feat: setup (#1166)

* add setup steps * refactoring * omitempty * cleanup * begin org * create org * setup org * setup org * merge * fixes * fixes * fixes * add project * add oidc application * fix app creation * add resourceOwner to writemodels * resource owner * cleanup * global org, iam project and iam member in setup * logs * logs * logs * cleanup * Update internal/v2/command/project.go Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * check project state Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-08-11 18:17:35 +00:00 · 2021-01-12 12:59:51 +01:00
parent ff87264f95
commit e5731b0d3b
97 changed files with 1664 additions and 698 deletions
--- a/internal/v2/command/command.go
+++ b/internal/v2/command/command.go
@@ -14,18 +14,18 @@ import (
 type CommandSide struct {
 	eventstore  *eventstore.Eventstore
 	idGenerator id.Generator
-	iamID       string
 	iamDomain   string

 	idpConfigSecretCrypto crypto.Crypto

-	userPasswordAlg          crypto.HashAlgorithm
-	initializeUserCode       crypto.Generator
-	emailVerificationCode    crypto.Generator
-	phoneVerificationCode    crypto.Generator
-	passwordVerificationCode crypto.Generator
-	machineKeyAlg            crypto.EncryptionAlgorithm
-	machineKeySize           int
+	userPasswordAlg            crypto.HashAlgorithm
+	initializeUserCode         crypto.Generator
+	emailVerificationCode      crypto.Generator
+	phoneVerificationCode      crypto.Generator
+	passwordVerificationCode   crypto.Generator
+	machineKeyAlg              crypto.EncryptionAlgorithm
+	machineKeySize             int
+	applicationSecretGenerator crypto.Generator
 }

 type Config struct {
@@ -37,34 +37,37 @@ func StartCommandSide(config *Config) (repo *CommandSide, err error) {
 	repo = &CommandSide{
 		eventstore:  config.Eventstore,
 		idGenerator: id.SonyFlakeGenerator,
-		iamID:       config.SystemDefaults.IamID,
 		iamDomain:   config.SystemDefaults.Domain,
 	}
 	iam_repo.RegisterEventMappers(repo.eventstore)

+	//TODO: simplify!!!!
 	repo.idpConfigSecretCrypto, err = crypto.NewAESCrypto(config.SystemDefaults.IDPConfigVerificationKey)
 	if err != nil {
 		return nil, err
 	}
-	aesCrypto, err := crypto.NewAESCrypto(config.SystemDefaults.UserVerificationKey)
+	userEncryptionAlgorithm, err := crypto.NewAESCrypto(config.SystemDefaults.UserVerificationKey)
 	if err != nil {
 		return nil, err
 	}
-	repo.initializeUserCode = crypto.NewEncryptionGenerator(config.SystemDefaults.SecretGenerators.InitializeUserCode, aesCrypto)
-	repo.emailVerificationCode = crypto.NewEncryptionGenerator(config.SystemDefaults.SecretGenerators.EmailVerificationCode, aesCrypto)
-	repo.phoneVerificationCode = crypto.NewEncryptionGenerator(config.SystemDefaults.SecretGenerators.PhoneVerificationCode, aesCrypto)
-	repo.passwordVerificationCode = crypto.NewEncryptionGenerator(config.SystemDefaults.SecretGenerators.PasswordVerificationCode, aesCrypto)
+	repo.initializeUserCode = crypto.NewEncryptionGenerator(config.SystemDefaults.SecretGenerators.InitializeUserCode, userEncryptionAlgorithm)
+	repo.emailVerificationCode = crypto.NewEncryptionGenerator(config.SystemDefaults.SecretGenerators.EmailVerificationCode, userEncryptionAlgorithm)
+	repo.phoneVerificationCode = crypto.NewEncryptionGenerator(config.SystemDefaults.SecretGenerators.PhoneVerificationCode, userEncryptionAlgorithm)
+	repo.passwordVerificationCode = crypto.NewEncryptionGenerator(config.SystemDefaults.SecretGenerators.PasswordVerificationCode, userEncryptionAlgorithm)
 	repo.userPasswordAlg = crypto.NewBCrypt(config.SystemDefaults.SecretGenerators.PasswordSaltCost)
-	repo.machineKeyAlg = aesCrypto
+	repo.machineKeyAlg = userEncryptionAlgorithm
 	repo.machineKeySize = int(config.SystemDefaults.SecretGenerators.MachineKeySize)
+
+	passwordAlg := crypto.NewBCrypt(config.SystemDefaults.SecretGenerators.PasswordSaltCost)
+	repo.applicationSecretGenerator = crypto.NewHashGenerator(config.SystemDefaults.SecretGenerators.ClientSecretGenerator, passwordAlg)
 	return repo, nil
 }

-func (r *CommandSide) iamByID(ctx context.Context, id string) (_ *IAMWriteModel, err error) {
+func (r *CommandSide) getIAMWriteModel(ctx context.Context) (_ *IAMWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel := NewIAMWriteModel(id)
+	writeModel := NewIAMWriteModel()
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/iam.go
+++ b/internal/v2/command/iam.go
@@ -3,15 +3,41 @@ package command
 import (
 	"context"

+	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/v2/domain"
+	"github.com/caos/zitadel/internal/v2/repository/iam"
 )

 //TODO: private
-func (r *CommandSide) GetIAM(ctx context.Context, aggregateID string) (*domain.IAM, error) {
-	iamWriteModel := NewIAMWriteModel(aggregateID)
+func (r *CommandSide) GetIAM(ctx context.Context) (*domain.IAM, error) {
+	iamWriteModel := NewIAMWriteModel()
 	err := r.eventstore.FilterToQueryReducer(ctx, iamWriteModel)
 	if err != nil {
 		return nil, err
 	}
 	return writeModelToIAM(iamWriteModel), nil
 }
+
+func (r *CommandSide) setGlobalOrg(ctx context.Context, iamAgg *iam.Aggregate, iamWriteModel *IAMWriteModel, orgID string) error {
+	err := r.eventstore.FilterToQueryReducer(ctx, iamWriteModel)
+	if err != nil {
+		return err
+	}
+	if iamWriteModel.GlobalOrgID != "" {
+		return caos_errs.ThrowPreconditionFailed(nil, "IAM-HGG24", "Errors.IAM.GlobalOrgAlreadySet")
+	}
+	iamAgg.PushEvents(iam.NewGlobalOrgSetEventEvent(ctx, orgID))
+	return nil
+}
+
+func (r *CommandSide) setIAMProject(ctx context.Context, iamAgg *iam.Aggregate, iamWriteModel *IAMWriteModel, projectID string) error {
+	err := r.eventstore.FilterToQueryReducer(ctx, iamWriteModel)
+	if err != nil {
+		return err
+	}
+	if iamWriteModel.ProjectID != "" {
+		return caos_errs.ThrowPreconditionFailed(nil, "IAM-EGbw2", "Errors.IAM.IAMProjectAlreadySet")
+	}
+	iamAgg.PushEvents(iam.NewIAMProjectSetEvent(ctx, projectID))
+	return nil
+}
--- a/internal/v2/command/iam_idp_config.go
+++ b/internal/v2/command/iam_idp_config.go
@@ -22,7 +22,7 @@ func (r *CommandSide) AddDefaultIDPConfig(ctx context.Context, config *domain.ID
 		return nil, err
 	}
 	//TODO: check name unique on aggregate
-	addedConfig := NewIAMIDPConfigWriteModel(config.AggregateID, idpConfigID)
+	addedConfig := NewIAMIDPConfigWriteModel(idpConfigID)

 	clientSecret, err := crypto.Crypt([]byte(config.OIDCConfig.ClientSecretString), r.idpConfigSecretCrypto)
 	if err != nil {
@@ -58,7 +58,7 @@ func (r *CommandSide) AddDefaultIDPConfig(ctx context.Context, config *domain.ID
 }

 func (r *CommandSide) ChangeDefaultIDPConfig(ctx context.Context, config *domain.IDPConfig) (*domain.IDPConfig, error) {
-	existingIDP, err := r.iamIDPConfigWriteModelByID(ctx, config.AggregateID, config.IDPConfigID)
+	existingIDP, err := r.iamIDPConfigWriteModelByID(ctx, config.IDPConfigID)
 	if err != nil {
 		return nil, err
 	}
@@ -81,7 +81,7 @@ func (r *CommandSide) ChangeDefaultIDPConfig(ctx context.Context, config *domain
 }

 func (r *CommandSide) DeactivateDefaultIDPConfig(ctx context.Context, idpID string) (*domain.IDPConfig, error) {
-	existingIDP, err := r.iamIDPConfigWriteModelByID(ctx, r.iamID, idpID)
+	existingIDP, err := r.iamIDPConfigWriteModelByID(ctx, idpID)
 	if err != nil {
 		return nil, err
 	}
@@ -99,7 +99,7 @@ func (r *CommandSide) DeactivateDefaultIDPConfig(ctx context.Context, idpID stri
 }

 func (r *CommandSide) ReactivateDefaultIDPConfig(ctx context.Context, idpID string) (*domain.IDPConfig, error) {
-	existingIDP, err := r.iamIDPConfigWriteModelByID(ctx, r.iamID, idpID)
+	existingIDP, err := r.iamIDPConfigWriteModelByID(ctx, idpID)
 	if err != nil {
 		return nil, err
 	}
@@ -117,8 +117,8 @@ func (r *CommandSide) ReactivateDefaultIDPConfig(ctx context.Context, idpID stri
 	return writeModelToIDPConfig(existingIDP), nil
 }

-func (r *CommandSide) RemoveDefaultIDPConfig(ctx context.Context, iamID, idpID string) (*domain.IDPConfig, error) {
-	writeModel, err := r.pushDefaultIDPWriteModel(ctx, iamID, idpID, func(a *iam.Aggregate, _ *IAMIDPConfigWriteModel) *iam.Aggregate {
+func (r *CommandSide) RemoveDefaultIDPConfig(ctx context.Context, idpID string) (*domain.IDPConfig, error) {
+	writeModel, err := r.pushDefaultIDPWriteModel(ctx, idpID, func(a *iam.Aggregate, _ *IAMIDPConfigWriteModel) *iam.Aggregate {
 		a.Aggregate = *a.PushEvents(iam_repo.NewIDPConfigRemovedEvent(ctx, idpID))
 		return a
 	})
@@ -129,8 +129,8 @@ func (r *CommandSide) RemoveDefaultIDPConfig(ctx context.Context, iamID, idpID s
 	return writeModelToIDPConfig(writeModel), nil
 }

-func (r *CommandSide) pushDefaultIDPWriteModel(ctx context.Context, iamID, idpID string, eventSetter func(*iam.Aggregate, *IAMIDPConfigWriteModel) *iam.Aggregate) (*IAMIDPConfigWriteModel, error) {
-	writeModel := NewIAMIDPConfigWriteModel(iamID, idpID)
+func (r *CommandSide) pushDefaultIDPWriteModel(ctx context.Context, idpID string, eventSetter func(*iam.Aggregate, *IAMIDPConfigWriteModel) *iam.Aggregate) (*IAMIDPConfigWriteModel, error) {
+	writeModel := NewIAMIDPConfigWriteModel(idpID)
 	err := r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
@@ -145,11 +145,11 @@ func (r *CommandSide) pushDefaultIDPWriteModel(ctx context.Context, iamID, idpID
 	return writeModel, nil
 }

-func (r *CommandSide) iamIDPConfigWriteModelByID(ctx context.Context, iamID, idpID string) (policy *IAMIDPConfigWriteModel, err error) {
+func (r *CommandSide) iamIDPConfigWriteModelByID(ctx context.Context, idpID string) (policy *IAMIDPConfigWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel := NewIAMIDPConfigWriteModel(iamID, idpID)
+	writeModel := NewIAMIDPConfigWriteModel(idpID)
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/iam_idp_config_model.go
+++ b/internal/v2/command/iam_idp_config_model.go
@@ -2,6 +2,7 @@ package command

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/iam"
@@ -11,11 +12,12 @@ type IAMIDPConfigWriteModel struct {
 	IDPConfigWriteModel
 }

-func NewIAMIDPConfigWriteModel(iamID, configID string) *IAMIDPConfigWriteModel {
+func NewIAMIDPConfigWriteModel(configID string) *IAMIDPConfigWriteModel {
 	return &IAMIDPConfigWriteModel{
 		IDPConfigWriteModel{
 			WriteModel: eventstore.WriteModel{
-				AggregateID: iamID,
+				AggregateID:   domain.IAMID,
+				ResourceOwner: domain.IAMID,
 			},
 			ConfigID: configID,
 		},
@@ -24,7 +26,8 @@ func NewIAMIDPConfigWriteModel(iamID, configID string) *IAMIDPConfigWriteModel {

 func (wm *IAMIDPConfigWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, iam.AggregateType).
-		AggregateIDs(wm.AggregateID)
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 func (wm *IAMIDPConfigWriteModel) AppendEvents(events ...eventstore.EventReader) {
--- a/internal/v2/command/iam_idp_oidc_config.go
+++ b/internal/v2/command/iam_idp_oidc_config.go
@@ -7,7 +7,7 @@ import (
 )

 func (r *CommandSide) ChangeDefaultIDPOIDCConfig(ctx context.Context, config *domain.OIDCIDPConfig) (*domain.OIDCIDPConfig, error) {
-	existingConfig := NewIDPOIDCConfigWriteModel(config.AggregateID, config.IDPConfigID)
+	existingConfig := NewIAMIDPOIDCConfigWriteModel(config.IDPConfigID)
 	err := r.eventstore.FilterToQueryReducer(ctx, existingConfig)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/iam_idp_oidc_config_model.go
+++ b/internal/v2/command/iam_idp_oidc_config_model.go
@@ -2,22 +2,24 @@ package command

 import (
 	"context"
+	"reflect"
+
 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/iam"
-	"reflect"
 )

 type IDPOIDCConfigWriteModel struct {
 	OIDCConfigWriteModel
 }

-func NewIDPOIDCConfigWriteModel(iamID, idpConfigID string) *IDPOIDCConfigWriteModel {
+func NewIAMIDPOIDCConfigWriteModel(idpConfigID string) *IDPOIDCConfigWriteModel {
 	return &IDPOIDCConfigWriteModel{
 		OIDCConfigWriteModel{
 			WriteModel: eventstore.WriteModel{
-				AggregateID: iamID,
+				AggregateID:   domain.IAMID,
+				ResourceOwner: domain.IAMID,
 			},
 			IDPConfigID: idpConfigID,
 		},
@@ -67,7 +69,8 @@ func (wm *IDPOIDCConfigWriteModel) Reduce() error {

 func (wm *IDPOIDCConfigWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, iam.AggregateType).
-		AggregateIDs(wm.AggregateID)
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 func (wm *IDPOIDCConfigWriteModel) NewChangedEvent(
--- a/internal/v2/command/iam_member.go
+++ b/internal/v2/command/iam_member.go
@@ -2,33 +2,22 @@ package command

 import (
 	"context"
-	"github.com/caos/zitadel/internal/v2/domain"
 	"reflect"

 	"github.com/caos/zitadel/internal/errors"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
+	"github.com/caos/zitadel/internal/v2/domain"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
 )

 func (r *CommandSide) AddIAMMember(ctx context.Context, member *domain.Member) (*domain.Member, error) {
-	//TODO: check if roles valid
-
-	if !member.IsValid() {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "IAM-W8m4l", "Errors.IAM.MemberInvalid")
-	}
-
-	addedMember := NewIAMMemberWriteModel(member.AggregateID, member.UserID)
-	err := r.eventstore.FilterToQueryReducer(ctx, addedMember)
+	addedMember := NewIAMMemberWriteModel(member.UserID)
+	iamAgg := IAMAggregateFromWriteModel(&addedMember.MemberWriteModel.WriteModel)
+	err := r.addIAMMember(ctx, iamAgg, addedMember, member)
 	if err != nil {
 		return nil, err
 	}
-	if addedMember.State == domain.MemberStateActive {
-		return nil, errors.ThrowAlreadyExists(nil, "IAM-PtXi1", "Errors.IAM.Member.AlreadyExists")
-	}
-
-	iamAgg := IAMAggregateFromWriteModel(&addedMember.MemberWriteModel.WriteModel)
-	iamAgg.PushEvents(iam_repo.NewMemberAddedEvent(ctx, member.UserID, member.Roles...))

 	err = r.eventstore.PushAggregate(ctx, addedMember, iamAgg)
 	if err != nil {
@@ -38,6 +27,26 @@ func (r *CommandSide) AddIAMMember(ctx context.Context, member *domain.Member) (
 	return memberWriteModelToMember(&addedMember.MemberWriteModel), nil
 }

+func (r *CommandSide) addIAMMember(ctx context.Context, iamAgg *iam_repo.Aggregate, addedMember *IAMMemberWriteModel, member *domain.Member) error {
+	//TODO: check if roles valid
+
+	if !member.IsValid() {
+		return caos_errs.ThrowPreconditionFailed(nil, "IAM-GR34U", "Errors.IAM.MemberInvalid")
+	}
+
+	err := r.eventstore.FilterToQueryReducer(ctx, addedMember)
+	if err != nil {
+		return err
+	}
+	if addedMember.State == domain.MemberStateActive {
+		return errors.ThrowAlreadyExists(nil, "IAM-sdgQ4", "Errors.IAM.Member.AlreadyExists")
+	}
+
+	iamAgg.PushEvents(iam_repo.NewMemberAddedEvent(ctx, member.UserID, member.Roles...))
+
+	return nil
+}
+
 //ChangeIAMMember updates an existing member
 func (r *CommandSide) ChangeIAMMember(ctx context.Context, member *domain.Member) (*domain.Member, error) {
 	//TODO: check if roles valid
@@ -46,7 +55,7 @@ func (r *CommandSide) ChangeIAMMember(ctx context.Context, member *domain.Member
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "IAM-LiaZi", "Errors.IAM.MemberInvalid")
 	}

-	existingMember, err := r.iamMemberWriteModelByID(ctx, member.AggregateID, member.UserID)
+	existingMember, err := r.iamMemberWriteModelByID(ctx, member.UserID)
 	if err != nil {
 		return nil, err
 	}
@@ -71,7 +80,7 @@ func (r *CommandSide) ChangeIAMMember(ctx context.Context, member *domain.Member
 }

 func (r *CommandSide) RemoveIAMMember(ctx context.Context, userID string) error {
-	m, err := r.iamMemberWriteModelByID(ctx, r.iamID, userID)
+	m, err := r.iamMemberWriteModelByID(ctx, userID)
 	if err != nil && !errors.IsNotFound(err) {
 		return err
 	}
@@ -85,11 +94,11 @@ func (r *CommandSide) RemoveIAMMember(ctx context.Context, userID string) error
 	return r.eventstore.PushAggregate(ctx, m, iamAgg)
 }

-func (r *CommandSide) iamMemberWriteModelByID(ctx context.Context, iamID, userID string) (member *IAMMemberWriteModel, err error) {
+func (r *CommandSide) iamMemberWriteModelByID(ctx context.Context, userID string) (member *IAMMemberWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel := NewIAMMemberWriteModel(iamID, userID)
+	writeModel := NewIAMMemberWriteModel(userID)
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/iam_member_model.go
+++ b/internal/v2/command/iam_member_model.go
@@ -2,6 +2,7 @@ package command

 import (
 	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/iam"
 )

@@ -9,11 +10,12 @@ type IAMMemberWriteModel struct {
 	MemberWriteModel
 }

-func NewIAMMemberWriteModel(iamID, userID string) *IAMMemberWriteModel {
+func NewIAMMemberWriteModel(userID string) *IAMMemberWriteModel {
 	return &IAMMemberWriteModel{
 		MemberWriteModel{
 			WriteModel: eventstore.WriteModel{
-				AggregateID: iamID,
+				AggregateID:   domain.IAMID,
+				ResourceOwner: domain.IAMID,
 			},
 			UserID: userID,
 		},
@@ -48,5 +50,5 @@ func (wm *IAMMemberWriteModel) Reduce() error {

 func (wm *IAMMemberWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, iam.AggregateType).
-		AggregateIDs(wm.MemberWriteModel.AggregateID)
+		AggregateIDs(wm.MemberWriteModel.AggregateID).ResourceOwner(wm.ResourceOwner)
 }
--- a/internal/v2/command/iam_model.go
+++ b/internal/v2/command/iam_model.go
@@ -16,10 +16,11 @@ type IAMWriteModel struct {
 	ProjectID   string
 }

-func NewIAMWriteModel(iamID string) *IAMWriteModel {
+func NewIAMWriteModel() *IAMWriteModel {
 	return &IAMWriteModel{
 		WriteModel: eventstore.WriteModel{
-			AggregateID: iamID,
+			AggregateID:   domain.IAMID,
+			ResourceOwner: domain.IAMID,
 		},
 	}
 }
@@ -56,7 +57,8 @@ func (wm *IAMWriteModel) Reduce() error {

 func (wm *IAMWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, iam.AggregateType).
-		AggregateIDs(wm.AggregateID)
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 //
--- a/internal/v2/command/iam_policy_label.go
+++ b/internal/v2/command/iam_policy_label.go
@@ -9,8 +9,7 @@ import (
 )

 func (r *CommandSide) AddDefaultLabelPolicy(ctx context.Context, policy *domain.LabelPolicy) (*domain.LabelPolicy, error) {
-	policy.AggregateID = r.iamID
-	addedPolicy := NewIAMLabelPolicyWriteModel(policy.AggregateID)
+	addedPolicy := NewIAMLabelPolicyWriteModel()
 	iamAgg := IAMAggregateFromWriteModel(&addedPolicy.LabelPolicyWriteModel.WriteModel)
 	err := r.addDefaultLabelPolicy(ctx, nil, addedPolicy, policy)
 	if err != nil {
@@ -40,8 +39,7 @@ func (r *CommandSide) addDefaultLabelPolicy(ctx context.Context, iamAgg *iam_rep
 }

 func (r *CommandSide) ChangeDefaultLabelPolicy(ctx context.Context, policy *domain.LabelPolicy) (*domain.LabelPolicy, error) {
-	policy.AggregateID = r.iamID
-	existingPolicy, err := r.defaultLabelPolicyWriteModelByID(ctx, policy.AggregateID)
+	existingPolicy, err := r.defaultLabelPolicyWriteModelByID(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -66,11 +64,11 @@ func (r *CommandSide) ChangeDefaultLabelPolicy(ctx context.Context, policy *doma
 	return writeModelToLabelPolicy(existingPolicy), nil
 }

-func (r *CommandSide) defaultLabelPolicyWriteModelByID(ctx context.Context, iamID string) (policy *IAMLabelPolicyWriteModel, err error) {
+func (r *CommandSide) defaultLabelPolicyWriteModelByID(ctx context.Context) (policy *IAMLabelPolicyWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel := NewIAMLabelPolicyWriteModel(iamID)
+	writeModel := NewIAMLabelPolicyWriteModel()
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/iam_policy_label_model.go
+++ b/internal/v2/command/iam_policy_label_model.go
@@ -2,7 +2,9 @@ package command

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/iam"
 )

@@ -10,11 +12,12 @@ type IAMLabelPolicyWriteModel struct {
 	LabelPolicyWriteModel
 }

-func NewIAMLabelPolicyWriteModel(iamID string) *IAMLabelPolicyWriteModel {
+func NewIAMLabelPolicyWriteModel() *IAMLabelPolicyWriteModel {
 	return &IAMLabelPolicyWriteModel{
 		LabelPolicyWriteModel{
 			WriteModel: eventstore.WriteModel{
-				AggregateID: iamID,
+				AggregateID:   domain.IAMID,
+				ResourceOwner: domain.IAMID,
 			},
 		},
 	}
@@ -37,7 +40,8 @@ func (wm *IAMLabelPolicyWriteModel) Reduce() error {

 func (wm *IAMLabelPolicyWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, iam.AggregateType).
-		AggregateIDs(wm.LabelPolicyWriteModel.AggregateID)
+		AggregateIDs(wm.LabelPolicyWriteModel.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 func (wm *IAMLabelPolicyWriteModel) NewChangedEvent(
--- a/internal/v2/command/iam_policy_login.go
+++ b/internal/v2/command/iam_policy_login.go
@@ -11,7 +11,7 @@ import (
 )

 func (r *CommandSide) GetDefaultLoginPolicy(ctx context.Context) (*domain.LoginPolicy, error) {
-	policyWriteModel := NewIAMLoginPolicyWriteModel(r.iamID)
+	policyWriteModel := NewIAMLoginPolicyWriteModel()
 	err := r.eventstore.FilterToQueryReducer(ctx, policyWriteModel)
 	if err != nil {
 		return nil, err
@@ -22,8 +22,7 @@ func (r *CommandSide) GetDefaultLoginPolicy(ctx context.Context) (*domain.LoginP
 }

 func (r *CommandSide) AddDefaultLoginPolicy(ctx context.Context, policy *domain.LoginPolicy) (*domain.LoginPolicy, error) {
-	policy.AggregateID = r.iamID
-	addedPolicy := NewIAMLoginPolicyWriteModel(policy.AggregateID)
+	addedPolicy := NewIAMLoginPolicyWriteModel()
 	iamAgg := IAMAggregateFromWriteModel(&addedPolicy.WriteModel)
 	err := r.addDefaultLoginPolicy(ctx, nil, addedPolicy, policy)
 	if err != nil {
@@ -52,8 +51,7 @@ func (r *CommandSide) addDefaultLoginPolicy(ctx context.Context, iamAgg *iam_rep
 }

 func (r *CommandSide) ChangeDefaultLoginPolicy(ctx context.Context, policy *domain.LoginPolicy) (*domain.LoginPolicy, error) {
-	policy.AggregateID = r.iamID
-	existingPolicy := NewIAMLoginPolicyWriteModel(r.iamID)
+	existingPolicy := NewIAMLoginPolicyWriteModel()
 	iamAgg := IAMAggregateFromWriteModel(&existingPolicy.LoginPolicyWriteModel.WriteModel)
 	err := r.changeDefaultLoginPolicy(ctx, iamAgg, existingPolicy, policy)
 	if err != nil {
@@ -68,7 +66,6 @@ func (r *CommandSide) ChangeDefaultLoginPolicy(ctx context.Context, policy *doma
 }

 func (r *CommandSide) changeDefaultLoginPolicy(ctx context.Context, iamAgg *iam_repo.Aggregate, existingPolicy *IAMLoginPolicyWriteModel, policy *domain.LoginPolicy) error {
-	policy.AggregateID = r.iamID
 	err := r.defaultLoginPolicyWriteModelByID(ctx, existingPolicy)
 	if err != nil {
 		return err
@@ -86,8 +83,7 @@ func (r *CommandSide) changeDefaultLoginPolicy(ctx context.Context, iamAgg *iam_
 }

 func (r *CommandSide) AddIDPProviderToDefaultLoginPolicy(ctx context.Context, idpProvider *domain.IDPProvider) (*domain.IDPProvider, error) {
-	idpProvider.AggregateID = r.iamID
-	idpModel := NewIAMIdentityProviderWriteModel(idpProvider.AggregateID, idpProvider.IDPConfigID)
+	idpModel := NewIAMIdentityProviderWriteModel(idpProvider.IDPConfigID)
 	err := r.eventstore.FilterToQueryReducer(ctx, idpModel)
 	if err != nil {
 		return nil, err
@@ -107,8 +103,7 @@ func (r *CommandSide) AddIDPProviderToDefaultLoginPolicy(ctx context.Context, id
 }

 func (r *CommandSide) RemoveIDPProviderFromDefaultLoginPolicy(ctx context.Context, idpProvider *iam_model.IDPProvider) error {
-	idpProvider.AggregateID = r.iamID
-	idpModel := NewIAMIdentityProviderWriteModel(idpProvider.AggregateID, idpProvider.IDPConfigID)
+	idpModel := NewIAMIdentityProviderWriteModel(idpProvider.IDPConfigID)
 	err := r.eventstore.FilterToQueryReducer(ctx, idpModel)
 	if err != nil {
 		return err
@@ -123,7 +118,7 @@ func (r *CommandSide) RemoveIDPProviderFromDefaultLoginPolicy(ctx context.Contex
 }

 func (r *CommandSide) AddSecondFactorToDefaultLoginPolicy(ctx context.Context, secondFactor iam_model.SecondFactorType) (iam_model.SecondFactorType, error) {
-	secondFactorModel := NewIAMSecondFactorWriteModel(r.iamID)
+	secondFactorModel := NewIAMSecondFactorWriteModel()
 	iamAgg := IAMAggregateFromWriteModel(&secondFactorModel.SecondFactorWriteModel.WriteModel)
 	err := r.addSecondFactorToDefaultLoginPolicy(ctx, nil, secondFactorModel, secondFactor)
 	if err != nil {
@@ -153,7 +148,7 @@ func (r *CommandSide) addSecondFactorToDefaultLoginPolicy(ctx context.Context, i
 }

 func (r *CommandSide) RemoveSecondFactorFromDefaultLoginPolicy(ctx context.Context, secondFactor iam_model.SecondFactorType) error {
-	secondFactorModel := NewIAMSecondFactorWriteModel(r.iamID)
+	secondFactorModel := NewIAMSecondFactorWriteModel()
 	err := r.eventstore.FilterToQueryReducer(ctx, secondFactorModel)
 	if err != nil {
 		return err
@@ -168,7 +163,7 @@ func (r *CommandSide) RemoveSecondFactorFromDefaultLoginPolicy(ctx context.Conte
 }

 func (r *CommandSide) AddMultiFactorToDefaultLoginPolicy(ctx context.Context, multiFactor iam_model.MultiFactorType) (iam_model.MultiFactorType, error) {
-	multiFactorModel := NewIAMMultiFactorWriteModel(r.iamID)
+	multiFactorModel := NewIAMMultiFactorWriteModel()
 	iamAgg := IAMAggregateFromWriteModel(&multiFactorModel.MultiFactoryWriteModel.WriteModel)
 	err := r.addMultiFactorToDefaultLoginPolicy(ctx, iamAgg, multiFactorModel, multiFactor)
 	if err != nil {
@@ -197,7 +192,7 @@ func (r *CommandSide) addMultiFactorToDefaultLoginPolicy(ctx context.Context, ia
 }

 func (r *CommandSide) RemoveMultiFactorFromDefaultLoginPolicy(ctx context.Context, multiFactor iam_model.MultiFactorType) error {
-	multiFactorModel := NewIAMMultiFactorWriteModel(r.iamID)
+	multiFactorModel := NewIAMMultiFactorWriteModel()
 	err := r.eventstore.FilterToQueryReducer(ctx, multiFactorModel)
 	if err != nil {
 		return err
--- a/internal/v2/command/iam_policy_login_factors_model.go
+++ b/internal/v2/command/iam_policy_login_factors_model.go
@@ -2,6 +2,7 @@ package command

 import (
 	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/iam"
 )

@@ -9,11 +10,12 @@ type IAMSecondFactorWriteModel struct {
 	SecondFactorWriteModel
 }

-func NewIAMSecondFactorWriteModel(iamID string) *IAMSecondFactorWriteModel {
+func NewIAMSecondFactorWriteModel() *IAMSecondFactorWriteModel {
 	return &IAMSecondFactorWriteModel{
 		SecondFactorWriteModel{
 			WriteModel: eventstore.WriteModel{
-				AggregateID: iamID,
+				AggregateID:   domain.IAMID,
+				ResourceOwner: domain.IAMID,
 			},
 		},
 	}
@@ -34,18 +36,20 @@ func (wm *IAMSecondFactorWriteModel) Reduce() error {

 func (wm *IAMSecondFactorWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, iam.AggregateType).
-		AggregateIDs(wm.WriteModel.AggregateID)
+		AggregateIDs(wm.WriteModel.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 type IAMMultiFactorWriteModel struct {
 	MultiFactoryWriteModel
 }

-func NewIAMMultiFactorWriteModel(iamID string) *IAMMultiFactorWriteModel {
+func NewIAMMultiFactorWriteModel() *IAMMultiFactorWriteModel {
 	return &IAMMultiFactorWriteModel{
 		MultiFactoryWriteModel{
 			WriteModel: eventstore.WriteModel{
-				AggregateID: iamID,
+				AggregateID:   domain.IAMID,
+				ResourceOwner: domain.IAMID,
 			},
 		},
 	}
@@ -66,5 +70,6 @@ func (wm *IAMMultiFactorWriteModel) Reduce() error {

 func (wm *IAMMultiFactorWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, iam.AggregateType).
-		AggregateIDs(wm.WriteModel.AggregateID)
+		AggregateIDs(wm.WriteModel.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }
--- a/internal/v2/command/iam_policy_login_identity_provider_model.go
+++ b/internal/v2/command/iam_policy_login_identity_provider_model.go
@@ -2,6 +2,7 @@ package command

 import (
 	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/iam"
 )

@@ -9,11 +10,12 @@ type IAMIdentityProviderWriteModel struct {
 	IdentityProviderWriteModel
 }

-func NewIAMIdentityProviderWriteModel(iamID, idpConfigID string) *IAMIdentityProviderWriteModel {
+func NewIAMIdentityProviderWriteModel(idpConfigID string) *IAMIdentityProviderWriteModel {
 	return &IAMIdentityProviderWriteModel{
 		IdentityProviderWriteModel: IdentityProviderWriteModel{
 			WriteModel: eventstore.WriteModel{
-				AggregateID: iamID,
+				AggregateID:   domain.IAMID,
+				ResourceOwner: domain.IAMID,
 			},
 			IDPConfigID: idpConfigID,
 		},
@@ -38,5 +40,6 @@ func (wm *IAMIdentityProviderWriteModel) Reduce() error {

 func (wm *IAMIdentityProviderWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, iam.AggregateType).
-		AggregateIDs(wm.AggregateID)
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }
--- a/internal/v2/command/iam_policy_login_model.go
+++ b/internal/v2/command/iam_policy_login_model.go
@@ -2,6 +2,7 @@ package command

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/iam"
@@ -11,11 +12,12 @@ type IAMLoginPolicyWriteModel struct {
 	LoginPolicyWriteModel
 }

-func NewIAMLoginPolicyWriteModel(iamID string) *IAMLoginPolicyWriteModel {
+func NewIAMLoginPolicyWriteModel() *IAMLoginPolicyWriteModel {
 	return &IAMLoginPolicyWriteModel{
 		LoginPolicyWriteModel{
 			WriteModel: eventstore.WriteModel{
-				AggregateID: iamID,
+				AggregateID:   domain.IAMID,
+				ResourceOwner: domain.IAMID,
 			},
 		},
 	}
@@ -42,7 +44,8 @@ func (wm *IAMLoginPolicyWriteModel) Reduce() error {

 func (wm *IAMLoginPolicyWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, iam.AggregateType).
-		AggregateIDs(wm.LoginPolicyWriteModel.AggregateID)
+		AggregateIDs(wm.LoginPolicyWriteModel.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 func (wm *IAMLoginPolicyWriteModel) NewChangedEvent(
--- a/internal/v2/command/iam_policy_org_iam.go
+++ b/internal/v2/command/iam_policy_org_iam.go
@@ -9,8 +9,7 @@ import (
 )

 func (r *CommandSide) AddDefaultOrgIAMPolicy(ctx context.Context, policy *domain.OrgIAMPolicy) (*domain.OrgIAMPolicy, error) {
-	policy.AggregateID = r.iamID
-	addedPolicy := NewIAMOrgIAMPolicyWriteModel(policy.AggregateID)
+	addedPolicy := NewIAMOrgIAMPolicyWriteModel()
 	iamAgg := IAMAggregateFromWriteModel(&addedPolicy.WriteModel)
 	err := r.addDefaultOrgIAMPolicy(ctx, nil, addedPolicy, policy)
 	if err != nil {
@@ -39,8 +38,7 @@ func (r *CommandSide) addDefaultOrgIAMPolicy(ctx context.Context, iamAgg *iam_re
 }

 func (r *CommandSide) ChangeDefaultOrgIAMPolicy(ctx context.Context, policy *domain.OrgIAMPolicy) (*domain.OrgIAMPolicy, error) {
-	policy.AggregateID = r.iamID
-	existingPolicy, err := r.defaultOrgIAMPolicyWriteModelByID(ctx, policy.AggregateID)
+	existingPolicy, err := r.defaultOrgIAMPolicyWriteModelByID(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -65,7 +63,7 @@ func (r *CommandSide) ChangeDefaultOrgIAMPolicy(ctx context.Context, policy *dom
 }

 func (r *CommandSide) getDefaultOrgIAMPolicy(ctx context.Context) (*domain.OrgIAMPolicy, error) {
-	policyWriteModel, err := r.defaultOrgIAMPolicyWriteModelByID(ctx, r.iamID)
+	policyWriteModel, err := r.defaultOrgIAMPolicyWriteModelByID(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -74,11 +72,11 @@ func (r *CommandSide) getDefaultOrgIAMPolicy(ctx context.Context) (*domain.OrgIA
 	return policy, nil
 }

-func (r *CommandSide) defaultOrgIAMPolicyWriteModelByID(ctx context.Context, iamID string) (policy *IAMOrgIAMPolicyWriteModel, err error) {
+func (r *CommandSide) defaultOrgIAMPolicyWriteModelByID(ctx context.Context) (policy *IAMOrgIAMPolicyWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel := NewIAMOrgIAMPolicyWriteModel(iamID)
+	writeModel := NewIAMOrgIAMPolicyWriteModel()
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/iam_policy_org_iam_model.go
+++ b/internal/v2/command/iam_policy_org_iam_model.go
@@ -2,7 +2,9 @@ package command

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/iam"
 )

@@ -10,11 +12,12 @@ type IAMOrgIAMPolicyWriteModel struct {
 	PolicyOrgIAMWriteModel
 }

-func NewIAMOrgIAMPolicyWriteModel(iamID string) *IAMOrgIAMPolicyWriteModel {
+func NewIAMOrgIAMPolicyWriteModel() *IAMOrgIAMPolicyWriteModel {
 	return &IAMOrgIAMPolicyWriteModel{
 		PolicyOrgIAMWriteModel{
 			WriteModel: eventstore.WriteModel{
-				AggregateID: iamID,
+				AggregateID:   domain.IAMID,
+				ResourceOwner: domain.IAMID,
 			},
 		},
 	}
@@ -37,7 +40,8 @@ func (wm *IAMOrgIAMPolicyWriteModel) Reduce() error {

 func (wm *IAMOrgIAMPolicyWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, iam.AggregateType).
-		AggregateIDs(wm.PolicyOrgIAMWriteModel.AggregateID)
+		AggregateIDs(wm.PolicyOrgIAMWriteModel.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 func (wm *IAMOrgIAMPolicyWriteModel) NewChangedEvent(ctx context.Context, userLoginMustBeDomain bool) (*iam.OrgIAMPolicyChangedEvent, bool) {
--- a/internal/v2/command/iam_policy_password_age.go
+++ b/internal/v2/command/iam_policy_password_age.go
@@ -9,8 +9,7 @@ import (
 )

 func (r *CommandSide) AddDefaultPasswordAgePolicy(ctx context.Context, policy *domain.PasswordAgePolicy) (*domain.PasswordAgePolicy, error) {
-	policy.AggregateID = r.iamID
-	addedPolicy := NewIAMPasswordAgePolicyWriteModel(policy.AggregateID)
+	addedPolicy := NewIAMPasswordAgePolicyWriteModel()
 	iamAgg := IAMAggregateFromWriteModel(&addedPolicy.WriteModel)
 	err := r.addDefaultPasswordAgePolicy(ctx, nil, addedPolicy, policy)
 	if err != nil {
@@ -40,8 +39,7 @@ func (r *CommandSide) addDefaultPasswordAgePolicy(ctx context.Context, iamAgg *i
 }

 func (r *CommandSide) ChangeDefaultPasswordAgePolicy(ctx context.Context, policy *domain.PasswordAgePolicy) (*domain.PasswordAgePolicy, error) {
-	policy.AggregateID = r.iamID
-	existingPolicy, err := r.defaultPasswordAgePolicyWriteModelByID(ctx, policy.AggregateID)
+	existingPolicy, err := r.defaultPasswordAgePolicyWriteModelByID(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -65,11 +63,11 @@ func (r *CommandSide) ChangeDefaultPasswordAgePolicy(ctx context.Context, policy
 	return writeModelToPasswordAgePolicy(existingPolicy), nil
 }

-func (r *CommandSide) defaultPasswordAgePolicyWriteModelByID(ctx context.Context, iamID string) (policy *IAMPasswordAgePolicyWriteModel, err error) {
+func (r *CommandSide) defaultPasswordAgePolicyWriteModelByID(ctx context.Context) (policy *IAMPasswordAgePolicyWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel := NewIAMPasswordAgePolicyWriteModel(iamID)
+	writeModel := NewIAMPasswordAgePolicyWriteModel()
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/iam_policy_password_age_model.go
+++ b/internal/v2/command/iam_policy_password_age_model.go
@@ -2,7 +2,9 @@ package command

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/iam"
 )

@@ -10,11 +12,12 @@ type IAMPasswordAgePolicyWriteModel struct {
 	PasswordAgePolicyWriteModel
 }

-func NewIAMPasswordAgePolicyWriteModel(iamID string) *IAMPasswordAgePolicyWriteModel {
+func NewIAMPasswordAgePolicyWriteModel() *IAMPasswordAgePolicyWriteModel {
 	return &IAMPasswordAgePolicyWriteModel{
 		PasswordAgePolicyWriteModel{
 			WriteModel: eventstore.WriteModel{
-				AggregateID: iamID,
+				AggregateID:   domain.IAMID,
+				ResourceOwner: domain.IAMID,
 			},
 		},
 	}
@@ -37,7 +40,8 @@ func (wm *IAMPasswordAgePolicyWriteModel) Reduce() error {

 func (wm *IAMPasswordAgePolicyWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, iam.AggregateType).
-		AggregateIDs(wm.PasswordAgePolicyWriteModel.AggregateID)
+		AggregateIDs(wm.PasswordAgePolicyWriteModel.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 func (wm *IAMPasswordAgePolicyWriteModel) NewChangedEvent(ctx context.Context, expireWarnDays, maxAgeDays uint64) (*iam.PasswordAgePolicyChangedEvent, bool) {
--- a/internal/v2/command/iam_policy_password_complexity.go
+++ b/internal/v2/command/iam_policy_password_complexity.go
@@ -9,7 +9,7 @@ import (
 )

 func (r *CommandSide) GetDefaultPasswordComplexityPolicy(ctx context.Context) (*domain.PasswordComplexityPolicy, error) {
-	policyWriteModel := NewIAMPasswordComplexityPolicyWriteModel(r.iamID)
+	policyWriteModel := NewIAMPasswordComplexityPolicyWriteModel()
 	err := r.eventstore.FilterToQueryReducer(ctx, policyWriteModel)
 	if err != nil {
 		return nil, err
@@ -20,8 +20,7 @@ func (r *CommandSide) GetDefaultPasswordComplexityPolicy(ctx context.Context) (*
 }

 func (r *CommandSide) AddDefaultPasswordComplexityPolicy(ctx context.Context, policy *domain.PasswordComplexityPolicy) (*domain.PasswordComplexityPolicy, error) {
-	policy.AggregateID = r.iamID
-	addedPolicy := NewIAMPasswordComplexityPolicyWriteModel(policy.AggregateID)
+	addedPolicy := NewIAMPasswordComplexityPolicyWriteModel()
 	iamAgg := IAMAggregateFromWriteModel(&addedPolicy.WriteModel)
 	err := r.addDefaultPasswordComplexityPolicy(ctx, iamAgg, addedPolicy, policy)
 	if err != nil {
@@ -55,12 +54,11 @@ func (r *CommandSide) addDefaultPasswordComplexityPolicy(ctx context.Context, ia
 }

 func (r *CommandSide) ChangeDefaultPasswordComplexityPolicy(ctx context.Context, policy *domain.PasswordComplexityPolicy) (*domain.PasswordComplexityPolicy, error) {
-	policy.AggregateID = r.iamID
 	if err := policy.IsValid(); err != nil {
 		return nil, err
 	}

-	existingPolicy, err := r.defaultPasswordComplexityPolicyWriteModelByID(ctx, policy.AggregateID)
+	existingPolicy, err := r.defaultPasswordComplexityPolicyWriteModelByID(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -83,11 +81,11 @@ func (r *CommandSide) ChangeDefaultPasswordComplexityPolicy(ctx context.Context,
 	return writeModelToPasswordComplexityPolicy(existingPolicy), nil
 }

-func (r *CommandSide) defaultPasswordComplexityPolicyWriteModelByID(ctx context.Context, iamID string) (policy *IAMPasswordComplexityPolicyWriteModel, err error) {
+func (r *CommandSide) defaultPasswordComplexityPolicyWriteModelByID(ctx context.Context) (policy *IAMPasswordComplexityPolicyWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel := NewIAMPasswordComplexityPolicyWriteModel(iamID)
+	writeModel := NewIAMPasswordComplexityPolicyWriteModel()
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/iam_policy_password_complexity_model.go
+++ b/internal/v2/command/iam_policy_password_complexity_model.go
@@ -2,7 +2,9 @@ package command

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/iam"
 )

@@ -10,11 +12,12 @@ type IAMPasswordComplexityPolicyWriteModel struct {
 	PasswordComplexityPolicyWriteModel
 }

-func NewIAMPasswordComplexityPolicyWriteModel(iamID string) *IAMPasswordComplexityPolicyWriteModel {
+func NewIAMPasswordComplexityPolicyWriteModel() *IAMPasswordComplexityPolicyWriteModel {
 	return &IAMPasswordComplexityPolicyWriteModel{
 		PasswordComplexityPolicyWriteModel{
 			WriteModel: eventstore.WriteModel{
-				AggregateID: iamID,
+				AggregateID:   domain.IAMID,
+				ResourceOwner: domain.IAMID,
 			},
 		},
 	}
@@ -37,7 +40,8 @@ func (wm *IAMPasswordComplexityPolicyWriteModel) Reduce() error {

 func (wm *IAMPasswordComplexityPolicyWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, iam.AggregateType).
-		AggregateIDs(wm.PasswordComplexityPolicyWriteModel.AggregateID)
+		AggregateIDs(wm.PasswordComplexityPolicyWriteModel.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 func (wm *IAMPasswordComplexityPolicyWriteModel) NewChangedEvent(
--- a/internal/v2/command/iam_policy_password_lockout.go
+++ b/internal/v2/command/iam_policy_password_lockout.go
@@ -9,8 +9,7 @@ import (
 )

 func (r *CommandSide) AddDefaultPasswordLockoutPolicy(ctx context.Context, policy *domain.PasswordLockoutPolicy) (*domain.PasswordLockoutPolicy, error) {
-	policy.AggregateID = r.iamID
-	addedPolicy := NewIAMPasswordLockoutPolicyWriteModel(policy.AggregateID)
+	addedPolicy := NewIAMPasswordLockoutPolicyWriteModel()
 	iamAgg := IAMAggregateFromWriteModel(&addedPolicy.WriteModel)
 	err := r.addDefaultPasswordLockoutPolicy(ctx, nil, addedPolicy, policy)
 	if err != nil {
@@ -40,8 +39,7 @@ func (r *CommandSide) addDefaultPasswordLockoutPolicy(ctx context.Context, iamAg
 }

 func (r *CommandSide) ChangeDefaultPasswordLockoutPolicy(ctx context.Context, policy *domain.PasswordLockoutPolicy) (*domain.PasswordLockoutPolicy, error) {
-	policy.AggregateID = r.iamID
-	existingPolicy, err := r.defaultPasswordLockoutPolicyWriteModelByID(ctx, policy.AggregateID)
+	existingPolicy, err := r.defaultPasswordLockoutPolicyWriteModelByID(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -65,11 +63,11 @@ func (r *CommandSide) ChangeDefaultPasswordLockoutPolicy(ctx context.Context, po
 	return writeModelToPasswordLockoutPolicy(existingPolicy), nil
 }

-func (r *CommandSide) defaultPasswordLockoutPolicyWriteModelByID(ctx context.Context, iamID string) (policy *IAMPasswordLockoutPolicyWriteModel, err error) {
+func (r *CommandSide) defaultPasswordLockoutPolicyWriteModelByID(ctx context.Context) (policy *IAMPasswordLockoutPolicyWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel := NewIAMPasswordLockoutPolicyWriteModel(iamID)
+	writeModel := NewIAMPasswordLockoutPolicyWriteModel()
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/iam_policy_password_lockout_model.go
+++ b/internal/v2/command/iam_policy_password_lockout_model.go
@@ -2,7 +2,9 @@ package command

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/iam"
 )

@@ -10,11 +12,12 @@ type IAMPasswordLockoutPolicyWriteModel struct {
 	PasswordLockoutPolicyWriteModel
 }

-func NewIAMPasswordLockoutPolicyWriteModel(iamID string) *IAMPasswordLockoutPolicyWriteModel {
+func NewIAMPasswordLockoutPolicyWriteModel() *IAMPasswordLockoutPolicyWriteModel {
 	return &IAMPasswordLockoutPolicyWriteModel{
 		PasswordLockoutPolicyWriteModel{
 			WriteModel: eventstore.WriteModel{
-				AggregateID: iamID,
+				AggregateID:   domain.IAMID,
+				ResourceOwner: domain.IAMID,
 			},
 		},
 	}
@@ -37,7 +40,8 @@ func (wm *IAMPasswordLockoutPolicyWriteModel) Reduce() error {

 func (wm *IAMPasswordLockoutPolicyWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, iam.AggregateType).
-		AggregateIDs(wm.PasswordLockoutPolicyWriteModel.AggregateID)
+		AggregateIDs(wm.PasswordLockoutPolicyWriteModel.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 func (wm *IAMPasswordLockoutPolicyWriteModel) NewChangedEvent(ctx context.Context, maxAttempts uint64, showLockoutFailure bool) (*iam.PasswordLockoutPolicyChangedEvent, bool) {
--- a/internal/v2/command/org.go
+++ b/internal/v2/command/org.go
@@ -32,7 +32,7 @@ func (r *CommandSide) setUpOrg(ctx context.Context, organisation *domain.Org, ad

 	addedMember := NewOrgMemberWriteModel(orgAgg.ID(), userAgg.ID())
 	orgMemberAgg := OrgAggregateFromWriteModel(&addedMember.WriteModel)
-	err = r.addOrgMember(ctx, orgMemberAgg, addedMember, domain.NewMember(orgMemberAgg.ID(), userAgg.ID(), domain.OrgOwnerRole)) //TODO: correct?
+	err = r.addOrgMember(ctx, orgMemberAgg, addedMember, domain.NewMember(orgMemberAgg.ID(), userAgg.ID(), domain.RoleOrgOwner))
 	if err != nil {
 		return nil, nil, nil, err
 	}
--- a/internal/v2/command/org_domain_model.go
+++ b/internal/v2/command/org_domain_model.go
@@ -22,7 +22,8 @@ type OrgDomainWriteModel struct {
 func NewOrgDomainWriteModel(orgID string, domain string) *OrgDomainWriteModel {
 	return &OrgDomainWriteModel{
 		WriteModel: eventstore.WriteModel{
-			AggregateID: orgID,
+			AggregateID:   orgID,
+			ResourceOwner: orgID,
 		},
 		Domain: domain,
 	}
@@ -86,5 +87,6 @@ func (wm *OrgDomainWriteModel) Reduce() error {

 func (wm *OrgDomainWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, org.AggregateType).
-		AggregateIDs(wm.AggregateID)
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }
--- a/internal/v2/command/org_member_model.go
+++ b/internal/v2/command/org_member_model.go
@@ -13,7 +13,8 @@ func NewOrgMemberWriteModel(orgID, userID string) *OrgMemberWriteModel {
 	return &OrgMemberWriteModel{
 		MemberWriteModel{
 			WriteModel: eventstore.WriteModel{
-				AggregateID: orgID,
+				AggregateID:   orgID,
+				ResourceOwner: orgID,
 			},
 			UserID: userID,
 		},
@@ -48,5 +49,6 @@ func (wm *OrgMemberWriteModel) Reduce() error {

 func (wm *OrgMemberWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, org.AggregateType).
-		AggregateIDs(wm.MemberWriteModel.AggregateID)
+		AggregateIDs(wm.MemberWriteModel.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }
--- a/internal/v2/command/org_model.go
+++ b/internal/v2/command/org_model.go
@@ -17,7 +17,8 @@ type OrgWriteModel struct {
 func NewOrgWriteModel(orgID string) *OrgWriteModel {
 	return &OrgWriteModel{
 		WriteModel: eventstore.WriteModel{
-			AggregateID: orgID,
+			AggregateID:   orgID,
+			ResourceOwner: orgID,
 		},
 	}
 }
@@ -48,7 +49,8 @@ func (wm *OrgWriteModel) Reduce() error {

 func (wm *OrgWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, org.AggregateType).
-		AggregateIDs(wm.AggregateID)
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 func OrgAggregateFromWriteModel(wm *eventstore.WriteModel) *org.Aggregate {
--- a/internal/v2/command/org_policy_org_iam_model.go
+++ b/internal/v2/command/org_policy_org_iam_model.go
@@ -2,6 +2,7 @@ package command

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/v2/repository/org"
 )
@@ -14,7 +15,8 @@ func NewORGOrgIAMPolicyWriteModel(orgID string) *ORGOrgIAMPolicyWriteModel {
 	return &ORGOrgIAMPolicyWriteModel{
 		PolicyOrgIAMWriteModel{
 			WriteModel: eventstore.WriteModel{
-				AggregateID: orgID,
+				AggregateID:   orgID,
+				ResourceOwner: orgID,
 			},
 		},
 	}
@@ -37,7 +39,8 @@ func (wm *ORGOrgIAMPolicyWriteModel) Reduce() error {

 func (wm *ORGOrgIAMPolicyWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, org.AggregateType).
-		AggregateIDs(wm.PolicyOrgIAMWriteModel.AggregateID)
+		AggregateIDs(wm.PolicyOrgIAMWriteModel.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 func (wm *ORGOrgIAMPolicyWriteModel) NewChangedEvent(ctx context.Context, userLoginMustBeDomain bool) (*org.OrgIAMPolicyChangedEvent, bool) {
--- a/internal/v2/command/org_policy_password_complexity_model.go
+++ b/internal/v2/command/org_policy_password_complexity_model.go
@@ -2,6 +2,7 @@ package command

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/v2/repository/org"
 )
@@ -10,11 +11,12 @@ type OrgPasswordComplexityPolicyWriteModel struct {
 	PasswordComplexityPolicyWriteModel
 }

-func NewOrgPasswordComplexityPolicyWriteModel(iamID string) *OrgPasswordComplexityPolicyWriteModel {
+func NewOrgPasswordComplexityPolicyWriteModel(orgID string) *OrgPasswordComplexityPolicyWriteModel {
 	return &OrgPasswordComplexityPolicyWriteModel{
 		PasswordComplexityPolicyWriteModel{
 			WriteModel: eventstore.WriteModel{
-				AggregateID: iamID,
+				AggregateID:   orgID,
+				ResourceOwner: orgID,
 			},
 		},
 	}
@@ -37,7 +39,8 @@ func (wm *OrgPasswordComplexityPolicyWriteModel) Reduce() error {

 func (wm *OrgPasswordComplexityPolicyWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, org.AggregateType).
-		AggregateIDs(wm.PasswordComplexityPolicyWriteModel.AggregateID)
+		AggregateIDs(wm.PasswordComplexityPolicyWriteModel.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 func (wm *OrgPasswordComplexityPolicyWriteModel) NewChangedEvent(
--- a/internal/v2/command/project.go
+++ b/internal/v2/command/project.go
@@ -0,0 +1,65 @@
+package command
+
+import (
+	"context"
+
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/v2/domain"
+	"github.com/caos/zitadel/internal/v2/repository/project"
+)
+
+func (r *CommandSide) AddProject(ctx context.Context, project *domain.Project, resourceOwner, ownerUserID string) (_ *domain.Project, err error) {
+	projectAgg, addedProject, err := r.addProject(ctx, project, resourceOwner, ownerUserID)
+	if err != nil {
+		return nil, err
+	}
+	err = r.eventstore.PushAggregate(ctx, addedProject, projectAgg)
+	if err != nil {
+		return nil, err
+	}
+
+	return projectWriteModelToProject(addedProject), nil
+}
+
+func (r *CommandSide) addProject(ctx context.Context, projectAdd *domain.Project, resourceOwner, ownerUserID string) (_ *project.Aggregate, _ *ProjectWriteModel, err error) {
+	if !projectAdd.IsValid() {
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "PROJECT-IOVCC", "Errors.Project.Invalid")
+	}
+	projectAdd.AggregateID, err = r.idGenerator.Next()
+	if err != nil {
+		return nil, nil, err
+	}
+// TODO: Add uniqueness check
+	addedProject := NewProjectWriteModel(projectAdd.AggregateID, resourceOwner)
+	projectAgg := ProjectAggregateFromWriteModel(&addedProject.WriteModel)
+
+	projectRole := domain.RoleOrgOwner
+	//if global { //TODO: !
+	//	projectRole = domain.RoleProjectOwnerGlobal
+	//}
+	projectAgg.PushEvents(
+		project.NewProjectAddedEvent(ctx, projectAdd.Name),
+		project.NewMemberAddedEvent(ctx, ownerUserID, projectRole),
+	)
+	return projectAgg, addedProject, nil
+}
+
+func (r *CommandSide) getProjectByID(ctx context.Context, projectID, resourceOwner string) (*domain.Project, error) {
+	projectWriteModel, err := r.getProjectWriteModelByID(ctx, projectID, resourceOwner)
+	if err != nil {
+		return nil, err
+	}
+	if projectWriteModel.State == domain.ProjectStateUnspecified || projectWriteModel.State == domain.ProjectStateRemoved {
+		return nil, caos_errs.ThrowNotFound(nil, "PROJECT-Gd2hh", "Errors.Project.NotFound")
+	}
+	return projectWriteModelToProject(projectWriteModel), nil
+}
+
+func (r *CommandSide) getProjectWriteModelByID(ctx context.Context, projectID, resourceOwner string) (*ProjectWriteModel, error) {
+	projectWriteModel := NewProjectWriteModel(projectID, resourceOwner)
+	err := r.eventstore.FilterToQueryReducer(ctx, projectWriteModel)
+	if err != nil {
+		return nil, err
+	}
+	return projectWriteModel, nil
+}
--- a/internal/v2/command/project_application.go
+++ b/internal/v2/command/project_application.go
@@ -0,0 +1,73 @@
+package command
+
+import (
+	"context"
+
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/v2/domain"
+	"github.com/caos/zitadel/internal/v2/repository/project"
+)
+
+func (r *CommandSide) AddApplication(ctx context.Context, application *domain.Application, resourceOwner string) (_ *domain.Application, err error) {
+	project, err := r.getProjectByID(ctx, application.AggregateID, resourceOwner)
+	if err != nil {
+		return nil, err
+	}
+	addedApplication := NewApplicationWriteModel(application.AggregateID, resourceOwner)
+	projectAgg := ProjectAggregateFromWriteModel(&addedApplication.WriteModel)
+	err = r.addApplication(ctx, projectAgg, project, application)
+	if err != nil {
+		return nil, err
+	}
+	err = r.eventstore.PushAggregate(ctx, addedApplication, projectAgg)
+	if err != nil {
+		return nil, err
+	}
+
+	return applicationWriteModelToApplication(addedApplication), nil
+}
+
+func (r *CommandSide) addApplication(ctx context.Context, projectAgg *project.Aggregate, proj *domain.Project, application *domain.Application) (err error) {
+	if !application.IsValid(true) {
+		return caos_errs.ThrowPreconditionFailed(nil, "PROJECT-Bff2g", "Errors.Application.Invalid")
+	}
+	application.AppID, err = r.idGenerator.Next()
+	if err != nil {
+		return err
+	}
+
+	projectAgg.PushEvents(project.NewApplicationAddedEvent(ctx, application.AppID, application.Name, application.Type))
+
+	var stringPw string
+	if application.OIDCConfig != nil {
+		application.OIDCConfig.AppID = application.AppID
+		err = application.OIDCConfig.GenerateNewClientID(r.idGenerator, proj)
+		if err != nil {
+			return err
+		}
+		stringPw, err = application.OIDCConfig.GenerateClientSecretIfNeeded(r.applicationSecretGenerator)
+		if err != nil {
+			return err
+		}
+		projectAgg.PushEvents(project.NewOIDCConfigAddedEvent(ctx,
+			application.OIDCConfig.OIDCVersion,
+			application.OIDCConfig.AppID,
+			application.OIDCConfig.ClientID,
+			application.OIDCConfig.ClientSecret,
+			application.OIDCConfig.RedirectUris,
+			application.OIDCConfig.ResponseTypes,
+			application.OIDCConfig.GrantTypes,
+			application.OIDCConfig.ApplicationType,
+			application.OIDCConfig.AuthMethodType,
+			application.OIDCConfig.PostLogoutRedirectUris,
+			application.OIDCConfig.DevMode,
+			application.OIDCConfig.AccessTokenType,
+			application.OIDCConfig.AccessTokenRoleAssertion,
+			application.OIDCConfig.IDTokenRoleAssertion,
+			application.OIDCConfig.IDTokenUserinfoAssertion,
+			application.OIDCConfig.ClockSkew))
+	}
+	_ = stringPw
+
+	return nil
+}
--- a/internal/v2/command/project_application_model.go
+++ b/internal/v2/command/project_application_model.go
@@ -0,0 +1,55 @@
+package command
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/domain"
+	"github.com/caos/zitadel/internal/v2/repository/project"
+)
+
+type ApplicationWriteModel struct {
+	eventstore.WriteModel
+
+	AppID      string
+	State      domain.AppState
+	Name       string
+	Type       domain.AppType
+	OIDCConfig *domain.OIDCConfig
+}
+
+func NewApplicationWriteModel(projectID, resourceOwner string) *ApplicationWriteModel {
+	return &ApplicationWriteModel{
+		WriteModel: eventstore.WriteModel{
+			AggregateID:   projectID,
+			ResourceOwner: resourceOwner,
+		},
+	}
+}
+
+func (wm *ApplicationWriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *project.ApplicationAddedEvent:
+			wm.WriteModel.AppendEvents(e)
+		}
+	}
+}
+
+func (wm *ApplicationWriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *project.ApplicationAddedEvent:
+			wm.Name = e.Name
+			wm.State = domain.AppStateActive
+			//case *project.ApplicationChangedEvent:
+			//	wm.Name = e.Name
+		}
+	}
+	return nil
+}
+
+func (wm *ApplicationWriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, project.AggregateType).
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
+}
--- a/internal/v2/command/project_converter.go
+++ b/internal/v2/command/project_converter.go
@@ -0,0 +1,25 @@
+package command
+
+import (
+	"github.com/caos/zitadel/internal/v2/domain"
+)
+
+func projectWriteModelToProject(writeModel *ProjectWriteModel) *domain.Project {
+	return &domain.Project{
+		ObjectRoot:           writeModelToObjectRoot(writeModel.WriteModel),
+		Name:                 writeModel.Name,
+		ProjectRoleAssertion: writeModel.ProjectRoleAssertion,
+		ProjectRoleCheck:     writeModel.ProjectRoleCheck,
+	}
+}
+
+func applicationWriteModelToApplication(writeModel *ApplicationWriteModel) *domain.Application {
+	return &domain.Application{
+		ObjectRoot: writeModelToObjectRoot(writeModel.WriteModel),
+		AppID:      writeModel.AggregateID,
+		State:      writeModel.State,
+		Name:       writeModel.Name,
+		Type:       writeModel.Type,
+		//TODO: OIDC Config
+	}
+}
--- a/internal/v2/command/project_member.go
+++ b/internal/v2/command/project_member.go
@@ -0,0 +1,112 @@
+package command
+
+import (
+	"context"
+	"reflect"
+
+	"github.com/caos/zitadel/internal/errors"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/telemetry/tracing"
+	"github.com/caos/zitadel/internal/v2/domain"
+	"github.com/caos/zitadel/internal/v2/repository/project"
+)
+
+func (r *CommandSide) AddProjectMember(ctx context.Context, member *domain.Member, resourceOwner string) (*domain.Member, error) {
+	addedMember := NewProjectMemberWriteModel(member.AggregateID, member.UserID, resourceOwner)
+	projectAgg := ProjectAggregateFromWriteModel(&addedMember.WriteModel)
+	err := r.addProjectMember(ctx, projectAgg, addedMember, member)
+	if err != nil {
+		return nil, err
+	}
+
+	err = r.eventstore.PushAggregate(ctx, addedMember, projectAgg)
+	if err != nil {
+		return nil, err
+	}
+
+	return memberWriteModelToMember(&addedMember.MemberWriteModel), nil
+}
+
+func (r *CommandSide) addProjectMember(ctx context.Context, projectAgg *project.Aggregate, addedMember *ProjectMemberWriteModel, member *domain.Member) error {
+	//TODO: check if roles valid
+
+	if !member.IsValid() {
+		return caos_errs.ThrowPreconditionFailed(nil, "PROJECT-W8m4l", "Errors.Project.MemberInvalid")
+	}
+
+	err := r.eventstore.FilterToQueryReducer(ctx, addedMember)
+	if err != nil {
+		return err
+	}
+	if addedMember.State == domain.MemberStateActive {
+		return errors.ThrowAlreadyExists(nil, "PROJECT-PtXi1", "Errors.Project.Member.AlreadyExists")
+	}
+
+	projectAgg.PushEvents(project.NewMemberAddedEvent(ctx, member.UserID, member.Roles...))
+
+	return nil
+}
+
+//ChangeProjectMember updates an existing member
+func (r *CommandSide) ChangeProjectMember(ctx context.Context, member *domain.Member, resourceOwner string) (*domain.Member, error) {
+	//TODO: check if roles valid
+
+	if !member.IsValid() {
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "PROJECT-LiaZi", "Errors.Project.MemberInvalid")
+	}
+
+	existingMember, err := r.projectMemberWriteModelByID(ctx, member.AggregateID, member.UserID, resourceOwner)
+	if err != nil {
+		return nil, err
+	}
+
+	if reflect.DeepEqual(existingMember.Roles, member.Roles) {
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "PROJECT-LiaZi", "Errors.Project.Member.RolesNotChanged")
+	}
+	projectAgg := ProjectAggregateFromWriteModel(&existingMember.MemberWriteModel.WriteModel)
+	projectAgg.PushEvents(project.NewMemberChangedEvent(ctx, member.UserID, member.Roles...))
+
+	events, err := r.eventstore.PushAggregates(ctx, projectAgg)
+	if err != nil {
+		return nil, err
+	}
+
+	existingMember.AppendEvents(events...)
+	if err = existingMember.Reduce(); err != nil {
+		return nil, err
+	}
+
+	return memberWriteModelToMember(&existingMember.MemberWriteModel), nil
+}
+
+func (r *CommandSide) RemoveProjectMember(ctx context.Context, projectID, userID, resourceOwner string) error {
+	m, err := r.projectMemberWriteModelByID(ctx, projectID, userID, resourceOwner)
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	if errors.IsNotFound(err) {
+		return nil
+	}
+
+	projectAgg := ProjectAggregateFromWriteModel(&m.MemberWriteModel.WriteModel)
+	projectAgg.PushEvents(project.NewMemberRemovedEvent(ctx, userID))
+
+	return r.eventstore.PushAggregate(ctx, m, projectAgg)
+}
+
+func (r *CommandSide) projectMemberWriteModelByID(ctx context.Context, projectID, userID, resourceOwner string) (member *ProjectMemberWriteModel, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	writeModel := NewProjectMemberWriteModel(projectID, userID, resourceOwner)
+	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return nil, err
+	}
+
+	if writeModel.State == domain.MemberStateUnspecified || writeModel.State == domain.MemberStateRemoved {
+		return nil, errors.ThrowNotFound(nil, "PROJECT-D8JxR", "Errors.NotFound")
+	}
+
+	return writeModel, nil
+}
--- a/internal/v2/command/project_member_model.go
+++ b/internal/v2/command/project_member_model.go
@@ -0,0 +1,54 @@
+package command
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/project"
+)
+
+type ProjectMemberWriteModel struct {
+	MemberWriteModel
+}
+
+func NewProjectMemberWriteModel(projectID, userID, resourceOwner string) *ProjectMemberWriteModel {
+	return &ProjectMemberWriteModel{
+		MemberWriteModel{
+			WriteModel: eventstore.WriteModel{
+				AggregateID:   projectID,
+				ResourceOwner: resourceOwner,
+			},
+			UserID: userID,
+		},
+	}
+}
+
+func (wm *ProjectMemberWriteModel) AppendEvents(events ...eventstore.EventReader) {
+	for _, event := range events {
+		switch e := event.(type) {
+		case *project.MemberAddedEvent:
+			if e.UserID != wm.MemberWriteModel.UserID {
+				continue
+			}
+			wm.MemberWriteModel.AppendEvents(&e.MemberAddedEvent)
+		case *project.MemberChangedEvent:
+			if e.UserID != wm.MemberWriteModel.UserID {
+				continue
+			}
+			wm.MemberWriteModel.AppendEvents(&e.MemberChangedEvent)
+		case *project.MemberRemovedEvent:
+			if e.UserID != wm.MemberWriteModel.UserID {
+				continue
+			}
+			wm.MemberWriteModel.AppendEvents(&e.MemberRemovedEvent)
+		}
+	}
+}
+
+func (wm *ProjectMemberWriteModel) Reduce() error {
+	return wm.MemberWriteModel.Reduce()
+}
+
+func (wm *ProjectMemberWriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, project.AggregateType).
+		AggregateIDs(wm.MemberWriteModel.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
+}
--- a/internal/v2/command/project_model.go
+++ b/internal/v2/command/project_model.go
@@ -0,0 +1,60 @@
+package command
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/domain"
+	"github.com/caos/zitadel/internal/v2/repository/project"
+)
+
+type ProjectWriteModel struct {
+	eventstore.WriteModel
+
+	Name                 string
+	ProjectRoleAssertion bool
+	ProjectRoleCheck     bool
+	State                domain.ProjectState
+}
+
+func NewProjectWriteModel(projectID string, resourceOwner string) *ProjectWriteModel {
+	return &ProjectWriteModel{
+		WriteModel: eventstore.WriteModel{
+			AggregateID:   projectID,
+			ResourceOwner: resourceOwner,
+		},
+	}
+}
+
+func (wm *ProjectWriteModel) AppendEvents(events ...eventstore.EventReader) {
+	wm.WriteModel.AppendEvents(events...)
+	for _, event := range events {
+		switch e := event.(type) {
+		case *project.ProjectAddedEvent:
+			wm.WriteModel.AppendEvents(e)
+		}
+	}
+}
+
+func (wm *ProjectWriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *project.ProjectAddedEvent:
+			wm.Name = e.Name
+			wm.State = domain.ProjectStateActive
+			//case *project.ProjectChangedEvent:
+			//	wm.Name = e.Name
+		}
+	}
+	return nil
+}
+
+func (wm *ProjectWriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, project.AggregateType).
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
+}
+
+func ProjectAggregateFromWriteModel(wm *eventstore.WriteModel) *project.Aggregate {
+	return &project.Aggregate{
+		Aggregate: *eventstore.AggregateFromWriteModel(wm, project.AggregateType, project.AggregateVersion),
+	}
+}
--- a/internal/v2/command/setup.go
+++ b/internal/v2/command/setup.go
@@ -22,7 +22,7 @@ const (
 )

 func (r *CommandSide) ExecuteSetupSteps(ctx context.Context, steps []Step) error {
-	iam, err := r.GetIAM(ctx, r.iamID)
+	iam, err := r.GetIAM(ctx)
 	if err != nil && !caos_errs.IsNotFound(err) {
 		return err
 	}
@@ -32,13 +32,13 @@ func (r *CommandSide) ExecuteSetupSteps(ctx context.Context, steps []Step) error
 	}

 	if iam == nil {
-		iam = &domain.IAM{ObjectRoot: models.ObjectRoot{AggregateID: r.iamID}}
+		iam = &domain.IAM{ObjectRoot: models.ObjectRoot{}}
 	}

-	ctx = setSetUpContextData(ctx, r.iamID)
+	ctx = setSetUpContextData(ctx)

 	for _, step := range steps {
-		iam, err = r.StartSetup(ctx, r.iamID, step.Step())
+		iam, err = r.StartSetup(ctx, step.Step())
 		if err != nil {
 			return err
 		}
@@ -51,12 +51,12 @@ func (r *CommandSide) ExecuteSetupSteps(ctx context.Context, steps []Step) error
 	return nil
 }

-func setSetUpContextData(ctx context.Context, orgID string) context.Context {
-	return authz.SetCtxData(ctx, authz.CtxData{UserID: SetupUser, OrgID: orgID})
+func setSetUpContextData(ctx context.Context) context.Context {
+	return authz.SetCtxData(ctx, authz.CtxData{UserID: SetupUser})
 }

-func (r *CommandSide) StartSetup(ctx context.Context, iamID string, step domain.Step) (*domain.IAM, error) {
-	iamWriteModel, err := r.iamByID(ctx, iamID)
+func (r *CommandSide) StartSetup(ctx context.Context, step domain.Step) (*domain.IAM, error) {
+	iamWriteModel, err := r.getIAMWriteModel(ctx)
 	if err != nil && !caos_errs.IsNotFound(err) {
 		return nil, err
 	}
@@ -68,11 +68,12 @@ func (r *CommandSide) StartSetup(ctx context.Context, iamID string, step domain.
 	if err != nil {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-Grgh1", "Setup start failed")
 	}
+	logging.LogWithFields("SETUP-fhh21", "step", step).Info("setup step started")
 	return writeModelToIAM(iamWriteModel), nil
 }

 func (r *CommandSide) setup(ctx context.Context, step Step, iamAggregateProvider func(*IAMWriteModel) (*iam_repo.Aggregate, error)) error {
-	iam, err := r.iamByID(ctx, r.iamID)
+	iam, err := r.getIAMWriteModel(ctx)
 	if err != nil && !caos_errs.IsNotFound(err) {
 		return err
 	}
@@ -89,44 +90,6 @@ func (r *CommandSide) setup(ctx context.Context, step Step, iamAggregateProvider
 	if err != nil {
 		return caos_errs.ThrowPreconditionFailedf(nil, "EVENT-dbG31", "Setup %s failed", step.Step())
 	}
+	logging.LogWithFields("SETUP-Sg1t1", "step", step.Step()).Info("setup step done")
 	return nil
 }
-
-//func (r *CommandSide) setupDone(ctx context.Context, iamAgg *iam_repo.Aggregate, event eventstore.EventPusher, aggregates ...eventstore.Aggregater) error {
-//	aggregate := iamAgg.PushEvents(event)
-//
-//	aggregates = append(aggregates, aggregate)
-//	_, err := r.eventstore.PushAggregates(ctx, aggregates...)
-//	if err != nil {
-//		return caos_errs.ThrowPreconditionFailed(nil, "EVENT-Dgd2", "Setup done failed")
-//	}
-//	return nil
-//}
-
-//
-////TODO: should not use readmodel
-//func (r *CommandSide) setup(ctx context.Context, iamID string, step iam_repo.Step, event eventstore.EventPusher) (*iam_model.IAM, error) {
-//	iam, err := r.iamByID(ctx, iamID)
-//	if err != nil && !caos_errs.IsNotFound(err) {
-//		return nil, err
-//	}
-//
-//	if iam != nil && (iam.SetUpStarted >= iam_repo.Step(step) || iam.SetUpStarted != iam.SetUpDone) {
-//		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-9so34", "setup error")
-//	}
-//
-//	aggregate := query.AggregateFromReadModel(iam).
-//		PushEvents(event)
-//
-//	events, err := r.eventstore.PushAggregates(ctx, aggregate)
-//	if err != nil {
-//		return nil, err
-//	}
-//
-//	if err = iam.AppendAndReduce(events...); err != nil {
-//		return nil, err
-//	}
-//	return nil, nil
-//	//TODO: return write model
-//	//return readModelToIAM(iam), nil
-//}
--- a/internal/v2/command/setup_step1.go
+++ b/internal/v2/command/setup_step1.go
@@ -3,24 +3,36 @@ package command
 import (
 	"context"

+	"github.com/caos/logging"
+
 	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/v2/domain"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
+	"github.com/caos/zitadel/internal/v2/repository/project"
+)
+
+const (
+	OIDCResponseTypeCode           = "CODE"
+	OIDCResponseTypeIDToken        = "ID_TOKEN"
+	OIDCResponseTypeToken          = "ID_TOKEN TOKEN"
+	OIDCGrantTypeAuthorizationCode = "AUTHORIZATION_CODE"
+	OIDCGrantTypeImplicit          = "IMPLICIT"
+	OIDCGrantTypeRefreshToken      = "REFRESH_TOKEN"
+	OIDCApplicationTypeNative      = "NATIVE"
+	OIDCApplicationTypeUserAgent   = "USER_AGENT"
+	OIDCApplicationTypeWeb         = "WEB"
+	OIDCAuthMethodTypeNone         = "NONE"
+	OIDCAuthMethodTypeBasic        = "BASIC"
+	OIDCAuthMethodTypePost         = "POST"
 )

 type Step1 struct {
 	GlobalOrg          string
 	IAMProject         string
-	DefaultLoginPolicy LoginPolicy //*iam_model.LoginPolicy
+	DefaultLoginPolicy LoginPolicy
 	Orgs               []Org
-	Owners             []string
-
-	//setup              *Setup
-	//createdUsers       map[string]*usr_model.User
-	//createdOrgs        map[string]*org_model.Org
-	//createdProjects    map[string]*proj_model.Project
-	//pwComplexityPolicy *iam_model.PasswordComplexityPolicyView
 }

 func (s *Step1) Step() domain.Step {
@@ -28,7 +40,7 @@ func (s *Step1) Step() domain.Step {
 }

 func (s *Step1) execute(ctx context.Context, commandSide *CommandSide) error {
-	return commandSide.SetupStep1(ctx, commandSide.iamID, s)
+	return commandSide.SetupStep1(ctx, s)
 }

 type LoginPolicy struct {
@@ -71,10 +83,11 @@ type OIDCApp struct {
 	DevMode                bool
 }

-func (r *CommandSide) SetupStep1(ctx context.Context, iamID string, step1 *Step1) error {
-	iamAgg := iam_repo.NewAggregate(r.iamID, "", 0)
+func (r *CommandSide) SetupStep1(ctx context.Context, step1 *Step1) error {
+	iamWriteModel := NewIAMWriteModel()
+	iamAgg := IAMAggregateFromWriteModel(&iamWriteModel.WriteModel)
 	//create default login policy
-	err := r.addDefaultLoginPolicy(ctx, iamAgg, NewIAMLoginPolicyWriteModel(iamAgg.ID()),
+	err := r.addDefaultLoginPolicy(ctx, iamAgg, NewIAMLoginPolicyWriteModel(),
 		&domain.LoginPolicy{
 			AllowUsernamePassword: step1.DefaultLoginPolicy.AllowUsernamePassword,
 			AllowRegister:         step1.DefaultLoginPolicy.AllowRegister,
@@ -83,6 +96,7 @@ func (r *CommandSide) SetupStep1(ctx context.Context, iamID string, step1 *Step1
 	if err != nil {
 		return err
 	}
+	logging.Log("SETUP-sd2hj").Info("default login policy set up")
 	//create orgs
 	aggregates := make([]eventstore.Aggregater, 0)
 	for _, organisation := range step1.Orgs {
@@ -110,6 +124,8 @@ func (r *CommandSide) SetupStep1(ctx context.Context, iamID string, step1 *Step1
 		if err != nil {
 			return err
 		}
+		logging.LogWithFields("SETUP-Gdsfg", "id", orgAgg.ID(), "name", organisation.Name).Info("org set up")
+
 		if organisation.OrgIamPolicy {
 			err = r.addOrgIAMPolicy(ctx, orgAgg, NewORGOrgIAMPolicyWriteModel(orgAgg.ID()), &domain.OrgIAMPolicy{UserLoginMustBeDomain: false})
 			if err != nil {
@@ -117,24 +133,43 @@ func (r *CommandSide) SetupStep1(ctx context.Context, iamID string, step1 *Step1
 			}
 		}
 		aggregates = append(aggregates, orgAgg, userAgg, orgMemberAgg)
+		if organisation.Name == step1.GlobalOrg {
+			err = r.setGlobalOrg(ctx, iamAgg, iamWriteModel, orgAgg.ID())
+			if err != nil {
+				return err
+			}
+			logging.Log("SETUP-BDn52").Info("global org set")
+		}
 		//projects
-		//create applications
+		for _, proj := range organisation.Projects {
+			project := &domain.Project{Name: proj.Name}
+			projectAgg, _, err := r.addProject(ctx, project, orgAgg.ID(), userAgg.ID())
+			if err != nil {
+				return err
+			}
+			if project.Name == step1.IAMProject {
+				err = r.setIAMProject(ctx, iamAgg, iamWriteModel, projectAgg.ID())
+				if err != nil {
+					return err
+				}
+				logging.Log("SETUP-Bdfs1").Info("IAM project set")
+				err = r.addIAMMember(ctx, iamAgg, NewIAMMemberWriteModel(userAgg.ID()), domain.NewMember(iamAgg.ID(), userAgg.ID(), domain.RoleIAMOwner))
+				if err != nil {
+					return err
+				}
+				logging.Log("SETUP-BSf2h").Info("IAM owner set")
+			}
+			//create applications
+			for _, app := range proj.OIDCApps {
+				err = setUpApplication(ctx, r, projectAgg, project, app)
+				if err != nil {
+					return err
+				}
+			}
+			aggregates = append(aggregates, projectAgg)
+		}
 	}

-	//set iam owners
-	//set global org
-	//set iam project id
-
-	/*aggregates:
-	  iam:
-	  	default login policy
-	  	iam owner
-	  org:
-	  	default
-	  	caos
-	  		zitadel
-
-	*/
 	iamAgg.PushEvents(iam_repo.NewSetupStepDoneEvent(ctx, domain.Step1))

 	_, err = r.eventstore.PushAggregates(ctx, append(aggregates, iamAgg)...)
@@ -143,3 +178,91 @@ func (r *CommandSide) SetupStep1(ctx context.Context, iamID string, step1 *Step1
 	}
 	return nil
 }
+
+func setUpApplication(ctx context.Context, r *CommandSide, projectAgg *project.Aggregate, project *domain.Project, oidcApp OIDCApp) error {
+	app := &domain.Application{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: projectAgg.ID(),
+		},
+		Name: oidcApp.Name,
+		Type: domain.AppTypeOIDC,
+		OIDCConfig: &domain.OIDCConfig{
+			RedirectUris:    oidcApp.RedirectUris,
+			ResponseTypes:   getOIDCResponseTypes(oidcApp.ResponseTypes),
+			GrantTypes:      getOIDCGrantTypes(oidcApp.GrantTypes),
+			ApplicationType: getOIDCApplicationType(oidcApp.ApplicationType),
+			AuthMethodType:  getOIDCAuthMethod(oidcApp.AuthMethodType),
+			DevMode:         oidcApp.DevMode,
+		},
+	}
+	err := r.addApplication(ctx, projectAgg, project, app)
+	if err != nil {
+		return err
+	}
+	logging.LogWithFields("SETUP-Edgw4", "name", app.Name, "clientID", app.OIDCConfig.ClientID).Info("application set up")
+	return nil
+}
+
+func getOIDCResponseTypes(responseTypes []string) []domain.OIDCResponseType {
+	types := make([]domain.OIDCResponseType, len(responseTypes))
+	for i, t := range responseTypes {
+		types[i] = getOIDCResponseType(t)
+	}
+	return types
+}
+
+func getOIDCResponseType(responseType string) domain.OIDCResponseType {
+	switch responseType {
+	case OIDCResponseTypeCode:
+		return domain.OIDCResponseTypeCode
+	case OIDCResponseTypeIDToken:
+		return domain.OIDCResponseTypeIDToken
+	case OIDCResponseTypeToken:
+		return domain.OIDCResponseTypeIDTokenToken
+	}
+	return domain.OIDCResponseTypeCode
+}
+
+func getOIDCGrantTypes(grantTypes []string) []domain.OIDCGrantType {
+	types := make([]domain.OIDCGrantType, len(grantTypes))
+	for i, t := range grantTypes {
+		types[i] = getOIDCGrantType(t)
+	}
+	return types
+}
+
+func getOIDCGrantType(grantTypes string) domain.OIDCGrantType {
+	switch grantTypes {
+	case OIDCGrantTypeAuthorizationCode:
+		return domain.OIDCGrantTypeAuthorizationCode
+	case OIDCGrantTypeImplicit:
+		return domain.OIDCGrantTypeImplicit
+	case OIDCGrantTypeRefreshToken:
+		return domain.OIDCGrantTypeRefreshToken
+	}
+	return domain.OIDCGrantTypeAuthorizationCode
+}
+
+func getOIDCApplicationType(appType string) domain.OIDCApplicationType {
+	switch appType {
+	case OIDCApplicationTypeNative:
+		return domain.OIDCApplicationTypeNative
+	case OIDCApplicationTypeUserAgent:
+		return domain.OIDCApplicationTypeUserAgent
+	case OIDCApplicationTypeWeb:
+		return domain.OIDCApplicationTypeWeb
+	}
+	return domain.OIDCApplicationTypeWeb
+}
+
+func getOIDCAuthMethod(authMethod string) domain.OIDCAuthMethodType {
+	switch authMethod {
+	case OIDCAuthMethodTypeNone:
+		return domain.OIDCAuthMethodTypeNone
+	case OIDCAuthMethodTypeBasic:
+		return domain.OIDCAuthMethodTypeBasic
+	case OIDCAuthMethodTypePost:
+		return domain.OIDCAuthMethodTypePost
+	}
+	return domain.OIDCAuthMethodTypeBasic
+}
--- a/internal/v2/command/setup_step2.go
+++ b/internal/v2/command/setup_step2.go
@@ -3,6 +3,8 @@ package command
 import (
 	"context"

+	"github.com/caos/logging"
+
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/v2/domain"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
@@ -23,7 +25,7 @@ func (s *Step2) execute(ctx context.Context, commandSide *CommandSide) error {
 func (r *CommandSide) SetupStep2(ctx context.Context, step *Step2) error {
 	fn := func(iam *IAMWriteModel) (*iam_repo.Aggregate, error) {
 		iamAgg := IAMAggregateFromWriteModel(&iam.WriteModel)
-		err := r.addDefaultPasswordComplexityPolicy(ctx, iamAgg, NewIAMPasswordComplexityPolicyWriteModel(iam.AggregateID), &domain.PasswordComplexityPolicy{
+		err := r.addDefaultPasswordComplexityPolicy(ctx, iamAgg, NewIAMPasswordComplexityPolicyWriteModel(), &domain.PasswordComplexityPolicy{
 			MinLength:    step.DefaultPasswordComplexityPolicy.MinLength,
 			HasLowercase: step.DefaultPasswordComplexityPolicy.HasLowercase,
 			HasUppercase: step.DefaultPasswordComplexityPolicy.HasUppercase,
@@ -33,7 +35,8 @@ func (r *CommandSide) SetupStep2(ctx context.Context, step *Step2) error {
 		if err != nil {
 			return nil, err
 		}
-		return iamAgg, err
+		logging.Log("SETUP-ADgd2").Info("default password complexity policy set up")
+		return iamAgg, nil
 	}
 	return r.setup(ctx, step, fn)
 }
--- a/internal/v2/command/setup_step3.go
+++ b/internal/v2/command/setup_step3.go
@@ -3,6 +3,8 @@ package command
 import (
 	"context"

+	"github.com/caos/logging"
+
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/v2/domain"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
@@ -23,13 +25,14 @@ func (s *Step3) execute(ctx context.Context, commandSide *CommandSide) error {
 func (r *CommandSide) SetupStep3(ctx context.Context, step *Step3) error {
 	fn := func(iam *IAMWriteModel) (*iam_repo.Aggregate, error) {
 		iamAgg := IAMAggregateFromWriteModel(&iam.WriteModel)
-		err := r.addDefaultPasswordAgePolicy(ctx, iamAgg, NewIAMPasswordAgePolicyWriteModel(iam.AggregateID), &domain.PasswordAgePolicy{
+		err := r.addDefaultPasswordAgePolicy(ctx, iamAgg, NewIAMPasswordAgePolicyWriteModel(), &domain.PasswordAgePolicy{
 			MaxAgeDays:     step.DefaultPasswordAgePolicy.MaxAgeDays,
 			ExpireWarnDays: step.DefaultPasswordAgePolicy.ExpireWarnDays,
 		})
 		if err != nil {
 			return nil, err
 		}
+		logging.Log("SETUP-DBqgq").Info("default password age policy set up")
 		return iamAgg, nil
 	}
 	return r.setup(ctx, step, fn)
--- a/internal/v2/command/setup_step4.go
+++ b/internal/v2/command/setup_step4.go
@@ -3,6 +3,8 @@ package command
 import (
 	"context"

+	"github.com/caos/logging"
+
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/v2/domain"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
@@ -23,13 +25,14 @@ func (s *Step4) execute(ctx context.Context, commandSide *CommandSide) error {
 func (r *CommandSide) SetupStep4(ctx context.Context, step *Step4) error {
 	fn := func(iam *IAMWriteModel) (*iam_repo.Aggregate, error) {
 		iamAgg := IAMAggregateFromWriteModel(&iam.WriteModel)
-		err := r.addDefaultPasswordLockoutPolicy(ctx, iamAgg, NewIAMPasswordLockoutPolicyWriteModel(iam.AggregateID), &domain.PasswordLockoutPolicy{
+		err := r.addDefaultPasswordLockoutPolicy(ctx, iamAgg, NewIAMPasswordLockoutPolicyWriteModel(), &domain.PasswordLockoutPolicy{
 			MaxAttempts:         step.DefaultPasswordLockoutPolicy.MaxAttempts,
 			ShowLockOutFailures: step.DefaultPasswordLockoutPolicy.ShowLockOutFailures,
 		})
 		if err != nil {
 			return nil, err
 		}
+		logging.Log("SETUP-Bfnge").Info("default password lockout policy set up")
 		return iamAgg, nil
 	}
 	return r.setup(ctx, step, fn)
--- a/internal/v2/command/setup_step5.go
+++ b/internal/v2/command/setup_step5.go
@@ -3,6 +3,8 @@ package command
 import (
 	"context"

+	"github.com/caos/logging"
+
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/v2/domain"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
@@ -23,12 +25,13 @@ func (s *Step5) execute(ctx context.Context, commandSide *CommandSide) error {
 func (r *CommandSide) SetupStep5(ctx context.Context, step *Step5) error {
 	fn := func(iam *IAMWriteModel) (*iam_repo.Aggregate, error) {
 		iamAgg := IAMAggregateFromWriteModel(&iam.WriteModel)
-		err := r.addDefaultOrgIAMPolicy(ctx, iamAgg, NewIAMOrgIAMPolicyWriteModel(iam.AggregateID), &domain.OrgIAMPolicy{
+		err := r.addDefaultOrgIAMPolicy(ctx, iamAgg, NewIAMOrgIAMPolicyWriteModel(), &domain.OrgIAMPolicy{
 			UserLoginMustBeDomain: step.DefaultOrgIAMPolicy.UserLoginMustBeDomain,
 		})
 		if err != nil {
 			return nil, err
 		}
+		logging.Log("SETUP-ADgd2").Info("default org iam policy set up")
 		return iamAgg, nil
 	}
 	return r.setup(ctx, step, fn)
--- a/internal/v2/command/setup_step6.go
+++ b/internal/v2/command/setup_step6.go
@@ -3,6 +3,8 @@ package command
 import (
 	"context"

+	"github.com/caos/logging"
+
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/v2/domain"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
@@ -23,13 +25,14 @@ func (s *Step6) execute(ctx context.Context, commandSide *CommandSide) error {
 func (r *CommandSide) SetupStep6(ctx context.Context, step *Step6) error {
 	fn := func(iam *IAMWriteModel) (*iam_repo.Aggregate, error) {
 		iamAgg := IAMAggregateFromWriteModel(&iam.WriteModel)
-		err := r.addDefaultLabelPolicy(ctx, iamAgg, NewIAMLabelPolicyWriteModel(iam.AggregateID), &domain.LabelPolicy{
+		err := r.addDefaultLabelPolicy(ctx, iamAgg, NewIAMLabelPolicyWriteModel(), &domain.LabelPolicy{
 			PrimaryColor:   step.DefaultLabelPolicy.PrimaryColor,
 			SecondaryColor: step.DefaultLabelPolicy.SecondaryColor,
 		})
 		if err != nil {
 			return nil, err
 		}
+		logging.Log("SETUP-ADgd2").Info("default label policy set up")
 		return iamAgg, nil
 	}
 	return r.setup(ctx, step, fn)
--- a/internal/v2/command/setup_step7.go
+++ b/internal/v2/command/setup_step7.go
@@ -3,6 +3,8 @@ package command
 import (
 	"context"

+	"github.com/caos/logging"
+
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/v2/domain"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
@@ -22,7 +24,7 @@ func (s *Step7) execute(ctx context.Context, commandSide *CommandSide) error {

 func (r *CommandSide) SetupStep7(ctx context.Context, step *Step7) error {
 	fn := func(iam *IAMWriteModel) (*iam_repo.Aggregate, error) {
-		secondFactorModel := NewIAMSecondFactorWriteModel(iam.AggregateID)
+		secondFactorModel := NewIAMSecondFactorWriteModel()
 		iamAgg := IAMAggregateFromWriteModel(&secondFactorModel.SecondFactorWriteModel.WriteModel)
 		if !step.OTP {
 			return iamAgg, nil
@@ -31,6 +33,7 @@ func (r *CommandSide) SetupStep7(ctx context.Context, step *Step7) error {
 		if err != nil {
 			return nil, err
 		}
+		logging.Log("SETUP-Dggsg").Info("added OTP to 2FA login policy")
 		return iamAgg, nil
 	}
 	return r.setup(ctx, step, fn)
--- a/internal/v2/command/setup_step8.go
+++ b/internal/v2/command/setup_step8.go
@@ -3,6 +3,8 @@ package command
 import (
 	"context"

+	"github.com/caos/logging"
+
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/v2/domain"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
@@ -22,7 +24,7 @@ func (s *Step8) execute(ctx context.Context, commandSide *CommandSide) error {

 func (r *CommandSide) SetupStep8(ctx context.Context, step *Step8) error {
 	fn := func(iam *IAMWriteModel) (*iam_repo.Aggregate, error) {
-		secondFactorModel := NewIAMSecondFactorWriteModel(iam.AggregateID)
+		secondFactorModel := NewIAMSecondFactorWriteModel()
 		iamAgg := IAMAggregateFromWriteModel(&secondFactorModel.SecondFactorWriteModel.WriteModel)
 		if !step.U2F {
 			return iamAgg, nil
@@ -31,6 +33,7 @@ func (r *CommandSide) SetupStep8(ctx context.Context, step *Step8) error {
 		if err != nil {
 			return nil, err
 		}
+		logging.Log("SETUP-BDhne").Info("added U2F to 2FA login policy")
 		return iamAgg, nil
 	}
 	return r.setup(ctx, step, fn)
--- a/internal/v2/command/setup_step9.go
+++ b/internal/v2/command/setup_step9.go
@@ -3,6 +3,8 @@ package command
 import (
 	"context"

+	"github.com/caos/logging"
+
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/v2/domain"
 	iam_repo "github.com/caos/zitadel/internal/v2/repository/iam"
@@ -22,7 +24,7 @@ func (s *Step9) execute(ctx context.Context, commandSide *CommandSide) error {

 func (r *CommandSide) SetupStep9(ctx context.Context, step *Step9) error {
 	fn := func(iam *IAMWriteModel) (*iam_repo.Aggregate, error) {
-		multiFactorModel := NewIAMMultiFactorWriteModel(iam.AggregateID)
+		multiFactorModel := NewIAMMultiFactorWriteModel()
 		iamAgg := IAMAggregateFromWriteModel(&multiFactorModel.MultiFactoryWriteModel.WriteModel)
 		if !step.Passwordless {
 			return iamAgg, nil
@@ -31,10 +33,12 @@ func (r *CommandSide) SetupStep9(ctx context.Context, step *Step9) error {
 		if err != nil {
 			return nil, err
 		}
+		logging.Log("SETUP-AEG2t").Info("allowed passwordless in login policy")
 		err = r.addMultiFactorToDefaultLoginPolicy(ctx, iamAgg, multiFactorModel, iam_model.MultiFactorTypeU2FWithPIN)
 		if err != nil {
 			return nil, err
 		}
+		logging.Log("SETUP-ADfng").Info("added passwordless to MFA login policy")
 		return iamAgg, err
 	}
 	return r.setup(ctx, step, fn)
@@ -46,5 +50,5 @@ func setPasswordlessAllowedInPolicy(ctx context.Context, c *CommandSide, iamAgg
 		return err
 	}
 	policy.PasswordlessType = domain.PasswordlessTypeAllowed
-	return c.changeDefaultLoginPolicy(ctx, iamAgg, NewIAMLoginPolicyWriteModel(iamAgg.ID()), policy)
+	return c.changeDefaultLoginPolicy(ctx, iamAgg, NewIAMLoginPolicyWriteModel(), policy)
 }
--- a/internal/v2/command/user.go
+++ b/internal/v2/command/user.go
@@ -2,6 +2,7 @@ package command

 import (
 	"context"
+
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
 	"github.com/caos/zitadel/internal/v2/domain"
@@ -48,7 +49,7 @@ func (r *CommandSide) ChangeUsername(ctx context.Context, orgID, userID, userNam
 	if orgID == "" || userID == "" || userName == "" {
 		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2N9fs", "Errors.IDMissing")
 	}
-	existingUser, err := r.userWriteModelByID(ctx, userID)
+	existingUser, err := r.userWriteModelByID(ctx, userID, orgID)
 	if err != nil {
 		return err
 	}
@@ -74,11 +75,11 @@ func (r *CommandSide) ChangeUsername(ctx context.Context, orgID, userID, userNam
 	return r.eventstore.PushAggregate(ctx, existingUser, userAgg)
 }

-func (r *CommandSide) DeactivateUser(ctx context.Context, userID string) (*domain.User, error) {
+func (r *CommandSide) DeactivateUser(ctx context.Context, userID, resourceOwner string) (*domain.User, error) {
 	if userID == "" {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-m0gDf", "Errors.User.UserIDMissing")
 	}
-	existingUser, err := r.userWriteModelByID(ctx, userID)
+	existingUser, err := r.userWriteModelByID(ctx, userID, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
@@ -98,11 +99,11 @@ func (r *CommandSide) DeactivateUser(ctx context.Context, userID string) (*domai
 	return writeModelToUser(existingUser), nil
 }

-func (r *CommandSide) ReactivateUser(ctx context.Context, userID string) (*domain.User, error) {
+func (r *CommandSide) ReactivateUser(ctx context.Context, userID, resourceOwner string) (*domain.User, error) {
 	if userID == "" {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4M9ds", "Errors.User.UserIDMissing")
 	}
-	existingUser, err := r.userWriteModelByID(ctx, userID)
+	existingUser, err := r.userWriteModelByID(ctx, userID, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
@@ -122,11 +123,11 @@ func (r *CommandSide) ReactivateUser(ctx context.Context, userID string) (*domai
 	return writeModelToUser(existingUser), nil
 }

-func (r *CommandSide) LockUser(ctx context.Context, userID string) (*domain.User, error) {
+func (r *CommandSide) LockUser(ctx context.Context, userID, resourceOwner string) (*domain.User, error) {
 	if userID == "" {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2M0sd", "Errors.User.UserIDMissing")
 	}
-	existingUser, err := r.userWriteModelByID(ctx, userID)
+	existingUser, err := r.userWriteModelByID(ctx, userID, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
@@ -146,11 +147,11 @@ func (r *CommandSide) LockUser(ctx context.Context, userID string) (*domain.User
 	return writeModelToUser(existingUser), nil
 }

-func (r *CommandSide) UnlockUser(ctx context.Context, userID string) (*domain.User, error) {
+func (r *CommandSide) UnlockUser(ctx context.Context, userID, resourceOwner string) (*domain.User, error) {
 	if userID == "" {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-M0dse", "Errors.User.UserIDMissing")
 	}
-	existingUser, err := r.userWriteModelByID(ctx, userID)
+	existingUser, err := r.userWriteModelByID(ctx, userID, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
@@ -170,11 +171,11 @@ func (r *CommandSide) UnlockUser(ctx context.Context, userID string) (*domain.Us
 	return writeModelToUser(existingUser), nil
 }

-func (r *CommandSide) RemoveUser(ctx context.Context, userID string) error {
+func (r *CommandSide) RemoveUser(ctx context.Context, userID, resourceOwner string) error {
 	if userID == "" {
 		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2M0ds", "Errors.User.UserIDMissing")
 	}
-	existingUser, err := r.userWriteModelByID(ctx, userID)
+	existingUser, err := r.userWriteModelByID(ctx, userID, resourceOwner)
 	if err != nil {
 		return err
 	}
@@ -189,11 +190,11 @@ func (r *CommandSide) RemoveUser(ctx context.Context, userID string) error {
 	return r.eventstore.PushAggregate(ctx, existingUser, userAgg)
 }

-func (r *CommandSide) userWriteModelByID(ctx context.Context, userID string) (writeModel *UserWriteModel, err error) {
+func (r *CommandSide) userWriteModelByID(ctx context.Context, userID, resourceOwner string) (writeModel *UserWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel = NewUserWriteModel(userID)
+	writeModel = NewUserWriteModel(userID, resourceOwner)
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/user_human.go
+++ b/internal/v2/command/user_human.go
@@ -39,7 +39,7 @@ func (r *CommandSide) addHuman(ctx context.Context, orgID, username string, huma
 		return nil, nil, err
 	}

-	addedHuman := NewHumanWriteModel(human.AggregateID)
+	addedHuman := NewHumanWriteModel(human.AggregateID, orgID)
 	//TODO: Check Unique Username
 	if err := human.CheckOrgIAMPolicy(username, orgIAMPolicy); err != nil {
 		return nil, nil, err
@@ -118,7 +118,7 @@ func (r *CommandSide) RegisterHuman(ctx context.Context, orgID, username string,
 		return nil, err
 	}

-	addedHuman := NewHumanWriteModel(human.AggregateID)
+	addedHuman := NewHumanWriteModel(human.AggregateID, orgID)
 	//TODO: Check Unique Username or unique external idp
 	if err := human.CheckOrgIAMPolicy(username, orgIAMPolicy); err != nil {
 		return nil, err
@@ -185,12 +185,12 @@ func (r *CommandSide) RegisterHuman(ctx context.Context, orgID, username string,
 	return writeModelToHuman(addedHuman), nil
 }

-func (r *CommandSide) ResendInitialMail(ctx context.Context, userID, email string) (err error) {
+func (r *CommandSide) ResendInitialMail(ctx context.Context, userID, email, resourceOwner string) (err error) {
 	if userID == "" {
 		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2M9fs", "Errors.User.UserIDMissing")
 	}

-	existingEmail, err := r.emailWriteModel(ctx, userID)
+	existingEmail, err := r.emailWriteModel(ctx, userID, resourceOwner)
 	if err != nil {
 		return err
 	}
--- a/internal/v2/command/user_human_address.go
+++ b/internal/v2/command/user_human_address.go
@@ -8,7 +8,7 @@ import (
 )

 func (r *CommandSide) ChangeHumanAddress(ctx context.Context, address *domain.Address) (*domain.Address, error) {
-	existingAddress, err := r.addressWriteModel(ctx, address.AggregateID)
+	existingAddress, err := r.addressWriteModel(ctx, address.AggregateID, address.ResourceOwner)
 	if err != nil {
 		return nil, err
 	}
@@ -30,11 +30,11 @@ func (r *CommandSide) ChangeHumanAddress(ctx context.Context, address *domain.Ad
 	return writeModelToAddress(existingAddress), nil
 }

-func (r *CommandSide) addressWriteModel(ctx context.Context, userID string) (writeModel *HumanAddressWriteModel, err error) {
+func (r *CommandSide) addressWriteModel(ctx context.Context, userID, resourceOwner string) (writeModel *HumanAddressWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel = NewHumanAddressWriteModel(userID)
+	writeModel = NewHumanAddressWriteModel(userID, resourceOwner)
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/user_human_address_model.go
+++ b/internal/v2/command/user_human_address_model.go
@@ -2,6 +2,7 @@ package command

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/user"
@@ -19,10 +20,11 @@ type HumanAddressWriteModel struct {
 	State domain.AddressState
 }

-func NewHumanAddressWriteModel(userID string) *HumanAddressWriteModel {
+func NewHumanAddressWriteModel(userID, resourceOwner string) *HumanAddressWriteModel {
 	return &HumanAddressWriteModel{
 		WriteModel: eventstore.WriteModel{
-			AggregateID: userID,
+			AggregateID:   userID,
+			ResourceOwner: resourceOwner,
 		},
 	}
 }
@@ -82,7 +84,8 @@ func (wm *HumanAddressWriteModel) Reduce() error {

 func (wm *HumanAddressWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, user.AggregateType).
-		AggregateIDs(wm.AggregateID)
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 func (wm *HumanAddressWriteModel) NewChangedEvent(
--- a/internal/v2/command/user_human_email.go
+++ b/internal/v2/command/user_human_email.go
@@ -13,7 +13,7 @@ func (r *CommandSide) ChangeHumanEmail(ctx context.Context, email *domain.Email)
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4M9sf", "Errors.Email.Invalid")
 	}

-	existingEmail, err := r.emailWriteModel(ctx, email.AggregateID)
+	existingEmail, err := r.emailWriteModel(ctx, email.AggregateID, email.ResourceOwner)
 	if err != nil {
 		return nil, err
 	}
@@ -45,12 +45,12 @@ func (r *CommandSide) ChangeHumanEmail(ctx context.Context, email *domain.Email)
 	return writeModelToEmail(existingEmail), nil
 }

-func (r *CommandSide) CreateHumanEmailVerificationCode(ctx context.Context, userID string) error {
+func (r *CommandSide) CreateHumanEmailVerificationCode(ctx context.Context, userID, resourceOwner string) error {
 	if userID == "" {
 		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4M0ds", "Errors.User.UserIDMissing")
 	}

-	existingEmail, err := r.emailWriteModel(ctx, userID)
+	existingEmail, err := r.emailWriteModel(ctx, userID, resourceOwner)
 	if err != nil {
 		return err
 	}
@@ -73,11 +73,11 @@ func (r *CommandSide) CreateHumanEmailVerificationCode(ctx context.Context, user
 	return r.eventstore.PushAggregate(ctx, existingEmail, userAgg)
 }

-func (r *CommandSide) emailWriteModel(ctx context.Context, userID string) (writeModel *HumanEmailWriteModel, err error) {
+func (r *CommandSide) emailWriteModel(ctx context.Context, userID, resourceOwner string) (writeModel *HumanEmailWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel = NewHumanEmailWriteModel(userID)
+	writeModel = NewHumanEmailWriteModel(userID, resourceOwner)
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/user_human_email_model.go
+++ b/internal/v2/command/user_human_email_model.go
@@ -2,6 +2,7 @@ package command

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/user"
@@ -16,10 +17,11 @@ type HumanEmailWriteModel struct {
 	UserState domain.UserState
 }

-func NewHumanEmailWriteModel(userID string) *HumanEmailWriteModel {
+func NewHumanEmailWriteModel(userID, resourceOwner string) *HumanEmailWriteModel {
 	return &HumanEmailWriteModel{
 		WriteModel: eventstore.WriteModel{
-			AggregateID: userID,
+			AggregateID:   userID,
+			ResourceOwner: resourceOwner,
 		},
 	}
 }
@@ -65,7 +67,8 @@ func (wm *HumanEmailWriteModel) Reduce() error {

 func (wm *HumanEmailWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, user.AggregateType).
-		AggregateIDs(wm.AggregateID)
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 func (wm *HumanEmailWriteModel) NewChangedEvent(
--- a/internal/v2/command/user_human_externalidp.go
+++ b/internal/v2/command/user_human_externalidp.go
@@ -17,7 +17,7 @@ func (r *CommandSide) removeHumanExternalIDP(ctx context.Context, externalIDP *d
 		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-3M9ds", "Errors.IDMissing")
 	}

-	existingExternalIDP, err := r.externalIDPWriteModelByID(ctx, externalIDP.AggregateID, externalIDP.IDPConfigID, externalIDP.ExternalUserID)
+	existingExternalIDP, err := r.externalIDPWriteModelByID(ctx, externalIDP.AggregateID, externalIDP.IDPConfigID, externalIDP.ExternalUserID, externalIDP.ResourceOwner)
 	if err != nil {
 		return err
 	}
@@ -39,11 +39,11 @@ func (r *CommandSide) removeHumanExternalIDP(ctx context.Context, externalIDP *d
 	return r.eventstore.PushAggregate(ctx, existingExternalIDP, userAgg)
 }

-func (r *CommandSide) externalIDPWriteModelByID(ctx context.Context, userID, idpConfigID, externalUserID string) (writeModel *HumanExternalIDPWriteModel, err error) {
+func (r *CommandSide) externalIDPWriteModelByID(ctx context.Context, userID, idpConfigID, externalUserID, resourceOwner string) (writeModel *HumanExternalIDPWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel = NewHumanExternalIDPWriteModel(userID, idpConfigID, externalUserID)
+	writeModel = NewHumanExternalIDPWriteModel(userID, idpConfigID, externalUserID, resourceOwner)
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/user_human_externalidp_model.go
+++ b/internal/v2/command/user_human_externalidp_model.go
@@ -16,10 +16,11 @@ type HumanExternalIDPWriteModel struct {
 	State domain.ExternalIDPState
 }

-func NewHumanExternalIDPWriteModel(userID, idpConfigID, externalUserID string) *HumanExternalIDPWriteModel {
+func NewHumanExternalIDPWriteModel(userID, idpConfigID, externalUserID, resourceOwner string) *HumanExternalIDPWriteModel {
 	return &HumanExternalIDPWriteModel{
 		WriteModel: eventstore.WriteModel{
-			AggregateID: userID,
+			AggregateID:   userID,
+			ResourceOwner: resourceOwner,
 		},
 		IDPConfigID:    idpConfigID,
 		ExternalUserID: externalUserID,
@@ -68,5 +69,6 @@ func (wm *HumanExternalIDPWriteModel) Reduce() error {

 func (wm *HumanExternalIDPWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, user.AggregateType).
-		AggregateIDs(wm.AggregateID)
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }
--- a/internal/v2/command/user_human_model.go
+++ b/internal/v2/command/user_human_model.go
@@ -38,10 +38,11 @@ type HumanWriteModel struct {
 	UserState domain.UserState
 }

-func NewHumanWriteModel(userID string) *HumanWriteModel {
+func NewHumanWriteModel(userID, resourceOwner string) *HumanWriteModel {
 	return &HumanWriteModel{
 		WriteModel: eventstore.WriteModel{
-			AggregateID: userID,
+			AggregateID:   userID,
+			ResourceOwner: resourceOwner,
 		},
 	}
 }
@@ -115,7 +116,8 @@ func (wm *HumanWriteModel) Reduce() error {

 func (wm *HumanWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, user.AggregateType).
-		AggregateIDs(wm.AggregateID)
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 func (wm *HumanWriteModel) reduceHumanAddedEvent(e *user.HumanAddedEvent) {
--- a/internal/v2/command/user_human_otp.go
+++ b/internal/v2/command/user_human_otp.go
@@ -8,12 +8,12 @@ import (
 	"github.com/caos/zitadel/internal/v2/repository/user"
 )

-func (r *CommandSide) RemoveHumanOTP(ctx context.Context, userID string) error {
+func (r *CommandSide) RemoveHumanOTP(ctx context.Context, userID, resourceOwner string) error {
 	if userID == "" {
 		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-5M0sd", "Errors.User.UserIDMissing")
 	}

-	existingOTP, err := r.otpWriteModelByID(ctx, userID)
+	existingOTP, err := r.otpWriteModelByID(ctx, userID, resourceOwner)
 	if err != nil {
 		return err
 	}
@@ -28,11 +28,11 @@ func (r *CommandSide) RemoveHumanOTP(ctx context.Context, userID string) error {
 	return r.eventstore.PushAggregate(ctx, existingOTP, userAgg)
 }

-func (r *CommandSide) otpWriteModelByID(ctx context.Context, userID string) (writeModel *HumanOTPWriteModel, err error) {
+func (r *CommandSide) otpWriteModelByID(ctx context.Context, userID, resourceOwner string) (writeModel *HumanOTPWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel = NewHumanOTPWriteModel(userID)
+	writeModel = NewHumanOTPWriteModel(userID, resourceOwner)
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/user_human_otp_model.go
+++ b/internal/v2/command/user_human_otp_model.go
@@ -15,10 +15,11 @@ type HumanOTPWriteModel struct {
 	State domain.OTPState
 }

-func NewHumanOTPWriteModel(userID string) *HumanOTPWriteModel {
+func NewHumanOTPWriteModel(userID, resourceOwner string) *HumanOTPWriteModel {
 	return &HumanOTPWriteModel{
 		WriteModel: eventstore.WriteModel{
-			AggregateID: userID,
+			AggregateID:   userID,
+			ResourceOwner: resourceOwner,
 		},
 	}
 }
@@ -53,5 +54,6 @@ func (wm *HumanOTPWriteModel) Reduce() error {

 func (wm *HumanOTPWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, user.AggregateType).
-		AggregateIDs(wm.AggregateID)
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }
--- a/internal/v2/command/user_human_password.go
+++ b/internal/v2/command/user_human_password.go
@@ -13,7 +13,7 @@ func (r *CommandSide) SetOneTimePassword(ctx context.Context, orgID, userID, pas
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	existingPassword, err := r.passwordWriteModel(ctx, userID)
+	existingPassword, err := r.passwordWriteModel(ctx, userID, orgID)
 	if err != nil {
 		return err
 	}
@@ -24,11 +24,11 @@ func (r *CommandSide) SetOneTimePassword(ctx context.Context, orgID, userID, pas
 	return r.changePassword(ctx, orgID, userID, "", password, existingPassword)
 }

-func (r *CommandSide) ChangePassword(ctx context.Context, orgID, userID, oldPassword, newPassword, userAgentID string) (err error) {
+func (r *CommandSide) ChangePassword(ctx context.Context, orgID, userID, oldPassword, newPassword, userAgentID, resourceOwner string) (err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	existingPassword, err := r.passwordWriteModel(ctx, userID)
+	existingPassword, err := r.passwordWriteModel(ctx, userID, resourceOwner)
 	if err != nil {
 		return err
 	}
@@ -74,8 +74,8 @@ func (r *CommandSide) changePassword(ctx context.Context, orgID, userID, userAge
 	return r.eventstore.PushAggregate(ctx, existingPassword, userAgg)
 }

-func (r *CommandSide) RequestSetPassword(ctx context.Context, userID string, notifyType domain.NotificationType) (err error) {
-	existingHuman, err := r.userWriteModelByID(ctx, userID)
+func (r *CommandSide) RequestSetPassword(ctx context.Context, userID, resourceOwner string, notifyType domain.NotificationType) (err error) {
+	existingHuman, err := r.userWriteModelByID(ctx, userID, resourceOwner)
 	if err != nil {
 		return err
 	}
@@ -94,11 +94,11 @@ func (r *CommandSide) RequestSetPassword(ctx context.Context, userID string, not
 	return r.eventstore.PushAggregate(ctx, existingHuman, userAgg)
 }

-func (r *CommandSide) passwordWriteModel(ctx context.Context, userID string) (writeModel *HumanPasswordWriteModel, err error) {
+func (r *CommandSide) passwordWriteModel(ctx context.Context, userID, resourceOwner string) (writeModel *HumanPasswordWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel = NewHumanPasswordWriteModel(userID)
+	writeModel = NewHumanPasswordWriteModel(userID, resourceOwner)
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/user_human_password_model.go
+++ b/internal/v2/command/user_human_password_model.go
@@ -16,10 +16,11 @@ type HumanPasswordWriteModel struct {
 	UserState domain.UserState
 }

-func NewHumanPasswordWriteModel(userID string) *HumanPasswordWriteModel {
+func NewHumanPasswordWriteModel(userID, resourceOwner string) *HumanPasswordWriteModel {
 	return &HumanPasswordWriteModel{
 		WriteModel: eventstore.WriteModel{
-			AggregateID: userID,
+			AggregateID:   userID,
+			ResourceOwner: resourceOwner,
 		},
 	}
 }
@@ -66,5 +67,6 @@ func (wm *HumanPasswordWriteModel) Reduce() error {

 func (wm *HumanPasswordWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, user.AggregateType).
-		AggregateIDs(wm.AggregateID)
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }
--- a/internal/v2/command/user_human_phone.go
+++ b/internal/v2/command/user_human_phone.go
@@ -2,6 +2,7 @@ package command

 import (
 	"context"
+
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
 	"github.com/caos/zitadel/internal/v2/domain"
@@ -13,7 +14,7 @@ func (r *CommandSide) ChangeHumanPhone(ctx context.Context, phone *domain.Phone)
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-6M0ds", "Errors.Phone.Invalid")
 	}

-	existingPhone, err := r.phoneWriteModel(ctx, phone.AggregateID)
+	existingPhone, err := r.phoneWriteModel(ctx, phone.AggregateID, phone.ResourceOwner)
 	if err != nil {
 		return nil, err
 	}
@@ -45,12 +46,12 @@ func (r *CommandSide) ChangeHumanPhone(ctx context.Context, phone *domain.Phone)
 	return writeModelToPhone(existingPhone), nil
 }

-func (r *CommandSide) CreateHumanPhoneVerificationCode(ctx context.Context, userID string) error {
+func (r *CommandSide) CreateHumanPhoneVerificationCode(ctx context.Context, userID, resourceOwner string) error {
 	if userID == "" {
 		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4M0ds", "Errors.User.UserIDMissing")
 	}

-	existingPhone, err := r.phoneWriteModel(ctx, userID)
+	existingPhone, err := r.phoneWriteModel(ctx, userID, resourceOwner)
 	if err != nil {
 		return err
 	}
@@ -69,12 +70,12 @@ func (r *CommandSide) CreateHumanPhoneVerificationCode(ctx context.Context, user
 	return r.eventstore.PushAggregate(ctx, existingPhone, userAgg)
 }

-func (r *CommandSide) RemoveHumanPhone(ctx context.Context, userID string) error {
+func (r *CommandSide) RemoveHumanPhone(ctx context.Context, userID, resourceOwner string) error {
 	if userID == "" {
 		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-6M0ds", "Errors.User.UserIDMissing")
 	}

-	existingPhone, err := r.phoneWriteModel(ctx, userID)
+	existingPhone, err := r.phoneWriteModel(ctx, userID, resourceOwner)
 	if err != nil {
 		return err
 	}
@@ -88,11 +89,11 @@ func (r *CommandSide) RemoveHumanPhone(ctx context.Context, userID string) error
 	return r.eventstore.PushAggregate(ctx, existingPhone, userAgg)
 }

-func (r *CommandSide) phoneWriteModel(ctx context.Context, userID string) (writeModel *HumanPhoneWriteModel, err error) {
+func (r *CommandSide) phoneWriteModel(ctx context.Context, userID, resourceOwner string) (writeModel *HumanPhoneWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel = NewHumanPhoneWriteModel(userID)
+	writeModel = NewHumanPhoneWriteModel(userID, resourceOwner)
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/user_human_phone_model.go
+++ b/internal/v2/command/user_human_phone_model.go
@@ -2,6 +2,7 @@ package command

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/user"
@@ -16,10 +17,11 @@ type HumanPhoneWriteModel struct {
 	State domain.PhoneState
 }

-func NewHumanPhoneWriteModel(userID string) *HumanPhoneWriteModel {
+func NewHumanPhoneWriteModel(userID, resourceOwner string) *HumanPhoneWriteModel {
 	return &HumanPhoneWriteModel{
 		WriteModel: eventstore.WriteModel{
-			AggregateID: userID,
+			AggregateID:   userID,
+			ResourceOwner: resourceOwner,
 		},
 	}
 }
@@ -71,7 +73,8 @@ func (wm *HumanPhoneWriteModel) Reduce() error {

 func (wm *HumanPhoneWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, user.AggregateType).
-		AggregateIDs(wm.AggregateID)
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 func (wm *HumanPhoneWriteModel) NewChangedEvent(
--- a/internal/v2/command/user_human_profile.go
+++ b/internal/v2/command/user_human_profile.go
@@ -12,7 +12,7 @@ func (r *CommandSide) ChangeHumanProfile(ctx context.Context, profile *domain.Pr
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-8io0d", "Errors.User.Profile.Invalid")
 	}

-	existingProfile, err := r.profileWriteModelByID(ctx, profile.AggregateID)
+	existingProfile, err := r.profileWriteModelByID(ctx, profile.AggregateID, profile.ResourceOwner)
 	if err != nil {
 		return nil, err
 	}
@@ -34,11 +34,11 @@ func (r *CommandSide) ChangeHumanProfile(ctx context.Context, profile *domain.Pr
 	return writeModelToProfile(existingProfile), nil
 }

-func (r *CommandSide) profileWriteModelByID(ctx context.Context, userID string) (writeModel *HumanProfileWriteModel, err error) {
+func (r *CommandSide) profileWriteModelByID(ctx context.Context, userID, resourceOwner string) (writeModel *HumanProfileWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel = NewHumanProfileWriteModel(userID)
+	writeModel = NewHumanProfileWriteModel(userID, resourceOwner)
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/user_human_profile_model.go
+++ b/internal/v2/command/user_human_profile_model.go
@@ -2,10 +2,12 @@ package command

 import (
 	"context"
+
+	"golang.org/x/text/language"
+
 	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/user"
-	"golang.org/x/text/language"
 )

 type HumanProfileWriteModel struct {
@@ -21,10 +23,11 @@ type HumanProfileWriteModel struct {
 	UserState domain.UserState
 }

-func NewHumanProfileWriteModel(userID string) *HumanProfileWriteModel {
+func NewHumanProfileWriteModel(userID, resourceOwner string) *HumanProfileWriteModel {
 	return &HumanProfileWriteModel{
 		WriteModel: eventstore.WriteModel{
-			AggregateID: userID,
+			AggregateID:   userID,
+			ResourceOwner: resourceOwner,
 		},
 	}
 }
@@ -89,7 +92,8 @@ func (wm *HumanProfileWriteModel) Reduce() error {

 func (wm *HumanProfileWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, user.AggregateType).
-		AggregateIDs(wm.AggregateID)
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 func (wm *HumanProfileWriteModel) NewChangedEvent(
--- a/internal/v2/command/user_human_webauthn.go
+++ b/internal/v2/command/user_human_webauthn.go
@@ -9,22 +9,22 @@ import (
 	"github.com/caos/zitadel/internal/v2/repository/user"
 )

-func (r *CommandSide) RemoveHumanU2F(ctx context.Context, userID, webAuthNID string) error {
+func (r *CommandSide) RemoveHumanU2F(ctx context.Context, userID, webAuthNID, resourceOwner string) error {
 	event := user.NewHumanU2FRemovedEvent(ctx, webAuthNID)
-	return r.removeHumanWebAuthN(ctx, userID, webAuthNID, event)
+	return r.removeHumanWebAuthN(ctx, userID, webAuthNID, resourceOwner, event)
 }

-func (r *CommandSide) RemoveHumanPasswordless(ctx context.Context, userID, webAuthNID string) error {
+func (r *CommandSide) RemoveHumanPasswordless(ctx context.Context, userID, webAuthNID, resourceOwner string) error {
 	event := user.NewHumanPasswordlessRemovedEvent(ctx, webAuthNID)
-	return r.removeHumanWebAuthN(ctx, userID, webAuthNID, event)
+	return r.removeHumanWebAuthN(ctx, userID, webAuthNID, resourceOwner, event)
 }

-func (r *CommandSide) removeHumanWebAuthN(ctx context.Context, userID, webAuthNID string, event eventstore.EventPusher) error {
+func (r *CommandSide) removeHumanWebAuthN(ctx context.Context, userID, webAuthNID, resourceOwner string, event eventstore.EventPusher) error {
 	if userID == "" || webAuthNID == "" {
 		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-6M9de", "Errors.IDMissing")
 	}

-	existingWebAuthN, err := r.webauthNWriteModelByID(ctx, userID, webAuthNID)
+	existingWebAuthN, err := r.webauthNWriteModelByID(ctx, userID, webAuthNID, resourceOwner)
 	if err != nil {
 		return err
 	}
@@ -37,11 +37,11 @@ func (r *CommandSide) removeHumanWebAuthN(ctx context.Context, userID, webAuthNI
 	return r.eventstore.PushAggregate(ctx, existingWebAuthN, userAgg)
 }

-func (r *CommandSide) webauthNWriteModelByID(ctx context.Context, userID, webAuthNID string) (writeModel *HumanWebAuthNWriteModel, err error) {
+func (r *CommandSide) webauthNWriteModelByID(ctx context.Context, userID, webAuthNID, resourceOwner string) (writeModel *HumanWebAuthNWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel = NewHumanWebAuthNWriteModel(userID, webAuthNID)
+	writeModel = NewHumanWebAuthNWriteModel(userID, webAuthNID, resourceOwner)
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/user_human_webauthn_model.go
+++ b/internal/v2/command/user_human_webauthn_model.go
@@ -14,10 +14,11 @@ type HumanWebAuthNWriteModel struct {
 	State domain.WebAuthNState
 }

-func NewHumanWebAuthNWriteModel(userID, wbAuthNTokenID string) *HumanWebAuthNWriteModel {
+func NewHumanWebAuthNWriteModel(userID, wbAuthNTokenID, resourceOwner string) *HumanWebAuthNWriteModel {
 	return &HumanWebAuthNWriteModel{
 		WriteModel: eventstore.WriteModel{
-			AggregateID: userID,
+			AggregateID:   userID,
+			ResourceOwner: resourceOwner,
 		},
 		WebauthNTokenID: wbAuthNTokenID,
 	}
@@ -57,5 +58,6 @@ func (wm *HumanWebAuthNWriteModel) Reduce() error {

 func (wm *HumanWebAuthNWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, user.AggregateType).
-		AggregateIDs(wm.AggregateID)
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }
--- a/internal/v2/command/user_machine.go
+++ b/internal/v2/command/user_machine.go
@@ -26,7 +26,7 @@ func (r *CommandSide) AddMachine(ctx context.Context, orgID, username string, ma
 		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-6M0ds", "Errors.User.Invalid")
 	}

-	addedMachine := NewMachineWriteModel(machine.AggregateID)
+	addedMachine := NewMachineWriteModel(machine.AggregateID, orgID)
 	userAgg := UserAggregateFromWriteModel(&addedMachine.WriteModel)
 	userAgg.PushEvents(
 		user.NewMachineAddedEvent(
@@ -40,7 +40,7 @@ func (r *CommandSide) AddMachine(ctx context.Context, orgID, username string, ma
 }

 func (r *CommandSide) ChangeMachine(ctx context.Context, machine *domain.Machine) (*domain.Machine, error) {
-	existingUser, err := r.machineWriteModelByID(ctx, machine.AggregateID)
+	existingUser, err := r.machineWriteModelByID(ctx, machine.AggregateID, machine.ResourceOwner)
 	if err != nil {
 		return nil, err
 	}
@@ -62,14 +62,14 @@ func (r *CommandSide) ChangeMachine(ctx context.Context, machine *domain.Machine
 	return writeModelToMachine(existingUser), nil
 }

-func (r *CommandSide) machineWriteModelByID(ctx context.Context, userID string) (writeModel *MachineWriteModel, err error) {
+func (r *CommandSide) machineWriteModelByID(ctx context.Context, userID, resourceOwner string) (writeModel *MachineWriteModel, err error) {
 	if userID == "" {
 		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-5M0ds", "Errors.User.UserIDMissing")
 	}
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	writeModel = NewMachineWriteModel(userID)
+	writeModel = NewMachineWriteModel(userID, resourceOwner)
 	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
 	if err != nil {
 		return nil, err
--- a/internal/v2/command/user_machine_model.go
+++ b/internal/v2/command/user_machine_model.go
@@ -2,6 +2,7 @@ package command

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/user"
@@ -17,10 +18,11 @@ type MachineWriteModel struct {
 	UserState   domain.UserState
 }

-func NewMachineWriteModel(userID string) *MachineWriteModel {
+func NewMachineWriteModel(userID, resourceOwner string) *MachineWriteModel {
 	return &MachineWriteModel{
 		WriteModel: eventstore.WriteModel{
-			AggregateID: userID,
+			AggregateID:   userID,
+			ResourceOwner: resourceOwner,
 		},
 	}
 }
@@ -91,7 +93,8 @@ func (wm *MachineWriteModel) Reduce() error {

 func (wm *MachineWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, user.AggregateType).
-		AggregateIDs(wm.AggregateID)
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 func (wm *MachineWriteModel) NewChangedEvent(
--- a/internal/v2/command/user_model.go
+++ b/internal/v2/command/user_model.go
@@ -1,11 +1,12 @@
 package command

 import (
+	"strings"
+
 	caos_errors "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/user"
-	"strings"
 )

 type UserWriteModel struct {
@@ -15,10 +16,11 @@ type UserWriteModel struct {
 	UserState domain.UserState
 }

-func NewUserWriteModel(userID string) *UserWriteModel {
+func NewUserWriteModel(userID, resourceOwner string) *UserWriteModel {
 	return &UserWriteModel{
 		WriteModel: eventstore.WriteModel{
-			AggregateID: userID,
+			AggregateID:   userID,
+			ResourceOwner: resourceOwner,
 		},
 	}
 }
@@ -86,7 +88,8 @@ func (wm *UserWriteModel) Reduce() error {

 func (wm *UserWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, user.AggregateType).
-		AggregateIDs(wm.AggregateID)
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
 }

 func UserAggregateFromWriteModel(wm *eventstore.WriteModel) *user.Aggregate {
--- a/internal/v2/domain/application.go
+++ b/internal/v2/domain/application.go
@@ -0,0 +1,49 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/models"
+)
+
+type Application struct {
+	models.ObjectRoot
+
+	AppID      string
+	State      AppState
+	Name       string
+	Type       AppType
+	OIDCConfig *OIDCConfig
+}
+
+type AppState int32
+
+const (
+	AppStateUnspecified AppState = iota
+	AppStateActive
+	AppStateInactive
+	AppStateRemoved
+)
+
+type AppType int32
+
+const (
+	AppTypeUnspecified AppType = iota
+	AppTypeOIDC
+	AppTypeSAML
+)
+
+func NewApplication(projectID, appID string) *Application {
+	return &Application{ObjectRoot: models.ObjectRoot{AggregateID: projectID}, AppID: appID, State: AppStateActive}
+}
+
+func (a *Application) IsValid(includeConfig bool) bool {
+	if a.Name == "" || a.AggregateID == "" {
+		return false
+	}
+	if !includeConfig {
+		return true
+	}
+	if a.Type == AppTypeOIDC && !a.OIDCConfig.IsValid() {
+		return false
+	}
+	return true
+}
--- a/internal/v2/domain/iam.go
+++ b/internal/v2/domain/iam.go
@@ -4,6 +4,10 @@ import (
 	"github.com/caos/zitadel/internal/eventstore/models"
 )

+const (
+	IAMID = "IAM"
+)
+
 type IAM struct {
 	models.ObjectRoot

--- a/internal/v2/domain/oidc_config.go
+++ b/internal/v2/domain/oidc_config.go
@@ -0,0 +1,152 @@
+package domain
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/caos/logging"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/id"
+)
+
+type OIDCConfig struct {
+	models.ObjectRoot
+
+	AppID                    string
+	ClientID                 string
+	ClientSecret             *crypto.CryptoValue
+	ClientSecretString       string
+	RedirectUris             []string
+	ResponseTypes            []OIDCResponseType
+	GrantTypes               []OIDCGrantType
+	ApplicationType          OIDCApplicationType
+	AuthMethodType           OIDCAuthMethodType
+	PostLogoutRedirectUris   []string
+	OIDCVersion              OIDCVersion
+	Compliance               *Compliance
+	DevMode                  bool
+	AccessTokenType          OIDCTokenType
+	AccessTokenRoleAssertion bool
+	IDTokenRoleAssertion     bool
+	IDTokenUserinfoAssertion bool
+	ClockSkew                time.Duration
+}
+
+type OIDCVersion int32
+
+const (
+	OIDCVersionV1 OIDCVersion = iota
+)
+
+type OIDCResponseType int32
+
+const (
+	OIDCResponseTypeCode OIDCResponseType = iota
+	OIDCResponseTypeIDToken
+	OIDCResponseTypeIDTokenToken
+)
+
+type OIDCGrantType int32
+
+const (
+	OIDCGrantTypeAuthorizationCode OIDCGrantType = iota
+	OIDCGrantTypeImplicit
+	OIDCGrantTypeRefreshToken
+)
+
+type OIDCApplicationType int32
+
+const (
+	OIDCApplicationTypeWeb OIDCApplicationType = iota
+	OIDCApplicationTypeUserAgent
+	OIDCApplicationTypeNative
+)
+
+type OIDCAuthMethodType int32
+
+const (
+	OIDCAuthMethodTypeBasic OIDCAuthMethodType = iota
+	OIDCAuthMethodTypePost
+	OIDCAuthMethodTypeNone
+)
+
+type Compliance struct {
+	NoneCompliant bool
+	Problems      []string
+}
+
+type OIDCTokenType int32
+
+const (
+	OIDCTokenTypeBearer OIDCTokenType = iota
+	OIDCTokenTypeJWT
+)
+
+func (c *OIDCConfig) IsValid() bool {
+	grantTypes := c.getRequiredGrantTypes()
+	for _, grantType := range grantTypes {
+		ok := containsOIDCGrantType(c.GrantTypes, grantType)
+		if !ok {
+			return false
+		}
+	}
+	return true
+}
+
+//ClientID random_number@projectname (eg. 495894098234@zitadel)
+func (c *OIDCConfig) GenerateNewClientID(idGenerator id.Generator, project *Project) error {
+	rndID, err := idGenerator.Next()
+	if err != nil {
+		return err
+	}
+
+	c.ClientID = fmt.Sprintf("%v@%v", rndID, strings.ReplaceAll(strings.ToLower(project.Name), " ", "_"))
+	return nil
+}
+
+func (c *OIDCConfig) GenerateClientSecretIfNeeded(generator crypto.Generator) (string, error) {
+	if c.AuthMethodType == OIDCAuthMethodTypeNone {
+		return "", nil
+	}
+	return c.GenerateNewClientSecret(generator)
+}
+
+func (c *OIDCConfig) GenerateNewClientSecret(generator crypto.Generator) (string, error) {
+	cryptoValue, stringSecret, err := crypto.NewCode(generator)
+	if err != nil {
+		logging.Log("MODEL-UpnTI").OnError(err).Error("unable to create client secret")
+		return "", errors.ThrowInternal(err, "MODEL-gH2Wl", "Errors.Project.CouldNotGenerateClientSecret")
+	}
+	c.ClientSecret = cryptoValue
+	return stringSecret, nil
+}
+
+func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
+	grantTypes := make([]OIDCGrantType, 0)
+	implicit := false
+	for _, r := range c.ResponseTypes {
+		switch r {
+		case OIDCResponseTypeCode:
+			grantTypes = append(grantTypes, OIDCGrantTypeAuthorizationCode)
+		case OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken:
+			if !implicit {
+				implicit = true
+				grantTypes = append(grantTypes, OIDCGrantTypeImplicit)
+			}
+		}
+	}
+	return grantTypes
+}
+
+func containsOIDCGrantType(grantTypes []OIDCGrantType, grantType OIDCGrantType) bool {
+	for _, gt := range grantTypes {
+		if gt == grantType {
+			return true
+		}
+	}
+	return false
+}
--- a/internal/v2/domain/project.go
+++ b/internal/v2/domain/project.go
@@ -0,0 +1,31 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/models"
+)
+
+type Project struct {
+	models.ObjectRoot
+
+	State   ProjectState
+	Name    string
+	Members []*Member
+	Roles   []*ProjectRole
+	//Applications         []*Application
+	//Grants               []*ProjectGrant
+	ProjectRoleAssertion bool
+	ProjectRoleCheck     bool
+}
+
+type ProjectState int32
+
+const (
+	ProjectStateUnspecified ProjectState = iota
+	ProjectStateActive
+	ProjectStateInactive
+	ProjectStateRemoved
+)
+
+func (o *Project) IsValid() bool {
+	return o.Name != ""
+}
--- a/internal/v2/domain/project_role.go
+++ b/internal/v2/domain/project_role.go
@@ -0,0 +1,21 @@
+package domain
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/models"
+)
+
+type ProjectRole struct {
+	models.ObjectRoot
+
+	Key         string
+	DisplayName string
+	Group       string
+}
+
+func NewProjectRole(projectID, key string) *ProjectRole {
+	return &ProjectRole{ObjectRoot: models.ObjectRoot{AggregateID: projectID}, Key: key}
+}
+
+func (p *ProjectRole) IsValid() bool {
+	return p.AggregateID != "" && p.Key != ""
+}
--- a/internal/v2/domain/roles.go
+++ b/internal/v2/domain/roles.go
@@ -1,5 +1,8 @@
 package domain

 const (
-	OrgOwnerRole = "ORG_OWNER"
+	RoleOrgOwner           = "ORG_OWNER"
+	RoleIAMOwner           = "IAM_OWNER"
+	RoleProjectOwner       = "PROJECT_OWNER"
+	RoleProjectOwnerGlobal = "PROJECT_OWNER_GLOBAL"
 )
--- a/internal/v2/repository/iam/event_iam_project_set.go
+++ b/internal/v2/repository/iam/event_iam_project_set.go
@@ -23,7 +23,7 @@ func (e *ProjectSetEvent) Data() interface{} {
 	return e
 }

-func NewProjectSetEvent(ctx context.Context, projectID string) *ProjectSetEvent {
+func NewIAMProjectSetEvent(ctx context.Context, projectID string) *ProjectSetEvent {
 	return &ProjectSetEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
 			ctx,
--- a/internal/v2/repository/project/aggregate.go
+++ b/internal/v2/repository/project/aggregate.go
@@ -0,0 +1,31 @@
+package project
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+)
+
+const (
+	AggregateType    = "project"
+	AggregateVersion = "v1"
+)
+
+type Aggregate struct {
+	eventstore.Aggregate
+}
+
+func NewAggregate(
+	id,
+	resourceOwner string,
+	previousSequence uint64,
+) *Aggregate {
+
+	return &Aggregate{
+		Aggregate: *eventstore.NewAggregate(
+			id,
+			AggregateType,
+			resourceOwner,
+			AggregateVersion,
+			previousSequence,
+		),
+	}
+}
--- a/internal/v2/repository/project/application.go
+++ b/internal/v2/repository/project/application.go
@@ -0,0 +1,57 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/domain"
+)
+
+const (
+	applicationEventTypePrefix = projectEventTypePrefix + "application."
+	ApplicationAdded           = applicationEventTypePrefix + "added"
+	ApplicationChanged         = applicationEventTypePrefix + "changed"
+	ApplicationDeactivated     = applicationEventTypePrefix + "deactivated"
+	ApplicationReactivated     = applicationEventTypePrefix + "reactivated"
+	ApplicationRemoved         = applicationEventTypePrefix + "removed"
+)
+
+type ApplicationAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID   string         `json:"appId,omitempty"`
+	Name    string         `json:"name,omitempty"`
+	AppType domain.AppType `json:"appType,omitempty"`
+}
+
+func (e *ApplicationAddedEvent) Data() interface{} {
+	return e
+}
+
+func NewApplicationAddedEvent(ctx context.Context, appID, name string, appType domain.AppType) *ApplicationAddedEvent {
+	return &ApplicationAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			ApplicationAdded,
+		),
+		AppID:   appID,
+		Name:    name,
+		AppType: appType,
+	}
+}
+
+func ApplicationAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ApplicationAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "APPLICATION-Nffg2", "unable to unmarshal application")
+	}
+
+	return e, nil
+}
--- a/internal/v2/repository/project/member.go
+++ b/internal/v2/repository/project/member.go
@@ -0,0 +1,76 @@
+package project
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/member"
+)
+
+var (
+	MemberAddedEventType   = projectEventTypePrefix + member.AddedEventType
+	MemberChangedEventType = projectEventTypePrefix + member.ChangedEventType
+	MemberRemovedEventType = projectEventTypePrefix + member.RemovedEventType
+)
+
+type MemberAddedEvent struct {
+	member.MemberAddedEvent
+}
+
+func NewMemberAddedEvent(
+	ctx context.Context,
+	userID string,
+	roles ...string,
+) *MemberAddedEvent {
+	return &MemberAddedEvent{
+		MemberAddedEvent: *member.NewMemberAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				MemberAddedEventType,
+			),
+			userID,
+			roles...,
+		),
+	}
+}
+
+type MemberChangedEvent struct {
+	member.MemberChangedEvent
+}
+
+func NewMemberChangedEvent(
+	ctx context.Context,
+	userID string,
+	roles ...string,
+) *MemberChangedEvent {
+
+	return &MemberChangedEvent{
+		MemberChangedEvent: *member.NewMemberChangedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				MemberChangedEventType,
+			),
+			userID,
+			roles...,
+		),
+	}
+}
+
+type MemberRemovedEvent struct {
+	member.MemberRemovedEvent
+}
+
+func NewMemberRemovedEvent(
+	ctx context.Context,
+	userID string,
+) *MemberRemovedEvent {
+
+	return &MemberRemovedEvent{
+		MemberRemovedEvent: *member.NewRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				MemberRemovedEventType,
+			),
+			userID,
+		),
+	}
+}
--- a/internal/v2/repository/project/oidc_config.go
+++ b/internal/v2/repository/project/oidc_config.go
@@ -0,0 +1,102 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+	"time"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/domain"
+)
+
+const (
+	OIDCConfigAdded                = applicationEventTypePrefix + "config.oidc.added"
+	OIDCConfigChanged              = applicationEventTypePrefix + "config.oidc.changed"
+	OIDCConfigSecretChanged        = applicationEventTypePrefix + "config.oidc.secret.changed"
+	OIDCClientSecretCheckSucceeded = applicationEventTypePrefix + "oidc.secret.check.succeeded"
+	OIDCClientSecretCheckFailed    = applicationEventTypePrefix + "oidc.secret.check.failed"
+)
+
+type OIDCConfigAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Version                  domain.OIDCVersion         `json:"oidcVersion,omitempty"`
+	AppID                    string                     `json:"appId"`
+	ClientID                 string                     `json:"clientId,omitempty"`
+	ClientSecret             *crypto.CryptoValue        `json:"clientSecret,omitempty"`
+	RedirectUris             []string                   `json:"redirectUris,omitempty"`
+	ResponseTypes            []domain.OIDCResponseType  `json:"responseTypes,omitempty"`
+	GrantTypes               []domain.OIDCGrantType     `json:"grantTypes,omitempty"`
+	ApplicationType          domain.OIDCApplicationType `json:"applicationType,omitempty"`
+	AuthMethodType           domain.OIDCAuthMethodType  `json:"authMethodType,omitempty"`
+	PostLogoutRedirectUris   []string                   `json:"postLogoutRedirectUris,omitempty"`
+	DevMode                  bool                       `json:"devMode,omitempty"`
+	AccessTokenType          domain.OIDCTokenType       `json:"accessTokenType,omitempty"`
+	AccessTokenRoleAssertion bool                       `json:"accessTokenRoleAssertion,omitempty"`
+	IDTokenRoleAssertion     bool                       `json:"idTokenRoleAssertion,omitempty"`
+	IDTokenUserinfoAssertion bool                       `json:"idTokenUserinfoAssertion,omitempty"`
+	ClockSkew                time.Duration              `json:"clockSkew,omitempty"`
+}
+
+func (e *OIDCConfigAddedEvent) Data() interface{} {
+	return e
+}
+
+func NewOIDCConfigAddedEvent(
+	ctx context.Context,
+	version domain.OIDCVersion,
+	appID string,
+	clientID string,
+	clientSecret *crypto.CryptoValue,
+	redirectUris []string,
+	responseTypes []domain.OIDCResponseType,
+	grantTypes []domain.OIDCGrantType,
+	applicationType domain.OIDCApplicationType,
+	authMethodType domain.OIDCAuthMethodType,
+	postLogoutRedirectUris []string,
+	devMode bool,
+	accessTokenType domain.OIDCTokenType,
+	accessTokenRoleAssertion bool,
+	idTokenRoleAssertion bool,
+	idTokenUserinfoAssertion bool,
+	clockSkew time.Duration,
+) *OIDCConfigAddedEvent {
+	return &OIDCConfigAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			OIDCConfigAdded,
+		),
+		Version:                  version,
+		AppID:                    appID,
+		ClientID:                 clientID,
+		ClientSecret:             clientSecret,
+		RedirectUris:             redirectUris,
+		ResponseTypes:            responseTypes,
+		GrantTypes:               grantTypes,
+		ApplicationType:          applicationType,
+		AuthMethodType:           authMethodType,
+		PostLogoutRedirectUris:   postLogoutRedirectUris,
+		DevMode:                  devMode,
+		AccessTokenType:          accessTokenType,
+		AccessTokenRoleAssertion: accessTokenRoleAssertion,
+		IDTokenRoleAssertion:     idTokenRoleAssertion,
+		IDTokenUserinfoAssertion: idTokenUserinfoAssertion,
+		ClockSkew:                clockSkew,
+	}
+}
+
+func OIDCConfigAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &OIDCConfigAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDC-BFd15", "unable to unmarshal oidc config")
+	}
+
+	return e, nil
+}
--- a/internal/v2/repository/project/project.go
+++ b/internal/v2/repository/project/project.go
@@ -0,0 +1,54 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+)
+
+const (
+	projectEventTypePrefix = eventstore.EventType("project.")
+	ProjectAdded           = projectEventTypePrefix + "added"
+	ProjectChanged         = projectEventTypePrefix + "changed"
+	ProjectDeactivated     = projectEventTypePrefix + "deactivated"
+	ProjectReactivated     = projectEventTypePrefix + "reactivated"
+	ProjectRemoved         = projectEventTypePrefix + "removed"
+)
+
+type ProjectAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Name                 string `json:"name,omitempty"`
+	ProjectRoleAssertion bool   `json:"projectRoleAssertion,omitempty"`
+	ProjectRoleCheck     bool   `json:"projectRoleCheck,omitempty"`
+}
+
+func (e *ProjectAddedEvent) Data() interface{} {
+	return e
+}
+
+func NewProjectAddedEvent(ctx context.Context, name string) *ProjectAddedEvent {
+	return &ProjectAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			ProjectAdded,
+		),
+		Name: name,
+	}
+}
+
+func ProjectAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ProjectAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-Bfg2f", "unable to unmarshal project")
+	}
+
+	return e, nil
+}