feat: api v2beta to api v2 (#8283)

# Which Problems Are Solved

The v2beta services are stable but not GA.

# How the Problems Are Solved

The v2beta services are copied to v2. The corresponding v1 and v2beta
services are deprecated.

# Additional Context

Closes #7236

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>

internal/api/grpc/settings/v2/server.go

@@ -10,7 +10,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/grpc/server"
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/query"
-	settings "github.com/zitadel/zitadel/pkg/grpc/settings/v2beta"
+	"github.com/zitadel/zitadel/pkg/grpc/settings/v2"
 )
 
 var _ settings.SettingsServiceServer = (*Server)(nil)

internal/api/grpc/settings/v2/server_integration_test.go

@@ -9,7 +9,7 @@ import (
 	"time"
 
 	"github.com/zitadel/zitadel/internal/integration"
-	settings "github.com/zitadel/zitadel/pkg/grpc/settings/v2beta"
+	"github.com/zitadel/zitadel/pkg/grpc/settings/v2"
 )
 
 var (

internal/api/grpc/settings/v2/settings.go

@@ -10,8 +10,8 @@ import (
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/i18n"
 	"github.com/zitadel/zitadel/internal/query"
-	object_pb "github.com/zitadel/zitadel/pkg/grpc/object/v2beta"
-	settings "github.com/zitadel/zitadel/pkg/grpc/settings/v2beta"
+	object_pb "github.com/zitadel/zitadel/pkg/grpc/object/v2"
+	"github.com/zitadel/zitadel/pkg/grpc/settings/v2"
 )
 
 func (s *Server) GetLoginSettings(ctx context.Context, req *settings.GetLoginSettingsRequest) (*settings.GetLoginSettingsResponse, error) {

internal/api/grpc/settings/v2/settings_converter.go

@@ -8,7 +8,7 @@ import (
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/query"
-	settings "github.com/zitadel/zitadel/pkg/grpc/settings/v2beta"
+	"github.com/zitadel/zitadel/pkg/grpc/settings/v2"
 )
 
 func loginSettingsToPb(current *query.LoginPolicy) *settings.LoginSettings {

internal/api/grpc/settings/v2/settings_converter_test.go

@@ -16,7 +16,7 @@ import (
 	"github.com/zitadel/zitadel/internal/database"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/query"
-	settings "github.com/zitadel/zitadel/pkg/grpc/settings/v2beta"
+	"github.com/zitadel/zitadel/pkg/grpc/settings/v2"
 )
 
 var ignoreTypes = []protoreflect.FullName{"google.protobuf.Duration"}

internal/api/grpc/settings/v2/settings_integration_test.go

@@ -11,8 +11,8 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/zitadel/zitadel/internal/integration"
-	object_pb "github.com/zitadel/zitadel/pkg/grpc/object/v2beta"
-	settings "github.com/zitadel/zitadel/pkg/grpc/settings/v2beta"
+	object_pb "github.com/zitadel/zitadel/pkg/grpc/object/v2"
+	"github.com/zitadel/zitadel/pkg/grpc/settings/v2"
 )
 
 func TestServer_GetSecuritySettings(t *testing.T) {

internal/api/grpc/settings/v2beta/server.go

@@ -0,0 +1,57 @@
+package settings
+
+import (
+	"context"
+
+	"google.golang.org/grpc"
+
+	"github.com/zitadel/zitadel/internal/api/assets"
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/api/grpc/server"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/query"
+	settings "github.com/zitadel/zitadel/pkg/grpc/settings/v2beta"
+)
+
+var _ settings.SettingsServiceServer = (*Server)(nil)
+
+type Server struct {
+	settings.UnimplementedSettingsServiceServer
+	command         *command.Commands
+	query           *query.Queries
+	assetsAPIDomain func(context.Context) string
+}
+
+type Config struct{}
+
+func CreateServer(
+	command *command.Commands,
+	query *query.Queries,
+	externalSecure bool,
+) *Server {
+	return &Server{
+		command:         command,
+		query:           query,
+		assetsAPIDomain: assets.AssetAPI(externalSecure),
+	}
+}
+
+func (s *Server) RegisterServer(grpcServer *grpc.Server) {
+	settings.RegisterSettingsServiceServer(grpcServer, s)
+}
+
+func (s *Server) AppName() string {
+	return settings.SettingsService_ServiceDesc.ServiceName
+}
+
+func (s *Server) MethodPrefix() string {
+	return settings.SettingsService_ServiceDesc.ServiceName
+}
+
+func (s *Server) AuthMethods() authz.MethodMapping {
+	return settings.SettingsService_AuthMethods
+}
+
+func (s *Server) RegisterGateway() server.RegisterGatewayFunc {
+	return settings.RegisterSettingsServiceHandler
+}

internal/api/grpc/settings/v2beta/server_integration_test.go

@@ -0,0 +1,34 @@
+//go:build integration
+
+package settings_test
+
+import (
+	"context"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/integration"
+	settings "github.com/zitadel/zitadel/pkg/grpc/settings/v2beta"
+)
+
+var (
+	CTX, AdminCTX context.Context
+	Tester        *integration.Tester
+	Client        settings.SettingsServiceClient
+)
+
+func TestMain(m *testing.M) {
+	os.Exit(func() int {
+		ctx, _, cancel := integration.Contexts(3 * time.Minute)
+		defer cancel()
+
+		Tester = integration.NewTester(ctx)
+		defer Tester.Done()
+
+		CTX = ctx
+		AdminCTX = Tester.WithAuthorization(ctx, integration.IAMOwner)
+		Client = Tester.Client.SettingsV2beta
+		return m.Run()
+	}())
+}

internal/api/grpc/settings/v2beta/settings.go

@@ -0,0 +1,161 @@
+package settings
+
+import (
+	"context"
+
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	object "github.com/zitadel/zitadel/internal/api/grpc/object/v2beta"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/i18n"
+	"github.com/zitadel/zitadel/internal/query"
+	object_pb "github.com/zitadel/zitadel/pkg/grpc/object/v2beta"
+	settings "github.com/zitadel/zitadel/pkg/grpc/settings/v2beta"
+)
+
+func (s *Server) GetLoginSettings(ctx context.Context, req *settings.GetLoginSettingsRequest) (*settings.GetLoginSettingsResponse, error) {
+	current, err := s.query.LoginPolicyByID(ctx, true, object.ResourceOwnerFromReq(ctx, req.GetCtx()), false)
+	if err != nil {
+		return nil, err
+	}
+	return &settings.GetLoginSettingsResponse{
+		Settings: loginSettingsToPb(current),
+		Details: &object_pb.Details{
+			Sequence:      current.Sequence,
+			ChangeDate:    timestamppb.New(current.ChangeDate),
+			ResourceOwner: current.OrgID,
+		},
+	}, nil
+}
+
+func (s *Server) GetPasswordComplexitySettings(ctx context.Context, req *settings.GetPasswordComplexitySettingsRequest) (*settings.GetPasswordComplexitySettingsResponse, error) {
+	current, err := s.query.PasswordComplexityPolicyByOrg(ctx, true, object.ResourceOwnerFromReq(ctx, req.GetCtx()), false)
+	if err != nil {
+		return nil, err
+	}
+	return &settings.GetPasswordComplexitySettingsResponse{
+		Settings: passwordComplexitySettingsToPb(current),
+		Details: &object_pb.Details{
+			Sequence:      current.Sequence,
+			ChangeDate:    timestamppb.New(current.ChangeDate),
+			ResourceOwner: current.ResourceOwner,
+		},
+	}, nil
+}
+
+func (s *Server) GetPasswordExpirySettings(ctx context.Context, req *settings.GetPasswordExpirySettingsRequest) (*settings.GetPasswordExpirySettingsResponse, error) {
+	current, err := s.query.PasswordAgePolicyByOrg(ctx, true, object.ResourceOwnerFromReq(ctx, req.GetCtx()), false)
+	if err != nil {
+		return nil, err
+	}
+	return &settings.GetPasswordExpirySettingsResponse{
+		Settings: passwordExpirySettingsToPb(current),
+		Details: &object_pb.Details{
+			Sequence:      current.Sequence,
+			ChangeDate:    timestamppb.New(current.ChangeDate),
+			ResourceOwner: current.ResourceOwner,
+		},
+	}, nil
+}
+
+func (s *Server) GetBrandingSettings(ctx context.Context, req *settings.GetBrandingSettingsRequest) (*settings.GetBrandingSettingsResponse, error) {
+	current, err := s.query.ActiveLabelPolicyByOrg(ctx, object.ResourceOwnerFromReq(ctx, req.GetCtx()), false)
+	if err != nil {
+		return nil, err
+	}
+	return &settings.GetBrandingSettingsResponse{
+		Settings: brandingSettingsToPb(current, s.assetsAPIDomain(ctx)),
+		Details: &object_pb.Details{
+			Sequence:      current.Sequence,
+			ChangeDate:    timestamppb.New(current.ChangeDate),
+			ResourceOwner: current.ResourceOwner,
+		},
+	}, nil
+}
+
+func (s *Server) GetDomainSettings(ctx context.Context, req *settings.GetDomainSettingsRequest) (*settings.GetDomainSettingsResponse, error) {
+	current, err := s.query.DomainPolicyByOrg(ctx, true, object.ResourceOwnerFromReq(ctx, req.GetCtx()), false)
+	if err != nil {
+		return nil, err
+	}
+	return &settings.GetDomainSettingsResponse{
+		Settings: domainSettingsToPb(current),
+		Details: &object_pb.Details{
+			Sequence:      current.Sequence,
+			ChangeDate:    timestamppb.New(current.ChangeDate),
+			ResourceOwner: current.ResourceOwner,
+		},
+	}, nil
+}
+
+func (s *Server) GetLegalAndSupportSettings(ctx context.Context, req *settings.GetLegalAndSupportSettingsRequest) (*settings.GetLegalAndSupportSettingsResponse, error) {
+	current, err := s.query.PrivacyPolicyByOrg(ctx, true, object.ResourceOwnerFromReq(ctx, req.GetCtx()), false)
+	if err != nil {
+		return nil, err
+	}
+	return &settings.GetLegalAndSupportSettingsResponse{
+		Settings: legalAndSupportSettingsToPb(current),
+		Details: &object_pb.Details{
+			Sequence:      current.Sequence,
+			ChangeDate:    timestamppb.New(current.ChangeDate),
+			ResourceOwner: current.ResourceOwner,
+		},
+	}, nil
+}
+
+func (s *Server) GetLockoutSettings(ctx context.Context, req *settings.GetLockoutSettingsRequest) (*settings.GetLockoutSettingsResponse, error) {
+	current, err := s.query.LockoutPolicyByOrg(ctx, true, object.ResourceOwnerFromReq(ctx, req.GetCtx()))
+	if err != nil {
+		return nil, err
+	}
+	return &settings.GetLockoutSettingsResponse{
+		Settings: lockoutSettingsToPb(current),
+		Details: &object_pb.Details{
+			Sequence:      current.Sequence,
+			ChangeDate:    timestamppb.New(current.ChangeDate),
+			ResourceOwner: current.ResourceOwner,
+		},
+	}, nil
+}
+
+func (s *Server) GetActiveIdentityProviders(ctx context.Context, req *settings.GetActiveIdentityProvidersRequest) (*settings.GetActiveIdentityProvidersResponse, error) {
+	links, err := s.query.IDPLoginPolicyLinks(ctx, object.ResourceOwnerFromReq(ctx, req.GetCtx()), &query.IDPLoginPolicyLinksSearchQuery{}, false)
+	if err != nil {
+		return nil, err
+	}
+
+	return &settings.GetActiveIdentityProvidersResponse{
+		Details:           object.ToListDetails(links.SearchResponse),
+		IdentityProviders: identityProvidersToPb(links.Links),
+	}, nil
+}
+
+func (s *Server) GetGeneralSettings(ctx context.Context, _ *settings.GetGeneralSettingsRequest) (*settings.GetGeneralSettingsResponse, error) {
+	instance := authz.GetInstance(ctx)
+	return &settings.GetGeneralSettingsResponse{
+		SupportedLanguages: domain.LanguagesToStrings(i18n.SupportedLanguages()),
+		DefaultOrgId:       instance.DefaultOrganisationID(),
+		DefaultLanguage:    instance.DefaultLanguage().String(),
+	}, nil
+}
+
+func (s *Server) GetSecuritySettings(ctx context.Context, req *settings.GetSecuritySettingsRequest) (*settings.GetSecuritySettingsResponse, error) {
+	policy, err := s.query.SecurityPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return &settings.GetSecuritySettingsResponse{
+		Settings: securityPolicyToSettingsPb(policy),
+	}, nil
+}
+
+func (s *Server) SetSecuritySettings(ctx context.Context, req *settings.SetSecuritySettingsRequest) (*settings.SetSecuritySettingsResponse, error) {
+	details, err := s.command.SetSecurityPolicy(ctx, securitySettingsToCommand(req))
+	if err != nil {
+		return nil, err
+	}
+	return &settings.SetSecuritySettingsResponse{
+		Details: object.DomainToDetailsPb(details),
+	}, nil
+}

internal/api/grpc/settings/v2beta/settings_converter.go

@@ -0,0 +1,245 @@
+package settings
+
+import (
+	"time"
+
+	"google.golang.org/protobuf/types/known/durationpb"
+
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/query"
+	settings "github.com/zitadel/zitadel/pkg/grpc/settings/v2beta"
+)
+
+func loginSettingsToPb(current *query.LoginPolicy) *settings.LoginSettings {
+	multi := make([]settings.MultiFactorType, len(current.MultiFactors))
+	for i, typ := range current.MultiFactors {
+		multi[i] = multiFactorTypeToPb(typ)
+	}
+	second := make([]settings.SecondFactorType, len(current.SecondFactors))
+	for i, typ := range current.SecondFactors {
+		second[i] = secondFactorTypeToPb(typ)
+	}
+
+	return &settings.LoginSettings{
+		AllowUsernamePassword:      current.AllowUsernamePassword,
+		AllowRegister:              current.AllowRegister,
+		AllowExternalIdp:           current.AllowExternalIDPs,
+		ForceMfa:                   current.ForceMFA,
+		ForceMfaLocalOnly:          current.ForceMFALocalOnly,
+		PasskeysType:               passkeysTypeToPb(current.PasswordlessType),
+		HidePasswordReset:          current.HidePasswordReset,
+		IgnoreUnknownUsernames:     current.IgnoreUnknownUsernames,
+		AllowDomainDiscovery:       current.AllowDomainDiscovery,
+		DisableLoginWithEmail:      current.DisableLoginWithEmail,
+		DisableLoginWithPhone:      current.DisableLoginWithPhone,
+		DefaultRedirectUri:         current.DefaultRedirectURI,
+		PasswordCheckLifetime:      durationpb.New(time.Duration(current.PasswordCheckLifetime)),
+		ExternalLoginCheckLifetime: durationpb.New(time.Duration(current.ExternalLoginCheckLifetime)),
+		MfaInitSkipLifetime:        durationpb.New(time.Duration(current.MFAInitSkipLifetime)),
+		SecondFactorCheckLifetime:  durationpb.New(time.Duration(current.SecondFactorCheckLifetime)),
+		MultiFactorCheckLifetime:   durationpb.New(time.Duration(current.MultiFactorCheckLifetime)),
+		SecondFactors:              second,
+		MultiFactors:               multi,
+		ResourceOwnerType:          isDefaultToResourceOwnerTypePb(current.IsDefault),
+	}
+}
+
+func isDefaultToResourceOwnerTypePb(isDefault bool) settings.ResourceOwnerType {
+	if isDefault {
+		return settings.ResourceOwnerType_RESOURCE_OWNER_TYPE_INSTANCE
+	}
+	return settings.ResourceOwnerType_RESOURCE_OWNER_TYPE_ORG
+}
+
+func passkeysTypeToPb(passwordlessType domain.PasswordlessType) settings.PasskeysType {
+	switch passwordlessType {
+	case domain.PasswordlessTypeAllowed:
+		return settings.PasskeysType_PASSKEYS_TYPE_ALLOWED
+	case domain.PasswordlessTypeNotAllowed:
+		return settings.PasskeysType_PASSKEYS_TYPE_NOT_ALLOWED
+	default:
+		return settings.PasskeysType_PASSKEYS_TYPE_NOT_ALLOWED
+	}
+}
+
+func secondFactorTypeToPb(secondFactorType domain.SecondFactorType) settings.SecondFactorType {
+	switch secondFactorType {
+	case domain.SecondFactorTypeTOTP:
+		return settings.SecondFactorType_SECOND_FACTOR_TYPE_OTP
+	case domain.SecondFactorTypeU2F:
+		return settings.SecondFactorType_SECOND_FACTOR_TYPE_U2F
+	case domain.SecondFactorTypeOTPEmail:
+		return settings.SecondFactorType_SECOND_FACTOR_TYPE_OTP_EMAIL
+	case domain.SecondFactorTypeOTPSMS:
+		return settings.SecondFactorType_SECOND_FACTOR_TYPE_OTP_SMS
+	case domain.SecondFactorTypeUnspecified:
+		return settings.SecondFactorType_SECOND_FACTOR_TYPE_UNSPECIFIED
+	default:
+		return settings.SecondFactorType_SECOND_FACTOR_TYPE_UNSPECIFIED
+	}
+}
+
+func multiFactorTypeToPb(typ domain.MultiFactorType) settings.MultiFactorType {
+	switch typ {
+	case domain.MultiFactorTypeU2FWithPIN:
+		return settings.MultiFactorType_MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
+	case domain.MultiFactorTypeUnspecified:
+		return settings.MultiFactorType_MULTI_FACTOR_TYPE_UNSPECIFIED
+	default:
+		return settings.MultiFactorType_MULTI_FACTOR_TYPE_UNSPECIFIED
+	}
+}
+
+func passwordComplexitySettingsToPb(current *query.PasswordComplexityPolicy) *settings.PasswordComplexitySettings {
+	return &settings.PasswordComplexitySettings{
+		MinLength:         current.MinLength,
+		RequiresUppercase: current.HasUppercase,
+		RequiresLowercase: current.HasLowercase,
+		RequiresNumber:    current.HasNumber,
+		RequiresSymbol:    current.HasSymbol,
+		ResourceOwnerType: isDefaultToResourceOwnerTypePb(current.IsDefault),
+	}
+}
+
+func passwordExpirySettingsToPb(current *query.PasswordAgePolicy) *settings.PasswordExpirySettings {
+	return &settings.PasswordExpirySettings{
+		MaxAgeDays:        current.MaxAgeDays,
+		ExpireWarnDays:    current.ExpireWarnDays,
+		ResourceOwnerType: isDefaultToResourceOwnerTypePb(current.IsDefault),
+	}
+}
+
+func brandingSettingsToPb(current *query.LabelPolicy, assetPrefix string) *settings.BrandingSettings {
+	return &settings.BrandingSettings{
+		LightTheme:          themeToPb(current.Light, assetPrefix, current.ResourceOwner),
+		DarkTheme:           themeToPb(current.Dark, assetPrefix, current.ResourceOwner),
+		FontUrl:             domain.AssetURL(assetPrefix, current.ResourceOwner, current.FontURL),
+		DisableWatermark:    current.WatermarkDisabled,
+		HideLoginNameSuffix: current.HideLoginNameSuffix,
+		ResourceOwnerType:   isDefaultToResourceOwnerTypePb(current.IsDefault),
+		ThemeMode:           themeModeToPb(current.ThemeMode),
+	}
+}
+
+func themeModeToPb(themeMode domain.LabelPolicyThemeMode) settings.ThemeMode {
+	switch themeMode {
+	case domain.LabelPolicyThemeAuto:
+		return settings.ThemeMode_THEME_MODE_AUTO
+	case domain.LabelPolicyThemeLight:
+		return settings.ThemeMode_THEME_MODE_LIGHT
+	case domain.LabelPolicyThemeDark:
+		return settings.ThemeMode_THEME_MODE_DARK
+	default:
+		return settings.ThemeMode_THEME_MODE_AUTO
+	}
+}
+
+func themeToPb(theme query.Theme, assetPrefix, resourceOwner string) *settings.Theme {
+	return &settings.Theme{
+		PrimaryColor:    theme.PrimaryColor,
+		BackgroundColor: theme.BackgroundColor,
+		FontColor:       theme.FontColor,
+		WarnColor:       theme.WarnColor,
+		LogoUrl:         domain.AssetURL(assetPrefix, resourceOwner, theme.LogoURL),
+		IconUrl:         domain.AssetURL(assetPrefix, resourceOwner, theme.IconURL),
+	}
+}
+
+func domainSettingsToPb(current *query.DomainPolicy) *settings.DomainSettings {
+	return &settings.DomainSettings{
+		LoginNameIncludesDomain:                current.UserLoginMustBeDomain,
+		RequireOrgDomainVerification:           current.ValidateOrgDomains,
+		SmtpSenderAddressMatchesInstanceDomain: current.SMTPSenderAddressMatchesInstanceDomain,
+		ResourceOwnerType:                      isDefaultToResourceOwnerTypePb(current.IsDefault),
+	}
+}
+
+func legalAndSupportSettingsToPb(current *query.PrivacyPolicy) *settings.LegalAndSupportSettings {
+	return &settings.LegalAndSupportSettings{
+		TosLink:           current.TOSLink,
+		PrivacyPolicyLink: current.PrivacyLink,
+		HelpLink:          current.HelpLink,
+		SupportEmail:      string(current.SupportEmail),
+		ResourceOwnerType: isDefaultToResourceOwnerTypePb(current.IsDefault),
+		DocsLink:          current.DocsLink,
+		CustomLink:        current.CustomLink,
+		CustomLinkText:    current.CustomLinkText,
+	}
+}
+
+func lockoutSettingsToPb(current *query.LockoutPolicy) *settings.LockoutSettings {
+	return &settings.LockoutSettings{
+		MaxPasswordAttempts: current.MaxPasswordAttempts,
+		MaxOtpAttempts:      current.MaxOTPAttempts,
+		ResourceOwnerType:   isDefaultToResourceOwnerTypePb(current.IsDefault),
+	}
+}
+
+func identityProvidersToPb(idps []*query.IDPLoginPolicyLink) []*settings.IdentityProvider {
+	providers := make([]*settings.IdentityProvider, len(idps))
+	for i, idp := range idps {
+		providers[i] = identityProviderToPb(idp)
+	}
+	return providers
+}
+
+func identityProviderToPb(idp *query.IDPLoginPolicyLink) *settings.IdentityProvider {
+	return &settings.IdentityProvider{
+		Id:   idp.IDPID,
+		Name: domain.IDPName(idp.IDPName, idp.IDPType),
+		Type: idpTypeToPb(idp.IDPType),
+	}
+}
+
+func idpTypeToPb(idpType domain.IDPType) settings.IdentityProviderType {
+	switch idpType {
+	case domain.IDPTypeUnspecified:
+		return settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_UNSPECIFIED
+	case domain.IDPTypeOIDC:
+		return settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_OIDC
+	case domain.IDPTypeJWT:
+		return settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_JWT
+	case domain.IDPTypeOAuth:
+		return settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_OAUTH
+	case domain.IDPTypeLDAP:
+		return settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_LDAP
+	case domain.IDPTypeAzureAD:
+		return settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_AZURE_AD
+	case domain.IDPTypeGitHub:
+		return settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_GITHUB
+	case domain.IDPTypeGitHubEnterprise:
+		return settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_GITHUB_ES
+	case domain.IDPTypeGitLab:
+		return settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_GITLAB
+	case domain.IDPTypeGitLabSelfHosted:
+		return settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_GITLAB_SELF_HOSTED
+	case domain.IDPTypeGoogle:
+		return settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_GOOGLE
+	case domain.IDPTypeSAML:
+		return settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_SAML
+	case domain.IDPTypeApple:
+		// Handle all remaining cases so the linter succeeds
+		return settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_UNSPECIFIED
+	default:
+		return settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_UNSPECIFIED
+	}
+}
+
+func securityPolicyToSettingsPb(policy *query.SecurityPolicy) *settings.SecuritySettings {
+	return &settings.SecuritySettings{
+		EmbeddedIframe: &settings.EmbeddedIframeSettings{
+			Enabled:        policy.EnableIframeEmbedding,
+			AllowedOrigins: policy.AllowedOrigins,
+		},
+		EnableImpersonation: policy.EnableImpersonation,
+	}
+}
+
+func securitySettingsToCommand(req *settings.SetSecuritySettingsRequest) *command.SecurityPolicy {
+	return &command.SecurityPolicy{
+		EnableIframeEmbedding: req.GetEmbeddedIframe().GetEnabled(),
+		AllowedOrigins:        req.GetEmbeddedIframe().GetAllowedOrigins(),
+		EnableImpersonation:   req.GetEnableImpersonation(),
+	}
+}

internal/api/grpc/settings/v2beta/settings_converter_test.go

@@ -0,0 +1,517 @@
+package settings
+
+import (
+	"reflect"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/proto"
+	"google.golang.org/protobuf/reflect/protoreflect"
+	"google.golang.org/protobuf/types/known/durationpb"
+
+	"github.com/zitadel/zitadel/internal/api/grpc"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/query"
+	settings "github.com/zitadel/zitadel/pkg/grpc/settings/v2beta"
+)
+
+var ignoreTypes = []protoreflect.FullName{"google.protobuf.Duration"}
+
+func Test_loginSettingsToPb(t *testing.T) {
+	arg := &query.LoginPolicy{
+		AllowUsernamePassword:      true,
+		AllowRegister:              true,
+		AllowExternalIDPs:          true,
+		ForceMFA:                   true,
+		ForceMFALocalOnly:          true,
+		PasswordlessType:           domain.PasswordlessTypeAllowed,
+		HidePasswordReset:          true,
+		IgnoreUnknownUsernames:     true,
+		AllowDomainDiscovery:       true,
+		DisableLoginWithEmail:      true,
+		DisableLoginWithPhone:      true,
+		DefaultRedirectURI:         "example.com",
+		PasswordCheckLifetime:      database.Duration(time.Hour),
+		ExternalLoginCheckLifetime: database.Duration(time.Minute),
+		MFAInitSkipLifetime:        database.Duration(time.Millisecond),
+		SecondFactorCheckLifetime:  database.Duration(time.Microsecond),
+		MultiFactorCheckLifetime:   database.Duration(time.Nanosecond),
+		SecondFactors: []domain.SecondFactorType{
+			domain.SecondFactorTypeTOTP,
+			domain.SecondFactorTypeU2F,
+			domain.SecondFactorTypeOTPEmail,
+			domain.SecondFactorTypeOTPSMS,
+		},
+		MultiFactors: []domain.MultiFactorType{
+			domain.MultiFactorTypeU2FWithPIN,
+		},
+		IsDefault: true,
+	}
+
+	want := &settings.LoginSettings{
+		AllowUsernamePassword:      true,
+		AllowRegister:              true,
+		AllowExternalIdp:           true,
+		ForceMfa:                   true,
+		ForceMfaLocalOnly:          true,
+		PasskeysType:               settings.PasskeysType_PASSKEYS_TYPE_ALLOWED,
+		HidePasswordReset:          true,
+		IgnoreUnknownUsernames:     true,
+		AllowDomainDiscovery:       true,
+		DisableLoginWithEmail:      true,
+		DisableLoginWithPhone:      true,
+		DefaultRedirectUri:         "example.com",
+		PasswordCheckLifetime:      durationpb.New(time.Hour),
+		ExternalLoginCheckLifetime: durationpb.New(time.Minute),
+		MfaInitSkipLifetime:        durationpb.New(time.Millisecond),
+		SecondFactorCheckLifetime:  durationpb.New(time.Microsecond),
+		MultiFactorCheckLifetime:   durationpb.New(time.Nanosecond),
+		SecondFactors: []settings.SecondFactorType{
+			settings.SecondFactorType_SECOND_FACTOR_TYPE_OTP,
+			settings.SecondFactorType_SECOND_FACTOR_TYPE_U2F,
+			settings.SecondFactorType_SECOND_FACTOR_TYPE_OTP_EMAIL,
+			settings.SecondFactorType_SECOND_FACTOR_TYPE_OTP_SMS,
+		},
+		MultiFactors: []settings.MultiFactorType{
+			settings.MultiFactorType_MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION,
+		},
+		ResourceOwnerType: settings.ResourceOwnerType_RESOURCE_OWNER_TYPE_INSTANCE,
+	}
+
+	got := loginSettingsToPb(arg)
+	grpc.AllFieldsSet(t, got.ProtoReflect(), ignoreTypes...)
+	if !proto.Equal(got, want) {
+		t.Errorf("loginSettingsToPb() =\n%v\nwant\n%v", got, want)
+	}
+}
+
+func Test_isDefaultToResourceOwnerTypePb(t *testing.T) {
+	type args struct {
+		isDefault bool
+	}
+	tests := []struct {
+		args args
+		want settings.ResourceOwnerType
+	}{
+		{
+			args: args{false},
+			want: settings.ResourceOwnerType_RESOURCE_OWNER_TYPE_ORG,
+		},
+		{
+			args: args{true},
+			want: settings.ResourceOwnerType_RESOURCE_OWNER_TYPE_INSTANCE,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.want.String(), func(t *testing.T) {
+			got := isDefaultToResourceOwnerTypePb(tt.args.isDefault)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func Test_passkeysTypeToPb(t *testing.T) {
+	type args struct {
+		passwordlessType domain.PasswordlessType
+	}
+	tests := []struct {
+		args args
+		want settings.PasskeysType
+	}{
+		{
+			args: args{domain.PasswordlessTypeNotAllowed},
+			want: settings.PasskeysType_PASSKEYS_TYPE_NOT_ALLOWED,
+		},
+		{
+			args: args{domain.PasswordlessTypeAllowed},
+			want: settings.PasskeysType_PASSKEYS_TYPE_ALLOWED,
+		},
+		{
+			args: args{99},
+			want: settings.PasskeysType_PASSKEYS_TYPE_NOT_ALLOWED,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.want.String(), func(t *testing.T) {
+			got := passkeysTypeToPb(tt.args.passwordlessType)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func Test_secondFactorTypeToPb(t *testing.T) {
+	type args struct {
+		secondFactorType domain.SecondFactorType
+	}
+	tests := []struct {
+		args args
+		want settings.SecondFactorType
+	}{
+		{
+			args: args{domain.SecondFactorTypeTOTP},
+			want: settings.SecondFactorType_SECOND_FACTOR_TYPE_OTP,
+		},
+		{
+			args: args{domain.SecondFactorTypeU2F},
+			want: settings.SecondFactorType_SECOND_FACTOR_TYPE_U2F,
+		},
+		{
+			args: args{domain.SecondFactorTypeOTPSMS},
+			want: settings.SecondFactorType_SECOND_FACTOR_TYPE_OTP_SMS,
+		},
+		{
+			args: args{domain.SecondFactorTypeOTPEmail},
+			want: settings.SecondFactorType_SECOND_FACTOR_TYPE_OTP_EMAIL,
+		},
+		{
+			args: args{domain.SecondFactorTypeUnspecified},
+			want: settings.SecondFactorType_SECOND_FACTOR_TYPE_UNSPECIFIED,
+		},
+		{
+			args: args{99},
+			want: settings.SecondFactorType_SECOND_FACTOR_TYPE_UNSPECIFIED,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.want.String(), func(t *testing.T) {
+			got := secondFactorTypeToPb(tt.args.secondFactorType)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func Test_multiFactorTypeToPb(t *testing.T) {
+	type args struct {
+		typ domain.MultiFactorType
+	}
+	tests := []struct {
+		args args
+		want settings.MultiFactorType
+	}{
+		{
+			args: args{domain.MultiFactorTypeU2FWithPIN},
+			want: settings.MultiFactorType_MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION,
+		},
+		{
+			args: args{domain.MultiFactorTypeUnspecified},
+			want: settings.MultiFactorType_MULTI_FACTOR_TYPE_UNSPECIFIED,
+		},
+		{
+			args: args{99},
+			want: settings.MultiFactorType_MULTI_FACTOR_TYPE_UNSPECIFIED,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.want.String(), func(t *testing.T) {
+			got := multiFactorTypeToPb(tt.args.typ)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func Test_passwordComplexitySettingsToPb(t *testing.T) {
+	arg := &query.PasswordComplexityPolicy{
+		MinLength:    12,
+		HasUppercase: true,
+		HasLowercase: true,
+		HasNumber:    true,
+		HasSymbol:    true,
+		IsDefault:    true,
+	}
+	want := &settings.PasswordComplexitySettings{
+		MinLength:         12,
+		RequiresUppercase: true,
+		RequiresLowercase: true,
+		RequiresNumber:    true,
+		RequiresSymbol:    true,
+		ResourceOwnerType: settings.ResourceOwnerType_RESOURCE_OWNER_TYPE_INSTANCE,
+	}
+
+	got := passwordComplexitySettingsToPb(arg)
+	grpc.AllFieldsSet(t, got.ProtoReflect(), ignoreTypes...)
+	if !proto.Equal(got, want) {
+		t.Errorf("passwordComplexitySettingsToPb() =\n%v\nwant\n%v", got, want)
+	}
+}
+
+func Test_passwordExpirySettingsToPb(t *testing.T) {
+	arg := &query.PasswordAgePolicy{
+		ExpireWarnDays: 80,
+		MaxAgeDays:     90,
+		IsDefault:      true,
+	}
+	want := &settings.PasswordExpirySettings{
+		ExpireWarnDays:    80,
+		MaxAgeDays:        90,
+		ResourceOwnerType: settings.ResourceOwnerType_RESOURCE_OWNER_TYPE_INSTANCE,
+	}
+
+	got := passwordExpirySettingsToPb(arg)
+	grpc.AllFieldsSet(t, got.ProtoReflect(), ignoreTypes...)
+	if !proto.Equal(got, want) {
+		t.Errorf("passwordExpirySettingsToPb() =\n%v\nwant\n%v", got, want)
+	}
+}
+
+func Test_brandingSettingsToPb(t *testing.T) {
+	arg := &query.LabelPolicy{
+		Light: query.Theme{
+			PrimaryColor:    "red",
+			WarnColor:       "white",
+			BackgroundColor: "blue",
+			FontColor:       "orange",
+			LogoURL:         "light-logo",
+			IconURL:         "light-icon",
+		},
+		Dark: query.Theme{
+			PrimaryColor:    "magenta",
+			WarnColor:       "pink",
+			BackgroundColor: "black",
+			FontColor:       "white",
+			LogoURL:         "dark-logo",
+			IconURL:         "dark-icon",
+		},
+		ResourceOwner:       "me",
+		FontURL:             "fonts",
+		WatermarkDisabled:   true,
+		HideLoginNameSuffix: true,
+		ThemeMode:           domain.LabelPolicyThemeDark,
+		IsDefault:           true,
+	}
+	want := &settings.BrandingSettings{
+		LightTheme: &settings.Theme{
+			PrimaryColor:    "red",
+			WarnColor:       "white",
+			BackgroundColor: "blue",
+			FontColor:       "orange",
+			LogoUrl:         "http://example.com/me/light-logo",
+			IconUrl:         "http://example.com/me/light-icon",
+		},
+		DarkTheme: &settings.Theme{
+			PrimaryColor:    "magenta",
+			WarnColor:       "pink",
+			BackgroundColor: "black",
+			FontColor:       "white",
+			LogoUrl:         "http://example.com/me/dark-logo",
+			IconUrl:         "http://example.com/me/dark-icon",
+		},
+		FontUrl:             "http://example.com/me/fonts",
+		DisableWatermark:    true,
+		HideLoginNameSuffix: true,
+		ResourceOwnerType:   settings.ResourceOwnerType_RESOURCE_OWNER_TYPE_INSTANCE,
+		ThemeMode:           settings.ThemeMode_THEME_MODE_DARK,
+	}
+
+	got := brandingSettingsToPb(arg, "http://example.com")
+	grpc.AllFieldsSet(t, got.ProtoReflect(), ignoreTypes...)
+	if !proto.Equal(got, want) {
+		t.Errorf("brandingSettingsToPb() =\n%v\nwant\n%v", got, want)
+	}
+}
+
+func Test_domainSettingsToPb(t *testing.T) {
+	arg := &query.DomainPolicy{
+		UserLoginMustBeDomain:                  true,
+		ValidateOrgDomains:                     true,
+		SMTPSenderAddressMatchesInstanceDomain: true,
+		IsDefault:                              true,
+	}
+	want := &settings.DomainSettings{
+		LoginNameIncludesDomain:                true,
+		RequireOrgDomainVerification:           true,
+		SmtpSenderAddressMatchesInstanceDomain: true,
+		ResourceOwnerType:                      settings.ResourceOwnerType_RESOURCE_OWNER_TYPE_INSTANCE,
+	}
+	got := domainSettingsToPb(arg)
+	grpc.AllFieldsSet(t, got.ProtoReflect(), ignoreTypes...)
+	if !proto.Equal(got, want) {
+		t.Errorf("domainSettingsToPb() =\n%v\nwant\n%v", got, want)
+	}
+}
+
+func Test_legalSettingsToPb(t *testing.T) {
+	arg := &query.PrivacyPolicy{
+		TOSLink:        "http://example.com/tos",
+		PrivacyLink:    "http://example.com/pricacy",
+		HelpLink:       "http://example.com/help",
+		SupportEmail:   "support@zitadel.com",
+		IsDefault:      true,
+		DocsLink:       "http://example.com/docs",
+		CustomLink:     "http://example.com/custom",
+		CustomLinkText: "Custom",
+	}
+	want := &settings.LegalAndSupportSettings{
+		TosLink:           "http://example.com/tos",
+		PrivacyPolicyLink: "http://example.com/pricacy",
+		HelpLink:          "http://example.com/help",
+		SupportEmail:      "support@zitadel.com",
+		DocsLink:          "http://example.com/docs",
+		CustomLink:        "http://example.com/custom",
+		CustomLinkText:    "Custom",
+		ResourceOwnerType: settings.ResourceOwnerType_RESOURCE_OWNER_TYPE_INSTANCE,
+	}
+	got := legalAndSupportSettingsToPb(arg)
+	grpc.AllFieldsSet(t, got.ProtoReflect(), ignoreTypes...)
+	if !proto.Equal(got, want) {
+		t.Errorf("legalSettingsToPb() =\n%v\nwant\n%v", got, want)
+	}
+}
+
+func Test_lockoutSettingsToPb(t *testing.T) {
+	arg := &query.LockoutPolicy{
+		MaxPasswordAttempts: 22,
+		MaxOTPAttempts:      22,
+		IsDefault:           true,
+	}
+	want := &settings.LockoutSettings{
+		MaxPasswordAttempts: 22,
+		MaxOtpAttempts:      22,
+		ResourceOwnerType:   settings.ResourceOwnerType_RESOURCE_OWNER_TYPE_INSTANCE,
+	}
+	got := lockoutSettingsToPb(arg)
+	grpc.AllFieldsSet(t, got.ProtoReflect(), ignoreTypes...)
+	if !proto.Equal(got, want) {
+		t.Errorf("lockoutSettingsToPb() =\n%v\nwant\n%v", got, want)
+	}
+}
+
+func Test_identityProvidersToPb(t *testing.T) {
+	arg := []*query.IDPLoginPolicyLink{
+		{
+			IDPID:   "1",
+			IDPName: "foo",
+			IDPType: domain.IDPTypeOIDC,
+		},
+		{
+			IDPID:   "2",
+			IDPName: "bar",
+			IDPType: domain.IDPTypeGitHub,
+		},
+	}
+	want := []*settings.IdentityProvider{
+		{
+			Id:   "1",
+			Name: "foo",
+			Type: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_OIDC,
+		},
+		{
+			Id:   "2",
+			Name: "bar",
+			Type: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_GITHUB,
+		},
+	}
+	got := identityProvidersToPb(arg)
+	require.Len(t, got, len(got))
+	for i, v := range got {
+		grpc.AllFieldsSet(t, v.ProtoReflect(), ignoreTypes...)
+		if !proto.Equal(v, want[i]) {
+			t.Errorf("identityProvidersToPb() =\n%v\nwant\n%v", got, want)
+		}
+	}
+}
+
+func Test_idpTypeToPb(t *testing.T) {
+	type args struct {
+		idpType domain.IDPType
+	}
+	tests := []struct {
+		args args
+		want settings.IdentityProviderType
+	}{
+		{
+			args: args{domain.IDPTypeUnspecified},
+			want: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_UNSPECIFIED,
+		},
+		{
+			args: args{domain.IDPTypeOIDC},
+			want: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_OIDC,
+		},
+		{
+			args: args{domain.IDPTypeJWT},
+			want: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_JWT,
+		},
+		{
+			args: args{domain.IDPTypeOAuth},
+			want: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_OAUTH,
+		},
+		{
+			args: args{domain.IDPTypeLDAP},
+			want: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_LDAP,
+		},
+		{
+			args: args{domain.IDPTypeAzureAD},
+			want: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_AZURE_AD,
+		},
+		{
+			args: args{domain.IDPTypeGitHub},
+			want: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_GITHUB,
+		},
+		{
+			args: args{domain.IDPTypeGitHubEnterprise},
+			want: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_GITHUB_ES,
+		},
+		{
+			args: args{domain.IDPTypeGitLab},
+			want: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_GITLAB,
+		},
+		{
+			args: args{domain.IDPTypeGitLabSelfHosted},
+			want: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_GITLAB_SELF_HOSTED,
+		},
+		{
+			args: args{domain.IDPTypeGoogle},
+			want: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_GOOGLE,
+		},
+		{
+			args: args{domain.IDPTypeSAML},
+			want: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_SAML,
+		},
+		{
+			args: args{99},
+			want: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_UNSPECIFIED,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.want.String(), func(t *testing.T) {
+			if got := idpTypeToPb(tt.args.idpType); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("idpTypeToPb() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func Test_securityPolicyToSettingsPb(t *testing.T) {
+	want := &settings.SecuritySettings{
+		EmbeddedIframe: &settings.EmbeddedIframeSettings{
+			Enabled:        true,
+			AllowedOrigins: []string{"foo", "bar"},
+		},
+		EnableImpersonation: true,
+	}
+	got := securityPolicyToSettingsPb(&query.SecurityPolicy{
+		EnableIframeEmbedding: true,
+		AllowedOrigins:        []string{"foo", "bar"},
+		EnableImpersonation:   true,
+	})
+	assert.Equal(t, want, got)
+}
+
+func Test_securitySettingsToCommand(t *testing.T) {
+	want := &command.SecurityPolicy{
+		EnableIframeEmbedding: true,
+		AllowedOrigins:        []string{"foo", "bar"},
+		EnableImpersonation:   true,
+	}
+	got := securitySettingsToCommand(&settings.SetSecuritySettingsRequest{
+		EmbeddedIframe: &settings.EmbeddedIframeSettings{
+			Enabled:        true,
+			AllowedOrigins: []string{"foo", "bar"},
+		},
+		EnableImpersonation: true,
+	})
+	assert.Equal(t, want, got)
+}

internal/api/grpc/settings/v2beta/settings_integration_test.go

@@ -0,0 +1,174 @@
+//go:build integration
+
+package settings_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/integration"
+	object_pb "github.com/zitadel/zitadel/pkg/grpc/object/v2beta"
+	settings "github.com/zitadel/zitadel/pkg/grpc/settings/v2beta"
+)
+
+func TestServer_GetSecuritySettings(t *testing.T) {
+	_, err := Client.SetSecuritySettings(AdminCTX, &settings.SetSecuritySettingsRequest{
+		EmbeddedIframe: &settings.EmbeddedIframeSettings{
+			Enabled:        true,
+			AllowedOrigins: []string{"foo", "bar"},
+		},
+		EnableImpersonation: true,
+	})
+	require.NoError(t, err)
+
+	tests := []struct {
+		name    string
+		ctx     context.Context
+		want    *settings.GetSecuritySettingsResponse
+		wantErr bool
+	}{
+		{
+			name:    "permission error",
+			ctx:     Tester.WithAuthorization(CTX, integration.OrgOwner),
+			wantErr: true,
+		},
+		{
+			name: "success",
+			ctx:  AdminCTX,
+			want: &settings.GetSecuritySettingsResponse{
+				Settings: &settings.SecuritySettings{
+					EmbeddedIframe: &settings.EmbeddedIframeSettings{
+						Enabled:        true,
+						AllowedOrigins: []string{"foo", "bar"},
+					},
+					EnableImpersonation: true,
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			resp, err := Client.GetSecuritySettings(tt.ctx, &settings.GetSecuritySettingsRequest{})
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			got, want := resp.GetSettings(), tt.want.GetSettings()
+			assert.Equal(t, want.GetEmbeddedIframe().GetEnabled(), got.GetEmbeddedIframe().GetEnabled(), "enable iframe embedding")
+			assert.Equal(t, want.GetEmbeddedIframe().GetAllowedOrigins(), got.GetEmbeddedIframe().GetAllowedOrigins(), "allowed origins")
+			assert.Equal(t, want.GetEnableImpersonation(), got.GetEnableImpersonation(), "enable impersonation")
+		})
+	}
+}
+
+func TestServer_SetSecuritySettings(t *testing.T) {
+	type args struct {
+		ctx context.Context
+		req *settings.SetSecuritySettingsRequest
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *settings.SetSecuritySettingsResponse
+		wantErr bool
+	}{
+		{
+			name: "permission error",
+			args: args{
+				ctx: Tester.WithAuthorization(CTX, integration.OrgOwner),
+				req: &settings.SetSecuritySettingsRequest{
+					EmbeddedIframe: &settings.EmbeddedIframeSettings{
+						Enabled:        true,
+						AllowedOrigins: []string{"foo.com", "bar.com"},
+					},
+					EnableImpersonation: true,
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "success allowed origins",
+			args: args{
+				ctx: AdminCTX,
+				req: &settings.SetSecuritySettingsRequest{
+					EmbeddedIframe: &settings.EmbeddedIframeSettings{
+						AllowedOrigins: []string{"foo.com", "bar.com"},
+					},
+				},
+			},
+			want: &settings.SetSecuritySettingsResponse{
+				Details: &object_pb.Details{
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Tester.Instance.InstanceID(),
+				},
+			},
+		},
+		{
+			name: "success enable iframe embedding",
+			args: args{
+				ctx: AdminCTX,
+				req: &settings.SetSecuritySettingsRequest{
+					EmbeddedIframe: &settings.EmbeddedIframeSettings{
+						Enabled: true,
+					},
+				},
+			},
+			want: &settings.SetSecuritySettingsResponse{
+				Details: &object_pb.Details{
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Tester.Instance.InstanceID(),
+				},
+			},
+		},
+		{
+			name: "success impersonation",
+			args: args{
+				ctx: AdminCTX,
+				req: &settings.SetSecuritySettingsRequest{
+					EnableImpersonation: true,
+				},
+			},
+			want: &settings.SetSecuritySettingsResponse{
+				Details: &object_pb.Details{
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Tester.Instance.InstanceID(),
+				},
+			},
+		},
+		{
+			name: "success all",
+			args: args{
+				ctx: AdminCTX,
+				req: &settings.SetSecuritySettingsRequest{
+					EmbeddedIframe: &settings.EmbeddedIframeSettings{
+						Enabled:        true,
+						AllowedOrigins: []string{"foo.com", "bar.com"},
+					},
+					EnableImpersonation: true,
+				},
+			},
+			want: &settings.SetSecuritySettingsResponse{
+				Details: &object_pb.Details{
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Tester.Instance.InstanceID(),
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := Client.SetSecuritySettings(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			integration.AssertDetails(t, tt.want, got)
+		})
+	}
+}