fix: use domain models for v2 eventstore (#1151)

* fix: use domain models for v2 eventstore

* fix: user domain model

* Update internal/api/grpc/admin/login_policy_converter.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: converter

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

cmd/zitadel/main.go

@@ -4,6 +4,8 @@ import (
 	"context"
 	"flag"
 	metrics "github.com/caos/zitadel/internal/telemetry/metrics/config"
+	"github.com/caos/zitadel/internal/v2/command"
+	"github.com/caos/zitadel/internal/v2/query"
 
 	"github.com/caos/logging"
 	admin_es "github.com/caos/zitadel/internal/admin/repository/eventsourcing"
@@ -93,6 +95,19 @@ func startZitadel(configPaths []string) {
 	logging.Log("MAIN-FaF2r").OnError(err).Fatal("cannot read config")
 
 	ctx := context.Background()
+	es, err := es_int.Start(conf.Admin.Eventstore)
+	if err != nil {
+		return
+	}
+	esV2 := es.V2()
+	command, err := command.StartCommandSide(&command.Config{Eventstore: esV2, SystemDefaults: conf.SystemDefaults})
+	if err != nil {
+		return
+	}
+	query, err := query.StartQuerySide(&query.Config{Eventstore: esV2, SystemDefaults: conf.SystemDefaults})
+	if err != nil {
+		return
+	}
 	authZRepo, err := authz.Start(ctx, conf.AuthZ, conf.InternalAuthZ, conf.SystemDefaults)
 	logging.Log("MAIN-s9KOw").OnError(err).Fatal("error starting authz repo")
 	var authRepo *auth_es.EsRepository
@@ -101,7 +116,7 @@ func startZitadel(configPaths []string) {
 		logging.Log("MAIN-9oRw6").OnError(err).Fatal("error starting auth repo")
 	}
 
-	startAPI(ctx, conf, authZRepo, authRepo)
+	startAPI(ctx, conf, authZRepo, authRepo, command, query)
 	startUI(ctx, conf, authRepo)
 
 	if *notificationEnabled {
@@ -126,23 +141,23 @@ func startUI(ctx context.Context, conf *Config, authRepo *auth_es.EsRepository)
 	uis.Start(ctx)
 }
 
-func startAPI(ctx context.Context, conf *Config, authZRepo *authz_repo.EsRepository, authRepo *auth_es.EsRepository) {
+func startAPI(ctx context.Context, conf *Config, authZRepo *authz_repo.EsRepository, authRepo *auth_es.EsRepository, command *command.CommandSide, query *query.QuerySide) {
 	roles := make([]string, len(conf.InternalAuthZ.RolePermissionMappings))
 	for i, role := range conf.InternalAuthZ.RolePermissionMappings {
 		roles[i] = role.Role
 	}
-	adminRepo, err := admin_es.Start(ctx, conf.Admin, conf.SystemDefaults, roles)
+	repo, err := admin_es.Start(ctx, conf.Admin, conf.SystemDefaults, roles)
 	logging.Log("API-D42tq").OnError(err).Fatal("error starting auth repo")
 
-	apis := api.Create(conf.API, conf.InternalAuthZ, authZRepo, authRepo, adminRepo, conf.SystemDefaults)
+	apis := api.Create(conf.API, conf.InternalAuthZ, authZRepo, authRepo, repo, conf.SystemDefaults)
 
 	if *adminEnabled {
-		apis.RegisterServer(ctx, admin.CreateServer(adminRepo))
+		apis.RegisterServer(ctx, admin.CreateServer(command, query, repo))
 	}
 	if *managementEnabled {
 		managementRepo, err := mgmt_es.Start(conf.Mgmt, conf.SystemDefaults, roles)
 		logging.Log("API-Gd2qq").OnError(err).Fatal("error starting management repo")
-		apis.RegisterServer(ctx, management.CreateServer(managementRepo, conf.SystemDefaults))
+		apis.RegisterServer(ctx, management.CreateServer(command, query, managementRepo, conf.SystemDefaults))
 	}
 	if *authEnabled {
 		apis.RegisterServer(ctx, auth.CreateServer(authRepo))

internal/admin/repository/eventsourcing/eventstore/iam.go

@@ -2,7 +2,6 @@ package eventstore
 
 import (
 	"context"
-	"github.com/caos/zitadel/internal/v2/query"
 	"strings"
 
 	caos_errs "github.com/caos/zitadel/internal/errors"
@@ -19,7 +18,6 @@ import (
 	"github.com/caos/zitadel/internal/telemetry/tracing"
 	usr_model "github.com/caos/zitadel/internal/user/model"
 	usr_es "github.com/caos/zitadel/internal/user/repository/eventsourcing"
-	"github.com/caos/zitadel/internal/v2/command"
 )
 
 type IAMRepository struct {
@@ -30,9 +28,6 @@ type IAMRepository struct {
 	View           *admin_view.View
 	SystemDefaults systemdefaults.SystemDefaults
 	Roles          []string
-
-	IAMV2Command *command.CommandSide
-	IAMV2Query   *query.QuerySide
 }
 
 func (repo *IAMRepository) IAMMemberByID(ctx context.Context, iamID, userID string) (*iam_model.IAMMemberView, error) {
@@ -43,30 +38,6 @@ func (repo *IAMRepository) IAMMemberByID(ctx context.Context, iamID, userID stri
 	return iam_es_model.IAMMemberToModel(member), nil
 }
 
-func (repo *IAMRepository) AddIAMMember(ctx context.Context, member *iam_model.IAMMember) (*iam_model.IAMMember, error) {
-	member.AggregateID = repo.SystemDefaults.IamID
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.AddIAMMember(ctx, member)
-	}
-	return repo.IAMEventstore.AddIAMMember(ctx, member)
-}
-
-func (repo *IAMRepository) ChangeIAMMember(ctx context.Context, member *iam_model.IAMMember) (*iam_model.IAMMember, error) {
-	member.AggregateID = repo.SystemDefaults.IamID
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.ChangeIAMMember(ctx, member)
-	}
-	return repo.IAMEventstore.ChangeIAMMember(ctx, member)
-}
-
-func (repo *IAMRepository) RemoveIAMMember(ctx context.Context, userID string) error {
-	member := iam_model.NewIAMMember(repo.SystemDefaults.IamID, userID)
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.RemoveIAMMember(ctx, member)
-	}
-	return repo.IAMEventstore.RemoveIAMMember(ctx, member)
-}
-
 func (repo *IAMRepository) SearchIAMMembers(ctx context.Context, request *iam_model.IAMMemberSearchRequest) (*iam_model.IAMMemberSearchResponse, error) {
 	request.EnsureLimit(repo.SearchLimit)
 	sequence, err := repo.View.GetLatestIAMMemberSequence("")
@@ -98,48 +69,6 @@ func (repo *IAMRepository) GetIAMMemberRoles() []string {
 	return roles
 }
 
-func (repo *IAMRepository) IDPConfigByID(ctx context.Context, idpConfigID string) (*iam_model.IDPConfigView, error) {
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Query.DefaultIDPConfigByID(ctx, repo.SystemDefaults.IamID, idpConfigID)
-	}
-
-	idp, err := repo.View.IDPConfigByID(idpConfigID)
-	if err != nil {
-		return nil, err
-	}
-	return iam_es_model.IDPConfigViewToModel(idp), nil
-}
-
-func (repo *IAMRepository) AddOIDCIDPConfig(ctx context.Context, idp *iam_model.IDPConfig) (*iam_model.IDPConfig, error) {
-	idp.AggregateID = repo.SystemDefaults.IamID
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.AddDefaultIDPConfig(ctx, idp)
-	}
-	return repo.IAMEventstore.AddIDPConfig(ctx, idp)
-}
-
-func (repo *IAMRepository) ChangeIDPConfig(ctx context.Context, idp *iam_model.IDPConfig) (*iam_model.IDPConfig, error) {
-	idp.AggregateID = repo.SystemDefaults.IamID
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.ChangeDefaultIDPConfig(ctx, idp)
-	}
-	return repo.IAMEventstore.ChangeIDPConfig(ctx, idp)
-}
-
-func (repo *IAMRepository) DeactivateIDPConfig(ctx context.Context, idpConfigID string) (*iam_model.IDPConfig, error) {
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.DeactivateDefaultIDPConfig(ctx, repo.SystemDefaults.IamID, idpConfigID)
-	}
-	return repo.IAMEventstore.DeactivateIDPConfig(ctx, repo.SystemDefaults.IamID, idpConfigID)
-}
-
-func (repo *IAMRepository) ReactivateIDPConfig(ctx context.Context, idpConfigID string) (*iam_model.IDPConfig, error) {
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.ReactivateDefaultIDPConfig(ctx, repo.SystemDefaults.IamID, idpConfigID)
-	}
-	return repo.IAMEventstore.ReactivateIDPConfig(ctx, repo.SystemDefaults.IamID, idpConfigID)
-}
-
 func (repo *IAMRepository) RemoveIDPConfig(ctx context.Context, idpConfigID string) error {
 	// if repo.IAMV2Command != nil {
 	// 	return repo.IAMV2Command.
@@ -184,14 +113,6 @@ func (repo *IAMRepository) RemoveIDPConfig(ctx context.Context, idpConfigID stri
 	return es_sdk.PushAggregates(ctx, repo.Eventstore.PushAggregates, nil, aggregates...)
 }
 
-func (repo *IAMRepository) ChangeOidcIDPConfig(ctx context.Context, oidcConfig *iam_model.OIDCIDPConfig) (*iam_model.OIDCIDPConfig, error) {
-	oidcConfig.AggregateID = repo.SystemDefaults.IamID
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.ChangeDefaultIDPOIDCConfig(ctx, oidcConfig)
-	}
-	return repo.IAMEventstore.ChangeIDPOIDCConfig(ctx, oidcConfig)
-}
-
 func (repo *IAMRepository) SearchIDPConfigs(ctx context.Context, request *iam_model.IDPConfigSearchRequest) (*iam_model.IDPConfigSearchResponse, error) {
 	request.EnsureLimit(repo.SearchLimit)
 	sequence, err := repo.View.GetLatestIDPConfigSequence("")
@@ -238,22 +159,6 @@ func (repo *IAMRepository) GetDefaultLabelPolicy(ctx context.Context) (*iam_mode
 	return iam_es_model.LabelPolicyViewToModel(policy), nil
 }
 
-func (repo *IAMRepository) AddDefaultLabelPolicy(ctx context.Context, policy *iam_model.LabelPolicy) (*iam_model.LabelPolicy, error) {
-	policy.AggregateID = repo.SystemDefaults.IamID
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.AddDefaultLabelPolicy(ctx, policy)
-	}
-	return repo.IAMEventstore.AddLabelPolicy(ctx, policy)
-}
-
-func (repo *IAMRepository) ChangeDefaultLabelPolicy(ctx context.Context, policy *iam_model.LabelPolicy) (*iam_model.LabelPolicy, error) {
-	policy.AggregateID = repo.SystemDefaults.IamID
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.ChangeDefaultLabelPolicy(ctx, policy)
-	}
-	return repo.IAMEventstore.ChangeLabelPolicy(ctx, policy)
-}
-
 func (repo *IAMRepository) GetDefaultLoginPolicy(ctx context.Context) (*iam_model.LoginPolicyView, error) {
 	policy, viewErr := repo.View.LoginPolicyByAggregateID(repo.SystemDefaults.IamID)
 	if viewErr != nil && !caos_errs.IsNotFound(viewErr) {
@@ -279,22 +184,6 @@ func (repo *IAMRepository) GetDefaultLoginPolicy(ctx context.Context) (*iam_mode
 	return iam_es_model.LoginPolicyViewToModel(policy), nil
 }
 
-func (repo *IAMRepository) AddDefaultLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*iam_model.LoginPolicy, error) {
-	policy.AggregateID = repo.SystemDefaults.IamID
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.AddDefaultLoginPolicy(ctx, policy)
-	}
-	return repo.IAMEventstore.AddLoginPolicy(ctx, policy)
-}
-
-func (repo *IAMRepository) ChangeDefaultLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*iam_model.LoginPolicy, error) {
-	policy.AggregateID = repo.SystemDefaults.IamID
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.ChangeDefaultLoginPolicy(ctx, policy)
-	}
-	return repo.IAMEventstore.ChangeLoginPolicy(ctx, policy)
-}
-
 func (repo *IAMRepository) SearchDefaultIDPProviders(ctx context.Context, request *iam_model.IDPProviderSearchRequest) (*iam_model.IDPProviderSearchResponse, error) {
 	request.EnsureLimit(repo.SearchLimit)
 	request.AppendAggregateIDQuery(repo.SystemDefaults.IamID)
@@ -317,14 +206,6 @@ func (repo *IAMRepository) SearchDefaultIDPProviders(ctx context.Context, reques
 	return result, nil
 }
 
-func (repo *IAMRepository) AddIDPProviderToLoginPolicy(ctx context.Context, provider *iam_model.IDPProvider) (*iam_model.IDPProvider, error) {
-	provider.AggregateID = repo.SystemDefaults.IamID
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.AddIDPProviderToDefaultLoginPolicy(ctx, provider)
-	}
-	return repo.IAMEventstore.AddIDPProviderToLoginPolicy(ctx, provider)
-}
-
 func (repo *IAMRepository) RemoveIDPProviderFromLoginPolicy(ctx context.Context, provider *iam_model.IDPProvider) error {
 	aggregates := make([]*es_models.Aggregate, 0)
 	provider.AggregateID = repo.SystemDefaults.IamID
@@ -361,20 +242,6 @@ func (repo *IAMRepository) SearchDefaultSecondFactors(ctx context.Context) (*iam
 	}, nil
 }
 
-func (repo *IAMRepository) AddSecondFactorToLoginPolicy(ctx context.Context, mfa iam_model.SecondFactorType) (iam_model.SecondFactorType, error) {
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.AddSecondFactorToDefaultLoginPolicy(ctx, repo.SystemDefaults.IamID, mfa)
-	}
-	return repo.IAMEventstore.AddSecondFactorToLoginPolicy(ctx, repo.SystemDefaults.IamID, mfa)
-}
-
-func (repo *IAMRepository) RemoveSecondFactorFromLoginPolicy(ctx context.Context, mfa iam_model.SecondFactorType) error {
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.RemoveSecondFactorFromDefaultLoginPolicy(ctx, repo.SystemDefaults.IamID, mfa)
-	}
-	return repo.IAMEventstore.RemoveSecondFactorFromLoginPolicy(ctx, repo.SystemDefaults.IamID, mfa)
-}
-
 func (repo *IAMRepository) SearchDefaultMultiFactors(ctx context.Context) (*iam_model.MultiFactorsSearchResponse, error) {
 	policy, err := repo.GetDefaultLoginPolicy(ctx)
 	if err != nil {
@@ -386,20 +253,6 @@ func (repo *IAMRepository) SearchDefaultMultiFactors(ctx context.Context) (*iam_
 	}, nil
 }
 
-func (repo *IAMRepository) AddMultiFactorToLoginPolicy(ctx context.Context, mfa iam_model.MultiFactorType) (iam_model.MultiFactorType, error) {
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.AddMultiFactorToDefaultLoginPolicy(ctx, repo.SystemDefaults.IamID, mfa)
-	}
-	return repo.IAMEventstore.AddMultiFactorToLoginPolicy(ctx, repo.SystemDefaults.IamID, mfa)
-}
-
-func (repo *IAMRepository) RemoveMultiFactorFromLoginPolicy(ctx context.Context, mfa iam_model.MultiFactorType) error {
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.RemoveMultiFactorFromDefaultLoginPolicy(ctx, repo.SystemDefaults.IamID, mfa)
-	}
-	return repo.IAMEventstore.RemoveMultiFactorFromLoginPolicy(ctx, repo.SystemDefaults.IamID, mfa)
-}
-
 func (repo *IAMRepository) GetDefaultPasswordComplexityPolicy(ctx context.Context) (*iam_model.PasswordComplexityPolicyView, error) {
 	policy, viewErr := repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
 	if viewErr != nil && !caos_errs.IsNotFound(viewErr) {
@@ -425,22 +278,6 @@ func (repo *IAMRepository) GetDefaultPasswordComplexityPolicy(ctx context.Contex
 	return iam_es_model.PasswordComplexityViewToModel(policy), nil
 }
 
-func (repo *IAMRepository) AddDefaultPasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error) {
-	policy.AggregateID = repo.SystemDefaults.IamID
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.AddDefaultPasswordComplexityPolicy(ctx, policy)
-	}
-	return repo.IAMEventstore.AddPasswordComplexityPolicy(ctx, policy)
-}
-
-func (repo *IAMRepository) ChangeDefaultPasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error) {
-	policy.AggregateID = repo.SystemDefaults.IamID
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.ChangeDefaultPasswordComplexityPolicy(ctx, policy)
-	}
-	return repo.IAMEventstore.ChangePasswordComplexityPolicy(ctx, policy)
-}
-
 func (repo *IAMRepository) GetDefaultPasswordAgePolicy(ctx context.Context) (*iam_model.PasswordAgePolicyView, error) {
 	policy, viewErr := repo.View.PasswordAgePolicyByAggregateID(repo.SystemDefaults.IamID)
 	if viewErr != nil && !caos_errs.IsNotFound(viewErr) {
@@ -466,22 +303,6 @@ func (repo *IAMRepository) GetDefaultPasswordAgePolicy(ctx context.Context) (*ia
 	return iam_es_model.PasswordAgeViewToModel(policy), nil
 }
 
-func (repo *IAMRepository) AddDefaultPasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error) {
-	policy.AggregateID = repo.SystemDefaults.IamID
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.AddDefaultPasswordAgePolicy(ctx, policy)
-	}
-	return repo.IAMEventstore.AddPasswordAgePolicy(ctx, policy)
-}
-
-func (repo *IAMRepository) ChangeDefaultPasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error) {
-	policy.AggregateID = repo.SystemDefaults.IamID
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.ChangeDefaultPasswordAgePolicy(ctx, policy)
-	}
-	return repo.IAMEventstore.ChangePasswordAgePolicy(ctx, policy)
-}
-
 func (repo *IAMRepository) GetDefaultPasswordLockoutPolicy(ctx context.Context) (*iam_model.PasswordLockoutPolicyView, error) {
 	policy, viewErr := repo.View.PasswordLockoutPolicyByAggregateID(repo.SystemDefaults.IamID)
 	if viewErr != nil && !caos_errs.IsNotFound(viewErr) {
@@ -507,22 +328,6 @@ func (repo *IAMRepository) GetDefaultPasswordLockoutPolicy(ctx context.Context)
 	return iam_es_model.PasswordLockoutViewToModel(policy), nil
 }
 
-func (repo *IAMRepository) AddDefaultPasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error) {
-	policy.AggregateID = repo.SystemDefaults.IamID
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.AddDefaultPasswordLockoutPolicy(ctx, policy)
-	}
-	return repo.IAMEventstore.AddPasswordLockoutPolicy(ctx, policy)
-}
-
-func (repo *IAMRepository) ChangeDefaultPasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error) {
-	policy.AggregateID = repo.SystemDefaults.IamID
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.ChangeDefaultPasswordLockoutPolicy(ctx, policy)
-	}
-	return repo.IAMEventstore.ChangePasswordLockoutPolicy(ctx, policy)
-}
-
 func (repo *IAMRepository) GetOrgIAMPolicy(ctx context.Context) (*iam_model.OrgIAMPolicyView, error) {
 	policy, viewErr := repo.View.OrgIAMPolicyByAggregateID(repo.SystemDefaults.IamID)
 	if viewErr != nil && !caos_errs.IsNotFound(viewErr) {
@@ -547,19 +352,3 @@ func (repo *IAMRepository) GetOrgIAMPolicy(ctx context.Context) (*iam_model.OrgI
 	}
 	return iam_es_model.OrgIAMViewToModel(policy), nil
 }
-
-func (repo *IAMRepository) AddDefaultOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
-	policy.AggregateID = repo.SystemDefaults.IamID
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.AddDefaultOrgIAMPolicy(ctx, policy)
-	}
-	return repo.IAMEventstore.AddOrgIAMPolicy(ctx, policy)
-}
-
-func (repo *IAMRepository) ChangeDefaultOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
-	policy.AggregateID = repo.SystemDefaults.IamID
-	if repo.IAMV2Command != nil {
-		return repo.IAMV2Command.ChangeDefaultOrgIAMPolicy(ctx, policy)
-	}
-	return repo.IAMEventstore.ChangeOrgIAMPolicy(ctx, policy)
-}

internal/admin/repository/eventsourcing/repository.go

@@ -2,9 +2,6 @@ package eventsourcing
 
 import (
 	"context"
-	"github.com/caos/zitadel/internal/v2/command"
-	"github.com/caos/zitadel/internal/v2/query"
-
 	"github.com/caos/zitadel/internal/admin/repository/eventsourcing/eventstore"
 	"github.com/caos/zitadel/internal/admin/repository/eventsourcing/handler"
 	"github.com/caos/zitadel/internal/admin/repository/eventsourcing/spooler"
@@ -39,8 +36,6 @@ func Start(ctx context.Context, conf Config, systemDefaults sd.SystemDefaults, r
 	if err != nil {
 		return nil, err
 	}
-	esV2 := es.V2()
-
 	iam, err := es_iam.StartIAM(es_iam.IAMConfig{
 		Eventstore: es,
 		Cache:      conf.Eventstore.Cache,
@@ -66,14 +61,6 @@ func Start(ctx context.Context, conf Config, systemDefaults sd.SystemDefaults, r
 	if err != nil {
 		return nil, err
 	}
-	iamV2Command, err := command.StartCommandSide(&command.Config{Eventstore: esV2, SystemDefaults: systemDefaults})
-	if err != nil {
-		return nil, err
-	}
-	iamV2Query, err := query.StartQuerySide(&query.Config{Eventstore: esV2, SystemDefaults: systemDefaults})
-	if err != nil {
-		return nil, err
-	}
 
 	spool := spooler.StartSpooler(conf.Spooler, es, view, sqlClient, handler.EventstoreRepos{UserEvents: user, OrgEvents: org, IamEvents: iam}, systemDefaults)
 
@@ -95,8 +82,6 @@ func Start(ctx context.Context, conf Config, systemDefaults sd.SystemDefaults, r
 			SystemDefaults: systemDefaults,
 			SearchLimit:    conf.SearchLimit,
 			Roles:          roles,
-			IAMV2Command:   iamV2Command,
-			IAMV2Query:     iamV2Query,
 		},
 		AdministratorRepo: eventstore.AdministratorRepo{
 			View: view,

internal/admin/repository/iam.go

@@ -8,51 +8,25 @@ import (
 
 type IAMRepository interface {
 	SearchIAMMembers(ctx context.Context, request *iam_model.IAMMemberSearchRequest) (*iam_model.IAMMemberSearchResponse, error)
-	AddIAMMember(ctx context.Context, member *iam_model.IAMMember) (*iam_model.IAMMember, error)
-	ChangeIAMMember(ctx context.Context, member *iam_model.IAMMember) (*iam_model.IAMMember, error)
-	RemoveIAMMember(ctx context.Context, userID string) error
 
 	GetIAMMemberRoles() []string
 
 	SearchIDPConfigs(ctx context.Context, request *iam_model.IDPConfigSearchRequest) (*iam_model.IDPConfigSearchResponse, error)
-	IDPConfigByID(ctx context.Context, id string) (*iam_model.IDPConfigView, error)
-	AddOIDCIDPConfig(ctx context.Context, idp *iam_model.IDPConfig) (*iam_model.IDPConfig, error)
-	ChangeIDPConfig(ctx context.Context, idp *iam_model.IDPConfig) (*iam_model.IDPConfig, error)
-	DeactivateIDPConfig(ctx context.Context, idpConfigID string) (*iam_model.IDPConfig, error)
-	ReactivateIDPConfig(ctx context.Context, idpConfigID string) (*iam_model.IDPConfig, error)
 	RemoveIDPConfig(ctx context.Context, idpConfigID string) error
-	ChangeOidcIDPConfig(ctx context.Context, oidcConfig *iam_model.OIDCIDPConfig) (*iam_model.OIDCIDPConfig, error)
 
 	GetDefaultLoginPolicy(ctx context.Context) (*iam_model.LoginPolicyView, error)
-	AddDefaultLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*iam_model.LoginPolicy, error)
-	ChangeDefaultLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*iam_model.LoginPolicy, error)
 	SearchDefaultIDPProviders(ctx context.Context, request *iam_model.IDPProviderSearchRequest) (*iam_model.IDPProviderSearchResponse, error)
-	AddIDPProviderToLoginPolicy(ctx context.Context, provider *iam_model.IDPProvider) (*iam_model.IDPProvider, error)
 	RemoveIDPProviderFromLoginPolicy(ctx context.Context, provider *iam_model.IDPProvider) error
 	SearchDefaultSecondFactors(ctx context.Context) (*iam_model.SecondFactorsSearchResponse, error)
-	AddSecondFactorToLoginPolicy(ctx context.Context, mfa iam_model.SecondFactorType) (iam_model.SecondFactorType, error)
-	RemoveSecondFactorFromLoginPolicy(ctx context.Context, mfa iam_model.SecondFactorType) error
 	SearchDefaultMultiFactors(ctx context.Context) (*iam_model.MultiFactorsSearchResponse, error)
-	AddMultiFactorToLoginPolicy(ctx context.Context, mfa iam_model.MultiFactorType) (iam_model.MultiFactorType, error)
-	RemoveMultiFactorFromLoginPolicy(ctx context.Context, mfa iam_model.MultiFactorType) error
 
 	GetDefaultLabelPolicy(ctx context.Context) (*iam_model.LabelPolicyView, error)
-	AddDefaultLabelPolicy(ctx context.Context, policy *iam_model.LabelPolicy) (*iam_model.LabelPolicy, error)
-	ChangeDefaultLabelPolicy(ctx context.Context, policy *iam_model.LabelPolicy) (*iam_model.LabelPolicy, error)
 
 	GetDefaultPasswordComplexityPolicy(ctx context.Context) (*iam_model.PasswordComplexityPolicyView, error)
-	AddDefaultPasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error)
-	ChangeDefaultPasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error)
 
 	GetDefaultPasswordAgePolicy(ctx context.Context) (*iam_model.PasswordAgePolicyView, error)
-	AddDefaultPasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error)
-	ChangeDefaultPasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error)
 
 	GetDefaultPasswordLockoutPolicy(ctx context.Context) (*iam_model.PasswordLockoutPolicyView, error)
-	AddDefaultPasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error)
-	ChangeDefaultPasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error)
 
 	GetDefaultOrgIAMPolicy(ctx context.Context) (*iam_model.OrgIAMPolicyView, error)
-	AddDefaultOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error)
-	ChangeDefaultOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error)
 }

internal/api/grpc/admin/iam_member.go

@@ -21,23 +21,23 @@ func (s *Server) SearchIamMembers(ctx context.Context, in *admin.IamMemberSearch
 }
 
 func (s *Server) AddIamMember(ctx context.Context, member *admin.AddIamMemberRequest) (*admin.IamMember, error) {
-	addedMember, err := s.iam.AddIAMMember(ctx, addIamMemberToModel(member))
+	addedMember, err := s.command.AddIAMMember(ctx, addIamMemberToDomain(member))
 	if err != nil {
 		return nil, err
 	}
 
-	return iamMemberFromModel(addedMember), nil
+	return iamMemberFromDomain(addedMember), nil
 }
 
 func (s *Server) ChangeIamMember(ctx context.Context, member *admin.ChangeIamMemberRequest) (*admin.IamMember, error) {
-	changedMember, err := s.iam.ChangeIAMMember(ctx, changeIamMemberToModel(member))
+	changedMember, err := s.command.ChangeIAMMember(ctx, changeIamMemberToDomain(member))
 	if err != nil {
 		return nil, err
 	}
-	return iamMemberFromModel(changedMember), nil
+	return iamMemberFromDomain(changedMember), nil
 }
 
 func (s *Server) RemoveIamMember(ctx context.Context, member *admin.RemoveIamMemberRequest) (*empty.Empty, error) {
-	err := s.iam.RemoveIAMMember(ctx, member.UserId)
+	err := s.command.RemoveIAMMember(ctx, member.UserId)
 	return &empty.Empty{}, err
 }

internal/api/grpc/admin/iam_member_converter.go

@@ -2,6 +2,7 @@ package admin
 
 import (
 	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/golang/protobuf/ptypes"
 
 	iam_model "github.com/caos/zitadel/internal/iam/model"
@@ -9,25 +10,21 @@ import (
 	"github.com/caos/zitadel/pkg/grpc/admin"
 )
 
-func addIamMemberToModel(member *admin.AddIamMemberRequest) *iam_model.IAMMember {
+func addIamMemberToDomain(member *admin.AddIamMemberRequest) *domain.IAMMember {
-	memberModel := &iam_model.IAMMember{
+	return &domain.IAMMember{
 		UserID: member.UserId,
+		Roles:  member.Roles,
 	}
-	memberModel.Roles = member.Roles
-
-	return memberModel
 }
 
-func changeIamMemberToModel(member *admin.ChangeIamMemberRequest) *iam_model.IAMMember {
+func changeIamMemberToDomain(member *admin.ChangeIamMemberRequest) *domain.IAMMember {
-	memberModel := &iam_model.IAMMember{
+	return &domain.IAMMember{
 		UserID: member.UserId,
+		Roles:  member.Roles,
 	}
-	memberModel.Roles = member.Roles
-
-	return memberModel
 }
 
-func iamMemberFromModel(member *iam_model.IAMMember) *admin.IamMember {
+func iamMemberFromDomain(member *domain.IAMMember) *admin.IamMember {
 	creationDate, err := ptypes.TimestampProto(member.CreationDate)
 	logging.Log("GRPC-Lsp76").OnError(err).Debug("date parse failed")
 

internal/api/grpc/admin/idp_config.go

@@ -8,56 +8,57 @@ import (
 )
 
 func (s *Server) IdpByID(ctx context.Context, id *admin.IdpID) (*admin.IdpView, error) {
-	config, err := s.iam.IDPConfigByID(ctx, id.Id)
+	config, err := s.query.DefaultIDPConfigByID(ctx, id.Id)
 	if err != nil {
 		return nil, err
 	}
-	return idpViewFromModel(config), nil
+	return idpViewFromDomain(config), nil
 }
 
 func (s *Server) CreateOidcIdp(ctx context.Context, oidcIdpConfig *admin.OidcIdpConfigCreate) (*admin.Idp, error) {
-	config, err := s.iam.AddOIDCIDPConfig(ctx, createOidcIdpToModel(oidcIdpConfig))
+	config, err := s.command.AddDefaultIDPConfig(ctx, createOIDCIDPToDomain(oidcIdpConfig))
 	if err != nil {
 		return nil, err
 	}
-	return idpFromModel(config), nil
+	return idpFromDomain(config), nil
 }
 
 func (s *Server) UpdateIdpConfig(ctx context.Context, idpConfig *admin.IdpUpdate) (*admin.Idp, error) {
-	config, err := s.iam.ChangeIDPConfig(ctx, updateIdpToModel(idpConfig))
+	config, err := s.command.ChangeDefaultIDPConfig(ctx, updateIdpToDomain(idpConfig))
 	if err != nil {
 		return nil, err
 	}
-	return idpFromModel(config), nil
+	return idpFromDomain(config), nil
 }
 
 func (s *Server) DeactivateIdpConfig(ctx context.Context, id *admin.IdpID) (*admin.Idp, error) {
-	config, err := s.iam.DeactivateIDPConfig(ctx, id.Id)
+	config, err := s.command.DeactivateDefaultIDPConfig(ctx, id.Id)
 	if err != nil {
 		return nil, err
 	}
-	return idpFromModel(config), nil
+	return idpFromDomain(config), nil
 }
 
 func (s *Server) ReactivateIdpConfig(ctx context.Context, id *admin.IdpID) (*admin.Idp, error) {
-	config, err := s.iam.ReactivateIDPConfig(ctx, id.Id)
+	config, err := s.command.ReactivateDefaultIDPConfig(ctx, id.Id)
 	if err != nil {
 		return nil, err
 	}
-	return idpFromModel(config), nil
+	return idpFromDomain(config), nil
 }
 
+//TODO: Change To V2
 func (s *Server) RemoveIdpConfig(ctx context.Context, id *admin.IdpID) (*empty.Empty, error) {
 	err := s.iam.RemoveIDPConfig(ctx, id.Id)
 	return &empty.Empty{}, err
 }
 
 func (s *Server) UpdateOidcIdpConfig(ctx context.Context, request *admin.OidcIdpConfigUpdate) (*admin.OidcIdpConfig, error) {
-	config, err := s.iam.ChangeOidcIDPConfig(ctx, updateOidcIdpToModel(request))
+	config, err := s.command.ChangeDefaultIDPOIDCConfig(ctx, updateOIDCIDPToDomain(request))
 	if err != nil {
 		return nil, err
 	}
-	return oidcIdpConfigFromModel(config), nil
+	return oidcIDPConfigFromDomain(config), nil
 }
 
 func (s *Server) SearchIdps(ctx context.Context, request *admin.IdpSearchRequest) (*admin.IdpSearchResponse, error) {

internal/api/grpc/admin/idp_config_converter.go

@@ -3,47 +3,48 @@ package admin
 import (
 	"github.com/caos/logging"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/pkg/grpc/admin"
 	"github.com/golang/protobuf/ptypes"
 )
 
-func createOidcIdpToModel(idp *admin.OidcIdpConfigCreate) *iam_model.IDPConfig {
+func createOIDCIDPToDomain(idp *admin.OidcIdpConfigCreate) *domain.IDPConfig {
-	return &iam_model.IDPConfig{
+	return &domain.IDPConfig{
 		Name:        idp.Name,
-		StylingType: idpConfigStylingTypeToModel(idp.StylingType),
+		StylingType: idpConfigStylingTypeToDomain(idp.StylingType),
-		Type:        iam_model.IDPConfigTypeOIDC,
+		Type:        domain.IDPConfigTypeOIDC,
-		OIDCConfig: &iam_model.OIDCIDPConfig{
+		OIDCConfig: &domain.OIDCIDPConfig{
 			ClientID:              idp.ClientId,
 			ClientSecretString:    idp.ClientSecret,
 			Issuer:                idp.Issuer,
 			Scopes:                idp.Scopes,
-			IDPDisplayNameMapping: oidcMappingFieldToModel(idp.IdpDisplayNameMapping),
+			IDPDisplayNameMapping: oidcMappingFieldToDomain(idp.IdpDisplayNameMapping),
-			UsernameMapping:       oidcMappingFieldToModel(idp.UsernameMapping),
+			UsernameMapping:       oidcMappingFieldToDomain(idp.UsernameMapping),
 		},
 	}
 }
 
-func updateIdpToModel(idp *admin.IdpUpdate) *iam_model.IDPConfig {
+func updateIdpToDomain(idp *admin.IdpUpdate) *domain.IDPConfig {
-	return &iam_model.IDPConfig{
+	return &domain.IDPConfig{
 		IDPConfigID: idp.Id,
 		Name:        idp.Name,
-		StylingType: idpConfigStylingTypeToModel(idp.StylingType),
+		StylingType: idpConfigStylingTypeToDomain(idp.StylingType),
 	}
 }
 
-func updateOidcIdpToModel(idp *admin.OidcIdpConfigUpdate) *iam_model.OIDCIDPConfig {
+func updateOIDCIDPToDomain(idp *admin.OidcIdpConfigUpdate) *domain.OIDCIDPConfig {
-	return &iam_model.OIDCIDPConfig{
+	return &domain.OIDCIDPConfig{
 		IDPConfigID:           idp.IdpId,
 		ClientID:              idp.ClientId,
 		ClientSecretString:    idp.ClientSecret,
 		Issuer:                idp.Issuer,
 		Scopes:                idp.Scopes,
-		IDPDisplayNameMapping: oidcMappingFieldToModel(idp.IdpDisplayNameMapping),
+		IDPDisplayNameMapping: oidcMappingFieldToDomain(idp.IdpDisplayNameMapping),
-		UsernameMapping:       oidcMappingFieldToModel(idp.UsernameMapping),
+		UsernameMapping:       oidcMappingFieldToDomain(idp.UsernameMapping),
 	}
 }
 
-func idpFromModel(idp *iam_model.IDPConfig) *admin.Idp {
+func idpFromDomain(idp *domain.IDPConfig) *admin.Idp {
 	creationDate, err := ptypes.TimestampProto(idp.CreationDate)
 	logging.Log("GRPC-8dju8").OnError(err).Debug("date parse failed")
 
@@ -56,9 +57,28 @@ func idpFromModel(idp *iam_model.IDPConfig) *admin.Idp {
 		ChangeDate:   changeDate,
 		Sequence:     idp.Sequence,
 		Name:         idp.Name,
-		StylingType:  idpConfigStylingTypeFromModel(idp.StylingType),
+		StylingType:  idpConfigStylingTypeFromDomain(idp.StylingType),
-		State:        idpConfigStateFromModel(idp.State),
+		State:        idpConfigStateFromDomain(idp.State),
-		IdpConfig:    idpConfigFromModel(idp),
+		IdpConfig:    idpConfigFromDomain(idp),
+	}
+}
+
+func idpViewFromDomain(idp *domain.IDPConfigView) *admin.IdpView {
+	creationDate, err := ptypes.TimestampProto(idp.CreationDate)
+	logging.Log("GRPC-8dju8").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(idp.ChangeDate)
+	logging.Log("GRPC-Dsj8i").OnError(err).Debug("date parse failed")
+
+	return &admin.IdpView{
+		Id:            idp.IDPConfigID,
+		CreationDate:  creationDate,
+		ChangeDate:    changeDate,
+		Sequence:      idp.Sequence,
+		Name:          idp.Name,
+		StylingType:   admin.IdpStylingType(idp.StylingType),
+		State:         admin.IdpState(idp.State),
+		IdpConfigView: idpConfigViewFromDomain(idp),
 	}
 }
 
@@ -75,22 +95,22 @@ func idpViewFromModel(idp *iam_model.IDPConfigView) *admin.IdpView {
 		ChangeDate:    changeDate,
 		Sequence:      idp.Sequence,
 		Name:          idp.Name,
-		StylingType:   idpConfigStylingTypeFromModel(idp.StylingType),
+		StylingType:   admin.IdpStylingType(idp.StylingType),
-		State:         idpConfigStateFromModel(idp.State),
+		State:         admin.IdpState(idp.State),
 		IdpConfigView: idpConfigViewFromModel(idp),
 	}
 }
 
-func idpConfigFromModel(idp *iam_model.IDPConfig) *admin.Idp_OidcConfig {
+func idpConfigFromDomain(idp *domain.IDPConfig) *admin.Idp_OidcConfig {
-	if idp.Type == iam_model.IDPConfigTypeOIDC {
+	if idp.Type == domain.IDPConfigTypeOIDC {
 		return &admin.Idp_OidcConfig{
-			OidcConfig: oidcIdpConfigFromModel(idp.OIDCConfig),
+			OidcConfig: oidcIDPConfigFromDomain(idp.OIDCConfig),
 		}
 	}
 	return nil
 }
 
-func oidcIdpConfigFromModel(idp *iam_model.OIDCIDPConfig) *admin.OidcIdpConfig {
+func oidcIDPConfigFromDomain(idp *domain.OIDCIDPConfig) *admin.OidcIdpConfig {
 	return &admin.OidcIdpConfig{
 		ClientId: idp.ClientID,
 		Issuer:   idp.Issuer,
@@ -98,6 +118,15 @@ func oidcIdpConfigFromModel(idp *iam_model.OIDCIDPConfig) *admin.OidcIdpConfig {
 	}
 }
 
+func idpConfigViewFromDomain(idp *domain.IDPConfigView) *admin.IdpView_OidcConfig {
+	if idp.IsOIDC {
+		return &admin.IdpView_OidcConfig{
+			OidcConfig: oidcIdpConfigViewFromDomain(idp),
+		}
+	}
+	return nil
+}
+
 func idpConfigViewFromModel(idp *iam_model.IDPConfigView) *admin.IdpView_OidcConfig {
 	if idp.IsOIDC {
 		return &admin.IdpView_OidcConfig{
@@ -107,46 +136,56 @@ func idpConfigViewFromModel(idp *iam_model.IDPConfigView) *admin.IdpView_OidcCon
 	return nil
 }
 
+func oidcIdpConfigViewFromDomain(idp *domain.IDPConfigView) *admin.OidcIdpConfigView {
+	return &admin.OidcIdpConfigView{
+		ClientId:              idp.OIDCClientID,
+		Issuer:                idp.OIDCIssuer,
+		Scopes:                idp.OIDCScopes,
+		IdpDisplayNameMapping: oidcMappingFieldFromDomain(idp.OIDCIDPDisplayNameMapping),
+		UsernameMapping:       oidcMappingFieldFromDomain(idp.OIDCUsernameMapping),
+	}
+}
+
 func oidcIdpConfigViewFromModel(idp *iam_model.IDPConfigView) *admin.OidcIdpConfigView {
 	return &admin.OidcIdpConfigView{
 		ClientId:              idp.OIDCClientID,
 		Issuer:                idp.OIDCIssuer,
 		Scopes:                idp.OIDCScopes,
-		IdpDisplayNameMapping: oidcMappingFieldFromModel(idp.OIDCIDPDisplayNameMapping),
+		IdpDisplayNameMapping: admin.OIDCMappingField(idp.OIDCIDPDisplayNameMapping),
-		UsernameMapping:       oidcMappingFieldFromModel(idp.OIDCUsernameMapping),
+		UsernameMapping:       admin.OIDCMappingField(idp.OIDCUsernameMapping),
 	}
 }
 
-func idpConfigStateFromModel(state iam_model.IDPConfigState) admin.IdpState {
+func idpConfigStateFromDomain(state domain.IDPConfigState) admin.IdpState {
 	switch state {
-	case iam_model.IDPConfigStateActive:
+	case domain.IDPConfigStateActive:
 		return admin.IdpState_IDPCONFIGSTATE_ACTIVE
-	case iam_model.IDPConfigStateInactive:
+	case domain.IDPConfigStateInactive:
 		return admin.IdpState_IDPCONFIGSTATE_INACTIVE
 	default:
 		return admin.IdpState_IDPCONFIGSTATE_UNSPECIFIED
 	}
 }
 
-func oidcMappingFieldFromModel(field iam_model.OIDCMappingField) admin.OIDCMappingField {
+func oidcMappingFieldFromDomain(field domain.OIDCMappingField) admin.OIDCMappingField {
 	switch field {
-	case iam_model.OIDCMappingFieldPreferredLoginName:
+	case domain.OIDCMappingFieldPreferredLoginName:
 		return admin.OIDCMappingField_OIDCMAPPINGFIELD_PREFERRED_USERNAME
-	case iam_model.OIDCMappingFieldEmail:
+	case domain.OIDCMappingFieldEmail:
 		return admin.OIDCMappingField_OIDCMAPPINGFIELD_EMAIL
 	default:
 		return admin.OIDCMappingField_OIDCMAPPINGFIELD_UNSPECIFIED
 	}
 }
 
-func oidcMappingFieldToModel(field admin.OIDCMappingField) iam_model.OIDCMappingField {
+func oidcMappingFieldToDomain(field admin.OIDCMappingField) domain.OIDCMappingField {
 	switch field {
 	case admin.OIDCMappingField_OIDCMAPPINGFIELD_PREFERRED_USERNAME:
-		return iam_model.OIDCMappingFieldPreferredLoginName
+		return domain.OIDCMappingFieldPreferredLoginName
 	case admin.OIDCMappingField_OIDCMAPPINGFIELD_EMAIL:
-		return iam_model.OIDCMappingFieldEmail
+		return domain.OIDCMappingFieldEmail
 	default:
-		return iam_model.OIDCMappingFieldUnspecified
+		return domain.OIDCMappingFieldPreferredLoginName
 	}
 }
 
@@ -207,20 +246,20 @@ func idpConfigsFromView(viewIdps []*iam_model.IDPConfigView) []*admin.IdpView {
 	return idps
 }
 
-func idpConfigStylingTypeFromModel(stylingType iam_model.IDPStylingType) admin.IdpStylingType {
+func idpConfigStylingTypeFromDomain(stylingType domain.IDPConfigStylingType) admin.IdpStylingType {
 	switch stylingType {
-	case iam_model.IDPStylingTypeGoogle:
+	case domain.IDPConfigStylingTypeGoogle:
 		return admin.IdpStylingType_IDPSTYLINGTYPE_GOOGLE
 	default:
 		return admin.IdpStylingType_IDPSTYLINGTYPE_UNSPECIFIED
 	}
 }
 
-func idpConfigStylingTypeToModel(stylingType admin.IdpStylingType) iam_model.IDPStylingType {
+func idpConfigStylingTypeToDomain(stylingType admin.IdpStylingType) domain.IDPConfigStylingType {
 	switch stylingType {
 	case admin.IdpStylingType_IDPSTYLINGTYPE_GOOGLE:
-		return iam_model.IDPStylingTypeGoogle
+		return domain.IDPConfigStylingTypeGoogle
 	default:
-		return iam_model.IDPStylingTypeUnspecified
+		return domain.IDPConfigStylingTypeUnspecified
 	}
 }

internal/api/grpc/admin/label_policy.go

@@ -16,9 +16,9 @@ func (s *Server) GetDefaultLabelPolicy(ctx context.Context, _ *empty.Empty) (*ad
 }
 
 func (s *Server) UpdateDefaultLabelPolicy(ctx context.Context, policy *admin.DefaultLabelPolicyUpdate) (*admin.DefaultLabelPolicy, error) {
-	result, err := s.iam.ChangeDefaultLabelPolicy(ctx, labelPolicyToModel(policy))
+	result, err := s.command.ChangeDefaultLabelPolicy(ctx, labelPolicyToDomain(policy))
 	if err != nil {
 		return nil, err
 	}
-	return labelPolicyFromModel(result), nil
+	return labelPolicyFromDomain(result), nil
 }

internal/api/grpc/admin/label_policy_converter.go

@@ -3,18 +3,19 @@ package admin
 import (
 	"github.com/caos/logging"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/pkg/grpc/admin"
 	"github.com/golang/protobuf/ptypes"
 )
 
-func labelPolicyToModel(policy *admin.DefaultLabelPolicyUpdate) *iam_model.LabelPolicy {
+func labelPolicyToDomain(policy *admin.DefaultLabelPolicyUpdate) *domain.LabelPolicy {
-	return &iam_model.LabelPolicy{
+	return &domain.LabelPolicy{
 		PrimaryColor:   policy.PrimaryColor,
 		SecondaryColor: policy.SecondaryColor,
 	}
 }
 
-func labelPolicyFromModel(policy *iam_model.LabelPolicy) *admin.DefaultLabelPolicy {
+func labelPolicyFromDomain(policy *domain.LabelPolicy) *admin.DefaultLabelPolicy {
 	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
 	logging.Log("ADMIN-QwQG9").OnError(err).Debug("date parse failed")
 

internal/api/grpc/admin/login_policy.go

@@ -15,11 +15,11 @@ func (s *Server) GetDefaultLoginPolicy(ctx context.Context, _ *empty.Empty) (*ad
 }
 
 func (s *Server) UpdateDefaultLoginPolicy(ctx context.Context, policy *admin.DefaultLoginPolicyRequest) (*admin.DefaultLoginPolicy, error) {
-	result, err := s.iam.ChangeDefaultLoginPolicy(ctx, loginPolicyToModel(policy))
+	result, err := s.command.ChangeDefaultLoginPolicy(ctx, loginPolicyToDomain(policy))
 	if err != nil {
 		return nil, err
 	}
-	return loginPolicyFromModel(result), nil
+	return loginPolicyFromDomain(result), nil
 }
 
 func (s *Server) GetDefaultLoginPolicyIdpProviders(ctx context.Context, request *admin.IdpProviderSearchRequest) (*admin.IdpProviderSearchResponse, error) {
@@ -31,13 +31,14 @@ func (s *Server) GetDefaultLoginPolicyIdpProviders(ctx context.Context, request
 }
 
 func (s *Server) AddIdpProviderToDefaultLoginPolicy(ctx context.Context, provider *admin.IdpProviderID) (*admin.IdpProviderID, error) {
-	result, err := s.iam.AddIDPProviderToLoginPolicy(ctx, idpProviderToModel(provider))
+	result, err := s.command.AddIDPProviderToDefaultLoginPolicy(ctx, idpProviderToDomain(provider))
 	if err != nil {
 		return nil, err
 	}
-	return idpProviderFromModel(result), nil
+	return idpProviderFromDomain(result), nil
 }
 
+//TODO: Change to v2
 func (s *Server) RemoveIdpProviderFromDefaultLoginPolicy(ctx context.Context, provider *admin.IdpProviderID) (*empty.Empty, error) {
 	err := s.iam.RemoveIDPProviderFromLoginPolicy(ctx, idpProviderToModel(provider))
 	return &empty.Empty{}, err
@@ -52,7 +53,7 @@ func (s *Server) GetDefaultLoginPolicySecondFactors(ctx context.Context, _ *empt
 }
 
 func (s *Server) AddSecondFactorToDefaultLoginPolicy(ctx context.Context, mfa *admin.SecondFactor) (*admin.SecondFactor, error) {
-	result, err := s.iam.AddSecondFactorToLoginPolicy(ctx, secondFactorTypeToModel(mfa))
+	result, err := s.command.AddSecondFactorToDefaultLoginPolicy(ctx, secondFactorTypeToModel(mfa))
 	if err != nil {
 		return nil, err
 	}
@@ -60,7 +61,7 @@ func (s *Server) AddSecondFactorToDefaultLoginPolicy(ctx context.Context, mfa *a
 }
 
 func (s *Server) RemoveSecondFactorFromDefaultLoginPolicy(ctx context.Context, mfa *admin.SecondFactor) (*empty.Empty, error) {
-	err := s.iam.RemoveSecondFactorFromLoginPolicy(ctx, secondFactorTypeToModel(mfa))
+	err := s.command.RemoveSecondFactorFromDefaultLoginPolicy(ctx, secondFactorTypeToModel(mfa))
 	return &empty.Empty{}, err
 }
 
@@ -73,7 +74,7 @@ func (s *Server) GetDefaultLoginPolicyMultiFactors(ctx context.Context, _ *empty
 }
 
 func (s *Server) AddMultiFactorToDefaultLoginPolicy(ctx context.Context, mfa *admin.MultiFactor) (*admin.MultiFactor, error) {
-	result, err := s.iam.AddMultiFactorToLoginPolicy(ctx, multiFactorTypeToModel(mfa))
+	result, err := s.command.AddMultiFactorToDefaultLoginPolicy(ctx, multiFactorTypeToModel(mfa))
 	if err != nil {
 		return nil, err
 	}
@@ -81,6 +82,6 @@ func (s *Server) AddMultiFactorToDefaultLoginPolicy(ctx context.Context, mfa *ad
 }
 
 func (s *Server) RemoveMultiFactorFromDefaultLoginPolicy(ctx context.Context, mfa *admin.MultiFactor) (*empty.Empty, error) {
-	err := s.iam.RemoveMultiFactorFromLoginPolicy(ctx, multiFactorTypeToModel(mfa))
+	err := s.command.RemoveMultiFactorFromDefaultLoginPolicy(ctx, multiFactorTypeToModel(mfa))
 	return &empty.Empty{}, err
 }

internal/api/grpc/admin/login_policy_converter.go

@@ -3,21 +3,22 @@ package admin
 import (
 	"github.com/caos/logging"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/pkg/grpc/admin"
 	"github.com/golang/protobuf/ptypes"
 )
 
-func loginPolicyToModel(policy *admin.DefaultLoginPolicyRequest) *iam_model.LoginPolicy {
+func loginPolicyToDomain(policy *admin.DefaultLoginPolicyRequest) *domain.LoginPolicy {
-	return &iam_model.LoginPolicy{
+	return &domain.LoginPolicy{
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIdp,
 		AllowRegister:         policy.AllowRegister,
 		ForceMFA:              policy.ForceMfa,
-		PasswordlessType:      passwordlessTypeToModel(policy.PasswordlessType),
+		PasswordlessType:      passwordlessTypeToDomain(policy.PasswordlessType),
 	}
 }
 
-func loginPolicyFromModel(policy *iam_model.LoginPolicy) *admin.DefaultLoginPolicy {
+func loginPolicyFromDomain(policy *domain.LoginPolicy) *admin.DefaultLoginPolicy {
 	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
 	logging.Log("GRPC-3Fsm9").OnError(err).Debug("date parse failed")
 
@@ -29,7 +30,7 @@ func loginPolicyFromModel(policy *iam_model.LoginPolicy) *admin.DefaultLoginPoli
 		AllowExternalIdp:      policy.AllowExternalIdp,
 		AllowRegister:         policy.AllowRegister,
 		ForceMfa:              policy.ForceMFA,
-		PasswordlessType:      passwordlessTypeFromModel(policy.PasswordlessType),
+		PasswordlessType:      passwordlessTypeFromDomain(policy.PasswordlessType),
 		CreationDate:          creationDate,
 		ChangeDate:            changeDate,
 	}
@@ -47,7 +48,7 @@ func loginPolicyViewFromModel(policy *iam_model.LoginPolicyView) *admin.DefaultL
 		AllowExternalIdp:      policy.AllowExternalIDP,
 		AllowRegister:         policy.AllowRegister,
 		ForceMfa:              policy.ForceMFA,
-		PasswordlessType:      passwordlessTypeFromModel(policy.PasswordlessType),
+		PasswordlessType:      passwordlessTypeFromDomain(policy.PasswordlessType),
 		CreationDate:          creationDate,
 		ChangeDate:            changeDate,
 	}
@@ -69,6 +70,13 @@ func idpProviderSearchResponseFromModel(response *iam_model.IDPProviderSearchRes
 	}
 }
 
+func idpProviderToDomain(provider *admin.IdpProviderID) *domain.IDPProvider {
+	return &domain.IDPProvider{
+		IDPConfigID: provider.IdpConfigId,
+		Type:        domain.IdentityProviderTypeSystem,
+	}
+}
+
 func idpProviderToModel(provider *admin.IdpProviderID) *iam_model.IDPProvider {
 	return &iam_model.IDPProvider{
 		IDPConfigID: provider.IdpConfigId,
@@ -76,7 +84,7 @@ func idpProviderToModel(provider *admin.IdpProviderID) *iam_model.IDPProvider {
 	}
 }
 
-func idpProviderFromModel(provider *iam_model.IDPProvider) *admin.IdpProviderID {
+func idpProviderFromDomain(provider *domain.IDPProvider) *admin.IdpProviderID {
 	return &admin.IdpProviderID{
 		IdpConfigId: provider.IDPConfigID,
 	}
@@ -148,21 +156,21 @@ func secondFactorTypeToModel(mfaType *admin.SecondFactor) iam_model.SecondFactor
 	}
 }
 
-func passwordlessTypeFromModel(passwordlessType iam_model.PasswordlessType) admin.PasswordlessType {
+func passwordlessTypeFromDomain(passwordlessType domain.PasswordlessType) admin.PasswordlessType {
 	switch passwordlessType {
-	case iam_model.PasswordlessTypeAllowed:
+	case domain.PasswordlessTypeAllowed:
 		return admin.PasswordlessType_PASSWORDLESSTYPE_ALLOWED
 	default:
 		return admin.PasswordlessType_PASSWORDLESSTYPE_NOT_ALLOWED
 	}
 }
 
-func passwordlessTypeToModel(passwordlessType admin.PasswordlessType) iam_model.PasswordlessType {
+func passwordlessTypeToDomain(passwordlessType admin.PasswordlessType) domain.PasswordlessType {
 	switch passwordlessType {
 	case admin.PasswordlessType_PASSWORDLESSTYPE_ALLOWED:
-		return iam_model.PasswordlessTypeAllowed
+		return domain.PasswordlessTypeAllowed
 	default:
-		return iam_model.PasswordlessTypeNotAllowed
+		return domain.PasswordlessTypeNotAllowed
 	}
 }
 

internal/api/grpc/admin/org.go

@@ -47,11 +47,11 @@ func (s *Server) GetDefaultOrgIamPolicy(ctx context.Context, _ *empty.Empty) (_
 }
 
 func (s *Server) UpdateDefaultOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyRequest) (_ *admin.OrgIamPolicy, err error) {
-	policy, err := s.iam.ChangeDefaultOrgIAMPolicy(ctx, orgIAMPolicyRequestToModel(in))
+	policy, err := s.command.ChangeDefaultOrgIAMPolicy(ctx, orgIAMPolicyRequestToDomain(in))
 	if err != nil {
 		return nil, err
 	}
-	return orgIAMPolicyFromModel(policy), err
+	return orgIAMPolicyFromDomain(policy), err
 }
 
 func (s *Server) GetOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyID) (_ *admin.OrgIamPolicyView, err error) {
@@ -63,19 +63,19 @@ func (s *Server) GetOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyID)
 }
 
 func (s *Server) CreateOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyRequest) (_ *admin.OrgIamPolicy, err error) {
-	policy, err := s.org.CreateOrgIAMPolicy(ctx, orgIAMPolicyRequestToModel(in))
+	policy, err := s.command.AddOrgIAMPolicy(ctx, orgIAMPolicyRequestToDomain(in))
 	if err != nil {
 		return nil, err
 	}
-	return orgIAMPolicyFromModel(policy), err
+	return orgIAMPolicyFromDomain(policy), err
 }
 
 func (s *Server) UpdateOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyRequest) (_ *admin.OrgIamPolicy, err error) {
-	policy, err := s.org.ChangeOrgIAMPolicy(ctx, orgIAMPolicyRequestToModel(in))
+	policy, err := s.command.ChangeOrgIAMPolicy(ctx, orgIAMPolicyRequestToDomain(in))
 	if err != nil {
 		return nil, err
 	}
-	return orgIAMPolicyFromModel(policy), err
+	return orgIAMPolicyFromDomain(policy), err
 }
 
 func (s *Server) RemoveOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyID) (_ *empty.Empty, err error) {

internal/api/grpc/admin/org_converter.go

@@ -3,6 +3,7 @@ package admin
 import (
 	"github.com/caos/logging"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/golang/protobuf/ptypes"
 
 	admin_model "github.com/caos/zitadel/internal/admin/model"
@@ -197,7 +198,7 @@ func orgQueryMethodToModel(method admin.OrgSearchMethod) model.SearchMethod {
 	}
 }
 
-func orgIAMPolicyFromModel(policy *iam_model.OrgIAMPolicy) *admin.OrgIamPolicy {
+func orgIAMPolicyFromDomain(policy *domain.OrgIAMPolicy) *admin.OrgIamPolicy {
 	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
 	logging.Log("GRPC-ush36").OnError(err).Debug("unable to get timestamp from time")
 
@@ -227,8 +228,8 @@ func orgIAMPolicyViewFromModel(policy *iam_model.OrgIAMPolicyView) *admin.OrgIam
 	}
 }
 
-func orgIAMPolicyRequestToModel(policy *admin.OrgIamPolicyRequest) *iam_model.OrgIAMPolicy {
+func orgIAMPolicyRequestToDomain(policy *admin.OrgIamPolicyRequest) *domain.OrgIAMPolicy {
-	return &iam_model.OrgIAMPolicy{
+	return &domain.OrgIAMPolicy{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: policy.OrgId,
 		},

internal/api/grpc/admin/password_age_policy.go

@@ -15,9 +15,9 @@ func (s *Server) GetDefaultPasswordAgePolicy(ctx context.Context, _ *empty.Empty
 }
 
 func (s *Server) UpdateDefaultPasswordAgePolicy(ctx context.Context, policy *admin.DefaultPasswordAgePolicyRequest) (*admin.DefaultPasswordAgePolicy, error) {
-	result, err := s.iam.ChangeDefaultPasswordAgePolicy(ctx, passwordAgePolicyToModel(policy))
+	result, err := s.command.ChangeDefaultPasswordAgePolicy(ctx, passwordAgePolicyToDomain(policy))
 	if err != nil {
 		return nil, err
 	}
-	return passwordAgePolicyFromModel(result), nil
+	return passwordAgePolicyFromDomain(result), nil
 }

internal/api/grpc/admin/password_age_policy_converter.go

@@ -3,18 +3,19 @@ package admin
 import (
 	"github.com/caos/logging"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/pkg/grpc/admin"
 	"github.com/golang/protobuf/ptypes"
 )
 
-func passwordAgePolicyToModel(policy *admin.DefaultPasswordAgePolicyRequest) *iam_model.PasswordAgePolicy {
+func passwordAgePolicyToDomain(policy *admin.DefaultPasswordAgePolicyRequest) *domain.PasswordAgePolicy {
-	return &iam_model.PasswordAgePolicy{
+	return &domain.PasswordAgePolicy{
 		MaxAgeDays:     policy.MaxAgeDays,
 		ExpireWarnDays: policy.ExpireWarnDays,
 	}
 }
 
-func passwordAgePolicyFromModel(policy *iam_model.PasswordAgePolicy) *admin.DefaultPasswordAgePolicy {
+func passwordAgePolicyFromDomain(policy *domain.PasswordAgePolicy) *admin.DefaultPasswordAgePolicy {
 	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
 	logging.Log("GRPC-mH9os").OnError(err).Debug("date parse failed")
 

internal/api/grpc/admin/password_complexity_policy.go

@@ -15,9 +15,9 @@ func (s *Server) GetDefaultPasswordComplexityPolicy(ctx context.Context, _ *empt
 }
 
 func (s *Server) UpdateDefaultPasswordComplexityPolicy(ctx context.Context, policy *admin.DefaultPasswordComplexityPolicyRequest) (*admin.DefaultPasswordComplexityPolicy, error) {
-	result, err := s.iam.ChangeDefaultPasswordComplexityPolicy(ctx, passwordComplexityPolicyToModel(policy))
+	result, err := s.command.ChangeDefaultPasswordComplexityPolicy(ctx, passwordComplexityPolicyToDomain(policy))
 	if err != nil {
 		return nil, err
 	}
-	return passwordComplexityPolicyFromModel(result), nil
+	return passwordComplexityPolicyFromDomain(result), nil
 }

internal/api/grpc/admin/password_complexity_policy_converter.go

@@ -3,12 +3,13 @@ package admin
 import (
 	"github.com/caos/logging"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/pkg/grpc/admin"
 	"github.com/golang/protobuf/ptypes"
 )
 
-func passwordComplexityPolicyToModel(policy *admin.DefaultPasswordComplexityPolicyRequest) *iam_model.PasswordComplexityPolicy {
+func passwordComplexityPolicyToDomain(policy *admin.DefaultPasswordComplexityPolicyRequest) *domain.PasswordComplexityPolicy {
-	return &iam_model.PasswordComplexityPolicy{
+	return &domain.PasswordComplexityPolicy{
 		MinLength:    policy.MinLength,
 		HasUppercase: policy.HasUppercase,
 		HasLowercase: policy.HasLowercase,
@@ -17,7 +18,7 @@ func passwordComplexityPolicyToModel(policy *admin.DefaultPasswordComplexityPoli
 	}
 }
 
-func passwordComplexityPolicyFromModel(policy *iam_model.PasswordComplexityPolicy) *admin.DefaultPasswordComplexityPolicy {
+func passwordComplexityPolicyFromDomain(policy *domain.PasswordComplexityPolicy) *admin.DefaultPasswordComplexityPolicy {
 	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
 	logging.Log("GRPC-6Zhs9").OnError(err).Debug("date parse failed")
 

internal/api/grpc/admin/password_lockout_policy.go

@@ -15,9 +15,9 @@ func (s *Server) GetDefaultPasswordLockoutPolicy(ctx context.Context, _ *empty.E
 }
 
 func (s *Server) UpdateDefaultPasswordLockoutPolicy(ctx context.Context, policy *admin.DefaultPasswordLockoutPolicyRequest) (*admin.DefaultPasswordLockoutPolicy, error) {
-	result, err := s.iam.ChangeDefaultPasswordLockoutPolicy(ctx, passwordLockoutPolicyToModel(policy))
+	result, err := s.command.ChangeDefaultPasswordLockoutPolicy(ctx, passwordLockoutPolicyToDomain(policy))
 	if err != nil {
 		return nil, err
 	}
-	return passwordLockoutPolicyFromModel(result), nil
+	return passwordLockoutPolicyFromDomain(result), nil
 }

internal/api/grpc/admin/password_lockout_policy_converter.go

@@ -3,18 +3,19 @@ package admin
 import (
 	"github.com/caos/logging"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/pkg/grpc/admin"
 	"github.com/golang/protobuf/ptypes"
 )
 
-func passwordLockoutPolicyToModel(policy *admin.DefaultPasswordLockoutPolicyRequest) *iam_model.PasswordLockoutPolicy {
+func passwordLockoutPolicyToDomain(policy *admin.DefaultPasswordLockoutPolicyRequest) *domain.PasswordLockoutPolicy {
-	return &iam_model.PasswordLockoutPolicy{
+	return &domain.PasswordLockoutPolicy{
 		MaxAttempts:         policy.MaxAttempts,
 		ShowLockOutFailures: policy.ShowLockoutFailure,
 	}
 }
 
-func passwordLockoutPolicyFromModel(policy *iam_model.PasswordLockoutPolicy) *admin.DefaultPasswordLockoutPolicy {
+func passwordLockoutPolicyFromDomain(policy *domain.PasswordLockoutPolicy) *admin.DefaultPasswordLockoutPolicy {
 	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
 	logging.Log("GRPC-4Gsm9f").OnError(err).Debug("date parse failed")
 

internal/api/grpc/admin/server.go

@@ -1,6 +1,8 @@
 package admin
 
 import (
+	"github.com/caos/zitadel/internal/v2/command"
+	"github.com/caos/zitadel/internal/v2/query"
 	"google.golang.org/grpc"
 
 	"github.com/caos/zitadel/internal/admin/repository"
@@ -17,6 +19,8 @@ const (
 var _ admin.AdminServiceServer = (*Server)(nil)
 
 type Server struct {
+	command       *command.CommandSide
+	query         *query.QuerySide
 	org           repository.OrgRepository
 	iam           repository.IAMRepository
 	administrator repository.AdministratorRepository
@@ -27,8 +31,10 @@ type Config struct {
 	Repository eventsourcing.Config
 }
 
-func CreateServer(repo repository.Repository) *Server {
+func CreateServer(command *command.CommandSide, query *query.QuerySide, repo repository.Repository) *Server {
 	return &Server{
+		command:       command,
+		query:         query,
 		org:           repo,
 		iam:           repo,
 		administrator: repo,

internal/api/grpc/management/server.go

@@ -1,6 +1,8 @@
 package management
 
 import (
+	"github.com/caos/zitadel/internal/v2/command"
+	"github.com/caos/zitadel/internal/v2/query"
 	"google.golang.org/grpc"
 
 	"github.com/caos/zitadel/internal/api/authz"
@@ -18,6 +20,8 @@ const (
 var _ management.ManagementServiceServer = (*Server)(nil)
 
 type Server struct {
+	command        *command.CommandSide
+	query          *query.QuerySide
 	project        repository.ProjectRepository
 	org            repository.OrgRepository
 	user           repository.UserRepository
@@ -31,8 +35,10 @@ type Config struct {
 	Repository eventsourcing.Config
 }
 
-func CreateServer(repo repository.Repository, sd systemdefaults.SystemDefaults) *Server {
+func CreateServer(command *command.CommandSide, query *query.QuerySide, repo repository.Repository, sd systemdefaults.SystemDefaults) *Server {
 	return &Server{
+		command:        command,
+		query:          query,
 		project:        repo,
 		org:            repo,
 		user:           repo,

internal/api/grpc/management/user.go

@@ -52,11 +52,11 @@ func (s *Server) IsUserUnique(ctx context.Context, request *management.UniqueUse
 }
 
 func (s *Server) CreateUser(ctx context.Context, in *management.CreateUserRequest) (*management.UserResponse, error) {
-	user, err := s.user.CreateUser(ctx, userCreateToModel(in))
+	user, err := s.command.AddUser(ctx, userCreateToDomain(in))
 	if err != nil {
 		return nil, err
 	}
-	return userFromModel(user), nil
+	return userFromDomain(user), nil
 }
 
 func (s *Server) DeactivateUser(ctx context.Context, in *management.UserID) (*management.UserResponse, error) {

internal/api/grpc/management/user_converter.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 
 	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/golang/protobuf/ptypes"
 	"golang.org/x/text/language"
 	"google.golang.org/protobuf/encoding/protojson"
@@ -16,6 +17,32 @@ import (
 	"github.com/caos/zitadel/pkg/grpc/message"
 )
 
+func userFromDomain(user *domain.User) *management.UserResponse {
+	creationDate, err := ptypes.TimestampProto(user.CreationDate)
+	logging.Log("GRPC-8duwe").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(user.ChangeDate)
+	logging.Log("GRPC-ckoe3d").OnError(err).Debug("unable to parse timestamp")
+
+	userResp := &management.UserResponse{
+		Id:           user.AggregateID,
+		State:        userStateFromDomain(user.State),
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+		Sequence:     user.Sequence,
+		UserName:     user.UserName,
+	}
+
+	if user.Machine != nil {
+		userResp.User = &management.UserResponse_Machine{Machine: machineFromDomain(user.Machine)}
+	}
+	if user.Human != nil {
+		userResp.User = &management.UserResponse_Human{Human: humanFromDomain(user.Human)}
+	}
+
+	return userResp
+}
+
 func userFromModel(user *usr_model.User) *management.UserResponse {
 	creationDate, err := ptypes.TimestampProto(user.CreationDate)
 	logging.Log("GRPC-8duwe").OnError(err).Debug("unable to parse timestamp")
@@ -25,7 +52,7 @@ func userFromModel(user *usr_model.User) *management.UserResponse {
 
 	userResp := &management.UserResponse{
 		Id:           user.AggregateID,
-		State:        userStateFromModel(user.State),
+		State:        management.UserState(user.State),
 		CreationDate: creationDate,
 		ChangeDate:   changeDate,
 		Sequence:     user.Sequence,
@@ -42,18 +69,18 @@ func userFromModel(user *usr_model.User) *management.UserResponse {
 	return userResp
 }
 
-func userCreateToModel(user *management.CreateUserRequest) *usr_model.User {
+func userCreateToDomain(user *management.CreateUserRequest) *domain.User {
-	var human *usr_model.Human
+	var human *domain.Human
-	var machine *usr_model.Machine
+	var machine *domain.Machine
 
 	if h := user.GetHuman(); h != nil {
-		human = humanCreateToModel(h)
+		human = humanCreateToDomain(h)
 	}
 	if m := user.GetMachine(); m != nil {
-		machine = machineCreateToModel(m)
+		machine = machineCreateToDomain(m)
 	}
 
-	return &usr_model.User{
+	return &domain.User{
 		UserName: user.UserName,
 		Human:    human,
 		Machine:  machine,
@@ -222,7 +249,7 @@ func profileFromModel(profile *usr_model.Profile) *management.UserProfile {
 		DisplayName:       profile.DisplayName,
 		NickName:          profile.NickName,
 		PreferredLanguage: profile.PreferredLanguage.String(),
-		Gender:            genderFromModel(profile.Gender),
+		Gender:            management.Gender(profile.Gender),
 	}
 }
 
@@ -243,7 +270,7 @@ func profileViewFromModel(profile *usr_model.Profile) *management.UserProfileVie
 		DisplayName:        profile.DisplayName,
 		NickName:           profile.NickName,
 		PreferredLanguage:  profile.PreferredLanguage.String(),
-		Gender:             genderFromModel(profile.Gender),
+		Gender:             management.Gender(profile.Gender),
 		LoginNames:         profile.LoginNames,
 		PreferredLoginName: profile.PreferredLoginName,
 	}
@@ -259,7 +286,7 @@ func updateProfileToModel(u *management.UpdateUserProfileRequest) *usr_model.Pro
 		LastName:          u.LastName,
 		NickName:          u.NickName,
 		PreferredLanguage: preferredLanguage,
-		Gender:            genderToModel(u.Gender),
+		Gender:            usr_model.Gender(u.Gender),
 	}
 }
 
@@ -430,7 +457,7 @@ func userViewFromModel(user *usr_model.UserView) *management.UserView {
 
 	userView := &management.UserView{
 		Id:                 user.ID,
-		State:              userStateFromModel(user.State),
+		State:              management.UserState(user.State),
 		CreationDate:       creationDate,
 		ChangeDate:         changeDate,
 		LastLogin:          lastLogin,
@@ -520,30 +547,30 @@ func notifyTypeToModel(state management.NotificationType) usr_model.Notification
 	}
 }
 
-func userStateFromModel(state usr_model.UserState) management.UserState {
+func userStateFromDomain(state domain.UserState) management.UserState {
 	switch state {
-	case usr_model.UserStateActive:
+	case domain.UserStateActive:
 		return management.UserState_USERSTATE_ACTIVE
-	case usr_model.UserStateInactive:
+	case domain.UserStateInactive:
 		return management.UserState_USERSTATE_INACTIVE
-	case usr_model.UserStateLocked:
+	case domain.UserStateLocked:
 		return management.UserState_USERSTATE_LOCKED
-	case usr_model.UserStateInitial:
+	case domain.UserStateInitial:
 		return management.UserState_USERSTATE_INITIAL
-	case usr_model.UserStateSuspend:
+	case domain.UserStateSuspend:
 		return management.UserState_USERSTATE_SUSPEND
 	default:
 		return management.UserState_USERSTATE_UNSPECIFIED
 	}
 }
 
-func genderFromModel(gender usr_model.Gender) management.Gender {
+func genderFromDomain(gender domain.Gender) management.Gender {
 	switch gender {
-	case usr_model.GenderFemale:
+	case domain.GenderFemale:
 		return management.Gender_GENDER_FEMALE
-	case usr_model.GenderMale:
+	case domain.GenderMale:
 		return management.Gender_GENDER_MALE
-	case usr_model.GenderDiverse:
+	case domain.GenderDiverse:
 		return management.Gender_GENDER_DIVERSE
 	default:
 		return management.Gender_GENDER_UNSPECIFIED
@@ -562,16 +589,17 @@ func memberTypeFromModel(memberType usr_model.MemberType) management.MemberType
 		return management.MemberType_MEMBERTYPE_UNSPECIFIED
 	}
 }
-func genderToModel(gender management.Gender) usr_model.Gender {
+
+func genderToDomain(gender management.Gender) domain.Gender {
 	switch gender {
 	case management.Gender_GENDER_FEMALE:
-		return usr_model.GenderFemale
+		return domain.GenderFemale
 	case management.Gender_GENDER_MALE:
-		return usr_model.GenderMale
+		return domain.GenderMale
 	case management.Gender_GENDER_DIVERSE:
-		return usr_model.GenderDiverse
+		return domain.GenderDiverse
 	default:
-		return usr_model.GenderUnspecified
+		return domain.GenderUnspecified
 	}
 }
 

internal/api/grpc/management/user_human_converter.go

@@ -3,11 +3,40 @@ package management
 import (
 	"github.com/caos/logging"
 	usr_model "github.com/caos/zitadel/internal/user/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/pkg/grpc/management"
 	"github.com/golang/protobuf/ptypes"
 	"golang.org/x/text/language"
 )
 
+func humanFromDomain(user *domain.Human) *management.HumanResponse {
+	human := &management.HumanResponse{
+		FirstName:         user.FirstName,
+		LastName:          user.LastName,
+		DisplayName:       user.DisplayName,
+		NickName:          user.NickName,
+		PreferredLanguage: user.PreferredLanguage.String(),
+		Gender:            genderFromDomain(user.Gender),
+	}
+
+	if user.Email != nil {
+		human.Email = user.EmailAddress
+		human.IsEmailVerified = user.IsEmailVerified
+	}
+	if user.Phone != nil {
+		human.Phone = user.PhoneNumber
+		human.IsPhoneVerified = user.IsPhoneVerified
+	}
+	if user.Address != nil {
+		human.Country = user.Country
+		human.Locality = user.Locality
+		human.PostalCode = user.PostalCode
+		human.Region = user.Region
+		human.StreetAddress = user.StreetAddress
+	}
+	return human
+}
+
 func humanFromModel(user *usr_model.Human) *management.HumanResponse {
 	human := &management.HumanResponse{
 		FirstName:         user.FirstName,
@@ -15,7 +44,8 @@ func humanFromModel(user *usr_model.Human) *management.HumanResponse {
 		DisplayName:       user.DisplayName,
 		NickName:          user.NickName,
 		PreferredLanguage: user.PreferredLanguage.String(),
-		Gender:            genderFromModel(user.Gender),
+		//TODO: User Converter
+		Gender: management.Gender(user.Gender),
 	}
 
 	if user.Email != nil {
@@ -46,7 +76,8 @@ func humanViewFromModel(user *usr_model.HumanView) *management.HumanView {
 		DisplayName:       user.DisplayName,
 		NickName:          user.NickName,
 		PreferredLanguage: user.PreferredLanguage,
-		Gender:            genderFromModel(user.Gender),
+		//TODO: User converter
+		Gender:          management.Gender(user.Gender),
 		Email:           user.Email,
 		IsEmailVerified: user.IsEmailVerified,
 		Phone:           user.Phone,
@@ -60,23 +91,23 @@ func humanViewFromModel(user *usr_model.HumanView) *management.HumanView {
 	}
 }
 
-func humanCreateToModel(u *management.CreateHumanRequest) *usr_model.Human {
+func humanCreateToDomain(u *management.CreateHumanRequest) *domain.Human {
 	preferredLanguage, err := language.Parse(u.PreferredLanguage)
 	logging.Log("GRPC-cK5k2").OnError(err).Debug("language malformed")
 
-	human := &usr_model.Human{
+	human := &domain.Human{
-		Profile: &usr_model.Profile{
+		Profile: &domain.Profile{
 			FirstName:         u.FirstName,
 			LastName:          u.LastName,
 			NickName:          u.NickName,
 			PreferredLanguage: preferredLanguage,
-			Gender:            genderToModel(u.Gender),
+			Gender:            genderToDomain(u.Gender),
 		},
-		Email: &usr_model.Email{
+		Email: &domain.Email{
 			EmailAddress:    u.Email,
 			IsEmailVerified: u.IsEmailVerified,
 		},
-		Address: &usr_model.Address{
+		Address: &domain.Address{
 			Country:       u.Country,
 			Locality:      u.Locality,
 			PostalCode:    u.PostalCode,
@@ -85,10 +116,10 @@ func humanCreateToModel(u *management.CreateHumanRequest) *usr_model.Human {
 		},
 	}
 	if u.Password != "" {
-		human.Password = &usr_model.Password{SecretString: u.Password}
+		human.Password = &domain.Password{SecretString: u.Password}
 	}
 	if u.Phone != "" {
-		human.Phone = &usr_model.Phone{PhoneNumber: u.Phone, IsPhoneVerified: u.IsPhoneVerified}
+		human.Phone = &domain.Phone{PhoneNumber: u.Phone, IsPhoneVerified: u.IsPhoneVerified}
 	}
 	return human
 }

internal/api/grpc/management/user_machine_converter.go

@@ -2,6 +2,7 @@ package management
 
 import (
 	"encoding/json"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"time"
 
 	"github.com/caos/logging"
@@ -12,8 +13,8 @@ import (
 	"github.com/golang/protobuf/ptypes"
 )
 
-func machineCreateToModel(machine *management.CreateMachineRequest) *usr_model.Machine {
+func machineCreateToDomain(machine *management.CreateMachineRequest) *domain.Machine {
-	return &usr_model.Machine{
+	return &domain.Machine{
 		Name:        machine.Name,
 		Description: machine.Description,
 	}
@@ -26,6 +27,13 @@ func updateMachineToModel(machine *management.UpdateMachineRequest) *usr_model.M
 	}
 }
 
+func machineFromDomain(account *domain.Machine) *management.MachineResponse {
+	return &management.MachineResponse{
+		Name:        account.Name,
+		Description: account.Description,
+	}
+}
+
 func machineFromModel(account *usr_model.Machine) *management.MachineResponse {
 	return &management.MachineResponse{
 		Name:        account.Name,

internal/static/i18n/de.yaml

@@ -28,9 +28,10 @@ Errors:
       Invalid: Email ist ungültig
       AlreadyVerified: Email ist bereits verifiziert
       NotChanged: Email wurde nicht geändert
-    PhoneNotFound: Telfonnummer nicht gefunden
+    Phone:
-    PhoneInvalid: Telefonnummer ist ungültig
+      NotFound: Telfonnummer nicht gefunden
-    PhoneAlreadyVerified: Telefonnummer bereits verifiziert
+      Invalid: Telefonnummer ist ungültig
+      AlreadyVerified: Telefonnummer bereits verifiziert
     Address:
       NotFound: Addresse nicht gefunden
       NotChanged: Addresse wurde nicht geändert

internal/static/i18n/en.yaml

@@ -28,9 +28,10 @@ Errors:
       Invalid: Email is invalid
       AlreadyVerified: Email is alredy verified
       NotChanged: Email not changed
-    PhoneNotFound: Phone not found
+    Phone:
-    PhoneInvalid: Phone is invalid
+      NotFound: Phone not found
-    PhoneAlreadyVerified: Phone already verified
+      Invalid: Phone is invalid
+      AlreadyVerified: Phone already verified
     Address:
       NotFound: Address not found
       NotChanged: Address not changed

internal/user/model/user_human.go

@@ -3,6 +3,7 @@ package model
 import (
 	"bytes"
 	caos_errors "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"strings"
 	"time"
 
@@ -48,7 +49,7 @@ const (
 	GenderDiverse
 )
 
-func (u *Human) CheckOrgIAMPolicy(userName string, policy *iam_model.OrgIAMPolicy) error {
+func (u *Human) CheckOrgIAMPolicy(userName string, policy *domain.OrgIAMPolicy) error {
 	if policy == nil {
 		return caos_errors.ThrowPreconditionFailed(nil, "MODEL-zSH7j", "Errors.Users.OrgIamPolicyNil")
 	}

internal/user/repository/eventsourcing/eventstore.go

@@ -1024,12 +1024,12 @@ func (es *UserEventstore) PhoneByID(ctx context.Context, userID string) (*usr_mo
 	if user.Phone != nil {
 		return user.Phone, nil
 	}
-	return nil, caos_errs.ThrowNotFound(nil, "EVENT-pos9e", "Errors.User.PhoneNotFound")
+	return nil, caos_errs.ThrowNotFound(nil, "EVENT-pos9e", "Errors.User.Phone.NotFound")
 }
 
 func (es *UserEventstore) ChangePhone(ctx context.Context, phone *usr_model.Phone) (*usr_model.Phone, error) {
 	if !phone.IsValid() {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-do9s4", "Errors.User.PhoneInvalid")
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-do9s4", "Errors.User.Phone.Invalid")
 	}
 	user, err := es.HumanByID(ctx, phone.AggregateID)
 	if err != nil {
@@ -1093,10 +1093,10 @@ func (es *UserEventstore) CreatePhoneVerificationCode(ctx context.Context, userI
 		return err
 	}
 	if user.Phone == nil {
-		return caos_errs.ThrowPreconditionFailed(nil, "EVENT-sp9fs", "Errors.User.PhoneNotFound")
+		return caos_errs.ThrowPreconditionFailed(nil, "EVENT-sp9fs", "Errors.User.Phone.NotFound")
 	}
 	if user.IsPhoneVerified {
-		return caos_errs.ThrowPreconditionFailed(nil, "EVENT-sleis", "Errors.User.PhoneAlreadyVerified")
+		return caos_errs.ThrowPreconditionFailed(nil, "EVENT-sleis", "Errors.User.Phone.AlreadyVerified")
 	}
 
 	phoneCode := new(usr_model.PhoneCode)

internal/v2/command/iam_converter.go

@@ -4,6 +4,7 @@ import (
 	"github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 )
 
 func writeModelToObjectRoot(writeModel eventstore.WriteModel) models.ObjectRoot {
@@ -25,50 +26,50 @@ func writeModelToIAM(wm *IAMWriteModel) *model.IAM {
 	}
 }
 
-func writeModelToMember(writeModel *IAMMemberWriteModel) *model.IAMMember {
+func writeModelToMember(writeModel *IAMMemberWriteModel) *domain.IAMMember {
-	return &model.IAMMember{
+	return &domain.IAMMember{
 		ObjectRoot: writeModelToObjectRoot(writeModel.MemberWriteModel.WriteModel),
 		Roles:      writeModel.Roles,
 		UserID:     writeModel.UserID,
 	}
 }
 
-func writeModelToLoginPolicy(wm *IAMLoginPolicyWriteModel) *model.LoginPolicy {
+func writeModelToLoginPolicy(wm *IAMLoginPolicyWriteModel) *domain.LoginPolicy {
-	return &model.LoginPolicy{
+	return &domain.LoginPolicy{
 		ObjectRoot:            writeModelToObjectRoot(wm.LoginPolicyWriteModel.WriteModel),
 		AllowUsernamePassword: wm.AllowUserNamePassword,
 		AllowRegister:         wm.AllowRegister,
 		AllowExternalIdp:      wm.AllowExternalIDP,
 		ForceMFA:              wm.ForceMFA,
-		PasswordlessType:      model.PasswordlessType(wm.PasswordlessType),
+		PasswordlessType:      wm.PasswordlessType,
 	}
 }
 
-func writeModelToLabelPolicy(wm *IAMLabelPolicyWriteModel) *model.LabelPolicy {
+func writeModelToLabelPolicy(wm *IAMLabelPolicyWriteModel) *domain.LabelPolicy {
-	return &model.LabelPolicy{
+	return &domain.LabelPolicy{
 		ObjectRoot:     writeModelToObjectRoot(wm.LabelPolicyWriteModel.WriteModel),
 		PrimaryColor:   wm.PrimaryColor,
 		SecondaryColor: wm.SecondaryColor,
 	}
 }
 
-func writeModelToOrgIAMPolicy(wm *IAMOrgIAMPolicyWriteModel) *model.OrgIAMPolicy {
+func writeModelToOrgIAMPolicy(wm *IAMOrgIAMPolicyWriteModel) *domain.OrgIAMPolicy {
-	return &model.OrgIAMPolicy{
+	return &domain.OrgIAMPolicy{
 		ObjectRoot:            writeModelToObjectRoot(wm.PolicyOrgIAMWriteModel.WriteModel),
 		UserLoginMustBeDomain: wm.UserLoginMustBeDomain,
 	}
 }
 
-func writeModelToPasswordAgePolicy(wm *IAMPasswordAgePolicyWriteModel) *model.PasswordAgePolicy {
+func writeModelToPasswordAgePolicy(wm *IAMPasswordAgePolicyWriteModel) *domain.PasswordAgePolicy {
-	return &model.PasswordAgePolicy{
+	return &domain.PasswordAgePolicy{
 		ObjectRoot:     writeModelToObjectRoot(wm.PasswordAgePolicyWriteModel.WriteModel),
 		MaxAgeDays:     wm.MaxAgeDays,
 		ExpireWarnDays: wm.ExpireWarnDays,
 	}
 }
 
-func writeModelToPasswordComplexityPolicy(wm *IAMPasswordComplexityPolicyWriteModel) *model.PasswordComplexityPolicy {
+func writeModelToPasswordComplexityPolicy(wm *IAMPasswordComplexityPolicyWriteModel) *domain.PasswordComplexityPolicy {
-	return &model.PasswordComplexityPolicy{
+	return &domain.PasswordComplexityPolicy{
 		ObjectRoot:   writeModelToObjectRoot(wm.PasswordComplexityPolicyWriteModel.WriteModel),
 		MinLength:    wm.MinLength,
 		HasLowercase: wm.HasLowercase,
@@ -78,41 +79,41 @@ func writeModelToPasswordComplexityPolicy(wm *IAMPasswordComplexityPolicyWriteMo
 	}
 }
 
-func writeModelToPasswordLockoutPolicy(wm *IAMPasswordLockoutPolicyWriteModel) *model.PasswordLockoutPolicy {
+func writeModelToPasswordLockoutPolicy(wm *IAMPasswordLockoutPolicyWriteModel) *domain.PasswordLockoutPolicy {
-	return &model.PasswordLockoutPolicy{
+	return &domain.PasswordLockoutPolicy{
 		ObjectRoot:          writeModelToObjectRoot(wm.PasswordLockoutPolicyWriteModel.WriteModel),
 		MaxAttempts:         wm.MaxAttempts,
 		ShowLockOutFailures: wm.ShowLockOutFailures,
 	}
 }
 
-func writeModelToIDPConfig(wm *IAMIDPConfigWriteModel) *model.IDPConfig {
+func writeModelToIDPConfig(wm *IAMIDPConfigWriteModel) *domain.IDPConfig {
-	return &model.IDPConfig{
+	return &domain.IDPConfig{
 		ObjectRoot:  writeModelToObjectRoot(wm.WriteModel),
 		OIDCConfig:  writeModelToIDPOIDCConfig(wm.OIDCConfig),
 		IDPConfigID: wm.ConfigID,
 		Name:        wm.Name,
-		State:       model.IDPConfigState(wm.State),
+		State:       wm.State,
-		StylingType: model.IDPStylingType(wm.StylingType),
+		StylingType: wm.StylingType,
 	}
 }
 
-func writeModelToIDPOIDCConfig(wm *OIDCConfigWriteModel) *model.OIDCIDPConfig {
+func writeModelToIDPOIDCConfig(wm *OIDCConfigWriteModel) *domain.OIDCIDPConfig {
-	return &model.OIDCIDPConfig{
+	return &domain.OIDCIDPConfig{
 		ObjectRoot:            writeModelToObjectRoot(wm.WriteModel),
 		ClientID:              wm.ClientID,
 		IDPConfigID:           wm.IDPConfigID,
-		IDPDisplayNameMapping: model.OIDCMappingField(wm.IDPDisplayNameMapping),
+		IDPDisplayNameMapping: wm.IDPDisplayNameMapping,
 		Issuer:                wm.Issuer,
 		Scopes:                wm.Scopes,
-		UsernameMapping:       model.OIDCMappingField(wm.UserNameMapping),
+		UsernameMapping:       wm.UserNameMapping,
 	}
 }
 
-func writeModelToIDPProvider(wm *IAMIdentityProviderWriteModel) *model.IDPProvider {
+func writeModelToIDPProvider(wm *IAMIdentityProviderWriteModel) *domain.IDPProvider {
-	return &model.IDPProvider{
+	return &domain.IDPProvider{
 		ObjectRoot:  writeModelToObjectRoot(wm.IdentityProviderWriteModel.WriteModel),
 		IDPConfigID: wm.IDPConfigID,
-		Type:        model.IDPProviderType(wm.IDPProviderType),
+		Type:        wm.IDPProviderType,
 	}
 }

internal/v2/command/iam_idp_config.go

@@ -8,12 +8,11 @@ import (
 
 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/errors"
-	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/v2/repository/iam"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
 )
 
-func (r *CommandSide) AddDefaultIDPConfig(ctx context.Context, config *iam_model.IDPConfig) (*iam_model.IDPConfig, error) {
+func (r *CommandSide) AddDefaultIDPConfig(ctx context.Context, config *domain.IDPConfig) (*domain.IDPConfig, error) {
 	if config.OIDCConfig == nil {
 		return nil, errors.ThrowInvalidArgument(nil, "IAM-eUpQU", "Errors.idp.config.notset")
 	}
@@ -36,8 +35,8 @@ func (r *CommandSide) AddDefaultIDPConfig(ctx context.Context, config *iam_model
 			ctx,
 			idpConfigID,
 			config.Name,
-			domain.IDPConfigType(config.Type),
+			config.Type,
-			domain.IDPConfigStylingType(config.StylingType),
+			config.StylingType,
 		),
 	)
 	iamAgg.PushEvents(
@@ -46,8 +45,8 @@ func (r *CommandSide) AddDefaultIDPConfig(ctx context.Context, config *iam_model
 			idpConfigID,
 			config.OIDCConfig.Issuer,
 			clientSecret,
-			domain.OIDCMappingField(config.OIDCConfig.IDPDisplayNameMapping),
+			config.OIDCConfig.IDPDisplayNameMapping,
-			domain.OIDCMappingField(config.OIDCConfig.UsernameMapping),
+			config.OIDCConfig.UsernameMapping,
 			config.OIDCConfig.Scopes...,
 		),
 	)
@@ -58,7 +57,7 @@ func (r *CommandSide) AddDefaultIDPConfig(ctx context.Context, config *iam_model
 	return writeModelToIDPConfig(addedConfig), nil
 }
 
-func (r *CommandSide) ChangeDefaultIDPConfig(ctx context.Context, config *iam_model.IDPConfig) (*iam_model.IDPConfig, error) {
+func (r *CommandSide) ChangeDefaultIDPConfig(ctx context.Context, config *domain.IDPConfig) (*domain.IDPConfig, error) {
 	existingIDP, err := r.iamIDPConfigWriteModelByID(ctx, config.AggregateID, config.IDPConfigID)
 	if err != nil {
 		return nil, err
@@ -67,7 +66,7 @@ func (r *CommandSide) ChangeDefaultIDPConfig(ctx context.Context, config *iam_mo
 		return nil, caos_errs.ThrowAlreadyExists(nil, "IAM-4M9so", "Errors.IAM.IDPConfig.NotExisting")
 	}
 
-	changedEvent, hasChanged := existingIDP.NewChangedEvent(ctx, config.IDPConfigID, config.Name, domain.IDPConfigStylingType(config.StylingType))
+	changedEvent, hasChanged := existingIDP.NewChangedEvent(ctx, config.IDPConfigID, config.Name, config.StylingType)
 	if !hasChanged {
 		return nil, caos_errs.ThrowAlreadyExists(nil, "IAM-4M9vs", "Errors.IAM.LabelPolicy.NotChanged")
 	}
@@ -81,8 +80,8 @@ func (r *CommandSide) ChangeDefaultIDPConfig(ctx context.Context, config *iam_mo
 	return writeModelToIDPConfig(existingIDP), nil
 }
 
-func (r *CommandSide) DeactivateDefaultIDPConfig(ctx context.Context, iamID, idpID string) (*iam_model.IDPConfig, error) {
+func (r *CommandSide) DeactivateDefaultIDPConfig(ctx context.Context, idpID string) (*domain.IDPConfig, error) {
-	existingIDP, err := r.iamIDPConfigWriteModelByID(ctx, iamID, idpID)
+	existingIDP, err := r.iamIDPConfigWriteModelByID(ctx, r.iamID, idpID)
 	if err != nil {
 		return nil, err
 	}
@@ -99,8 +98,8 @@ func (r *CommandSide) DeactivateDefaultIDPConfig(ctx context.Context, iamID, idp
 	return writeModelToIDPConfig(existingIDP), nil
 }
 
-func (r *CommandSide) ReactivateDefaultIDPConfig(ctx context.Context, iamID, idpID string) (*iam_model.IDPConfig, error) {
+func (r *CommandSide) ReactivateDefaultIDPConfig(ctx context.Context, idpID string) (*domain.IDPConfig, error) {
-	existingIDP, err := r.iamIDPConfigWriteModelByID(ctx, iamID, idpID)
+	existingIDP, err := r.iamIDPConfigWriteModelByID(ctx, r.iamID, idpID)
 	if err != nil {
 		return nil, err
 	}
@@ -118,7 +117,7 @@ func (r *CommandSide) ReactivateDefaultIDPConfig(ctx context.Context, iamID, idp
 	return writeModelToIDPConfig(existingIDP), nil
 }
 
-func (r *CommandSide) RemoveDefaultIDPConfig(ctx context.Context, iamID, idpID string) (*iam_model.IDPConfig, error) {
+func (r *CommandSide) RemoveDefaultIDPConfig(ctx context.Context, iamID, idpID string) (*domain.IDPConfig, error) {
 	writeModel, err := r.pushDefaultIDPWriteModel(ctx, iamID, idpID, func(a *iam.Aggregate, _ *IAMIDPConfigWriteModel) *iam.Aggregate {
 		a.Aggregate = *a.PushEvents(iam_repo.NewIDPConfigRemovedEvent(ctx, idpID))
 		return a

internal/v2/command/iam_idp_oidc_config.go

@@ -4,11 +4,9 @@ import (
 	"context"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/v2/domain"
-
-	iam_model "github.com/caos/zitadel/internal/iam/model"
 )
 
-func (r *CommandSide) ChangeDefaultIDPOIDCConfig(ctx context.Context, config *iam_model.OIDCIDPConfig) (*iam_model.OIDCIDPConfig, error) {
+func (r *CommandSide) ChangeDefaultIDPOIDCConfig(ctx context.Context, config *domain.OIDCIDPConfig) (*domain.OIDCIDPConfig, error) {
 	existingConfig := NewIDPOIDCConfigWriteModel(config.AggregateID, config.IDPConfigID)
 	err := r.eventstore.FilterToQueryReducer(ctx, existingConfig)
 	if err != nil {
@@ -25,8 +23,8 @@ func (r *CommandSide) ChangeDefaultIDPOIDCConfig(ctx context.Context, config *ia
 		config.Issuer,
 		config.ClientSecretString,
 		r.idpConfigSecretCrypto,
-		domain.OIDCMappingField(config.IDPDisplayNameMapping),
+		config.IDPDisplayNameMapping,
-		domain.OIDCMappingField(config.UsernameMapping),
+		config.UsernameMapping,
 		config.Scopes...)
 	if err != nil {
 		return nil, err

internal/v2/command/iam_member.go

@@ -2,16 +2,16 @@ package command
 
 import (
 	"context"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"reflect"
 
 	"github.com/caos/zitadel/internal/errors"
 	caos_errs "github.com/caos/zitadel/internal/errors"
-	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
 )
 
-func (r *CommandSide) AddIAMMember(ctx context.Context, member *iam_model.IAMMember) (*iam_model.IAMMember, error) {
+func (r *CommandSide) AddIAMMember(ctx context.Context, member *domain.IAMMember) (*domain.IAMMember, error) {
 	//TODO: check if roles valid
 
 	if !member.IsValid() {
@@ -39,7 +39,7 @@ func (r *CommandSide) AddIAMMember(ctx context.Context, member *iam_model.IAMMem
 }
 
 //ChangeIAMMember updates an existing member
-func (r *CommandSide) ChangeIAMMember(ctx context.Context, member *iam_model.IAMMember) (*iam_model.IAMMember, error) {
+func (r *CommandSide) ChangeIAMMember(ctx context.Context, member *domain.IAMMember) (*domain.IAMMember, error) {
 	//TODO: check if roles valid
 
 	if !member.IsValid() {
@@ -70,8 +70,8 @@ func (r *CommandSide) ChangeIAMMember(ctx context.Context, member *iam_model.IAM
 	return writeModelToMember(existingMember), nil
 }
 
-func (r *CommandSide) RemoveIAMMember(ctx context.Context, member *iam_model.IAMMember) error {
+func (r *CommandSide) RemoveIAMMember(ctx context.Context, userID string) error {
-	m, err := r.iamMemberWriteModelByID(ctx, member.AggregateID, member.UserID)
+	m, err := r.iamMemberWriteModelByID(ctx, r.iamID, userID)
 	if err != nil && !errors.IsNotFound(err) {
 		return err
 	}
@@ -80,7 +80,7 @@ func (r *CommandSide) RemoveIAMMember(ctx context.Context, member *iam_model.IAM
 	}
 
 	iamAgg := IAMAggregateFromWriteModel(&m.MemberWriteModel.WriteModel)
-	iamAgg.PushEvents(iam_repo.NewMemberRemovedEvent(ctx, member.UserID))
+	iamAgg.PushEvents(iam_repo.NewMemberRemovedEvent(ctx, userID))
 
 	return r.eventstore.PushAggregate(ctx, m, iamAgg)
 }

internal/v2/command/iam_policy_label.go

@@ -3,16 +3,13 @@ package command
 import (
 	"context"
 	caos_errs "github.com/caos/zitadel/internal/errors"
-	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
+	"github.com/caos/zitadel/internal/v2/domain"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
 )
 
-func (r *CommandSide) AddDefaultLabelPolicy(ctx context.Context, policy *iam_model.LabelPolicy) (*iam_model.LabelPolicy, error) {
+func (r *CommandSide) AddDefaultLabelPolicy(ctx context.Context, policy *domain.LabelPolicy) (*domain.LabelPolicy, error) {
-	if !policy.IsValid() {
+	policy.AggregateID = r.iamID
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "IAM-5Mv0s", "Errors.IAM.LabelPolicyInvalid")
-	}
-
 	addedPolicy := NewIAMLabelPolicyWriteModel(policy.AggregateID)
 	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
 	if err != nil {
@@ -33,11 +30,8 @@ func (r *CommandSide) AddDefaultLabelPolicy(ctx context.Context, policy *iam_mod
 	return writeModelToLabelPolicy(addedPolicy), nil
 }
 
-func (r *CommandSide) ChangeDefaultLabelPolicy(ctx context.Context, policy *iam_model.LabelPolicy) (*iam_model.LabelPolicy, error) {
+func (r *CommandSide) ChangeDefaultLabelPolicy(ctx context.Context, policy *domain.LabelPolicy) (*domain.LabelPolicy, error) {
-	if !policy.IsValid() {
+	policy.AggregateID = r.iamID
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "IAM-6M0od", "Errors.IAM.LabelPolicyInvalid")
-	}
-
 	existingPolicy, err := r.defaultLabelPolicyWriteModelByID(ctx, policy.AggregateID)
 	if err != nil {
 		return nil, err

internal/v2/command/iam_policy_login.go

@@ -9,7 +9,8 @@ import (
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
 )
 
-func (r *CommandSide) AddDefaultLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*iam_model.LoginPolicy, error) {
+func (r *CommandSide) AddDefaultLoginPolicy(ctx context.Context, policy *domain.LoginPolicy) (*domain.LoginPolicy, error) {
+	policy.AggregateID = r.iamID
 	addedPolicy := NewIAMLoginPolicyWriteModel(policy.AggregateID)
 	iamAgg, err := r.addDefaultLoginPolicy(ctx, addedPolicy, policy)
 	if err != nil {
@@ -23,7 +24,7 @@ func (r *CommandSide) AddDefaultLoginPolicy(ctx context.Context, policy *iam_mod
 	return writeModelToLoginPolicy(addedPolicy), nil
 }
 
-func (r *CommandSide) addDefaultLoginPolicy(ctx context.Context, addedPolicy *IAMLoginPolicyWriteModel, policy *iam_model.LoginPolicy) (*iam_repo.Aggregate, error) {
+func (r *CommandSide) addDefaultLoginPolicy(ctx context.Context, addedPolicy *IAMLoginPolicyWriteModel, policy *domain.LoginPolicy) (*iam_repo.Aggregate, error) {
 	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
 	if err != nil {
 		return nil, err
@@ -33,16 +34,13 @@ func (r *CommandSide) addDefaultLoginPolicy(ctx context.Context, addedPolicy *IA
 	}
 
 	iamAgg := IAMAggregateFromWriteModel(&addedPolicy.LoginPolicyWriteModel.WriteModel)
-	iamAgg.PushEvents(iam_repo.NewLoginPolicyAddedEvent(ctx, policy.AllowUsernamePassword, policy.AllowRegister, policy.AllowExternalIdp, policy.ForceMFA, domain.PasswordlessType(policy.PasswordlessType)))
+	iamAgg.PushEvents(iam_repo.NewLoginPolicyAddedEvent(ctx, policy.AllowUsernamePassword, policy.AllowRegister, policy.AllowExternalIdp, policy.ForceMFA, policy.PasswordlessType))
 
 	return iamAgg, nil
 }
 
-func (r *CommandSide) ChangeDefaultLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*iam_model.LoginPolicy, error) {
+func (r *CommandSide) ChangeDefaultLoginPolicy(ctx context.Context, policy *domain.LoginPolicy) (*domain.LoginPolicy, error) {
-	if !policy.IsValid() {
+	policy.AggregateID = r.iamID
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "IAM-6M0od", "Errors.IAM.LoginPolicyInvalid")
-	}
-
 	existingPolicy, err := r.defaultLoginPolicyWriteModelByID(ctx, policy.AggregateID)
 	if err != nil {
 		return nil, err
@@ -65,7 +63,8 @@ func (r *CommandSide) ChangeDefaultLoginPolicy(ctx context.Context, policy *iam_
 	return writeModelToLoginPolicy(existingPolicy), nil
 }
 
-func (r *CommandSide) AddIDPProviderToDefaultLoginPolicy(ctx context.Context, idpProvider *iam_model.IDPProvider) (*iam_model.IDPProvider, error) {
+func (r *CommandSide) AddIDPProviderToDefaultLoginPolicy(ctx context.Context, idpProvider *domain.IDPProvider) (*domain.IDPProvider, error) {
+	idpProvider.AggregateID = r.iamID
 	idpModel := NewIAMIdentityProviderWriteModel(idpProvider.AggregateID, idpProvider.IDPConfigID)
 	err := r.eventstore.FilterToQueryReducer(ctx, idpModel)
 	if err != nil {
@@ -86,6 +85,7 @@ func (r *CommandSide) AddIDPProviderToDefaultLoginPolicy(ctx context.Context, id
 }
 
 func (r *CommandSide) RemoveIDPProviderFromDefaultLoginPolicy(ctx context.Context, idpProvider *iam_model.IDPProvider) error {
+	idpProvider.AggregateID = r.iamID
 	idpModel := NewIAMIdentityProviderWriteModel(idpProvider.AggregateID, idpProvider.IDPConfigID)
 	err := r.eventstore.FilterToQueryReducer(ctx, idpModel)
 	if err != nil {
@@ -100,8 +100,8 @@ func (r *CommandSide) RemoveIDPProviderFromDefaultLoginPolicy(ctx context.Contex
 	return r.eventstore.PushAggregate(ctx, idpModel, iamAgg)
 }
 
-func (r *CommandSide) AddSecondFactorToDefaultLoginPolicy(ctx context.Context, iamID string, secondFactor iam_model.SecondFactorType) (iam_model.SecondFactorType, error) {
+func (r *CommandSide) AddSecondFactorToDefaultLoginPolicy(ctx context.Context, secondFactor iam_model.SecondFactorType) (iam_model.SecondFactorType, error) {
-	secondFactorModel := NewIAMSecondFactorWriteModel(iamID)
+	secondFactorModel := NewIAMSecondFactorWriteModel(r.iamID)
 	err := r.eventstore.FilterToQueryReducer(ctx, secondFactorModel)
 	if err != nil {
 		return iam_model.SecondFactorTypeUnspecified, err
@@ -121,8 +121,8 @@ func (r *CommandSide) AddSecondFactorToDefaultLoginPolicy(ctx context.Context, i
 	return iam_model.SecondFactorType(secondFactorModel.MFAType), nil
 }
 
-func (r *CommandSide) RemoveSecondFactorFromDefaultLoginPolicy(ctx context.Context, iamID string, secondFactor iam_model.SecondFactorType) error {
+func (r *CommandSide) RemoveSecondFactorFromDefaultLoginPolicy(ctx context.Context, secondFactor iam_model.SecondFactorType) error {
-	secondFactorModel := NewIAMSecondFactorWriteModel(iamID)
+	secondFactorModel := NewIAMSecondFactorWriteModel(r.iamID)
 	err := r.eventstore.FilterToQueryReducer(ctx, secondFactorModel)
 	if err != nil {
 		return err
@@ -136,8 +136,8 @@ func (r *CommandSide) RemoveSecondFactorFromDefaultLoginPolicy(ctx context.Conte
 	return r.eventstore.PushAggregate(ctx, secondFactorModel, iamAgg)
 }
 
-func (r *CommandSide) AddMultiFactorToDefaultLoginPolicy(ctx context.Context, iamID string, multiFactor iam_model.MultiFactorType) (iam_model.MultiFactorType, error) {
+func (r *CommandSide) AddMultiFactorToDefaultLoginPolicy(ctx context.Context, multiFactor iam_model.MultiFactorType) (iam_model.MultiFactorType, error) {
-	multiFactorModel := NewIAMMultiFactorWriteModel(iamID)
+	multiFactorModel := NewIAMMultiFactorWriteModel(r.iamID)
 	err := r.eventstore.FilterToQueryReducer(ctx, multiFactorModel)
 	if err != nil {
 		return iam_model.MultiFactorTypeUnspecified, err
@@ -155,8 +155,8 @@ func (r *CommandSide) AddMultiFactorToDefaultLoginPolicy(ctx context.Context, ia
 	return iam_model.MultiFactorType(multiFactorModel.MultiFactoryWriteModel.MFAType), nil
 }
 
-func (r *CommandSide) RemoveMultiFactorFromDefaultLoginPolicy(ctx context.Context, iamID string, multiFactor iam_model.MultiFactorType) error {
+func (r *CommandSide) RemoveMultiFactorFromDefaultLoginPolicy(ctx context.Context, multiFactor iam_model.MultiFactorType) error {
-	multiFactorModel := NewIAMMultiFactorWriteModel(iamID)
+	multiFactorModel := NewIAMMultiFactorWriteModel(r.iamID)
 	err := r.eventstore.FilterToQueryReducer(ctx, multiFactorModel)
 	if err != nil {
 		return err

internal/v2/command/iam_policy_org_iam.go

@@ -3,13 +3,13 @@ package command
 import (
 	"context"
 	caos_errs "github.com/caos/zitadel/internal/errors"
-	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
+	"github.com/caos/zitadel/internal/v2/domain"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
 )
 
-func (r *CommandSide) GetDefaultOrgIAMPolicy(ctx context.Context, aggregateID string) (*iam_model.OrgIAMPolicy, error) {
+func (r *CommandSide) GetDefaultOrgIAMPolicy(ctx context.Context) (*domain.OrgIAMPolicy, error) {
-	policyWriteModel := NewIAMOrgIAMPolicyWriteModel(aggregateID)
+	policyWriteModel := NewIAMOrgIAMPolicyWriteModel(r.iamID)
 	err := r.eventstore.FilterToQueryReducer(ctx, policyWriteModel)
 	if err != nil {
 		return nil, err
@@ -19,7 +19,8 @@ func (r *CommandSide) GetDefaultOrgIAMPolicy(ctx context.Context, aggregateID st
 	return policy, nil
 }
 
-func (r *CommandSide) AddDefaultOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
+func (r *CommandSide) AddDefaultOrgIAMPolicy(ctx context.Context, policy *domain.OrgIAMPolicy) (*domain.OrgIAMPolicy, error) {
+	policy.AggregateID = r.iamID
 	addedPolicy := NewIAMOrgIAMPolicyWriteModel(policy.AggregateID)
 	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
 	if err != nil {
@@ -39,7 +40,8 @@ func (r *CommandSide) AddDefaultOrgIAMPolicy(ctx context.Context, policy *iam_mo
 	return writeModelToOrgIAMPolicy(addedPolicy), nil
 }
 
-func (r *CommandSide) ChangeDefaultOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
+func (r *CommandSide) ChangeDefaultOrgIAMPolicy(ctx context.Context, policy *domain.OrgIAMPolicy) (*domain.OrgIAMPolicy, error) {
+	policy.AggregateID = r.iamID
 	existingPolicy, err := r.defaultOrgIAMPolicyWriteModelByID(ctx, policy.AggregateID)
 	if err != nil {
 		return nil, err

internal/v2/command/iam_policy_password_age.go

@@ -3,12 +3,13 @@ package command
 import (
 	"context"
 	caos_errs "github.com/caos/zitadel/internal/errors"
-	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
+	"github.com/caos/zitadel/internal/v2/domain"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
 )
 
-func (r *CommandSide) AddDefaultPasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error) {
+func (r *CommandSide) AddDefaultPasswordAgePolicy(ctx context.Context, policy *domain.PasswordAgePolicy) (*domain.PasswordAgePolicy, error) {
+	policy.AggregateID = r.iamID
 	addedPolicy := NewIAMPasswordAgePolicyWriteModel(policy.AggregateID)
 	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
 	if err != nil {
@@ -29,7 +30,8 @@ func (r *CommandSide) AddDefaultPasswordAgePolicy(ctx context.Context, policy *i
 	return writeModelToPasswordAgePolicy(addedPolicy), nil
 }
 
-func (r *CommandSide) ChangeDefaultPasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error) {
+func (r *CommandSide) ChangeDefaultPasswordAgePolicy(ctx context.Context, policy *domain.PasswordAgePolicy) (*domain.PasswordAgePolicy, error) {
+	policy.AggregateID = r.iamID
 	existingPolicy, err := r.defaultPasswordAgePolicyWriteModelByID(ctx, policy.AggregateID)
 	if err != nil {
 		return nil, err

internal/v2/command/iam_policy_password_complexity.go

@@ -3,13 +3,13 @@ package command
 import (
 	"context"
 	caos_errs "github.com/caos/zitadel/internal/errors"
-	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
+	"github.com/caos/zitadel/internal/v2/domain"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
 )
 
-func (r *CommandSide) GetDefaultPasswordComplexityPolicy(ctx context.Context, aggregateID string) (*iam_model.PasswordComplexityPolicy, error) {
+func (r *CommandSide) GetDefaultPasswordComplexityPolicy(ctx context.Context) (*domain.PasswordComplexityPolicy, error) {
-	policyWriteModel := NewIAMPasswordComplexityPolicyWriteModel(aggregateID)
+	policyWriteModel := NewIAMPasswordComplexityPolicyWriteModel(r.iamID)
 	err := r.eventstore.FilterToQueryReducer(ctx, policyWriteModel)
 	if err != nil {
 		return nil, err
@@ -19,7 +19,8 @@ func (r *CommandSide) GetDefaultPasswordComplexityPolicy(ctx context.Context, ag
 	return policy, nil
 }
 
-func (r *CommandSide) AddDefaultPasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error) {
+func (r *CommandSide) AddDefaultPasswordComplexityPolicy(ctx context.Context, policy *domain.PasswordComplexityPolicy) (*domain.PasswordComplexityPolicy, error) {
+	policy.AggregateID = r.iamID
 	addedPolicy := NewIAMPasswordComplexityPolicyWriteModel(policy.AggregateID)
 	iamAgg, err := r.addDefaultPasswordComplexityPolicy(ctx, addedPolicy, policy)
 	if err != nil {
@@ -34,7 +35,7 @@ func (r *CommandSide) AddDefaultPasswordComplexityPolicy(ctx context.Context, po
 	return writeModelToPasswordComplexityPolicy(addedPolicy), nil
 }
 
-func (r *CommandSide) addDefaultPasswordComplexityPolicy(ctx context.Context, addedPolicy *IAMPasswordComplexityPolicyWriteModel, policy *iam_model.PasswordComplexityPolicy) (*iam_repo.Aggregate, error) {
+func (r *CommandSide) addDefaultPasswordComplexityPolicy(ctx context.Context, addedPolicy *IAMPasswordComplexityPolicyWriteModel, policy *domain.PasswordComplexityPolicy) (*iam_repo.Aggregate, error) {
 	if err := policy.IsValid(); err != nil {
 		return nil, err
 	}
@@ -53,7 +54,8 @@ func (r *CommandSide) addDefaultPasswordComplexityPolicy(ctx context.Context, ad
 	return iamAgg, nil
 }
 
-func (r *CommandSide) ChangeDefaultPasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error) {
+func (r *CommandSide) ChangeDefaultPasswordComplexityPolicy(ctx context.Context, policy *domain.PasswordComplexityPolicy) (*domain.PasswordComplexityPolicy, error) {
+	policy.AggregateID = r.iamID
 	if err := policy.IsValid(); err != nil {
 		return nil, err
 	}

internal/v2/command/iam_policy_password_lockout.go

@@ -3,12 +3,13 @@ package command
 import (
 	"context"
 	caos_errs "github.com/caos/zitadel/internal/errors"
-	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
+	"github.com/caos/zitadel/internal/v2/domain"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
 )
 
-func (r *CommandSide) AddDefaultPasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error) {
+func (r *CommandSide) AddDefaultPasswordLockoutPolicy(ctx context.Context, policy *domain.PasswordLockoutPolicy) (*domain.PasswordLockoutPolicy, error) {
+	policy.AggregateID = r.iamID
 	addedPolicy := NewIAMPasswordLockoutPolicyWriteModel(policy.AggregateID)
 	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
 	if err != nil {
@@ -29,7 +30,8 @@ func (r *CommandSide) AddDefaultPasswordLockoutPolicy(ctx context.Context, polic
 	return writeModelToPasswordLockoutPolicy(addedPolicy), nil
 }
 
-func (r *CommandSide) ChangeDefaultPasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error) {
+func (r *CommandSide) ChangeDefaultPasswordLockoutPolicy(ctx context.Context, policy *domain.PasswordLockoutPolicy) (*domain.PasswordLockoutPolicy, error) {
+	policy.AggregateID = r.iamID
 	existingPolicy, err := r.defaultPasswordLockoutPolicyWriteModelByID(ctx, policy.AggregateID)
 	if err != nil {
 		return nil, err

internal/v2/command/org_converter.go

@@ -1,18 +1,18 @@
 package command
 
 import (
-	"github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 )
 
-func orgWriteModelToOrgIAMPolicy(wm *ORGOrgIAMPolicyWriteModel) *model.OrgIAMPolicy {
+func orgWriteModelToOrgIAMPolicy(wm *ORGOrgIAMPolicyWriteModel) *domain.OrgIAMPolicy {
-	return &model.OrgIAMPolicy{
+	return &domain.OrgIAMPolicy{
 		ObjectRoot:            writeModelToObjectRoot(wm.PolicyOrgIAMWriteModel.WriteModel),
 		UserLoginMustBeDomain: wm.UserLoginMustBeDomain,
 	}
 }
 
-func orgWriteModelToPasswordComplexityPolicy(wm *OrgPasswordComplexityPolicyWriteModel) *model.PasswordComplexityPolicy {
+func orgWriteModelToPasswordComplexityPolicy(wm *OrgPasswordComplexityPolicyWriteModel) *domain.PasswordComplexityPolicy {
-	return &model.PasswordComplexityPolicy{
+	return &domain.PasswordComplexityPolicy{
 		ObjectRoot:   writeModelToObjectRoot(wm.PasswordComplexityPolicyWriteModel.WriteModel),
 		MinLength:    wm.MinLength,
 		HasLowercase: wm.HasLowercase,

internal/v2/command/org_policy_org_iam.go

@@ -3,12 +3,12 @@ package command
 import (
 	"context"
 	caos_errs "github.com/caos/zitadel/internal/errors"
-	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
+	"github.com/caos/zitadel/internal/v2/domain"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
 )
 
-func (r *CommandSide) GetOrgIAMPolicy(ctx context.Context, orgID string) (*iam_model.OrgIAMPolicy, error) {
+func (r *CommandSide) GetOrgIAMPolicy(ctx context.Context, orgID string) (*domain.OrgIAMPolicy, error) {
 	policy := NewORGOrgIAMPolicyWriteModel(orgID)
 	err := r.eventstore.FilterToQueryReducer(ctx, policy)
 	if err != nil {
@@ -17,10 +17,10 @@ func (r *CommandSide) GetOrgIAMPolicy(ctx context.Context, orgID string) (*iam_m
 	if policy.IsActive {
 		return orgWriteModelToOrgIAMPolicy(policy), nil
 	}
-	return r.GetDefaultOrgIAMPolicy(ctx, r.iamID)
+	return r.GetDefaultOrgIAMPolicy(ctx)
 }
 
-func (r *CommandSide) AddOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
+func (r *CommandSide) AddOrgIAMPolicy(ctx context.Context, policy *domain.OrgIAMPolicy) (*domain.OrgIAMPolicy, error) {
 	addedPolicy := NewORGOrgIAMPolicyWriteModel(policy.AggregateID)
 	err := r.eventstore.FilterToQueryReducer(ctx, addedPolicy)
 	if err != nil {
@@ -40,7 +40,7 @@ func (r *CommandSide) AddOrgIAMPolicy(ctx context.Context, policy *iam_model.Org
 	return orgWriteModelToOrgIAMPolicy(addedPolicy), nil
 }
 
-func (r *CommandSide) ChangeOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
+func (r *CommandSide) ChangeOrgIAMPolicy(ctx context.Context, policy *domain.OrgIAMPolicy) (*domain.OrgIAMPolicy, error) {
 	existingPolicy, err := r.orgIAMPolicyWriteModelByID(ctx, policy.AggregateID)
 	if err != nil {
 		return nil, err
@@ -65,11 +65,11 @@ func (r *CommandSide) ChangeOrgIAMPolicy(ctx context.Context, policy *iam_model.
 	return orgWriteModelToOrgIAMPolicy(existingPolicy), nil
 }
 
-func (r *CommandSide) orgIAMPolicyWriteModelByID(ctx context.Context, iamID string) (policy *ORGOrgIAMPolicyWriteModel, err error) {
+func (r *CommandSide) orgIAMPolicyWriteModelByID(ctx context.Context, orgID string) (policy *ORGOrgIAMPolicyWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
-	writeModel := NewORGOrgIAMPolicyWriteModel(iamID)
+	writeModel := NewORGOrgIAMPolicyWriteModel(orgID)
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err

internal/v2/command/org_policy_password_complexity.go

@@ -2,10 +2,10 @@ package command
 
 import (
 	"context"
-	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 )
 
-func (r *CommandSide) GetOrgPasswordComplexityPolicy(ctx context.Context, orgID string) (*iam_model.PasswordComplexityPolicy, error) {
+func (r *CommandSide) GetOrgPasswordComplexityPolicy(ctx context.Context, orgID string) (*domain.PasswordComplexityPolicy, error) {
 	policy := NewOrgPasswordComplexityPolicyWriteModel(orgID)
 	err := r.eventstore.FilterToQueryReducer(ctx, policy)
 	if err != nil {
@@ -14,5 +14,5 @@ func (r *CommandSide) GetOrgPasswordComplexityPolicy(ctx context.Context, orgID
 	if policy.IsActive {
 		return orgWriteModelToPasswordComplexityPolicy(policy), nil
 	}
-	return r.GetDefaultPasswordComplexityPolicy(ctx, r.iamID)
+	return r.GetDefaultPasswordComplexityPolicy(ctx)
 }

internal/v2/command/setup_step1.go

@@ -4,7 +4,6 @@ import (
 	"context"
 
 	caos_errs "github.com/caos/zitadel/internal/errors"
-	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/v2/domain"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
 )
@@ -72,7 +71,7 @@ func (r *CommandSide) SetupStep1(ctx context.Context, iamID string, step1 Step1)
 	//create default login policy
 	iamAgg, err := r.addDefaultLoginPolicy(ctx,
 		NewIAMLoginPolicyWriteModel(iam.AggregateID),
-		&iam_model.LoginPolicy{
+		&domain.LoginPolicy{
 			AllowUsernamePassword: step1.DefaultLoginPolicy.AllowUsernamePassword,
 			AllowRegister:         step1.DefaultLoginPolicy.AllowRegister,
 			AllowExternalIdp:      step1.DefaultLoginPolicy.AllowExternalIdp,

internal/v2/command/setup_step2.go

@@ -18,7 +18,7 @@ func (r *CommandSide) SetupStep2(ctx context.Context, iamID string, step Step2)
 	if err != nil && !caos_errs.IsNotFound(err) {
 		return err
 	}
-	iamAgg, err := r.addDefaultPasswordComplexityPolicy(ctx, NewIAMPasswordComplexityPolicyWriteModel(iam.AggregateID), &iam_model.PasswordComplexityPolicy{
+	iamAgg, err := r.addDefaultPasswordComplexityPolicy(ctx, NewIAMPasswordComplexityPolicyWriteModel(iam.AggregateID), &domain.PasswordComplexityPolicy{
 		MinLength:    step.DefaultPasswordComplexityPolicy.MinLength,
 		HasLowercase: step.DefaultPasswordComplexityPolicy.HasLowercase,
 		HasUppercase: step.DefaultPasswordComplexityPolicy.HasUppercase,

internal/v2/command/user.go

@@ -4,12 +4,11 @@ import (
 	"context"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
-	usr_model "github.com/caos/zitadel/internal/user/model"
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/user"
 )
 
-func (r *CommandSide) AddUser(ctx context.Context, user *usr_model.User) (*usr_model.User, error) {
+func (r *CommandSide) AddUser(ctx context.Context, user *domain.User) (*domain.User, error) {
 	if !user.IsValid() {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2N9fs", "Errors.User.Invalid")
 	}
@@ -19,14 +18,27 @@ func (r *CommandSide) AddUser(ctx context.Context, user *usr_model.User) (*usr_m
 		if err != nil {
 			return nil, err
 		}
-		return &usr_model.User{UserName: user.UserName, Human: human}, nil
+		return &domain.User{UserName: user.UserName, Human: human}, nil
 	} else if user.Machine != nil {
 
 	}
 	return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-8K0df", "Errors.User.TypeUndefined")
 }
 
-func (r *CommandSide) DeactivateUser(ctx context.Context, userID string) (*usr_model.User, error) {
+func (r *CommandSide) RegisterUser(ctx context.Context, user *domain.User) (*domain.User, error) {
+	if !user.IsValid() {
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2N9fs", "Errors.User.Invalid")
+	}
+
+	if user.Human != nil {
+
+	} else if user.Machine != nil {
+
+	}
+	return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-8K0df", "Errors.User.TypeUndefined")
+}
+
+func (r *CommandSide) DeactivateUser(ctx context.Context, userID string) (*domain.User, error) {
 	existingUser, err := r.userWriteModelByID(ctx, userID)
 	if err != nil {
 		return nil, err
@@ -47,7 +59,7 @@ func (r *CommandSide) DeactivateUser(ctx context.Context, userID string) (*usr_m
 	return writeModelToUser(existingUser), nil
 }
 
-func (r *CommandSide) ReactivateUser(ctx context.Context, userID string) (*usr_model.User, error) {
+func (r *CommandSide) ReactivateUser(ctx context.Context, userID string) (*domain.User, error) {
 	existingUser, err := r.userWriteModelByID(ctx, userID)
 	if err != nil {
 		return nil, err
@@ -68,7 +80,7 @@ func (r *CommandSide) ReactivateUser(ctx context.Context, userID string) (*usr_m
 	return writeModelToUser(existingUser), nil
 }
 
-func (r *CommandSide) LockUser(ctx context.Context, userID string) (*usr_model.User, error) {
+func (r *CommandSide) LockUser(ctx context.Context, userID string) (*domain.User, error) {
 	existingUser, err := r.userWriteModelByID(ctx, userID)
 	if err != nil {
 		return nil, err
@@ -89,7 +101,7 @@ func (r *CommandSide) LockUser(ctx context.Context, userID string) (*usr_model.U
 	return writeModelToUser(existingUser), nil
 }
 
-func (r *CommandSide) UnlockUser(ctx context.Context, userID string) (*usr_model.User, error) {
+func (r *CommandSide) UnlockUser(ctx context.Context, userID string) (*domain.User, error) {
 	existingUser, err := r.userWriteModelByID(ctx, userID)
 	if err != nil {
 		return nil, err

internal/v2/command/user_converter.go

@@ -2,31 +2,39 @@ package command
 
 import (
 	"github.com/caos/zitadel/internal/user/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 )
 
-func writeModelToUser(wm *UserWriteModel) *model.User {
+func writeModelToUser(wm *UserWriteModel) *domain.User {
-	return &model.User{
+	return &domain.User{
 		ObjectRoot: writeModelToObjectRoot(wm.WriteModel),
 		UserName:   wm.UserName,
-		State:      model.UserState(wm.UserState),
+		State:      wm.UserState,
 	}
 }
 
-func writeModelToHuman(wm *HumanWriteModel) *model.Human {
+func writeModelToHuman(wm *HumanWriteModel) *domain.Human {
-	return &model.Human{
+	return &domain.Human{
 		ObjectRoot: writeModelToObjectRoot(wm.WriteModel),
-		Profile: &model.Profile{
+		Profile: &domain.Profile{
 			FirstName:         wm.FirstName,
 			LastName:          wm.LastName,
 			NickName:          wm.NickName,
 			DisplayName:       wm.DisplayName,
 			PreferredLanguage: wm.PreferredLanguage,
-			Gender:            model.Gender(wm.Gender),
+			Gender:            wm.Gender,
 		},
-		Email: &model.Email{
+		Email: &domain.Email{
 			EmailAddress:    wm.Email,
 			IsEmailVerified: wm.IsEmailVerified,
 		},
+		Address: &domain.Address{
+			Country:       wm.Country,
+			Locality:      wm.Locality,
+			PostalCode:    wm.PostalCode,
+			Region:        wm.Region,
+			StreetAddress: wm.StreetAddress,
+		},
 	}
 }
 

internal/v2/command/user_human.go

@@ -3,12 +3,11 @@ package command
 import (
 	"context"
 	caos_errs "github.com/caos/zitadel/internal/errors"
-	usr_model "github.com/caos/zitadel/internal/user/model"
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/user"
 )
 
-func (r *CommandSide) AddHuman(ctx context.Context, orgID, username string, human *usr_model.Human) (*usr_model.Human, error) {
+func (r *CommandSide) AddHuman(ctx context.Context, orgID, username string, human *domain.Human) (*domain.Human, error) {
 	if !human.IsValid() {
 		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-4M90d", "Errors.User.Invalid")
 	}
@@ -21,16 +20,16 @@ func (r *CommandSide) AddHuman(ctx context.Context, orgID, username string, huma
 	if err != nil {
 		return nil, err
 	}
-	//pwPolicy, err := r.GetOrgPasswordComplexityPolicy(ctx, orgID)
+	pwPolicy, err := r.GetOrgPasswordComplexityPolicy(ctx, orgID)
-	//if err != nil {
+	if err != nil {
-	//	return nil, err
+		return nil, err
-	//}
+	}
 
 	addedHuman := NewHumanWriteModel(human.AggregateID)
 	//TODO: Check Unique Username
 	human.CheckOrgIAMPolicy(username, orgIAMPolicy)
 	human.SetNamesAsDisplayname()
-	//human.HashPasswordIfExisting(pwPolicy, r.userPasswordAlg, true)
+	human.HashPasswordIfExisting(pwPolicy, r.userPasswordAlg, true)
 
 	userAgg := UserAggregateFromWriteModel(&addedHuman.WriteModel)
 	userAgg.PushEvents(
@@ -42,7 +41,7 @@ func (r *CommandSide) AddHuman(ctx context.Context, orgID, username string, huma
 			human.NickName,
 			human.DisplayName,
 			human.PreferredLanguage,
-			domain.Gender(human.Gender),
+			human.Gender,
 			human.EmailAddress,
 			human.PhoneNumber,
 			human.Country,

internal/v2/domain/human.go

@@ -1,5 +1,40 @@
 package domain
 
+import (
+	"github.com/caos/zitadel/internal/crypto"
+	caos_errors "github.com/caos/zitadel/internal/errors"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"strings"
+	"time"
+)
+
+type Human struct {
+	es_models.ObjectRoot
+
+	*Password
+	*Profile
+	*Email
+	*Phone
+	*Address
+	ExternalIDPs       []*ExternalIDP
+	InitCode           *InitUserCode
+	EmailCode          *EmailCode
+	PhoneCode          *PhoneCode
+	PasswordCode       *PasswordCode
+	OTP                *OTP
+	U2FTokens          []*WebAuthNToken
+	PasswordlessTokens []*WebAuthNToken
+	U2FLogins          []*WebAuthNLogin
+	PasswordlessLogins []*WebAuthNLogin
+}
+
+type InitUserCode struct {
+	es_models.ObjectRoot
+
+	Code   *crypto.CryptoValue
+	Expiry time.Duration
+}
+
 type Gender int32
 
 const (
@@ -14,3 +49,33 @@ const (
 func (f Gender) Valid() bool {
 	return f >= 0 && f < genderCount
 }
+
+func (u *Human) IsValid() bool {
+	return u.Profile != nil && u.FirstName != "" && u.LastName != "" && u.Email != nil && u.Email.IsValid() && u.Phone == nil || (u.Phone != nil && u.Phone.PhoneNumber != "" && u.Phone.IsValid())
+}
+
+func (u *Human) CheckOrgIAMPolicy(userName string, policy *OrgIAMPolicy) error {
+	if policy == nil {
+		return caos_errors.ThrowPreconditionFailed(nil, "DOMAIN-zSH7j", "Errors.Users.OrgIamPolicyNil")
+	}
+	if policy.UserLoginMustBeDomain && strings.Contains(userName, "@") {
+		return caos_errors.ThrowPreconditionFailed(nil, "DOMAIN-se4sJ", "Errors.User.EmailAsUsernameNotAllowed")
+	}
+	if !policy.UserLoginMustBeDomain && u.Profile != nil && userName == "" && u.Email != nil {
+		userName = u.EmailAddress
+	}
+	return nil
+}
+
+func (u *Human) SetNamesAsDisplayname() {
+	if u.Profile != nil && u.DisplayName == "" && u.FirstName != "" && u.LastName != "" {
+		u.DisplayName = u.FirstName + " " + u.LastName
+	}
+}
+
+func (u *Human) HashPasswordIfExisting(policy *PasswordComplexityPolicy, passwordAlg crypto.HashAlgorithm, onetime bool) error {
+	if u.Password != nil {
+		return u.Password.HashPasswordIfExisting(policy, passwordAlg, onetime)
+	}
+	return nil
+}

internal/v2/domain/human_address.go

@@ -0,0 +1,13 @@
+package domain
+
+import es_models "github.com/caos/zitadel/internal/eventstore/models"
+
+type Address struct {
+	es_models.ObjectRoot
+
+	Country       string
+	Locality      string
+	PostalCode    string
+	Region        string
+	StreetAddress string
+}

internal/v2/domain/human_email.go

@@ -0,0 +1,25 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/crypto"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"time"
+)
+
+type Email struct {
+	es_models.ObjectRoot
+
+	EmailAddress    string
+	IsEmailVerified bool
+}
+
+type EmailCode struct {
+	es_models.ObjectRoot
+
+	Code   *crypto.CryptoValue
+	Expiry time.Duration
+}
+
+func (e *Email) IsValid() bool {
+	return e.EmailAddress != ""
+}

internal/v2/domain/human_external_idp.go

@@ -0,0 +1,11 @@
+package domain
+
+import es_models "github.com/caos/zitadel/internal/eventstore/models"
+
+type ExternalIDP struct {
+	es_models.ObjectRoot
+
+	IDPConfigID string
+	UserID      string
+	DisplayName string
+}

internal/v2/domain/human_otp.go

@@ -0,0 +1,15 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/crypto"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+)
+
+type OTP struct {
+	es_models.ObjectRoot
+
+	Secret       *crypto.CryptoValue
+	SecretString string
+	Url          string
+	State        MFAState
+}

internal/v2/domain/human_password.go

@@ -0,0 +1,43 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/crypto"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"time"
+)
+
+type Password struct {
+	es_models.ObjectRoot
+
+	SecretString   string
+	SecretCrypto   *crypto.CryptoValue
+	ChangeRequired bool
+}
+
+type PasswordCode struct {
+	es_models.ObjectRoot
+
+	Code             *crypto.CryptoValue
+	Expiry           time.Duration
+	NotificationType NotificationType
+}
+
+func (p *Password) HashPasswordIfExisting(policy *PasswordComplexityPolicy, passwordAlg crypto.HashAlgorithm, onetime bool) error {
+	if p.SecretString == "" {
+		return nil
+	}
+	if policy == nil {
+		return caos_errs.ThrowPreconditionFailed(nil, "DOMAIN-s8ifS", "Errors.User.PasswordComplexityPolicy.NotFound")
+	}
+	if err := policy.Check(p.SecretString); err != nil {
+		return err
+	}
+	secret, err := crypto.Hash([]byte(p.SecretString), passwordAlg)
+	if err != nil {
+		return err
+	}
+	p.SecretCrypto = secret
+	p.ChangeRequired = onetime
+	return nil
+}

internal/v2/domain/human_phone.go

@@ -0,0 +1,41 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/crypto"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/ttacon/libphonenumber"
+	"time"
+)
+
+const (
+	defaultRegion = "CH"
+)
+
+type Phone struct {
+	es_models.ObjectRoot
+
+	PhoneNumber     string
+	IsPhoneVerified bool
+}
+
+type PhoneCode struct {
+	es_models.ObjectRoot
+
+	Code   *crypto.CryptoValue
+	Expiry time.Duration
+}
+
+func (p *Phone) IsValid() bool {
+	err := p.formatPhone()
+	return p.PhoneNumber != "" && err == nil
+}
+
+func (p *Phone) formatPhone() error {
+	phoneNr, err := libphonenumber.Parse(p.PhoneNumber, defaultRegion)
+	if err != nil {
+		return caos_errs.ThrowPreconditionFailed(nil, "EVENT-so0wa", "Errors.User.Phone.Invalid")
+	}
+	p.PhoneNumber = libphonenumber.Format(phoneNr, libphonenumber.E164)
+	return nil
+}

internal/v2/domain/human_profile.go

@@ -0,0 +1,19 @@
+package domain
+
+import (
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"golang.org/x/text/language"
+)
+
+type Profile struct {
+	es_models.ObjectRoot
+
+	FirstName          string
+	LastName           string
+	NickName           string
+	DisplayName        string
+	PreferredLanguage  language.Tag
+	Gender             Gender
+	PreferredLoginName string
+	LoginNames         []string
+}

internal/v2/domain/human_web_auth_n.go

@@ -0,0 +1,40 @@
+package domain
+
+import es_models "github.com/caos/zitadel/internal/eventstore/models"
+
+type WebAuthNToken struct {
+	es_models.ObjectRoot
+
+	WebAuthNTokenID        string
+	CredentialCreationData []byte
+	State                  MFAState
+	Challenge              string
+	AllowedCredentialIDs   [][]byte
+	UserVerification       UserVerificationRequirement
+	KeyID                  []byte
+	PublicKey              []byte
+	AttestationType        string
+	AAGUID                 []byte
+	SignCount              uint32
+	WebAuthNTokenName      string
+}
+
+type WebAuthNLogin struct {
+	es_models.ObjectRoot
+
+	CredentialAssertionData []byte
+	Challenge               string
+	AllowedCredentialIDs    [][]byte
+	UserVerification        UserVerificationRequirement
+	//TODO: Add Auth Request
+	//*model.AuthRequest
+}
+
+type UserVerificationRequirement int32
+
+const (
+	UserVerificationRequirementUnspecified UserVerificationRequirement = iota
+	UserVerificationRequirementRequired
+	UserVerificationRequirementPreferred
+	UserVerificationRequirementDiscouraged
+)

internal/v2/domain/iam_member.go

@@ -0,0 +1,16 @@
+package domain
+
+import (
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+)
+
+type IAMMember struct {
+	es_models.ObjectRoot
+
+	UserID string
+	Roles  []string
+}
+
+func (i *IAMMember) IsValid() bool {
+	return i.AggregateID != "" && i.UserID != "" && len(i.Roles) != 0
+}

internal/v2/domain/idp_config.go

@@ -1,5 +1,53 @@
 package domain
 
+import (
+	"github.com/caos/zitadel/internal/crypto"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"time"
+)
+
+type IDPConfig struct {
+	es_models.ObjectRoot
+	IDPConfigID string
+	Type        IDPConfigType
+	Name        string
+	StylingType IDPConfigStylingType
+	State       IDPConfigState
+	OIDCConfig  *OIDCIDPConfig
+}
+
+type IDPConfigView struct {
+	AggregateID     string
+	IDPConfigID     string
+	Name            string
+	StylingType     IDPConfigStylingType
+	State           IDPConfigState
+	CreationDate    time.Time
+	ChangeDate      time.Time
+	Sequence        uint64
+	IDPProviderType IdentityProviderType
+
+	IsOIDC                    bool
+	OIDCClientID              string
+	OIDCClientSecret          *crypto.CryptoValue
+	OIDCIssuer                string
+	OIDCScopes                []string
+	OIDCIDPDisplayNameMapping OIDCMappingField
+	OIDCUsernameMapping       OIDCMappingField
+}
+
+type OIDCIDPConfig struct {
+	es_models.ObjectRoot
+	IDPConfigID           string
+	ClientID              string
+	ClientSecret          *crypto.CryptoValue
+	ClientSecretString    string
+	Issuer                string
+	Scopes                []string
+	IDPDisplayNameMapping OIDCMappingField
+	UsernameMapping       OIDCMappingField
+}
+
 type IDPConfigType int32
 
 const (
@@ -32,7 +80,8 @@ func (f IDPConfigState) Valid() bool {
 type IDPConfigStylingType int32
 
 const (
-	IDPConfigStylingTypeGoogle IDPConfigStylingType = iota + 1
+	IDPConfigStylingTypeUnspecified IDPConfigStylingType = iota
+	IDPConfigStylingTypeGoogle
 
 	idpConfigStylingTypeCount
 )

internal/v2/domain/machine.go

@@ -0,0 +1,14 @@
+package domain
+
+import "github.com/caos/zitadel/internal/eventstore/models"
+
+type Machine struct {
+	models.ObjectRoot
+
+	Name        string
+	Description string
+}
+
+func (sa *Machine) IsValid() bool {
+	return sa.Name != ""
+}

internal/v2/domain/policy_label.go

@@ -0,0 +1,13 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/models"
+)
+
+type LabelPolicy struct {
+	models.ObjectRoot
+
+	Default        bool
+	PrimaryColor   string
+	SecondaryColor string
+}

internal/v2/domain/policy_login.go

@@ -1,5 +1,27 @@
 package domain
 
+import "github.com/caos/zitadel/internal/eventstore/models"
+
+type LoginPolicy struct {
+	models.ObjectRoot
+
+	Default               bool
+	AllowUsernamePassword bool
+	AllowRegister         bool
+	AllowExternalIdp      bool
+	IDPProviders          []*IDPProvider
+	ForceMFA              bool
+	SecondFactors         []SecondFactorType
+	MultiFactors          []MultiFactorType
+	PasswordlessType      PasswordlessType
+}
+
+type IDPProvider struct {
+	models.ObjectRoot
+	Type        IdentityProviderType
+	IDPConfigID string
+}
+
 type PasswordlessType int32
 
 const (

internal/v2/domain/policy_org_iam.go

@@ -0,0 +1,12 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/models"
+)
+
+type OrgIAMPolicy struct {
+	models.ObjectRoot
+
+	UserLoginMustBeDomain bool
+	Default               bool
+}

internal/v2/domain/policy_password_age.go

@@ -0,0 +1,12 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/models"
+)
+
+type PasswordAgePolicy struct {
+	models.ObjectRoot
+
+	MaxAgeDays     uint64
+	ExpireWarnDays uint64
+}

internal/v2/domain/policy_password_complexity.go

@@ -0,0 +1,56 @@
+package domain
+
+import (
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"regexp"
+)
+
+var (
+	hasStringLowerCase = regexp.MustCompile(`[a-z]`).MatchString
+	hasStringUpperCase = regexp.MustCompile(`[A-Z]`).MatchString
+	hasNumber          = regexp.MustCompile(`[0-9]`).MatchString
+	hasSymbol          = regexp.MustCompile(`[^A-Za-z0-9]`).MatchString
+)
+
+type PasswordComplexityPolicy struct {
+	models.ObjectRoot
+
+	MinLength    uint64
+	HasLowercase bool
+	HasUppercase bool
+	HasNumber    bool
+	HasSymbol    bool
+
+	Default bool
+}
+
+func (p *PasswordComplexityPolicy) IsValid() error {
+	if p.MinLength == 0 || p.MinLength > 72 {
+		return caos_errs.ThrowInvalidArgument(nil, "MODEL-Lsp0e", "Errors.User.PasswordComplexityPolicy.MinLengthNotAllowed")
+	}
+	return nil
+}
+
+func (p *PasswordComplexityPolicy) Check(password string) error {
+	if p.MinLength != 0 && uint64(len(password)) < p.MinLength {
+		return caos_errs.ThrowInvalidArgument(nil, "DOMAIN-HuJf6", "Errors.User.PasswordComplexityPolicy.MinLength")
+	}
+
+	if p.HasLowercase && !hasStringLowerCase(password) {
+		return caos_errs.ThrowInvalidArgument(nil, "DOMAIN-co3Xw", "Errors.User.PasswordComplexityPolicy.HasLower")
+	}
+
+	if p.HasUppercase && !hasStringUpperCase(password) {
+		return caos_errs.ThrowInvalidArgument(nil, "DOMAIN-VoaRj", "Errors.User.PasswordComplexityPolicy.HasUpper")
+	}
+
+	if p.HasNumber && !hasNumber(password) {
+		return caos_errs.ThrowInvalidArgument(nil, "DOMAIN-ZBv4H", "Errors.User.PasswordComplexityPolicy.HasNumber")
+	}
+
+	if p.HasSymbol && !hasSymbol(password) {
+		return caos_errs.ThrowInvalidArgument(nil, "DOMAIN-ZDLwA", "Errors.User.PasswordComplexityPolicy.HasSymbol")
+	}
+	return nil
+}

internal/v2/domain/policy_password_lockout.go

@@ -0,0 +1,12 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/models"
+)
+
+type PasswordLockoutPolicy struct {
+	models.ObjectRoot
+
+	MaxAttempts         uint64
+	ShowLockOutFailures bool
+}

internal/v2/domain/user.go

@@ -1,5 +1,16 @@
 package domain
 
+import es_models "github.com/caos/zitadel/internal/eventstore/models"
+
+type User struct {
+	es_models.ObjectRoot
+	State    UserState
+	UserName string
+
+	*Human
+	*Machine
+}
+
 type UserState int32
 
 const (
@@ -17,3 +28,13 @@ const (
 func (f UserState) Valid() bool {
 	return f >= 0 && f < userStateCount
 }
+
+func (u *User) IsValid() bool {
+	if u.Human == nil && u.Machine == nil || u.UserName == "" {
+		return false
+	}
+	if u.Human != nil {
+		return u.Human.IsValid()
+	}
+	return u.Machine.IsValid()
+}

internal/v2/query/converter.go

@@ -4,6 +4,7 @@ import (
 	"github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 )
 
 func readModelToIAM(readModel *ReadModel) *model.IAM {
@@ -24,25 +25,28 @@ func readModelToIAM(readModel *ReadModel) *model.IAM {
 	}
 }
 
-func readModelToIDPConfigView(rm *IAMIDPConfigReadModel) *model.IDPConfigView {
+func readModelToIDPConfigView(rm *IAMIDPConfigReadModel) *domain.IDPConfigView {
-	return &model.IDPConfigView{
+	converted := &domain.IDPConfigView{
 		AggregateID:     rm.AggregateID,
 		ChangeDate:      rm.ChangeDate,
 		CreationDate:    rm.CreationDate,
 		IDPConfigID:     rm.ConfigID,
-		IDPProviderType:           model.IDPProviderType(rm.ProviderType),
+		IDPProviderType: rm.ProviderType,
 		IsOIDC:          rm.OIDCConfig != nil,
 		Name:            rm.Name,
-		OIDCClientID:              rm.OIDCConfig.ClientID,
-		OIDCClientSecret:          rm.OIDCConfig.ClientSecret,
-		OIDCIDPDisplayNameMapping: model.OIDCMappingField(rm.OIDCConfig.IDPDisplayNameMapping),
-		OIDCIssuer:                rm.OIDCConfig.Issuer,
-		OIDCScopes:                rm.OIDCConfig.Scopes,
-		OIDCUsernameMapping:       model.OIDCMappingField(rm.OIDCConfig.UserNameMapping),
 		Sequence:        rm.ProcessedSequence,
-		State:                     model.IDPConfigState(rm.State),
+		State:           rm.State,
-		StylingType:               model.IDPStylingType(rm.StylingType),
+		StylingType:     rm.StylingType,
 	}
+	if rm.OIDCConfig != nil {
+		converted.OIDCClientID = rm.OIDCConfig.ClientID
+		converted.OIDCClientSecret = rm.OIDCConfig.ClientSecret
+		converted.OIDCIDPDisplayNameMapping = rm.OIDCConfig.IDPDisplayNameMapping
+		converted.OIDCIssuer = rm.OIDCConfig.Issuer
+		converted.OIDCScopes = rm.OIDCConfig.Scopes
+		converted.OIDCUsernameMapping = rm.OIDCConfig.UserNameMapping
+	}
+	return converted
 }
 
 func readModelToMember(readModel *MemberReadModel) *model.IAMMember {

internal/v2/query/iam_idp_config.go

@@ -0,0 +1,16 @@
+package query
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/v2/domain"
+)
+
+func (r *QuerySide) DefaultIDPConfigByID(ctx context.Context, idpConfigID string) (*domain.IDPConfigView, error) {
+	idpConfig := NewIAMIDPConfigReadModel(r.iamID, idpConfigID)
+	err := r.eventstore.FilterToQueryReducer(ctx, idpConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return readModelToIDPConfigView(idpConfig), nil
+}

internal/v2/query/idp_config.go

@@ -1,16 +0,0 @@
-package query
-
-import (
-	"context"
-	"github.com/caos/zitadel/internal/iam/model"
-)
-
-func (r *QuerySide) DefaultIDPConfigByID(ctx context.Context, iamID, idpConfigID string) (*model.IDPConfigView, error) {
-	idpConfig := NewIAMIDPConfigReadModel(iamID, idpConfigID)
-	err := r.eventstore.FilterToQueryReducer(ctx, idpConfig)
-	if err != nil {
-		return nil, err
-	}
-
-	return readModelToIDPConfigView(idpConfig), nil
-}

internal/v2/query/query.go

@@ -13,6 +13,7 @@ import (
 )
 
 type QuerySide struct {
+	iamID        string
 	eventstore   *eventstore.Eventstore
 	idGenerator  id.Generator
 	secretCrypto crypto.Crypto
@@ -25,6 +26,7 @@ type Config struct {
 
 func StartQuerySide(config *Config) (repo *QuerySide, err error) {
 	repo = &QuerySide{
+		iamID:       config.SystemDefaults.IamID,
 		eventstore:  config.Eventstore,
 		idGenerator: id.SonyFlakeGenerator,
 	}