feat: multiple domains (#188)

* check uniqueness on create and register user * change user email, reserve release unique email * usergrant unique aggregate * usergrant uniqueness * validate UserGrant * fix tests * domain is set on username in all orgs * domain in admin * org domain sql * zitadel domain org name * org domains * org iam policy * default org iam policy * SETUP * load login names * login by login name * login name * fix: merge master * fix: merge master * Update internal/user/repository/eventsourcing/user.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: fix unique domains * fix: rename env variable Co-authored-by: adlerhurst <silvan.reusser@gmail.com> Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-10-24 01:20:43 +00:00 · 2020-06-16 11:40:18 +02:00
parent 64b14b4e19
commit 7a6ca24625
109 changed files with 12578 additions and 6025 deletions
--- a/pkg/admin/api/grpc/admin.pb.authoptions.go
+++ b/pkg/admin/api/grpc/admin.pb.authoptions.go
@@ -34,6 +34,26 @@ var AdminService_AuthMethods = utils_auth.MethodMapping{
 		Permission: "iam.write",
 		CheckParam: "",
 	},
+
+	"/caos.zitadel.admin.api.v1.AdminService/GetOrgIamPolicy": utils_auth.Option{
+		Permission: "iam.policy.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.admin.api.v1.AdminService/CreateOrgIamPolicy": utils_auth.Option{
+		Permission: "iam.policy.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.admin.api.v1.AdminService/UpdateOrgIamPolicy": utils_auth.Option{
+		Permission: "iam.policy.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.admin.api.v1.AdminService/DeleteOrgIamPolicy": utils_auth.Option{
+		Permission: "iam.policy.delete",
+		CheckParam: "",
+	},
 }

 func AdminService_Authorization_Interceptor(verifier utils_auth.TokenVerifier, authConf *utils_auth.Config) grpc.UnaryServerInterceptor {
--- a/pkg/admin/api/grpc/admin.pb.go
+++ b/pkg/admin/api/grpc/admin.pb.go
--- a/pkg/admin/api/grpc/admin.pb.gw.go
+++ b/pkg/admin/api/grpc/admin.pb.gw.go
@@ -64,10 +64,7 @@ func request_AdminService_IsOrgUnique_0(ctx context.Context, marshaler runtime.M
 	var protoReq UniqueOrgRequest
 	var metadata runtime.ServerMetadata

-	if err := req.ParseForm(); err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
-	}
-	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_AdminService_IsOrgUnique_0); err != nil {
+	if err := runtime.PopulateQueryParameters(&protoReq, req.URL.Query(), filter_AdminService_IsOrgUnique_0); err != nil {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
 	}

@@ -137,6 +134,130 @@ func request_AdminService_SetUpOrg_0(ctx context.Context, marshaler runtime.Mars

 }

+func request_AdminService_GetOrgIamPolicy_0(ctx context.Context, marshaler runtime.Marshaler, client AdminServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq OrgIamPolicyID
+	var metadata runtime.ServerMetadata
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["org_id"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "org_id")
+	}
+
+	protoReq.OrgId, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "org_id", err)
+	}
+
+	msg, err := client.GetOrgIamPolicy(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func request_AdminService_CreateOrgIamPolicy_0(ctx context.Context, marshaler runtime.Marshaler, client AdminServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq OrgIamPolicyRequest
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["org_id"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "org_id")
+	}
+
+	protoReq.OrgId, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "org_id", err)
+	}
+
+	msg, err := client.CreateOrgIamPolicy(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func request_AdminService_UpdateOrgIamPolicy_0(ctx context.Context, marshaler runtime.Marshaler, client AdminServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq OrgIamPolicyRequest
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["org_id"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "org_id")
+	}
+
+	protoReq.OrgId, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "org_id", err)
+	}
+
+	msg, err := client.UpdateOrgIamPolicy(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func request_AdminService_DeleteOrgIamPolicy_0(ctx context.Context, marshaler runtime.Marshaler, client AdminServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq OrgIamPolicyID
+	var metadata runtime.ServerMetadata
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["org_id"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "org_id")
+	}
+
+	protoReq.OrgId, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "org_id", err)
+	}
+
+	msg, err := client.DeleteOrgIamPolicy(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
 // RegisterAdminServiceHandlerFromEndpoint is same as RegisterAdminServiceHandler but
 // automatically dials to "endpoint" and closes the connection when "ctx" gets done.
 func RegisterAdminServiceHandlerFromEndpoint(ctx context.Context, mux *runtime.ServeMux, endpoint string, opts []grpc.DialOption) (err error) {
@@ -315,23 +436,111 @@ func RegisterAdminServiceHandlerClient(ctx context.Context, mux *runtime.ServeMu

 	})

+	mux.Handle("GET", pattern_AdminService_GetOrgIamPolicy_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AdminService_GetOrgIamPolicy_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AdminService_GetOrgIamPolicy_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("POST", pattern_AdminService_CreateOrgIamPolicy_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AdminService_CreateOrgIamPolicy_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AdminService_CreateOrgIamPolicy_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("PUT", pattern_AdminService_UpdateOrgIamPolicy_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AdminService_UpdateOrgIamPolicy_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AdminService_UpdateOrgIamPolicy_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("DELETE", pattern_AdminService_DeleteOrgIamPolicy_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AdminService_DeleteOrgIamPolicy_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AdminService_DeleteOrgIamPolicy_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	return nil
 }

 var (
-	pattern_AdminService_Healthz_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0}, []string{"healthz"}, "", runtime.AssumeColonVerbOpt(true)))
+	pattern_AdminService_Healthz_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0}, []string{"healthz"}, ""))

-	pattern_AdminService_Ready_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0}, []string{"ready"}, "", runtime.AssumeColonVerbOpt(true)))
+	pattern_AdminService_Ready_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0}, []string{"ready"}, ""))

-	pattern_AdminService_Validate_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0}, []string{"validate"}, "", runtime.AssumeColonVerbOpt(true)))
+	pattern_AdminService_Validate_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0}, []string{"validate"}, ""))

-	pattern_AdminService_IsOrgUnique_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1}, []string{"orgs", "_isunique"}, "", runtime.AssumeColonVerbOpt(true)))
+	pattern_AdminService_IsOrgUnique_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1}, []string{"orgs", "_isunique"}, ""))

-	pattern_AdminService_GetOrgByID_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1}, []string{"orgs", "id"}, "", runtime.AssumeColonVerbOpt(true)))
+	pattern_AdminService_GetOrgByID_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1}, []string{"orgs", "id"}, ""))

-	pattern_AdminService_SearchOrgs_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1}, []string{"orgs", "_search"}, "", runtime.AssumeColonVerbOpt(true)))
+	pattern_AdminService_SearchOrgs_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1}, []string{"orgs", "_search"}, ""))

-	pattern_AdminService_SetUpOrg_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1}, []string{"orgs", "_setup"}, "", runtime.AssumeColonVerbOpt(true)))
+	pattern_AdminService_SetUpOrg_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1}, []string{"orgs", "_setup"}, ""))
+
+	pattern_AdminService_GetOrgIamPolicy_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2}, []string{"orgs", "org_id", "iampolicy"}, ""))
+
+	pattern_AdminService_CreateOrgIamPolicy_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2}, []string{"orgs", "org_id", "iampolicy"}, ""))
+
+	pattern_AdminService_UpdateOrgIamPolicy_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2}, []string{"orgs", "org_id", "iampolicy"}, ""))
+
+	pattern_AdminService_DeleteOrgIamPolicy_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2}, []string{"orgs", "org_id", "iampolicy"}, ""))
 )

 var (
@@ -348,4 +557,12 @@ var (
 	forward_AdminService_SearchOrgs_0 = runtime.ForwardResponseMessage

 	forward_AdminService_SetUpOrg_0 = runtime.ForwardResponseMessage
+
+	forward_AdminService_GetOrgIamPolicy_0 = runtime.ForwardResponseMessage
+
+	forward_AdminService_CreateOrgIamPolicy_0 = runtime.ForwardResponseMessage
+
+	forward_AdminService_UpdateOrgIamPolicy_0 = runtime.ForwardResponseMessage
+
+	forward_AdminService_DeleteOrgIamPolicy_0 = runtime.ForwardResponseMessage
 )
--- a/pkg/admin/api/grpc/admin.swagger.json
+++ b/pkg/admin/api/grpc/admin.swagger.json
@@ -143,6 +143,113 @@
        ]
      }
    },
+    "/orgs/{org_id}/iampolicy": {
+      "get": {
+        "summary": "ORG_IAM_POLICY",
+        "operationId": "GetOrgIamPolicy",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1OrgIamPolicy"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "org_id",
+            "in": "path",
+            "required": true,
+            "type": "string"
+          }
+        ],
+        "tags": [
+          "AdminService"
+        ]
+      },
+      "delete": {
+        "operationId": "DeleteOrgIamPolicy",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "properties": {}
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "org_id",
+            "in": "path",
+            "required": true,
+            "type": "string"
+          }
+        ],
+        "tags": [
+          "AdminService"
+        ]
+      },
+      "post": {
+        "operationId": "CreateOrgIamPolicy",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1OrgIamPolicy"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "org_id",
+            "in": "path",
+            "required": true,
+            "type": "string"
+          },
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/v1OrgIamPolicyRequest"
+            }
+          }
+        ],
+        "tags": [
+          "AdminService"
+        ]
+      },
+      "put": {
+        "operationId": "UpdateOrgIamPolicy",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1OrgIamPolicy"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "org_id",
+            "in": "path",
+            "required": true,
+            "type": "string"
+          },
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/v1OrgIamPolicyRequest"
+            }
+          }
+        ],
+        "tags": [
+          "AdminService"
+        ]
+      }
+    },
    "/ready": {
      "get": {
        "summary": "Ready returns status OK as soon as all dependent services are available",
@@ -167,7 +274,7 @@
          "200": {
            "description": "A successful response.",
            "schema": {
-              "type": "object"
+              "$ref": "#/definitions/protobufStruct"
            }
          }
        },
@@ -178,6 +285,19 @@
    }
  },
  "definitions": {
+    "protobufListValue": {
+      "type": "object",
+      "properties": {
+        "values": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/protobufValue"
+          },
+          "description": "Repeated field of dynamically typed values."
+        }
+      },
+      "description": "`ListValue` is a wrapper around a repeated field of values.\n\nThe JSON representation for `ListValue` is JSON array."
+    },
    "protobufNullValue": {
      "type": "string",
      "enum": [
@@ -186,6 +306,51 @@
      "default": "NULL_VALUE",
      "description": "`NullValue` is a singleton enumeration to represent the null value for the\n`Value` type union.\n\n The JSON representation for `NullValue` is JSON `null`.\n\n - NULL_VALUE: Null value."
    },
+    "protobufStruct": {
+      "type": "object",
+      "properties": {
+        "fields": {
+          "type": "object",
+          "additionalProperties": {
+            "$ref": "#/definitions/protobufValue"
+          },
+          "description": "Unordered map of dynamically typed values."
+        }
+      },
+      "description": "`Struct` represents a structured data value, consisting of fields\nwhich map to dynamically typed values. In some languages, `Struct`\nmight be supported by a native representation. For example, in\nscripting languages like JS a struct is represented as an\nobject. The details of that representation are described together\nwith the proto support for the language.\n\nThe JSON representation for `Struct` is JSON object."
+    },
+    "protobufValue": {
+      "type": "object",
+      "properties": {
+        "null_value": {
+          "$ref": "#/definitions/protobufNullValue",
+          "description": "Represents a null value."
+        },
+        "number_value": {
+          "type": "number",
+          "format": "double",
+          "description": "Represents a double value."
+        },
+        "string_value": {
+          "type": "string",
+          "description": "Represents a string value."
+        },
+        "bool_value": {
+          "type": "boolean",
+          "format": "boolean",
+          "description": "Represents a boolean value."
+        },
+        "struct_value": {
+          "$ref": "#/definitions/protobufStruct",
+          "description": "Represents a structured value."
+        },
+        "list_value": {
+          "$ref": "#/definitions/protobufListValue",
+          "description": "Represents a repeated `Value`."
+        }
+      },
+      "description": "`Value` represents a dynamically typed value which can be either\nnull, a number, a string, a boolean, a recursive struct value, or a\nlist of values. A producer of value is expected to set one of that\nvariants, absence of any variant indicates an error.\n\nThe JSON representation for `Value` is JSON value."
+    },
    "v1CreateOrgRequest": {
      "type": "object",
      "properties": {
@@ -290,6 +455,52 @@
        }
      }
    },
+    "v1OrgIamPolicy": {
+      "type": "object",
+      "properties": {
+        "org_id": {
+          "type": "string"
+        },
+        "description": {
+          "type": "string"
+        },
+        "user_login_must_be_domain": {
+          "type": "boolean",
+          "format": "boolean"
+        },
+        "default": {
+          "type": "boolean",
+          "format": "boolean"
+        },
+        "sequence": {
+          "type": "string",
+          "format": "uint64"
+        },
+        "creation_date": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "change_date": {
+          "type": "string",
+          "format": "date-time"
+        }
+      }
+    },
+    "v1OrgIamPolicyRequest": {
+      "type": "object",
+      "properties": {
+        "org_id": {
+          "type": "string"
+        },
+        "description": {
+          "type": "string"
+        },
+        "user_login_must_be_domain": {
+          "type": "boolean",
+          "format": "boolean"
+        }
+      }
+    },
    "v1OrgSearchKey": {
      "type": "string",
      "enum": [
--- a/pkg/admin/api/grpc/mock/admin.proto.mock.go
+++ b/pkg/admin/api/grpc/mock/admin.proto.mock.go
@@ -37,6 +37,46 @@ func (m *MockAdminServiceClient) EXPECT() *MockAdminServiceClientMockRecorder {
 	return m.recorder
 }

+// CreateOrgIamPolicy mocks base method
+func (m *MockAdminServiceClient) CreateOrgIamPolicy(arg0 context.Context, arg1 *grpc.OrgIamPolicyRequest, arg2 ...grpc0.CallOption) (*grpc.OrgIamPolicy, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "CreateOrgIamPolicy", varargs...)
+	ret0, _ := ret[0].(*grpc.OrgIamPolicy)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// CreateOrgIamPolicy indicates an expected call of CreateOrgIamPolicy
+func (mr *MockAdminServiceClientMockRecorder) CreateOrgIamPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateOrgIamPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).CreateOrgIamPolicy), varargs...)
+}
+
+// DeleteOrgIamPolicy mocks base method
+func (m *MockAdminServiceClient) DeleteOrgIamPolicy(arg0 context.Context, arg1 *grpc.OrgIamPolicyID, arg2 ...grpc0.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "DeleteOrgIamPolicy", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// DeleteOrgIamPolicy indicates an expected call of DeleteOrgIamPolicy
+func (mr *MockAdminServiceClientMockRecorder) DeleteOrgIamPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteOrgIamPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).DeleteOrgIamPolicy), varargs...)
+}
+
 // GetOrgByID mocks base method
 func (m *MockAdminServiceClient) GetOrgByID(arg0 context.Context, arg1 *grpc.OrgID, arg2 ...grpc0.CallOption) (*grpc.Org, error) {
 	m.ctrl.T.Helper()
@@ -57,6 +97,26 @@ func (mr *MockAdminServiceClientMockRecorder) GetOrgByID(arg0, arg1 interface{},
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetOrgByID", reflect.TypeOf((*MockAdminServiceClient)(nil).GetOrgByID), varargs...)
 }

+// GetOrgIamPolicy mocks base method
+func (m *MockAdminServiceClient) GetOrgIamPolicy(arg0 context.Context, arg1 *grpc.OrgIamPolicyID, arg2 ...grpc0.CallOption) (*grpc.OrgIamPolicy, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "GetOrgIamPolicy", varargs...)
+	ret0, _ := ret[0].(*grpc.OrgIamPolicy)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetOrgIamPolicy indicates an expected call of GetOrgIamPolicy
+func (mr *MockAdminServiceClientMockRecorder) GetOrgIamPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetOrgIamPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).GetOrgIamPolicy), varargs...)
+}
+
 // Healthz mocks base method
 func (m *MockAdminServiceClient) Healthz(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc0.CallOption) (*emptypb.Empty, error) {
 	m.ctrl.T.Helper()
@@ -157,6 +217,26 @@ func (mr *MockAdminServiceClientMockRecorder) SetUpOrg(arg0, arg1 interface{}, a
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetUpOrg", reflect.TypeOf((*MockAdminServiceClient)(nil).SetUpOrg), varargs...)
 }

+// UpdateOrgIamPolicy mocks base method
+func (m *MockAdminServiceClient) UpdateOrgIamPolicy(arg0 context.Context, arg1 *grpc.OrgIamPolicyRequest, arg2 ...grpc0.CallOption) (*grpc.OrgIamPolicy, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "UpdateOrgIamPolicy", varargs...)
+	ret0, _ := ret[0].(*grpc.OrgIamPolicy)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// UpdateOrgIamPolicy indicates an expected call of UpdateOrgIamPolicy
+func (mr *MockAdminServiceClientMockRecorder) UpdateOrgIamPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateOrgIamPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).UpdateOrgIamPolicy), varargs...)
+}
+
 // Validate mocks base method
 func (m *MockAdminServiceClient) Validate(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc0.CallOption) (*structpb.Struct, error) {
 	m.ctrl.T.Helper()
--- a/pkg/admin/api/grpc/org.go
+++ b/pkg/admin/api/grpc/org.go
@@ -2,10 +2,7 @@ package grpc

 import (
 	"context"
-
-	"github.com/caos/zitadel/internal/model"
-
-	org_model "github.com/caos/zitadel/internal/org/model"
+	"github.com/golang/protobuf/ptypes/empty"
 )

 func (s *Server) GetOrgByID(ctx context.Context, orgID *OrgID) (_ *Org, err error) {
@@ -43,56 +40,31 @@ func (s *Server) SetUpOrg(ctx context.Context, orgSetUp *OrgSetUpRequest) (_ *Or
 	return setUpOrgResponseFromModel(setUp), err
 }

-func orgSearchRequestToModel(req *OrgSearchRequest) *org_model.OrgSearchRequest {
-	return &org_model.OrgSearchRequest{
-		Limit:         req.Limit,
-		Asc:           req.Asc,
-		Offset:        req.Offset,
-		Queries:       orgQueriesToModel(req.Queries),
-		SortingColumn: orgQueryKeyToModel(req.SortingColumn),
+func (s *Server) GetOrgIamPolicy(ctx context.Context, in *OrgIamPolicyID) (_ *OrgIamPolicy, err error) {
+	policy, err := s.org.GetOrgIamPolicyByID(ctx, in.OrgId)
+	if err != nil {
+		return nil, err
 	}
+	return orgIamPolicyFromModel(policy), err
 }

-func orgQueriesToModel(queries []*OrgSearchQuery) []*org_model.OrgSearchQuery {
-	modelQueries := make([]*org_model.OrgSearchQuery, len(queries))
-
-	for i, query := range queries {
-		modelQueries[i] = orgQueryToModel(query)
+func (s *Server) CreateOrgIamPolicy(ctx context.Context, in *OrgIamPolicyRequest) (_ *OrgIamPolicy, err error) {
+	policy, err := s.org.CreateOrgIamPolicy(ctx, orgIamPolicyRequestToModel(in))
+	if err != nil {
+		return nil, err
 	}
-
-	return modelQueries
+	return orgIamPolicyFromModel(policy), err
 }

-func orgQueryToModel(query *OrgSearchQuery) *org_model.OrgSearchQuery {
-	return &org_model.OrgSearchQuery{
-		Key:    orgQueryKeyToModel(query.Key),
-		Value:  query.Value,
-		Method: orgQueryMethodToModel(query.Method),
+func (s *Server) UpdateOrgIamPolicy(ctx context.Context, in *OrgIamPolicyRequest) (_ *OrgIamPolicy, err error) {
+	policy, err := s.org.ChangeOrgIamPolicy(ctx, orgIamPolicyRequestToModel(in))
+	if err != nil {
+		return nil, err
 	}
+	return orgIamPolicyFromModel(policy), err
 }

-func orgQueryKeyToModel(key OrgSearchKey) org_model.OrgSearchKey {
-	switch key {
-	case OrgSearchKey_ORGSEARCHKEY_DOMAIN:
-		return org_model.ORGSEARCHKEY_ORG_DOMAIN
-	case OrgSearchKey_ORGSEARCHKEY_ORG_NAME:
-		return org_model.ORGSEARCHKEY_ORG_NAME
-	case OrgSearchKey_ORGSEARCHKEY_STATE:
-		return org_model.ORGSEARCHKEY_STATE
-	default:
-		return org_model.ORGSEARCHKEY_UNSPECIFIED
-	}
-}
-
-func orgQueryMethodToModel(method OrgSearchMethod) model.SearchMethod {
-	switch method {
-	case OrgSearchMethod_ORGSEARCHMETHOD_CONTAINS:
-		return model.SEARCHMETHOD_CONTAINS
-	case OrgSearchMethod_ORGSEARCHMETHOD_EQUALS:
-		return model.SEARCHMETHOD_EQUALS
-	case OrgSearchMethod_ORGSEARCHMETHOD_STARTS_WITH:
-		return model.SEARCHMETHOD_STARTS_WITH
-	default:
-		return 0
-	}
+func (s *Server) DeleteOrgIamPolicy(ctx context.Context, in *OrgIamPolicyID) (_ *empty.Empty, err error) {
+	err = s.org.RemoveOrgIamPolicy(ctx, in.OrgId)
+	return &empty.Empty{}, err
 }
--- a/pkg/admin/api/grpc/org_converter.go
+++ b/pkg/admin/api/grpc/org_converter.go
@@ -3,6 +3,8 @@ package grpc
 import (
 	"github.com/caos/logging"
 	admin_model "github.com/caos/zitadel/internal/admin/model"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/model"
 	org_model "github.com/caos/zitadel/internal/org/model"
 	usr_model "github.com/caos/zitadel/internal/user/model"
 	"github.com/golang/protobuf/ptypes"
@@ -18,8 +20,8 @@ func setUpRequestToModel(setUp *OrgSetUpRequest) *admin_model.SetupOrg {

 func orgCreateRequestToModel(org *CreateOrgRequest) *org_model.Org {
 	return &org_model.Org{
-		Domain: org.Domain,
-		Name:   org.Name,
+		Domains: []*org_model.OrgDomain{&org_model.OrgDomain{Domain: org.Domain}},
+		Name:    org.Name,
 	}
 }

@@ -82,7 +84,6 @@ func orgFromModel(org *org_model.Org) *Org {
 	logging.Log("GRPC-dVnoj").OnError(err).Debug("unable to get timestamp from time")

 	return &Org{
-		Domain:       org.Domain,
 		ChangeDate:   changeDate,
 		CreationDate: creationDate,
 		Id:           org.AggregateID,
@@ -99,7 +100,6 @@ func orgViewFromModel(org *org_model.OrgView) *Org {
 	logging.Log("GRPC-dVnoj").OnError(err).Debug("unable to get timestamp from time")

 	return &Org{
-		Domain:       org.Domain,
 		ChangeDate:   changeDate,
 		CreationDate: creationDate,
 		Id:           org.ID,
@@ -196,3 +196,84 @@ func userStateFromModel(state usr_model.UserState) UserState {
 		return UserState_USERSTATE_UNSPECIFIED
 	}
 }
+
+func orgSearchRequestToModel(req *OrgSearchRequest) *org_model.OrgSearchRequest {
+	return &org_model.OrgSearchRequest{
+		Limit:         req.Limit,
+		Asc:           req.Asc,
+		Offset:        req.Offset,
+		Queries:       orgQueriesToModel(req.Queries),
+		SortingColumn: orgQueryKeyToModel(req.SortingColumn),
+	}
+}
+
+func orgQueriesToModel(queries []*OrgSearchQuery) []*org_model.OrgSearchQuery {
+	modelQueries := make([]*org_model.OrgSearchQuery, len(queries))
+
+	for i, query := range queries {
+		modelQueries[i] = orgQueryToModel(query)
+	}
+
+	return modelQueries
+}
+
+func orgQueryToModel(query *OrgSearchQuery) *org_model.OrgSearchQuery {
+	return &org_model.OrgSearchQuery{
+		Key:    orgQueryKeyToModel(query.Key),
+		Value:  query.Value,
+		Method: orgQueryMethodToModel(query.Method),
+	}
+}
+
+func orgQueryKeyToModel(key OrgSearchKey) org_model.OrgSearchKey {
+	switch key {
+	case OrgSearchKey_ORGSEARCHKEY_DOMAIN:
+		return org_model.ORGSEARCHKEY_ORG_DOMAIN
+	case OrgSearchKey_ORGSEARCHKEY_ORG_NAME:
+		return org_model.ORGSEARCHKEY_ORG_NAME
+	case OrgSearchKey_ORGSEARCHKEY_STATE:
+		return org_model.ORGSEARCHKEY_STATE
+	default:
+		return org_model.ORGSEARCHKEY_UNSPECIFIED
+	}
+}
+
+func orgQueryMethodToModel(method OrgSearchMethod) model.SearchMethod {
+	switch method {
+	case OrgSearchMethod_ORGSEARCHMETHOD_CONTAINS:
+		return model.SEARCHMETHOD_CONTAINS
+	case OrgSearchMethod_ORGSEARCHMETHOD_EQUALS:
+		return model.SEARCHMETHOD_EQUALS
+	case OrgSearchMethod_ORGSEARCHMETHOD_STARTS_WITH:
+		return model.SEARCHMETHOD_STARTS_WITH
+	default:
+		return 0
+	}
+}
+
+func orgIamPolicyFromModel(policy *org_model.OrgIamPolicy) *OrgIamPolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-ush36").OnError(err).Debug("unable to get timestamp from time")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-Ps9fW").OnError(err).Debug("unable to get timestamp from time")
+
+	return &OrgIamPolicy{
+		OrgId:                 policy.AggregateID,
+		Description:           policy.Description,
+		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
+		Default:               policy.Default,
+		CreationDate:          creationDate,
+		ChangeDate:            changeDate,
+	}
+}
+
+func orgIamPolicyRequestToModel(policy *OrgIamPolicyRequest) *org_model.OrgIamPolicy {
+	return &org_model.OrgIamPolicy{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: policy.OrgId,
+		},
+		Description:           policy.Description,
+		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
+	}
+}
--- a/pkg/admin/api/proto/admin.proto
+++ b/pkg/admin/api/proto/admin.proto
@@ -98,6 +98,49 @@ service AdminService {
            permission: "iam.write"
        };
    }
+
+    //ORG_IAM_POLICY
+    rpc GetOrgIamPolicy(OrgIamPolicyID) returns (OrgIamPolicy) {
+        option (google.api.http) = {
+            get: "/orgs/{org_id}/iampolicy"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.read"
+        };
+    }
+
+    rpc CreateOrgIamPolicy(OrgIamPolicyRequest) returns (OrgIamPolicy) {
+        option (google.api.http) = {
+            post: "/orgs/{org_id}/iampolicy"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc UpdateOrgIamPolicy(OrgIamPolicyRequest) returns (OrgIamPolicy) {
+        option (google.api.http) = {
+            put: "/orgs/{org_id}/iampolicy"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc DeleteOrgIamPolicy(OrgIamPolicyID) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+            delete: "/orgs/{org_id}/iampolicy"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.delete"
+        };
+    }
 }

 message OrgID {
@@ -235,5 +278,25 @@ enum Gender {

 message CreateOrgRequest {
    string name = 1 [(validate.rules).string.min_len = 1];
-    string domain = 2 [(validate.rules).string.min_len = 1];
+    string domain = 2;
 }
+
+message OrgIamPolicy {
+    string org_id = 1;
+    string description = 2;
+    bool user_login_must_be_domain = 3;
+    bool default = 4;
+    uint64 sequence = 5;
+    google.protobuf.Timestamp creation_date = 6;
+    google.protobuf.Timestamp change_date = 7;
+}
+
+message OrgIamPolicyRequest {
+    string org_id = 1;
+    string description = 2;
+    bool user_login_must_be_domain = 3;
+}
+
+message OrgIamPolicyID {
+    string org_id = 1;
+}