feat: cascade changes and removes (#1239)

* chore(site): dependabot deps (#1148)

* chore(deps): bump highlight.js from 10.4.1 to 10.5.0 in /site (#1143)

Bumps [highlight.js](https://github.com/highlightjs/highlight.js) from 10.4.1 to 10.5.0.
- [Release notes](https://github.com/highlightjs/highlight.js/releases)
- [Changelog](https://github.com/highlightjs/highlight.js/blob/master/CHANGES.md)
- [Commits](https://github.com/highlightjs/highlight.js/compare/10.4.1...10.5.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @babel/plugin-transform-runtime in /site (#1144)

Bumps [@babel/plugin-transform-runtime](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-runtime) from 7.12.1 to 7.12.10.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.12.10/packages/babel-plugin-transform-runtime)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump sirv from 1.0.7 to 1.0.10 in /site (#1145)

Bumps [sirv](https://github.com/lukeed/sirv) from 1.0.7 to 1.0.10.
- [Release notes](https://github.com/lukeed/sirv/releases)
- [Commits](https://github.com/lukeed/sirv/compare/v1.0.7...v1.0.10)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump rollup from 2.34.0 to 2.35.1 in /site (#1142)

Bumps [rollup](https://github.com/rollup/rollup) from 2.34.0 to 2.35.1.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rollup/rollup/compare/v2.34.0...v2.35.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @rollup/plugin-node-resolve in /site (#1141)

Bumps [@rollup/plugin-node-resolve](https://github.com/rollup/plugins) from 10.0.0 to 11.0.1.
- [Release notes](https://github.com/rollup/plugins/releases)
- [Commits](https://github.com/rollup/plugins/compare/node-resolve-v10.0.0...commonjs-v11.0.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump marked from 1.2.5 to 1.2.7 in /site (#1140)

Bumps [marked](https://github.com/markedjs/marked) from 1.2.5 to 1.2.7.
- [Release notes](https://github.com/markedjs/marked/releases)
- [Changelog](https://github.com/markedjs/marked/blob/master/release.config.js)
- [Commits](https://github.com/markedjs/marked/compare/v1.2.5...v1.2.7)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @babel/core from 7.12.9 to 7.12.10 in /site (#1139)

Bumps [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) from 7.12.9 to 7.12.10.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.12.10/packages/babel-core)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump rollup-plugin-svelte from 6.1.1 to 7.0.0 in /site (#1138)

Bumps [rollup-plugin-svelte](https://github.com/sveltejs/rollup-plugin-svelte) from 6.1.1 to 7.0.0.
- [Release notes](https://github.com/sveltejs/rollup-plugin-svelte/releases)
- [Changelog](https://github.com/sveltejs/rollup-plugin-svelte/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/rollup-plugin-svelte/compare/v6.1.1...v7.0.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @babel/preset-env from 7.12.1 to 7.12.11 in /site (#1137)

Bumps [@babel/preset-env](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-env) from 7.12.1 to 7.12.11.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.12.11/packages/babel-preset-env)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* downgrade svelte plugin

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(console): dependabot deps (#1147)

* chore(deps-dev): bump @types/node from 14.14.13 to 14.14.19 in /console (#1146)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 14.14.13 to 14.14.19.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump ts-protoc-gen from 0.13.0 to 0.14.0 in /console (#1129)

Bumps [ts-protoc-gen](https://github.com/improbable-eng/ts-protoc-gen) from 0.13.0 to 0.14.0.
- [Release notes](https://github.com/improbable-eng/ts-protoc-gen/releases)
- [Changelog](https://github.com/improbable-eng/ts-protoc-gen/blob/master/CHANGELOG.md)
- [Commits](https://github.com/improbable-eng/ts-protoc-gen/compare/0.13.0...0.14.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular/language-service in /console (#1128)

Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 11.0.4 to 11.0.5.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/11.0.5/packages/language-service)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular/cli from 11.0.4 to 11.0.5 in /console (#1127)

Bumps [@angular/cli](https://github.com/angular/angular-cli) from 11.0.4 to 11.0.5.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/compare/v11.0.4...v11.0.5)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular-devkit/build-angular in /console (#1126)

Bumps [@angular-devkit/build-angular](https://github.com/angular/angular-cli) from 0.1100.4 to 0.1100.5.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>

* audit

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat: e-mail templates (#1158)

* View definition added

* Get templates and texts from the database.

* Fill in texts in templates

* Fill in texts in templates

* Client API added

* Weekly backup

* Weekly backup

* Daily backup

* Weekly backup

* Tests added

* Corrections from merge branch

* Fixes from pull request review

* chore(console): dependencies (#1189)

* chore(deps-dev): bump @angular/language-service in /console (#1187)

Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 11.0.5 to 11.0.9.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/11.0.9/packages/language-service)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump google-proto-files from 2.3.0 to 2.4.0 in /console (#1186)

Bumps [google-proto-files](https://github.com/googleapis/nodejs-proto-files) from 2.3.0 to 2.4.0.
- [Release notes](https://github.com/googleapis/nodejs-proto-files/releases)
- [Changelog](https://github.com/googleapis/nodejs-proto-files/blob/master/CHANGELOG.md)
- [Commits](https://github.com/googleapis/nodejs-proto-files/compare/v2.3.0...v2.4.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @types/node from 14.14.19 to 14.14.21 in /console (#1185)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 14.14.19 to 14.14.21.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular/cli from 11.0.5 to 11.0.7 in /console (#1184)

Bumps [@angular/cli](https://github.com/angular/angular-cli) from 11.0.5 to 11.0.7.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/compare/v11.0.5...v11.0.7)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump karma from 5.2.3 to 6.0.0 in /console (#1183)

Bumps [karma](https://github.com/karma-runner/karma) from 5.2.3 to 6.0.0.
- [Release notes](https://github.com/karma-runner/karma/releases)
- [Changelog](https://github.com/karma-runner/karma/blob/master/CHANGELOG.md)
- [Commits](https://github.com/karma-runner/karma/compare/v5.2.3...v6.0.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular-devkit/build-angular in /console (#1182)

Bumps [@angular-devkit/build-angular](https://github.com/angular/angular-cli) from 0.1100.5 to 0.1100.7.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat: change login to command side

* feat: change login to command side

* fix: fix push on user

* fix(console): trigger unauthenticated dialog only once (#1170)

* fix: trigger dialog once

* remove log

* typed trigger

* chore(console): dependencies (#1205)

* chore(deps-dev): bump stylelint from 13.8.0 to 13.9.0 in /console (#1204)

Bumps [stylelint](https://github.com/stylelint/stylelint) from 13.8.0 to 13.9.0.
- [Release notes](https://github.com/stylelint/stylelint/releases)
- [Changelog](https://github.com/stylelint/stylelint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/stylelint/stylelint/compare/13.8.0...13.9.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular/language-service in /console (#1203)

Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 11.0.9 to 11.1.0.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/11.1.0/packages/language-service)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump karma from 6.0.0 to 6.0.1 in /console (#1202)

Bumps [karma](https://github.com/karma-runner/karma) from 6.0.0 to 6.0.1.
- [Release notes](https://github.com/karma-runner/karma/releases)
- [Changelog](https://github.com/karma-runner/karma/blob/master/CHANGELOG.md)
- [Commits](https://github.com/karma-runner/karma/compare/v6.0.0...v6.0.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular/cli from 11.0.7 to 11.1.1 in /console (#1201)

Bumps [@angular/cli](https://github.com/angular/angular-cli) from 11.0.7 to 11.1.1.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/compare/v11.0.7...v11.1.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @types/jasmine from 3.6.2 to 3.6.3 in /console (#1200)

Bumps [@types/jasmine](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jasmine) from 3.6.2 to 3.6.3.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jasmine)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>

* chore(deps-dev): bump @types/node from 14.14.21 to 14.14.22 in /console (#1199)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 14.14.21 to 14.14.22.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular-devkit/build-angular in /console (#1198)

Bumps [@angular-devkit/build-angular](https://github.com/angular/angular-cli) from 0.1100.7 to 0.1101.1.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>

* chore(deps): bump angularx-qrcode from 10.0.11 to 11.0.0 in /console (#1197)

Bumps [angularx-qrcode](https://github.com/cordobo/angularx-qrcode) from 10.0.11 to 11.0.0.
- [Release notes](https://github.com/cordobo/angularx-qrcode/releases)
- [Commits](https://github.com/cordobo/angularx-qrcode/compare/10.0.11...11.0.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix pack lock

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: handle sequence correctly in subscription (#1209)

* feat: user command side

* feat: sign out

* feat: command side login

* feat: command side login

* feat: fix register user

* feat: fix register user

* feat: fix web auth n events

* feat: add machine keys

* feat: send codes

* feat: move authrequest to domain

* feat: move authrequest to domain

* feat: webauthn working

* fix: correct master after merges again (#1230)

* chore(docs): correct `iss` claim of jwt profile (#1229)

* core(docs): correct `iss` claim of jwt profile

* fix: correct master after merges again (#1230)

* feat(login): new palette based styles (#1149)

* chore(deps-dev): bump rollup from 2.33.2 to 2.34.0 in /site (#1040)

Bumps [rollup](https://github.com/rollup/rollup) from 2.33.2 to 2.34.0.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rollup/rollup/compare/v2.33.2...v2.34.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump svelte-i18n from 3.2.5 to 3.3.0 in /site (#1039)

Bumps [svelte-i18n](https://github.com/kaisermann/svelte-i18n) from 3.2.5 to 3.3.0.
- [Release notes](https://github.com/kaisermann/svelte-i18n/releases)
- [Changelog](https://github.com/kaisermann/svelte-i18n/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kaisermann/svelte-i18n/compare/v3.2.5...v3.3.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @rollup/plugin-url from 5.0.1 to 6.0.0 in /site (#1038)

Bumps [@rollup/plugin-url](https://github.com/rollup/plugins) from 5.0.1 to 6.0.0.
- [Release notes](https://github.com/rollup/plugins/releases)
- [Commits](https://github.com/rollup/plugins/compare/url-v5.0.1...url-v6.0.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump svelte from 3.29.7 to 3.30.1 in /site (#1037)

Bumps [svelte](https://github.com/sveltejs/svelte) from 3.29.7 to 3.30.1.
- [Release notes](https://github.com/sveltejs/svelte/releases)
- [Changelog](https://github.com/sveltejs/svelte/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/svelte/compare/v3.29.7...v3.30.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump marked from 1.2.4 to 1.2.5 in /site (#1036)

Bumps [marked](https://github.com/markedjs/marked) from 1.2.4 to 1.2.5.
- [Release notes](https://github.com/markedjs/marked/releases)
- [Changelog](https://github.com/markedjs/marked/blob/master/release.config.js)
- [Commits](https://github.com/markedjs/marked/compare/v1.2.4...v1.2.5)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @babel/core from 7.12.3 to 7.12.9 in /site (#1035)

Bumps [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) from 7.12.3 to 7.12.9.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.12.9/packages/babel-core)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump rollup-plugin-svelte from 6.1.1 to 7.0.0 in /site (#1034)

Bumps [rollup-plugin-svelte](https://github.com/sveltejs/rollup-plugin-svelte) from 6.1.1 to 7.0.0.
- [Release notes](https://github.com/sveltejs/rollup-plugin-svelte/releases)
- [Changelog](https://github.com/sveltejs/rollup-plugin-svelte/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/rollup-plugin-svelte/compare/v6.1.1...v7.0.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @rollup/plugin-commonjs in /site (#1033)

Bumps [@rollup/plugin-commonjs](https://github.com/rollup/plugins) from 15.1.0 to 17.0.0.
- [Release notes](https://github.com/rollup/plugins/releases)
- [Commits](https://github.com/rollup/plugins/compare/commonjs-v15.1.0...commonjs-v17.0.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @rollup/plugin-node-resolve in /site (#1032)

Bumps [@rollup/plugin-node-resolve](https://github.com/rollup/plugins) from 10.0.0 to 11.0.0.
- [Release notes](https://github.com/rollup/plugins/releases)
- [Commits](https://github.com/rollup/plugins/compare/node-resolve-v10.0.0...commonjs-v11.0.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @babel/preset-env from 7.12.1 to 7.12.7 in /site (#1031)

Bumps [@babel/preset-env](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-env) from 7.12.1 to 7.12.7.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.12.7/packages/babel-preset-env)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* go

* bundle files, lgn-color, legacy theme

* remove old references

* light dark context, button styles, zitadel brand

* button theme, edit templates

* typography theme mixins

* input styles, container, extend light dark palette

* footer, palette, container

* container, label, assets, header

* action container, input, typography label, adapt button theme

* a and footer styles, adapt palette

* user log profile, resourcetempurl

* postinstall againnn

* wrochage

* rm local grpc

* button elevation, helper for components

* radio

* radio button mixins, bundle

* qr code styles, secret clipboard, icon pack

* stroked buttons, icon buttons, header action, typography

* fix password policy styles

* account selection

* account selection, lgn avatar

* mocks

* template fixes, animations scss

* checkbox, register temp

* checkbox appr

* fix checkbox, remove input interference

* select theme

* avatar script, user selection, password policy validation fix

* fix formfield state for register and change pwd

* footer, main style, qr code fix, mfa type fix, account sel, checkbox

* fotter tos, user select

* reverse buttons for intial submit action

* theme script, themed error messages, header img source

* content wrapper, i18n, mobile

* emptyline

* idp mixins, fix unstyled html

* register container

* register layout, list themes, policy theme, register org

* massive asset cleanup

* fix source path, add missing icon, fix complexity refs, prefix

* remove material icons, unused assets, fix icon font

* move icon pack

* avatar, contrast theme, error fix

* zitadel css map

* revert go mod

* fix mfa verify actions

* add idp styles

* fix google colors, idp styles

* fix: bugs

* fix register options, google

* fix script, mobile layout

* precompile font selection

* go mod tidy

* assets and cleanup

* input suffix, fix alignment, actions, add progress bar themes

* progress bar mixins, layout fixes

* remove test from loginname

* cleanup comments, scripts

* clear comments

* fix external back button

* fix mfa alignment

* fix actions layout, on dom change listener for suffix

* free tier change, success label

* fix: button font line-height

* remove tabindex

* remove comment

* remove comment

* Update internal/ui/login/handler/password_handler.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Maximilian Peintner <csaq7175@uibk.ac.at>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* feat: external users

* chore(console): dependencies (#1233)

* chore(deps-dev): bump @angular-devkit/build-angular in /console (#1214)

Bumps [@angular-devkit/build-angular](https://github.com/angular/angular-cli) from 0.1101.1 to 0.1101.2.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump karma from 6.0.1 to 6.0.3 in /console (#1215)

Bumps [karma](https://github.com/karma-runner/karma) from 6.0.1 to 6.0.3.
- [Release notes](https://github.com/karma-runner/karma/releases)
- [Changelog](https://github.com/karma-runner/karma/blob/master/CHANGELOG.md)
- [Commits](https://github.com/karma-runner/karma/compare/v6.0.1...v6.0.3)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular/language-service in /console (#1216)

Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 11.1.0 to 11.1.1.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/11.1.1/packages/language-service)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular/cli from 11.1.1 to 11.1.2 in /console (#1217)

Bumps [@angular/cli](https://github.com/angular/angular-cli) from 11.1.1 to 11.1.2.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/compare/v11.1.1...v11.1.2)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>

* lock

* site deps

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat: external users login

* feat: notify users

* fix: tests

* feat: cascade remove user grants on project remove

* feat: cascade remove user grants on user remove

* feat: cascade remove roles

* feat: verified domain

* feat: cascade remove on idp config remove

* feat: cascade remove on system idp config remove

* fix: get email texts with default language (#1238)

* fix: login policy

* fix: login policy

* fix: cascade delete on remove idp from default policy

* fix(login): mail verification (#1237)

* fix: mail verification

* not block, stroked

* fix: issues of new login ui (#1241)

* fix: i18n of register

* fix: autofocus

* feat(operator): zitadel and database operator (#1208)

* feat(operator): add base for zitadel operator

* fix(operator): changed pipeline to release operator

* fix(operator): fmt with only one parameter

* fix(operator): corrected workflow job name

* fix(zitadelctl): added restore and backuplist command

* fix(zitadelctl): scale for restore

* chore(container): use scratch for deploy container

* fix(zitadelctl): limit image to scratch

* fix(migration): added migration scripts for newer version

* fix(operator): changed handling of kubeconfig in operator logic

* fix(operator): changed handling of secrets in operator logic

* fix(operator): use new version of zitadel

* fix(operator): added path for migrations

* fix(operator): delete doublets of migration scripts

* fix(operator): delete subpaths and integrate logic into init container

* fix(operator): corrected path in dockerfile for local migrations

* fix(operator): added migrations for cockroachdb-secure

* fix(operator): delete logic for ambassador module

* fix(operator): added read and write secret commands

* fix(operator): correct and align operator pipeline with zitadel pipeline

* fix(operator): correct yaml error in operator pipeline

* fix(operator): correct action name in operator pipeline

* fix(operator): correct case-sensitive filename in operator pipeline

* fix(operator): upload artifacts from buildx output

* fix(operator): corrected attribute spelling error

* fix(operator): combined jobs for operator binary and image

* fix(operator): added missing comma in operator pipeline

* fix(operator): added codecov for operator image

* fix(operator): added codecov for operator image

* fix(testing): code changes for testing and several unit-tests (#1009)

* fix(operator): usage of interface of kubernetes client for testing and several unit-tests

* fix(operator): several unit-tests

* fix(operator): several unit-tests

* fix(operator): changed order for the operator logic

* fix(operator): added version of zitadelctl from semantic release

* fix(operator): corrected function call with version of zitadelctl

* fix(operator): corrected function call with version of zitadelctl

* fix(operator): add check output to operator release pipeline

* fix(operator): set --short length everywhere to 12

* fix(operator): zitadel setup in job instead of exec with several unit tests

* fix(operator): fixes to combine newest zitadel and testing branch

* fix(operator): corrected path in Dockerfile

* fix(operator): fixed unit-test that was ignored during changes

* fix(operator): fixed unit-test that was ignored during changes

* fix(operator): corrected Dockerfile to correctly use env variable

* fix(operator): quickfix takeoff deployment

* fix(operator): corrected the clusterrolename in the applied artifacts

* fix: update secure migrations

* fix(operator): migrations (#1057)

* fix(operator): copied migrations from orbos repository

* fix(operator): newest migrations

* chore: use cockroach-secure

* fix: rename migration

* fix: remove insecure cockroach migrations

Co-authored-by: Stefan Benz <stefan@caos.ch>

* fix: finalize labels

* fix(operator): cli logging concurrent and fixe deployment of operator during restore

* fix: finalize labels and cli commands

* fix: restore

* chore: cockroachdb is always secure

* chore: use orbos consistent-labels latest commit

* test: make tests compatible with new labels

* fix: default to sa token for start command

* fix: use cockroachdb v12.02

* fix: don't delete flyway user

* test: fix migration test

* fix: use correct table qualifiers

* fix: don't alter sequence ownership

* fix: upgrade flyway

* fix: change ownership of all dbs and tables to admin user

* fix: change defaultdb user

* fix: treat clientid status codes >= 400 as errors

* fix: reconcile specified ZITADEL version, not binary version

* fix: add ca-certs

* fix: use latest orbos code

* fix: use orbos with fixed race condition

* fix: use latest ORBOS code

* fix: use latest ORBOS code

* fix: make migration and scaling around restoring work

* fix(operator): move zitadel operator

* chore(migrations): include owner change migration

* feat(db): add code base for database operator

* fix(db): change used image registry for database operator

* fix(db): generated mock

* fix(db): add accidentally ignored file

* fix(db): add cockroachdb backup image to pipeline

* fix(db): correct pipeline and image versions

* fix(db): correct version of used orbos

* fix(db): correct database import

* fix(db): go mod tidy

* fix(db): use new version for orbos

* fix(migrations): include migrations into zitadelctl binary (#1211)

* fix(db): use statik to integrate migrations into binary

* fix(migrations): corrections unit tests and pipeline for integrated migrations into zitadelctl binary

* fix(migrations): correction in dockerfile for pipeline build

* fix(migrations): correction in dockerfile for pipeline build

* fix(migrations):  dockerfile changes for cache optimization

* fix(database): correct used part-of label in database operator

* fix(database): correct used selectable label in zitadel operator

* fix(operator): correct lables for user secrets in zitadel operator

* fix(operator): correct lables for service test in zitadel operator

* fix: don't enable database features for user operations (#1227)

* fix: don't enable database features for user operations

* fix: omit database feature for connection info adapter

* fix: use latest orbos version

* fix: update ORBOS (#1240)

Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* Merge branch 'new-eventstore' into cascades

# Conflicts:
#	internal/auth/repository/auth_request.go
#	internal/auth/repository/eventsourcing/eventstore/auth_request.go
#	internal/management/repository/eventsourcing/eventstore/user_grant.go
#	internal/management/repository/user_grant.go
#	internal/ui/login/handler/external_login_handler.go
#	internal/ui/login/handler/external_register_handler.go
#	internal/ui/login/handler/init_password_handler.go
#	internal/ui/login/handler/register_handler.go
#	internal/user/repository/view/model/notify_user.go
#	internal/v2/command/org_policy_login.go
#	internal/v2/command/project.go
#	internal/v2/command/user.go
#	internal/v2/command/user_human.go
#	internal/v2/command/user_human_externalidp.go
#	internal/v2/command/user_human_init.go
#	internal/v2/command/user_human_password.go
#	internal/v2/command/user_human_webauthn.go
#	internal/v2/domain/next_step.go
#	internal/v2/domain/policy_login.go
#	internal/v2/domain/request.go

* Merge branch 'new-eventstore' into cascades

# Conflicts:
#	internal/auth/repository/auth_request.go
#	internal/auth/repository/eventsourcing/eventstore/auth_request.go
#	internal/management/repository/eventsourcing/eventstore/user_grant.go
#	internal/management/repository/user_grant.go
#	internal/ui/login/handler/external_login_handler.go
#	internal/ui/login/handler/external_register_handler.go
#	internal/ui/login/handler/init_password_handler.go
#	internal/ui/login/handler/register_handler.go
#	internal/user/repository/view/model/notify_user.go
#	internal/v2/command/org_policy_login.go
#	internal/v2/command/project.go
#	internal/v2/command/user.go
#	internal/v2/command/user_human.go
#	internal/v2/command/user_human_externalidp.go
#	internal/v2/command/user_human_init.go
#	internal/v2/command/user_human_password.go
#	internal/v2/command/user_human_webauthn.go
#	internal/v2/domain/next_step.go
#	internal/v2/domain/policy_login.go
#	internal/v2/domain/request.go

* chore: add local migrate_local.go again (#1261)

* fix: logging on cascade removes

* fix: migrations

* fix: tests

* fix: tests

* chore: pass params in migrate_local.go

* migrations

* fix query

* fix tests

* fix tests

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Michael Waeger <49439088+michaelulrichwaeger@users.noreply.github.com>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Maximilian Peintner <csaq7175@uibk.ac.at>
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: Elio Bischof <eliobischof@gmail.com>

internal/v2/command/iam_idp_config.go

@@ -2,6 +2,7 @@ package command
 
 import (
 	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
 
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
@@ -21,7 +22,6 @@ func (r *CommandSide) AddDefaultIDPConfig(ctx context.Context, config *domain.ID
 	if err != nil {
 		return nil, err
 	}
-	//TODO: check name unique on aggregate
 	addedConfig := NewIAMIDPConfigWriteModel(idpConfigID)
 
 	clientSecret, err := crypto.Crypt([]byte(config.OIDCConfig.ClientSecretString), r.idpConfigSecretCrypto)
@@ -108,7 +108,7 @@ func (r *CommandSide) ReactivateDefaultIDPConfig(ctx context.Context, idpID stri
 	return r.eventstore.PushAggregate(ctx, existingIDP, iamAgg)
 }
 
-func (r *CommandSide) RemoveDefaultIDPConfig(ctx context.Context, idpID string) error {
+func (r *CommandSide) RemoveDefaultIDPConfig(ctx context.Context, idpID string, idpProviders []*domain.IDPProvider, externalIDPs ...*domain.ExternalIDP) error {
 	existingIDP, err := r.iamIDPConfigWriteModelByID(ctx, idpID)
 	if err != nil {
 		return err
@@ -116,10 +116,24 @@ func (r *CommandSide) RemoveDefaultIDPConfig(ctx context.Context, idpID string)
 	if existingIDP.State == domain.IDPConfigStateRemoved || existingIDP.State == domain.IDPConfigStateUnspecified {
 		return caos_errs.ThrowNotFound(nil, "IAM-4M0xy", "Errors.IAM.IDPConfig.NotExisting")
 	}
+
+	aggregates := make([]eventstore.Aggregater, 0)
 	iamAgg := IAMAggregateFromWriteModel(&existingIDP.WriteModel)
 	iamAgg.PushEvents(iam_repo.NewIDPConfigRemovedEvent(ctx, existingIDP.ResourceOwner, idpID, existingIDP.Name))
 
-	return r.eventstore.PushAggregate(ctx, existingIDP, iamAgg)
+	userAggregates := make([]eventstore.Aggregater, 0)
+	for _, idpProvider := range idpProviders {
+		if idpProvider.AggregateID == domain.IAMID {
+			userAggregates = r.removeIDPProviderFromDefaultLoginPolicy(ctx, iamAgg, idpProvider, true, externalIDPs...)
+		}
+		orgAgg := OrgAggregateFromWriteModel(&NewOrgIdentityProviderWriteModel(idpProvider.AggregateID, idpID).WriteModel)
+		r.removeIDPProviderFromLoginPolicy(ctx, orgAgg, idpID, true)
+	}
+
+	aggregates = append(aggregates, iamAgg)
+	aggregates = append(aggregates, userAggregates...)
+	_, err = r.eventstore.PushAggregates(ctx, aggregates...)
+	return err
 }
 
 func (r *CommandSide) iamIDPConfigWriteModelByID(ctx context.Context, idpID string) (policy *IAMIDPConfigWriteModel, err error) {

internal/v2/command/iam_policy_login.go

@@ -2,6 +2,8 @@ package command
 
 import (
 	"context"
+	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/eventstore/v2"
 
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
@@ -101,7 +103,7 @@ func (r *CommandSide) AddIDPProviderToDefaultLoginPolicy(ctx context.Context, id
 	return writeModelToIDPProvider(&idpModel.IdentityProviderWriteModel), nil
 }
 
-func (r *CommandSide) RemoveIDPProviderFromDefaultLoginPolicy(ctx context.Context, idpProvider *domain.IDPProvider) error {
+func (r *CommandSide) RemoveIDPProviderFromDefaultLoginPolicy(ctx context.Context, idpProvider *domain.IDPProvider, cascadeExternalIDPs ...*domain.ExternalIDP) error {
 	idpModel := NewIAMIdentityProviderWriteModel(idpProvider.IDPConfigID)
 	err := r.eventstore.FilterToQueryReducer(ctx, idpModel)
 	if err != nil {
@@ -110,10 +112,35 @@ func (r *CommandSide) RemoveIDPProviderFromDefaultLoginPolicy(ctx context.Contex
 	if idpModel.State == domain.IdentityProviderStateUnspecified || idpModel.State == domain.IdentityProviderStateRemoved {
 		return caos_errs.ThrowNotFound(nil, "IAM-39fjs", "Errors.IAM.LoginPolicy.IDP.NotExisting")
 	}
+
+	aggregates := make([]eventstore.Aggregater, 0)
 	iamAgg := IAMAggregateFromWriteModel(&idpModel.IdentityProviderWriteModel.WriteModel)
 	iamAgg.PushEvents(iam_repo.NewIdentityProviderRemovedEvent(ctx, idpProvider.IDPConfigID))
 
-	return r.eventstore.PushAggregate(ctx, idpModel, iamAgg)
+	userAggregates := r.removeIDPProviderFromDefaultLoginPolicy(ctx, iamAgg, idpProvider, false, cascadeExternalIDPs...)
+	aggregates = append(aggregates, iamAgg)
+	aggregates = append(aggregates, userAggregates...)
+	_, err = r.eventstore.PushAggregates(ctx, aggregates...)
+	return err
+}
+
+func (r *CommandSide) removeIDPProviderFromDefaultLoginPolicy(ctx context.Context, iamAgg *iam_repo.Aggregate, idpProvider *domain.IDPProvider, cascade bool, cascadeExternalIDPs ...*domain.ExternalIDP) []eventstore.Aggregater {
+	if cascade {
+		iamAgg.PushEvents(iam_repo.NewIdentityProviderCascadeRemovedEvent(ctx, idpProvider.IDPConfigID))
+		return nil
+	}
+	iamAgg.PushEvents(iam_repo.NewIdentityProviderRemovedEvent(ctx, idpProvider.IDPConfigID))
+
+	userAggregates := make([]eventstore.Aggregater, 0)
+	for _, idp := range cascadeExternalIDPs {
+		userAgg, _, err := r.removeHumanExternalIDP(ctx, idp, true)
+		if err != nil {
+			logging.LogWithFields("COMMAND-4nfsf", "userid", idp.AggregateID, "idp-id", idp.IDPConfigID).WithError(err).Warn("could not cascade remove externalidp in remove provider from policy")
+			continue
+		}
+		userAggregates = append(userAggregates, userAgg)
+	}
+	return userAggregates
 }
 
 func (r *CommandSide) AddSecondFactorToDefaultLoginPolicy(ctx context.Context, secondFactor domain.SecondFactorType) (domain.SecondFactorType, error) {
@@ -128,7 +155,7 @@ func (r *CommandSide) AddSecondFactorToDefaultLoginPolicy(ctx context.Context, s
 		return domain.SecondFactorTypeUnspecified, err
 	}
 
-	return domain.SecondFactorType(secondFactorModel.MFAType), nil
+	return secondFactorModel.MFAType, nil
 }
 
 func (r *CommandSide) addSecondFactorToDefaultLoginPolicy(ctx context.Context, iamAgg *iam_repo.Aggregate, secondFactorModel *IAMSecondFactorWriteModel, secondFactor domain.SecondFactorType) error {

internal/v2/command/org.go

@@ -2,6 +2,7 @@ package command
 
 import (
 	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
 
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/v2/domain"
@@ -32,17 +33,19 @@ func (r *CommandSide) checkOrgExists(ctx context.Context, orgID string) error {
 }
 
 func (r *CommandSide) SetUpOrg(ctx context.Context, organisation *domain.Org, admin *domain.Human) error {
-	orgAgg, userAgg, orgMemberAgg, err := r.setUpOrg(ctx, organisation, admin)
+	orgAgg, userAgg, orgMemberAgg, claimedUsers, err := r.setUpOrg(ctx, organisation, admin)
 	if err != nil {
 		return err
 	}
-
-	_, err = r.eventstore.PushAggregates(ctx, orgAgg, userAgg, orgMemberAgg)
+	aggregates := make([]eventstore.Aggregater, 0)
+	aggregates = append(aggregates, orgAgg, userAgg, orgMemberAgg)
+	aggregates = append(aggregates, claimedUsers...)
+	_, err = r.eventstore.PushAggregates(ctx, aggregates...)
 	return err
 }
 
 func (r *CommandSide) AddOrg(ctx context.Context, name, userID, resourceOwner string) (*domain.Org, error) {
-	orgAgg, addedOrg, err := r.addOrg(ctx, &domain.Org{Name: name})
+	orgAgg, addedOrg, claimedUsers, err := r.addOrg(ctx, &domain.Org{Name: name})
 	if err != nil {
 		return nil, err
 	}
@@ -56,7 +59,15 @@ func (r *CommandSide) AddOrg(ctx context.Context, name, userID, resourceOwner st
 	if err != nil {
 		return nil, err
 	}
-	err = r.eventstore.PushAggregate(ctx, addedOrg, orgAgg)
+	aggregates := make([]eventstore.Aggregater, 0)
+	aggregates = append(aggregates, orgAgg)
+	aggregates = append(aggregates, claimedUsers...)
+	resEvents, err := r.eventstore.PushAggregates(ctx, aggregates...)
+	if err != nil {
+		return nil, err
+	}
+	addedOrg.AppendEvents(resEvents...)
+	err = addedOrg.Reduce()
 	if err != nil {
 		return nil, err
 	}
@@ -97,46 +108,50 @@ func (r *CommandSide) ReactivateOrg(ctx context.Context, orgID string) error {
 	return r.eventstore.PushAggregate(ctx, orgWriteModel, orgAgg)
 }
 
-func (r *CommandSide) setUpOrg(ctx context.Context, organisation *domain.Org, admin *domain.Human) (*org.Aggregate, *user.Aggregate, *org.Aggregate, error) {
-	orgAgg, _, err := r.addOrg(ctx, organisation)
+func (r *CommandSide) setUpOrg(ctx context.Context, organisation *domain.Org, admin *domain.Human) (*org.Aggregate, *user.Aggregate, *org.Aggregate, []eventstore.Aggregater, error) {
+	orgAgg, _, claimedUserAggregates, err := r.addOrg(ctx, organisation)
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, nil, nil, nil, err
 	}
 
 	userAgg, _, err := r.addHuman(ctx, orgAgg.ID(), admin)
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, nil, nil, nil, err
 	}
 
 	addedMember := NewOrgMemberWriteModel(orgAgg.ID(), userAgg.ID())
 	orgMemberAgg := OrgAggregateFromWriteModel(&addedMember.WriteModel)
 	err = r.addOrgMember(ctx, orgMemberAgg, addedMember, domain.NewMember(orgMemberAgg.ID(), userAgg.ID(), domain.RoleOrgOwner))
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, nil, nil, nil, err
 	}
-	return orgAgg, userAgg, orgMemberAgg, nil
+	return orgAgg, userAgg, orgMemberAgg, claimedUserAggregates, nil
 }
 
-func (r *CommandSide) addOrg(ctx context.Context, organisation *domain.Org) (_ *org.Aggregate, _ *OrgWriteModel, err error) {
+func (r *CommandSide) addOrg(ctx context.Context, organisation *domain.Org, claimedUserIDs ...string) (_ *org.Aggregate, _ *OrgWriteModel, _ []eventstore.Aggregater, err error) {
 	if organisation == nil || !organisation.IsValid() {
-		return nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMM-deLSk", "Errors.Org.Invalid")
+		return nil, nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMM-deLSk", "Errors.Org.Invalid")
 	}
 
 	organisation.AggregateID, err = r.idGenerator.Next()
 	if err != nil {
-		return nil, nil, caos_errs.ThrowInternal(err, "COMMA-OwciI", "Errors.Internal")
+		return nil, nil, nil, caos_errs.ThrowInternal(err, "COMMA-OwciI", "Errors.Internal")
 	}
 	organisation.AddIAMDomain(r.iamDomain)
 	addedOrg := NewOrgWriteModel(organisation.AggregateID)
 
 	orgAgg := OrgAggregateFromWriteModel(&addedOrg.WriteModel)
 	orgAgg.PushEvents(org.NewOrgAddedEvent(ctx, organisation.Name))
+	claimedUserAggregates := make([]eventstore.Aggregater, 0)
 	for _, orgDomain := range organisation.Domains {
-		if err := r.addOrgDomain(ctx, orgAgg, NewOrgDomainWriteModel(orgAgg.ID(), orgDomain.Domain), orgDomain); err != nil {
-			return nil, nil, err
+		aggregates, err := r.addOrgDomain(ctx, orgAgg, NewOrgDomainWriteModel(orgAgg.ID(), orgDomain.Domain), orgDomain, claimedUserIDs...)
+		if err != nil {
+			return nil, nil, nil, err
+		} else {
+			claimedUserAggregates = append(claimedUserAggregates, aggregates...)
 		}
 	}
-	return orgAgg, addedOrg, nil
+	return orgAgg, addedOrg, claimedUserAggregates, nil
 }
 
 func (r *CommandSide) getOrgWriteModelByID(ctx context.Context, orgID string) (*OrgWriteModel, error) {

internal/v2/command/org_domain.go

@@ -2,6 +2,7 @@ package command
 
 import (
 	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
 
 	"github.com/caos/logging"
 
@@ -15,14 +16,27 @@ import (
 func (r *CommandSide) AddOrgDomain(ctx context.Context, orgDomain *domain.OrgDomain) (*domain.OrgDomain, error) {
 	domainWriteModel := NewOrgDomainWriteModel(orgDomain.AggregateID, orgDomain.Domain)
 	orgAgg := OrgAggregateFromWriteModel(&domainWriteModel.WriteModel)
-	err := r.addOrgDomain(ctx, orgAgg, domainWriteModel, orgDomain)
+	userAggregates, err := r.addOrgDomain(ctx, orgAgg, domainWriteModel, orgDomain)
 	if err != nil {
 		return nil, err
 	}
-	err = r.eventstore.PushAggregate(ctx, domainWriteModel, orgAgg)
+	if len(userAggregates) == 0 {
+		err = r.eventstore.PushAggregate(ctx, domainWriteModel, orgAgg)
+		if err != nil {
+			return nil, err
+		}
+		return orgDomainWriteModelToOrgDomain(domainWriteModel), nil
+	}
+
+	aggregates := make([]eventstore.Aggregater, 0)
+	aggregates = append(aggregates, orgAgg)
+	aggregates = append(aggregates, userAggregates...)
+	resultEvents, err := r.eventstore.PushAggregates(ctx, aggregates...)
 	if err != nil {
 		return nil, err
 	}
+	domainWriteModel.AppendEvents(resultEvents...)
+	domainWriteModel.Reduce()
 	return orgDomainWriteModelToOrgDomain(domainWriteModel), nil
 }
 
@@ -63,7 +77,7 @@ func (r *CommandSide) GenerateOrgDomainValidation(ctx context.Context, orgDomain
 	return token, url, nil
 }
 
-func (r *CommandSide) ValidateOrgDomain(ctx context.Context, orgDomain *domain.OrgDomain) error {
+func (r *CommandSide) ValidateOrgDomain(ctx context.Context, orgDomain *domain.OrgDomain, claimedUserIDs ...string) error {
 	if orgDomain == nil || !orgDomain.IsValid() {
 		return caos_errs.ThrowPreconditionFailed(nil, "ORG-R24hb", "Errors.Org.InvalidDomain")
 	}
@@ -89,8 +103,20 @@ func (r *CommandSide) ValidateOrgDomain(ctx context.Context, orgDomain *domain.O
 	err = r.domainVerificationValidator(domainWriteModel.Domain, validationCode, validationCode, checkType)
 	orgAgg := OrgAggregateFromWriteModel(&domainWriteModel.WriteModel)
 	if err == nil {
+		aggregates := make([]eventstore.Aggregater, 0)
 		orgAgg.PushEvents(org.NewDomainVerifiedEvent(ctx, orgDomain.Domain))
-		return r.eventstore.PushAggregate(ctx, domainWriteModel, orgAgg)
+		aggregates = append(aggregates, orgAgg)
+
+		for _, userID := range claimedUserIDs {
+			userAgg, _, err := r.userDomainClaimed(ctx, userID)
+			if err != nil {
+				logging.LogWithFields("COMMAND-5m8fs", "userid", userID).WithError(err).Warn("could not claim user")
+				continue
+			}
+			aggregates = append(aggregates, userAgg)
+		}
+		_, err = r.eventstore.PushAggregates(ctx, aggregates...)
+		return err
 	}
 	orgAgg.PushEvents(org.NewDomainVerificationFailedEvent(ctx, orgDomain.Domain))
 	err = r.eventstore.PushAggregate(ctx, domainWriteModel, orgAgg)
@@ -136,24 +162,33 @@ func (r *CommandSide) RemoveOrgDomain(ctx context.Context, orgDomain *domain.Org
 	return r.eventstore.PushAggregate(ctx, domainWriteModel, orgAgg)
 }
 
-func (r *CommandSide) addOrgDomain(ctx context.Context, orgAgg *org.Aggregate, addedDomain *OrgDomainWriteModel, orgDomain *domain.OrgDomain) error {
+func (r *CommandSide) addOrgDomain(ctx context.Context, orgAgg *org.Aggregate, addedDomain *OrgDomainWriteModel, orgDomain *domain.OrgDomain, claimedUserIDs ...string) ([]eventstore.Aggregater, error) {
 	err := r.eventstore.FilterToQueryReducer(ctx, addedDomain)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	if addedDomain.State == domain.OrgDomainStateActive {
-		return caos_errs.ThrowAlreadyExists(nil, "COMMA-Bd2jj", "Errors.Org.Domain.AlreadyExists")
+		return nil, caos_errs.ThrowAlreadyExists(nil, "COMMA-Bd2jj", "Errors.Org.Domain.AlreadyExists")
 	}
+
 	orgAgg.PushEvents(org.NewDomainAddedEvent(ctx, orgDomain.Domain))
+
+	userAggregates := make([]eventstore.Aggregater, 0)
 	if orgDomain.Verified {
-		//TODO: uniqueness verified domain
-		//TODO: users with verified domain -> domain claimed
 		orgAgg.PushEvents(org.NewDomainVerifiedEvent(ctx, orgDomain.Domain))
+		for _, userID := range claimedUserIDs {
+			userAgg, _, err := r.userDomainClaimed(ctx, userID)
+			if err != nil {
+				logging.LogWithFields("COMMAND-nn8Jf", "userid", userID).WithError(err).Warn("could not claim user")
+				continue
+			}
+			userAggregates = append(userAggregates, userAgg)
+		}
 	}
 	if orgDomain.Primary {
 		orgAgg.PushEvents(org.NewDomainPrimarySetEvent(ctx, orgDomain.Domain))
 	}
-	return nil
+	return userAggregates, nil
 }
 
 func (r *CommandSide) getOrgDomainWriteModel(ctx context.Context, orgID, domain string) (*OrgDomainWriteModel, error) {

internal/v2/command/org_idp_config.go

@@ -2,6 +2,7 @@ package command
 
 import (
 	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
 
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
@@ -21,7 +22,6 @@ func (r *CommandSide) AddIDPConfig(ctx context.Context, config *domain.IDPConfig
 	if err != nil {
 		return nil, err
 	}
-	//TODO: check name unique on aggregate
 	addedConfig := NewOrgIDPConfigWriteModel(idpConfigID, config.AggregateID)
 
 	clientSecret, err := crypto.Crypt([]byte(config.OIDCConfig.ClientSecretString), r.idpConfigSecretCrypto)
@@ -109,7 +109,7 @@ func (r *CommandSide) ReactivateIDPConfig(ctx context.Context, idpID, orgID stri
 	return r.eventstore.PushAggregate(ctx, existingIDP, orgAgg)
 }
 
-func (r *CommandSide) RemoveIDPConfig(ctx context.Context, idpID, orgID string) error {
+func (r *CommandSide) RemoveIDPConfig(ctx context.Context, idpID, orgID string, cascadeRemoveProvider bool, cascadeExternalIDPs ...*domain.ExternalIDP) error {
 	existingIDP, err := r.orgIDPConfigWriteModelByID(ctx, idpID, orgID)
 	if err != nil {
 		return err
@@ -121,10 +121,20 @@ func (r *CommandSide) RemoveIDPConfig(ctx context.Context, idpID, orgID string)
 	if existingIDP.State != domain.IDPConfigStateInactive {
 		return caos_errs.ThrowPreconditionFailed(nil, "Org-5Mo0d", "Errors.Org.IDPConfig.NotInactive")
 	}
+
+	aggregates := make([]eventstore.Aggregater, 0)
 	orgAgg := OrgAggregateFromWriteModel(&existingIDP.WriteModel)
 	orgAgg.PushEvents(org_repo.NewIDPConfigRemovedEvent(ctx, existingIDP.ResourceOwner, idpID, existingIDP.Name))
 
-	return r.eventstore.PushAggregate(ctx, existingIDP, orgAgg)
+	userAggregates := make([]eventstore.Aggregater, 0)
+	if cascadeRemoveProvider {
+		userAggregates = r.removeIDPProviderFromLoginPolicy(ctx, orgAgg, idpID, true, cascadeExternalIDPs...)
+	}
+	aggregates = append(aggregates, orgAgg)
+	aggregates = append(aggregates, userAggregates...)
+
+	_, err = r.eventstore.PushAggregates(ctx, aggregates...)
+	return err
 }
 
 func (r *CommandSide) orgIDPConfigWriteModelByID(ctx context.Context, idpID, orgID string) (policy *OrgIDPConfigWriteModel, err error) {

internal/v2/command/org_policy_login.go

@@ -2,6 +2,8 @@ package command
 
 import (
 	"context"
+	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/eventstore/v2"
 
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/v2/domain"
@@ -38,7 +40,7 @@ func (r *CommandSide) ChangeLoginPolicy(ctx context.Context, policy *domain.Logi
 	if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved {
 		return nil, caos_errs.ThrowNotFound(nil, "Org-M0sif", "Errors.Org.LoginPolicy.NotFound")
 	}
-	changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, policy.AllowUsernamePassword, policy.AllowRegister, policy.AllowExternalIDP, policy.ForceMFA, domain.PasswordlessType(policy.PasswordlessType))
+	changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, policy.AllowUsernamePassword, policy.AllowRegister, policy.AllowExternalIDP, policy.ForceMFA, policy.PasswordlessType)
 	if !hasChanged {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "Org-5M9vdd", "Errors.Org.LoginPolicy.NotChanged")
 	}
@@ -89,7 +91,7 @@ func (r *CommandSide) AddIDPProviderToLoginPolicy(ctx context.Context, idpProvid
 	return writeModelToIDPProvider(&idpModel.IdentityProviderWriteModel), nil
 }
 
-func (r *CommandSide) RemoveIDPProviderFromLoginPolicy(ctx context.Context, idpProvider *domain.IDPProvider) error {
+func (r *CommandSide) RemoveIDPProviderFromLoginPolicy(ctx context.Context, idpProvider *domain.IDPProvider, cascadeExternalIDPs ...*domain.ExternalIDP) error {
 	idpModel := NewOrgIdentityProviderWriteModel(idpProvider.AggregateID, idpProvider.IDPConfigID)
 	err := r.eventstore.FilterToQueryReducer(ctx, idpModel)
 	if err != nil {
@@ -98,10 +100,36 @@ func (r *CommandSide) RemoveIDPProviderFromLoginPolicy(ctx context.Context, idpP
 	if idpModel.State == domain.IdentityProviderStateUnspecified || idpModel.State == domain.IdentityProviderStateRemoved {
 		return caos_errs.ThrowNotFound(nil, "Org-39fjs", "Errors.Org.LoginPolicy.IDP.NotExisting")
 	}
-	orgAgg := OrgAggregateFromWriteModel(&idpModel.IdentityProviderWriteModel.WriteModel)
-	orgAgg.PushEvents(org.NewIdentityProviderRemovedEvent(ctx, idpProvider.IDPConfigID))
 
-	return r.eventstore.PushAggregate(ctx, idpModel, orgAgg)
+	aggregates := make([]eventstore.Aggregater, 0)
+	orgAgg := OrgAggregateFromWriteModel(&idpModel.IdentityProviderWriteModel.WriteModel)
+	userAggregates := r.removeIDPProviderFromLoginPolicy(ctx, orgAgg, idpProvider.IDPConfigID, false, cascadeExternalIDPs...)
+
+	aggregates = append(aggregates, orgAgg)
+	aggregates = append(aggregates, userAggregates...)
+
+	_, err = r.eventstore.PushAggregates(ctx, aggregates...)
+	return err
+}
+
+func (r *CommandSide) removeIDPProviderFromLoginPolicy(ctx context.Context, orgAgg *org.Aggregate, idpConfigID string, cascade bool, cascadeExternalIDPs ...*domain.ExternalIDP) []eventstore.Aggregater {
+	if cascade {
+		orgAgg.PushEvents(org.NewIdentityProviderCascadeRemovedEvent(ctx, idpConfigID))
+
+	} else {
+		orgAgg.PushEvents(org.NewIdentityProviderRemovedEvent(ctx, idpConfigID))
+	}
+
+	userAggregates := make([]eventstore.Aggregater, 0)
+	for _, idp := range cascadeExternalIDPs {
+		userAgg, _, err := r.removeHumanExternalIDP(ctx, idp, true)
+		if err != nil {
+			logging.LogWithFields("COMMAND-n8RRf", "userid", idp.AggregateID, "idpconfigid", idp.IDPConfigID).WithError(err).Warn("could not cascade remove external idp")
+			continue
+		}
+		userAggregates = append(userAggregates, userAgg)
+	}
+	return userAggregates
 }
 
 func (r *CommandSide) AddSecondFactorToLoginPolicy(ctx context.Context, secondFactor domain.SecondFactorType, orgID string) (domain.SecondFactorType, error) {

internal/v2/command/project.go

@@ -2,6 +2,7 @@ package command
 
 import (
 	"context"
+	"github.com/caos/logging"
 	"github.com/caos/zitadel/internal/eventstore/v2"
 
 	caos_errs "github.com/caos/zitadel/internal/errors"
@@ -145,7 +146,7 @@ func (r *CommandSide) ReactivateProject(ctx context.Context, projectID string, r
 	return r.eventstore.PushAggregate(ctx, existingProject, projectAgg)
 }
 
-func (r *CommandSide) RemoveProject(ctx context.Context, projectID, resourceOwner string, cascadingGrantIDs ...string) error {
+func (r *CommandSide) RemoveProject(ctx context.Context, projectID, resourceOwner string, cascadingUserGrantIDs ...string) error {
 	if projectID == "" || resourceOwner == "" {
 		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-66hM9", "Errors.Project.ProjectIDMissing")
 	}
@@ -163,10 +164,11 @@ func (r *CommandSide) RemoveProject(ctx context.Context, projectID, resourceOwne
 	projectAgg.PushEvents(project.NewProjectRemovedEvent(ctx, existingProject.Name, existingProject.ResourceOwner))
 	aggregates = append(aggregates, projectAgg)
 
-	for _, grantID := range cascadingGrantIDs {
+	for _, grantID := range cascadingUserGrantIDs {
 		grantAgg, _, err := r.removeUserGrant(ctx, grantID, "", true)
 		if err != nil {
-			return err
+			logging.LogWithFields("COMMAND-b8Djf", "usergrantid", grantID).WithError(err).Warn("could not cascade remove user grant")
+			continue
 		}
 		aggregates = append(aggregates, grantAgg)
 	}

internal/v2/command/project_grant.go

@@ -2,10 +2,13 @@ package command
 
 import (
 	"context"
+	"github.com/caos/logging"
 	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/project"
+	"github.com/caos/zitadel/internal/v2/repository/usergrant"
 	"reflect"
 )
 
@@ -41,7 +44,7 @@ func (r *CommandSide) AddProjectGrant(ctx context.Context, grant *domain.Project
 	return projectGrantWriteModelToProjectGrant(addedGrant), nil
 }
 
-func (r *CommandSide) ChangeProjectGrant(ctx context.Context, grant *domain.ProjectGrant, resourceOwner string) (_ *domain.ProjectGrant, err error) {
+func (r *CommandSide) ChangeProjectGrant(ctx context.Context, grant *domain.ProjectGrant, resourceOwner string, cascadeUserGrantIDs ...string) (_ *domain.ProjectGrant, err error) {
 	if grant.GrantID == "" {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "PROJECT-1j83s", "Errors.IDMissing")
 	}
@@ -58,16 +61,75 @@ func (r *CommandSide) ChangeProjectGrant(ctx context.Context, grant *domain.Proj
 	if reflect.DeepEqual(existingGrant.RoleKeys, grant.RoleKeys) {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "PROJECT-0o0pL", "Errors.NoChangesFoundc")
 	}
+
 	projectAgg.PushEvents(project.NewGrantChangedEvent(ctx, grant.GrantID, grant.RoleKeys))
-	//TODO: Change UserGrants (if role removed should be removed from user grant)
-	err = r.eventstore.PushAggregate(ctx, existingGrant, projectAgg)
+
+	removedRoles := domain.GetRemovedRoles(existingGrant.RoleKeys, grant.RoleKeys)
+	if len(removedRoles) == 0 {
+		err = r.eventstore.PushAggregate(ctx, existingGrant, projectAgg)
+		if err != nil {
+			return nil, err
+		}
+		return projectGrantWriteModelToProjectGrant(existingGrant), nil
+	}
+
+	aggregates := make([]eventstore.Aggregater, 0)
+	aggregates = append(aggregates, projectAgg)
+	for _, userGrantID := range cascadeUserGrantIDs {
+		grantAgg, _, err := r.removeRoleFromUserGrant(ctx, userGrantID, removedRoles, true)
+		if err != nil {
+			continue
+		}
+		aggregates = append(aggregates, grantAgg)
+	}
+	resultEvents, err := r.eventstore.PushAggregates(ctx, aggregates...)
+	if err != nil {
+		return nil, err
+	}
+	existingGrant.AppendEvents(resultEvents...)
+	err = existingGrant.Reduce()
 	if err != nil {
 		return nil, err
 	}
-
 	return projectGrantWriteModelToProjectGrant(existingGrant), nil
 }
 
+func (r *CommandSide) removeRoleFromProjectGrant(ctx context.Context, projectAgg *project.Aggregate, projectID, projectGrantID, roleKey string, cascade bool) (_ *ProjectGrantWriteModel, err error) {
+	existingProjectGrant, err := r.projectGrantWriteModelByID(ctx, projectID, projectGrantID, "")
+	if err != nil {
+		return nil, err
+	}
+	if existingProjectGrant.State == domain.ProjectGrantStateUnspecified || existingProjectGrant.State == domain.ProjectGrantStateRemoved {
+		return nil, caos_errs.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.Project.Grant.NotFound")
+	}
+	keyExists := false
+	for i, key := range existingProjectGrant.RoleKeys {
+		if key == roleKey {
+			keyExists = true
+			copy(existingProjectGrant.RoleKeys[i:], existingProjectGrant.RoleKeys[i+1:])
+			existingProjectGrant.RoleKeys[len(existingProjectGrant.RoleKeys)-1] = ""
+			existingProjectGrant.RoleKeys = existingProjectGrant.RoleKeys[:len(existingProjectGrant.RoleKeys)-1]
+			continue
+		}
+	}
+	if !keyExists {
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-5m8g9", "Errors.Project.Grant.RoleKeyNotFound")
+	}
+	changedProjectGrant := NewProjectGrantWriteModel(projectGrantID, projectID, existingProjectGrant.ResourceOwner)
+
+	if !cascade {
+		projectAgg.PushEvents(
+			project.NewGrantChangedEvent(ctx, projectGrantID, existingProjectGrant.RoleKeys),
+		)
+	} else {
+		projectAgg.PushEvents(
+			usergrant.NewUserGrantCascadeChangedEvent(ctx, existingProjectGrant.RoleKeys),
+		)
+	}
+
+	return changedProjectGrant, nil
+}
+
 func (r *CommandSide) DeactivateProjectGrant(ctx context.Context, projectID, grantID, resourceOwner string) (err error) {
 	if grantID == "" || projectID == "" {
 		return caos_errs.ThrowPreconditionFailed(nil, "PROJECT-p0s4V", "Errors.IDMissing")
@@ -109,7 +171,7 @@ func (r *CommandSide) ReactivateProjectGrant(ctx context.Context, projectID, gra
 	return r.eventstore.PushAggregate(ctx, existingGrant, projectAgg)
 }
 
-func (r *CommandSide) RemoveProjectGrant(ctx context.Context, projectID, grantID, resourceOwner string) (err error) {
+func (r *CommandSide) RemoveProjectGrant(ctx context.Context, projectID, grantID, resourceOwner string, cascadeUserGrantIDs ...string) (err error) {
 	if grantID == "" || projectID == "" {
 		return caos_errs.ThrowPreconditionFailed(nil, "PROJECT-1m9fJ", "Errors.IDMissing")
 	}
@@ -121,10 +183,21 @@ func (r *CommandSide) RemoveProjectGrant(ctx context.Context, projectID, grantID
 	if err != nil {
 		return err
 	}
+	aggregates := make([]eventstore.Aggregater, 0)
 	projectAgg := ProjectAggregateFromWriteModel(&existingGrant.WriteModel)
 	projectAgg.PushEvents(project.NewGrantRemovedEvent(ctx, grantID, existingGrant.GrantedOrgID, projectID))
-	//TODO: Cascade Remove usergrants
-	return r.eventstore.PushAggregate(ctx, existingGrant, projectAgg)
+	aggregates = append(aggregates, projectAgg)
+
+	for _, userGrantID := range cascadeUserGrantIDs {
+		grantAgg, _, err := r.removeUserGrant(ctx, userGrantID, "", true)
+		if err != nil {
+			logging.LogWithFields("COMMAND-3m8sG", "usergrantid", grantID).WithError(err).Warn("could not cascade remove user grant")
+			continue
+		}
+		aggregates = append(aggregates, grantAgg)
+	}
+	_, err = r.eventstore.PushAggregates(ctx, aggregates...)
+	return err
 }
 
 func (r *CommandSide) projectGrantWriteModelByID(ctx context.Context, grantID, projectID, resourceOwner string) (member *ProjectGrantWriteModel, err error) {

internal/v2/command/project_grant_model.go

@@ -90,15 +90,18 @@ func (wm *ProjectGrantWriteModel) Reduce() error {
 }
 
 func (wm *ProjectGrantWriteModel) Query() *eventstore.SearchQueryBuilder {
-	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, project.AggregateType).
+	query := eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, project.AggregateType).
 		AggregateIDs(wm.AggregateID).
-		ResourceOwner(wm.ResourceOwner)
-	//EventTypes(
-	//	project.GrantAddedType,
-	//	project.GrantChangedType,
-	//	project.GrantCascadeChangedType,
-	//	project.GrantDeactivatedType,
-	//	project.GrantReactivatedType,
-	//	project.GrantRemovedType,
-	//	project.ProjectRemovedType)
+		EventTypes(
+			project.GrantAddedType,
+			project.GrantChangedType,
+			project.GrantCascadeChangedType,
+			project.GrantDeactivatedType,
+			project.GrantReactivatedType,
+			project.GrantRemovedType,
+			project.ProjectRemovedType)
+	if wm.ResourceOwner != "" {
+		query.ResourceOwner(wm.ResourceOwner)
+	}
+	return query
 }

internal/v2/command/project_role.go

@@ -2,7 +2,9 @@ package command
 
 import (
 	"context"
+	"github.com/caos/logging"
 	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/project"
 )
@@ -92,7 +94,7 @@ func (r *CommandSide) ChangeProjectRole(ctx context.Context, projectRole *domain
 	return roleWriteModelToRole(existingRole), nil
 }
 
-func (r *CommandSide) RemoveProjectRole(ctx context.Context, projectID, key, resourceOwner string) (err error) {
+func (r *CommandSide) RemoveProjectRole(ctx context.Context, projectID, key, resourceOwner string, cascadingProjectGrantIds []string, cascadeUserGrantIDs ...string) (err error) {
 	if projectID == "" || key == "" {
 		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4m9vS", "Errors.Project.Role.Invalid")
 	}
@@ -103,12 +105,29 @@ func (r *CommandSide) RemoveProjectRole(ctx context.Context, projectID, key, res
 	if existingRole.State == domain.ProjectRoleStateUnspecified || existingRole.State == domain.ProjectRoleStateRemoved {
 		return caos_errs.ThrowNotFound(nil, "COMMAND-m9vMf", "Errors.Project.Role.NotExisting")
 	}
-
+	aggregates := make([]eventstore.Aggregater, 0)
 	projectAgg := ProjectAggregateFromWriteModel(&existingRole.WriteModel)
 	projectAgg.PushEvents(project.NewRoleRemovedEvent(ctx, key, projectID, existingRole.ResourceOwner))
-	//TODO: Update UserGrants (remove roles if on usergrants)
+	for _, projectGrantID := range cascadingProjectGrantIds {
+		_, err = r.removeRoleFromProjectGrant(ctx, projectAgg, projectID, projectGrantID, key, true)
+		if err != nil {
+			logging.LogWithFields("COMMAND-6n77g", "projectgrantid", projectGrantID).WithError(err).Warn("could not cascade remove role from project grant")
+			continue
+		}
+	}
+	aggregates = append(aggregates, projectAgg)
 
-	return r.eventstore.PushAggregate(ctx, existingRole, projectAgg)
+	for _, grantID := range cascadeUserGrantIDs {
+		grantAgg, _, err := r.removeRoleFromUserGrant(ctx, grantID, []string{key}, true)
+		if err != nil {
+			logging.LogWithFields("COMMAND-mK0of", "usergrantid", grantID).WithError(err).Warn("could not cascade remove role on user grant")
+			continue
+		}
+		aggregates = append(aggregates, grantAgg)
+	}
+
+	_, err = r.eventstore.PushAggregates(ctx, aggregates...)
+	return err
 }
 
 func (r *CommandSide) getProjectRoleWriteModelByID(ctx context.Context, key, projectID, resourceOwner string) (*ProjectRoleWriteModel, error) {

internal/v2/command/setup_step1.go

@@ -100,7 +100,7 @@ func (r *CommandSide) SetupStep1(ctx context.Context, step1 *Step1) error {
 	//create orgs
 	aggregates := make([]eventstore.Aggregater, 0)
 	for _, organisation := range step1.Orgs {
-		orgAgg, userAgg, orgMemberAgg, err := r.setUpOrg(ctx,
+		orgAgg, userAgg, orgMemberAgg, claimedUsers, err := r.setUpOrg(ctx,
 			&domain.Org{
 				Name:    organisation.Name,
 				Domains: []*domain.OrgDomain{{Domain: organisation.Domain}},
@@ -131,6 +131,7 @@ func (r *CommandSide) SetupStep1(ctx context.Context, step1 *Step1) error {
 			}
 		}
 		aggregates = append(aggregates, orgAgg, userAgg, orgMemberAgg)
+		aggregates = append(aggregates, claimedUsers...)
 		if organisation.Name == step1.GlobalOrg {
 			err = r.setGlobalOrg(ctx, iamAgg, iamWriteModel, orgAgg.ID())
 			if err != nil {

internal/v2/command/user.go

@@ -2,8 +2,11 @@ package command
 
 import (
 	"context"
+	"fmt"
+	"github.com/caos/logging"
 	auth_req_model "github.com/caos/zitadel/internal/auth_request/model"
 	"github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/eventstore/v2"
 	"strings"
 	"time"
 
@@ -121,7 +124,7 @@ func (r *CommandSide) UnlockUser(ctx context.Context, userID, resourceOwner stri
 	return r.eventstore.PushAggregate(ctx, existingUser, userAgg)
 }
 
-func (r *CommandSide) RemoveUser(ctx context.Context, userID, resourceOwner string) error {
+func (r *CommandSide) RemoveUser(ctx context.Context, userID, resourceOwner string, cascadingGrantIDs ...string) error {
 	if userID == "" {
 		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2M0ds", "Errors.User.UserIDMissing")
 	}
@@ -136,11 +139,22 @@ func (r *CommandSide) RemoveUser(ctx context.Context, userID, resourceOwner stri
 	if err != nil {
 		return err
 	}
+	aggregates := make([]eventstore.Aggregater, 0)
 	userAgg := UserAggregateFromWriteModel(&existingUser.WriteModel)
 	userAgg.PushEvents(user.NewUserRemovedEvent(ctx, existingUser.ResourceOwner, existingUser.UserName, orgIAMPolicy.UserLoginMustBeDomain))
-	//TODO: remove user grants
+	aggregates = append(aggregates, userAgg)
 
-	return r.eventstore.PushAggregate(ctx, existingUser, userAgg)
+	for _, grantID := range cascadingGrantIDs {
+		grantAgg, _, err := r.removeUserGrant(ctx, grantID, "", true)
+		if err != nil {
+			logging.LogWithFields("COMMAND-5m9oL", "usergrantid", grantID).WithError(err).Warn("could not cascade remove role on user grant")
+			continue
+		}
+		aggregates = append(aggregates, grantAgg)
+	}
+
+	_, err = r.eventstore.PushAggregates(ctx, aggregates...)
+	return err
 }
 
 func (r *CommandSide) CreateUserToken(ctx context.Context, orgID, agentID, clientID, userID string, audience, scopes []string, lifetime time.Duration) (*domain.Token, error) {
@@ -193,6 +207,25 @@ func (r *CommandSide) CreateUserToken(ctx context.Context, orgID, agentID, clien
 	}, nil
 }
 
+func (r *CommandSide) userDomainClaimed(ctx context.Context, userID string) (_ *user.Aggregate, _ *UserWriteModel, err error) {
+	existingUser, err := r.userWriteModelByID(ctx, userID, "")
+	if err != nil {
+		return nil, nil, err
+	}
+	if existingUser.UserState == domain.UserStateUnspecified || existingUser.UserState == domain.UserStateDeleted {
+		return nil, nil, caos_errs.ThrowNotFound(nil, "COMMAND-ii9K0", "Errors.User.NotFound")
+	}
+	changedUserGrant := NewUserWriteModel(userID, existingUser.ResourceOwner)
+	userAgg := UserAggregateFromWriteModel(&changedUserGrant.WriteModel)
+
+	id, err := r.idGenerator.Next()
+	if err != nil {
+		return nil, nil, err
+	}
+	userAgg.PushEvents(user.NewDomainClaimedEvent(ctx, fmt.Sprintf("%s@temporary.%s", id, r.iamDomain)))
+	return userAgg, changedUserGrant, nil
+}
+
 func (r *CommandSide) UserDomainClaimedSent(ctx context.Context, orgID, userID string) (err error) {
 	existingUser, err := r.userWriteModelByID(ctx, userID, orgID)
 	if err != nil {

internal/v2/command/user_grant.go

@@ -108,6 +108,45 @@ func (r *CommandSide) changeUserGrant(ctx context.Context, userGrant *domain.Use
 	return userGrantAgg, changedUserGrant, nil
 }
 
+func (r *CommandSide) removeRoleFromUserGrant(ctx context.Context, userGrantID string, roleKeys []string, cascade bool) (_ *usergrant.Aggregate, _ *UserGrantWriteModel, err error) {
+	existingUserGrant, err := r.userGrantWriteModelByID(ctx, userGrantID, "")
+	if err != nil {
+		return nil, nil, err
+	}
+	if existingUserGrant.State == domain.UserGrantStateUnspecified || existingUserGrant.State == domain.UserGrantStateRemoved {
+		return nil, nil, caos_errs.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.UserGrant.NotFound")
+	}
+	keyExists := false
+	for i, key := range existingUserGrant.RoleKeys {
+		for _, roleKey := range roleKeys {
+			if key == roleKey {
+				keyExists = true
+				copy(existingUserGrant.RoleKeys[i:], existingUserGrant.RoleKeys[i+1:])
+				existingUserGrant.RoleKeys[len(existingUserGrant.RoleKeys)-1] = ""
+				existingUserGrant.RoleKeys = existingUserGrant.RoleKeys[:len(existingUserGrant.RoleKeys)-1]
+				continue
+			}
+		}
+	}
+	if !keyExists {
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-5m8g9", "Errors.UserGrant.RoleKeyNotFound")
+	}
+	changedUserGrant := NewUserGrantWriteModel(userGrantID, "")
+	userGrantAgg := UserGrantAggregateFromWriteModel(&changedUserGrant.WriteModel)
+
+	if !cascade {
+		userGrantAgg.PushEvents(
+			usergrant.NewUserGrantChangedEvent(ctx, existingUserGrant.RoleKeys),
+		)
+	} else {
+		userGrantAgg.PushEvents(
+			usergrant.NewUserGrantCascadeChangedEvent(ctx, existingUserGrant.RoleKeys),
+		)
+	}
+
+	return userGrantAgg, changedUserGrant, nil
+}
+
 func (r *CommandSide) DeactivateUserGrant(ctx context.Context, grantID, resourceOwner string) (err error) {
 	if grantID == "" || resourceOwner == "" {
 		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-M0dsf", "Errors.UserGrant.IDMissing")
@@ -197,10 +236,13 @@ func (r *CommandSide) removeUserGrant(ctx context.Context, grantID, resourceOwne
 	if err != nil {
 		return nil, nil, err
 	}
-	err = checkExplicitProjectPermission(ctx, existingUserGrant.ProjectGrantID, existingUserGrant.ProjectID)
-	if err != nil {
-		return nil, nil, err
+	if !cascade {
+		err = checkExplicitProjectPermission(ctx, existingUserGrant.ProjectGrantID, existingUserGrant.ProjectID)
+		if err != nil {
+			return nil, nil, err
+		}
 	}
+
 	if existingUserGrant.State == domain.UserGrantStateUnspecified || existingUserGrant.State == domain.UserGrantStateRemoved {
 		return nil, nil, caos_errs.ThrowNotFound(nil, "COMMAND-1My0t", "Errors.UserGrant.NotFound")
 	}

internal/v2/command/user_human_externalidp.go

@@ -10,7 +10,7 @@ import (
 )
 
 func (r *CommandSide) BulkAddedHumanExternalIDP(ctx context.Context, userID, resourceOwner string, externalIDPs []*domain.ExternalIDP) error {
-	if len(externalIDPs) == 0 {
+	if externalIDPs == nil || len(externalIDPs) == 0 {
 		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-Ek9s", "Errors.User.ExternalIDP.MinimumExternalIDPNeeded")
 	}
 	aggregates := make([]eventstore.Aggregater, len(externalIDPs))
@@ -38,20 +38,24 @@ func (r *CommandSide) addHumanExternalIDP(ctx context.Context, userAgg *user.Agg
 }
 
 func (r *CommandSide) RemoveHumanExternalIDP(ctx context.Context, externalIDP *domain.ExternalIDP) error {
-	return r.removeHumanExternalIDP(ctx, externalIDP, false)
+	userAgg, writemodel, err := r.removeHumanExternalIDP(ctx, externalIDP, false)
+	if err != nil {
+		return err
+	}
+	return r.eventstore.PushAggregate(ctx, writemodel, userAgg)
 }
 
-func (r *CommandSide) removeHumanExternalIDP(ctx context.Context, externalIDP *domain.ExternalIDP, cascade bool) error {
+func (r *CommandSide) removeHumanExternalIDP(ctx context.Context, externalIDP *domain.ExternalIDP, cascade bool) (*user.Aggregate, *HumanExternalIDPWriteModel, error) {
 	if externalIDP.IsValid() {
-		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-3M9ds", "Errors.IDMissing")
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-3M9ds", "Errors.IDMissing")
 	}
 
 	existingExternalIDP, err := r.externalIDPWriteModelByID(ctx, externalIDP.AggregateID, externalIDP.IDPConfigID, externalIDP.ExternalUserID, externalIDP.ResourceOwner)
 	if err != nil {
-		return err
+		return nil, nil, err
 	}
 	if existingExternalIDP.State == domain.ExternalIDPStateUnspecified || existingExternalIDP.State == domain.ExternalIDPStateRemoved {
-		return caos_errs.ThrowNotFound(nil, "COMMAND-1M9xR", "Errors.User.ExternalIDP.NotFound")
+		return nil, nil, caos_errs.ThrowNotFound(nil, "COMMAND-1M9xR", "Errors.User.ExternalIDP.NotFound")
 	}
 	userAgg := UserAggregateFromWriteModel(&existingExternalIDP.WriteModel)
 	if !cascade {
@@ -63,7 +67,7 @@ func (r *CommandSide) removeHumanExternalIDP(ctx context.Context, externalIDP *d
 			user.NewHumanExternalIDPCascadeRemovedEvent(ctx, externalIDP.IDPConfigID, externalIDP.ExternalUserID),
 		)
 	}
-	return r.eventstore.PushAggregate(ctx, existingExternalIDP, userAgg)
+	return userAgg, existingExternalIDP, nil
 }
 
 func (r *CommandSide) HumanExternalLoginChecked(ctx context.Context, orgID, userID string, authRequest *domain.AuthRequest) (err error) {

internal/v2/domain/project_grant.go

@@ -28,3 +28,22 @@ const (
 func (p *ProjectGrant) IsValid() bool {
 	return p.GrantedOrgID != ""
 }
+
+func GetRemovedRoles(existingRoles, newRoles []string) []string {
+	removed := make([]string, 0)
+	for _, role := range existingRoles {
+		if !containsKey(newRoles, role) {
+			removed = append(removed, role)
+		}
+	}
+	return removed
+}
+
+func containsKey(roles []string, key string) bool {
+	for _, role := range roles {
+		if role == key {
+			return true
+		}
+	}
+	return false
+}

internal/v2/repository/iam/eventstore.go

@@ -29,5 +29,8 @@ func RegisterEventMappers(es *eventstore.Eventstore) {
 		RegisterFilterEventMapper(IDPConfigDeactivatedEventType, IDPConfigDeactivatedEventMapper).
 		RegisterFilterEventMapper(IDPConfigReactivatedEventType, IDPConfigReactivatedEventMapper).
 		RegisterFilterEventMapper(IDPOIDCConfigAddedEventType, IDPOIDCConfigAddedEventMapper).
-		RegisterFilterEventMapper(IDPOIDCConfigChangedEventType, IDPOIDCConfigChangedEventMapper)
+		RegisterFilterEventMapper(IDPOIDCConfigChangedEventType, IDPOIDCConfigChangedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyIDPProviderAddedEventType, IdentityProviderAddedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyIDPProviderRemovedEventType, IdentityProviderRemovedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyIDPProviderCascadeRemovedEventType, IdentityProviderCascadeRemovedEventMapper)
 }

internal/v2/repository/iam/policy_login_identity_provider.go

@@ -9,8 +9,9 @@ import (
 )
 
 var (
-	LoginPolicyIDPProviderAddedEventType   = iamEventTypePrefix + policy.LoginPolicyIDPProviderAddedType
-	LoginPolicyIDPProviderRemovedEventType = iamEventTypePrefix + policy.LoginPolicyIDPProviderRemovedType
+	LoginPolicyIDPProviderAddedEventType          = iamEventTypePrefix + policy.LoginPolicyIDPProviderAddedType
+	LoginPolicyIDPProviderRemovedEventType        = iamEventTypePrefix + policy.LoginPolicyIDPProviderRemovedType
+	LoginPolicyIDPProviderCascadeRemovedEventType = iamEventTypePrefix + policy.LoginPolicyIDPProviderCascadeRemovedType
 )
 
 type IdentityProviderAddedEvent struct {
@@ -67,3 +68,29 @@ func IdentityProviderRemovedEventMapper(event *repository.Event) (eventstore.Eve
 		IdentityProviderRemovedEvent: *e.(*policy.IdentityProviderRemovedEvent),
 	}, nil
 }
+
+type IdentityProviderCascadeRemovedEvent struct {
+	policy.IdentityProviderCascadeRemovedEvent
+}
+
+func NewIdentityProviderCascadeRemovedEvent(
+	ctx context.Context,
+	idpConfigID string,
+) *IdentityProviderCascadeRemovedEvent {
+	return &IdentityProviderCascadeRemovedEvent{
+		IdentityProviderCascadeRemovedEvent: *policy.NewIdentityProviderCascadeRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, LoginPolicyIDPProviderCascadeRemovedEventType),
+			idpConfigID),
+	}
+}
+
+func IdentityProviderCascadeRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.IdentityProviderCascadeRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IdentityProviderCascadeRemovedEvent{
+		IdentityProviderCascadeRemovedEvent: *e.(*policy.IdentityProviderCascadeRemovedEvent),
+	}, nil
+}

internal/v2/repository/org/domain.go

@@ -12,6 +12,7 @@ import (
 )
 
 const (
+	uniqueOrgDomain                      = "org_domain"
 	domainEventPrefix                    = orgEventTypePrefix + "domain."
 	OrgDomainAddedEventType              = domainEventPrefix + "added"
 	OrgDomainVerificationAddedEventType  = domainEventPrefix + "verification.added"
@@ -21,6 +22,19 @@ const (
 	OrgDomainRemovedEventType            = domainEventPrefix + "removed"
 )
 
+func NewAddOrgDomainUniqueConstraint(orgDomain string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		uniqueOrgDomain,
+		orgDomain,
+		"Errors.Org.Domain.AlreadyExists")
+}
+
+func NewRemoveOrgDomainUniqueConstraint(orgDomain string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		uniqueOrgDomain,
+		orgDomain)
+}
+
 type DomainAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
@@ -70,7 +84,7 @@ func (e *DomainVerificationAddedEvent) Data() interface{} {
 }
 
 func (e *DomainVerificationAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
-	return nil
+	return []*eventstore.EventUniqueConstraint{NewAddOrgDomainUniqueConstraint(e.Domain)}
 }
 
 func NewDomainVerificationAddedEvent(
@@ -212,7 +226,8 @@ func DomainPrimarySetEventMapper(event *repository.Event) (eventstore.EventReade
 type DomainRemovedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
-	Domain string `json:"domain,omitempty"`
+	Domain     string `json:"domain,omitempty"`
+	isVerified bool
 }
 
 func (e *DomainRemovedEvent) Data() interface{} {
@@ -220,7 +235,10 @@ func (e *DomainRemovedEvent) Data() interface{} {
 }
 
 func (e *DomainRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
-	return nil
+	if !e.isVerified {
+		return nil
+	}
+	return []*eventstore.EventUniqueConstraint{NewRemoveOrgDomainUniqueConstraint(e.Domain)}
 }
 
 func NewDomainRemovedEvent(ctx context.Context, domain string) *DomainRemovedEvent {

internal/v2/repository/org/eventstore.go

@@ -31,6 +31,7 @@ func RegisterEventMappers(es *eventstore.Eventstore) {
 		RegisterFilterEventMapper(LoginPolicyMultiFactorRemovedEventType, MultiFactorRemovedEventEventMapper).
 		RegisterFilterEventMapper(LoginPolicyIDPProviderAddedEventType, IdentityProviderAddedEventMapper).
 		RegisterFilterEventMapper(LoginPolicyIDPProviderRemovedEventType, IdentityProviderRemovedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyIDPProviderCascadeRemovedEventType, IdentityProviderCascadeRemovedEventMapper).
 		RegisterFilterEventMapper(OrgIAMPolicyAddedEventType, OrgIAMPolicyAddedEventMapper).
 		RegisterFilterEventMapper(OrgIAMPolicyChangedEventType, OrgIAMPolicyChangedEventMapper).
 		RegisterFilterEventMapper(OrgIAMPolicyRemovedEventType, OrgIAMPolicyRemovedEventMapper).

internal/v2/repository/org/org.go

@@ -18,12 +18,6 @@ const (
 	OrgRemovedEventType     = orgEventTypePrefix + "removed"
 )
 
-type OrgnameUniqueConstraint struct {
-	uniqueType string
-	orgName    string
-	action     eventstore.UniqueConstraintAction
-}
-
 func NewAddOrgNameUniqueConstraint(orgName string) *eventstore.EventUniqueConstraint {
 	return eventstore.NewAddEventUniqueConstraint(
 		uniqueOrgname,

internal/v2/repository/org/policy_login_identity_provider.go

@@ -9,8 +9,9 @@ import (
 )
 
 var (
-	LoginPolicyIDPProviderAddedEventType   = orgEventTypePrefix + policy.LoginPolicyIDPProviderAddedType
-	LoginPolicyIDPProviderRemovedEventType = orgEventTypePrefix + policy.LoginPolicyIDPProviderRemovedType
+	LoginPolicyIDPProviderAddedEventType          = orgEventTypePrefix + policy.LoginPolicyIDPProviderAddedType
+	LoginPolicyIDPProviderRemovedEventType        = orgEventTypePrefix + policy.LoginPolicyIDPProviderRemovedType
+	LoginPolicyIDPProviderCascadeRemovedEventType = orgEventTypePrefix + policy.LoginPolicyIDPProviderCascadeRemovedType
 )
 
 type IdentityProviderAddedEvent struct {
@@ -67,3 +68,29 @@ func IdentityProviderRemovedEventMapper(event *repository.Event) (eventstore.Eve
 		IdentityProviderRemovedEvent: *e.(*policy.IdentityProviderRemovedEvent),
 	}, nil
 }
+
+type IdentityProviderCascadeRemovedEvent struct {
+	policy.IdentityProviderCascadeRemovedEvent
+}
+
+func NewIdentityProviderCascadeRemovedEvent(
+	ctx context.Context,
+	idpConfigID string,
+) *IdentityProviderCascadeRemovedEvent {
+	return &IdentityProviderCascadeRemovedEvent{
+		IdentityProviderCascadeRemovedEvent: *policy.NewIdentityProviderCascadeRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, LoginPolicyIDPProviderRemovedEventType),
+			idpConfigID),
+	}
+}
+
+func IdentityProviderCascadeRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.IdentityProviderCascadeRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IdentityProviderCascadeRemovedEvent{
+		IdentityProviderCascadeRemovedEvent: *e.(*policy.IdentityProviderCascadeRemovedEvent),
+	}, nil
+}

internal/v2/repository/policy/policy_login_identity_provider.go

@@ -9,9 +9,10 @@ import (
 )
 
 const (
-	loginPolicyIDPProviderPrevix      = loginPolicyPrefix + "idpprovider."
-	LoginPolicyIDPProviderAddedType   = loginPolicyIDPProviderPrevix + "added"
-	LoginPolicyIDPProviderRemovedType = loginPolicyIDPProviderPrevix + "removed"
+	loginPolicyIDPProviderPrevix             = loginPolicyPrefix + "idpprovider."
+	LoginPolicyIDPProviderAddedType          = loginPolicyIDPProviderPrevix + "added"
+	LoginPolicyIDPProviderRemovedType        = loginPolicyIDPProviderPrevix + "removed"
+	LoginPolicyIDPProviderCascadeRemovedType = loginPolicyIDPProviderPrevix + "cascade.removed"
 )
 
 type IdentityProviderAddedEvent struct {
@@ -91,3 +92,40 @@ func IdentityProviderRemovedEventMapper(event *repository.Event) (eventstore.Eve
 
 	return e, nil
 }
+
+type IdentityProviderCascadeRemovedEvent struct {
+	eventstore.BaseEvent
+
+	IDPConfigID string `json:"idpConfigId"`
+}
+
+func (e *IdentityProviderCascadeRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *IdentityProviderCascadeRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewIdentityProviderCascadeRemovedEvent(
+	base *eventstore.BaseEvent,
+	idpConfigID string,
+) *IdentityProviderCascadeRemovedEvent {
+	return &IdentityProviderCascadeRemovedEvent{
+		BaseEvent:   *base,
+		IDPConfigID: idpConfigID,
+	}
+}
+
+func IdentityProviderCascadeRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &IdentityProviderCascadeRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROVI-7M9fs", "Errors.Internal")
+	}
+
+	return e, nil
+}