feat: validate org domains (#3387)

* feat: validate org domain command side * feat: validate org domain query side * fix: create domain policy * feat: add reading domain policy on addorg domain
2025-01-08 15:37:41 +00:00 · 2022-04-13 11:24:03 +02:00 · 2022-04-13 11:24:03 +02:00 · 820a21dce3
commit 820a21dce3
parent db554536a1
33 changed files with 223 additions and 39 deletions
--- a/cmd/admin/setup/steps.yaml
+++ b/cmd/admin/setup/steps.yaml
@ -100,6 +100,7 @@ S3DefaultInstance:
      MaxAgeDays: 0
    DomainPolicy:
      UserLoginMustBeDomain: true
      ValidateOrgDomains: true
    LoginPolicy:
      AllowUsernamePassword: true
      AllowRegister: true
--- a/docs/docs/apis/proto/admin.md
+++ b/docs/docs/apis/proto/admin.md
@ -1493,6 +1493,7 @@ This is an empty request
 | ----- | ---- | ----------- | ----------- |
 | org_id |  string | - | string.min_len: 1<br /> string.max_len: 200<br />  |
 | user_login_must_be_domain |  bool | the username has to end with the domain of it's organisation (uniqueness is organisation based) |  |
 | validate_org_domains |  bool | - |  |
@ -3676,6 +3677,7 @@ This is an empty request
 | ----- | ---- | ----------- | ----------- |
 | org_id |  string | - | string.min_len: 1<br /> string.max_len: 200<br />  |
 | user_login_must_be_domain |  bool | - |  |
 | validate_org_domains |  bool | - |  |
@ -3721,6 +3723,7 @@ This is an empty request
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | user_login_must_be_domain |  bool | - |  |
 | validate_org_domains |  bool | - |  |
--- a/docs/docs/apis/proto/policy.md
+++ b/docs/docs/apis/proto/policy.md
@ -18,6 +18,7 @@ title: zitadel/policy.proto
 | details |  zitadel.v1.ObjectDetails | - |  |
 | user_login_must_be_domain |  bool | - |  |
 | is_default |  bool | - |  |
 | validate_org_domains |  bool | - |  |
--- a/internal/api/grpc/admin/domain_policy.go
+++ b/internal/api/grpc/admin/domain_policy.go
@ -27,7 +27,7 @@ func (s *Server) GetCustomDomainPolicy(ctx context.Context, req *admin_pb.GetCus
 }
 func (s *Server) AddCustomDomainPolicy(ctx context.Context, req *admin_pb.AddCustomDomainPolicyRequest) (*admin_pb.AddCustomDomainPolicyResponse, error) {
-	policy, err := s.command.AddOrgDomainPolicy(ctx, req.OrgId, domainPolicyToDomain(req.UserLoginMustBeDomain))
+	policy, err := s.command.AddOrgDomainPolicy(ctx, req.OrgId, domainPolicyToDomain(req.UserLoginMustBeDomain, req.ValidateOrgDomains))
 	if err != nil {
 		return nil, err
 	}
@ -76,9 +76,10 @@ func (s *Server) ResetCustomDomainPolicyTo(ctx context.Context, req *admin_pb.Re
 	return nil, nil //TOOD: return data
 }
-func domainPolicyToDomain(userLoginMustBeDomain bool) *domain.DomainPolicy {
+func domainPolicyToDomain(userLoginMustBeDomain, validateOrgDomains bool) *domain.DomainPolicy {
 	return &domain.DomainPolicy{
 		UserLoginMustBeDomain: userLoginMustBeDomain,
 		ValidateOrgDomains:    validateOrgDomains,
 	}
 }
@ -88,6 +89,7 @@ func updateDomainPolicyToDomain(req *admin_pb.UpdateDomainPolicyRequest) *domain
 		// 	// AggreagateID: //TODO: there should only be ONE default
 		// },
 		UserLoginMustBeDomain: req.UserLoginMustBeDomain,
 		ValidateOrgDomains:    req.ValidateOrgDomains,
 	}
 }
@ -97,11 +99,12 @@ func updateCustomDomainPolicyToDomain(req *admin_pb.UpdateCustomDomainPolicyRequ
 			AggregateID: req.OrgId,
 		},
 		UserLoginMustBeDomain: req.UserLoginMustBeDomain,
 		ValidateOrgDomains:    req.ValidateOrgDomains,
 	}
 }
 func (s *Server) AddCustomOrgIAMPolicy(ctx context.Context, req *admin_pb.AddCustomOrgIAMPolicyRequest) (*admin_pb.AddCustomOrgIAMPolicyResponse, error) {
-	policy, err := s.command.AddOrgDomainPolicy(ctx, req.OrgId, domainPolicyToDomain(req.UserLoginMustBeDomain))
+	policy, err := s.command.AddOrgDomainPolicy(ctx, req.OrgId, domainPolicyToDomain(req.UserLoginMustBeDomain, true))
 	if err != nil {
 		return nil, err
 	}
@ -161,6 +164,7 @@ func (s *Server) GetCustomOrgIAMPolicy(ctx context.Context, req *admin_pb.GetCus
 func updateOrgIAMPolicyToDomain(req *admin_pb.UpdateOrgIAMPolicyRequest) *domain.DomainPolicy {
 	return &domain.DomainPolicy{
 		UserLoginMustBeDomain: req.UserLoginMustBeDomain,
 		ValidateOrgDomains:    true,
 	}
 }
@ -170,5 +174,6 @@ func updateCustomOrgIAMPolicyToDomain(req *admin_pb.UpdateCustomOrgIAMPolicyRequ
 			AggregateID: req.OrgId,
 		},
 		UserLoginMustBeDomain: req.UserLoginMustBeDomain,
 		ValidateOrgDomains:    true,
 	}
 }
--- a/internal/api/grpc/policy/domain_policy.go
+++ b/internal/api/grpc/policy/domain_policy.go
@ -9,6 +9,7 @@ import (
 func DomainPolicyToPb(policy *query.DomainPolicy) *policy_pb.DomainPolicy {
 	return &policy_pb.DomainPolicy{
 		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
 		ValidateOrgDomains:    policy.ValidateOrgDomains,
 		IsDefault:             policy.IsDefault,
 		Details: object.ToViewDetailsPb(
 			policy.Sequence,
--- a/internal/command/instance.go
+++ b/internal/command/instance.go
@ -78,6 +78,7 @@ type InstanceSetup struct {
 	}
 	DomainPolicy struct {
 		UserLoginMustBeDomain bool
 		ValidateOrgDomains    bool
 	}
 	LoginPolicy struct {
 		AllowUsernamePassword      bool
@ -242,6 +243,7 @@ func (c *commandNew) SetUpInstance(ctx context.Context, setup *InstanceSetup) (*
 		AddDefaultDomainPolicy(
 			instanceAgg,
 			setup.DomainPolicy.UserLoginMustBeDomain,
 			setup.DomainPolicy.ValidateOrgDomains,
 		),
 		AddDefaultLoginPolicy(
 			instanceAgg,
--- a/internal/command/instance_converter.go
+++ b/internal/command/instance_converter.go
@ -69,6 +69,7 @@ func writeModelToDomainPolicy(wm *InstanceDomainPolicyWriteModel) *domain.Domain
 	return &domain.DomainPolicy{
 		ObjectRoot:            writeModelToObjectRoot(wm.PolicyDomainWriteModel.WriteModel),
 		UserLoginMustBeDomain: wm.UserLoginMustBeDomain,
 		ValidateOrgDomains:    wm.ValidateOrgDomains,
 	}
 }
--- a/internal/command/instance_domain_policy.go
+++ b/internal/command/instance_domain_policy.go
@ -10,7 +10,8 @@ import (
 func AddDefaultDomainPolicy(
 	a *instance.Aggregate,
-	userLoginMustBeDomain bool,
+	userLoginMustBeDomain,
 	validateOrgDomains bool,
 ) preparation.Validation {
 	return func() (preparation.CreateCommands, error) {
 		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
@ -18,6 +19,7 @@ func AddDefaultDomainPolicy(
 			return []eventstore.Command{
 				instance.NewDomainPolicyAddedEvent(ctx, &a.Aggregate,
 					userLoginMustBeDomain,
 					validateOrgDomains,
 				),
 			}, nil
 		}, nil
--- a/internal/command/instance_policy_domain.go
+++ b/internal/command/instance_policy_domain.go
@ -37,7 +37,7 @@ func (c *Commands) addDefaultDomainPolicy(ctx context.Context, instanceAgg *even
 	if addedPolicy.State == domain.PolicyStateActive {
 		return nil, caos_errs.ThrowAlreadyExists(nil, "INSTANCE-Lk0dS", "Errors.IAM.DomainPolicy.AlreadyExists")
 	}
-	return iam_repo.NewDomainPolicyAddedEvent(ctx, instanceAgg, policy.UserLoginMustBeDomain), nil
+	return iam_repo.NewDomainPolicyAddedEvent(ctx, instanceAgg, policy.UserLoginMustBeDomain, policy.ValidateOrgDomains), nil
 }
 func (c *Commands) ChangeDefaultDomainPolicy(ctx context.Context, policy *domain.DomainPolicy) (*domain.DomainPolicy, error) {
@ -50,7 +50,7 @@ func (c *Commands) ChangeDefaultDomainPolicy(ctx context.Context, policy *domain
 	}
 	instanceAgg := InstanceAggregateFromWriteModel(&existingPolicy.PolicyDomainWriteModel.WriteModel)
-	changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, instanceAgg, policy.UserLoginMustBeDomain)
+	changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, instanceAgg, policy.UserLoginMustBeDomain, policy.ValidateOrgDomains)
 	if !hasChanged {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "INSTANCE-4M9vs", "Errors.IAM.LabelPolicy.NotChanged")
 	}
--- a/internal/command/instance_policy_domain_model.go
+++ b/internal/command/instance_policy_domain_model.go
@ -55,11 +55,15 @@ func (wm *InstanceDomainPolicyWriteModel) Query() *eventstore.SearchQueryBuilder
 func (wm *InstanceDomainPolicyWriteModel) NewChangedEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
-	userLoginMustBeDomain bool) (*instance.DomainPolicyChangedEvent, bool) {
+	userLoginMustBeDomain,
-	changes := make([]policy.OrgPolicyChanges, 0)
+	validateOrgDomain bool) (*instance.DomainPolicyChangedEvent, bool) {
 	changes := make([]policy.DomainPolicyChanges, 0)
 	if wm.UserLoginMustBeDomain != userLoginMustBeDomain {
 		changes = append(changes, policy.ChangeUserLoginMustBeDomain(userLoginMustBeDomain))
 	}
 	if wm.ValidateOrgDomains != validateOrgDomain {
 		changes = append(changes, policy.ChangeValidateOrgDomains(validateOrgDomain))
 	}
 	if len(changes) == 0 {
 		return nil, false
 	}
--- a/internal/command/instance_policy_domain_test.go
+++ b/internal/command/instance_policy_domain_test.go
@ -43,6 +43,7 @@ func TestCommandSide_AddDefaultDomainPolicy(t *testing.T) {
 							instance.NewDomainPolicyAddedEvent(context.Background(),
 								&instance.NewAggregate("INSTANCE").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -52,6 +53,7 @@ func TestCommandSide_AddDefaultDomainPolicy(t *testing.T) {
 				ctx: context.Background(),
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
 					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@ -71,6 +73,7 @@ func TestCommandSide_AddDefaultDomainPolicy(t *testing.T) {
 								instance.NewDomainPolicyAddedEvent(context.Background(),
 									&instance.NewAggregate("INSTANCE").Aggregate,
 									true,
 									true,
 								),
 							),
 						},
@ -81,6 +84,7 @@ func TestCommandSide_AddDefaultDomainPolicy(t *testing.T) {
 				ctx: authz.WithInstanceID(context.Background(), "INSTANCE"),
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
 					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@ -91,6 +95,7 @@ func TestCommandSide_AddDefaultDomainPolicy(t *testing.T) {
 						ResourceOwner: "INSTANCE",
 					},
 					UserLoginMustBeDomain: true,
 					ValidateOrgDomains:    true,
 				},
 			},
 		},
@ -144,6 +149,7 @@ func TestCommandSide_ChangeDefaultDomainPolicy(t *testing.T) {
 				ctx: context.Background(),
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
 					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@ -160,6 +166,7 @@ func TestCommandSide_ChangeDefaultDomainPolicy(t *testing.T) {
 							instance.NewDomainPolicyAddedEvent(context.Background(),
 								&instance.NewAggregate("INSTANCE").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -169,6 +176,7 @@ func TestCommandSide_ChangeDefaultDomainPolicy(t *testing.T) {
 				ctx: context.Background(),
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
 					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@ -185,13 +193,14 @@ func TestCommandSide_ChangeDefaultDomainPolicy(t *testing.T) {
 							instance.NewDomainPolicyAddedEvent(context.Background(),
 								&instance.NewAggregate("INSTANCE").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
 					expectPush(
 						[]*repository.Event{
 							eventFromEventPusher(
-								newDefaultDomainPolicyChangedEvent(context.Background(), false),
+								newDefaultDomainPolicyChangedEvent(context.Background(), false, false),
 							),
 						},
 					),
@ -201,6 +210,7 @@ func TestCommandSide_ChangeDefaultDomainPolicy(t *testing.T) {
 				ctx: context.Background(),
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: false,
 					ValidateOrgDomains:    false,
 				},
 			},
 			res: res{
@ -210,6 +220,7 @@ func TestCommandSide_ChangeDefaultDomainPolicy(t *testing.T) {
 						ResourceOwner: "INSTANCE",
 					},
 					UserLoginMustBeDomain: false,
 					ValidateOrgDomains:    false,
 				},
 			},
 		},
@ -233,11 +244,12 @@ func TestCommandSide_ChangeDefaultDomainPolicy(t *testing.T) {
 	}
 }
-func newDefaultDomainPolicyChangedEvent(ctx context.Context, userLoginMustBeDomain bool) *instance.DomainPolicyChangedEvent {
+func newDefaultDomainPolicyChangedEvent(ctx context.Context, userLoginMustBeDomain, validateOrgDomains bool) *instance.DomainPolicyChangedEvent {
 	event, _ := instance.NewDomainPolicyChangedEvent(ctx,
 		&instance.NewAggregate("INSTANCE").Aggregate,
-		[]policy.OrgPolicyChanges{
+		[]policy.DomainPolicyChanges{
 			policy.ChangeUserLoginMustBeDomain(userLoginMustBeDomain),
 			policy.ChangeValidateOrgDomains(validateOrgDomains),
 		},
 	)
 	return event
--- a/internal/command/org_converter.go
+++ b/internal/command/org_converter.go
@ -17,6 +17,7 @@ func orgWriteModelToDomainPolicy(wm *OrgDomainPolicyWriteModel) *domain.DomainPo
 	return &domain.DomainPolicy{
 		ObjectRoot:            writeModelToObjectRoot(wm.PolicyDomainWriteModel.WriteModel),
 		UserLoginMustBeDomain: wm.UserLoginMustBeDomain,
 		ValidateOrgDomains:    wm.ValidateOrgDomains,
 	}
 }
--- a/internal/command/org_domain.go
+++ b/internal/command/org_domain.go
@ -2,12 +2,11 @@ package command
 import (
 	"context"
 	errs "errors"
 	"strings"
 	"github.com/caos/logging"
 	errs "errors"
 	http_utils "github.com/caos/zitadel/internal/api/http"
 	"github.com/caos/zitadel/internal/command/preparation"
 	"github.com/caos/zitadel/internal/crypto"
@ -30,7 +29,15 @@ func AddOrgDomain(a *org.Aggregate, domain string) preparation.Validation {
 			if existing != nil && existing.Verified {
 				return nil, errors.ThrowAlreadyExists(nil, "V2-e1wse", "Errors.Already.Exists")
 			}
-			return []eventstore.Command{org.NewDomainAddedEvent(ctx, &a.Aggregate, domain)}, nil
+			domainPolicy, err := domainPolicyWriteModel(ctx, filter)
 			if err != nil {
 				return nil, err
 			}
 			events := []eventstore.Command{org.NewDomainAddedEvent(ctx, &a.Aggregate, domain)}
 			if !domainPolicy.ValidateOrgDomains {
 				events = append(events, org.NewDomainVerifiedEvent(ctx, &a.Aggregate, domain))
 			}
 			return events, nil
 		}, nil
 	}
 }
--- a/internal/command/org_domain_test.go
+++ b/internal/command/org_domain_test.go
@ -47,12 +47,14 @@ func TestAddDomain(t *testing.T) {
 			},
 		},
 		{
-			name: "correct",
+			name: "correct (should verify domain)",
 			args: args{
 				a:      agg,
 				domain: "domain",
 				filter: func(ctx context.Context, queryFactory *eventstore.SearchQueryBuilder) ([]eventstore.Event, error) {
-					return nil, nil
+					return []eventstore.Event{
 						org.NewDomainPolicyAddedEvent(ctx, &agg.Aggregate, true, true),
 					}, nil
 				},
 			},
 			want: Want{
@ -61,6 +63,24 @@ func TestAddDomain(t *testing.T) {
 				},
 			},
 		},
 		{
 			name: "correct (should not verify domain)",
 			args: args{
 				a:      agg,
 				domain: "domain",
 				filter: func(ctx context.Context, queryFactory *eventstore.SearchQueryBuilder) ([]eventstore.Event, error) {
 					return []eventstore.Event{
 						org.NewDomainPolicyAddedEvent(ctx, &agg.Aggregate, true, false),
 					}, nil
 				},
 			},
 			want: Want{
 				Commands: []eventstore.Command{
 					org.NewDomainAddedEvent(context.Background(), &agg.Aggregate, "domain"),
 					org.NewDomainVerifiedEvent(context.Background(), &agg.Aggregate, "domain"),
 				},
 			},
 		},
 		{
 			name: "already verified",
 			args: args{
@ -1022,7 +1042,7 @@ func TestCommandSide_ValidateOrgDomain(t *testing.T) {
 						eventFromEventPusher(
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org2", "org2").Aggregate,
-								false))),
+								false, false))),
 					expectPush(
 						[]*repository.Event{
 							eventFromEventPusher(org.NewDomainVerifiedEvent(context.Background(),
--- a/internal/command/org_policy_domain.go
+++ b/internal/command/org_policy_domain.go
@ -39,7 +39,7 @@ func (c *Commands) addOrgDomainPolicy(ctx context.Context, orgAgg *eventstore.Ag
 	if addedPolicy.State == domain.PolicyStateActive {
 		return nil, caos_errs.ThrowAlreadyExists(nil, "ORG-1M8ds", "Errors.Org.DomainPolicy.AlreadyExists")
 	}
-	return org.NewDomainPolicyAddedEvent(ctx, orgAgg, policy.UserLoginMustBeDomain), nil
+	return org.NewDomainPolicyAddedEvent(ctx, orgAgg, policy.UserLoginMustBeDomain, policy.ValidateOrgDomains), nil
 }
 func (c *Commands) ChangeOrgDomainPolicy(ctx context.Context, resourceOwner string, policy *domain.DomainPolicy) (*domain.DomainPolicy, error) {
@ -55,7 +55,7 @@ func (c *Commands) ChangeOrgDomainPolicy(ctx context.Context, resourceOwner stri
 	}
 	orgAgg := OrgAggregateFromWriteModel(&existingPolicy.PolicyDomainWriteModel.WriteModel)
-	changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, orgAgg, policy.UserLoginMustBeDomain)
+	changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, orgAgg, policy.UserLoginMustBeDomain, policy.ValidateOrgDomains)
 	if !hasChanged {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "ORG-3M9ds", "Errors.Org.LabelPolicy.NotChanged")
 	}
--- a/internal/command/org_policy_domain_model.go
+++ b/internal/command/org_policy_domain_model.go
@ -56,11 +56,15 @@ func (wm *OrgDomainPolicyWriteModel) Query() *eventstore.SearchQueryBuilder {
 func (wm *OrgDomainPolicyWriteModel) NewChangedEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
-	userLoginMustBeDomain bool) (*org.DomainPolicyChangedEvent, bool) {
+	userLoginMustBeDomain,
-	changes := make([]policy.OrgPolicyChanges, 0)
+	validateOrgDomains bool) (*org.DomainPolicyChangedEvent, bool) {
 	changes := make([]policy.DomainPolicyChanges, 0)
 	if wm.UserLoginMustBeDomain != userLoginMustBeDomain {
 		changes = append(changes, policy.ChangeUserLoginMustBeDomain(userLoginMustBeDomain))
 	}
 	if wm.ValidateOrgDomains != validateOrgDomains {
 		changes = append(changes, policy.ChangeValidateOrgDomains(validateOrgDomains))
 	}
 	if len(changes) == 0 {
 		return nil, false
 	}
--- a/internal/command/org_policy_domain_test.go
+++ b/internal/command/org_policy_domain_test.go
@ -45,6 +45,7 @@ func TestCommandSide_AddDomainPolicy(t *testing.T) {
 				ctx: context.Background(),
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
 					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@ -61,6 +62,7 @@ func TestCommandSide_AddDomainPolicy(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -71,6 +73,7 @@ func TestCommandSide_AddDomainPolicy(t *testing.T) {
 				orgID: "org1",
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
 					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@ -89,6 +92,7 @@ func TestCommandSide_AddDomainPolicy(t *testing.T) {
 								org.NewDomainPolicyAddedEvent(context.Background(),
 									&org.NewAggregate("org1", "org1").Aggregate,
 									true,
 									true,
 								),
 							),
 						},
@ -100,6 +104,7 @@ func TestCommandSide_AddDomainPolicy(t *testing.T) {
 				orgID: "org1",
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
 					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@ -109,6 +114,7 @@ func TestCommandSide_AddDomainPolicy(t *testing.T) {
 						ResourceOwner: "org1",
 					},
 					UserLoginMustBeDomain: true,
 					ValidateOrgDomains:    true,
 				},
 			},
 		},
@ -162,6 +168,7 @@ func TestCommandSide_ChangeDomainPolicy(t *testing.T) {
 				ctx: context.Background(),
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
 					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@ -181,6 +188,7 @@ func TestCommandSide_ChangeDomainPolicy(t *testing.T) {
 				orgID: "org1",
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
 					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@ -197,6 +205,7 @@ func TestCommandSide_ChangeDomainPolicy(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -207,6 +216,7 @@ func TestCommandSide_ChangeDomainPolicy(t *testing.T) {
 				orgID: "org1",
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: true,
 					ValidateOrgDomains:    true,
 				},
 			},
 			res: res{
@ -223,13 +233,14 @@ func TestCommandSide_ChangeDomainPolicy(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
 					expectPush(
 						[]*repository.Event{
 							eventFromEventPusher(
-								newDomainPolicyChangedEvent(context.Background(), "org1", false),
+								newDomainPolicyChangedEvent(context.Background(), "org1", false, false),
 							),
 						},
 					),
@ -240,6 +251,7 @@ func TestCommandSide_ChangeDomainPolicy(t *testing.T) {
 				orgID: "org1",
 				policy: &domain.DomainPolicy{
 					UserLoginMustBeDomain: false,
 					ValidateOrgDomains:    false,
 				},
 			},
 			res: res{
@ -249,6 +261,7 @@ func TestCommandSide_ChangeDomainPolicy(t *testing.T) {
 						ResourceOwner: "org1",
 					},
 					UserLoginMustBeDomain: false,
 					ValidateOrgDomains:    false,
 				},
 			},
 		},
@ -330,6 +343,7 @@ func TestCommandSide_RemoveDomainPolicy(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -370,11 +384,12 @@ func TestCommandSide_RemoveDomainPolicy(t *testing.T) {
 	}
 }
-func newDomainPolicyChangedEvent(ctx context.Context, orgID string, userLoginMustBeDomain bool) *org.DomainPolicyChangedEvent {
+func newDomainPolicyChangedEvent(ctx context.Context, orgID string, userLoginMustBeDomain, validateOrgDomains bool) *org.DomainPolicyChangedEvent {
 	event, _ := org.NewDomainPolicyChangedEvent(ctx,
 		&org.NewAggregate(orgID, orgID).Aggregate,
-		[]policy.OrgPolicyChanges{
+		[]policy.DomainPolicyChanges{
 			policy.ChangeUserLoginMustBeDomain(userLoginMustBeDomain),
 			policy.ChangeValidateOrgDomains(validateOrgDomains),
 		},
 	)
 	return event
--- a/internal/command/policy_org_model.go
+++ b/internal/command/policy_org_model.go
@ -10,6 +10,7 @@ type PolicyDomainWriteModel struct {
 	eventstore.WriteModel
 	UserLoginMustBeDomain bool
 	ValidateOrgDomains    bool
 	State                 domain.PolicyState
 }
@ -18,11 +19,15 @@ func (wm *PolicyDomainWriteModel) Reduce() error {
 		switch e := event.(type) {
 		case *policy.DomainPolicyAddedEvent:
 			wm.UserLoginMustBeDomain = e.UserLoginMustBeDomain
 			wm.ValidateOrgDomains = e.ValidateOrgDomains
 			wm.State = domain.PolicyStateActive
 		case *policy.DomainPolicyChangedEvent:
 			if e.UserLoginMustBeDomain != nil {
 				wm.UserLoginMustBeDomain = *e.UserLoginMustBeDomain
 			}
 			if e.ValidateOrgDomains != nil {
 				wm.ValidateOrgDomains = *e.ValidateOrgDomains
 			}
 		}
 	}
 	return wm.WriteModel.Reduce()
--- a/internal/command/user_domain_policy_test.go
+++ b/internal/command/user_domain_policy_test.go
@ -53,6 +53,7 @@ func Test_customDomainPolicy(t *testing.T) {
 							context.Background(),
 							&org.NewAggregate("id", "ro").Aggregate,
 							true,
 							true,
 						),
 					}, nil
 				},
@ -64,6 +65,7 @@ func Test_customDomainPolicy(t *testing.T) {
 					Events:        []eventstore.Event{},
 				},
 				UserLoginMustBeDomain: true,
 				ValidateOrgDomains:    true,
 				State:                 domain.PolicyStateActive,
 			},
 			wantErr: false,
@ -122,6 +124,7 @@ func Test_defaultDomainPolicy(t *testing.T) {
 							context.Background(),
 							&instance.NewAggregate("INSTANCE").Aggregate,
 							true,
 							true,
 						),
 					}, nil
 				},
@ -133,6 +136,7 @@ func Test_defaultDomainPolicy(t *testing.T) {
 					Events:        []eventstore.Event{},
 				},
 				UserLoginMustBeDomain: true,
 				ValidateOrgDomains:    true,
 				State:                 domain.PolicyStateActive,
 			},
 			wantErr: false,
@ -181,6 +185,7 @@ func Test_DomainPolicy(t *testing.T) {
 							context.Background(),
 							&org.NewAggregate("id", "ro").Aggregate,
 							true,
 							true,
 						),
 					}, nil
 				},
@ -192,6 +197,7 @@ func Test_DomainPolicy(t *testing.T) {
 					Events:        []eventstore.Event{},
 				},
 				UserLoginMustBeDomain: true,
 				ValidateOrgDomains:    true,
 				State:                 domain.PolicyStateActive,
 			},
 			wantErr: false,
@ -224,6 +230,7 @@ func Test_DomainPolicy(t *testing.T) {
 								context.Background(),
 								&instance.NewAggregate("INSTANCE").Aggregate,
 								true,
 								true,
 							),
 						}, nil
 					}).
@ -236,6 +243,7 @@ func Test_DomainPolicy(t *testing.T) {
 					Events:        []eventstore.Event{},
 				},
 				UserLoginMustBeDomain: true,
 				ValidateOrgDomains:    true,
 				State:                 domain.PolicyStateActive,
 			},
 			wantErr: false,
--- a/internal/command/user_human_otp_test.go
+++ b/internal/command/user_human_otp_test.go
@ -179,6 +179,7 @@ func TestCommandSide_AddHumanOTP(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
--- a/internal/command/user_human_test.go
+++ b/internal/command/user_human_test.go
@ -112,6 +112,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&userAgg.Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -167,6 +168,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&userAgg.Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -282,6 +284,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -398,6 +401,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&userAgg.Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -493,6 +497,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&userAgg.Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -575,6 +580,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&userAgg.Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -793,6 +799,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -828,6 +835,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -869,6 +877,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -957,6 +966,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -1039,6 +1049,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -1143,6 +1154,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -1251,6 +1263,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -1355,6 +1368,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -1556,6 +1570,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -1594,6 +1609,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -1640,6 +1656,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -1702,6 +1719,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -1764,6 +1782,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								false,
 								true,
 							),
 						),
 					),
@ -1843,6 +1862,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								false,
 								true,
 							),
 						),
 					),
@ -1980,6 +2000,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -2085,6 +2106,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("org1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -2184,6 +2206,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -2305,6 +2328,7 @@ func TestCommandSide_RegisterHuman(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -2875,6 +2899,7 @@ func TestAddHumanCommand(t *testing.T) {
 								context.Background(),
 								&org.NewAggregate("id", "ro").Aggregate,
 								true,
 								true,
 							),
 						}, nil
 					}).
@ -2917,6 +2942,7 @@ func TestAddHumanCommand(t *testing.T) {
 								context.Background(),
 								&org.NewAggregate("id", "ro").Aggregate,
 								true,
 								true,
 							),
 						}, nil
 					}).
--- a/internal/command/user_machine_test.go
+++ b/internal/command/user_machine_test.go
@ -86,6 +86,7 @@ func TestCommandSide_AddMachine(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								false,
 								true,
 							),
 						),
 					),
@ -113,6 +114,7 @@ func TestCommandSide_AddMachine(t *testing.T) {
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
--- a/internal/command/user_test.go
+++ b/internal/command/user_test.go
@ -207,6 +207,7 @@ func TestCommandSide_UsernameChange(t *testing.T) {
 							instance.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -249,6 +250,7 @@ func TestCommandSide_UsernameChange(t *testing.T) {
 							instance.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -1032,6 +1034,7 @@ func TestCommandSide_RemoveUser(t *testing.T) {
 							instance.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -1096,6 +1099,7 @@ func TestCommandSide_RemoveUser(t *testing.T) {
 							instance.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
@ -1153,6 +1157,7 @@ func TestCommandSide_RemoveUser(t *testing.T) {
 							instance.NewDomainPolicyAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								true,
 								true,
 							),
 						),
 					),
--- a/internal/domain/policy_org_iam.go
+++ b/internal/domain/policy_org_iam.go
@ -8,5 +8,6 @@ type DomainPolicy struct {
 	models.ObjectRoot
 	UserLoginMustBeDomain bool
 	ValidateOrgDomains    bool
 	Default               bool
 }
--- a/internal/query/org_iam_policy.go
+++ b/internal/query/org_iam_policy.go
@ -24,6 +24,7 @@ type DomainPolicy struct {
 	State         domain.PolicyState
 	UserLoginMustBeDomain bool
 	ValidateOrgDomains    bool
 	IsDefault bool
 }
@ -60,6 +61,10 @@ var (
 		name:  projection.DomainPolicyUserLoginMustBeDomainCol,
 		table: domainPolicyTable,
 	}
 	DomainPolicyColValidateOrgDomains = Column{
 		name:  projection.DomainPolicyValidateOrgDomainsCol,
 		table: domainPolicyTable,
 	}
 	DomainPolicyColIsDefault = Column{
 		name:  projection.DomainPolicyIsDefaultCol,
 		table: domainPolicyTable,
@ -120,6 +125,7 @@ func prepareDomainPolicyQuery() (sq.SelectBuilder, func(*sql.Row) (*DomainPolicy
 			DomainPolicyColChangeDate.identifier(),
 			DomainPolicyColResourceOwner.identifier(),
 			DomainPolicyColUserLoginMustBeDomain.identifier(),
 			DomainPolicyColValidateOrgDomains.identifier(),
 			DomainPolicyColIsDefault.identifier(),
 			DomainPolicyColState.identifier(),
 		).
@ -133,6 +139,7 @@ func prepareDomainPolicyQuery() (sq.SelectBuilder, func(*sql.Row) (*DomainPolicy
 				&policy.ChangeDate,
 				&policy.ResourceOwner,
 				&policy.UserLoginMustBeDomain,
 				&policy.ValidateOrgDomains,
 				&policy.IsDefault,
 				&policy.State,
 			)
--- a/internal/query/org_iam_policy_test.go
+++ b/internal/query/org_iam_policy_test.go
@ -34,6 +34,7 @@ func Test_DomainPolicyPrepares(t *testing.T) {
 						` projections.domain_policies.change_date,`+
 						` projections.domain_policies.resource_owner,`+
 						` projections.domain_policies.user_login_must_be_domain,`+
 						` projections.domain_policies.validate_org_domains,`+
 						` projections.domain_policies.is_default,`+
 						` projections.domain_policies.state`+
 						` FROM projections.domain_policies`),
@ -60,6 +61,7 @@ func Test_DomainPolicyPrepares(t *testing.T) {
 						` projections.domain_policies.change_date,`+
 						` projections.domain_policies.resource_owner,`+
 						` projections.domain_policies.user_login_must_be_domain,`+
 						` projections.domain_policies.validate_org_domains,`+
 						` projections.domain_policies.is_default,`+
 						` projections.domain_policies.state`+
 						` FROM projections.domain_policies`),
@ -70,6 +72,7 @@ func Test_DomainPolicyPrepares(t *testing.T) {
 						"change_date",
 						"resource_owner",
 						"user_login_must_be_domain",
 						"validate_org_domains",
 						"is_default",
 						"state",
 					},
@ -81,6 +84,7 @@ func Test_DomainPolicyPrepares(t *testing.T) {
 						"ro",
 						true,
 						true,
 						true,
 						domain.PolicyStateActive,
 					},
 				),
@ -93,6 +97,7 @@ func Test_DomainPolicyPrepares(t *testing.T) {
 				ResourceOwner:         "ro",
 				State:                 domain.PolicyStateActive,
 				UserLoginMustBeDomain: true,
 				ValidateOrgDomains:    true,
 				IsDefault:             true,
 			},
 		},
@ -107,6 +112,7 @@ func Test_DomainPolicyPrepares(t *testing.T) {
 						` projections.domain_policies.change_date,`+
 						` projections.domain_policies.resource_owner,`+
 						` projections.domain_policies.user_login_must_be_domain,`+
 						` projections.domain_policies.validate_org_domains,`+
 						` projections.domain_policies.is_default,`+
 						` projections.domain_policies.state`+
 						` FROM projections.domain_policies`),
--- a/internal/query/projection/domain_policy.go
+++ b/internal/query/projection/domain_policy.go
@ -22,6 +22,7 @@ const (
 	DomainPolicySequenceCol              = "sequence"
 	DomainPolicyStateCol                 = "state"
 	DomainPolicyUserLoginMustBeDomainCol = "user_login_must_be_domain"
 	DomainPolicyValidateOrgDomainsCol    = "validate_org_domains"
 	DomainPolicyIsDefaultCol             = "is_default"
 	DomainPolicyResourceOwnerCol         = "resource_owner"
 	DomainPolicyInstanceIDCol            = "instance_id"
@ -43,6 +44,7 @@ func NewDomainPolicyProjection(ctx context.Context, config crdb.StatementHandler
 			crdb.NewColumn(DomainPolicySequenceCol, crdb.ColumnTypeInt64),
 			crdb.NewColumn(DomainPolicyStateCol, crdb.ColumnTypeEnum),
 			crdb.NewColumn(DomainPolicyUserLoginMustBeDomainCol, crdb.ColumnTypeBool),
 			crdb.NewColumn(DomainPolicyValidateOrgDomainsCol, crdb.ColumnTypeBool),
 			crdb.NewColumn(DomainPolicyIsDefaultCol, crdb.ColumnTypeBool, crdb.Default(false)),
 			crdb.NewColumn(DomainPolicyResourceOwnerCol, crdb.ColumnTypeText),
 			crdb.NewColumn(DomainPolicyInstanceIDCol, crdb.ColumnTypeText),
@ -111,6 +113,7 @@ func (p *DomainPolicyProjection) reduceAdded(event eventstore.Event) (*handler.S
 			handler.NewCol(DomainPolicyIDCol, policyEvent.Aggregate().ID),
 			handler.NewCol(DomainPolicyStateCol, domain.PolicyStateActive),
 			handler.NewCol(DomainPolicyUserLoginMustBeDomainCol, policyEvent.UserLoginMustBeDomain),
 			handler.NewCol(DomainPolicyValidateOrgDomainsCol, policyEvent.ValidateOrgDomains),
 			handler.NewCol(DomainPolicyIsDefaultCol, isDefault),
 			handler.NewCol(DomainPolicyResourceOwnerCol, policyEvent.Aggregate().ResourceOwner),
 			handler.NewCol(DomainPolicyInstanceIDCol, policyEvent.Aggregate().InstanceID),
@ -134,6 +137,9 @@ func (p *DomainPolicyProjection) reduceChanged(event eventstore.Event) (*handler
 	if policyEvent.UserLoginMustBeDomain != nil {
 		cols = append(cols, handler.NewCol(DomainPolicyUserLoginMustBeDomainCol, *policyEvent.UserLoginMustBeDomain))
 	}
 	if policyEvent.ValidateOrgDomains != nil {
 		cols = append(cols, handler.NewCol(DomainPolicyValidateOrgDomainsCol, *policyEvent.ValidateOrgDomains))
 	}
 	return crdb.NewUpdateStatement(
 		&policyEvent,
 		cols,
--- a/internal/query/projection/domain_policy_test.go
+++ b/internal/query/projection/domain_policy_test.go
@ -29,7 +29,8 @@ func TestDomainPolicyProjection_reduces(t *testing.T) {
 					repository.EventType(org.DomainPolicyAddedEventType),
 					org.AggregateType,
 					[]byte(`{
-						"userLoginMustBeDomain": true
+						"userLoginMustBeDomain": true,
 						"validateOrgDomains": true
 }`),
 				), org.DomainPolicyAddedEventMapper),
 			},
@ -42,7 +43,7 @@ func TestDomainPolicyProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "INSERT INTO projections.domain_policies (creation_date, change_date, sequence, id, state, user_login_must_be_domain, is_default, resource_owner, instance_id) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
+							expectedStmt: "INSERT INTO projections.domain_policies (creation_date, change_date, sequence, id, state, user_login_must_be_domain, validate_org_domains, is_default, resource_owner, instance_id) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								anyArg{},
@ -50,6 +51,7 @@ func TestDomainPolicyProjection_reduces(t *testing.T) {
 								"agg-id",
 								domain.PolicyStateActive,
 								true,
 								true,
 								false,
 								"ro-id",
 								"instance-id",
@ -67,7 +69,8 @@ func TestDomainPolicyProjection_reduces(t *testing.T) {
 					repository.EventType(org.DomainPolicyChangedEventType),
 					org.AggregateType,
 					[]byte(`{
-						"userLoginMustBeDomain": true
+						"userLoginMustBeDomain": true,
 						"validateOrgDomains": true
 		}`),
 				), org.DomainPolicyChangedEventMapper),
 			},
@ -79,11 +82,12 @@ func TestDomainPolicyProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.domain_policies SET (change_date, sequence, user_login_must_be_domain) = ($1, $2, $3) WHERE (id = $4)",
+							expectedStmt: "UPDATE projections.domain_policies SET (change_date, sequence, user_login_must_be_domain, validate_org_domains) = ($1, $2, $3, $4) WHERE (id = $5)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
 								true,
 								true,
 								"agg-id",
 							},
 						},
@ -126,7 +130,8 @@ func TestDomainPolicyProjection_reduces(t *testing.T) {
 					repository.EventType(instance.DomainPolicyAddedEventType),
 					instance.AggregateType,
 					[]byte(`{
-						"userLoginMustBeDomain": true
+						"userLoginMustBeDomain": true,
 						"validateOrgDomains": true
 					}`),
 				), instance.DomainPolicyAddedEventMapper),
 			},
@ -138,7 +143,7 @@ func TestDomainPolicyProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "INSERT INTO projections.domain_policies (creation_date, change_date, sequence, id, state, user_login_must_be_domain, is_default, resource_owner, instance_id) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
+							expectedStmt: "INSERT INTO projections.domain_policies (creation_date, change_date, sequence, id, state, user_login_must_be_domain, validate_org_domains, is_default, resource_owner, instance_id) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								anyArg{},
@ -147,6 +152,7 @@ func TestDomainPolicyProjection_reduces(t *testing.T) {
 								domain.PolicyStateActive,
 								true,
 								true,
 								true,
 								"ro-id",
 								"instance-id",
 							},
@ -163,7 +169,8 @@ func TestDomainPolicyProjection_reduces(t *testing.T) {
 					repository.EventType(instance.DomainPolicyChangedEventType),
 					instance.AggregateType,
 					[]byte(`{
-						"userLoginMustBeDomain": true
+						"userLoginMustBeDomain": true,
 						"validateOrgDomains": true
 					}`),
 				), instance.DomainPolicyChangedEventMapper),
 			},
@ -175,11 +182,12 @@ func TestDomainPolicyProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.domain_policies SET (change_date, sequence, user_login_must_be_domain) = ($1, $2, $3) WHERE (id = $4)",
+							expectedStmt: "UPDATE projections.domain_policies SET (change_date, sequence, user_login_must_be_domain, validate_org_domains) = ($1, $2, $3, $4) WHERE (id = $5)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
 								true,
 								true,
 								"agg-id",
 							},
 						},
--- a/internal/repository/instance/policy_domain.go
+++ b/internal/repository/instance/policy_domain.go
@ -21,7 +21,8 @@ type DomainPolicyAddedEvent struct {
 func NewDomainPolicyAddedEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
-	userLoginMustBeDomain bool,
+	userLoginMustBeDomain,
 	validateOrgDomain bool,
 ) *DomainPolicyAddedEvent {
 	return &DomainPolicyAddedEvent{
 		DomainPolicyAddedEvent: *policy.NewDomainPolicyAddedEvent(
@ -30,6 +31,7 @@ func NewDomainPolicyAddedEvent(
 				aggregate,
 				DomainPolicyAddedEventType),
 			userLoginMustBeDomain,
 			validateOrgDomain,
 		),
 	}
 }
@ -50,7 +52,7 @@ type DomainPolicyChangedEvent struct {
 func NewDomainPolicyChangedEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
-	changes []policy.OrgPolicyChanges,
+	changes []policy.DomainPolicyChanges,
 ) (*DomainPolicyChangedEvent, error) {
 	changedEvent, err := policy.NewDomainPolicyChangedEvent(
 		eventstore.NewBaseEventForPush(
--- a/internal/repository/org/policy_domain.go
+++ b/internal/repository/org/policy_domain.go
@ -22,7 +22,8 @@ type DomainPolicyAddedEvent struct {
 func NewDomainPolicyAddedEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
-	userLoginMustBeDomain bool,
+	userLoginMustBeDomain,
 	validateOrgDomains bool,
 ) *DomainPolicyAddedEvent {
 	return &DomainPolicyAddedEvent{
 		DomainPolicyAddedEvent: *policy.NewDomainPolicyAddedEvent(
@ -31,6 +32,7 @@ func NewDomainPolicyAddedEvent(
 				aggregate,
 				DomainPolicyAddedEventType),
 			userLoginMustBeDomain,
 			validateOrgDomains,
 		),
 	}
 }
@ -51,7 +53,7 @@ type DomainPolicyChangedEvent struct {
 func NewDomainPolicyChangedEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
-	changes []policy.OrgPolicyChanges,
+	changes []policy.DomainPolicyChanges,
 ) (*DomainPolicyChangedEvent, error) {
 	changedEvent, err := policy.NewDomainPolicyChangedEvent(
 		eventstore.NewBaseEventForPush(
--- a/internal/repository/policy/policy_domain.go
+++ b/internal/repository/policy/policy_domain.go
@ -20,6 +20,7 @@ type DomainPolicyAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 	UserLoginMustBeDomain bool `json:"userLoginMustBeDomain,omitempty"`
 	ValidateOrgDomains    bool `json:"validateOrgDomains,omitempty"`
 }
 func (e *DomainPolicyAddedEvent) Data() interface{} {
@ -32,12 +33,14 @@ func (e *DomainPolicyAddedEvent) UniqueConstraints() []*eventstore.EventUniqueCo
 func NewDomainPolicyAddedEvent(
 	base *eventstore.BaseEvent,
-	userLoginMustBeDomain bool,
+	userLoginMustBeDomain,
 	validateOrgDomains bool,
 ) *DomainPolicyAddedEvent {
 	return &DomainPolicyAddedEvent{
 		BaseEvent:             *base,
 		UserLoginMustBeDomain: userLoginMustBeDomain,
 		ValidateOrgDomains:    validateOrgDomains,
 	}
 }
@ -58,6 +61,7 @@ type DomainPolicyChangedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 	UserLoginMustBeDomain *bool `json:"userLoginMustBeDomain,omitempty"`
 	ValidateOrgDomains    *bool `json:"validateOrgDomains,omitempty"`
 }
 func (e *DomainPolicyChangedEvent) Data() interface{} {
@ -70,7 +74,7 @@ func (e *DomainPolicyChangedEvent) UniqueConstraints() []*eventstore.EventUnique
 func NewDomainPolicyChangedEvent(
 	base *eventstore.BaseEvent,
-	changes []OrgPolicyChanges,
+	changes []DomainPolicyChanges,
 ) (*DomainPolicyChangedEvent, error) {
 	if len(changes) == 0 {
 		return nil, errors.ThrowPreconditionFailed(nil, "POLICY-DAf3h", "Errors.NoChangesFound")
@ -84,7 +88,7 @@ func NewDomainPolicyChangedEvent(
 	return changeEvent, nil
 }
-type OrgPolicyChanges func(*DomainPolicyChangedEvent)
+type DomainPolicyChanges func(*DomainPolicyChangedEvent)
 func ChangeUserLoginMustBeDomain(userLoginMustBeDomain bool) func(*DomainPolicyChangedEvent) {
 	return func(e *DomainPolicyChangedEvent) {
@ -92,6 +96,12 @@ func ChangeUserLoginMustBeDomain(userLoginMustBeDomain bool) func(*DomainPolicyC
 	}
 }
 func ChangeValidateOrgDomains(validateOrgDomain bool) func(*DomainPolicyChangedEvent) {
 	return func(e *DomainPolicyChangedEvent) {
 		e.ValidateOrgDomains = &validateOrgDomain
 	}
 }
 func DomainPolicyChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
 	e := &DomainPolicyChangedEvent{
 		BaseEvent: *eventstore.BaseEventFromRepo(event),
--- a/proto/zitadel/admin.proto
+++ b/proto/zitadel/admin.proto
@ -3589,6 +3589,7 @@ message GetDomainPolicyResponse {
 message UpdateDomainPolicyRequest {
    bool user_login_must_be_domain = 1;
    bool validate_org_domains = 2;
 }
 message UpdateDomainPolicyResponse {
@ -3637,6 +3638,11 @@ message AddCustomDomainPolicyRequest {
            description: "the username has to end with the domain of it's organisation"
        }
    ]; // the username has to end with the domain of it's organisation (uniqueness is organisation based)
    bool validate_org_domains = 3 [
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            description: "defines if organisation domains should be validated org count as validated automatically"
        }
    ];
 }
 message AddCustomDomainPolicyResponse {
@ -3663,6 +3669,11 @@ message UpdateCustomDomainPolicyRequest {
            description: "the username has to end with the domain of it's organisation"
        }
    ];
    bool validate_org_domains = 3 [
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            description: "defines if organisation domains should be validated org count as validated automatically"
        }
    ];
 }
 message UpdateCustomDomainPolicyResponse {
--- a/proto/zitadel/policy.proto
+++ b/proto/zitadel/policy.proto
@ -35,6 +35,11 @@ message DomainPolicy {
            description: "defines if the organisation's admin changed the policy"
        }
    ];
    bool validate_org_domains = 4 [
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            description: "defines if organisation domains should be validated org count as validated automatically"
        }
    ];
 }
 message LabelPolicy {