feat: delete (#243)

* feat: project role remove * feat: search queries * feat: search queries * feat: cascade remove/change project role * fix: comment in project grant * fix: remove projecr grant * fix: only search usergrants of my org * fix: delete usergrants * fix: delete usergrants * fix: check if role exists on project grant * feat: bulk add project role * fix: tests * fix: update user grants on project update * fix: return roles * feat: add resourceowner name on project grants * fix: migration number * fix: tests * fix: generate protos * fix: some unnecessary code
2025-08-11 21:47:32 +00:00 · 2020-06-19 15:32:03 +02:00
parent 8f49f2c2d8
commit 710652ef24
55 changed files with 4404 additions and 2668 deletions
--- a/internal/auth/repository/eventsourcing/handler/user_grant.go
+++ b/internal/auth/repository/eventsourcing/handler/user_grant.go
@@ -89,6 +89,7 @@ func (u *UserGrant) processUserGrant(event *models.Event) (err error) {
 		}
 		err = u.fillData(grant, event.ResourceOwner)
 	case grant_es_model.UserGrantChanged,
+		grant_es_model.UserGrantCascadeChanged,
 		grant_es_model.UserGrantDeactivated,
 		grant_es_model.UserGrantReactivated:
 		grant, err = u.view.UserGrantByID(event.AggregateID)
@@ -96,8 +97,8 @@ func (u *UserGrant) processUserGrant(event *models.Event) (err error) {
 			return err
 		}
 		err = grant.AppendEvent(event)
-	case grant_es_model.UserGrantRemoved:
-		err = u.view.DeleteUserGrant(event.AggregateID, event.Sequence)
+	case grant_es_model.UserGrantRemoved, grant_es_model.UserGrantCascadeRemoved:
+		return u.view.DeleteUserGrant(event.AggregateID, event.Sequence)
 	default:
 		return u.view.ProcessedUserGrantSequence(event.Sequence)
 	}
@@ -204,7 +205,6 @@ func (u *UserGrant) processIamMember(event *models.Event, rolePrefix string, suf
 			} else {
 				grant.RoleKeys = newRoles
 			}
-
 		}
 		grant.Sequence = event.Sequence
 		grant.ChangeDate = event.CreationDate
--- a/internal/authz/repository/eventsourcing/handler/user_grant.go
+++ b/internal/authz/repository/eventsourcing/handler/user_grant.go
@@ -123,7 +123,6 @@ func (u *UserGrant) processIamMember(event *models.Event, rolePrefix string, suf
 			} else {
 				grant.RoleKeys = newRoles
 			}
-
 		}
 		grant.Sequence = event.Sequence
 		grant.ChangeDate = event.CreationDate
--- a/internal/eventstore/sdk/sdk.go
+++ b/internal/eventstore/sdk/sdk.go
@@ -59,6 +59,9 @@ func PushAggregates(ctx context.Context, push pushFunc, appender appendFunc, agg
 	if err != nil {
 		return err
 	}
+	if appender == nil {
+		return nil
+	}

 	return appendAggregates(appender, aggregates)
 }
--- a/internal/management/repository/eventsourcing/eventstore/project.go
+++ b/internal/management/repository/eventsourcing/eventstore/project.go
@@ -2,6 +2,14 @@ package eventstore

 import (
 	"context"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	es_int "github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	es_sdk "github.com/caos/zitadel/internal/eventstore/sdk"
+	es_proj_model "github.com/caos/zitadel/internal/project/repository/eventsourcing/model"
+	usr_grant_model "github.com/caos/zitadel/internal/usergrant/model"
+	usr_grant_event "github.com/caos/zitadel/internal/usergrant/repository/eventsourcing"
 	"strings"

 	"github.com/caos/zitadel/internal/api/auth"
@@ -15,10 +23,12 @@ import (
 )

 type ProjectRepo struct {
-	SearchLimit   uint64
-	ProjectEvents *proj_event.ProjectEventstore
-	View          *view.View
-	Roles         []string
+	es_int.Eventstore
+	SearchLimit     uint64
+	ProjectEvents   *proj_event.ProjectEventstore
+	UserGrantEvents *usr_grant_event.UserGrantEventStore
+	View            *view.View
+	Roles           []string
 }

 func (repo *ProjectRepo) ProjectByID(ctx context.Context, id string) (project *proj_model.Project, err error) {
@@ -48,7 +58,7 @@ func (repo *ProjectRepo) SearchProjects(ctx context.Context, request *proj_model
 	permissions := auth.GetPermissionsFromCtx(ctx)
 	if !auth.HasGlobalPermission(permissions) {
 		ids := auth.GetPermissionCtxIDs(permissions)
-		request.Queries = append(request.Queries, &proj_model.ProjectViewSearchQuery{Key: proj_model.PROJECTSEARCHKEY_PROJECTID, Method: global_model.SEARCHMETHOD_IN, Value: ids})
+		request.Queries = append(request.Queries, &proj_model.ProjectViewSearchQuery{Key: proj_model.PROJECTSEARCHKEY_PROJECTID, Method: global_model.SEARCHMETHOD_IS_ONE_OF, Value: ids})
 	}

 	projects, count, err := repo.View.SearchProjects(request)
@@ -103,8 +113,13 @@ func (repo *ProjectRepo) SearchProjectMembers(ctx context.Context, request *proj
 	}, nil
 }

-func (repo *ProjectRepo) AddProjectRole(ctx context.Context, member *proj_model.ProjectRole) (*proj_model.ProjectRole, error) {
-	return repo.ProjectEvents.AddProjectRole(ctx, member)
+func (repo *ProjectRepo) AddProjectRole(ctx context.Context, role *proj_model.ProjectRole) (*proj_model.ProjectRole, error) {
+	return repo.ProjectEvents.AddProjectRoles(ctx, role)
+}
+
+func (repo *ProjectRepo) BulkAddProjectRole(ctx context.Context, roles []*proj_model.ProjectRole) error {
+	_, err := repo.ProjectEvents.AddProjectRoles(ctx, roles...)
+	return err
 }

 func (repo *ProjectRepo) ChangeProjectRole(ctx context.Context, member *proj_model.ProjectRole) (*proj_model.ProjectRole, error) {
@@ -112,8 +127,40 @@ func (repo *ProjectRepo) ChangeProjectRole(ctx context.Context, member *proj_mod
 }

 func (repo *ProjectRepo) RemoveProjectRole(ctx context.Context, projectID, key string) error {
-	member := proj_model.NewProjectRole(projectID, key)
-	return repo.ProjectEvents.RemoveProjectRole(ctx, member)
+	role := proj_model.NewProjectRole(projectID, key)
+	aggregates := make([]*es_models.Aggregate, 0)
+	project, agg, err := repo.ProjectEvents.PrepareRemoveProjectRole(ctx, role)
+	if err != nil {
+		return err
+	}
+	aggregates = append(aggregates, agg)
+
+	usergrants, err := repo.View.UserGrantsByProjectIDAndRoleKey(projectID, key)
+	if err != nil {
+		return err
+	}
+	for _, grant := range usergrants {
+		changed := &usr_grant_model.UserGrant{
+			ObjectRoot: models.ObjectRoot{AggregateID: grant.ID, Sequence: grant.Sequence, ResourceOwner: grant.ResourceOwner},
+			RoleKeys:   grant.RoleKeys,
+			ProjectID:  grant.ProjectID,
+			UserID:     grant.UserID,
+		}
+		changed.RemoveRoleKeyIfExisting(key)
+		_, agg, err := repo.UserGrantEvents.PrepareChangeUserGrant(ctx, changed, true)
+		if err != nil {
+			return err
+		}
+		aggregates = append(aggregates, agg)
+	}
+	if err != nil {
+		return err
+	}
+	err = es_sdk.PushAggregates(ctx, repo.Eventstore.PushAggregates, project.AppendEvents, aggregates...)
+	if err != nil {
+		return err
+	}
+	return nil
 }

 func (repo *ProjectRepo) SearchProjectRoles(ctx context.Context, request *proj_model.ProjectRoleSearchRequest) (*proj_model.ProjectRoleSearchResponse, error) {
@@ -211,25 +258,100 @@ func (repo *ProjectRepo) SearchProjectGrants(ctx context.Context, request *proj_
 	}, nil
 }

-func (repo *ProjectRepo) AddProjectGrant(ctx context.Context, app *proj_model.ProjectGrant) (*proj_model.ProjectGrant, error) {
-	return repo.ProjectEvents.AddProjectGrant(ctx, app)
+func (repo *ProjectRepo) AddProjectGrant(ctx context.Context, grant *proj_model.ProjectGrant) (*proj_model.ProjectGrant, error) {
+	return repo.ProjectEvents.AddProjectGrant(ctx, grant)
 }

-func (repo *ProjectRepo) ChangeProjectGrant(ctx context.Context, app *proj_model.ProjectGrant) (*proj_model.ProjectGrant, error) {
-	return repo.ProjectEvents.ChangeProjectGrant(ctx, app)
+func (repo *ProjectRepo) ChangeProjectGrant(ctx context.Context, grant *proj_model.ProjectGrant) (*proj_model.ProjectGrant, error) {
+	project, aggFunc, removedRoles, err := repo.ProjectEvents.PrepareChangeProjectGrant(ctx, grant)
+	if err != nil {
+		return nil, err
+	}
+	agg, err := aggFunc(ctx)
+	if err != nil {
+		return nil, err
+	}
+	aggregates := make([]*es_models.Aggregate, 0)
+	aggregates = append(aggregates, agg)
+
+	usergrants, err := repo.View.UserGrantsByProjectID(grant.AggregateID)
+	if err != nil {
+		return nil, err
+	}
+	for _, grant := range usergrants {
+		changed := &usr_grant_model.UserGrant{
+			ObjectRoot: models.ObjectRoot{AggregateID: grant.ID, Sequence: grant.Sequence, ResourceOwner: grant.ResourceOwner},
+			RoleKeys:   grant.RoleKeys,
+			ProjectID:  grant.ProjectID,
+			UserID:     grant.UserID,
+		}
+		existing := changed.RemoveRoleKeysIfExisting(removedRoles)
+		if existing {
+			_, agg, err := repo.UserGrantEvents.PrepareChangeUserGrant(ctx, changed, true)
+			if err != nil {
+				return nil, err
+			}
+			aggregates = append(aggregates, agg)
+		}
+	}
+	if err != nil {
+		return nil, err
+	}
+	err = es_sdk.PushAggregates(ctx, repo.Eventstore.PushAggregates, project.AppendEvents, aggregates...)
+	if err != nil {
+		return nil, err
+	}
+	if _, g := es_proj_model.GetProjectGrant(project.Grants, grant.GrantID); g != nil {
+		return es_proj_model.GrantToModel(g), nil
+	}
+	return nil, caos_errs.ThrowInternal(nil, "EVENT-dksi8", "Could not find app in list")
 }

-func (repo *ProjectRepo) DeactivateProjectGrant(ctx context.Context, projectID, appID string) (*proj_model.ProjectGrant, error) {
-	return repo.ProjectEvents.DeactivateProjectGrant(ctx, projectID, appID)
+func (repo *ProjectRepo) DeactivateProjectGrant(ctx context.Context, projectID, grantID string) (*proj_model.ProjectGrant, error) {
+	return repo.ProjectEvents.DeactivateProjectGrant(ctx, projectID, grantID)
 }

-func (repo *ProjectRepo) ReactivateProjectGrant(ctx context.Context, projectID, appID string) (*proj_model.ProjectGrant, error) {
-	return repo.ProjectEvents.ReactivateProjectGrant(ctx, projectID, appID)
+func (repo *ProjectRepo) ReactivateProjectGrant(ctx context.Context, projectID, grantID string) (*proj_model.ProjectGrant, error) {
+	return repo.ProjectEvents.ReactivateProjectGrant(ctx, projectID, grantID)
 }

-func (repo *ProjectRepo) RemoveProjectGrant(ctx context.Context, projectID, appID string) error {
-	app := proj_model.NewProjectGrant(projectID, appID)
-	return repo.ProjectEvents.RemoveProjectGrant(ctx, app)
+func (repo *ProjectRepo) RemoveProjectGrant(ctx context.Context, projectID, grantID string) error {
+	grant, err := repo.ProjectEvents.ProjectGrantByIDs(ctx, projectID, grantID)
+	if err != nil {
+		return err
+	}
+	aggregates := make([]*es_models.Aggregate, 0)
+	project, aggFunc, err := repo.ProjectEvents.PrepareRemoveProjectGrant(ctx, grant)
+	if err != nil {
+		return err
+	}
+	agg, err := aggFunc(ctx)
+	if err != nil {
+		return err
+	}
+	aggregates = append(aggregates, agg)
+
+	usergrants, err := repo.View.UserGrantsByOrgIDAndProjectID(grant.GrantedOrgID, projectID)
+	if err != nil {
+		return err
+	}
+	for _, grant := range usergrants {
+		_, grantAggregates, err := repo.UserGrantEvents.PrepareRemoveUserGrant(ctx, grant.ID, true)
+		if err != nil {
+			return err
+		}
+		for _, agg := range grantAggregates {
+			aggregates = append(aggregates, agg)
+		}
+	}
+	if err != nil {
+		return err
+	}
+	err = es_sdk.PushAggregates(ctx, repo.Eventstore.PushAggregates, project.AppendEvents, aggregates...)
+	if err != nil {
+		return err
+	}
+	return nil
 }

 func (repo *ProjectRepo) ProjectGrantMemberByID(ctx context.Context, projectID, grantID, userID string) (member *proj_model.ProjectGrantMember, err error) {
--- a/internal/management/repository/eventsourcing/eventstore/user_grant.go
+++ b/internal/management/repository/eventsourcing/eventstore/user_grant.go
@@ -38,6 +38,18 @@ func (repo *UserGrantRepo) RemoveUserGrant(ctx context.Context, grantID string)
 	return repo.UserGrantEvents.RemoveUserGrant(ctx, grantID)
 }

+func (repo *UserGrantRepo) BulkAddUserGrant(ctx context.Context, grants ...*grant_model.UserGrant) error {
+	return repo.UserGrantEvents.AddUserGrants(ctx, grants...)
+}
+
+func (repo *UserGrantRepo) BulkChangeUserGrant(ctx context.Context, grants ...*grant_model.UserGrant) error {
+	return repo.UserGrantEvents.ChangeUserGrants(ctx, grants...)
+}
+
+func (repo *UserGrantRepo) BulkRemoveUserGrant(ctx context.Context, grantIDs ...string) error {
+	return repo.UserGrantEvents.RemoveUserGrants(ctx, grantIDs...)
+}
+
 func (repo *UserGrantRepo) SearchUserGrants(ctx context.Context, request *grant_model.UserGrantSearchRequest) (*grant_model.UserGrantSearchResponse, error) {
 	request.EnsureLimit(repo.SearchLimit)
 	grants, count, err := repo.View.SearchUserGrants(request)
--- a/internal/management/repository/eventsourcing/handler/project_grant.go
+++ b/internal/management/repository/eventsourcing/handler/project_grant.go
@@ -66,8 +66,12 @@ func (p *ProjectGrant) Process(event *models.Event) (err error) {
 		if err != nil {
 			return err
 		}
-		p.fillOrgData(grantedProject, org)
-	case es_model.ProjectGrantChanged:
+		resourceOwner, err := p.orgEvents.OrgByID(context.TODO(), org_model.NewOrg(grantedProject.ResourceOwner))
+		if err != nil {
+			return err
+		}
+		p.fillOrgData(grantedProject, org, resourceOwner)
+	case es_model.ProjectGrantChanged, es_model.ProjectGrantCascadeChanged:
 		grant := new(view_model.ProjectGrant)
 		err := grant.SetData(event)
 		if err != nil {
@@ -94,8 +98,9 @@ func (p *ProjectGrant) Process(event *models.Event) (err error) {
 	return p.view.PutProjectGrant(grantedProject)
 }

-func (p *ProjectGrant) fillOrgData(grantedProject *view_model.ProjectGrantView, org *org_model.Org) {
+func (p *ProjectGrant) fillOrgData(grantedProject *view_model.ProjectGrantView, org, resourceOwner *org_model.Org) {
 	grantedProject.OrgName = org.Name
+	grantedProject.ResourceOwnerName = resourceOwner.Name
 }

 func (p *ProjectGrant) getProject(projectID string) (*proj_model.Project, error) {
--- a/internal/management/repository/eventsourcing/handler/project_role.go
+++ b/internal/management/repository/eventsourcing/handler/project_role.go
@@ -56,7 +56,7 @@ func (p *ProjectRole) Process(event *models.Event) (err error) {
 		if err != nil {
 			return err
 		}
-		err = p.removeRoleFromAllResourceowners(event, role)
+		return p.view.DeleteProjectRole(event.AggregateID, event.ResourceOwner, role.Key, event.Sequence)
 	case es_model.ProjectGrantAdded:
 		return p.addGrantRoles(event)
 	case es_model.ProjectGrantChanged:
--- a/internal/management/repository/eventsourcing/handler/user_grant.go
+++ b/internal/management/repository/eventsourcing/handler/user_grant.go
@@ -73,6 +73,7 @@ func (u *UserGrant) processUserGrant(event *models.Event) (err error) {
 		}
 		err = u.fillData(grant, event.ResourceOwner)
 	case grant_es_model.UserGrantChanged,
+		grant_es_model.UserGrantCascadeChanged,
 		grant_es_model.UserGrantDeactivated,
 		grant_es_model.UserGrantReactivated:
 		grant, err = u.view.UserGrantByID(event.AggregateID)
@@ -80,8 +81,8 @@ func (u *UserGrant) processUserGrant(event *models.Event) (err error) {
 			return err
 		}
 		err = grant.AppendEvent(event)
-	case grant_es_model.UserGrantRemoved:
-		err = u.view.DeleteUserGrant(event.AggregateID, event.Sequence)
+	case grant_es_model.UserGrantRemoved, grant_es_model.UserGrantCascadeRemoved:
+		return u.view.DeleteUserGrant(event.AggregateID, event.Sequence)
 	default:
 		return u.view.ProcessedUserGrantSequence(event.Sequence)
 	}
--- a/internal/management/repository/eventsourcing/repository.go
+++ b/internal/management/repository/eventsourcing/repository.go
@@ -96,7 +96,7 @@ func Start(conf Config, systemDefaults sd.SystemDefaults, roles []string) (*EsRe
 	return &EsRepository{
 		spooler:       spool,
 		OrgRepository: eventstore.OrgRepository{conf.SearchLimit, org, view, roles},
-		ProjectRepo:   eventstore.ProjectRepo{conf.SearchLimit, project, view, roles},
+		ProjectRepo:   eventstore.ProjectRepo{es, conf.SearchLimit, project, usergrant, view, roles},
 		UserRepo:      eventstore.UserRepo{conf.SearchLimit, user, policy, org, view},
 		UserGrantRepo: eventstore.UserGrantRepo{conf.SearchLimit, usergrant, view},
 		PolicyRepo:    eventstore.PolicyRepo{policy},
--- a/internal/management/repository/eventsourcing/view/project_grant.go
+++ b/internal/management/repository/eventsourcing/view/project_grant.go
@@ -23,6 +23,10 @@ func (v *View) ProjectGrantsByProjectID(projectID string) ([]*model.ProjectGrant
 	return view.ProjectGrantsByProjectID(v.Db, grantedProjectTable, projectID)
 }

+func (v *View) ProjectGrantsByProjectIDAndRoleKey(projectID, key string) ([]*model.ProjectGrantView, error) {
+	return view.ProjectGrantsByProjectIDAndRoleKey(v.Db, grantedProjectTable, projectID, key)
+}
+
 func (v *View) SearchProjectGrants(request *proj_model.ProjectGrantViewSearchRequest) ([]*model.ProjectGrantView, int, error) {
 	return view.SearchProjectGrants(v.Db, grantedProjectTable, request)
 }
@@ -38,7 +42,7 @@ func (v *View) PutProjectGrant(project *model.ProjectGrantView) error {
 func (v *View) DeleteProjectGrant(grantID string, eventSequence uint64) error {
 	err := view.DeleteProjectGrant(v.Db, grantedProjectTable, grantID)
 	if err != nil {
-		return nil
+		return err
 	}
 	return v.ProcessedProjectGrantSequence(eventSequence)
 }
--- a/internal/management/repository/eventsourcing/view/user_grant.go
+++ b/internal/management/repository/eventsourcing/view/user_grant.go
@@ -31,6 +31,14 @@ func (v *View) UserGrantsByOrgID(orgID string) ([]*model.UserGrantView, error) {
 	return view.UserGrantsByOrgID(v.Db, userGrantTable, orgID)
 }

+func (v *View) UserGrantsByProjectIDAndRoleKey(projectID, roleKey string) ([]*model.UserGrantView, error) {
+	return view.UserGrantsByProjectIDAndRole(v.Db, userGrantTable, projectID, roleKey)
+}
+
+func (v *View) UserGrantsByOrgIDAndProjectID(orgID, projectID string) ([]*model.UserGrantView, error) {
+	return view.UserGrantsByOrgIDAndProjectID(v.Db, userGrantTable, orgID, projectID)
+}
+
 func (v *View) PutUserGrant(grant *model.UserGrantView, sequence uint64) error {
 	err := view.PutUserGrant(v.Db, userGrantTable, grant)
 	if err != nil {
--- a/internal/management/repository/project.go
+++ b/internal/management/repository/project.go
@@ -28,6 +28,7 @@ type ProjectRepository interface {
 	RemoveProjectRole(ctx context.Context, projectID, key string) error
 	SearchProjectRoles(ctx context.Context, request *model.ProjectRoleSearchRequest) (*model.ProjectRoleSearchResponse, error)
 	ProjectChanges(ctx context.Context, id string, lastSequence uint64, limit uint64) (*model.ProjectChanges, error)
+	BulkAddProjectRole(ctx context.Context, role []*model.ProjectRole) error

 	ApplicationByID(ctx context.Context, projectID, appID string) (*model.Application, error)
 	AddApplication(ctx context.Context, app *model.Application) (*model.Application, error)
@@ -41,8 +42,8 @@ type ProjectRepository interface {
 	ApplicationChanges(ctx context.Context, id string, secId string, lastSequence uint64, limit uint64) (*model.ApplicationChanges, error)

 	ProjectGrantByID(ctx context.Context, projectID, grantID string) (*model.ProjectGrant, error)
-	AddProjectGrant(ctx context.Context, app *model.ProjectGrant) (*model.ProjectGrant, error)
-	ChangeProjectGrant(ctx context.Context, app *model.ProjectGrant) (*model.ProjectGrant, error)
+	AddProjectGrant(ctx context.Context, grant *model.ProjectGrant) (*model.ProjectGrant, error)
+	ChangeProjectGrant(ctx context.Context, grant *model.ProjectGrant) (*model.ProjectGrant, error)
 	DeactivateProjectGrant(ctx context.Context, projectID, grantID string) (*model.ProjectGrant, error)
 	ReactivateProjectGrant(ctx context.Context, projectID, grantID string) (*model.ProjectGrant, error)
 	RemoveProjectGrant(ctx context.Context, projectID, grantID string) error
--- a/internal/management/repository/user_grant.go
+++ b/internal/management/repository/user_grant.go
@@ -13,4 +13,8 @@ type UserGrantRepository interface {
 	ReactivateUserGrant(ctx context.Context, grantID string) (*model.UserGrant, error)
 	RemoveUserGrant(ctx context.Context, grantID string) error
 	SearchUserGrants(ctx context.Context, request *model.UserGrantSearchRequest) (*model.UserGrantSearchResponse, error)
+
+	BulkAddUserGrant(ctx context.Context, grant ...*model.UserGrant) error
+	BulkChangeUserGrant(ctx context.Context, grant ...*model.UserGrant) error
+	BulkRemoveUserGrant(ctx context.Context, grantIDs ...string) error
 }
--- a/internal/model/search_method.go
+++ b/internal/model/search_method.go
@@ -12,6 +12,6 @@ const (
 	SEARCHMETHOD_NOT_EQUALS
 	SEARCHMETHOD_GREATER_THAN
 	SEARCHMETHOD_LESS_THAN
-	SEARCHMETHOD_IN
-	SEARCHMETHOD_EQUALS_IN_ARRAY
+	SEARCHMETHOD_IS_ONE_OF
+	SEARCHMETHOD_LIST_CONTAINS
 )
--- a/internal/project/model/project_grant.go
+++ b/internal/project/model/project_grant.go
@@ -14,6 +14,11 @@ type ProjectGrant struct {
 	Members      []*ProjectGrantMember
 }

+type ProjectGrantIDs struct {
+	ProjectID string
+	GrantID   string
+}
+
 type ProjectGrantState int32

 const (
@@ -41,3 +46,22 @@ func (p *ProjectGrant) GetMember(userID string) (int, *ProjectGrantMember) {
 	}
 	return -1, nil
 }
+
+func (p *ProjectGrant) GetRemovedRoles(roleKeys []string) []string {
+	removed := make([]string, 0)
+	for _, role := range p.RoleKeys {
+		if !containsKey(roleKeys, role) {
+			removed = append(removed, role)
+		}
+	}
+	return removed
+}
+
+func containsKey(roles []string, key string) bool {
+	for _, role := range roles {
+		if role == key {
+			return true
+		}
+	}
+	return false
+}
--- a/internal/project/model/project_grant_view.go
+++ b/internal/project/model/project_grant_view.go
@@ -6,18 +6,19 @@ import (
 )

 type ProjectGrantView struct {
-	ProjectID       string
-	Name            string
-	CreationDate    time.Time
-	ChangeDate      time.Time
-	State           ProjectState
-	ResourceOwner   string
-	OrgID           string
-	OrgName         string
-	OrgDomain       string
-	Sequence        uint64
-	GrantID         string
-	GrantedRoleKeys []string
+	ProjectID         string
+	Name              string
+	CreationDate      time.Time
+	ChangeDate        time.Time
+	State             ProjectState
+	ResourceOwner     string
+	ResourceOwnerName string
+	OrgID             string
+	OrgName           string
+	OrgDomain         string
+	Sequence          uint64
+	GrantID           string
+	GrantedRoleKeys   []string
 }

 type ProjectGrantViewSearchRequest struct {
@@ -37,6 +38,7 @@ const (
 	GRANTEDPROJECTSEARCHKEY_GRANTID
 	GRANTEDPROJECTSEARCHKEY_ORGID
 	GRANTEDPROJECTSEARCHKEY_RESOURCE_OWNER
+	GRANTEDPROJECTSEARCHKEY_ROLE_KEYS
 )

 type ProjectGrantViewSearchQuery struct {
--- a/internal/project/repository/eventsourcing/eventstore.go
+++ b/internal/project/repository/eventsourcing/eventstore.go
@@ -248,28 +248,37 @@ func (es *ProjectEventstore) RemoveProjectMember(ctx context.Context, member *pr
 	return err
 }

-func (es *ProjectEventstore) AddProjectRole(ctx context.Context, role *proj_model.ProjectRole) (*proj_model.ProjectRole, error) {
-	if !role.IsValid() {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-idue3", "Key is required")
+func (es *ProjectEventstore) AddProjectRoles(ctx context.Context, roles ...*proj_model.ProjectRole) (*proj_model.ProjectRole, error) {
+	if roles == nil || len(roles) == 0 {
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-idue3", "must be at least one role")
 	}
-	existing, err := es.ProjectByID(ctx, role.AggregateID)
+	for _, role := range roles {
+		if !role.IsValid() {
+			return nil, caos_errs.ThrowPreconditionFailedf(nil, "EVENT-idue3", "role is invalid %v", role)
+		}
+	}
+	existing, err := es.ProjectByID(ctx, roles[0].AggregateID)
 	if err != nil {
 		return nil, err
 	}
-	if existing.ContainsRole(role) {
-		return nil, caos_errs.ThrowAlreadyExists(nil, "EVENT-sk35t", "Project contains role with same key")
+	for _, role := range roles {
+		if existing.ContainsRole(role) {
+			return nil, caos_errs.ThrowAlreadyExists(nil, "EVENT-sk35t", "Project contains role with same key")
+		}
 	}
+
 	repoProject := model.ProjectFromModel(existing)
-	repoRole := model.ProjectRoleFromModel(role)
-	projectAggregate := ProjectRoleAddedAggregate(es.Eventstore.AggregateCreator(), repoProject, repoRole)
+	repoRoles := model.ProjectRolesFromModel(roles)
+	projectAggregate := ProjectRoleAddedAggregate(es.Eventstore.AggregateCreator(), repoProject, repoRoles...)
 	err = es_sdk.Push(ctx, es.PushAggregates, repoProject.AppendEvents, projectAggregate)
 	if err != nil {
 		return nil, err
 	}
-
+	if len(repoRoles) > 1 {
+		return nil, nil
+	}
 	es.projectCache.cacheProject(repoProject)
-
-	if _, r := model.GetProjectRole(repoProject.Roles, role.Key); r != nil {
+	if _, r := model.GetProjectRole(repoProject.Roles, repoRoles[0].Key); r != nil {
 		return model.ProjectRoleToModel(r), nil
 	}
 	return nil, caos_errs.ThrowInternal(nil, "EVENT-sie83", "Could not find role in list")
@@ -302,25 +311,52 @@ func (es *ProjectEventstore) ChangeProjectRole(ctx context.Context, role *proj_m
 	return nil, caos_errs.ThrowInternal(nil, "EVENT-sl1or", "Could not find role in list")
 }

-func (es *ProjectEventstore) RemoveProjectRole(ctx context.Context, role *proj_model.ProjectRole) error {
+func (es *ProjectEventstore) PrepareRemoveProjectRole(ctx context.Context, role *proj_model.ProjectRole) (*model.Project, *es_models.Aggregate, error) {
 	if role.Key == "" {
-		return caos_errs.ThrowPreconditionFailed(nil, "EVENT-id823", "Key is required")
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-id823", "Key is required")
 	}
 	existing, err := es.ProjectByID(ctx, role.AggregateID)
 	if err != nil {
-		return err
+		return nil, nil, err
 	}
 	if !existing.ContainsRole(role) {
-		return caos_errs.ThrowPreconditionFailed(nil, "EVENT-oe823", "Role doesn't exist on project")
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-oe823", "Role doesn't exist on project")
 	}
 	repoProject := model.ProjectFromModel(existing)
 	repoRole := model.ProjectRoleFromModel(role)
-	projectAggregate := ProjectRoleRemovedAggregate(es.Eventstore.AggregateCreator(), repoProject, repoRole)
-	err = es_sdk.Push(ctx, es.PushAggregates, repoProject.AppendEvents, projectAggregate)
+	grants := es.RemoveRoleFromGrants(repoProject, role.Key)
+	projectAggregate, err := ProjectRoleRemovedAggregate(ctx, es.Eventstore.AggregateCreator(), repoProject, repoRole, grants)
+	if err != nil {
+		return nil, nil, err
+	}
+	return repoProject, projectAggregate, nil
+}
+
+func (es *ProjectEventstore) RemoveRoleFromGrants(existing *model.Project, roleKey string) []*model.ProjectGrant {
+	grants := make([]*model.ProjectGrant, 0)
+	for _, grant := range existing.Grants {
+		for i, role := range grant.RoleKeys {
+			if role == roleKey {
+				grant.RoleKeys[i] = grant.RoleKeys[len(grant.RoleKeys)-1]
+				grant.RoleKeys[len(grant.RoleKeys)-1] = ""
+				grant.RoleKeys = grant.RoleKeys[:len(grant.RoleKeys)-1]
+				grants = append(grants, grant)
+			}
+		}
+	}
+	return grants
+}
+
+func (es *ProjectEventstore) RemoveProjectRole(ctx context.Context, role *proj_model.ProjectRole) error {
+	project, aggregate, err := es.PrepareRemoveProjectRole(ctx, role)
 	if err != nil {
 		return err
 	}
-	es.projectCache.cacheProject(repoProject)
+	err = es_sdk.PushAggregates(ctx, es.PushAggregates, project.AppendEvents, aggregate)
+	if err != nil {
+		return err
+	}
+	es.projectCache.cacheProject(project)
 	return nil
 }

@@ -766,50 +802,34 @@ func (es *ProjectEventstore) AddProjectGrant(ctx context.Context, grant *proj_mo
 	return nil, caos_errs.ThrowInternal(nil, "EVENT-sk3t5", "Could not find grant in list")
 }

-func (es *ProjectEventstore) ChangeProjectGrant(ctx context.Context, grant *proj_model.ProjectGrant) (*proj_model.ProjectGrant, error) {
+func (es *ProjectEventstore) PrepareChangeProjectGrant(ctx context.Context, grant *proj_model.ProjectGrant) (*model.Project, func(ctx context.Context) (*es_models.Aggregate, error), []string, error) {
 	if grant == nil && grant.GrantID == "" {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-8sie3", "invalid grant")
+		return nil, nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-8sie3", "invalid grant")
 	}
 	existing, err := es.ProjectByID(ctx, grant.AggregateID)
 	if err != nil {
-		return nil, err
+		return nil, nil, nil, err
 	}
-	if _, g := existing.GetGrant(grant.GrantID); g == nil {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-die83", "Grant not existing on project")
+	_, existingGrant := existing.GetGrant(grant.GrantID)
+	if existingGrant == nil {
+		return nil, nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-die83", "Grant not existing on project")
 	}
 	if !existing.ContainsRoles(grant.RoleKeys) {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-di83d", "One role doesnt exist in Project")
+		return nil, nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-di83d", "One role doesnt exist in Project")
 	}
+	removedRoles := existingGrant.GetRemovedRoles(grant.RoleKeys)
 	repoProject := model.ProjectFromModel(existing)
 	repoGrant := model.GrantFromModel(grant)

 	projectAggregate := ProjectGrantChangedAggregate(es.Eventstore.AggregateCreator(), repoProject, repoGrant)
-	err = es_sdk.Push(ctx, es.PushAggregates, repoProject.AppendEvents, projectAggregate)
-	if err != nil {
-		return nil, err
-	}
-	es.projectCache.cacheProject(repoProject)
-
-	if _, g := model.GetProjectGrant(repoProject.Grants, grant.GrantID); g != nil {
-		return model.GrantToModel(g), nil
-	}
-	return nil, caos_errs.ThrowInternal(nil, "EVENT-dksi8", "Could not find app in list")
+	return repoProject, projectAggregate, removedRoles, nil
 }

 func (es *ProjectEventstore) RemoveProjectGrant(ctx context.Context, grant *proj_model.ProjectGrant) error {
-	if grant.GrantID == "" {
-		return caos_errs.ThrowPreconditionFailed(nil, "EVENT-8eud6", "GrantId is required")
-	}
-	existing, err := es.ProjectByID(ctx, grant.AggregateID)
+	repoProject, projectAggregate, err := es.PrepareRemoveProjectGrant(ctx, grant)
 	if err != nil {
 		return err
 	}
-	if _, g := existing.GetGrant(grant.GrantID); g == nil {
-		return caos_errs.ThrowPreconditionFailed(nil, "EVENT-9ie3s", "Grant doesn't exist on project")
-	}
-	repoProject := model.ProjectFromModel(existing)
-	grantRepo := model.GrantFromModel(grant)
-	projectAggregate := ProjectGrantRemovedAggregate(es.Eventstore.AggregateCreator(), repoProject, grantRepo)
 	err = es_sdk.Push(ctx, es.PushAggregates, repoProject.AppendEvents, projectAggregate)
 	if err != nil {
 		return err
@@ -818,6 +838,39 @@ func (es *ProjectEventstore) RemoveProjectGrant(ctx context.Context, grant *proj
 	return nil
 }

+func (es *ProjectEventstore) RemoveProjectGrants(ctx context.Context, grants ...*proj_model.ProjectGrant) error {
+	aggregates := make([]*es_models.Aggregate, len(grants))
+	for i, grant := range grants {
+		_, projectAggregate, err := es.PrepareRemoveProjectGrant(ctx, grant)
+		if err != nil {
+			return err
+		}
+		agg, err := projectAggregate(ctx)
+		if err != nil {
+			return err
+		}
+		aggregates[i] = agg
+	}
+	return es_sdk.PushAggregates(ctx, es.PushAggregates, nil, aggregates...)
+}
+
+func (es *ProjectEventstore) PrepareRemoveProjectGrant(ctx context.Context, grant *proj_model.ProjectGrant) (*model.Project, func(ctx context.Context) (*es_models.Aggregate, error), error) {
+	if grant.GrantID == "" {
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-8eud6", "GrantId is required")
+	}
+	existing, err := es.ProjectByID(ctx, grant.AggregateID)
+	if err != nil {
+		return nil, nil, err
+	}
+	if _, g := existing.GetGrant(grant.GrantID); g == nil {
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-9ie3s", "Grant doesn't exist on project")
+	}
+	repoProject := model.ProjectFromModel(existing)
+	grantRepo := model.GrantFromModel(grant)
+	projectAggregate := ProjectGrantRemovedAggregate(es.Eventstore.AggregateCreator(), repoProject, grantRepo)
+	return repoProject, projectAggregate, nil
+}
+
 func (es *ProjectEventstore) DeactivateProjectGrant(ctx context.Context, projectID, grantID string) (*proj_model.ProjectGrant, error) {
 	if grantID == "" {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-7due2", "grantID missing")
--- a/internal/project/repository/eventsourcing/eventstore_test.go
+++ b/internal/project/repository/eventsourcing/eventstore_test.go
@@ -3,7 +3,6 @@ package eventsourcing
 import (
 	"context"
 	"encoding/json"
-	"reflect"
 	"testing"

 	"github.com/caos/zitadel/internal/api/auth"
@@ -707,9 +706,9 @@ func TestRemoveProjectMember(t *testing.T) {
 func TestAddProjectRole(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	type args struct {
-		es   *ProjectEventstore
-		ctx  context.Context
-		role *model.ProjectRole
+		es    *ProjectEventstore
+		ctx   context.Context
+		roles []*model.ProjectRole
 	}
 	type res struct {
 		result  *model.ProjectRole
@@ -724,9 +723,9 @@ func TestAddProjectRole(t *testing.T) {
 		{
 			name: "add project role, ok",
 			args: args{
-				es:   GetMockManipulateProject(ctrl),
-				ctx:  auth.NewMockContext("orgID", "userID"),
-				role: &model.ProjectRole{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 1}, Key: "Key", DisplayName: "DisplayName", Group: "Group"},
+				es:    GetMockManipulateProject(ctrl),
+				ctx:   auth.NewMockContext("orgID", "userID"),
+				roles: []*model.ProjectRole{&model.ProjectRole{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 1}, Key: "Key", DisplayName: "DisplayName", Group: "Group"}},
 			},
 			res: res{
 				result: &model.ProjectRole{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 1}, Key: "Key", DisplayName: "DisplayName", Group: "Group"},
@@ -735,9 +734,9 @@ func TestAddProjectRole(t *testing.T) {
 		{
 			name: "no key",
 			args: args{
-				es:   GetMockManipulateProject(ctrl),
-				ctx:  auth.NewMockContext("orgID", "userID"),
-				role: &model.ProjectRole{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 1}, DisplayName: "DisplayName", Group: "Group"},
+				es:    GetMockManipulateProject(ctrl),
+				ctx:   auth.NewMockContext("orgID", "userID"),
+				roles: []*model.ProjectRole{&model.ProjectRole{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 1}, DisplayName: "DisplayName", Group: "Group"}},
 			},
 			res: res{
 				wantErr: true,
@@ -747,9 +746,9 @@ func TestAddProjectRole(t *testing.T) {
 		{
 			name: "role already existing",
 			args: args{
-				es:   GetMockManipulateProjectWithRole(ctrl),
-				ctx:  auth.NewMockContext("orgID", "userID"),
-				role: &model.ProjectRole{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 1}, Key: "Key", DisplayName: "DisplayName", Group: "Group"},
+				es:    GetMockManipulateProjectWithRole(ctrl),
+				ctx:   auth.NewMockContext("orgID", "userID"),
+				roles: []*model.ProjectRole{&model.ProjectRole{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 1}, Key: "Key", DisplayName: "DisplayName", Group: "Group"}},
 			},
 			res: res{
 				wantErr: true,
@@ -759,9 +758,9 @@ func TestAddProjectRole(t *testing.T) {
 		{
 			name: "existing project not found",
 			args: args{
-				es:   GetMockManipulateProjectNoEvents(ctrl),
-				ctx:  auth.NewMockContext("orgID", "userID"),
-				role: &model.ProjectRole{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 1}, Key: "Key", DisplayName: "DisplayName", Group: "Group"},
+				es:    GetMockManipulateProjectNoEvents(ctrl),
+				ctx:   auth.NewMockContext("orgID", "userID"),
+				roles: []*model.ProjectRole{&model.ProjectRole{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 1}, Key: "Key", DisplayName: "DisplayName", Group: "Group"}},
 			},
 			res: res{
 				wantErr: true,
@@ -771,7 +770,7 @@ func TestAddProjectRole(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result, err := tt.args.es.AddProjectRole(tt.args.ctx, tt.args.role)
+			result, err := tt.args.es.AddProjectRoles(tt.args.ctx, tt.args.roles...)

 			if !tt.res.wantErr && result.AggregateID == "" {
 				t.Errorf("result has no id")
@@ -1950,126 +1949,6 @@ func TestAddProjectGrant(t *testing.T) {
 	}
 }

-func TestChangeProjectGrant(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	type args struct {
-		es    *ProjectEventstore
-		ctx   context.Context
-		grant *model.ProjectGrant
-	}
-	type res struct {
-		result  *model.ProjectGrant
-		wantErr bool
-		errFunc func(err error) bool
-	}
-	tests := []struct {
-		name string
-		args args
-		res  res
-	}{
-		{
-			name: "change grant, ok",
-			args: args{
-				es:  GetMockManipulateProjectWithGrantExistingRole(ctrl),
-				ctx: auth.NewMockContext("orgID", "userID"),
-				grant: &model.ProjectGrant{ObjectRoot: es_models.ObjectRoot{AggregateID: "ID", Sequence: 1},
-					GrantID:      "GrantID",
-					GrantedOrgID: "GrantedOrgID",
-					RoleKeys:     []string{"KeyChanged"},
-				},
-			},
-			res: res{
-				result: &model.ProjectGrant{ObjectRoot: es_models.ObjectRoot{AggregateID: "ID", Sequence: 1},
-					GrantID:      "GrantID",
-					GrantedOrgID: "GrantedOrgID",
-					RoleKeys:     []string{"KeyChanged"},
-				},
-			},
-		},
-		{
-			name: "invalid grant",
-			args: args{
-				es:  GetMockManipulateProject(ctrl),
-				ctx: auth.NewMockContext("orgID", "userID"),
-				grant: &model.ProjectGrant{ObjectRoot: es_models.ObjectRoot{AggregateID: "ID", Sequence: 1},
-					GrantID:  "GrantID",
-					RoleKeys: []string{"KeyChanged"},
-				},
-			},
-			res: res{
-				wantErr: true,
-				errFunc: caos_errs.IsPreconditionFailed,
-			},
-		},
-		{
-			name: "grant not existing",
-			args: args{
-				es:  GetMockManipulateProject(ctrl),
-				ctx: auth.NewMockContext("orgID", "userID"),
-				grant: &model.ProjectGrant{ObjectRoot: es_models.ObjectRoot{AggregateID: "ID", Sequence: 1},
-					GrantID:      "GrantID",
-					GrantedOrgID: "GrantedOrgID",
-					RoleKeys:     []string{"KeyChanged"},
-				},
-			},
-			res: res{
-				wantErr: true,
-				errFunc: caos_errs.IsPreconditionFailed,
-			},
-		},
-		{
-			name: "role not existing",
-			args: args{
-				es:  GetMockManipulateProjectWithGrant(ctrl),
-				ctx: auth.NewMockContext("orgID", "userID"),
-				grant: &model.ProjectGrant{ObjectRoot: es_models.ObjectRoot{AggregateID: "ID", Sequence: 1},
-					GrantID:      "GrantID",
-					GrantedOrgID: "GrantedOrgID",
-					RoleKeys:     []string{"KeyChanged"},
-				},
-			},
-			res: res{
-				wantErr: true,
-				errFunc: caos_errs.IsPreconditionFailed,
-			},
-		},
-		{
-			name: "existing project not found",
-			args: args{
-				es:  GetMockManipulateProjectNoEvents(ctrl),
-				ctx: auth.NewMockContext("orgID", "userID"),
-				grant: &model.ProjectGrant{ObjectRoot: es_models.ObjectRoot{AggregateID: "ID", Sequence: 1},
-					GrantID:      "GrantID",
-					GrantedOrgID: "GrantedOrgID",
-					RoleKeys:     []string{"KeyChanged"},
-				},
-			},
-			res: res{
-				wantErr: true,
-				errFunc: caos_errs.IsNotFound,
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result, err := tt.args.es.ChangeProjectGrant(tt.args.ctx, tt.args.grant)
-
-			if !tt.res.wantErr && result.AggregateID == "" {
-				t.Errorf("result has no id")
-			}
-			if !tt.res.wantErr && result.GrantID != tt.res.result.GrantID {
-				t.Errorf("got wrong result GrantID: expected: %v, actual: %v ", tt.res.result.GrantID, result.GrantID)
-			}
-			if !tt.res.wantErr && !reflect.DeepEqual(result.RoleKeys, tt.res.result.RoleKeys) {
-				t.Errorf("got wrong result name: expected: %v, actual: %v ", tt.res.result.RoleKeys, result.GrantID)
-			}
-			if tt.res.wantErr && !tt.res.errFunc(err) {
-				t.Errorf("got wrong err: %v ", err)
-			}
-		})
-	}
-}
-
 func TestRemoveProjectGrant(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	type args struct {
--- a/internal/project/repository/eventsourcing/model/project.go
+++ b/internal/project/repository/eventsourcing/model/project.go
@@ -127,7 +127,7 @@ func (p *Project) AppendEvent(event *es_models.Event) error {
 		return p.appendChangeOIDCConfigEvent(event)
 	case ProjectGrantAdded:
 		return p.appendAddGrantEvent(event)
-	case ProjectGrantChanged:
+	case ProjectGrantChanged, ProjectGrantCascadeChanged:
 		return p.appendChangeGrantEvent(event)
 	case ProjectGrantDeactivated:
 		return p.appendGrantStateEvent(event, model.PROJECTGRANTSTATE_INACTIVE)
--- a/internal/project/repository/eventsourcing/model/project_grant.go
+++ b/internal/project/repository/eventsourcing/model/project_grant.go
@@ -31,9 +31,9 @@ func GetProjectGrant(grants []*ProjectGrant, id string) (int, *ProjectGrant) {
 	return -1, nil
 }

-func GetProjectGrantByResourceOwner(grants []*ProjectGrant, resourceOwner string) (int, *ProjectGrant) {
+func GetProjectGrantByOrgID(grants []*ProjectGrant, resourceOwner string) (int, *ProjectGrant) {
 	for i, g := range grants {
-		if g.ResourceOwner == resourceOwner {
+		if g.GrantedOrgID == resourceOwner {
 			return i, g
 		}
 	}
--- a/internal/project/repository/eventsourcing/model/types.go
+++ b/internal/project/repository/eventsourcing/model/types.go
@@ -19,11 +19,12 @@ const (
 	ProjectRoleChanged models.EventType = "project.role.changed"
 	ProjectRoleRemoved models.EventType = "project.role.removed"

-	ProjectGrantAdded       models.EventType = "project.grant.added"
-	ProjectGrantChanged     models.EventType = "project.grant.changed"
-	ProjectGrantRemoved     models.EventType = "project.grant.removed"
-	ProjectGrantDeactivated models.EventType = "project.grant.deactivated"
-	ProjectGrantReactivated models.EventType = "project.grant.reactivated"
+	ProjectGrantAdded          models.EventType = "project.grant.added"
+	ProjectGrantChanged        models.EventType = "project.grant.changed"
+	ProjectGrantRemoved        models.EventType = "project.grant.removed"
+	ProjectGrantDeactivated    models.EventType = "project.grant.deactivated"
+	ProjectGrantReactivated    models.EventType = "project.grant.reactivated"
+	ProjectGrantCascadeChanged models.EventType = "project.grant.cascade.changed"

 	ProjectGrantMemberAdded   models.EventType = "project.grant.member.added"
 	ProjectGrantMemberChanged models.EventType = "project.grant.member.changed"
--- a/internal/project/repository/eventsourcing/project.go
+++ b/internal/project/repository/eventsourcing/project.go
@@ -144,16 +144,22 @@ func ProjectMemberRemovedAggregate(aggCreator *es_models.AggregateCreator, exist
 	}
 }

-func ProjectRoleAddedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Project, role *model.ProjectRole) func(ctx context.Context) (*es_models.Aggregate, error) {
+func ProjectRoleAddedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Project, roles ...*model.ProjectRole) func(ctx context.Context) (*es_models.Aggregate, error) {
 	return func(ctx context.Context) (*es_models.Aggregate, error) {
-		if role == nil {
-			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-sleo9", "role should not be nil")
+		if roles == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-sleo9", "roles should not be nil")
 		}
 		agg, err := ProjectAggregate(ctx, aggCreator, existing)
 		if err != nil {
 			return nil, err
 		}
-		return agg.AppendEvent(model.ProjectRoleAdded, role)
+		for _, role := range roles {
+			agg, err = agg.AppendEvent(model.ProjectRoleAdded, role)
+			if err != nil {
+				return nil, err
+			}
+		}
+		return agg, nil
 	}
 }

@@ -170,17 +176,29 @@ func ProjectRoleChangedAggregate(aggCreator *es_models.AggregateCreator, existin
 	}
 }

-func ProjectRoleRemovedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Project, role *model.ProjectRole) func(ctx context.Context) (*es_models.Aggregate, error) {
-	return func(ctx context.Context) (*es_models.Aggregate, error) {
-		if role == nil {
-			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-d8eis", "member should not be nil")
-		}
-		agg, err := ProjectAggregate(ctx, aggCreator, existing)
-		if err != nil {
-			return nil, err
-		}
-		return agg.AppendEvent(model.ProjectRoleRemoved, role)
+func ProjectRoleRemovedAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, existing *model.Project, role *model.ProjectRole, grants []*model.ProjectGrant) (*es_models.Aggregate, error) {
+	if role == nil {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-d8eis", "member should not be nil")
 	}
+	agg, err := ProjectAggregate(ctx, aggCreator, existing)
+	if err != nil {
+		return nil, err
+	}
+	agg, err = agg.AppendEvent(model.ProjectRoleRemoved, role)
+	if err != nil {
+		return nil, err
+	}
+	for _, grant := range grants {
+		var changes map[string]interface{}
+		if _, g := model.GetProjectGrant(existing.Grants, grant.GrantID); grant != nil {
+			changes = g.Changes(grant)
+			agg, err = agg.AppendEvent(model.ProjectGrantCascadeChanged, changes)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+	return agg, nil
 }

 func ApplicationAddedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Project, app *model.Application) func(ctx context.Context) (*es_models.Aggregate, error) {
--- a/internal/project/repository/eventsourcing/project_test.go
+++ b/internal/project/repository/eventsourcing/project_test.go
@@ -694,7 +694,7 @@ func TestProjectRoleAddedAggregate(t *testing.T) {
 	type args struct {
 		ctx        context.Context
 		existing   *model.Project
-		new        *model.ProjectRole
+		new        []*model.ProjectRole
 		aggCreator *models.AggregateCreator
 	}
 	type res struct {
@@ -713,7 +713,7 @@ func TestProjectRoleAddedAggregate(t *testing.T) {
 			args: args{
 				ctx:        auth.NewMockContext("orgID", "userID"),
 				existing:   &model.Project{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}, Name: "ProjectName", State: int32(proj_model.PROJECTSTATE_ACTIVE)},
-				new:        &model.ProjectRole{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}, Key: "Key"},
+				new:        []*model.ProjectRole{&model.ProjectRole{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}, Key: "Key"}},
 				aggCreator: models.NewAggregateCreator("Test"),
 			},
 			res: res{
@@ -721,6 +721,22 @@ func TestProjectRoleAddedAggregate(t *testing.T) {
 				eventType: model.ProjectRoleAdded,
 			},
 		},
+		{
+			name: "projectrole multiple added ok",
+			args: args{
+				ctx:      auth.NewMockContext("orgID", "userID"),
+				existing: &model.Project{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}, Name: "ProjectName", State: int32(proj_model.PROJECTSTATE_ACTIVE)},
+				new: []*model.ProjectRole{
+					&model.ProjectRole{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}, Key: "Key"},
+					&model.ProjectRole{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}, Key: "Key2"},
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:  2,
+				eventType: model.ProjectRoleAdded,
+			},
+		},
 		{
 			name: "existing project nil",
 			args: args{
@@ -753,7 +769,7 @@ func TestProjectRoleAddedAggregate(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			agg, err := ProjectRoleAddedAggregate(tt.args.aggCreator, tt.args.existing, tt.args.new)(tt.args.ctx)
+			agg, err := ProjectRoleAddedAggregate(tt.args.aggCreator, tt.args.existing, tt.args.new...)(tt.args.ctx)

 			if !tt.res.wantErr && len(agg.Events) != tt.res.eventLen {
 				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
@@ -857,13 +873,14 @@ func TestProjectRoleRemovedAggregate(t *testing.T) {
 		ctx        context.Context
 		existing   *model.Project
 		new        *model.ProjectRole
+		grants     []*model.ProjectGrant
 		aggCreator *models.AggregateCreator
 	}
 	type res struct {
-		eventLen  int
-		eventType models.EventType
-		wantErr   bool
-		errFunc   func(err error) bool
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
 	}
 	tests := []struct {
 		name string
@@ -879,8 +896,27 @@ func TestProjectRoleRemovedAggregate(t *testing.T) {
 				aggCreator: models.NewAggregateCreator("Test"),
 			},
 			res: res{
-				eventLen:  1,
-				eventType: model.ProjectRoleRemoved,
+				eventLen:   1,
+				eventTypes: []models.EventType{model.ProjectRoleRemoved},
+			},
+		},
+		{
+			name: "projectrole changed with grant",
+			args: args{
+				ctx: auth.NewMockContext("orgID", "userID"),
+				existing: &model.Project{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					Name:       "ProjectName",
+					State:      int32(proj_model.PROJECTSTATE_ACTIVE),
+					Grants:     []*model.ProjectGrant{&model.ProjectGrant{ObjectRoot: models.ObjectRoot{AggregateID: "ID"}, GrantID: "GrantID", GrantedOrgID: "OrgID", RoleKeys: []string{"ROLE"}}},
+				},
+				new:        &model.ProjectRole{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}, Key: "Key"},
+				grants:     []*model.ProjectGrant{&model.ProjectGrant{ObjectRoot: models.ObjectRoot{AggregateID: "ID"}, GrantID: "GrantID", GrantedOrgID: "OrgID", RoleKeys: []string{}}},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   2,
+				eventTypes: []models.EventType{model.ProjectRoleRemoved, model.ProjectGrantCascadeChanged},
 			},
 		},
 		{
@@ -891,10 +927,8 @@ func TestProjectRoleRemovedAggregate(t *testing.T) {
 				aggCreator: models.NewAggregateCreator("Test"),
 			},
 			res: res{
-				eventLen:  1,
-				eventType: model.ProjectRoleRemoved,
-				wantErr:   true,
-				errFunc:   caos_errs.IsPreconditionFailed,
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
 			},
 		},
 		{
@@ -906,26 +940,29 @@ func TestProjectRoleRemovedAggregate(t *testing.T) {
 				aggCreator: models.NewAggregateCreator("Test"),
 			},
 			res: res{
-				eventLen:  1,
-				eventType: model.ProjectRoleRemoved,
-				wantErr:   true,
-				errFunc:   caos_errs.IsPreconditionFailed,
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			agg, err := ProjectRoleRemovedAggregate(tt.args.aggCreator, tt.args.existing, tt.args.new)(tt.args.ctx)
+			agg, err := ProjectRoleRemovedAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.existing, tt.args.new, tt.args.grants)

 			if !tt.res.wantErr && len(agg.Events) != tt.res.eventLen {
 				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
 			}
-			if !tt.res.wantErr && agg.Events[0].Type != tt.res.eventType {
-				t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventType, agg.Events[0].Type.String())
-			}
-			if !tt.res.wantErr && agg.Events[0].Data == nil {
-				t.Errorf("should have data in event")
+			if agg != nil {
+				for i, _ := range agg.Events {
+					if !tt.res.wantErr && agg.Events[i].Type != tt.res.eventTypes[i] {
+						t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+					}
+					if !tt.res.wantErr && agg.Events[i].Data == nil {
+						t.Errorf("should have data in event")
+					}
+				}
 			}
+
 			if tt.res.wantErr && !tt.res.errFunc(err) {
 				t.Errorf("got wrong err: %v ", err)
 			}
--- a/internal/project/repository/view/model/project_grant.go
+++ b/internal/project/repository/view/model/project_grant.go
@@ -17,20 +17,22 @@ const (
 	ProjectGrantKeyOrgID         = "org_id"
 	ProjectGrantKeyResourceOwner = "resource_owner"
 	ProjectGrantKeyName          = "project_name"
+	ProjectGrantKeyRoleKeys      = "granted_role_keys"
 )

 type ProjectGrantView struct {
-	GrantID         string         `json:"-" gorm:"column:grant_id;primary_key"`
-	ProjectID       string         `json:"-" gorm:"column:project_id"`
-	OrgID           string         `json:"-" gorm:"column:org_id"`
-	Name            string         `json:"name" gorm:"column:project_name"`
-	CreationDate    time.Time      `json:"-" gorm:"column:creation_date"`
-	ChangeDate      time.Time      `json:"-" gorm:"column:change_date"`
-	State           int32          `json:"-" gorm:"column:project_state"`
-	ResourceOwner   string         `json:"-" gorm:"column:resource_owner"`
-	OrgName         string         `json:"-" gorm:"column:org_name"`
-	Sequence        uint64         `json:"-" gorm:"column:sequence"`
-	GrantedRoleKeys pq.StringArray `json:"-" gorm:"column:granted_role_keys"`
+	GrantID           string         `json:"-" gorm:"column:grant_id;primary_key"`
+	ProjectID         string         `json:"-" gorm:"column:project_id"`
+	OrgID             string         `json:"-" gorm:"column:org_id"`
+	Name              string         `json:"name" gorm:"column:project_name"`
+	CreationDate      time.Time      `json:"-" gorm:"column:creation_date"`
+	ChangeDate        time.Time      `json:"-" gorm:"column:change_date"`
+	State             int32          `json:"-" gorm:"column:project_state"`
+	ResourceOwner     string         `json:"-" gorm:"column:resource_owner"`
+	ResourceOwnerName string         `json:"-" gorm:"column:resource_owner_name"`
+	OrgName           string         `json:"-" gorm:"column:org_name"`
+	Sequence          uint64         `json:"-" gorm:"column:sequence"`
+	GrantedRoleKeys   pq.StringArray `json:"-" gorm:"column:granted_role_keys"`
 }

 type ProjectGrant struct {
@@ -41,32 +43,35 @@ type ProjectGrant struct {

 func ProjectGrantFromModel(project *model.ProjectGrantView) *ProjectGrantView {
 	return &ProjectGrantView{
-		ProjectID:       project.ProjectID,
-		OrgID:           project.OrgID,
-		Name:            project.Name,
-		ChangeDate:      project.ChangeDate,
-		CreationDate:    project.CreationDate,
-		State:           int32(project.State),
-		ResourceOwner:   project.ResourceOwner,
-		OrgName:         project.OrgName,
-		GrantID:         project.GrantID,
-		GrantedRoleKeys: project.GrantedRoleKeys,
-		Sequence:        project.Sequence,
+		ProjectID:         project.ProjectID,
+		OrgID:             project.OrgID,
+		Name:              project.Name,
+		ChangeDate:        project.ChangeDate,
+		CreationDate:      project.CreationDate,
+		State:             int32(project.State),
+		ResourceOwner:     project.ResourceOwner,
+		ResourceOwnerName: project.ResourceOwnerName,
+		OrgName:           project.OrgName,
+		GrantID:           project.GrantID,
+		GrantedRoleKeys:   project.GrantedRoleKeys,
+		Sequence:          project.Sequence,
 	}
 }

 func ProjectGrantToModel(project *ProjectGrantView) *model.ProjectGrantView {
 	return &model.ProjectGrantView{
-		ProjectID:     project.ProjectID,
-		OrgID:         project.OrgID,
-		Name:          project.Name,
-		ChangeDate:    project.ChangeDate,
-		CreationDate:  project.CreationDate,
-		State:         model.ProjectState(project.State),
-		ResourceOwner: project.ResourceOwner,
-		OrgName:       project.OrgName,
-		GrantID:       project.GrantID,
-		Sequence:      project.Sequence,
+		ProjectID:         project.ProjectID,
+		OrgID:             project.OrgID,
+		Name:              project.Name,
+		ChangeDate:        project.ChangeDate,
+		CreationDate:      project.CreationDate,
+		State:             model.ProjectState(project.State),
+		ResourceOwner:     project.ResourceOwner,
+		ResourceOwnerName: project.ResourceOwnerName,
+		OrgName:           project.OrgName,
+		GrantID:           project.GrantID,
+		Sequence:          project.Sequence,
+		GrantedRoleKeys:   project.GrantedRoleKeys,
 	}
 }

@@ -87,7 +92,7 @@ func (p *ProjectGrantView) AppendEvent(event *models.Event) (err error) {
 		p.CreationDate = event.CreationDate
 		p.setRootData(event)
 		err = p.setProjectGrantData(event)
-	case es_model.ProjectGrantChanged:
+	case es_model.ProjectGrantChanged, es_model.ProjectGrantCascadeChanged:
 		err = p.setProjectGrantData(event)
 	case es_model.ProjectGrantDeactivated:
 		p.State = int32(model.PROJECTSTATE_INACTIVE)
--- a/internal/project/repository/view/model/project_grant_query.go
+++ b/internal/project/repository/view/model/project_grant_query.go
@@ -61,6 +61,8 @@ func (key ProjectGrantSearchKey) ToColumnName() string {
 		return ProjectGrantKeyProjectID
 	case proj_model.GRANTEDPROJECTSEARCHKEY_RESOURCE_OWNER:
 		return ProjectGrantKeyResourceOwner
+	case proj_model.GRANTEDPROJECTSEARCHKEY_ROLE_KEYS:
+		return ProjectGrantKeyRoleKeys
 	default:
 		return ""
 	}
--- a/internal/project/repository/view/project_grant_view.go
+++ b/internal/project/repository/view/project_grant_view.go
@@ -39,6 +39,20 @@ func ProjectGrantsByProjectID(db *gorm.DB, table, projectID string) ([]*model.Pr
 	return projects, nil
 }

+func ProjectGrantsByProjectIDAndRoleKey(db *gorm.DB, table, projectID, roleKey string) ([]*model.ProjectGrantView, error) {
+	projects := make([]*model.ProjectGrantView, 0)
+	queries := []*proj_model.ProjectGrantViewSearchQuery{
+		&proj_model.ProjectGrantViewSearchQuery{Key: proj_model.GRANTEDPROJECTSEARCHKEY_PROJECTID, Value: projectID, Method: global_model.SEARCHMETHOD_EQUALS},
+		&proj_model.ProjectGrantViewSearchQuery{Key: proj_model.GRANTEDPROJECTSEARCHKEY_ROLE_KEYS, Value: roleKey, Method: global_model.SEARCHMETHOD_LIST_CONTAINS},
+	}
+	query := view.PrepareSearchQuery(table, model.ProjectGrantSearchRequest{Queries: queries})
+	_, err := query(db, &projects)
+	if err != nil {
+		return nil, err
+	}
+	return projects, nil
+}
+
 func SearchProjectGrants(db *gorm.DB, table string, req *proj_model.ProjectGrantViewSearchRequest) ([]*model.ProjectGrantView, int, error) {
 	projects := make([]*model.ProjectGrantView, 0)
 	query := view.PrepareSearchQuery(table, model.ProjectGrantSearchRequest{Limit: req.Limit, Offset: req.Offset, Queries: req.Queries})
@@ -55,6 +69,6 @@ func PutProjectGrant(db *gorm.DB, table string, project *model.ProjectGrantView)
 }

 func DeleteProjectGrant(db *gorm.DB, table, grantID string) error {
-	delete := view.PrepareDeleteByKey(table, model.ProjectSearchKey(proj_model.PROJECTGRANTMEMBERSEARCHKEY_GRANT_ID), grantID)
+	delete := view.PrepareDeleteByKey(table, model.ProjectSearchKey(proj_model.GRANTEDPROJECTSEARCHKEY_GRANTID), grantID)
 	return delete(db)
 }
--- a/internal/protoc/protoc-base/protoc_helper.go
+++ b/internal/protoc/protoc-base/protoc_helper.go
@@ -65,6 +65,7 @@ func Run(generator ProtocGenerator) {
 	}

 	registry := descriptor.NewRegistry()
+	registry.SetAllowDeleteBody(true)
 	if err = registry.Load(req); err != nil {
 		glog.Fatal(err)
 	}
--- a/internal/protoc/protoc-gen-authoption/templates.go
+++ b/internal/protoc/protoc-gen-authoption/templates.go
@@ -83,7 +83,7 @@ func templatesAuth_method_mappingGoTmpl() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "templates/auth_method_mapping.go.tmpl", size: 1013, mode: os.FileMode(420), modTime: time.Unix(1586333177, 0)}
+	info := bindataFileInfo{name: "templates/auth_method_mapping.go.tmpl", size: 1013, mode: os.FileMode(420), modTime: time.Unix(1585815980, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -182,6 +182,7 @@ type bintree struct {
 	Func     func() (*asset, error)
 	Children map[string]*bintree
 }
+
 var _bintree = &bintree{nil, map[string]*bintree{
 	"templates": &bintree{nil, map[string]*bintree{
 		"auth_method_mapping.go.tmpl": &bintree{templatesAuth_method_mappingGoTmpl, map[string]*bintree{}},
@@ -234,4 +235,3 @@ func _filePath(dir, name string) string {
 	cannonicalName := strings.Replace(name, "\\", "/", -1)
 	return filepath.Join(append([]string{dir}, strings.Split(cannonicalName, "/")...)...)
 }
-
--- a/internal/user/repository/view/user_view.go
+++ b/internal/user/repository/view/user_view.go
@@ -34,7 +34,7 @@ func UserByLoginName(db *gorm.DB, table, loginName string) (*model.UserView, err
 	user := new(model.UserView)
 	loginNameQuery := &model.UserSearchQuery{
 		Key:    usr_model.USERSEARCHKEY_LOGIN_NAMES,
-		Method: global_model.SEARCHMETHOD_EQUALS_IN_ARRAY,
+		Method: global_model.SEARCHMETHOD_LIST_CONTAINS,
 		Value:  pq.Array([]string{loginName}),
 	}
 	query := view.PrepareGetByQuery(table, loginNameQuery)
--- a/internal/usergrant/model/user_grant.go
+++ b/internal/usergrant/model/user_grant.go
@@ -30,3 +30,26 @@ func (u *UserGrant) IsActive() bool {
 func (u *UserGrant) IsInactive() bool {
 	return u.State == USERGRANTSTATE_INACTIVE
 }
+
+func (u *UserGrant) RemoveRoleKeyIfExisting(key string) bool {
+	for i, role := range u.RoleKeys {
+		if role == key {
+			u.RoleKeys[i] = u.RoleKeys[len(u.RoleKeys)-1]
+			u.RoleKeys[len(u.RoleKeys)-1] = ""
+			u.RoleKeys = u.RoleKeys[:len(u.RoleKeys)-1]
+			return true
+		}
+	}
+	return false
+}
+
+func (u *UserGrant) RemoveRoleKeysIfExisting(keys []string) bool {
+	exists := false
+	for _, key := range keys {
+		keyExists := u.RemoveRoleKeyIfExisting(key)
+		if keyExists {
+			exists = true
+		}
+	}
+	return exists
+}
--- a/internal/usergrant/model/user_grant_view.go
+++ b/internal/usergrant/model/user_grant_view.go
@@ -44,12 +44,13 @@ const (
 	USERGRANTSEARCHKEY_STATE
 	USERGRANTSEARCHKEY_GRANT_ID
 	USERGRANTSEARCHKEY_ORG_NAME
+	USERGRANTSEARCHKEY_ROLE_KEY
 )

 type UserGrantSearchQuery struct {
 	Key    UserGrantSearchKey
 	Method model.SearchMethod
-	Value  string
+	Value  interface{}
 }

 type UserGrantSearchResponse struct {
--- a/internal/usergrant/repository/eventsourcing/eventstore.go
+++ b/internal/usergrant/repository/eventsourcing/eventstore.go
@@ -6,6 +6,7 @@ import (
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	es_int "github.com/caos/zitadel/internal/eventstore"
 	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	es_sdk "github.com/caos/zitadel/internal/eventstore/sdk"
 	"github.com/caos/zitadel/internal/id"
 	grant_model "github.com/caos/zitadel/internal/usergrant/model"
@@ -54,18 +55,7 @@ func (es *UserGrantEventStore) UserGrantByID(ctx context.Context, id string) (*g
 }

 func (es *UserGrantEventStore) AddUserGrant(ctx context.Context, grant *grant_model.UserGrant) (*grant_model.UserGrant, error) {
-	if grant == nil || !grant.IsValid() {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-sdiw3", "User grant invalid")
-	}
-	id, err := es.idGenerator.Next()
-	if err != nil {
-		return nil, err
-	}
-	grant.AggregateID = id
-
-	repoGrant := model.UserGrantFromModel(grant)
-
-	addAggregates, err := UserGrantAddedAggregate(ctx, es.Eventstore.AggregateCreator(), repoGrant)
+	repoGrant, addAggregates, err := es.PrepareAddUserGrant(ctx, grant)
 	if err != nil {
 		return nil, err
 	}
@@ -76,19 +66,65 @@ func (es *UserGrantEventStore) AddUserGrant(ctx context.Context, grant *grant_mo
 	return model.UserGrantToModel(repoGrant), nil
 }

-func (es *UserGrantEventStore) ChangeUserGrant(ctx context.Context, grant *grant_model.UserGrant) (*grant_model.UserGrant, error) {
+func (es *UserGrantEventStore) AddUserGrants(ctx context.Context, grants ...*grant_model.UserGrant) error {
+	aggregates := make([]*es_models.Aggregate, 0)
+	for _, grant := range grants {
+		_, addAggregates, err := es.PrepareAddUserGrant(ctx, grant)
+		if err != nil {
+			return err
+		}
+		for _, agg := range addAggregates {
+			aggregates = append(aggregates, agg)
+		}
+	}
+	return es_sdk.PushAggregates(ctx, es.PushAggregates, nil, aggregates...)
+}
+
+func (es *UserGrantEventStore) PrepareAddUserGrant(ctx context.Context, grant *grant_model.UserGrant) (*model.UserGrant, []*es_models.Aggregate, error) {
+	if grant == nil || !grant.IsValid() {
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-sdiw3", "User grant invalid")
+	}
+	id, err := es.idGenerator.Next()
+	if err != nil {
+		return nil, nil, err
+	}
+	grant.AggregateID = id
+
+	repoGrant := model.UserGrantFromModel(grant)
+
+	addAggregates, err := UserGrantAddedAggregate(ctx, es.Eventstore.AggregateCreator(), repoGrant)
+	if err != nil {
+		return nil, nil, err
+	}
+	return repoGrant, addAggregates, nil
+}
+
+func (es *UserGrantEventStore) PrepareChangeUserGrant(ctx context.Context, grant *grant_model.UserGrant, cascade bool) (*model.UserGrant, *es_models.Aggregate, error) {
 	if grant == nil {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-lo0s9", "invalid grant")
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-lo0s9", "invalid grant")
 	}
 	existing, err := es.UserGrantByID(ctx, grant.AggregateID)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	repoExisting := model.UserGrantFromModel(existing)
 	repoGrant := model.UserGrantFromModel(grant)

-	projectAggregate := UserGrantChangedAggregate(es.Eventstore.AggregateCreator(), repoExisting, repoGrant)
-	err = es_sdk.Push(ctx, es.PushAggregates, repoExisting.AppendEvents, projectAggregate)
+	aggFunc := UserGrantChangedAggregate(es.Eventstore.AggregateCreator(), repoExisting, repoGrant, cascade)
+	projectAggregate, err := aggFunc(ctx)
+	if err != nil {
+		return nil, nil, err
+	}
+	return repoExisting, projectAggregate, err
+}
+
+func (es *UserGrantEventStore) ChangeUserGrant(ctx context.Context, grant *grant_model.UserGrant) (*grant_model.UserGrant, error) {
+	repoExisting, agg, err := es.PrepareChangeUserGrant(ctx, grant, false)
+	if err != nil {
+		return nil, err
+	}
+
+	err = es_sdk.PushAggregates(ctx, es.PushAggregates, repoExisting.AppendEvents, agg)
 	if err != nil {
 		return nil, err
 	}
@@ -96,23 +132,57 @@ func (es *UserGrantEventStore) ChangeUserGrant(ctx context.Context, grant *grant
 	return model.UserGrantToModel(repoExisting), nil
 }

+func (es *UserGrantEventStore) ChangeUserGrants(ctx context.Context, grants ...*grant_model.UserGrant) error {
+	aggregates := make([]*es_models.Aggregate, len(grants))
+	for i, grant := range grants {
+		_, agg, err := es.PrepareChangeUserGrant(ctx, grant, false)
+		if err != nil {
+			return err
+		}
+		aggregates[i] = agg
+	}
+	return es_sdk.PushAggregates(ctx, es.PushAggregates, nil, aggregates...)
+}
+
 func (es *UserGrantEventStore) RemoveUserGrant(ctx context.Context, grantID string) error {
-	existing, err := es.UserGrantByID(ctx, grantID)
+	existing, projectAggregates, err := es.PrepareRemoveUserGrant(ctx, grantID, false)
 	if err != nil {
 		return err
 	}
+	err = es_sdk.PushAggregates(ctx, es.PushAggregates, existing.AppendEvents, projectAggregates...)
+	if err != nil {
+		return err
+	}
+	es.userGrantCache.cacheUserGrant(existing)
+	return nil
+}
+
+func (es *UserGrantEventStore) RemoveUserGrants(ctx context.Context, grantIDs ...string) error {
+	aggregates := make([]*es_models.Aggregate, 0)
+	for _, grantID := range grantIDs {
+		_, aggs, err := es.PrepareRemoveUserGrant(ctx, grantID, false)
+		if err != nil {
+			return err
+		}
+		for _, agg := range aggs {
+			aggregates = append(aggregates, agg)
+		}
+	}
+	return es_sdk.PushAggregates(ctx, es.PushAggregates, nil, aggregates...)
+}
+
+func (es *UserGrantEventStore) PrepareRemoveUserGrant(ctx context.Context, grantID string, cascade bool) (*model.UserGrant, []*es_models.Aggregate, error) {
+	existing, err := es.UserGrantByID(ctx, grantID)
+	if err != nil {
+		return nil, nil, err
+	}
 	repoExisting := model.UserGrantFromModel(existing)
 	repoGrant := &model.UserGrant{ObjectRoot: models.ObjectRoot{AggregateID: grantID}}
-	projectAggregates, err := UserGrantRemovedAggregate(ctx, es.Eventstore.AggregateCreator(), repoExisting, repoGrant)
+	projectAggregates, err := UserGrantRemovedAggregate(ctx, es.Eventstore.AggregateCreator(), repoExisting, repoGrant, cascade)
 	if err != nil {
-		return err
+		return nil, nil, err
 	}
-	err = es_sdk.PushAggregates(ctx, es.PushAggregates, repoExisting.AppendEvents, projectAggregates...)
-	if err != nil {
-		return err
-	}
-	es.userGrantCache.cacheUserGrant(repoExisting)
-	return nil
+	return repoExisting, projectAggregates, nil
 }

 func (es *UserGrantEventStore) DeactivateUserGrant(ctx context.Context, grantID string) (*grant_model.UserGrant, error) {
--- a/internal/usergrant/repository/eventsourcing/model/types.go
+++ b/internal/usergrant/repository/eventsourcing/model/types.go
@@ -13,4 +13,7 @@ const (
 	UserGrantReactivated models.EventType = "user.grant.reactivated"
 	UserGrantReserved    models.EventType = "user.grant.reserved"
 	UserGrantReleased    models.EventType = "user.grant.released"
+
+	UserGrantCascadeRemoved models.EventType = "user.grant.cascade.removed"
+	UserGrantCascadeChanged models.EventType = "user.grant.cascade.changed"
 )
--- a/internal/usergrant/repository/eventsourcing/model/user_grant.go
+++ b/internal/usergrant/repository/eventsourcing/model/user_grant.go
@@ -68,13 +68,15 @@ func (g *UserGrant) AppendEvent(event *es_models.Event) error {
 	g.ObjectRoot.AppendEvent(event)
 	switch event.Type {
 	case UserGrantAdded,
-		UserGrantChanged:
+		UserGrantChanged,
+		UserGrantCascadeChanged:
 		return g.setData(event)
 	case UserGrantDeactivated:
 		g.appendGrantStateEvent(model.USERGRANTSTATE_INACTIVE)
 	case UserGrantReactivated:
 		g.appendGrantStateEvent(model.USERGRANTSTATE_ACTIVE)
-	case UserGrantRemoved:
+	case UserGrantRemoved,
+		UserGrantCascadeRemoved:
 		g.appendGrantStateEvent(model.USERGRANTSTATE_REMOVED)
 	}
 	return nil
--- a/internal/usergrant/repository/eventsourcing/user_grant.go
+++ b/internal/usergrant/repository/eventsourcing/user_grant.go
@@ -95,7 +95,7 @@ func releasedUniqueUserGrantAggregate(ctx context.Context, aggCreator *es_models
 	return aggregate.SetPrecondition(UserGrantUniqueQuery(grant.ResourceOwner, grant.ProjectID, grant.UserID), isEventValidation(aggregate, model.UserGrantReleased)), nil
 }

-func UserGrantChangedAggregate(aggCreator *es_models.AggregateCreator, existing *model.UserGrant, grant *model.UserGrant) func(ctx context.Context) (*es_models.Aggregate, error) {
+func UserGrantChangedAggregate(aggCreator *es_models.AggregateCreator, existing *model.UserGrant, grant *model.UserGrant, cascade bool) func(ctx context.Context) (*es_models.Aggregate, error) {
 	return func(ctx context.Context) (*es_models.Aggregate, error) {
 		if grant == nil {
 			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-osl8x", "grant should not be nil")
@@ -105,7 +105,10 @@ func UserGrantChangedAggregate(aggCreator *es_models.AggregateCreator, existing
 			return nil, err
 		}
 		changes := existing.Changes(grant)
-		return agg.AppendEvent(model.UserGrantChanged, changes)
+		if !cascade {
+			return agg.AppendEvent(model.UserGrantChanged, changes)
+		}
+		return agg.AppendEvent(model.UserGrantCascadeChanged, changes)
 	}
 }

@@ -135,7 +138,7 @@ func UserGrantReactivatedAggregate(aggCreator *es_models.AggregateCreator, exist
 	}
 }

-func UserGrantRemovedAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, existing *model.UserGrant, grant *model.UserGrant) ([]*es_models.Aggregate, error) {
+func UserGrantRemovedAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, existing *model.UserGrant, grant *model.UserGrant, cascade bool) ([]*es_models.Aggregate, error) {
 	if grant == nil {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-lo21s", "grant should not be nil")
 	}
@@ -143,7 +146,11 @@ func UserGrantRemovedAggregate(ctx context.Context, aggCreator *es_models.Aggreg
 	if err != nil {
 		return nil, err
 	}
-	agg, err = agg.AppendEvent(model.UserGrantRemoved, nil)
+	eventType := model.UserGrantRemoved
+	if cascade {
+		eventType = model.UserGrantCascadeRemoved
+	}
+	agg, err = agg.AppendEvent(eventType, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -196,37 +203,43 @@ func addUserGrantValidation(resourceOwner string, grant *model.UserGrant) func(.
 				project.AppendEvent(event)
 			}
 		}
-		if existsOrg && existsUser && checkProjectConditions(resourceOwner, grant, project) {
-			return nil
+		if !existsOrg {
+			return errors.ThrowPreconditionFailed(nil, "EVENT-3OfIm", "org doesn't exist")
 		}
-		return errors.ThrowPreconditionFailed(nil, "EVENT-3OfIm", "conditions not met")
+		if !existsUser {
+			return errors.ThrowPreconditionFailed(nil, "EVENT-Sl8uS", "user doesn't exist")
+		}
+		if err := checkProjectConditions(resourceOwner, grant, project); err != nil {
+			return err
+		}
+		return nil
 	}
 }

-func checkProjectConditions(resourceOwner string, grant *model.UserGrant, project *proj_es_model.Project) bool {
+func checkProjectConditions(resourceOwner string, grant *model.UserGrant, project *proj_es_model.Project) error {
 	if project.State == int32(proj_model.PROJECTSTATE_REMOVED) {
-		return false
+		return errors.ThrowPreconditionFailed(nil, "EVENT-Lxp0s", "project doesn't exist")
 	}
 	if resourceOwner == project.ResourceOwner {
 		return checkIfProjectHasRoles(grant.RoleKeys, project.Roles)
 	}

-	if _, projectGrant := proj_es_model.GetProjectGrantByResourceOwner(project.Grants, resourceOwner); projectGrant != nil {
+	if _, projectGrant := proj_es_model.GetProjectGrantByOrgID(project.Grants, resourceOwner); projectGrant != nil {
 		return checkIfProjectGrantHasRoles(grant.RoleKeys, projectGrant.RoleKeys)
 	}
-	return false
+	return nil
 }

-func checkIfProjectHasRoles(roles []string, existing []*proj_es_model.ProjectRole) bool {
+func checkIfProjectHasRoles(roles []string, existing []*proj_es_model.ProjectRole) error {
 	for _, roleKey := range roles {
 		if _, role := proj_es_model.GetProjectRole(existing, roleKey); role == nil {
-			return false
+			return errors.ThrowPreconditionFailedf(nil, "EVENT-Lxp0s", "project doesn't have role %v", roleKey)
 		}
 	}
-	return true
+	return nil
 }

-func checkIfProjectGrantHasRoles(roles []string, existing []string) bool {
+func checkIfProjectGrantHasRoles(roles []string, existing []string) error {
 	roleExists := false
 	for _, roleKey := range roles {
 		for _, existingRoleKey := range existing {
@@ -236,8 +249,8 @@ func checkIfProjectGrantHasRoles(roles []string, existing []string) bool {
 			}
 		}
 		if !roleExists {
-			return false
+			return errors.ThrowPreconditionFailed(nil, "EVENT-LSpwi", "project grant doesn't have role")
 		}
 	}
-	return true
+	return nil
 }
--- a/internal/usergrant/repository/eventsourcing/user_grant_test.go
+++ b/internal/usergrant/repository/eventsourcing/user_grant_test.go
@@ -74,6 +74,7 @@ func TestUserGrantChangedAggregate(t *testing.T) {
 		ctx        context.Context
 		existing   *model.UserGrant
 		new        *model.UserGrant
+		cascade    bool
 		aggCreator *models.AggregateCreator
 	}
 	type res struct {
@@ -108,6 +109,29 @@ func TestUserGrantChangedAggregate(t *testing.T) {
 				eventTypes: []models.EventType{model.UserGrantChanged},
 			},
 		},
+		{
+			name: "change project grant cascade",
+			args: args{
+				ctx: auth.NewMockContext("orgID", "userID"),
+				existing: &model.UserGrant{
+					ObjectRoot: models.ObjectRoot{AggregateID: "ID"},
+					UserID:     "UserID",
+					ProjectID:  "ProjectID",
+					RoleKeys:   []string{"Key"}},
+				new: &model.UserGrant{
+					ObjectRoot: models.ObjectRoot{AggregateID: "ID"},
+					UserID:     "UserID",
+					ProjectID:  "ProjectID",
+					RoleKeys:   []string{"KeyChanged"},
+				},
+				cascade:    true,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.UserGrantCascadeChanged},
+			},
+		},
 		{
 			name: "existing grant nil",
 			args: args{
@@ -143,7 +167,7 @@ func TestUserGrantChangedAggregate(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			agg, err := UserGrantChangedAggregate(tt.args.aggCreator, tt.args.existing, tt.args.new)(tt.args.ctx)
+			agg, err := UserGrantChangedAggregate(tt.args.aggCreator, tt.args.existing, tt.args.new, tt.args.cascade)(tt.args.ctx)

 			if tt.res.errFunc == nil && len(agg.Events) != tt.res.eventLen {
 				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
@@ -169,6 +193,7 @@ func TestUserGrantRemovedAggregate(t *testing.T) {
 		ctx        context.Context
 		existing   *model.UserGrant
 		new        *model.UserGrant
+		cascade    bool
 		aggCreator *models.AggregateCreator
 	}
 	type res struct {
@@ -200,6 +225,26 @@ func TestUserGrantRemovedAggregate(t *testing.T) {
 				eventTypes: []models.EventType{model.UserGrantRemoved},
 			},
 		},
+		{
+			name: "remove app cascade",
+			args: args{
+				ctx: auth.NewMockContext("orgID", "userID"),
+				existing: &model.UserGrant{
+					ObjectRoot: models.ObjectRoot{AggregateID: "ID"},
+					UserID:     "UserID",
+					ProjectID:  "ProjectID",
+					RoleKeys:   []string{"Key"}},
+				new: &model.UserGrant{
+					ObjectRoot: models.ObjectRoot{AggregateID: "ID"},
+				},
+				cascade:    true,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.UserGrantCascadeRemoved},
+			},
+		},
 		{
 			name: "existing project nil",
 			args: args{
@@ -230,7 +275,7 @@ func TestUserGrantRemovedAggregate(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			aggregates, err := UserGrantRemovedAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.existing, tt.args.new)
+			aggregates, err := UserGrantRemovedAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.existing, tt.args.new, tt.args.cascade)

 			if tt.res.errFunc == nil && len(aggregates[0].Events) != tt.res.eventLen {
 				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(aggregates[0].Events))
--- a/internal/usergrant/repository/view/model/user_grant.go
+++ b/internal/usergrant/repository/view/model/user_grant.go
@@ -19,6 +19,7 @@ const (
 	UserGrantKeyResourceOwner = "resource_owner"
 	UserGrantKeyState         = "state"
 	UserGrantKeyOrgName       = "org_name"
+	UserGrantKeyRole          = "role_keys"
 )

 type UserGrantView struct {
@@ -98,7 +99,7 @@ func (g *UserGrantView) AppendEvent(event *models.Event) (err error) {
 		g.CreationDate = event.CreationDate
 		g.setRootData(event)
 		err = g.setData(event)
-	case es_model.UserGrantChanged:
+	case es_model.UserGrantChanged, es_model.UserGrantCascadeChanged:
 		err = g.setData(event)
 	case es_model.UserGrantDeactivated:
 		g.State = int32(model.USERGRANTSTATE_INACTIVE)
--- a/internal/usergrant/repository/view/model/user_grant_query.go
+++ b/internal/usergrant/repository/view/model/user_grant_query.go
@@ -63,6 +63,8 @@ func (key UserGrantSearchKey) ToColumnName() string {
 		return UserGrantKeyID
 	case grant_model.USERGRANTSEARCHKEY_ORG_NAME:
 		return UserGrantKeyOrgName
+	case grant_model.USERGRANTSEARCHKEY_ROLE_KEY:
+		return UserGrantKeyRole
 	default:
 		return ""
 	}
--- a/internal/usergrant/repository/view/user_grant_view.go
+++ b/internal/usergrant/repository/view/user_grant_view.go
@@ -62,6 +62,34 @@ func UserGrantsByProjectID(db *gorm.DB, table, projectID string) ([]*model.UserG
 	return users, nil
 }

+func UserGrantsByProjectIDAndRole(db *gorm.DB, table, projectID, roleKey string) ([]*model.UserGrantView, error) {
+	users := make([]*model.UserGrantView, 0)
+	queries := []*grant_model.UserGrantSearchQuery{
+		&grant_model.UserGrantSearchQuery{Key: grant_model.USERGRANTSEARCHKEY_PROJECT_ID, Value: projectID, Method: global_model.SEARCHMETHOD_EQUALS},
+		&grant_model.UserGrantSearchQuery{Key: grant_model.USERGRANTSEARCHKEY_ROLE_KEY, Value: roleKey, Method: global_model.SEARCHMETHOD_LIST_CONTAINS},
+	}
+	query := view.PrepareSearchQuery(table, model.UserGrantSearchRequest{Queries: queries})
+	_, err := query(db, &users)
+	if err != nil {
+		return nil, err
+	}
+	return users, nil
+}
+
+func UserGrantsByOrgIDAndProjectID(db *gorm.DB, table, orgID, projectID string) ([]*model.UserGrantView, error) {
+	users := make([]*model.UserGrantView, 0)
+	queries := []*grant_model.UserGrantSearchQuery{
+		&grant_model.UserGrantSearchQuery{Key: grant_model.USERGRANTSEARCHKEY_RESOURCEOWNER, Value: orgID, Method: global_model.SEARCHMETHOD_EQUALS},
+		&grant_model.UserGrantSearchQuery{Key: grant_model.USERGRANTSEARCHKEY_PROJECT_ID, Value: projectID, Method: global_model.SEARCHMETHOD_EQUALS},
+	}
+	query := view.PrepareSearchQuery(table, model.UserGrantSearchRequest{Queries: queries})
+	_, err := query(db, &users)
+	if err != nil {
+		return nil, err
+	}
+	return users, nil
+}
+
 func UserGrantsByOrgID(db *gorm.DB, table, orgID string) ([]*model.UserGrantView, error) {
 	users := make([]*model.UserGrantView, 0)
 	queries := []*grant_model.UserGrantSearchQuery{
--- a/internal/view/query.go
+++ b/internal/view/query.go
@@ -5,6 +5,7 @@ import (
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/model"
 	"github.com/jinzhu/gorm"
+	"github.com/lib/pq"
 )

 type SearchRequest interface {
@@ -102,10 +103,14 @@ func SetQuery(query *gorm.DB, key ColumnKey, value interface{}, method model.Sea
 		query = query.Where(column+" > ?", value)
 	case model.SEARCHMETHOD_LESS_THAN:
 		query = query.Where(column+" < ?", value)
-	case model.SEARCHMETHOD_IN:
+	case model.SEARCHMETHOD_IS_ONE_OF:
 		query = query.Where(column+" IN (?)", value)
-	case model.SEARCHMETHOD_EQUALS_IN_ARRAY:
-		query = query.Where("? <@ "+column, value)
+	case model.SEARCHMETHOD_LIST_CONTAINS:
+		valueText, ok := value.(string)
+		if !ok {
+			return nil, caos_errs.ThrowInvalidArgument(nil, "VIEW-Psois", "list contains only possible for strings")
+		}
+		query = query.Where("? <@ "+column, pq.Array([]string{valueText}))
 	default:
 		return nil, nil
 	}