fix: uniqueness (#1710)

* fix: uniqueconstraint to lower

* feat: change org

* feat: org change test

* feat: change org

* fix: tests

* fix: handle domain claims correctly

* feat: update org

Co-authored-by: fabi <fabienne.gerschwiler@gmail.com>

cmd/zitadel/main.go

@@ -166,7 +166,7 @@ func startAPI(ctx context.Context, conf *Config, authZRepo *authz_repo.EsReposit
 	apis := api.Create(conf.API, conf.InternalAuthZ, authZRepo, authRepo, repo, conf.SystemDefaults)
 
 	if *adminEnabled {
-		apis.RegisterServer(ctx, admin.CreateServer(command, query, repo))
+		apis.RegisterServer(ctx, admin.CreateServer(command, query, repo, conf.SystemDefaults.Domain))
 	}
 	if *managementEnabled {
 		managementRepo, err := mgmt_es.Start(conf.Mgmt, conf.SystemDefaults, roles, query)

docs/docs/apis/proto/management.md

@@ -489,6 +489,16 @@ Creates a new organisation
 
 
 
+### UpdateOrg
+
+> **rpc** UpdateOrg([UpdateOrgRequest](#updateorgrequest))
+[UpdateOrgResponse](#updateorgresponse)
+
+Changes my organisation
+
+
+
+
 ### DeactivateOrg
 
 > **rpc** DeactivateOrg([DeactivateOrgRequest](#deactivateorgrequest))
@@ -5274,6 +5284,28 @@ This is an empty request
 
 
 
+### UpdateOrgRequest
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| name |  string | - | string.min_len: 1<br /> string.max_len: 200<br />  |
+
+
+
+
+### UpdateOrgResponse
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| details |  zitadel.v1.ObjectDetails | - |  |
+
+
+
+
 ### UpdateProjectGrantMemberRequest
 
 

internal/admin/repository/eventsourcing/eventstore/user.go

@@ -0,0 +1,44 @@
+package eventstore
+
+import (
+	"context"
+
+	"github.com/caos/logging"
+
+	"github.com/caos/zitadel/internal/admin/repository/eventsourcing/view"
+	"github.com/caos/zitadel/internal/config/systemdefaults"
+	"github.com/caos/zitadel/internal/eventstore/v1"
+	"github.com/caos/zitadel/internal/user/model"
+	usr_view_model "github.com/caos/zitadel/internal/user/repository/view/model"
+)
+
+type UserRepo struct {
+	SearchLimit    uint64
+	Eventstore     v1.Eventstore
+	View           *view.View
+	SystemDefaults systemdefaults.SystemDefaults
+}
+
+func (repo *UserRepo) Health(ctx context.Context) error {
+	return repo.Eventstore.Health(ctx)
+}
+
+func (repo *UserRepo) SearchUsers(ctx context.Context, request *model.UserSearchRequest) (*model.UserSearchResponse, error) {
+	sequence, sequenceErr := repo.View.GetLatestUserSequence()
+	logging.Log("EVENT-Gdbgfw").OnError(sequenceErr).Warn("could not read latest user sequence")
+	users, count, err := repo.View.SearchUsers(request)
+	if err != nil {
+		return nil, err
+	}
+	result := &model.UserSearchResponse{
+		Offset:      request.Offset,
+		Limit:       request.Limit,
+		TotalResult: count,
+		Result:      usr_view_model.UsersToModel(users),
+	}
+	if sequenceErr == nil {
+		result.Sequence = sequence.CurrentSequence
+		result.Timestamp = sequence.LastSuccessfulSpoolerRun
+	}
+	return result, nil
+}

internal/admin/repository/eventsourcing/repository.go

@@ -25,6 +25,7 @@ type EsRepository struct {
 	eventstore.IAMRepository
 	eventstore.AdministratorRepo
 	eventstore.FeaturesRepo
+	eventstore.UserRepo
 }
 
 func Start(ctx context.Context, conf Config, systemDefaults sd.SystemDefaults, roles []string) (*EsRepository, error) {
@@ -67,6 +68,12 @@ func Start(ctx context.Context, conf Config, systemDefaults sd.SystemDefaults, r
 			SearchLimit:    conf.SearchLimit,
 			SystemDefaults: systemDefaults,
 		},
+		UserRepo: eventstore.UserRepo{
+			Eventstore:     es,
+			View:           view,
+			SearchLimit:    conf.SearchLimit,
+			SystemDefaults: systemDefaults,
+		},
 	}, nil
 }
 

internal/admin/repository/repository.go

@@ -8,4 +8,5 @@ type Repository interface {
 	IAMRepository
 	AdministratorRepository
 	FeaturesRepository
+	UserRepository
 }

internal/admin/repository/user.go

@@ -0,0 +1,11 @@
+package repository
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/user/model"
+)
+
+type UserRepository interface {
+	SearchUsers(ctx context.Context, request *model.UserSearchRequest) (*model.UserSearchResponse, error)
+}

internal/api/grpc/admin/org.go

@@ -2,7 +2,10 @@ package admin
 
 import (
 	"context"
+	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/api/grpc/object"
+	"github.com/caos/zitadel/internal/domain"
+	usr_model "github.com/caos/zitadel/internal/user/model"
 
 	org_grpc "github.com/caos/zitadel/internal/api/grpc/org"
 	admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
@@ -34,10 +37,14 @@ func (s *Server) ListOrgs(ctx context.Context, req *admin_pb.ListOrgsRequest) (*
 }
 
 func (s *Server) SetUpOrg(ctx context.Context, req *admin_pb.SetUpOrgRequest) (*admin_pb.SetUpOrgResponse, error) {
+	userIDs, err := s.getClaimedUserIDsOfOrgDomain(ctx, domain.NewIAMDomainName(req.Org.Name, s.iamDomain))
+	if err != nil {
+		return nil, err
+	}
 	human := setUpOrgHumanToDomain(req.User.(*admin_pb.SetUpOrgRequest_Human_).Human) //TODO: handle machine
 	org := setUpOrgOrgToDomain(req.Org)
 
-	objectDetails, err := s.command.SetUpOrg(ctx, org, human)
+	objectDetails, err := s.command.SetUpOrg(ctx, org, human, userIDs)
 	if err != nil {
 		return nil, err
 	}
@@ -45,3 +52,28 @@ func (s *Server) SetUpOrg(ctx context.Context, req *admin_pb.SetUpOrgRequest) (*
 		Details: object.DomainToAddDetailsPb(objectDetails),
 	}, nil
 }
+
+func (s *Server) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgDomain string) ([]string, error) {
+	users, err := s.users.SearchUsers(ctx, &usr_model.UserSearchRequest{
+		Queries: []*usr_model.UserSearchQuery{
+			{
+				Key:    usr_model.UserSearchKeyPreferredLoginName,
+				Method: domain.SearchMethodEndsWithIgnoreCase,
+				Value:  orgDomain,
+			},
+			{
+				Key:    usr_model.UserSearchKeyResourceOwner,
+				Method: domain.SearchMethodNotEquals,
+				Value:  authz.GetCtxData(ctx).OrgID,
+			},
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+	userIDs := make([]string, len(users.Result))
+	for i, user := range users.Result {
+		userIDs[i] = user.ID
+	}
+	return userIDs, nil
+}

internal/api/grpc/admin/server.go

@@ -27,13 +27,15 @@ type Server struct {
 	administrator repository.AdministratorRepository
 	repo          repository.Repository
 	features      repository.FeaturesRepository
+	users         repository.UserRepository
+	iamDomain     string
 }
 
 type Config struct {
 	Repository eventsourcing.Config
 }
 
-func CreateServer(command *command.Commands, query *query.Queries, repo repository.Repository) *Server {
+func CreateServer(command *command.Commands, query *query.Queries, repo repository.Repository, iamDomain string) *Server {
 	return &Server{
 		command:       command,
 		query:         query,
@@ -42,6 +44,8 @@ func CreateServer(command *command.Commands, query *query.Queries, repo reposito
 		administrator: repo,
 		repo:          repo,
 		features:      repo,
+		users:         repo,
+		iamDomain:     iamDomain,
 	}
 }
 

internal/api/grpc/management/org.go

@@ -12,6 +12,7 @@ import (
 	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/eventstore/v1/models"
 	org_model "github.com/caos/zitadel/internal/org/model"
+	usr_model "github.com/caos/zitadel/internal/user/model"
 	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
 )
 
@@ -47,8 +48,12 @@ func (s *Server) ListOrgChanges(ctx context.Context, req *mgmt_pb.ListOrgChanges
 }
 
 func (s *Server) AddOrg(ctx context.Context, req *mgmt_pb.AddOrgRequest) (*mgmt_pb.AddOrgResponse, error) {
+	userIDs, err := s.getClaimedUserIDsOfOrgDomain(ctx, domain.NewIAMDomainName(req.Name, s.systemDefaults.Domain))
+	if err != nil {
+		return nil, err
+	}
 	ctxData := authz.GetCtxData(ctx)
-	org, err := s.command.AddOrg(ctx, req.Name, ctxData.UserID, ctxData.ResourceOwner)
+	org, err := s.command.AddOrg(ctx, req.Name, ctxData.UserID, ctxData.ResourceOwner, userIDs)
 	if err != nil {
 		return nil, err
 	}
@@ -62,6 +67,21 @@ func (s *Server) AddOrg(ctx context.Context, req *mgmt_pb.AddOrgRequest) (*mgmt_
 	}, err
 }
 
+func (s *Server) UpdateOrg(ctx context.Context, req *mgmt_pb.UpdateOrgRequest) (*mgmt_pb.UpdateOrgResponse, error) {
+	ctxData := authz.GetCtxData(ctx)
+	org, err := s.command.ChangeOrg(ctx, ctxData.ResourceOwner, req.Name)
+	if err != nil {
+		return nil, err
+	}
+	return &mgmt_pb.UpdateOrgResponse{
+		Details: object.AddToDetailsPb(
+			org.Sequence,
+			org.EventDate,
+			org.ResourceOwner,
+		),
+	}, err
+}
+
 func (s *Server) DeactivateOrg(ctx context.Context, req *mgmt_pb.DeactivateOrgRequest) (*mgmt_pb.DeactivateOrgResponse, error) {
 	objectDetails, err := s.command.DeactivateOrg(ctx, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
@@ -112,7 +132,7 @@ func (s *Server) ListOrgDomains(ctx context.Context, req *mgmt_pb.ListOrgDomains
 }
 
 func (s *Server) AddOrgDomain(ctx context.Context, req *mgmt_pb.AddOrgDomainRequest) (*mgmt_pb.AddOrgDomainResponse, error) {
-	domain, err := s.command.AddOrgDomain(ctx, AddOrgDomainRequestToDomain(ctx, req))
+	domain, err := s.command.AddOrgDomain(ctx, AddOrgDomainRequestToDomain(ctx, req), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -157,7 +177,11 @@ func GenerateOrgDomainValidationRequestToDomain(ctx context.Context, req *mgmt_p
 }
 
 func (s *Server) ValidateOrgDomain(ctx context.Context, req *mgmt_pb.ValidateOrgDomainRequest) (*mgmt_pb.ValidateOrgDomainResponse, error) {
-	details, err := s.command.ValidateOrgDomain(ctx, ValidateOrgDomainRequestToDomain(ctx, req))
+	userIDs, err := s.getClaimedUserIDsOfOrgDomain(ctx, req.Domain)
+	if err != nil {
+		return nil, err
+	}
+	details, err := s.command.ValidateOrgDomain(ctx, ValidateOrgDomainRequestToDomain(ctx, req), userIDs)
 	if err != nil {
 		return nil, err
 	}
@@ -251,3 +275,28 @@ func (s *Server) RemoveOrgMember(ctx context.Context, req *mgmt_pb.RemoveOrgMemb
 		Details: object.DomainToChangeDetailsPb(details),
 	}, nil
 }
+
+func (s *Server) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgDomain string) ([]string, error) {
+	users, err := s.user.SearchUsers(ctx, &usr_model.UserSearchRequest{
+		Queries: []*usr_model.UserSearchQuery{
+			{
+				Key:    usr_model.UserSearchKeyPreferredLoginName,
+				Method: domain.SearchMethodEndsWithIgnoreCase,
+				Value:  orgDomain,
+			},
+			{
+				Key:    usr_model.UserSearchKeyResourceOwner,
+				Method: domain.SearchMethodNotEquals,
+				Value:  authz.GetCtxData(ctx).OrgID,
+			},
+		},
+	}, false)
+	if err != nil {
+		return nil, err
+	}
+	userIDs := make([]string, len(users.Result))
+	for i, user := range users.Result {
+		userIDs[i] = user.ID
+	}
+	return userIDs, nil
+}

internal/api/grpc/management/user.go

@@ -37,7 +37,7 @@ func (s *Server) GetUserByLoginNameGlobal(ctx context.Context, req *mgmt_pb.GetU
 
 func (s *Server) ListUsers(ctx context.Context, req *mgmt_pb.ListUsersRequest) (*mgmt_pb.ListUsersResponse, error) {
 	r := ListUsersRequestToModel(ctx, req)
-	res, err := s.user.SearchUsers(ctx, r)
+	res, err := s.user.SearchUsers(ctx, r, true)
 	if err != nil {
 		return nil, err
 	}

internal/auth/repository/eventsourcing/eventstore/user.go

@@ -220,6 +220,26 @@ func (repo *UserRepo) MachineKeyByID(ctx context.Context, keyID string) (*key_mo
 	return key_view_model.AuthNKeyToModel(key), nil
 }
 
+func (repo *UserRepo) SearchUsers(ctx context.Context, request *model.UserSearchRequest) (*model.UserSearchResponse, error) {
+	sequence, sequenceErr := repo.View.GetLatestUserSequence()
+	logging.Log("EVENT-Gdgsw").OnError(sequenceErr).Warn("could not read latest user sequence")
+	users, count, err := repo.View.SearchUsers(request)
+	if err != nil {
+		return nil, err
+	}
+	result := &model.UserSearchResponse{
+		Offset:      request.Offset,
+		Limit:       request.Limit,
+		TotalResult: count,
+		Result:      usr_view_model.UsersToModel(users),
+	}
+	if sequenceErr == nil {
+		result.Sequence = sequence.CurrentSequence
+		result.Timestamp = sequence.LastSuccessfulSpoolerRun
+	}
+	return result, nil
+}
+
 func (r *UserRepo) getUserChanges(ctx context.Context, userID string, lastSequence uint64, limit uint64, sortAscending bool, retention time.Duration) (*model.UserChanges, error) {
 	query := usr_view.ChangesQuery(userID, lastSequence, limit, sortAscending, retention)
 

internal/auth/repository/user.go

@@ -18,6 +18,8 @@ type UserRepository interface {
 	UserByLoginName(ctx context.Context, loginName string) (*model.UserView, error)
 
 	MachineKeyByID(ctx context.Context, keyID string) (*key_model.AuthNKeyView, error)
+
+	SearchUsers(ctx context.Context, request *model.UserSearchRequest) (*model.UserSearchResponse, error)
 }
 
 type myUserRepo interface {

internal/command/org.go

@@ -30,7 +30,7 @@ func (c *Commands) checkOrgExists(ctx context.Context, orgID string) error {
 	return nil
 }
 
-func (c *Commands) SetUpOrg(ctx context.Context, organisation *domain.Org, admin *domain.Human) (*domain.ObjectDetails, error) {
+func (c *Commands) SetUpOrg(ctx context.Context, organisation *domain.Org, admin *domain.Human, claimedUserIDs []string) (*domain.ObjectDetails, error) {
 	orgIAMPolicy, err := c.getDefaultOrgIAMPolicy(ctx)
 	if err != nil {
 		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-33M9f", "Errors.IAM.OrgIAMPolicy.NotFound")
@@ -39,7 +39,7 @@ func (c *Commands) SetUpOrg(ctx context.Context, organisation *domain.Org, admin
 	if err != nil {
 		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-M5Fsd", "Errors.IAM.PasswordComplexity.NotFound")
 	}
-	_, orgWriteModel, _, _, events, err := c.setUpOrg(ctx, organisation, admin, orgIAMPolicy, pwPolicy)
+	_, orgWriteModel, _, _, events, err := c.setUpOrg(ctx, organisation, admin, orgIAMPolicy, pwPolicy, claimedUserIDs)
 	if err != nil {
 		return nil, err
 	}
@@ -54,8 +54,8 @@ func (c *Commands) SetUpOrg(ctx context.Context, organisation *domain.Org, admin
 	return writeModelToObjectDetails(&orgWriteModel.WriteModel), nil
 }
 
-func (c *Commands) AddOrg(ctx context.Context, name, userID, resourceOwner string) (*domain.Org, error) {
+func (c *Commands) AddOrg(ctx context.Context, name, userID, resourceOwner string, claimedUserIDs []string) (*domain.Org, error) {
-	orgAgg, addedOrg, events, err := c.addOrg(ctx, &domain.Org{Name: name})
+	orgAgg, addedOrg, events, err := c.addOrg(ctx, &domain.Org{Name: name}, claimedUserIDs)
 	if err != nil {
 		return nil, err
 	}
@@ -80,6 +80,41 @@ func (c *Commands) AddOrg(ctx context.Context, name, userID, resourceOwner strin
 	return orgWriteModelToOrg(addedOrg), nil
 }
 
+func (c *Commands) ChangeOrg(ctx context.Context, orgID, name string) (*domain.ObjectDetails, error) {
+	if orgID == "" || name == "" {
+		return nil, caos_errs.ThrowInvalidArgument(nil, "EVENT-Mf9sd", "Errors.Org.Invalid")
+	}
+	orgWriteModel, err := c.getOrgWriteModelByID(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+	if orgWriteModel.State == domain.OrgStateUnspecified || orgWriteModel.State == domain.OrgStateRemoved {
+		return nil, caos_errs.ThrowNotFound(nil, "ORG-1MRds", "Errors.Org.NotFound")
+	}
+	if orgWriteModel.Name == name {
+		return nil, caos_errs.ThrowNotFound(nil, "ORG-4VSdf", "Errors.Org.NotChanged")
+	}
+	orgAgg := OrgAggregateFromWriteModel(&orgWriteModel.WriteModel)
+	events := make([]eventstore.EventPusher, 0)
+	events = append(events, org.NewOrgChangedEvent(ctx, orgAgg, orgWriteModel.Name, name))
+	changeDomainEvents, err := c.changeDefaultDomain(ctx, orgID, name)
+	if err != nil {
+		return nil, err
+	}
+	if len(changeDomainEvents) > 0 {
+		events = append(events, changeDomainEvents...)
+	}
+	pushedEvents, err := c.eventstore.PushEvents(ctx, events...)
+	if err != nil {
+		return nil, err
+	}
+	err = AppendAndReduce(orgWriteModel, pushedEvents...)
+	if err != nil {
+		return nil, err
+	}
+	return writeModelToObjectDetails(&orgWriteModel.WriteModel), nil
+}
+
 func (c *Commands) DeactivateOrg(ctx context.Context, orgID string) (*domain.ObjectDetails, error) {
 	orgWriteModel, err := c.getOrgWriteModelByID(ctx, orgID)
 	if err != nil {
@@ -126,8 +161,8 @@ func (c *Commands) ReactivateOrg(ctx context.Context, orgID string) (*domain.Obj
 	return writeModelToObjectDetails(&orgWriteModel.WriteModel), nil
 }
 
-func (c *Commands) setUpOrg(ctx context.Context, organisation *domain.Org, admin *domain.Human, loginPolicy *domain.OrgIAMPolicy, pwPolicy *domain.PasswordComplexityPolicy) (orgAgg *eventstore.Aggregate, org *OrgWriteModel, human *HumanWriteModel, orgMember *OrgMemberWriteModel, events []eventstore.EventPusher, err error) {
+func (c *Commands) setUpOrg(ctx context.Context, organisation *domain.Org, admin *domain.Human, loginPolicy *domain.OrgIAMPolicy, pwPolicy *domain.PasswordComplexityPolicy, claimedUserIDs []string) (orgAgg *eventstore.Aggregate, org *OrgWriteModel, human *HumanWriteModel, orgMember *OrgMemberWriteModel, events []eventstore.EventPusher, err error) {
-	orgAgg, orgWriteModel, addOrgEvents, err := c.addOrg(ctx, organisation)
+	orgAgg, orgWriteModel, addOrgEvents, err := c.addOrg(ctx, organisation, claimedUserIDs)
 	if err != nil {
 		return nil, nil, nil, nil, nil, err
 	}
@@ -148,7 +183,7 @@ func (c *Commands) setUpOrg(ctx context.Context, organisation *domain.Org, admin
 	return orgAgg, orgWriteModel, human, addedMember, addOrgEvents, nil
 }
 
-func (c *Commands) addOrg(ctx context.Context, organisation *domain.Org, claimedUserIDs ...string) (_ *eventstore.Aggregate, _ *OrgWriteModel, _ []eventstore.EventPusher, err error) {
+func (c *Commands) addOrg(ctx context.Context, organisation *domain.Org, claimedUserIDs []string) (_ *eventstore.Aggregate, _ *OrgWriteModel, _ []eventstore.EventPusher, err error) {
 	if organisation == nil || !organisation.IsValid() {
 		return nil, nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMM-deLSk", "Errors.Org.Invalid")
 	}
@@ -165,7 +200,7 @@ func (c *Commands) addOrg(ctx context.Context, organisation *domain.Org, claimed
 		org.NewOrgAddedEvent(ctx, orgAgg, organisation.Name),
 	}
 	for _, orgDomain := range organisation.Domains {
-		orgDomainEvents, err := c.addOrgDomain(ctx, orgAgg, NewOrgDomainWriteModel(orgAgg.ID, orgDomain.Domain), orgDomain, claimedUserIDs...)
+		orgDomainEvents, err := c.addOrgDomain(ctx, orgAgg, NewOrgDomainWriteModel(orgAgg.ID, orgDomain.Domain), orgDomain, claimedUserIDs)
 		if err != nil {
 			return nil, nil, nil, err
 		} else {

internal/command/org_domain.go

@@ -13,13 +13,13 @@ import (
 	"github.com/caos/zitadel/internal/repository/org"
 )
 
-func (c *Commands) AddOrgDomain(ctx context.Context, orgDomain *domain.OrgDomain) (*domain.OrgDomain, error) {
+func (c *Commands) AddOrgDomain(ctx context.Context, orgDomain *domain.OrgDomain, claimedUserIDs []string) (*domain.OrgDomain, error) {
 	if !orgDomain.IsValid() {
 		return nil, caos_errs.ThrowInvalidArgument(nil, "ORG-R24hb", "Errors.Org.InvalidDomain")
 	}
 	domainWriteModel := NewOrgDomainWriteModel(orgDomain.AggregateID, orgDomain.Domain)
 	orgAgg := OrgAggregateFromWriteModel(&domainWriteModel.WriteModel)
-	events, err := c.addOrgDomain(ctx, orgAgg, domainWriteModel, orgDomain)
+	events, err := c.addOrgDomain(ctx, orgAgg, domainWriteModel, orgDomain, claimedUserIDs)
 	if err != nil {
 		return nil, err
 	}
@@ -72,7 +72,7 @@ func (c *Commands) GenerateOrgDomainValidation(ctx context.Context, orgDomain *d
 	return token, url, nil
 }
 
-func (c *Commands) ValidateOrgDomain(ctx context.Context, orgDomain *domain.OrgDomain, claimedUserIDs ...string) (*domain.ObjectDetails, error) {
+func (c *Commands) ValidateOrgDomain(ctx context.Context, orgDomain *domain.OrgDomain, claimedUserIDs []string) (*domain.ObjectDetails, error) {
 	if orgDomain == nil || !orgDomain.IsValid() || orgDomain.AggregateID == "" {
 		return nil, caos_errs.ThrowInvalidArgument(nil, "ORG-R24hb", "Errors.Org.InvalidDomain")
 	}
@@ -177,7 +177,7 @@ func (c *Commands) RemoveOrgDomain(ctx context.Context, orgDomain *domain.OrgDom
 	return writeModelToObjectDetails(&domainWriteModel.WriteModel), nil
 }
 
-func (c *Commands) addOrgDomain(ctx context.Context, orgAgg *eventstore.Aggregate, addedDomain *OrgDomainWriteModel, orgDomain *domain.OrgDomain, claimedUserIDs ...string) ([]eventstore.EventPusher, error) {
+func (c *Commands) addOrgDomain(ctx context.Context, orgAgg *eventstore.Aggregate, addedDomain *OrgDomainWriteModel, orgDomain *domain.OrgDomain, claimedUserIDs []string) ([]eventstore.EventPusher, error) {
 	err := c.eventstore.FilterToQueryReducer(ctx, addedDomain)
 	if err != nil {
 		return nil, err
@@ -207,6 +207,34 @@ func (c *Commands) addOrgDomain(ctx context.Context, orgAgg *eventstore.Aggregat
 	return events, nil
 }
 
+func (c *Commands) changeDefaultDomain(ctx context.Context, orgID, newName string) ([]eventstore.EventPusher, error) {
+	orgDomains := NewOrgDomainsWriteModel(orgID)
+	err := c.eventstore.FilterToQueryReducer(ctx, orgDomains)
+	if err != nil {
+		return nil, err
+	}
+	defaultDomain := domain.NewIAMDomainName(orgDomains.OrgName, c.iamDomain)
+	isPrimary := defaultDomain == orgDomains.PrimaryDomain
+	orgAgg := OrgAggregateFromWriteModel(&orgDomains.WriteModel)
+	for _, orgDomain := range orgDomains.Domains {
+		if orgDomain.State == domain.OrgDomainStateActive {
+			if orgDomain.Domain == defaultDomain {
+				newDefaultDomain := domain.NewIAMDomainName(newName, c.iamDomain)
+				events := []eventstore.EventPusher{
+					org.NewDomainAddedEvent(ctx, orgAgg, newDefaultDomain),
+					org.NewDomainVerifiedEvent(ctx, orgAgg, newDefaultDomain),
+				}
+				if isPrimary {
+					events = append(events, org.NewDomainPrimarySetEvent(ctx, orgAgg, newDefaultDomain))
+				}
+				events = append(events, org.NewDomainRemovedEvent(ctx, orgAgg, orgDomain.Domain, orgDomain.Verified))
+				return events, nil
+			}
+		}
+	}
+	return nil, nil
+}
+
 func (c *Commands) removeCustomDomains(ctx context.Context, orgID string) ([]eventstore.EventPusher, error) {
 	orgDomains := NewOrgDomainsWriteModel(orgID)
 	err := c.eventstore.FilterToQueryReducer(ctx, orgDomains)

internal/command/org_domain_test.go

@@ -28,6 +28,7 @@ func TestCommandSide_AddOrgDomain(t *testing.T) {
 	type args struct {
 		ctx            context.Context
 		domain         *domain.OrgDomain
+		claimedUserIDs []string
 	}
 	type res struct {
 		want *domain.OrgDomain
@@ -129,7 +130,7 @@ func TestCommandSide_AddOrgDomain(t *testing.T) {
 			r := &Commands{
 				eventstore: tt.fields.eventstore,
 			}
-			got, err := r.AddOrgDomain(tt.args.ctx, tt.args.domain)
+			got, err := r.AddOrgDomain(tt.args.ctx, tt.args.domain, tt.args.claimedUserIDs)
 			if tt.res.err == nil {
 				assert.NoError(t, err)
 			}
@@ -864,7 +865,7 @@ func TestCommandSide_ValidateOrgDomain(t *testing.T) {
 				iamDomain:                   "zitadel.ch",
 				idGenerator:                 tt.fields.idGenerator,
 			}
-			got, err := r.ValidateOrgDomain(tt.args.ctx, tt.args.domain, tt.args.claimedUserIDs...)
+			got, err := r.ValidateOrgDomain(tt.args.ctx, tt.args.domain, tt.args.claimedUserIDs)
 			if tt.res.err == nil {
 				assert.NoError(t, err)
 			}

internal/command/org_test.go

@@ -32,6 +32,7 @@ func TestCommandSide_AddOrg(t *testing.T) {
 		name           string
 		userID         string
 		resourceOwner  string
+		claimedUserIDs []string
 	}
 	type res struct {
 		want *domain.Org
@@ -326,7 +327,7 @@ func TestCommandSide_AddOrg(t *testing.T) {
 				iamDomain:    tt.fields.iamDomain,
 				zitadelRoles: tt.fields.zitadelRoles,
 			}
-			got, err := r.AddOrg(tt.args.ctx, tt.args.name, tt.args.userID, tt.args.resourceOwner)
+			got, err := r.AddOrg(tt.args.ctx, tt.args.name, tt.args.userID, tt.args.resourceOwner, tt.args.claimedUserIDs)
 			if tt.res.err == nil {
 				assert.NoError(t, err)
 			}
@@ -340,6 +341,227 @@ func TestCommandSide_AddOrg(t *testing.T) {
 	}
 }
 
+func TestCommandSide_ChangeOrg(t *testing.T) {
+	type fields struct {
+		eventstore *eventstore.Eventstore
+		iamDomain  string
+	}
+	type args struct {
+		ctx   context.Context
+		orgID string
+		name  string
+	}
+	type res struct {
+		want *domain.Org
+		err  func(error) bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			name: "empty name, invalid argument error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+				),
+			},
+			args: args{
+				ctx:   context.Background(),
+				orgID: "org1",
+			},
+			res: res{
+				err: caos_errs.IsErrorInvalidArgument,
+			},
+		},
+		{
+			name: "org not found, error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(),
+				),
+			},
+			args: args{
+				ctx:   context.Background(),
+				orgID: "org1",
+				name:  "org",
+			},
+			res: res{
+				err: caos_errs.IsNotFound,
+			},
+		},
+		{
+			name: "push failed, error",
+			fields: fields{
+				iamDomain: "zitadel.ch",
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							org.NewOrgAddedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate,
+								"org"),
+						),
+					),
+					expectFilter(),
+					expectPushFailed(
+						caos_errs.ThrowInternal(nil, "id", "message"),
+						[]*repository.Event{
+							eventFromEventPusher(org.NewOrgChangedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate, "org", "neworg")),
+						},
+						uniqueConstraintsFromEventConstraint(org.NewRemoveOrgNameUniqueConstraint("org")),
+						uniqueConstraintsFromEventConstraint(org.NewAddOrgNameUniqueConstraint("neworg")),
+					),
+				),
+			},
+			args: args{
+				ctx:   context.Background(),
+				orgID: "org1",
+				name:  "neworg",
+			},
+			res: res{
+				err: caos_errs.IsInternal,
+			},
+		},
+		{
+			name: "change org name verified, not primary",
+			fields: fields{
+				iamDomain: "zitadel.ch",
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							org.NewOrgAddedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate,
+								"org"),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							org.NewOrgAddedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate,
+								"org"),
+						),
+						eventFromEventPusher(
+							org.NewDomainAddedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate,
+								"org.zitadel.ch"),
+						),
+						eventFromEventPusher(
+							org.NewDomainVerifiedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate,
+								"org.zitadel.ch"),
+						),
+					),
+					expectPush(
+						[]*repository.Event{
+							eventFromEventPusher(org.NewOrgChangedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate, "org", "neworg")),
+							eventFromEventPusher(org.NewDomainAddedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate, "neworg.zitadel.ch")),
+							eventFromEventPusher(org.NewDomainVerifiedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate, "neworg.zitadel.ch")),
+							eventFromEventPusher(org.NewDomainRemovedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate, "org.zitadel.ch", true)),
+						},
+						uniqueConstraintsFromEventConstraint(org.NewRemoveOrgNameUniqueConstraint("org")),
+						uniqueConstraintsFromEventConstraint(org.NewAddOrgNameUniqueConstraint("neworg")),
+						uniqueConstraintsFromEventConstraint(org.NewAddOrgDomainUniqueConstraint("neworg.zitadel.ch")),
+						uniqueConstraintsFromEventConstraint(org.NewRemoveOrgDomainUniqueConstraint("org.zitadel.ch")),
+					),
+				),
+			},
+			args: args{
+				ctx:   context.Background(),
+				orgID: "org1",
+				name:  "neworg",
+			},
+			res: res{},
+		},
+		{
+			name: "change org name verified, with primary",
+			fields: fields{
+				iamDomain: "zitadel.ch",
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							org.NewOrgAddedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate,
+								"org"),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							org.NewOrgAddedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate,
+								"org"),
+						),
+						eventFromEventPusher(
+							org.NewDomainAddedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate,
+								"org.zitadel.ch"),
+						),
+						eventFromEventPusher(
+							org.NewDomainVerifiedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate,
+								"org.zitadel.ch"),
+						),
+						eventFromEventPusher(
+							org.NewDomainPrimarySetEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate,
+								"org.zitadel.ch"),
+						),
+					),
+					expectPush(
+						[]*repository.Event{
+							eventFromEventPusher(org.NewOrgChangedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate, "org", "neworg")),
+							eventFromEventPusher(org.NewDomainAddedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate, "neworg.zitadel.ch")),
+							eventFromEventPusher(org.NewDomainVerifiedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate, "neworg.zitadel.ch")),
+							eventFromEventPusher(org.NewDomainPrimarySetEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate, "neworg.zitadel.ch")),
+							eventFromEventPusher(org.NewDomainRemovedEvent(context.Background(),
+								&org.NewAggregate("org1", "org1").Aggregate, "org.zitadel.ch", true)),
+						},
+						uniqueConstraintsFromEventConstraint(org.NewRemoveOrgNameUniqueConstraint("org")),
+						uniqueConstraintsFromEventConstraint(org.NewAddOrgNameUniqueConstraint("neworg")),
+						uniqueConstraintsFromEventConstraint(org.NewAddOrgDomainUniqueConstraint("neworg.zitadel.ch")),
+						uniqueConstraintsFromEventConstraint(org.NewRemoveOrgDomainUniqueConstraint("org.zitadel.ch")),
+					),
+				),
+			},
+			args: args{
+				ctx:   context.Background(),
+				orgID: "org1",
+				name:  "neworg",
+			},
+			res: res{},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			r := &Commands{
+				eventstore: tt.fields.eventstore,
+				iamDomain:  tt.fields.iamDomain,
+			}
+			_, err := r.ChangeOrg(tt.args.ctx, tt.args.orgID, tt.args.name)
+			if tt.res.err == nil {
+				assert.NoError(t, err)
+			}
+			if tt.res.err != nil && !tt.res.err(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+		})
+	}
+}
+
 func TestCommandSide_DeactivateOrg(t *testing.T) {
 	type fields struct {
 		eventstore  *eventstore.Eventstore

internal/command/setup_step1.go

@@ -134,7 +134,7 @@ func (c *Commands) SetupStep1(ctx context.Context, step1 *Step1) error {
 					EmailAddress:    organisation.Owner.Email,
 					IsEmailVerified: true,
 				},
-			}, orgIAMPolicy, pwPolicy)
+			}, orgIAMPolicy, pwPolicy, nil)
 		if err != nil {
 			return err
 		}

internal/eventstore/repository/sql/crdb.go

@@ -6,6 +6,7 @@ import (
 	"errors"
 	"regexp"
 	"strconv"
+	"strings"
 
 	"github.com/caos/logging"
 	caos_errs "github.com/caos/zitadel/internal/errors"
@@ -167,6 +168,7 @@ func (db *CRDB) handleUniqueConstraints(ctx context.Context, tx *sql.Tx, uniqueC
 	}
 
 	for _, uniqueConstraint := range uniqueConstraints {
+		uniqueConstraint.UniqueField = strings.ToLower(uniqueConstraint.UniqueField)
 		if uniqueConstraint.Action == repository.UniqueConstraintAdd {
 			_, err := tx.ExecContext(ctx, uniqueInsert, uniqueConstraint.UniqueType, uniqueConstraint.UniqueField)
 			if err != nil {

internal/management/repository/eventsourcing/eventstore/user.go

@@ -4,11 +4,12 @@ import (
 	"context"
 	"time"
 
+	"github.com/golang/protobuf/ptypes"
+
 	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/eventstore/v1"
 	"github.com/caos/zitadel/internal/eventstore/v1/models"
 	usr_view "github.com/caos/zitadel/internal/user/repository/view"
-	"github.com/golang/protobuf/ptypes"
 
 	"github.com/caos/logging"
 
@@ -59,11 +60,14 @@ func (repo *UserRepo) UserByID(ctx context.Context, id string) (*usr_model.UserV
 	return model.UserToModel(&userCopy), nil
 }
 
-func (repo *UserRepo) SearchUsers(ctx context.Context, request *usr_model.UserSearchRequest) (*usr_model.UserSearchResponse, error) {
+func (repo *UserRepo) SearchUsers(ctx context.Context, request *usr_model.UserSearchRequest, ensureLimit bool) (*usr_model.UserSearchResponse, error) {
+	if ensureLimit {
 		err := request.EnsureLimit(repo.SearchLimit)
+
 		if err != nil {
 			return nil, err
 		}
+	}
 	sequence, sequenceErr := repo.View.GetLatestUserSequence()
 	logging.Log("EVENT-Lcn7d").OnError(sequenceErr).Warn("could not read latest user sequence")
 	users, count, err := repo.View.SearchUsers(request)

internal/management/repository/user.go

@@ -10,7 +10,7 @@ import (
 
 type UserRepository interface {
 	UserByID(ctx context.Context, id string) (*model.UserView, error)
-	SearchUsers(ctx context.Context, request *model.UserSearchRequest) (*model.UserSearchResponse, error)
+	SearchUsers(ctx context.Context, request *model.UserSearchRequest, ensureLimit bool) (*model.UserSearchResponse, error)
 	UserIDsByDomain(ctx context.Context, domain string) ([]string, error)
 
 	GetUserByLoginNameGlobal(ctx context.Context, email string) (*model.UserView, error)

internal/static/i18n/de.yaml

@@ -115,6 +115,7 @@ Errors:
     AlreadyActive: Organisation ist bereits aktiv
     Empty: Organisation ist leer
     NotFound: Organisation konnte nicht gefunden werden
+    NotChanged: Organisation wurde nicht verändert
     InvalidDomain: Domäne ist ungültig
     DomainMissing: Domäne fehlt
     DomainNotOnOrg: Domäne fehlt auf Organisation

internal/static/i18n/en.yaml

@@ -115,6 +115,7 @@ Errors:
     AlreadyActive: Organisation is already ative
     Empty: Organisation is empty
     NotFound: Organisation not found
+    NotChanged: Organisation not changed
     InvalidDomain: Invalid domain
     DomainMissing: Domain missing
     DomainNotOnOrg: Domain doesn't exist on organisation

internal/ui/login/handler/login.go

@@ -2,11 +2,14 @@ package handler
 
 import (
 	"context"
-	"github.com/caos/zitadel/internal/command"
-	"github.com/caos/zitadel/internal/query"
 	"net"
 	"net/http"
 
+	"github.com/caos/zitadel/internal/command"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/query"
+	usr_model "github.com/caos/zitadel/internal/user/model"
+
 	"github.com/caos/logging"
 	"github.com/gorilla/csrf"
 	"github.com/rakyll/statik/fs"
@@ -36,6 +39,7 @@ type Login struct {
 	zitadelURL          string
 	oidcAuthCallbackURL string
 	IDPConfigAesCrypto  crypto.EncryptionAlgorithm
+	iamDomain           string
 }
 
 type Config struct {
@@ -73,6 +77,7 @@ func CreateLogin(config Config, command *command.Commands, query *query.Queries,
 		query:               query,
 		authRepo:            authRepo,
 		IDPConfigAesCrypto:  aesCrypto,
+		iamDomain:           systemDefaults.Domain,
 	}
 	prefix := ""
 	if localDevMode {
@@ -148,6 +153,31 @@ func (l *Login) Listen(ctx context.Context) {
 	}()
 }
 
+func (l *Login) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgName string) ([]string, error) {
+	users, err := l.authRepo.SearchUsers(ctx, &usr_model.UserSearchRequest{
+		Queries: []*usr_model.UserSearchQuery{
+			{
+				Key:    usr_model.UserSearchKeyPreferredLoginName,
+				Method: domain.SearchMethodEndsWithIgnoreCase,
+				Value:  domain.NewIAMDomainName(orgName, l.iamDomain),
+			},
+			{
+				Key:    usr_model.UserSearchKeyResourceOwner,
+				Method: domain.SearchMethodNotEquals,
+				Value:  authz.GetCtxData(ctx).OrgID,
+			},
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+	userIDs := make([]string, len(users.Result))
+	for i, user := range users.Result {
+		userIDs[i] = user.ID
+	}
+	return userIDs, nil
+}
+
 func setContext(ctx context.Context, resourceOwner string) context.Context {
 	data := authz.CtxData{
 		UserID: login,

internal/ui/login/handler/register_org_handler.go

@@ -1,9 +1,10 @@
 package handler
 
 import (
-	"github.com/caos/zitadel/internal/domain"
 	"net/http"
 
+	"github.com/caos/zitadel/internal/domain"
+
 	caos_errs "github.com/caos/zitadel/internal/errors"
 )
 
@@ -58,7 +59,13 @@ func (l *Login) handleRegisterOrgCheck(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	_, err = l.command.SetUpOrg(setContext(r.Context(), ""), data.toOrgDomain(), data.toUserDomain())
+	ctx := setContext(r.Context(), "")
+	userIDs, err := l.getClaimedUserIDsOfOrgDomain(ctx, data.RegisterOrgName)
+	if err != nil {
+		l.renderRegisterOrg(w, r, authRequest, data, err)
+		return
+	}
+	_, err = l.command.SetUpOrg(ctx, data.toOrgDomain(), data.toUserDomain(), userIDs)
 	if err != nil {
 		l.renderRegisterOrg(w, r, authRequest, data, err)
 		return

internal/user/model/user_view.go

@@ -90,6 +90,7 @@ const (
 	UserSearchKeyResourceOwner
 	UserSearchKeyLoginNames
 	UserSearchKeyType
+	UserSearchKeyPreferredLoginName
 )
 
 type UserSearchQuery struct {

internal/user/repository/view/model/user.go

@@ -28,6 +28,7 @@ const (
 	UserKeyState              = "user_state"
 	UserKeyResourceOwner      = "resource_owner"
 	UserKeyLoginNames         = "login_names"
+	UserKeyPreferredLoginName = "preferred_login_name"
 	UserKeyType               = "user_type"
 )
 

internal/user/repository/view/model/user_query.go

@@ -71,6 +71,8 @@ func (key UserSearchKey) ToColumnName() string {
 		return UserKeyResourceOwner
 	case usr_model.UserSearchKeyLoginNames:
 		return UserKeyLoginNames
+	case usr_model.UserSearchKeyPreferredLoginName:
+		return UserKeyPreferredLoginName
 	case usr_model.UserSearchKeyType:
 		return UserKeyType
 	default:

proto/zitadel/management.proto

@@ -616,6 +616,18 @@ service ManagementService {
         };
     }
 
+    // Changes my organisation
+    rpc UpdateOrg(UpdateOrgRequest) returns (UpdateOrgResponse) {
+        option (google.api.http) = {
+            put: "/orgs/me"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "org.write"
+        };
+    }
+
     // Sets the state of my organisation to deactivated
     // Users of this organisation will not be able login
     rpc DeactivateOrg(DeactivateOrgRequest) returns (DeactivateOrgResponse) {
@@ -2548,6 +2560,14 @@ message AddOrgResponse {
     zitadel.v1.ObjectDetails details = 2;
 }
 
+message UpdateOrgRequest {
+    string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message UpdateOrgResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
 //This is an empty request
 message DeactivateOrgRequest {}