fix(query): realtime data on defined requests (#3726)

* feat: directly specify factors on addCustomLoginPolicy and return on LoginPolicy responses * fix proto * update login policy * feat: directly specify idp on addCustomLoginPolicy and return on LoginPolicy responses * fix: tests * fix(projection): trigger bulk * refactor: clean projection pkg * instance should bulk * fix(query): should trigger bulk on id calls * tests * build prerelease * fix: add shouldTriggerBulk * fix: test Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Max Peintner <max@caos.ch>
2025-08-12 07:47:32 +00:00 · 2022-06-14 07:51:00 +02:00
parent 5c805c48db
commit dd2f31683c
146 changed files with 1097 additions and 1239 deletions
--- a/internal/api/api.go
+++ b/internal/api/api.go
@@ -31,7 +31,7 @@ type API struct {

 type health interface {
 	Health(ctx context.Context) error
-	Instance(ctx context.Context) (*query.Instance, error)
+	Instance(ctx context.Context, shouldTriggerBulk bool) (*query.Instance, error)
 }

 func New(port uint16, router *mux.Router, queries *query.Queries, verifier *internal_authz.TokenVerifier, authZ internal_authz.Config, externalSecure bool, http2HostName, http1HostName string) *API {
--- a/internal/api/grpc/admin/domain_policy.go
+++ b/internal/api/grpc/admin/domain_policy.go
@@ -19,7 +19,7 @@ func (s *Server) GetDomainPolicy(ctx context.Context, _ *admin_pb.GetDomainPolic
 }

 func (s *Server) GetCustomDomainPolicy(ctx context.Context, req *admin_pb.GetCustomDomainPolicyRequest) (*admin_pb.GetCustomDomainPolicyResponse, error) {
-	policy, err := s.query.DomainPolicyByOrg(ctx, req.OrgId)
+	policy, err := s.query.DomainPolicyByOrg(ctx, true, req.OrgId)
 	if err != nil {
 		return nil, err
 	}
@@ -154,7 +154,7 @@ func (s *Server) GetOrgIAMPolicy(ctx context.Context, _ *admin_pb.GetOrgIAMPolic
 }

 func (s *Server) GetCustomOrgIAMPolicy(ctx context.Context, req *admin_pb.GetCustomOrgIAMPolicyRequest) (*admin_pb.GetCustomOrgIAMPolicyResponse, error) {
-	policy, err := s.query.DomainPolicyByOrg(ctx, req.OrgId)
+	policy, err := s.query.DomainPolicyByOrg(ctx, true, req.OrgId)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/admin/idp.go
+++ b/internal/api/grpc/admin/idp.go
@@ -11,7 +11,7 @@ import (
 )

 func (s *Server) GetIDPByID(ctx context.Context, req *admin_pb.GetIDPByIDRequest) (*admin_pb.GetIDPByIDResponse, error) {
-	idp, err := s.query.IDPByIDAndResourceOwner(ctx, req.Id, authz.GetInstance(ctx).InstanceID())
+	idp, err := s.query.IDPByIDAndResourceOwner(ctx, true, req.Id, authz.GetInstance(ctx).InstanceID())
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/admin/org.go
+++ b/internal/api/grpc/admin/org.go
@@ -28,12 +28,12 @@ func (s *Server) SetDefaultOrg(ctx context.Context, req *admin_pb.SetDefaultOrgR
 }

 func (s *Server) GetDefaultOrg(ctx context.Context, _ *admin_pb.GetDefaultOrgRequest) (*admin_pb.GetDefaultOrgResponse, error) {
-	org, err := s.query.OrgByID(ctx, authz.GetInstance(ctx).DefaultOrganisationID())
+	org, err := s.query.OrgByID(ctx, true, authz.GetInstance(ctx).DefaultOrganisationID())
 	return &admin_pb.GetDefaultOrgResponse{Org: org_grpc.OrgToPb(org)}, err
 }

 func (s *Server) GetOrgByID(ctx context.Context, req *admin_pb.GetOrgByIDRequest) (*admin_pb.GetOrgByIDResponse, error) {
-	org, err := s.query.OrgByID(ctx, req.Id)
+	org, err := s.query.OrgByID(ctx, true, req.Id)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/admin/password_age.go
+++ b/internal/api/grpc/admin/password_age.go
@@ -9,7 +9,7 @@ import (
 )

 func (s *Server) GetPasswordAgePolicy(ctx context.Context, req *admin_pb.GetPasswordAgePolicyRequest) (*admin_pb.GetPasswordAgePolicyResponse, error) {
-	policy, err := s.query.DefaultPasswordAgePolicy(ctx)
+	policy, err := s.query.DefaultPasswordAgePolicy(ctx, true)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/admin/password_complexity.go
+++ b/internal/api/grpc/admin/password_complexity.go
@@ -9,7 +9,7 @@ import (
 )

 func (s *Server) GetPasswordComplexityPolicy(ctx context.Context, _ *admin_pb.GetPasswordComplexityPolicyRequest) (*admin_pb.GetPasswordComplexityPolicyResponse, error) {
-	policy, err := s.query.DefaultPasswordComplexityPolicy(ctx)
+	policy, err := s.query.DefaultPasswordComplexityPolicy(ctx, true)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/admin/privacy_policy.go
+++ b/internal/api/grpc/admin/privacy_policy.go
@@ -9,7 +9,7 @@ import (
 )

 func (s *Server) GetPrivacyPolicy(ctx context.Context, _ *admin_pb.GetPrivacyPolicyRequest) (*admin_pb.GetPrivacyPolicyResponse, error) {
-	policy, err := s.query.DefaultPrivacyPolicy(ctx)
+	policy, err := s.query.DefaultPrivacyPolicy(ctx, true)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/auth/password_complexity.go
+++ b/internal/api/grpc/auth/password_complexity.go
@@ -9,7 +9,7 @@ import (
 )

 func (s *Server) GetMyPasswordComplexityPolicy(ctx context.Context, _ *auth_pb.GetMyPasswordComplexityPolicyRequest) (*auth_pb.GetMyPasswordComplexityPolicyResponse, error) {
-	policy, err := s.query.PasswordComplexityPolicyByOrg(ctx, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.PasswordComplexityPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/auth/permission.go
+++ b/internal/api/grpc/auth/permission.go
@@ -34,7 +34,7 @@ func (s *Server) ListMyProjectPermissions(ctx context.Context, _ *auth_pb.ListMy
 	if err != nil {
 		return nil, err
 	}
-	userGrant, err := s.query.UserGrant(ctx, userGrantOrgID, userGrantProjectID, userGrantUserID)
+	userGrant, err := s.query.UserGrant(ctx, true, userGrantOrgID, userGrantProjectID, userGrantUserID)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/auth/policy.go
+++ b/internal/api/grpc/auth/policy.go
@@ -19,7 +19,7 @@ func (s *Server) GetMyLabelPolicy(ctx context.Context, _ *auth_pb.GetMyLabelPoli
 }

 func (s *Server) GetMyPrivacyPolicy(ctx context.Context, _ *auth_pb.GetMyPrivacyPolicyRequest) (*auth_pb.GetMyPrivacyPolicyResponse, error) {
-	policy, err := s.query.PrivacyPolicyByOrg(ctx, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.PrivacyPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/auth/user.go
+++ b/internal/api/grpc/auth/user.go
@@ -16,7 +16,7 @@ import (
 )

 func (s *Server) GetMyUser(ctx context.Context, _ *auth_pb.GetMyUserRequest) (*auth_pb.GetMyUserResponse, error) {
-	user, err := s.query.GetUserByID(ctx, authz.GetCtxData(ctx).UserID)
+	user, err := s.query.GetUserByID(ctx, true, authz.GetCtxData(ctx).UserID)
 	if err != nil {
 		return nil, err
 	}
@@ -70,7 +70,7 @@ func (s *Server) ListMyMetadata(ctx context.Context, req *auth_pb.ListMyMetadata
 	if err != nil {
 		return nil, err
 	}
-	res, err := s.query.SearchUserMetadata(ctx, authz.GetCtxData(ctx).UserID, queries)
+	res, err := s.query.SearchUserMetadata(ctx, true, authz.GetCtxData(ctx).UserID, queries)
 	if err != nil {
 		return nil, err
 	}
@@ -81,7 +81,7 @@ func (s *Server) ListMyMetadata(ctx context.Context, req *auth_pb.ListMyMetadata
 }

 func (s *Server) GetMyMetadata(ctx context.Context, req *auth_pb.GetMyMetadataRequest) (*auth_pb.GetMyMetadataResponse, error) {
-	data, err := s.query.GetUserMetadataByKey(ctx, authz.GetCtxData(ctx).UserID, req.Key)
+	data, err := s.query.GetUserMetadataByKey(ctx, true, authz.GetCtxData(ctx).UserID, req.Key)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/iam.go
+++ b/internal/api/grpc/management/iam.go
@@ -7,13 +7,13 @@ import (
 )

 func (s *Server) GetIAM(ctx context.Context, _ *mgmt_pb.GetIAMRequest) (*mgmt_pb.GetIAMResponse, error) {
-	iam, err := s.query.Instance(ctx)
+	instance, err := s.query.Instance(ctx, true)
 	if err != nil {
 		return nil, err
 	}
 	return &mgmt_pb.GetIAMResponse{
-		GlobalOrgId:  iam.DefaultOrgID,
-		DefaultOrgId: iam.DefaultOrgID,
-		IamProjectId: iam.IAMProjectID,
+		GlobalOrgId:  instance.DefaultOrgID,
+		IamProjectId: instance.IAMProjectID,
+		DefaultOrgId: instance.DefaultOrgID,
 	}, nil
 }
--- a/internal/api/grpc/management/idp.go
+++ b/internal/api/grpc/management/idp.go
@@ -11,7 +11,7 @@ import (
 )

 func (s *Server) GetOrgIDPByID(ctx context.Context, req *mgmt_pb.GetOrgIDPByIDRequest) (*mgmt_pb.GetOrgIDPByIDResponse, error) {
-	idp, err := s.query.IDPByIDAndResourceOwner(ctx, req.Id, authz.GetCtxData(ctx).OrgID)
+	idp, err := s.query.IDPByIDAndResourceOwner(ctx, true, req.Id, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
@@ -80,7 +80,7 @@ func (s *Server) ReactivateOrgIDP(ctx context.Context, req *mgmt_pb.ReactivateOr
 }

 func (s *Server) RemoveOrgIDP(ctx context.Context, req *mgmt_pb.RemoveOrgIDPRequest) (*mgmt_pb.RemoveOrgIDPResponse, error) {
-	idp, err := s.query.IDPByIDAndResourceOwner(ctx, req.IdpId, authz.GetCtxData(ctx).OrgID)
+	idp, err := s.query.IDPByIDAndResourceOwner(ctx, true, req.IdpId, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/org.go
+++ b/internal/api/grpc/management/org.go
@@ -16,7 +16,7 @@ import (
 )

 func (s *Server) GetMyOrg(ctx context.Context, req *mgmt_pb.GetMyOrgRequest) (*mgmt_pb.GetMyOrgResponse, error) {
-	org, err := s.query.OrgByID(ctx, authz.GetCtxData(ctx).OrgID)
+	org, err := s.query.OrgByID(ctx, true, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
@@ -99,7 +99,7 @@ func (s *Server) ReactivateOrg(ctx context.Context, req *mgmt_pb.ReactivateOrgRe
 }

 func (s *Server) GetDomainPolicy(ctx context.Context, req *mgmt_pb.GetDomainPolicyRequest) (*mgmt_pb.GetDomainPolicyResponse, error) {
-	policy, err := s.query.DomainPolicyByOrg(ctx, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.DomainPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
@@ -109,7 +109,7 @@ func (s *Server) GetDomainPolicy(ctx context.Context, req *mgmt_pb.GetDomainPoli
 }

 func (s *Server) GetOrgIAMPolicy(ctx context.Context, _ *mgmt_pb.GetOrgIAMPolicyRequest) (*mgmt_pb.GetOrgIAMPolicyResponse, error) {
-	policy, err := s.query.DomainPolicyByOrg(ctx, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.DomainPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
@@ -209,11 +209,11 @@ func (s *Server) SetPrimaryOrgDomain(ctx context.Context, req *mgmt_pb.SetPrimar
 }

 func (s *Server) ListOrgMemberRoles(ctx context.Context, _ *mgmt_pb.ListOrgMemberRolesRequest) (*mgmt_pb.ListOrgMemberRolesResponse, error) {
-	iam, err := s.query.Instance(ctx)
+	instance, err := s.query.Instance(ctx, false)
 	if err != nil {
 		return nil, err
 	}
-	roles := s.query.GetOrgMemberRoles(authz.GetCtxData(ctx).OrgID == iam.DefaultOrgID)
+	roles := s.query.GetOrgMemberRoles(authz.GetCtxData(ctx).OrgID == instance.DefaultOrgID)
 	return &mgmt_pb.ListOrgMemberRolesResponse{
 		Result: roles,
 	}, nil
--- a/internal/api/grpc/management/policy_lockout.go
+++ b/internal/api/grpc/management/policy_lockout.go
@@ -10,7 +10,7 @@ import (
 )

 func (s *Server) GetLockoutPolicy(ctx context.Context, req *mgmt_pb.GetLockoutPolicyRequest) (*mgmt_pb.GetLockoutPolicyResponse, error) {
-	policy, err := s.query.LockoutPolicyByOrg(ctx, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.LockoutPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/policy_login.go
+++ b/internal/api/grpc/management/policy_login.go
@@ -14,7 +14,7 @@ import (
 )

 func (s *Server) GetLoginPolicy(ctx context.Context, req *mgmt_pb.GetLoginPolicyRequest) (*mgmt_pb.GetLoginPolicyResponse, error) {
-	policy, err := s.query.LoginPolicyByID(ctx, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.LoginPolicyByID(ctx, true, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/policy_password_age.go
+++ b/internal/api/grpc/management/policy_password_age.go
@@ -10,7 +10,7 @@ import (
 )

 func (s *Server) GetPasswordAgePolicy(ctx context.Context, req *mgmt_pb.GetPasswordAgePolicyRequest) (*mgmt_pb.GetPasswordAgePolicyResponse, error) {
-	policy, err := s.query.PasswordAgePolicyByOrg(ctx, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.PasswordAgePolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
@@ -21,7 +21,7 @@ func (s *Server) GetPasswordAgePolicy(ctx context.Context, req *mgmt_pb.GetPassw
 }

 func (s *Server) GetDefaultPasswordAgePolicy(ctx context.Context, req *mgmt_pb.GetDefaultPasswordAgePolicyRequest) (*mgmt_pb.GetDefaultPasswordAgePolicyResponse, error) {
-	policy, err := s.query.DefaultPasswordAgePolicy(ctx)
+	policy, err := s.query.DefaultPasswordAgePolicy(ctx, true)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/policy_password_complexity.go
+++ b/internal/api/grpc/management/policy_password_complexity.go
@@ -10,7 +10,7 @@ import (
 )

 func (s *Server) GetPasswordComplexityPolicy(ctx context.Context, req *mgmt_pb.GetPasswordComplexityPolicyRequest) (*mgmt_pb.GetPasswordComplexityPolicyResponse, error) {
-	policy, err := s.query.PasswordComplexityPolicyByOrg(ctx, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.PasswordComplexityPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
@@ -18,7 +18,7 @@ func (s *Server) GetPasswordComplexityPolicy(ctx context.Context, req *mgmt_pb.G
 }

 func (s *Server) GetDefaultPasswordComplexityPolicy(ctx context.Context, req *mgmt_pb.GetDefaultPasswordComplexityPolicyRequest) (*mgmt_pb.GetDefaultPasswordComplexityPolicyResponse, error) {
-	policy, err := s.query.DefaultPasswordComplexityPolicy(ctx)
+	policy, err := s.query.DefaultPasswordComplexityPolicy(ctx, true)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/policy_privacy.go
+++ b/internal/api/grpc/management/policy_privacy.go
@@ -10,7 +10,7 @@ import (
 )

 func (s *Server) GetPrivacyPolicy(ctx context.Context, _ *mgmt_pb.GetPrivacyPolicyRequest) (*mgmt_pb.GetPrivacyPolicyResponse, error) {
-	policy, err := s.query.PrivacyPolicyByOrg(ctx, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.PrivacyPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
@@ -18,7 +18,7 @@ func (s *Server) GetPrivacyPolicy(ctx context.Context, _ *mgmt_pb.GetPrivacyPoli
 }

 func (s *Server) GetDefaultPrivacyPolicy(ctx context.Context, _ *mgmt_pb.GetDefaultPrivacyPolicyRequest) (*mgmt_pb.GetDefaultPrivacyPolicyResponse, error) {
-	policy, err := s.query.DefaultPrivacyPolicy(ctx)
+	policy, err := s.query.DefaultPrivacyPolicy(ctx, true)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/project.go
+++ b/internal/api/grpc/management/project.go
@@ -13,7 +13,7 @@ import (
 )

 func (s *Server) GetProjectByID(ctx context.Context, req *mgmt_pb.GetProjectByIDRequest) (*mgmt_pb.GetProjectByIDResponse, error) {
-	project, err := s.query.ProjectByID(ctx, req.Id)
+	project, err := s.query.ProjectByID(ctx, true, req.Id)
 	if err != nil {
 		return nil, err
 	}
@@ -23,12 +23,12 @@ func (s *Server) GetProjectByID(ctx context.Context, req *mgmt_pb.GetProjectByID
 }

 func (s *Server) GetGrantedProjectByID(ctx context.Context, req *mgmt_pb.GetGrantedProjectByIDRequest) (*mgmt_pb.GetGrantedProjectByIDResponse, error) {
-	project, err := s.query.ProjectGrantByID(ctx, req.GrantId)
+	grant, err := s.query.ProjectGrantByID(ctx, true, req.GrantId)
 	if err != nil {
 		return nil, err
 	}
 	return &mgmt_pb.GetGrantedProjectByIDResponse{
-		GrantedProject: project_grpc.GrantedProjectViewToPb(project),
+		GrantedProject: project_grpc.GrantedProjectViewToPb(grant),
 	}, nil
 }

@@ -187,7 +187,7 @@ func (s *Server) ListProjectRoles(ctx context.Context, req *mgmt_pb.ListProjectR
 	if err != nil {
 		return nil, err
 	}
-	roles, err := s.query.SearchProjectRoles(ctx, queries)
+	roles, err := s.query.SearchProjectRoles(ctx, true, queries)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/project_application.go
+++ b/internal/api/grpc/management/project_application.go
@@ -14,7 +14,7 @@ import (
 )

 func (s *Server) GetAppByID(ctx context.Context, req *mgmt_pb.GetAppByIDRequest) (*mgmt_pb.GetAppByIDResponse, error) {
-	app, err := s.query.AppByProjectAndAppID(ctx, req.ProjectId, req.AppId)
+	app, err := s.query.AppByProjectAndAppID(ctx, true, req.ProjectId, req.AppId)
 	if err != nil {
 		return nil, err
 	}
@@ -204,7 +204,7 @@ func (s *Server) GetAppKey(ctx context.Context, req *mgmt_pb.GetAppKeyRequest) (
 	if err != nil {
 		return nil, err
 	}
-	key, err := s.query.GetAuthNKeyByID(ctx, req.KeyId, resourceOwner, aggregateID, objectID)
+	key, err := s.query.GetAuthNKeyByID(ctx, true, req.KeyId, resourceOwner, aggregateID, objectID)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/project_grant.go
+++ b/internal/api/grpc/management/project_grant.go
@@ -13,7 +13,7 @@ import (
 )

 func (s *Server) GetProjectGrantByID(ctx context.Context, req *mgmt_pb.GetProjectGrantByIDRequest) (*mgmt_pb.GetProjectGrantByIDResponse, error) {
-	grant, err := s.query.ProjectGrantByID(ctx, req.GrantId)
+	grant, err := s.query.ProjectGrantByID(ctx, true, req.GrantId)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/user.go
+++ b/internal/api/grpc/management/user.go
@@ -30,7 +30,7 @@ func (s *Server) GetUserByID(ctx context.Context, req *mgmt_pb.GetUserByIDReques
 	if err != nil {
 		return nil, err
 	}
-	user, err := s.query.GetUserByID(ctx, req.Id, owner)
+	user, err := s.query.GetUserByID(ctx, true, req.Id, owner)
 	if err != nil {
 		return nil, err
 	}
@@ -86,7 +86,7 @@ func (s *Server) ListUserChanges(ctx context.Context, req *mgmt_pb.ListUserChang

 func (s *Server) IsUserUnique(ctx context.Context, req *mgmt_pb.IsUserUniqueRequest) (*mgmt_pb.IsUserUniqueResponse, error) {
 	orgID := authz.GetCtxData(ctx).OrgID
-	policy, err := s.query.DomainPolicyByOrg(ctx, orgID)
+	policy, err := s.query.DomainPolicyByOrg(ctx, true, orgID)
 	if err != nil {
 		return nil, err
 	}
@@ -111,7 +111,7 @@ func (s *Server) ListUserMetadata(ctx context.Context, req *mgmt_pb.ListUserMeta
 	if err != nil {
 		return nil, err
 	}
-	res, err := s.query.SearchUserMetadata(ctx, req.Id, metadataQueries)
+	res, err := s.query.SearchUserMetadata(ctx, true, req.Id, metadataQueries)
 	if err != nil {
 		return nil, err
 	}
@@ -126,7 +126,7 @@ func (s *Server) GetUserMetadata(ctx context.Context, req *mgmt_pb.GetUserMetada
 	if err != nil {
 		return nil, err
 	}
-	data, err := s.query.GetUserMetadataByKey(ctx, req.Id, req.Key, owner)
+	data, err := s.query.GetUserMetadataByKey(ctx, true, req.Id, req.Key, owner)
 	if err != nil {
 		return nil, err
 	}
@@ -704,7 +704,7 @@ func (s *Server) GetMachineKeyByIDs(ctx context.Context, req *mgmt_pb.GetMachine
 	if err != nil {
 		return nil, err
 	}
-	key, err := s.query.GetAuthNKeyByID(ctx, req.KeyId, resourceOwner, aggregateID)
+	key, err := s.query.GetAuthNKeyByID(ctx, true, req.KeyId, resourceOwner, aggregateID)
 	if err != nil {
 		return nil, err
 	}
@@ -767,7 +767,7 @@ func (s *Server) GetPersonalAccessTokenByIDs(ctx context.Context, req *mgmt_pb.G
 	if err != nil {
 		return nil, err
 	}
-	token, err := s.query.PersonalAccessTokenByID(ctx, req.TokenId, resourceOwner, aggregateID)
+	token, err := s.query.PersonalAccessTokenByID(ctx, true, req.TokenId, resourceOwner, aggregateID)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/user_grant.go
+++ b/internal/api/grpc/management/user_grant.go
@@ -19,7 +19,7 @@ func (s *Server) GetUserGrantByID(ctx context.Context, req *mgmt_pb.GetUserGrant
 	if err != nil {
 		return nil, err
 	}
-	grant, err := s.query.UserGrant(ctx, idQuery, ownerQuery)
+	grant, err := s.query.UserGrant(ctx, true, idQuery, ownerQuery)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/system/instance.go
+++ b/internal/api/grpc/system/instance.go
@@ -31,7 +31,7 @@ func (s *Server) ListInstances(ctx context.Context, req *system_pb.ListInstances

 func (s *Server) GetInstance(ctx context.Context, req *system_pb.GetInstanceRequest) (*system_pb.GetInstanceResponse, error) {
 	ctx = authz.WithInstanceID(ctx, req.InstanceId)
-	instance, err := s.query.Instance(ctx)
+	instance, err := s.query.Instance(ctx, true)
 	if err != nil {
 		return nil, err
 	}
@@ -94,12 +94,14 @@ func (s *Server) ListDomains(ctx context.Context, req *system_pb.ListDomainsRequ
 }

 func (s *Server) AddDomain(ctx context.Context, req *system_pb.AddDomainRequest) (*system_pb.AddDomainResponse, error) {
+	//TODO: should be solved in interceptor
 	ctx = authz.WithInstanceID(ctx, req.InstanceId)
-	instance, err := s.query.Instance(ctx)
+	instance, err := s.query.Instance(ctx, true)
 	if err != nil {
 		return nil, err
 	}
 	ctx = authz.WithInstance(ctx, instance)
+
 	details, err := s.command.AddInstanceDomain(ctx, req.Domain)
 	if err != nil {
 		return nil, err
--- a/internal/api/oidc/auth_request.go
+++ b/internal/api/oidc/auth_request.go
@@ -201,7 +201,7 @@ func (o *OPStorage) assertProjectRoleScopes(ctx context.Context, clientID string
 	if err != nil {
 		return nil, errors.ThrowPreconditionFailed(nil, "OIDC-AEG4d", "Errors.Internal")
 	}
-	project, err := o.query.ProjectByID(ctx, projectID)
+	project, err := o.query.ProjectByID(ctx, false, projectID)
 	if err != nil {
 		return nil, errors.ThrowPreconditionFailed(nil, "OIDC-w4wIn", "Errors.Internal")
 	}
@@ -212,7 +212,7 @@ func (o *OPStorage) assertProjectRoleScopes(ctx context.Context, clientID string
 	if err != nil {
 		return nil, errors.ThrowInternal(err, "OIDC-Cyc78", "Errors.Internal")
 	}
-	roles, err := o.query.SearchProjectRoles(context.TODO(), &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectIDQuery}})
+	roles, err := o.query.SearchProjectRoles(ctx, true, &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectIDQuery}})
 	if err != nil {
 		return nil, err
 	}
@@ -232,7 +232,7 @@ func (o *OPStorage) assertClientScopesForPAT(ctx context.Context, token *model.T
 	if err != nil {
 		return errors.ThrowInternal(err, "OIDC-Cyc78", "Errors.Internal")
 	}
-	roles, err := o.query.SearchProjectRoles(context.TODO(), &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectIDQuery}})
+	roles, err := o.query.SearchProjectRoles(ctx, true, &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectIDQuery}})
 	if err != nil {
 		return err
 	}
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@@ -43,7 +43,7 @@ func (o *OPStorage) GetClientByClientID(ctx context.Context, id string) (_ op.Cl
 	if err != nil {
 		return nil, errors.ThrowInternal(err, "OIDC-mPxqP", "Errors.Internal")
 	}
-	projectRoles, err := o.query.SearchProjectRoles(ctx, &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectIDQuery}})
+	projectRoles, err := o.query.SearchProjectRoles(ctx, true, &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectIDQuery}})
 	if err != nil {
 		return nil, err
 	}
@@ -77,7 +77,7 @@ func (o *OPStorage) GetKeyByIDAndIssuer(ctx context.Context, keyID, issuer strin
 }

 func (o *OPStorage) ValidateJWTProfileScopes(ctx context.Context, subject string, scopes []string) ([]string, error) {
-	user, err := o.query.GetUserByID(ctx, subject)
+	user, err := o.query.GetUserByID(ctx, true, subject)
 	if err != nil {
 		return nil, err
 	}
@@ -185,7 +185,7 @@ func (o *OPStorage) SetIntrospectionFromToken(ctx context.Context, introspection
 func (o *OPStorage) setUserinfo(ctx context.Context, userInfo oidc.UserInfoSetter, userID, applicationID string, scopes []string) (err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
-	user, err := o.query.GetUserByID(ctx, userID)
+	user, err := o.query.GetUserByID(ctx, true, userID)
 	if err != nil {
 		return err
 	}
@@ -328,7 +328,7 @@ func (o *OPStorage) assertRoles(ctx context.Context, userID, applicationID strin
 }

 func (o *OPStorage) assertUserMetaData(ctx context.Context, userID string) (map[string]string, error) {
-	metaData, err := o.query.SearchUserMetadata(ctx, userID, &query.UserMetadataSearchQueries{})
+	metaData, err := o.query.SearchUserMetadata(ctx, true, userID, &query.UserMetadataSearchQueries{})
 	if err != nil {
 		return nil, err
 	}
@@ -341,11 +341,11 @@ func (o *OPStorage) assertUserMetaData(ctx context.Context, userID string) (map[
 }

 func (o *OPStorage) assertUserResourceOwner(ctx context.Context, userID string) (map[string]string, error) {
-	user, err := o.query.GetUserByID(ctx, userID)
+	user, err := o.query.GetUserByID(ctx, true, userID)
 	if err != nil {
 		return nil, err
 	}
-	resourceOwner, err := o.query.OrgByID(ctx, user.ResourceOwner)
+	resourceOwner, err := o.query.OrgByID(ctx, true, user.ResourceOwner)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/ui/login/password_complexity_policy_handler.go
+++ b/internal/api/ui/login/password_complexity_policy_handler.go
@@ -33,7 +33,7 @@ func (l *Login) getPasswordComplexityPolicy(r *http.Request, authReq *domain.Aut
 }

 func (l *Login) getPasswordComplexityPolicyByUserID(r *http.Request, authReq *domain.AuthRequest, userID string) (*iam_model.PasswordComplexityPolicyView, string, error) {
-	user, err := l.query.GetUserByID(r.Context(), userID)
+	user, err := l.query.GetUserByID(r.Context(), false, userID)
 	if err != nil {
 		return nil, "", nil
 	}
--- a/internal/api/ui/login/policy_handler.go
+++ b/internal/api/ui/login/policy_handler.go
@@ -15,7 +15,7 @@ func (l *Login) getOrgDomainPolicy(r *http.Request, orgID string) (*query.Domain
 	if orgID == "" {
 		return l.query.DefaultDomainPolicy(r.Context())
 	}
-	return l.query.DomainPolicyByOrg(r.Context(), orgID)
+	return l.query.DomainPolicyByOrg(r.Context(), false, orgID)
 }

 func (l *Login) getIDPConfigByID(r *http.Request, idpConfigID string) (*iam_model.IDPConfigView, error) {
@@ -26,5 +26,5 @@ func (l *Login) getLoginPolicy(r *http.Request, orgID string) (*query.LoginPolic
 	if orgID == "" {
 		return l.query.DefaultLoginPolicy(r.Context())
 	}
-	return l.query.LoginPolicyByID(r.Context(), orgID)
+	return l.query.LoginPolicyByID(r.Context(), false, orgID)
 }
--- a/internal/api/ui/login/renderer.go
+++ b/internal/api/ui/login/renderer.go
@@ -369,7 +369,7 @@ func (l *Login) getBaseData(r *http.Request, authReq *domain.AuthRequest, title
 		if labelPolicy != nil {
 			baseData.LabelPolicy = labelPolicy.ToDomain()
 		}
-		policy, err := l.query.DefaultPrivacyPolicy(r.Context())
+		policy, err := l.query.DefaultPrivacyPolicy(r.Context(), false)
 		if err != nil {
 			return baseData
 		}
@@ -498,7 +498,7 @@ func (l *Login) getOrgPrimaryDomain(r *http.Request, authReq *domain.AuthRequest
 	if authReq != nil && authReq.RequestedPrimaryDomain != "" {
 		return authReq.RequestedPrimaryDomain
 	}
-	org, err := l.query.OrgByID(r.Context(), orgID)
+	org, err := l.query.OrgByID(r.Context(), false, orgID)
 	if err != nil {
 		logging.New().WithError(err).Error("cannot get default org")
 		return ""