fix: use query side for requests (#2818)

* refactor(domain): add user type * fix(projections): start with login names * fix(login_policy): correct handling of user domain claimed event * fix(projections): add members * refactor: simplify member projections * add migration for members * add metadata to member projections * refactor: login name projection * fix: set correct suffixes on login name projections * test(projections): login name reduces * fix: correct cols in reduce member * test(projections): org, iam, project members * member additional cols and conds as opt, add project grant members * fix(migration): members * fix(migration): correct database name * migration version * migs * better naming for member cond and col * split project and project grant members * prepare member columns * feat(queries): membership query * test(queries): membership prepare * fix(queries): multiple projections for latest sequence * fix(api): use query for membership queries in auth and management * feat: org member queries * fix(api): use query for iam member calls * fix(queries): org members * fix(queries): project members * fix(queries): project grant members * refactor: remove unsued methods in repo-interfaces * start * fix(query): membership * fix(auth): list my project orgs * fix(query): member queries and user avatar column * refactor(auth): MyProjectOrgs * fix(queries): member and membership stmts * fix user test * fix(management): use query for project (-grant) members * fix(admin): use query for member calls * fix(api): add domain to org mapping * remove old idp * membership * refactor: remove old files * idp * refactor: use query for idps and idp user links * refactor(eventstore): rename EventPusher to Command, EventReader to Event, PushEvents to Push and FilterEvents to Filter * gloabl org check for org roles Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-12 04:57:33 +00:00 · 2022-01-13 08:58:14 +01:00
parent 3d14653a08
commit b8bec25129
63 changed files with 307 additions and 4926 deletions
--- a/internal/api/grpc/admin/idp.go
+++ b/internal/api/grpc/admin/idp.go
@@ -6,6 +6,7 @@ import (
 	idp_grpc "github.com/caos/zitadel/internal/api/grpc/idp"
 	object_pb "github.com/caos/zitadel/internal/api/grpc/object"
 	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/query"
 	admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
 )

@@ -22,7 +23,7 @@ func (s *Server) ListIDPs(ctx context.Context, req *admin_pb.ListIDPsRequest) (*
 	if err != nil {
 		return nil, err
 	}
-	resp, err := s.query.SearchIDPs(ctx, domain.IAMID, queries)
+	resp, err := s.query.IDPs(ctx, queries)
 	if err != nil {
 		return nil, err
 	}
@@ -93,15 +94,29 @@ func (s *Server) ReactivateIDP(ctx context.Context, req *admin_pb.ReactivateIDPR
 }

 func (s *Server) RemoveIDP(ctx context.Context, req *admin_pb.RemoveIDPRequest) (*admin_pb.RemoveIDPResponse, error) {
-	idpProviders, err := s.iam.IDPProvidersByIDPConfigID(ctx, req.IdpId)
+	providerQuery, err := query.NewIDPIDSearchQuery(req.IdpId)
 	if err != nil {
 		return nil, err
 	}
-	externalIDPs, err := s.iam.ExternalIDPsByIDPConfigID(ctx, req.IdpId)
+	idps, err := s.query.IDPs(ctx, &query.IDPSearchQueries{
+		Queries: []query.SearchQuery{providerQuery},
+	})
 	if err != nil {
 		return nil, err
 	}
-	objectDetails, err := s.command.RemoveDefaultIDPConfig(ctx, req.IdpId, idpProviderViewsToDomain(idpProviders), externalIDPViewsToDomain(externalIDPs)...)
+
+	idpQuery, err := query.NewIDPUserLinkIDPIDSearchQuery(req.IdpId)
+	if err != nil {
+		return nil, err
+	}
+	userLinks, err := s.query.IDPUserLinks(ctx, &query.IDPUserLinksSearchQuery{
+		Queries: []query.SearchQuery{idpQuery},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	objectDetails, err := s.command.RemoveDefaultIDPConfig(ctx, req.IdpId, idpsToDomain(idps.IDPs), idpUserLinksToDomain(userLinks.Links)...)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/admin/idp_converter.go
+++ b/internal/api/grpc/admin/idp_converter.go
@@ -6,9 +6,7 @@ import (
 	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore/v1/models"
-	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/query"
-	user_model "github.com/caos/zitadel/internal/user/model"
 	admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
 )

@@ -89,6 +87,11 @@ func listIDPsToModel(req *admin_pb.ListIDPsRequest) (*query.IDPSearchQueries, er
 	if err != nil {
 		return nil, err
 	}
+	iamQuery, err := query.NewIDPResourceOwnerSearchQuery(domain.IAMID)
+	if err != nil {
+		return nil, err
+	}
+	queries = append(queries, iamQuery)
 	return &query.IDPSearchQueries{
 		SearchRequest: query.SearchRequest{
 			Offset:        offset,
@@ -123,30 +126,21 @@ func idpQueryToModel(idpQuery *admin_pb.IDPQuery) (query.SearchQuery, error) {
 	}
 }

-func idpProviderViewsToDomain(idps []*iam_model.IDPProviderView) []*domain.IDPProvider {
+func idpsToDomain(idps []*query.IDP) []*domain.IDPProvider {
 	idpProvider := make([]*domain.IDPProvider, len(idps))
 	for i, idp := range idps {
 		idpProvider[i] = &domain.IDPProvider{
 			ObjectRoot: models.ObjectRoot{
-				AggregateID: idp.AggregateID,
+				AggregateID: idp.ResourceOwner,
 			},
-			IDPConfigID: idp.IDPConfigID,
-			Type:        idpConfigTypeToDomain(idp.IDPProviderType),
+			IDPConfigID: idp.ID,
+			Type:        idp.OwnerType,
 		}
 	}
 	return idpProvider
 }

-func idpConfigTypeToDomain(idpType iam_model.IDPProviderType) domain.IdentityProviderType {
-	switch idpType {
-	case iam_model.IDPProviderTypeOrg:
-		return domain.IdentityProviderTypeOrg
-	default:
-		return domain.IdentityProviderTypeSystem
-	}
-}
-
-func externalIDPViewsToDomain(idps []*user_model.ExternalIDPView) []*domain.UserIDPLink {
+func idpUserLinksToDomain(idps []*query.IDPUserLink) []*domain.UserIDPLink {
 	externalIDPs := make([]*domain.UserIDPLink, len(idps))
 	for i, idp := range idps {
 		externalIDPs[i] = &domain.UserIDPLink{
@@ -154,9 +148,9 @@ func externalIDPViewsToDomain(idps []*user_model.ExternalIDPView) []*domain.User
 				AggregateID:   idp.UserID,
 				ResourceOwner: idp.ResourceOwner,
 			},
-			IDPConfigID:    idp.IDPConfigID,
-			ExternalUserID: idp.ExternalUserID,
-			DisplayName:    idp.UserDisplayName,
+			IDPConfigID:    idp.IDPID,
+			ExternalUserID: idp.ProvidedUserID,
+			DisplayName:    idp.ProvidedUsername,
 		}
 	}
 	return externalIDPs
--- a/internal/api/grpc/admin/login_policy.go
+++ b/internal/api/grpc/admin/login_policy.go
@@ -4,6 +4,7 @@ import (
 	"context"

 	"github.com/caos/zitadel/internal/api/grpc/user"
+	"github.com/caos/zitadel/internal/query"

 	"github.com/caos/zitadel/internal/api/grpc/idp"
 	"github.com/caos/zitadel/internal/api/grpc/object"
@@ -60,11 +61,12 @@ func (s *Server) AddIDPToLoginPolicy(ctx context.Context, req *admin_pb.AddIDPTo
 }

 func (s *Server) RemoveIDPFromLoginPolicy(ctx context.Context, req *admin_pb.RemoveIDPFromLoginPolicyRequest) (*admin_pb.RemoveIDPFromLoginPolicyResponse, error) {
-	externalIDPs, err := s.iam.ExternalIDPsByIDPConfigID(ctx, req.IdpId)
-	if err != nil {
-		return nil, err
-	}
-	objectDetails, err := s.command.RemoveIDPProviderFromDefaultLoginPolicy(ctx, &domain.IDPProvider{IDPConfigID: req.IdpId}, user.ExternalIDPViewsToExternalIDPs(externalIDPs)...)
+	idpQuery, err := query.NewIDPUserLinkIDPIDSearchQuery(req.IdpId)
+	idps, err := s.query.IDPUserLinks(ctx, &query.IDPUserLinksSearchQuery{
+		Queries: []query.SearchQuery{idpQuery},
+	})
+
+	objectDetails, err := s.command.RemoveIDPProviderFromDefaultLoginPolicy(ctx, &domain.IDPProvider{IDPConfigID: req.IdpId}, user.ExternalIDPViewsToExternalIDPs(idps.Links)...)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/auth/user.go
+++ b/internal/api/grpc/auth/user.go
@@ -2,7 +2,6 @@ package auth

 import (
 	"context"
-	"time"

 	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/api/grpc/change"
@@ -12,7 +11,7 @@ import (
 	user_grpc "github.com/caos/zitadel/internal/api/grpc/user"
 	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/eventstore/v1/models"
-	user_model "github.com/caos/zitadel/internal/user/model"
+	"github.com/caos/zitadel/internal/query"
 	grant_model "github.com/caos/zitadel/internal/usergrant/model"
 	auth_pb "github.com/caos/zitadel/pkg/grpc/auth"
 )
@@ -31,11 +30,18 @@ func (s *Server) RemoveMyUser(ctx context.Context, _ *auth_pb.RemoveMyUserReques
 	if err != nil {
 		return nil, err
 	}
-	membersShips, err := s.repo.SearchMyUserMemberships(ctx, &user_model.UserMembershipSearchRequest{Queries: []*user_model.UserMembershipSearchQuery{}})
+
+	userQuery, err := query.NewMembershipUserIDQuery(authz.GetCtxData(ctx).UserID)
 	if err != nil {
 		return nil, err
 	}
-	details, err := s.command.RemoveUser(ctx, ctxData.UserID, ctxData.ResourceOwner, UserMembershipViewsToDomain(membersShips.Result), userGrantsToIDs(grants.Result)...)
+	memberships, err := s.query.Memberships(ctx, &query.MembershipSearchQuery{
+		Queries: []query.SearchQuery{userQuery},
+	})
+	if err != nil {
+		return nil, err
+	}
+	details, err := s.command.RemoveUser(ctx, ctxData.UserID, ctxData.ResourceOwner, memberships.Memberships, userGrantsToIDs(grants.Result)...)
 	if err != nil {
 		return nil, err
 	}
@@ -129,68 +135,141 @@ func (s *Server) ListMyUserGrants(ctx context.Context, req *auth_pb.ListMyUserGr
 }

 func (s *Server) ListMyProjectOrgs(ctx context.Context, req *auth_pb.ListMyProjectOrgsRequest) (*auth_pb.ListMyProjectOrgsResponse, error) {
-	r, err := ListMyProjectOrgsRequestToModel(req)
+	queries, err := ListMyProjectOrgsRequestToQuery(req)
 	if err != nil {
 		return nil, err
 	}
-	res, err := s.repo.SearchMyProjectOrgs(ctx, r)
+
+	iam, err := s.query.IAMByID(ctx, domain.IAMID)
+	if err != nil {
+		return nil, err
+	}
+	ctxData := authz.GetCtxData(ctx)
+
+	//client of user is not in project of ZITADEL
+	if ctxData.ProjectID != iam.IAMProjectID {
+		grants, err := s.repo.UserGrantsByProjectAndUserID(ctxData.ProjectID, ctxData.UserID)
+		if err != nil {
+			return nil, err
+		}
+
+		ids := make([]string, 0, len(grants))
+		for _, grant := range grants {
+			ids = appendIfNotExists(ids, grant.ResourceOwner)
+		}
+
+		idsQuery, err := query.NewOrgIDsSearchQuery(ids...)
+		if err != nil {
+			return nil, err
+		}
+		queries.Queries = append(queries.Queries, idsQuery)
+	} else {
+		memberships, err := s.myOrgsQuery(ctx, ctxData)
+		if err != nil {
+			return nil, err
+		}
+
+		if !isIAMAdmin(memberships.Memberships) {
+			ids := make([]string, 0, len(memberships.Memberships))
+			for _, grant := range memberships.Memberships {
+				ids = appendIfNotExists(ids, grant.ResourceOwner)
+			}
+
+			idsQuery, err := query.NewOrgIDsSearchQuery(ids...)
+			if err != nil {
+				return nil, err
+			}
+			queries.Queries = append(queries.Queries, idsQuery)
+		}
+	}
+
+	orgs, err := s.query.SearchOrgs(ctx, queries)
 	if err != nil {
 		return nil, err
 	}
 	return &auth_pb.ListMyProjectOrgsResponse{
-		//TODO: not all details
-		Details: obj_grpc.ToListDetails(res.TotalResult, 0, time.Time{}),
-		Result:  org.OrgsToPb(res.Result),
+		Details: obj_grpc.ToListDetails(orgs.Count, orgs.Sequence, orgs.Timestamp),
+		Result:  org.OrgsToPb(orgs.Orgs),
 	}, nil
 }

-func ListMyProjectOrgsRequestToModel(req *auth_pb.ListMyProjectOrgsRequest) (*grant_model.UserGrantSearchRequest, error) {
-	offset, limit, asc := obj_grpc.ListQueryToModel(req.Query)
-	queries, err := org.OrgQueriesToUserGrantModel(req.Queries)
+func (s *Server) myOrgsQuery(ctx context.Context, ctxData authz.CtxData) (*query.Memberships, error) {
+	userQuery, err := query.NewMembershipUserIDQuery(ctxData.UserID)
 	if err != nil {
 		return nil, err
 	}
-	return &grant_model.UserGrantSearchRequest{
-		Offset:  offset,
-		Limit:   limit,
-		Asc:     asc,
+	return s.query.Memberships(ctx, &query.MembershipSearchQuery{
+		Queries: []query.SearchQuery{userQuery},
+	})
+}
+
+func isIAMAdmin(memberships []*query.Membership) bool {
+	for _, m := range memberships {
+		if m.IAM != nil {
+			return true
+		}
+	}
+	return false
+}
+
+func appendIfNotExists(array []string, value string) []string {
+	for _, a := range array {
+		if a == value {
+			return array
+		}
+	}
+	return append(array, value)
+}
+
+func ListMyProjectOrgsRequestToQuery(req *auth_pb.ListMyProjectOrgsRequest) (*query.OrgSearchQueries, error) {
+	offset, limit, asc := obj_grpc.ListQueryToModel(req.Query)
+	queries, err := org.OrgQueriesToQuery(req.Queries)
+	if err != nil {
+		return nil, err
+	}
+	return &query.OrgSearchQueries{
+		SearchRequest: query.SearchRequest{
+			Offset: offset,
+			Limit:  limit,
+			Asc:    asc,
+		},
 		Queries: queries,
 	}, nil
 }

-func UserMembershipViewsToDomain(memberships []*user_model.UserMembershipView) []*domain.UserMembership {
+func membershipToDomain(memberships []*query.Membership) []*domain.UserMembership {
 	result := make([]*domain.UserMembership, len(memberships))
 	for i, membership := range memberships {
+		typ, displayName, aggID, objID := MemberTypeToDomain(membership)
 		result[i] = &domain.UserMembership{
-			UserID:            membership.UserID,
-			MemberType:        MemberTypeToDomain(membership.MemberType),
-			AggregateID:       membership.AggregateID,
-			ObjectID:          membership.ObjectID,
-			Roles:             membership.Roles,
-			DisplayName:       membership.DisplayName,
-			CreationDate:      membership.CreationDate,
-			ChangeDate:        membership.ChangeDate,
-			ResourceOwner:     membership.ResourceOwner,
-			ResourceOwnerName: membership.ResourceOwnerName,
-			Sequence:          membership.Sequence,
+			UserID:        membership.UserID,
+			MemberType:    typ,
+			AggregateID:   aggID,
+			ObjectID:      objID,
+			Roles:         membership.Roles,
+			DisplayName:   displayName,
+			CreationDate:  membership.CreationDate,
+			ChangeDate:    membership.ChangeDate,
+			ResourceOwner: membership.ResourceOwner,
+			//TODO: implement
+			// ResourceOwnerName: membership.ResourceOwnerName,
+			Sequence: membership.Sequence,
 		}
 	}
 	return result
 }

-func MemberTypeToDomain(mType user_model.MemberType) domain.MemberType {
-	switch mType {
-	case user_model.MemberTypeIam:
-		return domain.MemberTypeIam
-	case user_model.MemberTypeOrganisation:
-		return domain.MemberTypeOrganisation
-	case user_model.MemberTypeProject:
-		return domain.MemberTypeProject
-	case user_model.MemberTypeProjectGrant:
-		return domain.MemberTypeProjectGrant
-	default:
-		return domain.MemberTypeUnspecified
+func MemberTypeToDomain(m *query.Membership) (_ domain.MemberType, displayName, aggID, objID string) {
+	if m.Org != nil {
+		return domain.MemberTypeOrganisation, m.Org.Name, m.Org.OrgID, ""
+	} else if m.IAM != nil {
+		return domain.MemberTypeIam, m.IAM.Name, m.IAM.IAMID, ""
+	} else if m.Project != nil {
+		return domain.MemberTypeProject, m.Project.Name, m.Project.ProjectID, ""
+	} else if m.ProjectGrant != nil {
+		return domain.MemberTypeProjectGrant, m.ProjectGrant.ProjectName, m.ProjectGrant.ProjectID, m.ProjectGrant.GrantID
 	}
+	return domain.MemberTypeUnspecified, "", "", ""
 }

 func userGrantsToIDs(userGrants []*grant_model.UserGrantView) []string {
--- a/internal/api/grpc/management/iam.go
+++ b/internal/api/grpc/management/iam.go
@@ -7,7 +7,7 @@ import (
 )

 func (s *Server) GetIAM(ctx context.Context, req *mgmt_pb.GetIAMRequest) (*mgmt_pb.GetIAMResponse, error) {
-	iam, err := s.project.GetIAMByID(ctx)
+	iam, err := s.query.IAMByID(ctx, s.systemDefaults.IamID)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/idp.go
+++ b/internal/api/grpc/management/idp.go
@@ -6,6 +6,7 @@ import (
 	"github.com/caos/zitadel/internal/api/authz"
 	idp_grpc "github.com/caos/zitadel/internal/api/grpc/idp"
 	object_pb "github.com/caos/zitadel/internal/api/grpc/object"
+	"github.com/caos/zitadel/internal/query"
 	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
 )

@@ -18,11 +19,11 @@ func (s *Server) GetOrgIDPByID(ctx context.Context, req *mgmt_pb.GetOrgIDPByIDRe
 }

 func (s *Server) ListOrgIDPs(ctx context.Context, req *mgmt_pb.ListOrgIDPsRequest) (*mgmt_pb.ListOrgIDPsResponse, error) {
-	queries, err := listIDPsToModel(req)
+	queries, err := listIDPsToModel(ctx, req)
 	if err != nil {
 		return nil, err
 	}
-	resp, err := s.query.SearchIDPs(ctx, authz.GetCtxData(ctx).OrgID, queries)
+	resp, err := s.query.IDPs(ctx, queries)
 	if err != nil {
 		return nil, err
 	}
@@ -83,11 +84,17 @@ func (s *Server) RemoveOrgIDP(ctx context.Context, req *mgmt_pb.RemoveOrgIDPRequ
 	if err != nil {
 		return nil, err
 	}
-	externalIDPs, err := s.user.ExternalIDPsByIDPConfigID(ctx, req.IdpId)
+	idpQuery, err := query.NewIDPUserLinkIDPIDSearchQuery(req.IdpId)
 	if err != nil {
 		return nil, err
 	}
-	_, err = s.command.RemoveIDPConfig(ctx, req.IdpId, authz.GetCtxData(ctx).OrgID, idp != nil, externalIDPViewsToDomain(externalIDPs)...)
+	userLinks, err := s.query.IDPUserLinks(ctx, &query.IDPUserLinksSearchQuery{
+		Queries: []query.SearchQuery{idpQuery},
+	})
+	if err != nil {
+		return nil, err
+	}
+	_, err = s.command.RemoveIDPConfig(ctx, req.IdpId, authz.GetCtxData(ctx).OrgID, idp != nil, userLinksToDomain(userLinks.Links)...)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/idp_converter.go
+++ b/internal/api/grpc/management/idp_converter.go
@@ -1,6 +1,9 @@
 package management

 import (
+	"context"
+
+	"github.com/caos/zitadel/internal/api/authz"
 	idp_grpc "github.com/caos/zitadel/internal/api/grpc/idp"
 	"github.com/caos/zitadel/internal/api/grpc/object"
 	"github.com/caos/zitadel/internal/domain"
@@ -8,7 +11,6 @@ import (
 	"github.com/caos/zitadel/internal/eventstore/v1/models"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/query"
-	user_model "github.com/caos/zitadel/internal/user/model"
 	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
 )

@@ -83,12 +85,21 @@ func updateJWTConfigToDomain(req *mgmt_pb.UpdateOrgIDPJWTConfigRequest) *domain.
 	}
 }

-func listIDPsToModel(req *mgmt_pb.ListOrgIDPsRequest) (queries *query.IDPSearchQueries, err error) {
+func listIDPsToModel(ctx context.Context, req *mgmt_pb.ListOrgIDPsRequest) (queries *query.IDPSearchQueries, err error) {
 	offset, limit, asc := object.ListQueryToModel(req.Query)
 	q, err := idpQueriesToModel(req.Queries)
 	if err != nil {
 		return nil, err
 	}
+	iamQuery, err := query.NewIDPIDSearchQuery(domain.IAMID)
+	if err != nil {
+		return nil, err
+	}
+	resourceOwnerQuery, err := query.NewIDPResourceOwnerSearchQuery(authz.GetCtxData(ctx).OrgID)
+	if err != nil {
+		return nil, err
+	}
+	q = append(q, resourceOwnerQuery, iamQuery)
 	return &query.IDPSearchQueries{
 		SearchRequest: query.SearchRequest{
 			Offset:        offset,
@@ -148,18 +159,18 @@ func idpConfigTypeToDomain(idpType iam_model.IDPProviderType) domain.IdentityPro
 	}
 }

-func externalIDPViewsToDomain(idps []*user_model.ExternalIDPView) []*domain.UserIDPLink {
-	externalIDPs := make([]*domain.UserIDPLink, len(idps))
+func userLinksToDomain(idps []*query.IDPUserLink) []*domain.UserIDPLink {
+	links := make([]*domain.UserIDPLink, len(idps))
 	for i, idp := range idps {
-		externalIDPs[i] = &domain.UserIDPLink{
+		links[i] = &domain.UserIDPLink{
 			ObjectRoot: models.ObjectRoot{
 				AggregateID:   idp.UserID,
 				ResourceOwner: idp.ResourceOwner,
 			},
-			IDPConfigID:    idp.IDPConfigID,
-			ExternalUserID: idp.ExternalUserID,
-			DisplayName:    idp.UserDisplayName,
+			IDPConfigID:    idp.IDPID,
+			ExternalUserID: idp.ProvidedUserID,
+			DisplayName:    idp.ProvidedUsername,
 		}
 	}
-	return externalIDPs
+	return links
 }
--- a/internal/api/grpc/management/org.go
+++ b/internal/api/grpc/management/org.go
@@ -208,7 +208,11 @@ func (s *Server) SetPrimaryOrgDomain(ctx context.Context, req *mgmt_pb.SetPrimar
 }

 func (s *Server) ListOrgMemberRoles(ctx context.Context, req *mgmt_pb.ListOrgMemberRolesRequest) (*mgmt_pb.ListOrgMemberRolesResponse, error) {
-	roles := s.org.GetOrgMemberRoles()
+	iam, err := s.iam.IAMByID(ctx, domain.IAMID)
+	if err != nil {
+		return nil, err
+	}
+	roles := s.org.GetOrgMemberRoles(authz.GetCtxData(ctx).OrgID == iam.GlobalOrgID)
 	return &mgmt_pb.ListOrgMemberRolesResponse{
 		Result: roles,
 	}, nil
--- a/internal/api/grpc/management/policy_login.go
+++ b/internal/api/grpc/management/policy_login.go
@@ -9,6 +9,7 @@ import (
 	policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy"
 	"github.com/caos/zitadel/internal/api/grpc/user"
 	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/query"

 	mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
 )
@@ -93,11 +94,17 @@ func (s *Server) AddIDPToLoginPolicy(ctx context.Context, req *mgmt_pb.AddIDPToL
 }

 func (s *Server) RemoveIDPFromLoginPolicy(ctx context.Context, req *mgmt_pb.RemoveIDPFromLoginPolicyRequest) (*mgmt_pb.RemoveIDPFromLoginPolicyResponse, error) {
-	externalIDPs, err := s.user.ExternalIDPsByIDPConfigID(ctx, req.IdpId)
+	idpQuery, err := query.NewIDPUserLinkIDPIDSearchQuery(req.IdpId)
 	if err != nil {
 		return nil, err
 	}
-	objectDetails, err := s.command.RemoveIDPProviderFromLoginPolicy(ctx, authz.GetCtxData(ctx).OrgID, &domain.IDPProvider{IDPConfigID: req.IdpId}, user.ExternalIDPViewsToExternalIDPs(externalIDPs)...)
+	userLinks, err := s.query.IDPUserLinks(ctx, &query.IDPUserLinksSearchQuery{
+		Queries: []query.SearchQuery{idpQuery},
+	})
+	if err != nil {
+		return nil, err
+	}
+	objectDetails, err := s.command.RemoveIDPProviderFromLoginPolicy(ctx, authz.GetCtxData(ctx).OrgID, &domain.IDPProvider{IDPConfigID: req.IdpId}, user.ExternalIDPViewsToExternalIDPs(userLinks.Links)...)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/user.go
+++ b/internal/api/grpc/management/user.go
@@ -261,11 +261,17 @@ func (s *Server) RemoveUser(ctx context.Context, req *mgmt_pb.RemoveUserRequest)
 	if err != nil {
 		return nil, err
 	}
-	membersShips, err := s.user.UserMembershipsByUserID(ctx, req.Id)
+	userQuery, err := query.NewMembershipUserIDQuery(req.Id)
 	if err != nil {
 		return nil, err
 	}
-	objectDetails, err := s.command.RemoveUser(ctx, req.Id, authz.GetCtxData(ctx).OrgID, UserMembershipViewsToDomain(membersShips), userGrantsToIDs(grants)...)
+	memberships, err := s.query.Memberships(ctx, &query.MembershipSearchQuery{
+		Queries: []query.SearchQuery{userQuery},
+	})
+	if err != nil {
+		return nil, err
+	}
+	objectDetails, err := s.command.RemoveUser(ctx, req.Id, authz.GetCtxData(ctx).OrgID, memberships.Memberships, userGrantsToIDs(grants)...)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/org/converter.go
+++ b/internal/api/grpc/org/converter.go
@@ -5,7 +5,6 @@ import (
 	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/query"
-	grant_model "github.com/caos/zitadel/internal/usergrant/model"
 	org_pb "github.com/caos/zitadel/pkg/grpc/org"
 )

@@ -31,10 +30,10 @@ func OrgQueryToModel(apiQuery *org_pb.OrgQuery) (query.SearchQuery, error) {
 	}
 }

-func OrgQueriesToUserGrantModel(queries []*org_pb.OrgQuery) (_ []*grant_model.UserGrantSearchQuery, err error) {
-	q := make([]*grant_model.UserGrantSearchQuery, len(queries))
+func OrgQueriesToQuery(queries []*org_pb.OrgQuery) (_ []query.SearchQuery, err error) {
+	q := make([]query.SearchQuery, len(queries))
 	for i, query := range queries {
-		q[i], err = OrgQueryToUserGrantQueryModel(query)
+		q[i], err = OrgQueryToQuery(query)
 		if err != nil {
 			return nil, err
 		}
@@ -42,20 +41,12 @@ func OrgQueriesToUserGrantModel(queries []*org_pb.OrgQuery) (_ []*grant_model.Us
 	return q, nil
 }

-func OrgQueryToUserGrantQueryModel(query *org_pb.OrgQuery) (*grant_model.UserGrantSearchQuery, error) {
-	switch q := query.Query.(type) {
+func OrgQueryToQuery(search *org_pb.OrgQuery) (query.SearchQuery, error) {
+	switch q := search.Query.(type) {
 	case *org_pb.OrgQuery_DomainQuery:
-		return &grant_model.UserGrantSearchQuery{
-			Key:    grant_model.UserGrantSearchKeyOrgDomain,
-			Method: object.TextMethodToModel(q.DomainQuery.Method),
-			Value:  q.DomainQuery.Domain,
-		}, nil
+		return query.NewOrgDomainSearchQuery(object.TextMethodToQuery(q.DomainQuery.Method), q.DomainQuery.Domain)
 	case *org_pb.OrgQuery_NameQuery:
-		return &grant_model.UserGrantSearchQuery{
-			Key:    grant_model.UserGrantSearchKeyOrgName,
-			Method: object.TextMethodToModel(q.NameQuery.Method),
-			Value:  q.NameQuery.Name,
-		}, nil
+		return query.NewOrgNameSearchQuery(object.TextMethodToQuery(q.NameQuery.Method), q.NameQuery.Name)
 	default:
 		return nil, errors.ThrowInvalidArgument(nil, "ADMIN-ADvsd", "List.Query.Invalid")
 	}
@@ -71,9 +62,10 @@ func OrgViewsToPb(orgs []*query.Org) []*org_pb.Org {

 func OrgViewToPb(org *query.Org) *org_pb.Org {
 	return &org_pb.Org{
-		Id:    org.ID,
-		State: OrgStateToPb(org.State),
-		Name:  org.Name,
+		Id:            org.ID,
+		State:         OrgStateToPb(org.State),
+		Name:          org.Name,
+		PrimaryDomain: org.Domain,
 		Details: object.ToViewDetailsPb(
 			org.Sequence,
 			org.CreationDate,
@@ -83,7 +75,7 @@ func OrgViewToPb(org *query.Org) *org_pb.Org {
 	}
 }

-func OrgsToPb(orgs []*grant_model.Org) []*org_pb.Org {
+func OrgsToPb(orgs []*query.Org) []*org_pb.Org {
 	o := make([]*org_pb.Org, len(orgs))
 	for i, org := range orgs {
 		o[i] = OrgToPb(org)
@@ -91,17 +83,13 @@ func OrgsToPb(orgs []*grant_model.Org) []*org_pb.Org {
 	return o
 }

-func OrgToPb(org *grant_model.Org) *org_pb.Org {
+func OrgToPb(org *query.Org) *org_pb.Org {
 	return &org_pb.Org{
-		Id:   org.OrgID,
-		Name: org.OrgName,
-		// State: OrgStateToPb(org.State), //TODO: not provided
-		// Details: object.ChangeToDetailsPb(//TODO: not provided
-		// 	org.Sequence,//TODO: not provided
-		// 	org.CreationDate,//TODO: not provided
-		// 	org.EventDate,//TODO: not provided
-		// 	org.ResourceOwner,//TODO: not provided
-		// ),//TODO: not provided
+		Id:            org.ID,
+		Name:          org.Name,
+		PrimaryDomain: org.Domain,
+		Details:       object.AddToDetailsPb(org.Sequence, org.CreationDate, org.ResourceOwner),
+		State:         OrgStateToPb(org.State),
 	}
 }

--- a/internal/api/grpc/user/converter.go
+++ b/internal/api/grpc/user/converter.go
@@ -4,6 +4,7 @@ import (
 	"github.com/caos/zitadel/internal/api/grpc/object"
 	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/eventstore/v1/models"
+	"github.com/caos/zitadel/internal/query"
 	"github.com/caos/zitadel/internal/user/model"
 	usr_grant_model "github.com/caos/zitadel/internal/usergrant/model"
 	user_pb "github.com/caos/zitadel/pkg/grpc/user"
@@ -233,7 +234,7 @@ func WebAuthNTokenToWebAuthNKeyPb(token *domain.WebAuthNToken) *user_pb.WebAuthN
 	}
 }

-func ExternalIDPViewsToExternalIDPs(externalIDPs []*model.ExternalIDPView) []*domain.UserIDPLink {
+func ExternalIDPViewsToExternalIDPs(externalIDPs []*query.IDPUserLink) []*domain.UserIDPLink {
 	idps := make([]*domain.UserIDPLink, len(externalIDPs))
 	for i, idp := range externalIDPs {
 		idps[i] = &domain.UserIDPLink{
@@ -241,9 +242,9 @@ func ExternalIDPViewsToExternalIDPs(externalIDPs []*model.ExternalIDPView) []*do
 				AggregateID:   idp.UserID,
 				ResourceOwner: idp.ResourceOwner,
 			},
-			IDPConfigID:    idp.IDPConfigID,
-			ExternalUserID: idp.ExternalUserID,
-			DisplayName:    idp.UserDisplayName,
+			IDPConfigID:    idp.IDPID,
+			ExternalUserID: idp.ProvidedUserID,
+			DisplayName:    idp.ProvidedUsername,
 		}
 	}
 	return idps