
-		Details: object_grpc.ToDetailsPb(
+		Details: object_grpc.AddToDetailsPb(
 			project.Sequence,
 			project.ChangeDate,
 			project.ResourceOwner,
@ -104,7 +104,7 @@ func (s *Server) UpdateProject(ctx context.Context, req *mgmt_pb.UpdateProjectRe
 		return nil, err
 	}
 	return &mgmt_pb.UpdateProjectResponse{
-		Details: object_grpc.ToDetailsPb(
+		Details: object_grpc.ChangeToDetailsPb(
 			project.Sequence,
 			project.ChangeDate,
 			project.ResourceOwner,
@ -118,7 +118,7 @@ func (s *Server) DeactivateProject(ctx context.Context, req *mgmt_pb.DeactivateP
 		return nil, err
 	}
 	return &mgmt_pb.DeactivateProjectResponse{
-		Details: object_grpc.DomainToDetailsPb(details),
+		Details: object_grpc.DomainToChangeDetailsPb(details),
 	}, nil
 }

@ -128,7 +128,7 @@ func (s *Server) ReactivateProject(ctx context.Context, req *mgmt_pb.ReactivateP
 		return nil, err
 	}
 	return &mgmt_pb.ReactivateProjectResponse{
-		Details: object_grpc.DomainToDetailsPb(details),
+		Details: object_grpc.DomainToChangeDetailsPb(details),
 	}, nil
 }

@ -142,7 +142,7 @@ func (s *Server) RemoveProject(ctx context.Context, req *mgmt_pb.RemoveProjectRe
 		return nil, err
 	}
 	return &mgmt_pb.RemoveProjectResponse{
-		Details: object_grpc.DomainToDetailsPb(details),
+		Details: object_grpc.DomainToChangeDetailsPb(details),
 	}, nil
 }

@ -172,7 +172,7 @@ func (s *Server) AddProjectRole(ctx context.Context, req *mgmt_pb.AddProjectRole
 		return nil, err
 	}
 	return &mgmt_pb.AddProjectRoleResponse{
-		Details: object_grpc.ToDetailsPb(
+		Details: object_grpc.AddToDetailsPb(
 			role.Sequence,
 			role.ChangeDate,
 			role.ResourceOwner,
@ -186,7 +186,7 @@ func (s *Server) BulkAddProjectRoles(ctx context.Context, req *mgmt_pb.BulkAddPr
 		return nil, err
 	}
 	return &mgmt_pb.BulkAddProjectRolesResponse{
-		Details: object_grpc.DomainToDetailsPb(details),
+		Details: object_grpc.DomainToAddDetailsPb(details),
 	}, nil
 }

@ -196,7 +196,7 @@ func (s *Server) UpdateProjectRole(ctx context.Context, req *mgmt_pb.UpdateProje
 		return nil, err
 	}
 	return &mgmt_pb.UpdateProjectRoleResponse{
-		Details: object_grpc.ToDetailsPb(
+		Details: object_grpc.ChangeToDetailsPb(
 			role.Sequence,
 			role.ChangeDate,
 			role.ResourceOwner,
@ -218,7 +218,7 @@ func (s *Server) RemoveProjectRole(ctx context.Context, req *mgmt_pb.RemoveProje
 		return nil, err
 	}
 	return &mgmt_pb.RemoveProjectRoleResponse{
-		Details: object_grpc.DomainToDetailsPb(details),
+		Details: object_grpc.DomainToChangeDetailsPb(details),
 	}, nil
 }

@ -256,7 +256,7 @@ func (s *Server) AddProjectMember(ctx context.Context, req *mgmt_pb.AddProjectMe
 		return nil, err
 	}
 	return &mgmt_pb.AddProjectMemberResponse{
-		Details: object_grpc.ToDetailsPb(
+		Details: object_grpc.AddToDetailsPb(
 			member.Sequence,
 			member.ChangeDate,
 			member.ResourceOwner,
@ -270,7 +270,7 @@ func (s *Server) UpdateProjectMember(ctx context.Context, req *mgmt_pb.UpdatePro
 		return nil, err
 	}
 	return &mgmt_pb.UpdateProjectMemberResponse{
-		Details: object_grpc.ToDetailsPb(
+		Details: object_grpc.ChangeToDetailsPb(
 			member.Sequence,
 			member.ChangeDate,
 			member.ResourceOwner,
@ -284,6 +284,6 @@ func (s *Server) RemoveProjectMember(ctx context.Context, req *mgmt_pb.RemovePro
 		return nil, err
 	}
 	return &mgmt_pb.RemoveProjectMemberResponse{
-		Details: object_grpc.DomainToDetailsPb(details),
+		Details: object_grpc.DomainToChangeDetailsPb(details),
 	}, nil
 }
--- a/internal/api/grpc/management/project_application.go
+++ b/internal/api/grpc/management/project_application.go
@ -58,7 +58,7 @@ func (s *Server) AddOIDCApp(ctx context.Context, req *mgmt_pb.AddOIDCAppRequest)
 	}
 	return &mgmt_pb.AddOIDCAppResponse{
 		AppId:              app.AppID,
-		Details:            object_grpc.ToDetailsPb(app.Sequence, app.ChangeDate, app.ResourceOwner),
+		Details:            object_grpc.AddToDetailsPb(app.Sequence, app.ChangeDate, app.ResourceOwner),
 		ClientId:           app.ClientID,
 		ClientSecret:       app.ClientSecretString,
 		NoneCompliant:      app.Compliance.NoneCompliant,
@ -73,7 +73,7 @@ func (s *Server) AddAPIApp(ctx context.Context, req *mgmt_pb.AddAPIAppRequest) (
 	}
 	return &mgmt_pb.AddAPIAppResponse{
 		AppId:        app.AppID,
-		Details:      object_grpc.ToDetailsPb(app.Sequence, app.ChangeDate, app.ResourceOwner),
+		Details:      object_grpc.AddToDetailsPb(app.Sequence, app.ChangeDate, app.ResourceOwner),
 		ClientId:     app.ClientID,
 		ClientSecret: app.ClientSecretString,
 	}, nil
@ -85,7 +85,7 @@ func (s *Server) UpdateApp(ctx context.Context, req *mgmt_pb.UpdateAppRequest) (
 		return nil, err
 	}
 	return &mgmt_pb.UpdateAppResponse{
-		Details: object_grpc.DomainToDetailsPb(details),
+		Details: object_grpc.DomainToChangeDetailsPb(details),
 	}, nil
 }

@ -95,7 +95,7 @@ func (s *Server) UpdateOIDCAppConfig(ctx context.Context, req *mgmt_pb.UpdateOID
 		return nil, err
 	}
 	return &mgmt_pb.UpdateOIDCAppConfigResponse{
-		Details: object_grpc.ToDetailsPb(
+		Details: object_grpc.ChangeToDetailsPb(
 			config.Sequence,
 			config.ChangeDate,
 			config.ResourceOwner,
@ -109,7 +109,7 @@ func (s *Server) UpdateAPIAppConfig(ctx context.Context, req *mgmt_pb.UpdateAPIA
 		return nil, err
 	}
 	return &mgmt_pb.UpdateAPIAppConfigResponse{
-		Details: object_grpc.ToDetailsPb(
+		Details: object_grpc.ChangeToDetailsPb(
 			config.Sequence,
 			config.ChangeDate,
 			config.ResourceOwner,
@ -123,7 +123,7 @@ func (s *Server) DeactivateApp(ctx context.Context, req *mgmt_pb.DeactivateAppRe
 		return nil, err
 	}
 	return &mgmt_pb.DeactivateAppResponse{
-		Details: object_grpc.DomainToDetailsPb(details),
+		Details: object_grpc.DomainToChangeDetailsPb(details),
 	}, nil
 }

@ -133,7 +133,7 @@ func (s *Server) ReactivateApp(ctx context.Context, req *mgmt_pb.ReactivateAppRe
 		return nil, err
 	}
 	return &mgmt_pb.ReactivateAppResponse{
-		Details: object_grpc.DomainToDetailsPb(details),
+		Details: object_grpc.DomainToChangeDetailsPb(details),
 	}, nil
 }

@ -143,7 +143,7 @@ func (s *Server) RemoveApp(ctx context.Context, req *mgmt_pb.RemoveAppRequest) (
 		return nil, err
 	}
 	return &mgmt_pb.RemoveAppResponse{
-		Details: object_grpc.DomainToDetailsPb(details),
+		Details: object_grpc.DomainToChangeDetailsPb(details),
 	}, nil
 }

@ -154,7 +154,7 @@ func (s *Server) RegenerateOIDCClientSecret(ctx context.Context, req *mgmt_pb.Re
 	}
 	return &mgmt_pb.RegenerateOIDCClientSecretResponse{
 		ClientSecret: config.ClientSecretString,
-		Details: object_grpc.ToDetailsPb(
+		Details: object_grpc.ChangeToDetailsPb(
 			config.Sequence,
 			config.ChangeDate,
 			config.ResourceOwner,
@ -169,7 +169,7 @@ func (s *Server) RegenerateAPIClientSecret(ctx context.Context, req *mgmt_pb.Reg
 	}
 	return &mgmt_pb.RegenerateAPIClientSecretResponse{
 		ClientSecret: config.ClientSecretString,
-		Details: object_grpc.ToDetailsPb(
+		Details: object_grpc.ChangeToDetailsPb(
 			config.Sequence,
 			config.ChangeDate,
 			config.ResourceOwner,
@ -217,7 +217,7 @@ func (s *Server) AddAppKey(ctx context.Context, req *mgmt_pb.AddAppKeyRequest) (
 	}
 	return &mgmt_pb.AddAppKeyResponse{
 		Id:         key.KeyID,
-		Details:    object_grpc.ToDetailsPb(key.Sequence, key.ChangeDate, key.ResourceOwner),
+		Details:    object_grpc.AddToDetailsPb(key.Sequence, key.ChangeDate, key.ResourceOwner),
 		KeyDetails: keyDetails,
 	}, nil
 }
@ -228,6 +228,6 @@ func (s *Server) RemoveAppKey(ctx context.Context, req *mgmt_pb.RemoveAppKeyRequ
 		return nil, err
 	}
 	return &mgmt_pb.RemoveAppKeyResponse{
-		Details: object_grpc.DomainToDetailsPb(details),
+		Details: object_grpc.DomainToChangeDetailsPb(details),
 	}, nil
 }
--- a/internal/api/grpc/management/project_grant.go
+++ b/internal/api/grpc/management/project_grant.go
@ -47,7 +47,7 @@ func (s *Server) AddProjectGrant(ctx context.Context, req *mgmt_pb.AddProjectGra
 	}
 	return &mgmt_pb.AddProjectGrantResponse{
 		GrantId: grant.GrantID,
-		Details: object_grpc.ToDetailsPb(
+		Details: object_grpc.AddToDetailsPb(
 			grant.Sequence,
 			grant.ChangeDate,
 			grant.ResourceOwner,
@ -65,7 +65,7 @@ func (s *Server) UpdateProjectGrant(ctx context.Context, req *mgmt_pb.UpdateProj
 		return nil, err
 	}
 	return &mgmt_pb.UpdateProjectGrantResponse{
-		Details: object_grpc.ToDetailsPb(
+		Details: object_grpc.ChangeToDetailsPb(
 			grant.Sequence,
 			grant.ChangeDate,
 			grant.ResourceOwner,
@ -79,7 +79,7 @@ func (s *Server) DeactivateProjectGrant(ctx context.Context, req *mgmt_pb.Deacti
 		return nil, err
 	}
 	return &mgmt_pb.DeactivateProjectGrantResponse{
-		Details: object_grpc.DomainToDetailsPb(details),
+		Details: object_grpc.DomainToChangeDetailsPb(details),
 	}, nil
 }

@ -89,7 +89,7 @@ func (s *Server) ReactivateProjectGrant(ctx context.Context, req *mgmt_pb.Reacti
 		return nil, err
 	}
 	return &mgmt_pb.ReactivateProjectGrantResponse{
-		Details: object_grpc.DomainToDetailsPb(details),
+		Details: object_grpc.DomainToChangeDetailsPb(details),
 	}, nil
 }

@ -99,7 +99,7 @@ func (s *Server) RemoveProjectGrant(ctx context.Context, req *mgmt_pb.RemoveProj
 		return nil, err
 	}
 	return &mgmt_pb.RemoveProjectGrantResponse{
-		Details: object_grpc.DomainToDetailsPb(details),
+		Details: object_grpc.DomainToChangeDetailsPb(details),
 	}, nil
 }

@ -132,7 +132,7 @@ func (s *Server) AddProjectGrantMember(ctx context.Context, req *mgmt_pb.AddProj
 		return nil, err
 	}
 	return &mgmt_pb.AddProjectGrantMemberResponse{
-		Details: object_grpc.ToDetailsPb(
+		Details: object_grpc.AddToDetailsPb(
 			member.Sequence,
 			member.ChangeDate,
 			member.ResourceOwner,
@ -146,7 +146,7 @@ func (s *Server) UpdateProjectGrantMember(ctx context.Context, req *mgmt_pb.Upda
 		return nil, err
 	}
 	return &mgmt_pb.UpdateProjectGrantMemberResponse{
-		Details: object_grpc.ToDetailsPb(
+		Details: object_grpc.ChangeToDetailsPb(
 			member.Sequence,
 			member.ChangeDate,
 			member.ResourceOwner,
@ -160,6 +160,6 @@ func (s *Server) RemoveProjectGrantMember(ctx context.Context, req *mgmt_pb.Remo
 		return nil, err
 	}
 	return &mgmt_pb.RemoveProjectGrantMemberResponse{
-		Details: object_grpc.DomainToDetailsPb(details),
+		Details: object_grpc.DomainToChangeDetailsPb(details),
 	}, nil
 }
--- a/internal/api/grpc/management/user.go
+++ b/internal/api/grpc/management/user.go
@ -79,7 +79,7 @@ func (s *Server) AddHumanUser(ctx context.Context, req *mgmt_pb.AddHumanUserRequ
 	}
 	return &mgmt_pb.AddHumanUserResponse{
 		UserId: human.AggregateID,
-		Details: obj_grpc.ToDetailsPb(
+		Details: obj_grpc.AddToDetailsPb(
 			human.Sequence,
 			human.ChangeDate,
 			human.ResourceOwner,
@ -94,7 +94,7 @@ func (s *Server) AddMachineUser(ctx context.Context, req *mgmt_pb.AddMachineUser
 	}
 	return &mgmt_pb.AddMachineUserResponse{
 		UserId: machine.AggregateID,
-		Details: obj_grpc.ToDetailsPb(
+		Details: obj_grpc.AddToDetailsPb(
 			machine.Sequence,
 			machine.ChangeDate,
 			machine.ResourceOwner,
@ -108,7 +108,7 @@ func (s *Server) DeactivateUser(ctx context.Context, req *mgmt_pb.DeactivateUser
 		return nil, err
 	}
 	return &mgmt_pb.DeactivateUserResponse{
-		Details: obj_grpc.DomainToDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -118,7 +118,7 @@ func (s *Server) ReactivateUser(ctx context.Context, req *mgmt_pb.ReactivateUser
 		return nil, err
 	}
 	return &mgmt_pb.ReactivateUserResponse{
-		Details: obj_grpc.DomainToDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -128,7 +128,7 @@ func (s *Server) LockUser(ctx context.Context, req *mgmt_pb.LockUserRequest) (*m
 		return nil, err
 	}
 	return &mgmt_pb.LockUserResponse{
-		Details: obj_grpc.DomainToDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -138,7 +138,7 @@ func (s *Server) UnlockUser(ctx context.Context, req *mgmt_pb.UnlockUserRequest)
 		return nil, err
 	}
 	return &mgmt_pb.UnlockUserResponse{
-		Details: obj_grpc.DomainToDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -152,7 +152,7 @@ func (s *Server) RemoveUser(ctx context.Context, req *mgmt_pb.RemoveUserRequest)
 		return nil, err
 	}
 	return &mgmt_pb.RemoveUserResponse{
-		Details: obj_grpc.DomainToDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -170,7 +170,7 @@ func (s *Server) UpdateUserName(ctx context.Context, req *mgmt_pb.UpdateUserName
 		return nil, err
 	}
 	return &mgmt_pb.UpdateUserNameResponse{
-		Details: obj_grpc.DomainToDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -196,7 +196,7 @@ func (s *Server) UpdateHumanProfile(ctx context.Context, req *mgmt_pb.UpdateHuma
 		return nil, err
 	}
 	return &mgmt_pb.UpdateHumanProfileResponse{
-		Details: obj_grpc.ToDetailsPb(
+		Details: obj_grpc.ChangeToDetailsPb(
 			profile.Sequence,
 			profile.ChangeDate,
 			profile.ResourceOwner,
@ -226,7 +226,7 @@ func (s *Server) UpdateHumanEmail(ctx context.Context, req *mgmt_pb.UpdateHumanE
 		return nil, err
 	}
 	return &mgmt_pb.UpdateHumanEmailResponse{
-		Details: obj_grpc.ToDetailsPb(
+		Details: obj_grpc.ChangeToDetailsPb(
 			email.Sequence,
 			email.ChangeDate,
 			email.ResourceOwner,
@ -240,7 +240,7 @@ func (s *Server) ResendHumanInitialization(ctx context.Context, req *mgmt_pb.Res
 		return nil, err
 	}
 	return &mgmt_pb.ResendHumanInitializationResponse{
-		Details: obj_grpc.DomainToDetailsPb(details),
+		Details: obj_grpc.DomainToChangeDetailsPb(details),
 	}, nil
 }

@ -250,7 +250,7 @@ func (s *Server) ResendHumanEmailVerification(ctx context.Context, req *mgmt_pb.
 		return nil, err
 	}
 	return &mgmt_pb.ResendHumanEmailVerificationResponse{
-		Details: obj_grpc.DomainToDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -271,12 +271,12 @@ func (s *Server) GetHumanPhone(ctx context.Context, req *mgmt_pb.GetHumanPhoneRe
 }

 func (s *Server) UpdateHumanPhone(ctx context.Context, req *mgmt_pb.UpdateHumanPhoneRequest) (*mgmt_pb.UpdateHumanPhoneResponse, error) {
-	phone, err := s.command.ChangeHumanPhone(ctx, UpdateHumanPhoneRequestToDomain(req))
+	phone, err := s.command.ChangeHumanPhone(ctx, UpdateHumanPhoneRequestToDomain(req), authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
 	return &mgmt_pb.UpdateHumanPhoneResponse{
-		Details: obj_grpc.ToDetailsPb(
+		Details: obj_grpc.ChangeToDetailsPb(
 			phone.Sequence,
 			phone.ChangeDate,
 			phone.ResourceOwner,
@ -290,7 +290,7 @@ func (s *Server) RemoveHumanPhone(ctx context.Context, req *mgmt_pb.RemoveHumanP
 		return nil, err
 	}
 	return &mgmt_pb.RemoveHumanPhoneResponse{
-		Details: obj_grpc.DomainToDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -300,7 +300,7 @@ func (s *Server) ResendHumanPhoneVerification(ctx context.Context, req *mgmt_pb.
 		return nil, err
 	}
 	return &mgmt_pb.ResendHumanPhoneVerificationResponse{
-		Details: obj_grpc.DomainToDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -310,7 +310,7 @@ func (s *Server) SetHumanInitialPassword(ctx context.Context, req *mgmt_pb.SetHu
 		return nil, err
 	}
 	return &mgmt_pb.SetHumanInitialPasswordResponse{
-		Details: obj_grpc.DomainToDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -320,7 +320,7 @@ func (s *Server) SendHumanResetPasswordNotification(ctx context.Context, req *mg
 		return nil, err
 	}
 	return &mgmt_pb.SendHumanResetPasswordNotificationResponse{
-		Details: obj_grpc.DomainToDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -340,7 +340,7 @@ func (s *Server) RemoveHumanAuthFactorOTP(ctx context.Context, req *mgmt_pb.Remo
 		return nil, err
 	}
 	return &mgmt_pb.RemoveHumanAuthFactorOTPResponse{
-		Details: obj_grpc.DomainToDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -350,7 +350,7 @@ func (s *Server) RemoveHumanAuthFactorU2F(ctx context.Context, req *mgmt_pb.Remo
 		return nil, err
 	}
 	return &mgmt_pb.RemoveHumanAuthFactorU2FResponse{
-		Details: obj_grpc.DomainToDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -370,7 +370,7 @@ func (s *Server) RemoveHumanPasswordless(ctx context.Context, req *mgmt_pb.Remov
 		return nil, err
 	}
 	return &mgmt_pb.RemoveHumanPasswordlessResponse{
-		Details: obj_grpc.DomainToDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -380,7 +380,7 @@ func (s *Server) UpdateMachine(ctx context.Context, req *mgmt_pb.UpdateMachineRe
 		return nil, err
 	}
 	return &mgmt_pb.UpdateMachineResponse{
-		Details: obj_grpc.ToDetailsPb(
+		Details: obj_grpc.ChangeToDetailsPb(
 			machine.Sequence,
 			machine.ChangeDate,
 			machine.ResourceOwner,
@ -425,7 +425,7 @@ func (s *Server) AddMachineKey(ctx context.Context, req *mgmt_pb.AddMachineKeyRe
 	return &mgmt_pb.AddMachineKeyResponse{
 		KeyId:      key.KeyID,
 		KeyDetails: keyDetails,
-		Details: object.ToDetailsPb(
+		Details: object.AddToDetailsPb(
 			key.Sequence,
 			key.ChangeDate,
 			key.ResourceOwner,
@ -439,7 +439,7 @@ func (s *Server) RemoveMachineKey(ctx context.Context, req *mgmt_pb.RemoveMachin
 		return nil, err
 	}
 	return &mgmt_pb.RemoveMachineKeyResponse{
-		Details: obj_grpc.DomainToDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -463,7 +463,7 @@ func (s *Server) RemoveHumanLinkedIDP(ctx context.Context, req *mgmt_pb.RemoveHu
 		return nil, err
 	}
 	return &mgmt_pb.RemoveHumanLinkedIDPResponse{
-		Details: obj_grpc.DomainToDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

--- a/internal/api/grpc/management/user_converter.go
+++ b/internal/api/grpc/management/user_converter.go
@ -93,6 +93,7 @@ func UpdateHumanProfileRequestToDomain(req *mgmt_pb.UpdateHumanProfileRequest) *

 func UpdateHumanEmailRequestToDomain(req *mgmt_pb.UpdateHumanEmailRequest) *domain.Email {
 	return &domain.Email{
+		ObjectRoot:      models.ObjectRoot{AggregateID: req.UserId},
 		EmailAddress:    req.Email,
 		IsEmailVerified: req.IsEmailVerified,
 	}
@ -100,6 +101,7 @@ func UpdateHumanEmailRequestToDomain(req *mgmt_pb.UpdateHumanEmailRequest) *doma

 func UpdateHumanPhoneRequestToDomain(req *mgmt_pb.UpdateHumanPhoneRequest) *domain.Phone {
 	return &domain.Phone{
+		ObjectRoot:      models.ObjectRoot{AggregateID: req.UserId},
 		PhoneNumber:     req.Phone,
 		IsPhoneVerified: req.IsPhoneVerified,
 	}
--- a/internal/api/grpc/management/user_grant.go
+++ b/internal/api/grpc/management/user_grant.go
@ -43,7 +43,7 @@ func (s *Server) AddUserGrant(ctx context.Context, req *mgmt_pb.AddUserGrantRequ
 	}
 	return &mgmt_pb.AddUserGrantResponse{
 		UserGrantId: grant.AggregateID,
-		Details: obj_grpc.ToDetailsPb(
+		Details: obj_grpc.AddToDetailsPb(
 			grant.Sequence,
 			grant.ChangeDate,
 			grant.ResourceOwner,
@ -57,7 +57,7 @@ func (s *Server) UpdateUserGrant(ctx context.Context, req *mgmt_pb.UpdateUserGra
 		return nil, err
 	}
 	return &mgmt_pb.UpdateUserGrantResponse{
-		Details: obj_grpc.ToDetailsPb(
+		Details: obj_grpc.ChangeToDetailsPb(
 			grant.Sequence,
 			grant.ChangeDate,
 			grant.ResourceOwner,
@ -71,7 +71,7 @@ func (s *Server) DeactivateUserGrant(ctx context.Context, req *mgmt_pb.Deactivat
 		return nil, err
 	}
 	return &mgmt_pb.DeactivateUserGrantResponse{
-		Details: obj_grpc.DomainToDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -81,7 +81,7 @@ func (s *Server) ReactivateUserGrant(ctx context.Context, req *mgmt_pb.Reactivat
 		return nil, err
 	}
 	return &mgmt_pb.ReactivateUserGrantResponse{
-		Details: obj_grpc.DomainToDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

@ -91,7 +91,7 @@ func (s *Server) RemoveUserGrant(ctx context.Context, req *mgmt_pb.RemoveUserGra
 		return nil, err
 	}
 	return &mgmt_pb.RemoveUserGrantResponse{
-		Details: obj_grpc.DomainToDetailsPb(objectDetails),
+		Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
 	}, nil
 }

--- a/internal/api/grpc/object/converter.go
+++ b/internal/api/grpc/object/converter.go
@ -10,10 +10,18 @@ import (
 	object_pb "github.com/caos/zitadel/pkg/grpc/object"
 )

-func DomainToDetailsPb(objectDetail *domain.ObjectDetails) *object_pb.ObjectDetails {
+func DomainToChangeDetailsPb(objectDetail *domain.ObjectDetails) *object_pb.ObjectDetails {
 	return &object_pb.ObjectDetails{
 		Sequence:      objectDetail.Sequence,
-		ChangeDate:    timestamppb.New(objectDetail.ChangeDate),
+		ChangeDate:    timestamppb.New(objectDetail.EventDate),
+		ResourceOwner: objectDetail.ResourceOwner,
+	}
+}
+
+func DomainToAddDetailsPb(objectDetail *domain.ObjectDetails) *object_pb.ObjectDetails {
+	return &object_pb.ObjectDetails{
+		Sequence:      objectDetail.Sequence,
+		CreationDate:  timestamppb.New(objectDetail.EventDate),
 		ResourceOwner: objectDetail.ResourceOwner,
 	}
 }
@ -32,7 +40,7 @@ func ToViewDetailsPb(
 	}
 }

-func ToDetailsPb(
+func ChangeToDetailsPb(
 	sequence uint64,
 	changeDate time.Time,
 	resourceOwner string,
@ -44,6 +52,18 @@ func ToDetailsPb(
 	}
 }

+func AddToDetailsPb(
+	sequence uint64,
+	creationDate time.Time,
+	resourceOwner string,
+) *object_pb.ObjectDetails {
+	return &object_pb.ObjectDetails{
+		Sequence:      sequence,
+		CreationDate:  timestamppb.New(creationDate),
+		ResourceOwner: resourceOwner,
+	}
+}
+
 func ToListDetails(
 	totalResult,
 	processedSequence uint64,
--- a/internal/api/grpc/org/converter.go
+++ b/internal/api/grpc/org/converter.go
@ -71,10 +71,10 @@ func OrgToPb(org *grant_model.Org) *org_pb.Org {
 		Id:   org.OrgID,
 		Name: org.OrgName,
 		// State: OrgStateToPb(org.State), //TODO: not provided
-		// Details: object.ToDetailsPb(//TODO: not provided
+		// Details: object.ChangeToDetailsPb(//TODO: not provided
 		// 	org.Sequence,//TODO: not provided
 		// 	org.CreationDate,//TODO: not provided
-		// 	org.ChangeDate,//TODO: not provided
+		// 	org.EventDate,//TODO: not provided
 		// 	org.ResourceOwner,//TODO: not provided
 		// ),//TODO: not provided
 	}
--- a/internal/command/converter.go
+++ b/internal/command/converter.go
@ -9,6 +9,6 @@ func writeModelToObjectDetails(writeModel *eventstore.WriteModel) *domain.Object
 	return &domain.ObjectDetails{
 		Sequence:      writeModel.ProcessedSequence,
 		ResourceOwner: writeModel.ResourceOwner,
-		ChangeDate:    writeModel.ChangeDate,
+		EventDate:     writeModel.ChangeDate,
 	}
 }
--- a/internal/command/iam_member.go
+++ b/internal/command/iam_member.go
@ -13,8 +13,15 @@ import (
 )

 func (c *Commands) AddIAMMember(ctx context.Context, member *domain.Member) (*domain.Member, error) {
+	if member.UserID == "" {
+		return nil, caos_errs.ThrowInvalidArgument(nil, "IAM-Mf83b", "Errors.IAM.MemberInvalid")
+	}
 	addedMember := NewIAMMemberWriteModel(member.UserID)
 	iamAgg := IAMAggregateFromWriteModel(&addedMember.MemberWriteModel.WriteModel)
+	err := c.checkUserExists(ctx, addedMember.UserID, "")
+	if err != nil {
+		return nil, caos_errs.ThrowPreconditionFailed(err, "IAM-5N9vs", "Errors.User.NotFound")
+	}
 	event, err := c.addIAMMember(ctx, iamAgg, addedMember, member)
 	if err != nil {
 		return nil, err
@ -38,11 +45,7 @@ func (c *Commands) addIAMMember(ctx context.Context, iamAgg *eventstore.Aggregat
 	if len(domain.CheckForInvalidRoles(member.Roles, domain.IAMRolePrefix, c.zitadelRoles)) > 0 {
 		return nil, caos_errs.ThrowInvalidArgument(nil, "IAM-4m0fS", "Errors.IAM.MemberInvalid")
 	}
-	err := c.checkUserExists(ctx, addedMember.UserID, "")
-	if err != nil {
-		return nil, caos_errs.ThrowPreconditionFailed(err, "IAM-5N9vs", "Errors.User.NotFound")
-	}
-	err = c.eventstore.FilterToQueryReducer(ctx, addedMember)
+	err := c.eventstore.FilterToQueryReducer(ctx, addedMember)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/command/iam_member_test.go
+++ b/internal/command/iam_member_test.go
@ -50,11 +50,46 @@ func TestCommandSide_AddIAMMember(t *testing.T) {
 				err: caos_errs.IsErrorInvalidArgument,
 			},
 		},
+		{
+			name: "user not existing, precondition error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(),
+				),
+			},
+			args: args{
+				ctx: context.Background(),
+				member: &domain.Member{
+					UserID: "user1",
+					Roles:  []string{"IAM_OWNER"},
+				},
+			},
+			res: res{
+				err: caos_errs.IsPreconditionFailed,
+			},
+		},
 		{
 			name: "invalid roles, error",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"username1",
+								"firstname1",
+								"lastname1",
+								"nickname1",
+								"displayname1",
+								language.German,
+								domain.GenderMale,
+								"email1",
+								true,
+							),
+						),
+					),
 				),
 			},
 			args: args{
@ -68,30 +103,6 @@ func TestCommandSide_AddIAMMember(t *testing.T) {
 				err: caos_errs.IsErrorInvalidArgument,
 			},
 		},
-		{
-			name: "user not existing, precondition error",
-			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-					expectFilter(),
-				),
-				zitadelRoles: []authz.RoleMapping{
-					{
-						Role: "IAM_OWNER",
-					},
-				},
-			},
-			args: args{
-				ctx: context.Background(),
-				member: &domain.Member{
-					UserID: "user1",
-					Roles:  []string{"IAM_OWNER"},
-				},
-			},
-			res: res{
-				err: caos_errs.IsPreconditionFailed,
-			},
-		},
 		{
 			name: "member already exists, precondition error",
 			fields: fields{
--- a/internal/command/org.go
+++ b/internal/command/org.go
@ -31,7 +31,15 @@ func (c *Commands) checkOrgExists(ctx context.Context, orgID string) error {
 }

 func (c *Commands) SetUpOrg(ctx context.Context, organisation *domain.Org, admin *domain.Human) (*domain.ObjectDetails, error) {
-	_, orgWriteModel, _, _, events, err := c.setUpOrg(ctx, organisation, admin)
+	orgIAMPolicy, err := c.getDefaultOrgIAMPolicy(ctx)
+	if err != nil {
+		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-33M9f", "Errors.IAM.OrgIAMPolicy.NotFound")
+	}
+	pwPolicy, err := c.getDefaultPasswordComplexityPolicy(ctx)
+	if err != nil {
+		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-M5Fsd", "Errors.IAM.PasswordComplexity.NotFound")
+	}
+	_, orgWriteModel, _, _, events, err := c.setUpOrg(ctx, organisation, admin, orgIAMPolicy, pwPolicy)
 	if err != nil {
 		return nil, err
 	}
@ -51,7 +59,6 @@ func (c *Commands) AddOrg(ctx context.Context, name, userID, resourceOwner strin
 	if err != nil {
 		return nil, err
 	}
-
 	err = c.checkUserExists(ctx, userID, resourceOwner)
 	if err != nil {
 		return nil, err
@ -119,13 +126,13 @@ func (c *Commands) ReactivateOrg(ctx context.Context, orgID string) (*domain.Obj
 	return writeModelToObjectDetails(&orgWriteModel.WriteModel), nil
 }

-func (c *Commands) setUpOrg(ctx context.Context, organisation *domain.Org, admin *domain.Human) (orgAgg *eventstore.Aggregate, org *OrgWriteModel, human *HumanWriteModel, orgMember *OrgMemberWriteModel, events []eventstore.EventPusher, err error) {
+func (c *Commands) setUpOrg(ctx context.Context, organisation *domain.Org, admin *domain.Human, loginPolicy *domain.OrgIAMPolicy, pwPolicy *domain.PasswordComplexityPolicy) (orgAgg *eventstore.Aggregate, org *OrgWriteModel, human *HumanWriteModel, orgMember *OrgMemberWriteModel, events []eventstore.EventPusher, err error) {
 	orgAgg, orgWriteModel, addOrgEvents, err := c.addOrg(ctx, organisation)
 	if err != nil {
 		return nil, nil, nil, nil, nil, err
 	}

-	userEvents, human, err := c.addHuman(ctx, orgAgg.ID, admin)
+	userEvents, human, err := c.addHuman(ctx, orgAgg.ID, admin, loginPolicy, pwPolicy)
 	if err != nil {
 		return nil, nil, nil, nil, nil, err
 	}
--- a/internal/command/org_member.go
+++ b/internal/command/org_member.go
@ -13,8 +13,15 @@ import (
 )

 func (c *Commands) AddOrgMember(ctx context.Context, member *domain.Member) (*domain.Member, error) {
+	if member.UserID == "" {
+		return nil, caos_errs.ThrowInvalidArgument(nil, "Org-u8fkf", "Errors.Org.MemberInvalid")
+	}
 	addedMember := NewOrgMemberWriteModel(member.AggregateID, member.UserID)
 	orgAgg := OrgAggregateFromWriteModel(&addedMember.WriteModel)
+	err := c.checkUserExists(ctx, addedMember.UserID, "")
+	if err != nil {
+		return nil, caos_errs.ThrowPreconditionFailed(err, "Org-2H8ds", "Errors.User.NotFound")
+	}
 	event, err := c.addOrgMember(ctx, orgAgg, addedMember, member)
 	if err != nil {
 		return nil, err
@ -35,13 +42,9 @@ func (c *Commands) addOrgMember(ctx context.Context, orgAgg *eventstore.Aggregat
 		return nil, caos_errs.ThrowInvalidArgument(nil, "Org-W8m4l", "Errors.Org.MemberInvalid")
 	}
 	if len(domain.CheckForInvalidRoles(member.Roles, domain.OrgRolePrefix, c.zitadelRoles)) > 0 {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "IAM-3m9fs", "Errors.Org.MemberInvalid")
+		return nil, caos_errs.ThrowInvalidArgument(nil, "Org-4N8es", "Errors.Org.MemberInvalid")
 	}
-	err := c.checkUserExists(ctx, addedMember.UserID, "")
-	if err != nil {
-		return nil, caos_errs.ThrowPreconditionFailed(err, "ORG-9cmsd", "Errors.User.NotFound")
-	}
-	err = c.eventstore.FilterToQueryReducer(ctx, addedMember)
+	err := c.eventstore.FilterToQueryReducer(ctx, addedMember)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/command/org_member_test.go
+++ b/internal/command/org_member_test.go
@ -57,11 +57,49 @@ func TestCommandSide_AddOrgMember(t *testing.T) {
 				err: caos_errs.IsErrorInvalidArgument,
 			},
 		},
+		{
+			name: "user not existing, precondition error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(),
+				),
+			},
+			args: args{
+				ctx: context.Background(),
+				member: &domain.Member{
+					ObjectRoot: models.ObjectRoot{
+						AggregateID: "org1",
+					},
+					UserID: "user1",
+					Roles:  []string{domain.RoleOrgOwner},
+				},
+			},
+			res: res{
+				err: caos_errs.IsPreconditionFailed,
+			},
+		},
 		{
 			name: "invalid roles, error",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"username1",
+								"firstname1",
+								"lastname1",
+								"nickname1",
+								"displayname1",
+								language.German,
+								domain.GenderMale,
+								"email1",
+								true,
+							),
+						),
+					),
 				),
 			},
 			args: args{
@ -78,33 +116,6 @@ func TestCommandSide_AddOrgMember(t *testing.T) {
 				err: caos_errs.IsErrorInvalidArgument,
 			},
 		},
-		{
-			name: "user not existing, precondition error",
-			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-					expectFilter(),
-				),
-				zitadelRoles: []authz.RoleMapping{
-					{
-						Role: domain.RoleOrgOwner,
-					},
-				},
-			},
-			args: args{
-				ctx: context.Background(),
-				member: &domain.Member{
-					ObjectRoot: models.ObjectRoot{
-						AggregateID: "org1",
-					},
-					UserID: "user1",
-					Roles:  []string{domain.RoleOrgOwner},
-				},
-			},
-			res: res{
-				err: caos_errs.IsPreconditionFailed,
-			},
-		},
 		{
 			name: "member already exists, precondition error",
 			fields: fields{
--- a/internal/command/org_test.go
+++ b/internal/command/org_test.go
@ -2,6 +2,11 @@ package command

 import (
 	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/text/language"
+
 	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/domain"
 	caos_errs "github.com/caos/zitadel/internal/errors"
@ -13,9 +18,6 @@ import (
 	"github.com/caos/zitadel/internal/repository/member"
 	"github.com/caos/zitadel/internal/repository/org"
 	"github.com/caos/zitadel/internal/repository/user"
-	"github.com/stretchr/testify/assert"
-	"golang.org/x/text/language"
-	"testing"
 )

 func TestCommandSide_AddOrg(t *testing.T) {
@ -122,22 +124,6 @@ func TestCommandSide_AddOrg(t *testing.T) {
 							),
 						),
 					),
-					expectFilter(
-						eventFromEventPusher(
-							user.NewHumanAddedEvent(context.Background(),
-								&user.NewAggregate("user1", "org1").Aggregate,
-								"username1",
-								"firstname1",
-								"lastname1",
-								"nickname1",
-								"displayname1",
-								language.German,
-								domain.GenderMale,
-								"email1",
-								true,
-							),
-						),
-					),
 					expectFilterOrgMemberNotFound(),
 					expectPushFailed(caos_errs.ThrowAlreadyExists(nil, "id", "internal"),
 						[]*repository.Event{
@ -207,22 +193,6 @@ func TestCommandSide_AddOrg(t *testing.T) {
 							),
 						),
 					),
-					expectFilter(
-						eventFromEventPusher(
-							user.NewHumanAddedEvent(context.Background(),
-								&user.NewAggregate("user1", "org1").Aggregate,
-								"username1",
-								"firstname1",
-								"lastname1",
-								"nickname1",
-								"displayname1",
-								language.German,
-								domain.GenderMale,
-								"email1",
-								true,
-							),
-						),
-					),
 					expectFilterOrgMemberNotFound(),
 					expectPushFailed(caos_errs.ThrowInternal(nil, "id", "internal"),
 						[]*repository.Event{
@ -292,22 +262,6 @@ func TestCommandSide_AddOrg(t *testing.T) {
 							),
 						),
 					),
-					expectFilter(
-						eventFromEventPusher(
-							user.NewHumanAddedEvent(context.Background(),
-								&user.NewAggregate("user1", "org1").Aggregate,
-								"username1",
-								"firstname1",
-								"lastname1",
-								"nickname1",
-								"displayname1",
-								language.German,
-								domain.GenderMale,
-								"email1",
-								true,
-							),
-						),
-					),
 					expectFilterOrgMemberNotFound(),
 					expectPush(
 						[]*repository.Event{
--- a/internal/command/project_application_oidc.go
+++ b/internal/command/project_application_oidc.go
@ -43,8 +43,8 @@ func (c *Commands) AddOIDCApplication(ctx context.Context, application *domain.O
 }

 func (c *Commands) addOIDCApplication(ctx context.Context, projectAgg *eventstore.Aggregate, proj *domain.Project, oidcApp *domain.OIDCApp, resourceOwner string) (events []eventstore.EventPusher, stringPW string, err error) {
-	if !oidcApp.IsValid() {
-		return nil, "", caos_errs.ThrowInvalidArgument(nil, "PROJECT-Bff2g", "Errors.Application.Invalid")
+	if oidcApp.AppName == "" || !oidcApp.IsValid() {
+		return nil, "", caos_errs.ThrowInvalidArgument(nil, "PROJECT-1n8df", "Errors.Application.Invalid")
 	}
 	oidcApp.AppID, err = c.idGenerator.Next()
 	if err != nil {
--- a/internal/command/project_application_oidc_test.go
+++ b/internal/command/project_application_oidc_test.go
@ -2,6 +2,11 @@ package command

 import (
 	"context"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+
 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/domain"
 	caos_errs "github.com/caos/zitadel/internal/errors"
@ -11,9 +16,6 @@ import (
 	"github.com/caos/zitadel/internal/id"
 	id_mock "github.com/caos/zitadel/internal/id/mock"
 	"github.com/caos/zitadel/internal/repository/project"
-	"github.com/stretchr/testify/assert"
-	"testing"
-	"time"
 )

 func TestCommandSide_AddOIDCApplication(t *testing.T) {
@ -285,8 +287,9 @@ func TestCommandSide_ChangeOIDCApplication(t *testing.T) {
 						AggregateID: "project1",
 					},
 					AppID:          "",
-					AppName:        "app",
 					AuthMethodType: domain.OIDCAuthMethodTypePost,
+					GrantTypes:     []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode},
+					ResponseTypes:  []domain.OIDCResponseType{domain.OIDCResponseTypeCode},
 				},
 				resourceOwner: "org1",
 			},
@ -308,8 +311,9 @@ func TestCommandSide_ChangeOIDCApplication(t *testing.T) {
 						AggregateID: "",
 					},
 					AppID:          "appid",
-					AppName:        "app",
 					AuthMethodType: domain.OIDCAuthMethodTypePost,
+					GrantTypes:     []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode},
+					ResponseTypes:  []domain.OIDCResponseType{domain.OIDCResponseTypeCode},
 				},
 				resourceOwner: "org1",
 			},
@ -331,8 +335,10 @@ func TestCommandSide_ChangeOIDCApplication(t *testing.T) {
 					ObjectRoot: models.ObjectRoot{
 						AggregateID: "project1",
 					},
-					AppID:   "app1",
-					AppName: "app",
+					AppID:          "app1",
+					AuthMethodType: domain.OIDCAuthMethodTypePost,
+					GrantTypes:     []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode},
+					ResponseTypes:  []domain.OIDCResponseType{domain.OIDCResponseTypeCode},
 				},
 				resourceOwner: "org1",
 			},
--- a/internal/command/project_grant.go
+++ b/internal/command/project_grant.go
@ -13,7 +13,7 @@ import (

 func (c *Commands) AddProjectGrant(ctx context.Context, grant *domain.ProjectGrant, resourceOwner string) (_ *domain.ProjectGrant, err error) {
 	if !grant.IsValid() {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "PROJECT-Bff2g", "Errors.Project.Grant.Invalid")
+		return nil, caos_errs.ThrowInvalidArgument(nil, "PROJECT-3b8fs", "Errors.Project.Grant.Invalid")
 	}
 	err = c.checkProjectGrantPreCondition(ctx, grant)
 	if err != nil {
--- a/internal/command/setup_step1.go
+++ b/internal/command/setup_step1.go
@ -2,6 +2,7 @@ package command

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/eventstore"

 	"github.com/caos/zitadel/internal/eventstore/v1/models"
@ -23,9 +24,10 @@ const (
 	OIDCApplicationTypeNative      = "NATIVE"
 	OIDCApplicationTypeUserAgent   = "USER_AGENT"
 	OIDCApplicationTypeWeb         = "WEB"
-	OIDCAuthMethodTypeNone         = "NONE"
-	OIDCAuthMethodTypeBasic        = "BASIC"
-	OIDCAuthMethodTypePost         = "POST"
+	AuthMethodTypeNone             = "NONE"
+	AuthMethodTypeBasic            = "BASIC"
+	AuthMethodTypePost             = "POST"
+	AuthMethodTypePrivateKeyJWT    = "PRIVATE_KEY_JWT"
 )

 type Step1 struct {
@ -70,6 +72,7 @@ type Project struct {
 	Users    []User
 	Members  []string
 	OIDCApps []OIDCApp
+	APIs     []API
 }

 type OIDCApp struct {
@ -83,6 +86,11 @@ type OIDCApp struct {
 	DevMode                bool
 }

+type API struct {
+	Name           string
+	AuthMethodType string
+}
+
 func (c *Commands) SetupStep1(ctx context.Context, step1 *Step1) error {
 	var events []eventstore.EventPusher
 	iamWriteModel := NewIAMWriteModel()
@ -101,6 +109,13 @@ func (c *Commands) SetupStep1(ctx context.Context, step1 *Step1) error {
 	logging.Log("SETUP-sd2hj").Info("default login policy set up")
 	//create orgs
 	for _, organisation := range step1.Orgs {
+		orgIAMPolicy := &domain.OrgIAMPolicy{UserLoginMustBeDomain: true}
+		if organisation.OrgIamPolicy {
+			orgIAMPolicy.UserLoginMustBeDomain = false
+		}
+		pwPolicy := &domain.PasswordComplexityPolicy{
+			MinLength: 1,
+		}
 		orgAgg, _, humanWriteModel, _, setUpOrgEvents, err := c.setUpOrg(ctx,
 			&domain.Org{
 				Name:    organisation.Name,
@ -119,7 +134,7 @@ func (c *Commands) SetupStep1(ctx context.Context, step1 *Step1) error {
 					EmailAddress:    organisation.Owner.Email,
 					IsEmailVerified: true,
 				},
-			})
+			}, orgIAMPolicy, pwPolicy)
 		if err != nil {
 			return err
 		}
@ -127,7 +142,7 @@ func (c *Commands) SetupStep1(ctx context.Context, step1 *Step1) error {
 		logging.LogWithFields("SETUP-Gdsfg", "id", orgAgg.ID, "name", organisation.Name).Info("org set up")

 		if organisation.OrgIamPolicy {
-			orgIAMPolicyEvent, err := c.addOrgIAMPolicy(ctx, orgAgg, NewORGOrgIAMPolicyWriteModel(orgAgg.ID), &domain.OrgIAMPolicy{UserLoginMustBeDomain: false})
+			orgIAMPolicyEvent, err := c.addOrgIAMPolicy(ctx, orgAgg, NewORGOrgIAMPolicyWriteModel(orgAgg.ID), orgIAMPolicy)
 			if err != nil {
 				return err
 			}
@ -165,7 +180,14 @@ func (c *Commands) SetupStep1(ctx context.Context, step1 *Step1) error {
 			}
 			//create applications
 			for _, app := range proj.OIDCApps {
-				applicationEvents, err := setUpApplication(ctx, c, projectWriteModel, project, app, orgAgg.ID)
+				applicationEvents, err := setUpOIDCApplication(ctx, c, projectWriteModel, project, app, orgAgg.ID)
+				if err != nil {
+					return err
+				}
+				events = append(events, applicationEvents...)
+			}
+			for _, app := range proj.APIs {
+				applicationEvents, err := setUpAPI(ctx, c, projectWriteModel, project, app, orgAgg.ID)
 				if err != nil {
 					return err
 				}
@ -183,7 +205,7 @@ func (c *Commands) SetupStep1(ctx context.Context, step1 *Step1) error {
 	return nil
 }

-func setUpApplication(ctx context.Context, r *Commands, projectWriteModel *ProjectWriteModel, project *domain.Project, oidcApp OIDCApp, resourceOwner string) ([]eventstore.EventPusher, error) {
+func setUpOIDCApplication(ctx context.Context, r *Commands, projectWriteModel *ProjectWriteModel, project *domain.Project, oidcApp OIDCApp, resourceOwner string) ([]eventstore.EventPusher, error) {
 	app := &domain.OIDCApp{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: projectWriteModel.AggregateID,
@ -206,6 +228,24 @@ func setUpApplication(ctx context.Context, r *Commands, projectWriteModel *Proje
 	return events, nil
 }

+func setUpAPI(ctx context.Context, r *Commands, projectWriteModel *ProjectWriteModel, project *domain.Project, apiApp API, resourceOwner string) ([]eventstore.EventPusher, error) {
+	app := &domain.APIApp{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: projectWriteModel.AggregateID,
+		},
+		AppName:        apiApp.Name,
+		AuthMethodType: getAPIAuthMethod(apiApp.AuthMethodType),
+	}
+
+	projectAgg := ProjectAggregateFromWriteModel(&projectWriteModel.WriteModel)
+	events, _, err := r.addAPIApplication(ctx, projectAgg, project, app, resourceOwner)
+	if err != nil {
+		return nil, err
+	}
+	logging.LogWithFields("SETUP-Dbgsf", "name", app.AppName, "clientID", app.ClientID).Info("application set up")
+	return events, nil
+}
+
 func getOIDCResponseTypes(responseTypes []string) []domain.OIDCResponseType {
 	types := make([]domain.OIDCResponseType, len(responseTypes))
 	for i, t := range responseTypes {
@ -260,12 +300,24 @@ func getOIDCApplicationType(appType string) domain.OIDCApplicationType {

 func getOIDCAuthMethod(authMethod string) domain.OIDCAuthMethodType {
 	switch authMethod {
-	case OIDCAuthMethodTypeNone:
+	case AuthMethodTypeNone:
 		return domain.OIDCAuthMethodTypeNone
-	case OIDCAuthMethodTypeBasic:
+	case AuthMethodTypeBasic:
 		return domain.OIDCAuthMethodTypeBasic
-	case OIDCAuthMethodTypePost:
+	case AuthMethodTypePost:
 		return domain.OIDCAuthMethodTypePost
+	case AuthMethodTypePrivateKeyJWT:
+		return domain.OIDCAuthMethodTypePrivateKeyJWT
 	}
 	return domain.OIDCAuthMethodTypeBasic
 }
+
+func getAPIAuthMethod(authMethod string) domain.APIAuthMethodType {
+	switch authMethod {
+	case AuthMethodTypeBasic:
+		return domain.APIAuthMethodTypeBasic
+	case AuthMethodTypePrivateKeyJWT:
+		return domain.APIAuthMethodTypePrivateKeyJWT
+	}
+	return domain.APIAuthMethodTypePrivateKeyJWT
+}
--- a/internal/command/user_human.go
+++ b/internal/command/user_human.go
@ -22,7 +22,18 @@ func (c *Commands) getHuman(ctx context.Context, userID, resourceowner string) (
 }

 func (c *Commands) AddHuman(ctx context.Context, orgID string, human *domain.Human) (*domain.Human, error) {
-	events, addedHuman, err := c.addHuman(ctx, orgID, human)
+	if orgID == "" {
+		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-4M90d", "Errors.ResourceOwnerMissing")
+	}
+	orgIAMPolicy, err := c.getOrgIAMPolicy(ctx, orgID)
+	if err != nil {
+		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-33M9f", "Errors.Org.OrgIAMPolicy.NotFound")
+	}
+	pwPolicy, err := c.getOrgPasswordComplexityPolicy(ctx, orgID)
+	if err != nil {
+		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-M5Fsd", "Errors.Org.PasswordComplexity.NotFound")
+	}
+	events, addedHuman, err := c.addHuman(ctx, orgID, human, orgIAMPolicy, pwPolicy)
 	if err != nil {
 		return nil, err
 	}
@ -39,11 +50,11 @@ func (c *Commands) AddHuman(ctx context.Context, orgID string, human *domain.Hum
 	return writeModelToHuman(addedHuman), nil
 }

-func (c *Commands) addHuman(ctx context.Context, orgID string, human *domain.Human) ([]eventstore.EventPusher, *HumanWriteModel, error) {
+func (c *Commands) addHuman(ctx context.Context, orgID string, human *domain.Human, orgIAMPolicy *domain.OrgIAMPolicy, pwPolicy *domain.PasswordComplexityPolicy) ([]eventstore.EventPusher, *HumanWriteModel, error) {
 	if orgID == "" || !human.IsValid() {
 		return nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-4M90d", "Errors.User.Invalid")
 	}
-	return c.createHuman(ctx, orgID, human, nil, false)
+	return c.createHuman(ctx, orgID, human, nil, false, orgIAMPolicy, pwPolicy)
 }

 func (c *Commands) RegisterHuman(ctx context.Context, orgID string, human *domain.Human, externalIDP *domain.ExternalIDP, orgMemberRoles []string) (*domain.Human, error) {
@ -85,26 +96,26 @@ func (c *Commands) registerHuman(ctx context.Context, orgID string, human *domai
 	if orgID == "" || !human.IsValid() || externalIDP == nil && (human.Password == nil || human.SecretString == "") {
 		return nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-9dk45", "Errors.User.Invalid")
 	}
-	return c.createHuman(ctx, orgID, human, externalIDP, true)
-}
-
-func (c *Commands) createHuman(ctx context.Context, orgID string, human *domain.Human, externalIDP *domain.ExternalIDP, selfregister bool) ([]eventstore.EventPusher, *HumanWriteModel, error) {
-	userID, err := c.idGenerator.Next()
-	if err != nil {
-		return nil, nil, err
-	}
-	human.AggregateID = userID
 	orgIAMPolicy, err := c.getOrgIAMPolicy(ctx, orgID)
 	if err != nil {
 		return nil, nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-33M9f", "Errors.Org.OrgIAMPolicy.NotFound")
 	}
-	if err := human.CheckOrgIAMPolicy(orgIAMPolicy); err != nil {
-		return nil, nil, err
-	}
 	pwPolicy, err := c.getOrgPasswordComplexityPolicy(ctx, orgID)
 	if err != nil {
 		return nil, nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-M5Fsd", "Errors.Org.PasswordComplexity.NotFound")
 	}
+	return c.createHuman(ctx, orgID, human, externalIDP, true, orgIAMPolicy, pwPolicy)
+}
+
+func (c *Commands) createHuman(ctx context.Context, orgID string, human *domain.Human, externalIDP *domain.ExternalIDP, selfregister bool, orgIAMPolicy *domain.OrgIAMPolicy, pwPolicy *domain.PasswordComplexityPolicy) ([]eventstore.EventPusher, *HumanWriteModel, error) {
+	if err := human.CheckOrgIAMPolicy(orgIAMPolicy); err != nil {
+		return nil, nil, err
+	}
+	userID, err := c.idGenerator.Next()
+	if err != nil {
+		return nil, nil, err
+	}
+	human.AggregateID = userID
 	human.SetNamesAsDisplayname()
 	if err := human.HashPasswordIfExisting(pwPolicy, c.userPasswordAlg, !selfregister); err != nil {
 		return nil, nil, err
--- a/internal/command/user_human_phone.go
+++ b/internal/command/user_human_phone.go
@ -12,12 +12,12 @@ import (
 	"github.com/caos/zitadel/internal/telemetry/tracing"
 )

-func (c *Commands) ChangeHumanPhone(ctx context.Context, phone *domain.Phone) (*domain.Phone, error) {
+func (c *Commands) ChangeHumanPhone(ctx context.Context, phone *domain.Phone, resourceOwner string) (*domain.Phone, error) {
 	if !phone.IsValid() {
 		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-6M0ds", "Errors.Phone.Invalid")
 	}

-	existingPhone, err := c.phoneWriteModelByID(ctx, phone.AggregateID, phone.ResourceOwner)
+	existingPhone, err := c.phoneWriteModelByID(ctx, phone.AggregateID, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/command/user_human_phone_test.go
+++ b/internal/command/user_human_phone_test.go
@ -261,7 +261,7 @@ func TestCommandSide_ChangeHumanPhone(t *testing.T) {
 				eventstore:            tt.fields.eventstore,
 				phoneVerificationCode: tt.fields.secretGenerator,
 			}
-			got, err := r.ChangeHumanPhone(tt.args.ctx, tt.args.email)
+			got, err := r.ChangeHumanPhone(tt.args.ctx, tt.args.email, tt.args.resourceOwner)
 			if tt.res.err == nil {
 				assert.NoError(t, err)
 			}
--- a/internal/command/user_human_test.go
+++ b/internal/command/user_human_test.go
@ -68,27 +68,6 @@ func TestCommandSide_AddHuman(t *testing.T) {
 				err: caos_errs.IsErrorInvalidArgument,
 			},
 		},
-		{
-			name: "user invalid, invalid argument error",
-			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-				),
-			},
-			args: args{
-				ctx:   context.Background(),
-				orgID: "org1",
-				human: &domain.Human{
-					Username: "username",
-					Profile: &domain.Profile{
-						FirstName: "firstname",
-					},
-				},
-			},
-			res: res{
-				err: caos_errs.IsErrorInvalidArgument,
-			},
-		},
 		{
 			name: "org policy not found, precondition error",
 			fields: fields{
@ -97,7 +76,6 @@ func TestCommandSide_AddHuman(t *testing.T) {
 					expectFilter(),
 					expectFilter(),
 				),
-				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
 			},
 			args: args{
 				ctx:   context.Background(),
@ -117,40 +95,6 @@ func TestCommandSide_AddHuman(t *testing.T) {
 				err: caos_errs.IsPreconditionFailed,
 			},
 		},
-		{
-			name: "org policy check failed, precondition error",
-			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-					expectFilter(
-						eventFromEventPusher(
-							org.NewOrgIAMPolicyAddedEvent(context.Background(),
-								&user.NewAggregate("user1", "org1").Aggregate,
-								true,
-							),
-						),
-					),
-				),
-				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
-			},
-			args: args{
-				ctx:   context.Background(),
-				orgID: "org1",
-				human: &domain.Human{
-					Username: "email@test.ch",
-					Profile: &domain.Profile{
-						FirstName: "firstname",
-						LastName:  "lastname",
-					},
-					Email: &domain.Email{
-						EmailAddress: "email@test.ch",
-					},
-				},
-			},
-			res: res{
-				err: caos_errs.IsPreconditionFailed,
-			},
-		},
 		{
 			name: "password policy not found, precondition error",
 			fields: fields{
@ -167,7 +111,6 @@ func TestCommandSide_AddHuman(t *testing.T) {
 					expectFilter(),
 					expectFilter(),
 				),
-				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
 			},
 			args: args{
 				ctx:   context.Background(),
@ -187,6 +130,92 @@ func TestCommandSide_AddHuman(t *testing.T) {
 				err: caos_errs.IsPreconditionFailed,
 			},
 		},
+		{
+			name: "user invalid, invalid argument error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							org.NewOrgIAMPolicyAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								true,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								1,
+								false,
+								false,
+								false,
+								false,
+							),
+						),
+					),
+				),
+			},
+			args: args{
+				ctx:   context.Background(),
+				orgID: "org1",
+				human: &domain.Human{
+					Username: "username",
+					Profile: &domain.Profile{
+						FirstName: "firstname",
+					},
+				},
+			},
+			res: res{
+				err: caos_errs.IsErrorInvalidArgument,
+			},
+		},
+		{
+			name: "org policy check failed, precondition error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							org.NewOrgIAMPolicyAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								true,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								1,
+								false,
+								false,
+								false,
+								false,
+							),
+						),
+					),
+				),
+			},
+			args: args{
+				ctx:   context.Background(),
+				orgID: "org1",
+				human: &domain.Human{
+					Username: "email@test.ch",
+					Profile: &domain.Profile{
+						FirstName: "firstname",
+						LastName:  "lastname",
+					},
+					Email: &domain.Email{
+						EmailAddress: "email@test.ch",
+					},
+				},
+			},
+			res: res{
+				err: caos_errs.IsPreconditionFailed,
+			},
+		},
 		{
 			name: "add human (with initial code), ok",
 			fields: fields{
@ -747,7 +776,44 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 					expectFilter(),
 					expectFilter(),
 				),
-				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
+			},
+			args: args{
+				ctx:   context.Background(),
+				orgID: "org1",
+				human: &domain.Human{
+					Username: "username",
+					Profile: &domain.Profile{
+						FirstName: "firstname",
+						LastName:  "lastname",
+					},
+					Email: &domain.Email{
+						EmailAddress: "email@test.ch",
+					},
+					Password: &domain.Password{
+						SecretString: "password",
+					},
+				},
+			},
+			res: res{
+				err: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "password policy not found, precondition error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							org.NewOrgIAMPolicyAddedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate,
+								true,
+							),
+						),
+					),
+					expectFilter(),
+					expectFilter(),
+				),
 			},
 			args: args{
 				ctx:   context.Background(),
@ -778,13 +844,24 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgIAMPolicyAddedEvent(context.Background(),
-								&user.NewAggregate("user1", "org1").Aggregate,
+								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
 							),
 						),
 					),
+					expectFilter(
+						eventFromEventPusher(
+							org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate,
+								1,
+								false,
+								false,
+								false,
+								false,
+							),
+						),
+					),
 				),
-				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
 			},
 			args: args{
 				ctx:   context.Background(),
@ -807,45 +884,6 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 				err: caos_errs.IsPreconditionFailed,
 			},
 		},
-		{
-			name: "password policy not found, precondition error",
-			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-					expectFilter(
-						eventFromEventPusher(
-							org.NewOrgIAMPolicyAddedEvent(context.Background(),
-								&user.NewAggregate("user1", "org1").Aggregate,
-								true,
-							),
-						),
-					),
-					expectFilter(),
-					expectFilter(),
-				),
-				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
-			},
-			args: args{
-				ctx:   context.Background(),
-				orgID: "org1",
-				human: &domain.Human{
-					Username: "username",
-					Profile: &domain.Profile{
-						FirstName: "firstname",
-						LastName:  "lastname",
-					},
-					Email: &domain.Email{
-						EmailAddress: "email@test.ch",
-					},
-					Password: &domain.Password{
-						SecretString: "password",
-					},
-				},
-			},
-			res: res{
-				err: caos_errs.IsPreconditionFailed,
-			},
-		},
 		{
 			name: "add human (with password and initial code), ok",
 			fields: fields{
@ -854,7 +892,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgIAMPolicyAddedEvent(context.Background(),
-								&user.NewAggregate("user1", "org1").Aggregate,
+								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
 							),
 						),
@ -862,7 +900,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 					expectFilter(
 						eventFromEventPusher(
 							org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
-								&user.NewAggregate("user1", "org1").Aggregate,
+								&org.NewAggregate("org1", "org1").Aggregate,
 								1,
 								false,
 								false,
@ -941,7 +979,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgIAMPolicyAddedEvent(context.Background(),
-								&user.NewAggregate("user1", "org1").Aggregate,
+								&user.NewAggregate("org1", "org1").Aggregate,
 								true,
 							),
 						),
@ -949,7 +987,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 					expectFilter(
 						eventFromEventPusher(
 							org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
-								&user.NewAggregate("user1", "org1").Aggregate,
+								&org.NewAggregate("org1", "org1").Aggregate,
 								1,
 								false,
 								false,
@ -1022,7 +1060,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgIAMPolicyAddedEvent(context.Background(),
-								&user.NewAggregate("user1", "org1").Aggregate,
+								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
 							),
 						),
@ -1030,7 +1068,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 					expectFilter(
 						eventFromEventPusher(
 							org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
-								&user.NewAggregate("user1", "org1").Aggregate,
+								&org.NewAggregate("org1", "org1").Aggregate,
 								1,
 								false,
 								false,
@ -1125,7 +1163,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgIAMPolicyAddedEvent(context.Background(),
-								&user.NewAggregate("user1", "org1").Aggregate,
+								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
 							),
 						),
@ -1133,7 +1171,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 					expectFilter(
 						eventFromEventPusher(
 							org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
-								&user.NewAggregate("user1", "org1").Aggregate,
+								&org.NewAggregate("org1", "org1").Aggregate,
 								1,
 								false,
 								false,
--- a/internal/domain/application_oidc.go
+++ b/internal/domain/application_oidc.go
@ -113,10 +113,13 @@ const (
 )

 func (a *OIDCApp) IsValid() bool {
-	if a.AppName == "" || a.ClockSkew > time.Second*5 || a.ClockSkew < time.Second*0 {
+	if a.ClockSkew > time.Second*5 || a.ClockSkew < time.Second*0 {
 		return false
 	}
 	grantTypes := a.getRequiredGrantTypes()
+	if len(grantTypes) == 0 {
+		return false
+	}
 	for _, grantType := range grantTypes {
 		ok := containsOIDCGrantType(a.GrantTypes, grantType)
 		if !ok {
--- a/internal/domain/application_oidc_test.go
+++ b/internal/domain/application_oidc_test.go
@ -15,19 +15,6 @@ func TestApplicationValid(t *testing.T) {
 		args   args
 		result bool
 	}{
-		{
-			name: "no app name",
-			args: args{
-				app: &OIDCApp{
-					ObjectRoot:    models.ObjectRoot{AggregateID: "AggregateID"},
-					AppID:         "AppID",
-					AppName:       "",
-					ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode},
-					GrantTypes:    []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
-				},
-			},
-			result: false,
-		},
 		{
 			name: "invalid clock skew",
 			args: args{
--- a/internal/domain/object.go
+++ b/internal/domain/object.go
@ -4,6 +4,6 @@ import "time"

 type ObjectDetails struct {
 	Sequence      uint64
-	ChangeDate    time.Time
+	EventDate     time.Time
 	ResourceOwner string
 }
--- a/internal/iam/repository/view/password_age_policy_view.go
+++ b/internal/iam/repository/view/password_age_policy_view.go
@ -15,7 +15,7 @@ func GetPasswordAgePolicyByAggregateID(db *gorm.DB, table, aggregateID string) (
 	query := repository.PrepareGetByQuery(table, aggregateIDQuery)
 	err := query(db, policy)
 	if caos_errs.IsNotFound(err) {
-		return nil, caos_errs.ThrowNotFound(nil, "VIEW-Lso0cs", "Errors.IAM.PasswordAgePolicy.NotExisting")
+		return nil, caos_errs.ThrowNotFound(nil, "VIEW-6M9vs", "Errors.IAM.PasswordAgePolicy.NotExisting")
 	}
 	return policy, err
 }
--- a/internal/iam/repository/view/password_complexity_policy_view.go
+++ b/internal/iam/repository/view/password_complexity_policy_view.go
@ -15,7 +15,7 @@ func GetPasswordComplexityPolicyByAggregateID(db *gorm.DB, table, aggregateID st
 	query := repository.PrepareGetByQuery(table, aggregateIDQuery)
 	err := query(db, policy)
 	if caos_errs.IsNotFound(err) {
-		return nil, caos_errs.ThrowNotFound(nil, "VIEW-Lso0cs", "Errors.IAM.PasswordComplexityPolicy.NotExisting")
+		return nil, caos_errs.ThrowNotFound(nil, "VIEW-2N9fs", "Errors.IAM.PasswordComplexityPolicy.NotExisting")
 	}
 	return policy, err
 }
--- a/internal/iam/repository/view/password_lockout_policy_view.go
+++ b/internal/iam/repository/view/password_lockout_policy_view.go
@ -15,7 +15,7 @@ func GetPasswordLockoutPolicyByAggregateID(db *gorm.DB, table, aggregateID strin
 	query := repository.PrepareGetByQuery(table, aggregateIDQuery)
 	err := query(db, policy)
 	if caos_errs.IsNotFound(err) {
-		return nil, caos_errs.ThrowNotFound(nil, "VIEW-Lso0cs", "Errors.IAM.PasswordLockoutPolicy.NotExisting")
+		return nil, caos_errs.ThrowNotFound(nil, "VIEW-M9fsf", "Errors.IAM.PasswordLockoutPolicy.NotExisting")
 	}
 	return policy, err
 }
--- a/migrations/cockroach/V1.33__unique_tables.sql
+++ b/migrations/cockroach/V1.33__unique_tables.sql
@ -4,4 +4,4 @@ CREATE TABLE eventstore.unique_constraints (
 	PRIMARY KEY (unique_type, unique_field)
 );

-GRANT DELETE ON TABLE eventstore.unique_constraints to adminapi;
+GRANT DELETE ON TABLE eventstore.unique_constraints to eventstore;
--- a/pkg/grpc/management/app.go
+++ b/pkg/grpc/management/app.go
@ -0,0 +1,19 @@
+package management
+
+import "github.com/caos/zitadel/internal/api/grpc/server/middleware"
+
+func (a *AddOIDCAppResponse) Localizers() []middleware.Localizer {
+	if a == nil {
+		return nil
+	}
+
+	if !a.NoneCompliant {
+		return nil
+	}
+	localizers := make([]middleware.Localizer, len(a.ComplianceProblems))
+	for i, problem := range a.ComplianceProblems {
+		localizers[i] = problem
+	}
+	return localizers
+
+}
--- a/proto/zitadel/management.proto
+++ b/proto/zitadel/management.proto
@ -2810,7 +2810,7 @@ message ListUserGrantResponse {
 message AddUserGrantRequest {
    string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
    string project_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
-    string project_grant_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string project_grant_id = 3 [(validate.rules).string = {max_len: 200}];
    repeated string role_keys = 4;
 }