feat: remove org (#4148)

* feat(command): remove org * refactor: imports, unused code, error handling * reduce org removed in action * add org deletion to projections * add org removal to projections * add org removal to projections * org removed projection * lint import * projections * fix: table names in tests * fix: table names in tests * logging * add org state * fix(domain): add Owner removed to object details * feat(ListQuery): add with owner removed * fix(org-delete): add bool to functions to select with owner removed * fix(org-delete): add bools to user grants with events to determine if dependencies lost owner * fix(org-delete): add unit tests for owner removed and org removed events * fix(org-delete): add handling of org remove for grants and members * fix(org-delete): correction of unit tests for owner removed * fix(org-delete): update projections, unit tests and get functions * fix(org-delete): add change date to authnkeys and owner removed to org metadata * fix(org-delete): include owner removed for login names * fix(org-delete): some column fixes in projections and build for queries with owner removed * indexes * fix(org-delete): include review changes * fix(org-delete): change user projection name after merge * fix(org-delete): include review changes for project grant where no project owner is necessary * fix(org-delete): include auth and adminapi tables with owner removed information * fix(org-delete): cleanup username and orgdomain uniqueconstraints when org is removed * fix(org-delete): add permissions for org.remove * remove unnecessary unique constraints * fix column order in primary keys * fix(org-delete): include review changes * fix(org-delete): add owner removed indexes and chang setup step to create tables * fix(org-delete): move PK order of instance_id and change added user_grant from review * fix(org-delete): no params for prepareUserQuery * change to step 6 * merge main * fix(org-delete): OldUserName rename to private * fix linting * cleanup * fix: remove org test * create prerelease * chore: delete org-delete as prerelease Co-authored-by: Stefan Benz <stefan@caos.ch> Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-04-23 21:21:32 +00:00 · 2022-11-30 17:01:17 +01:00 · 2022-11-30 17:01:17 +01:00 · f3e6f3b23b
commit f3e6f3b23b
parent 21a4e73bb6
304 changed files with 7293 additions and 3286 deletions
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@ -566,6 +566,7 @@ InternalAuthZ:
        - "org.global.read"
        - "org.create"
        - "org.write"
        - "org.delete"
        - "org.member.read"
        - "org.member.write"
        - "org.member.delete"
@ -639,6 +640,7 @@ InternalAuthZ:
        - "org.global.read"
        - "org.create"
        - "org.write"
        - "org.delete"
        - "org.member.read"
        - "org.member.write"
        - "org.member.delete"
@ -710,6 +712,7 @@ InternalAuthZ:
        - "org.global.read"
        - "org.create"
        - "org.write"
        - "org.delete"
        - "org.member.read"
        - "org.member.write"
        - "org.member.delete"
--- a/cmd/setup/06.go
+++ b/cmd/setup/06.go
@ -0,0 +1,28 @@
 package setup
 import (
 	"context"
 	"database/sql"
 	_ "embed"
 )
 var (
 	//go:embed 06/adminapi.sql
 	createAdminViews06 string
 	//go:embed 06/auth.sql
 	createAuthViews06 string
 )
 type OwnerRemoveColumns struct {
 	dbClient *sql.DB
 }
 func (mig *OwnerRemoveColumns) Execute(ctx context.Context) error {
 	stmt := createAdminViews06 + createAuthViews06
 	_, err := mig.dbClient.ExecContext(ctx, stmt)
 	return err
 }
 func (mig *OwnerRemoveColumns) String() string {
 	return "06_resource_owner_columns"
 }
--- a/cmd/setup/06/adminapi.sql
+++ b/cmd/setup/06/adminapi.sql
@ -0,0 +1,30 @@
 CREATE TABLE adminapi.styling2 (
    aggregate_id TEXT NOT NULL,
    creation_date TIMESTAMPTZ NULL,
    change_date TIMESTAMPTZ NULL,
    label_policy_state INT2 NOT NULL DEFAULT 0::INT2,
    sequence INT8 NULL,
    primary_color TEXT NULL,
    background_color TEXT NULL,
    warn_color TEXT NULL,
    font_color TEXT NULL,
    primary_color_dark TEXT NULL,
    background_color_dark TEXT NULL,
    warn_color_dark TEXT NULL,
    font_color_dark TEXT NULL,
    logo_url TEXT NULL,
    icon_url TEXT NULL,
    logo_dark_url TEXT NULL,
    icon_dark_url TEXT NULL,
    font_url TEXT NULL,
    err_msg_popup BOOL NULL,
    disable_watermark BOOL NULL,
    hide_login_name_suffix BOOL NULL,
    instance_id TEXT NOT NULL,
    owner_removed BOOL DEFAULT false,
    PRIMARY KEY (instance_id, aggregate_id, label_policy_state)
 );
 CREATE INDEX owner_removed_idx ON adminapi.styling2 (owner_removed);
--- a/cmd/setup/06/auth.sql
+++ b/cmd/setup/06/auth.sql
@ -0,0 +1,124 @@
 CREATE TABLE auth.users2 (
    id TEXT NULL,
    creation_date TIMESTAMPTZ NULL,
    change_date TIMESTAMPTZ NULL,
    resource_owner TEXT NULL,
    user_state INT2 NULL,
    password_set BOOL NULL,
    password_change_required BOOL NULL,
    password_change TIMESTAMPTZ NULL,
    last_login TIMESTAMPTZ NULL,
    user_name TEXT NULL,
    login_names TEXT[] NULL,
    preferred_login_name TEXT NULL,
    first_name TEXT NULL,
    last_name TEXT NULL,
    nick_name TEXT NULL,
    display_name TEXT NULL,
    preferred_language TEXT NULL,
    gender INT2 NULL,
    email TEXT NULL,
    is_email_verified BOOL NULL,
    phone TEXT NULL,
    is_phone_verified BOOL NULL,
    country TEXT NULL,
    locality TEXT NULL,
    postal_code TEXT NULL,
    region TEXT NULL,
    street_address TEXT NULL,
    otp_state INT2 NULL,
    mfa_max_set_up INT2 NULL,
    mfa_init_skipped TIMESTAMPTZ NULL,
    sequence INT8 NULL,
    init_required BOOL NULL,
    username_change_required BOOL NULL,
    machine_name TEXT NULL,
    machine_description TEXT NULL,
    user_type TEXT NULL,
    u2f_tokens BYTEA NULL,
    passwordless_tokens BYTEA NULL,
    avatar_key TEXT NULL,
    passwordless_init_required BOOL NULL,
    password_init_required BOOL NULL,
    instance_id TEXT NOT NULL,
    owner_removed BOOL DEFAULT false,
    PRIMARY KEY (instance_id, id)
 );
 CREATE INDEX owner_removed_idx ON auth.users2 (owner_removed);
 CREATE TABLE auth.user_external_idps2 (
    external_user_id TEXT NOT NULL,
    idp_config_id TEXT NOT NULL,
    user_id TEXT NULL,
    idp_name TEXT NULL,
    user_display_name TEXT NULL,
    creation_date TIMESTAMPTZ NULL,
    change_date TIMESTAMPTZ NULL,
    sequence INT8 NULL,
    resource_owner TEXT NULL,
    instance_id TEXT NOT NULL,
    owner_removed BOOL DEFAULT false,
    PRIMARY KEY (instance_id, external_user_id, idp_config_id)
 );
 CREATE INDEX owner_removed_idx ON auth.user_external_idps2 (owner_removed);
 CREATE TABLE auth.org_project_mapping2 (
    org_id TEXT NOT NULL,
    project_id TEXT NOT NULL,
    project_grant_id TEXT NULL,
    instance_id TEXT NOT NULL,
    owner_removed BOOL DEFAULT false,
    PRIMARY KEY (instance_id, org_id, project_id)
 );
 CREATE INDEX owner_removed_idx ON auth.org_project_mapping2 (owner_removed);
 CREATE TABLE auth.idp_providers2 (
    aggregate_id TEXT NOT NULL,
    idp_config_id TEXT NOT NULL,
    creation_date TIMESTAMPTZ NULL,
    change_date TIMESTAMPTZ NULL,
    sequence INT8 NULL,
    name TEXT NULL,
    idp_config_type INT2 NULL,
    idp_provider_type INT2 NULL,
    idp_state INT2 NULL,
    styling_type INT2 NULL,
    instance_id TEXT NOT NULL,
    owner_removed BOOL DEFAULT false,
    PRIMARY KEY (instance_id, aggregate_id, idp_config_id)
 );
 CREATE INDEX owner_removed_idx ON auth.idp_providers2 (owner_removed);
 CREATE TABLE auth.idp_configs2 (
    idp_config_id TEXT NOT NULL,
    creation_date TIMESTAMPTZ NULL,
    change_date TIMESTAMPTZ NULL,
    sequence INT8 NULL,
    aggregate_id TEXT NULL,
    name TEXT NULL,
    idp_state INT2 NULL,
    idp_provider_type INT2 NULL,
    is_oidc BOOL NULL,
    oidc_client_id TEXT NULL,
    oidc_client_secret JSONB NULL,
    oidc_issuer TEXT NULL,
    oidc_scopes TEXT[] NULL,
    oidc_idp_display_name_mapping INT2 NULL,
    oidc_idp_username_mapping INT2 NULL,
    styling_type INT2 NULL,
    oauth_authorization_endpoint TEXT NULL,
    oauth_token_endpoint TEXT NULL,
    auto_register BOOL NULL,
    jwt_endpoint TEXT NULL,
    jwt_keys_endpoint TEXT NULL,
    jwt_header_name TEXT NULL,
    instance_id TEXT NOT NULL,
    owner_removed BOOL DEFAULT false,
    PRIMARY KEY (instance_id, idp_config_id)
 );
 CREATE INDEX owner_removed_idx ON auth.idp_configs2 (owner_removed);
--- a/cmd/setup/config.go
+++ b/cmd/setup/config.go
@ -59,6 +59,7 @@ type Steps struct {
 	FirstInstance        *FirstInstance
 	s4EventstoreIndexes  *EventstoreIndexes
 	s5LastFailed         *LastFailed
 	s6OwnerRemoveColumns *OwnerRemoveColumns
 }
 type encryptionKeyConfig struct {
--- a/cmd/setup/setup.go
+++ b/cmd/setup/setup.go
@ -83,6 +83,7 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 	steps.s4EventstoreIndexes = &EventstoreIndexes{dbClient: dbClient, dbType: config.Database.Type()}
 	steps.s5LastFailed = &LastFailed{dbClient: dbClient}
 	steps.s6OwnerRemoveColumns = &OwnerRemoveColumns{dbClient: dbClient}
 	err = projection.Create(ctx, dbClient, eventstoreClient, config.Projections, nil, nil)
 	logging.OnError(err).Fatal("unable to start projections")
@ -110,6 +111,8 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 	logging.OnError(err).Fatal("unable to migrate step 4")
 	err = migration.Migrate(ctx, eventstoreClient, steps.s5LastFailed)
 	logging.OnError(err).Fatal("unable to migrate step 5")
 	err = migration.Migrate(ctx, eventstoreClient, steps.s6OwnerRemoveColumns)
 	logging.OnError(err).Fatal("unable to migrate step 6")
 	for _, repeatableStep := range repeatableSteps {
 		err = migration.Migrate(ctx, eventstoreClient, repeatableStep)
--- a/console/src/assets/i18n/de.json
+++ b/console/src/assets/i18n/de.json
@ -829,7 +829,8 @@
    "STATE": {
      "0": "Nicht definiert",
      "1": "Aktiv",
-      "2": "Inaktiv"
+      "2": "Inaktiv",
      "3": "Entfernt"
    },
    "MEMBER": {
      "TITLE": "Manager der Organisation verwalten",
--- a/console/src/assets/i18n/en.json
+++ b/console/src/assets/i18n/en.json
@ -829,7 +829,8 @@
    "STATE": {
      "0": "Not defined",
      "1": "Active",
-      "2": "Deactivated"
+      "2": "Deactivated",
      "3": "Removed"
    },
    "MEMBER": {
      "TITLE": "Organization Managers",
--- a/console/src/assets/i18n/fr.json
+++ b/console/src/assets/i18n/fr.json
@ -829,7 +829,8 @@
    "STATE": {
      "0": "Non défini",
      "1": "Actif",
-      "2": "Désactivé"
+      "2": "Désactivé",
      "3": "Supprimé"
    },
    "MEMBER": {
      "TITLE": "Gestionnaires de l'organisation",
--- a/console/src/assets/i18n/it.json
+++ b/console/src/assets/i18n/it.json
@ -829,7 +829,8 @@
    "STATE": {
      "0": "Non definito",
      "1": "Attivo",
-      "2": "Disattivato"
+      "2": "Disattivato",
      "3": "Rimosso"
    },
    "MEMBER": {
      "TITLE": "Manager dell'organizzazione",
--- a/console/src/assets/i18n/zh.json
+++ b/console/src/assets/i18n/zh.json
@ -829,7 +829,8 @@
    "STATE": {
      "0": "未定义",
      "1": "启用",
-      "2": "停用"
+      "2": "停用",
      "3": "移除"
    },
    "MEMBER": {
      "TITLE": "组织管理者",
--- a/docs/docs/apis/proto/management.md
+++ b/docs/docs/apis/proto/management.md
@ -804,6 +804,19 @@ Sets the state of my organisation to active
    POST: /orgs/me/_reactivate
 ### RemoveOrg
 > **rpc** RemoveOrg([RemoveOrgRequest](#removeorgrequest))
 [RemoveOrgResponse](#removeorgresponse)
 Sets the state of my organisation and all its resource (Users, Projects, Grants to and from the org) to removed
 Users of this organisation will not be able login
    DELETE: /orgs/me
 ### SetOrgMetadata
 > **rpc** SetOrgMetadata([SetOrgMetadataRequest](#setorgmetadatarequest))
@ -7051,6 +7064,23 @@ This is an empty response
 ### RemoveOrgRequest
 ### RemoveOrgResponse
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | details |  zitadel.v1.ObjectDetails | - |  |
 ### RemovePersonalAccessTokenRequest
--- a/docs/docs/apis/proto/org.md
+++ b/docs/docs/apis/proto/org.md
@ -135,6 +135,7 @@ title: zitadel/org.proto
 | ORG_STATE_UNSPECIFIED | 0 | - |
 | ORG_STATE_ACTIVE | 1 | - |
 | ORG_STATE_INACTIVE | 2 | - |
 | ORG_STATE_REMOVED | 3 | - |
--- a/internal/admin/repository/eventsourcing/handler/styling.go
+++ b/internal/admin/repository/eventsourcing/handler/styling.go
@ -25,7 +25,7 @@ import (
 )
 const (
-	stylingTable = "adminapi.styling"
+	stylingTable = "adminapi.styling2"
 )
 type Styling struct {
@ -156,6 +156,8 @@ func (m *Styling) processLabelPolicy(event *models.Event) (err error) {
 			return err
 		}
 		return m.view.DeleteInstanceStyling(event)
 	case org.OrgRemovedEventType:
 		return m.view.UpdateOrgOwnerRemovedStyling(event)
 	default:
 		return m.view.ProcessedStylingSequence(event)
 	}
--- a/internal/admin/repository/eventsourcing/view/styling.go
+++ b/internal/admin/repository/eventsourcing/view/styling.go
@ -8,7 +8,7 @@ import (
 )
 const (
-	stylingTyble = "adminapi.styling"
+	stylingTyble = "adminapi.styling2"
 )
 func (v *View) StylingByAggregateIDAndState(aggregateID, instanceID string, state int32) (*model.LabelPolicyView, error) {
@ -31,6 +31,14 @@ func (v *View) DeleteInstanceStyling(event *models.Event) error {
 	return v.ProcessedStylingSequence(event)
 }
 func (v *View) UpdateOrgOwnerRemovedStyling(event *models.Event) error {
 	err := view.UpdateOrgOwnerRemovedStyling(v.Db, stylingTyble, event.InstanceID, event.AggregateID)
 	if err != nil {
 		return err
 	}
 	return v.ProcessedStylingSequence(event)
 }
 func (v *View) GetLatestStylingSequence(instanceID string) (*global_view.CurrentSequence, error) {
 	return v.latestSequence(stylingTyble, instanceID)
 }
--- a/internal/api/assets/login_policy.go
+++ b/internal/api/assets/login_policy.go
@ -376,7 +376,7 @@ func getLabelPolicy(ctx context.Context, defaultPolicy, preview bool, queries *q
 	if preview {
 		return queries.PreviewLabelPolicyByOrg(ctx, authz.GetCtxData(ctx).OrgID)
 	}
-	return queries.ActiveLabelPolicyByOrg(ctx, authz.GetCtxData(ctx).OrgID)
+	return queries.ActiveLabelPolicyByOrg(ctx, authz.GetCtxData(ctx).OrgID, false)
 }
 func getLabelPolicyResourceOwner(ctx context.Context, defaultPolicy, preview bool, queries *query.Queries) string {
--- a/internal/api/grpc/admin/custom_text.go
+++ b/internal/api/grpc/admin/custom_text.go
@ -23,7 +23,7 @@ func (s *Server) GetDefaultInitMessageText(ctx context.Context, req *admin_pb.Ge
 }
 func (s *Server) GetCustomInitMessageText(ctx context.Context, req *admin_pb.GetCustomInitMessageTextRequest) (*admin_pb.GetCustomInitMessageTextResponse, error) {
-	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetInstance(ctx).InstanceID(), domain.InitCodeMessageType, req.Language)
+	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetInstance(ctx).InstanceID(), domain.InitCodeMessageType, req.Language, false)
 	if err != nil {
 		return nil, err
 	}
@ -71,7 +71,7 @@ func (s *Server) GetDefaultPasswordResetMessageText(ctx context.Context, req *ad
 }
 func (s *Server) GetCustomPasswordResetMessageText(ctx context.Context, req *admin_pb.GetCustomPasswordResetMessageTextRequest) (*admin_pb.GetCustomPasswordResetMessageTextResponse, error) {
-	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetInstance(ctx).InstanceID(), domain.PasswordResetMessageType, req.Language)
+	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetInstance(ctx).InstanceID(), domain.PasswordResetMessageType, req.Language, false)
 	if err != nil {
 		return nil, err
 	}
@ -119,7 +119,7 @@ func (s *Server) GetDefaultVerifyEmailMessageText(ctx context.Context, req *admi
 }
 func (s *Server) GetCustomVerifyEmailMessageText(ctx context.Context, req *admin_pb.GetCustomVerifyEmailMessageTextRequest) (*admin_pb.GetCustomVerifyEmailMessageTextResponse, error) {
-	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetInstance(ctx).InstanceID(), domain.VerifyEmailMessageType, req.Language)
+	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetInstance(ctx).InstanceID(), domain.VerifyEmailMessageType, req.Language, false)
 	if err != nil {
 		return nil, err
 	}
@ -167,7 +167,7 @@ func (s *Server) GetDefaultVerifyPhoneMessageText(ctx context.Context, req *admi
 }
 func (s *Server) GetCustomVerifyPhoneMessageText(ctx context.Context, req *admin_pb.GetCustomVerifyPhoneMessageTextRequest) (*admin_pb.GetCustomVerifyPhoneMessageTextResponse, error) {
-	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetInstance(ctx).InstanceID(), domain.VerifyPhoneMessageType, req.Language)
+	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetInstance(ctx).InstanceID(), domain.VerifyPhoneMessageType, req.Language, false)
 	if err != nil {
 		return nil, err
 	}
@ -215,7 +215,7 @@ func (s *Server) GetDefaultDomainClaimedMessageText(ctx context.Context, req *ad
 }
 func (s *Server) GetCustomDomainClaimedMessageText(ctx context.Context, req *admin_pb.GetCustomDomainClaimedMessageTextRequest) (*admin_pb.GetCustomDomainClaimedMessageTextResponse, error) {
-	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetInstance(ctx).InstanceID(), domain.DomainClaimedMessageType, req.Language)
+	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetInstance(ctx).InstanceID(), domain.DomainClaimedMessageType, req.Language, false)
 	if err != nil {
 		return nil, err
 	}
@ -263,7 +263,7 @@ func (s *Server) GetDefaultPasswordlessRegistrationMessageText(ctx context.Conte
 }
 func (s *Server) GetCustomPasswordlessRegistrationMessageText(ctx context.Context, req *admin_pb.GetCustomPasswordlessRegistrationMessageTextRequest) (*admin_pb.GetCustomPasswordlessRegistrationMessageTextResponse, error) {
-	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetInstance(ctx).InstanceID(), domain.PasswordlessRegistrationMessageType, req.Language)
+	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetInstance(ctx).InstanceID(), domain.PasswordlessRegistrationMessageType, req.Language, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/admin/domain_policy.go
+++ b/internal/api/grpc/admin/domain_policy.go
@ -19,7 +19,7 @@ func (s *Server) GetDomainPolicy(ctx context.Context, _ *admin_pb.GetDomainPolic
 }
 func (s *Server) GetCustomDomainPolicy(ctx context.Context, req *admin_pb.GetCustomDomainPolicyRequest) (*admin_pb.GetCustomDomainPolicyResponse, error) {
-	policy, err := s.query.DomainPolicyByOrg(ctx, true, req.OrgId)
+	policy, err := s.query.DomainPolicyByOrg(ctx, true, req.OrgId, false)
 	if err != nil {
 		return nil, err
 	}
@ -154,7 +154,7 @@ func (s *Server) GetOrgIAMPolicy(ctx context.Context, _ *admin_pb.GetOrgIAMPolic
 }
 func (s *Server) GetCustomOrgIAMPolicy(ctx context.Context, req *admin_pb.GetCustomOrgIAMPolicyRequest) (*admin_pb.GetCustomOrgIAMPolicyResponse, error) {
-	policy, err := s.query.DomainPolicyByOrg(ctx, true, req.OrgId)
+	policy, err := s.query.DomainPolicyByOrg(ctx, true, req.OrgId, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/admin/export.go
+++ b/internal/api/grpc/admin/export.go
@ -254,7 +254,7 @@ func (s *Server) getDomainPolicy(ctx context.Context, orgID string) (_ *admin_pb
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
-	queriedDomain, err := s.query.DomainPolicyByOrg(ctx, true, orgID)
+	queriedDomain, err := s.query.DomainPolicyByOrg(ctx, true, orgID, false)
 	if err != nil {
 		return nil, err
 	}
@ -277,7 +277,7 @@ func (s *Server) getDomains(ctx context.Context, orgID string) (_ []*org_pb.Doma
 	if err != nil {
 		return nil, err
 	}
-	orgDomainsQuery, err := s.query.SearchOrgDomains(ctx, &query.OrgDomainSearchQueries{Queries: []query.SearchQuery{orgDomainOrgIDQuery}})
+	orgDomainsQuery, err := s.query.SearchOrgDomains(ctx, &query.OrgDomainSearchQueries{Queries: []query.SearchQuery{orgDomainOrgIDQuery}}, false)
 	if err != nil {
 		return nil, err
 	}
@ -306,7 +306,7 @@ func (s *Server) getIDPs(ctx context.Context, orgID string) (_ []*v1_pb.DataOIDC
 	if err != nil {
 		return nil, nil, err
 	}
-	idps, err := s.query.IDPs(ctx, &query.IDPSearchQueries{Queries: []query.SearchQuery{idpQuery, ownerType}})
+	idps, err := s.query.IDPs(ctx, &query.IDPSearchQueries{Queries: []query.SearchQuery{idpQuery, ownerType}}, false)
 	if err != nil {
 		return nil, nil, err
 	}
@ -314,7 +314,7 @@ func (s *Server) getIDPs(ctx context.Context, orgID string) (_ []*v1_pb.DataOIDC
 	jwtIdps := make([]*v1_pb.DataJWTIDP, 0)
 	for _, idp := range idps.IDPs {
 		if idp.OIDCIDP != nil {
-			clientSecret, err := s.query.GetOIDCIDPClientSecret(ctx, false, orgID, idp.ID)
+			clientSecret, err := s.query.GetOIDCIDPClientSecret(ctx, false, orgID, idp.ID, false)
 			if err != nil && !caos_errors.IsNotFound(err) {
 				return nil, nil, err
 			}
@ -354,7 +354,7 @@ func (s *Server) getLabelPolicy(ctx context.Context, orgID string) (_ *managemen
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
-	queriedLabel, err := s.query.ActiveLabelPolicyByOrg(ctx, orgID)
+	queriedLabel, err := s.query.ActiveLabelPolicyByOrg(ctx, orgID, false)
 	if err != nil {
 		return nil, err
 	}
@ -379,7 +379,7 @@ func (s *Server) getLoginPolicy(ctx context.Context, orgID string, orgIDPs []str
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
-	queriedLogin, err := s.query.LoginPolicyByID(ctx, false, orgID)
+	queriedLogin, err := s.query.LoginPolicyByID(ctx, false, orgID, false)
 	if err != nil {
 		return nil, err
 	}
@ -400,7 +400,7 @@ func (s *Server) getLoginPolicy(ctx context.Context, orgID string, orgIDPs []str
 			multiFactors = append(multiFactors, policy_pb.MultiFactorType(factor))
 		}
-		idpLinksQuery, err := s.query.IDPLoginPolicyLinks(ctx, orgID, &query.IDPLoginPolicyLinksSearchQuery{})
+		idpLinksQuery, err := s.query.IDPLoginPolicyLinks(ctx, orgID, &query.IDPLoginPolicyLinksSearchQuery{}, false)
 		if err != nil {
 			return nil, err
 		}
@ -456,7 +456,7 @@ func (s *Server) getUserLinks(ctx context.Context, orgID string) (_ []*idp_pb.ID
 	if err != nil {
 		return nil, err
 	}
-	idpUserLinks, err := s.query.IDPUserLinks(ctx, &query.IDPUserLinksSearchQuery{Queries: []query.SearchQuery{userLinksResourceOwner}})
+	idpUserLinks, err := s.query.IDPUserLinks(ctx, &query.IDPUserLinksSearchQuery{Queries: []query.SearchQuery{userLinksResourceOwner}}, false)
 	if err != nil {
 		return nil, err
 	}
@ -479,7 +479,7 @@ func (s *Server) getLockoutPolicy(ctx context.Context, orgID string) (_ *managem
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
-	queriedLockout, err := s.query.LockoutPolicyByOrg(ctx, false, orgID)
+	queriedLockout, err := s.query.LockoutPolicyByOrg(ctx, false, orgID, false)
 	if err != nil {
 		return nil, err
 	}
@ -495,7 +495,7 @@ func (s *Server) getPasswordComplexityPolicy(ctx context.Context, orgID string)
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
-	queriedPasswordComplexity, err := s.query.PasswordComplexityPolicyByOrg(ctx, false, orgID)
+	queriedPasswordComplexity, err := s.query.PasswordComplexityPolicyByOrg(ctx, false, orgID, false)
 	if err != nil {
 		return nil, err
 	}
@ -515,7 +515,7 @@ func (s *Server) getPrivacyPolicy(ctx context.Context, orgID string) (_ *managem
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
-	queriedPrivacy, err := s.query.PrivacyPolicyByOrg(ctx, false, orgID)
+	queriedPrivacy, err := s.query.PrivacyPolicyByOrg(ctx, false, orgID, false)
 	if err != nil {
 		return nil, err
 	}
@ -537,7 +537,7 @@ func (s *Server) getUsers(ctx context.Context, org string, withPasswords bool, w
 	if err != nil {
 		return nil, nil, nil, nil, err
 	}
-	users, err := s.query.SearchUsers(ctx, &query.UserSearchQueries{Queries: []query.SearchQuery{orgSearch}})
+	users, err := s.query.SearchUsers(ctx, &query.UserSearchQueries{Queries: []query.SearchQuery{orgSearch}}, false)
 	if err != nil {
 		return nil, nil, nil, nil, err
 	}
@ -619,7 +619,7 @@ func (s *Server) getUsers(ctx context.Context, org string, withPasswords bool, w
 				return nil, nil, nil, nil, err
 			}
-			keys, err := s.query.SearchAuthNKeysData(ctx, &query.AuthNKeySearchQueries{Queries: []query.SearchQuery{userIDQuery, orgIDQuery}})
+			keys, err := s.query.SearchAuthNKeysData(ctx, &query.AuthNKeySearchQueries{Queries: []query.SearchQuery{userIDQuery, orgIDQuery}}, false)
 			if err != nil {
 				return nil, nil, nil, nil, err
 			}
@ -640,7 +640,7 @@ func (s *Server) getUsers(ctx context.Context, org string, withPasswords bool, w
 		if err != nil {
 			return nil, nil, nil, nil, err
 		}
-		metadataList, err := s.query.SearchUserMetadata(ctx, false, user.ID, &query.UserMetadataSearchQueries{Queries: []query.SearchQuery{metadataOrgSearch}})
+		metadataList, err := s.query.SearchUserMetadata(ctx, false, user.ID, &query.UserMetadataSearchQueries{Queries: []query.SearchQuery{metadataOrgSearch}}, false)
 		metaspan.EndWithError(err)
 		if err != nil {
 			return nil, nil, nil, nil, err
@ -663,7 +663,7 @@ func (s *Server) getTriggerActions(ctx context.Context, org string, processedAct
 	triggerActions := make([]*management_pb.SetTriggerActionsRequest, 0)
 	for _, flowType := range flowTypes {
-		flow, err := s.query.GetFlow(ctx, flowType, org)
+		flow, err := s.query.GetFlow(ctx, flowType, org, false)
 		if err != nil {
 			return nil, err
 		}
@ -693,7 +693,7 @@ func (s *Server) getActions(ctx context.Context, org string) ([]*v1_pb.DataActio
 	if err != nil {
 		return nil, err
 	}
-	queriedActions, err := s.query.SearchActions(ctx, &query.ActionSearchQueries{Queries: []query.SearchQuery{actionSearch}})
+	queriedActions, err := s.query.SearchActions(ctx, &query.ActionSearchQueries{Queries: []query.SearchQuery{actionSearch}}, false)
 	if err != nil {
 		return nil, err
 	}
@ -720,7 +720,7 @@ func (s *Server) getProjectsAndApps(ctx context.Context, org string) ([]*v1_pb.D
 	if err != nil {
 		return nil, nil, nil, nil, nil, err
 	}
-	queriedProjects, err := s.query.SearchProjects(ctx, &query.ProjectSearchQueries{Queries: []query.SearchQuery{projectSearch}})
+	queriedProjects, err := s.query.SearchProjects(ctx, &query.ProjectSearchQueries{Queries: []query.SearchQuery{projectSearch}}, false)
 	if err != nil {
 		return nil, nil, nil, nil, nil, err
 	}
@ -747,7 +747,7 @@ func (s *Server) getProjectsAndApps(ctx context.Context, org string) ([]*v1_pb.D
 			return nil, nil, nil, nil, nil, err
 		}
-		queriedProjectRoles, err := s.query.SearchProjectRoles(ctx, false, &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectRoleSearch}})
+		queriedProjectRoles, err := s.query.SearchProjectRoles(ctx, false, &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectRoleSearch}}, false)
 		if err != nil {
 			return nil, nil, nil, nil, nil, err
 		}
@ -764,7 +764,7 @@ func (s *Server) getProjectsAndApps(ctx context.Context, org string) ([]*v1_pb.D
 		if err != nil {
 			return nil, nil, nil, nil, nil, err
 		}
-		apps, err := s.query.SearchApps(ctx, &query.AppSearchQueries{Queries: []query.SearchQuery{appSearch}})
+		apps, err := s.query.SearchApps(ctx, &query.AppSearchQueries{Queries: []query.SearchQuery{appSearch}}, false)
 		if err != nil {
 			return nil, nil, nil, nil, nil, err
 		}
@ -824,7 +824,7 @@ func (s *Server) getProjectsAndApps(ctx context.Context, org string) ([]*v1_pb.D
 			if err != nil {
 				return nil, nil, nil, nil, nil, err
 			}
-			keys, err := s.query.SearchAuthNKeysData(ctx, &query.AuthNKeySearchQueries{Queries: []query.SearchQuery{appIDQuery, projectIDQuery, orgIDQuery}})
+			keys, err := s.query.SearchAuthNKeysData(ctx, &query.AuthNKeySearchQueries{Queries: []query.SearchQuery{appIDQuery, projectIDQuery, orgIDQuery}}, false)
 			if err != nil {
 				return nil, nil, nil, nil, nil, err
 			}
@ -854,7 +854,7 @@ func (s *Server) getNecessaryProjectGrantMembersForOrg(ctx context.Context, org
 				return nil, err
 			}
-			queriedProjectMembers, err := s.query.ProjectGrantMembers(ctx, &query.ProjectGrantMembersQuery{ProjectID: projectID, OrgID: org, GrantID: grantID, MembersQuery: query.MembersQuery{Queries: []query.SearchQuery{search}}})
+			queriedProjectMembers, err := s.query.ProjectGrantMembers(ctx, &query.ProjectGrantMembersQuery{ProjectID: projectID, OrgID: org, GrantID: grantID, MembersQuery: query.MembersQuery{Queries: []query.SearchQuery{search}}}, false)
 			if err != nil {
 				return nil, err
 			}
@ -882,7 +882,7 @@ func (s *Server) getNecessaryProjectMembersForOrg(ctx context.Context, processed
 	projectMembers := make([]*management_pb.AddProjectMemberRequest, 0)
 	for _, projectID := range processedProjects {
-		queriedProjectMembers, err := s.query.ProjectMembers(ctx, &query.ProjectMembersQuery{ProjectID: projectID})
+		queriedProjectMembers, err := s.query.ProjectMembers(ctx, &query.ProjectMembersQuery{ProjectID: projectID}, false)
 		if err != nil {
 			return nil, err
 		}
@ -903,7 +903,7 @@ func (s *Server) getNecessaryProjectMembersForOrg(ctx context.Context, processed
 }
 func (s *Server) getNecessaryOrgMembersForOrg(ctx context.Context, org string, processedUsers []string) ([]*management_pb.AddOrgMemberRequest, error) {
-	queriedOrgMembers, err := s.query.OrgMembers(ctx, &query.OrgMembersQuery{OrgID: org})
+	queriedOrgMembers, err := s.query.OrgMembers(ctx, &query.OrgMembersQuery{OrgID: org}, false)
 	if err != nil {
 		return nil, err
 	}
@ -928,7 +928,7 @@ func (s *Server) getNecessaryProjectGrantsForOrg(ctx context.Context, org string
 	if err != nil {
 		return nil, err
 	}
-	queriedProjectGrants, err := s.query.SearchProjectGrants(ctx, &query.ProjectGrantSearchQueries{Queries: []query.SearchQuery{projectGrantSearchOrg}})
+	queriedProjectGrants, err := s.query.SearchProjectGrants(ctx, &query.ProjectGrantSearchQueries{Queries: []query.SearchQuery{projectGrantSearchOrg}}, false)
 	if err != nil {
 		return nil, err
 	}
@ -966,7 +966,7 @@ func (s *Server) getNecessaryUserGrantsForOrg(ctx context.Context, org string, p
 		return nil, err
 	}
-	queriedUserGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{Queries: []query.SearchQuery{userGrantSearchOrg}})
+	queriedUserGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{Queries: []query.SearchQuery{userGrantSearchOrg}}, false)
 	if err != nil {
 		return nil, err
 	}
@ -1061,7 +1061,7 @@ func (s *Server) getCustomLoginTexts(ctx context.Context, org string, languages
 func (s *Server) getCustomInitMessageTexts(ctx context.Context, org string, languages []string) ([]*management_pb.SetCustomInitMessageTextRequest, error) {
 	customTexts := make([]*management_pb.SetCustomInitMessageTextRequest, 0, len(languages))
 	for _, lang := range languages {
-		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.InitCodeMessageType, lang)
+		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.InitCodeMessageType, lang, false)
 		if err != nil {
 			return nil, err
 		}
@ -1086,7 +1086,7 @@ func (s *Server) getCustomInitMessageTexts(ctx context.Context, org string, lang
 func (s *Server) getCustomPasswordResetMessageTexts(ctx context.Context, org string, languages []string) ([]*management_pb.SetCustomPasswordResetMessageTextRequest, error) {
 	customTexts := make([]*management_pb.SetCustomPasswordResetMessageTextRequest, 0, len(languages))
 	for _, lang := range languages {
-		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.PasswordResetMessageType, lang)
+		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.PasswordResetMessageType, lang, false)
 		if err != nil {
 			return nil, err
 		}
@ -1111,7 +1111,7 @@ func (s *Server) getCustomPasswordResetMessageTexts(ctx context.Context, org str
 func (s *Server) getCustomVerifyEmailMessageTexts(ctx context.Context, org string, languages []string) ([]*management_pb.SetCustomVerifyEmailMessageTextRequest, error) {
 	customTexts := make([]*management_pb.SetCustomVerifyEmailMessageTextRequest, 0, len(languages))
 	for _, lang := range languages {
-		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.VerifyEmailMessageType, lang)
+		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.VerifyEmailMessageType, lang, false)
 		if err != nil {
 			return nil, err
 		}
@ -1136,7 +1136,7 @@ func (s *Server) getCustomVerifyEmailMessageTexts(ctx context.Context, org strin
 func (s *Server) getCustomVerifyPhoneMessageTexts(ctx context.Context, org string, languages []string) ([]*management_pb.SetCustomVerifyPhoneMessageTextRequest, error) {
 	customTexts := make([]*management_pb.SetCustomVerifyPhoneMessageTextRequest, 0, len(languages))
 	for _, lang := range languages {
-		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.VerifyPhoneMessageType, lang)
+		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.VerifyPhoneMessageType, lang, false)
 		if err != nil {
 			return nil, err
 		}
@ -1161,7 +1161,7 @@ func (s *Server) getCustomVerifyPhoneMessageTexts(ctx context.Context, org strin
 func (s *Server) getCustomDomainClaimedMessageTexts(ctx context.Context, org string, languages []string) ([]*management_pb.SetCustomDomainClaimedMessageTextRequest, error) {
 	customTexts := make([]*management_pb.SetCustomDomainClaimedMessageTextRequest, 0, len(languages))
 	for _, lang := range languages {
-		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.DomainClaimedMessageType, lang)
+		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.DomainClaimedMessageType, lang, false)
 		if err != nil {
 			return nil, err
 		}
@ -1186,7 +1186,7 @@ func (s *Server) getCustomDomainClaimedMessageTexts(ctx context.Context, org str
 func (s *Server) getCustomPasswordlessRegistrationMessageTexts(ctx context.Context, org string, languages []string) ([]*management_pb.SetCustomPasswordlessRegistrationMessageTextRequest, error) {
 	customTexts := make([]*management_pb.SetCustomPasswordlessRegistrationMessageTextRequest, 0, len(languages))
 	for _, lang := range languages {
-		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.DomainClaimedMessageType, lang)
+		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.DomainClaimedMessageType, lang, false)
 		if err != nil {
 			return nil, err
 		}
--- a/internal/api/grpc/admin/iam_member.go
+++ b/internal/api/grpc/admin/iam_member.go
@ -22,7 +22,7 @@ func (s *Server) ListIAMMembers(ctx context.Context, req *admin_pb.ListIAMMember
 	if err != nil {
 		return nil, err
 	}
-	res, err := s.query.IAMMembers(ctx, queries)
+	res, err := s.query.IAMMembers(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/admin/idp.go
+++ b/internal/api/grpc/admin/idp.go
@ -11,7 +11,7 @@ import (
 )
 func (s *Server) GetIDPByID(ctx context.Context, req *admin_pb.GetIDPByIDRequest) (*admin_pb.GetIDPByIDResponse, error) {
-	idp, err := s.query.IDPByIDAndResourceOwner(ctx, true, req.Id, authz.GetInstance(ctx).InstanceID())
+	idp, err := s.query.IDPByIDAndResourceOwner(ctx, true, req.Id, authz.GetInstance(ctx).InstanceID(), false)
 	if err != nil {
 		return nil, err
 	}
@ -23,7 +23,7 @@ func (s *Server) ListIDPs(ctx context.Context, req *admin_pb.ListIDPsRequest) (*
 	if err != nil {
 		return nil, err
 	}
-	resp, err := s.query.IDPs(ctx, queries)
+	resp, err := s.query.IDPs(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
@ -100,7 +100,7 @@ func (s *Server) RemoveIDP(ctx context.Context, req *admin_pb.RemoveIDPRequest)
 	}
 	idps, err := s.query.IDPs(ctx, &query.IDPSearchQueries{
 		Queries: []query.SearchQuery{providerQuery},
-	})
+	}, true)
 	if err != nil {
 		return nil, err
 	}
@ -111,7 +111,7 @@ func (s *Server) RemoveIDP(ctx context.Context, req *admin_pb.RemoveIDPRequest)
 	}
 	userLinks, err := s.query.IDPUserLinks(ctx, &query.IDPUserLinksSearchQuery{
 		Queries: []query.SearchQuery{idpQuery},
-	})
+	}, true)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/admin/login_policy.go
+++ b/internal/api/grpc/admin/login_policy.go
@ -36,7 +36,7 @@ func (s *Server) UpdateLoginPolicy(ctx context.Context, p *admin_pb.UpdateLoginP
 }
 func (s *Server) ListLoginPolicyIDPs(ctx context.Context, req *admin_pb.ListLoginPolicyIDPsRequest) (*admin_pb.ListLoginPolicyIDPsResponse, error) {
-	res, err := s.query.IDPLoginPolicyLinks(ctx, authz.GetInstance(ctx).InstanceID(), ListLoginPolicyIDPsRequestToQuery(req))
+	res, err := s.query.IDPLoginPolicyLinks(ctx, authz.GetInstance(ctx).InstanceID(), ListLoginPolicyIDPsRequestToQuery(req), false)
 	if err != nil {
 		return nil, err
 	}
@ -67,7 +67,7 @@ func (s *Server) RemoveIDPFromLoginPolicy(ctx context.Context, req *admin_pb.Rem
 	}
 	idps, err := s.query.IDPUserLinks(ctx, &query.IDPUserLinksSearchQuery{
 		Queries: []query.SearchQuery{idpQuery},
-	})
+	}, true)
 	if err != nil {
 		return nil, err
--- a/internal/api/grpc/admin/org.go
+++ b/internal/api/grpc/admin/org.go
@ -83,7 +83,7 @@ func (s *Server) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgDomain str
 	if err != nil {
 		return nil, err
 	}
-	users, err := s.query.SearchUsers(ctx, &query.UserSearchQueries{Queries: []query.SearchQuery{loginName}})
+	users, err := s.query.SearchUsers(ctx, &query.UserSearchQueries{Queries: []query.SearchQuery{loginName}}, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/auth/email.go
+++ b/internal/api/grpc/auth/email.go
@ -11,7 +11,7 @@ import (
 )
 func (s *Server) GetMyEmail(ctx context.Context, _ *auth_pb.GetMyEmailRequest) (*auth_pb.GetMyEmailResponse, error) {
-	email, err := s.query.GetHumanEmail(ctx, authz.GetCtxData(ctx).UserID)
+	email, err := s.query.GetHumanEmail(ctx, authz.GetCtxData(ctx).UserID, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/auth/idp.go
+++ b/internal/api/grpc/auth/idp.go
@ -13,7 +13,7 @@ func (s *Server) ListMyLinkedIDPs(ctx context.Context, req *auth_pb.ListMyLinked
 	if err != nil {
 		return nil, err
 	}
-	links, err := s.query.IDPUserLinks(ctx, q)
+	links, err := s.query.IDPUserLinks(ctx, q, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/auth/multi_factor.go
+++ b/internal/api/grpc/auth/multi_factor.go
@ -26,7 +26,7 @@ func (s *Server) ListMyAuthFactors(ctx context.Context, _ *auth_pb.ListMyAuthFac
 	if err != nil {
 		return nil, err
 	}
-	authMethods, err := s.query.SearchUserAuthMethods(ctx, query)
+	authMethods, err := s.query.SearchUserAuthMethods(ctx, query, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/auth/password_complexity.go
+++ b/internal/api/grpc/auth/password_complexity.go
@ -9,7 +9,7 @@ import (
 )
 func (s *Server) GetMyPasswordComplexityPolicy(ctx context.Context, _ *auth_pb.GetMyPasswordComplexityPolicyRequest) (*auth_pb.GetMyPasswordComplexityPolicyResponse, error) {
-	policy, err := s.query.PasswordComplexityPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.PasswordComplexityPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/auth/passwordless.go
+++ b/internal/api/grpc/auth/passwordless.go
@ -30,7 +30,7 @@ func (s *Server) ListMyPasswordless(ctx context.Context, _ *auth_pb.ListMyPasswo
 	if err != nil {
 		return nil, err
 	}
-	authMethods, err := s.query.SearchUserAuthMethods(ctx, query)
+	authMethods, err := s.query.SearchUserAuthMethods(ctx, query, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/auth/permission.go
+++ b/internal/api/grpc/auth/permission.go
@ -34,7 +34,7 @@ func (s *Server) ListMyProjectPermissions(ctx context.Context, _ *auth_pb.ListMy
 	if err != nil {
 		return nil, err
 	}
-	userGrant, err := s.query.UserGrant(ctx, true, userGrantOrgID, userGrantProjectID, userGrantUserID)
+	userGrant, err := s.query.UserGrant(ctx, true, false, userGrantOrgID, userGrantProjectID, userGrantUserID)
 	if err != nil {
 		return nil, err
 	}
@ -48,7 +48,7 @@ func (s *Server) ListMyMemberships(ctx context.Context, req *auth_pb.ListMyMembe
 	if err != nil {
 		return nil, err
 	}
-	response, err := s.query.Memberships(ctx, request)
+	response, err := s.query.Memberships(ctx, request, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/auth/phone.go
+++ b/internal/api/grpc/auth/phone.go
@ -11,7 +11,7 @@ import (
 )
 func (s *Server) GetMyPhone(ctx context.Context, _ *auth_pb.GetMyPhoneRequest) (*auth_pb.GetMyPhoneResponse, error) {
-	phone, err := s.query.GetHumanPhone(ctx, authz.GetCtxData(ctx).UserID)
+	phone, err := s.query.GetHumanPhone(ctx, authz.GetCtxData(ctx).UserID, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/auth/policy.go
+++ b/internal/api/grpc/auth/policy.go
@ -9,7 +9,7 @@ import (
 )
 func (s *Server) GetMyLabelPolicy(ctx context.Context, _ *auth_pb.GetMyLabelPolicyRequest) (*auth_pb.GetMyLabelPolicyResponse, error) {
-	policy, err := s.query.ActiveLabelPolicyByOrg(ctx, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.ActiveLabelPolicyByOrg(ctx, authz.GetCtxData(ctx).OrgID, false)
 	if err != nil {
 		return nil, err
 	}
@ -19,7 +19,7 @@ func (s *Server) GetMyLabelPolicy(ctx context.Context, _ *auth_pb.GetMyLabelPoli
 }
 func (s *Server) GetMyPrivacyPolicy(ctx context.Context, _ *auth_pb.GetMyPrivacyPolicyRequest) (*auth_pb.GetMyPrivacyPolicyResponse, error) {
-	policy, err := s.query.PrivacyPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.PrivacyPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/auth/profile.go
+++ b/internal/api/grpc/auth/profile.go
@ -10,7 +10,7 @@ import (
 )
 func (s *Server) GetMyProfile(ctx context.Context, req *auth_pb.GetMyProfileRequest) (*auth_pb.GetMyProfileResponse, error) {
-	profile, err := s.query.GetHumanProfile(ctx, authz.GetCtxData(ctx).UserID)
+	profile, err := s.query.GetHumanProfile(ctx, authz.GetCtxData(ctx).UserID, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/auth/user.go
+++ b/internal/api/grpc/auth/user.go
@ -17,7 +17,7 @@ import (
 )
 func (s *Server) GetMyUser(ctx context.Context, _ *auth_pb.GetMyUserRequest) (*auth_pb.GetMyUserResponse, error) {
-	user, err := s.query.GetUserByID(ctx, true, authz.GetCtxData(ctx).UserID)
+	user, err := s.query.GetUserByID(ctx, true, authz.GetCtxData(ctx).UserID, false)
 	if err != nil {
 		return nil, err
 	}
@ -31,7 +31,7 @@ func (s *Server) RemoveMyUser(ctx context.Context, _ *auth_pb.RemoveMyUserReques
 		return nil, err
 	}
 	queries := &query.UserGrantsQueries{Queries: []query.SearchQuery{userGrantUserID}}
-	grants, err := s.query.UserGrants(ctx, queries)
+	grants, err := s.query.UserGrants(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
@ -42,7 +42,7 @@ func (s *Server) RemoveMyUser(ctx context.Context, _ *auth_pb.RemoveMyUserReques
 	}
 	memberships, err := s.query.Memberships(ctx, &query.MembershipSearchQuery{
 		Queries: []query.SearchQuery{userQuery},
-	})
+	}, false)
 	if err != nil {
 		return nil, err
 	}
@ -71,7 +71,7 @@ func (s *Server) ListMyMetadata(ctx context.Context, req *auth_pb.ListMyMetadata
 	if err != nil {
 		return nil, err
 	}
-	res, err := s.query.SearchUserMetadata(ctx, true, authz.GetCtxData(ctx).UserID, queries)
+	res, err := s.query.SearchUserMetadata(ctx, true, authz.GetCtxData(ctx).UserID, queries, false)
 	if err != nil {
 		return nil, err
 	}
@ -82,7 +82,7 @@ func (s *Server) ListMyMetadata(ctx context.Context, req *auth_pb.ListMyMetadata
 }
 func (s *Server) GetMyMetadata(ctx context.Context, req *auth_pb.GetMyMetadataRequest) (*auth_pb.GetMyMetadataResponse, error) {
-	data, err := s.query.GetUserMetadataByKey(ctx, true, authz.GetCtxData(ctx).UserID, req.Key)
+	data, err := s.query.GetUserMetadataByKey(ctx, true, authz.GetCtxData(ctx).UserID, req.Key, false)
 	if err != nil {
 		return nil, err
 	}
@ -125,7 +125,7 @@ func (s *Server) ListMyUserGrants(ctx context.Context, req *auth_pb.ListMyUserGr
 	if err != nil {
 		return nil, err
 	}
-	res, err := s.query.UserGrants(ctx, queries)
+	res, err := s.query.UserGrants(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
@ -154,7 +154,7 @@ func (s *Server) ListMyProjectOrgs(ctx context.Context, req *auth_pb.ListMyProje
 			return nil, err
 		}
-		grants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{Queries: []query.SearchQuery{userGrantProjectID, userGrantUserID}})
+		grants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{Queries: []query.SearchQuery{userGrantProjectID, userGrantUserID}}, false)
 		if err != nil {
 			return nil, err
 		}
@ -210,7 +210,7 @@ func (s *Server) myOrgsQuery(ctx context.Context, ctxData authz.CtxData) (*query
 	}
 	return s.query.Memberships(ctx, &query.MembershipSearchQuery{
 		Queries: []query.SearchQuery{userQuery},
-	})
+	}, false)
 }
 func isIAMAdmin(memberships []*query.Membership) bool {
--- a/internal/api/grpc/management/actions.go
+++ b/internal/api/grpc/management/actions.go
@ -14,7 +14,7 @@ func (s *Server) ListActions(ctx context.Context, req *mgmt_pb.ListActionsReques
 	if err != nil {
 		return nil, err
 	}
-	actions, err := s.query.SearchActions(ctx, query)
+	actions, err := s.query.SearchActions(ctx, query, false)
 	if err != nil {
 		return nil, err
 	}
@ -25,7 +25,7 @@ func (s *Server) ListActions(ctx context.Context, req *mgmt_pb.ListActionsReques
 }
 func (s *Server) GetAction(ctx context.Context, req *mgmt_pb.GetActionRequest) (*mgmt_pb.GetActionResponse, error) {
-	action, err := s.query.GetActionByID(ctx, req.Id, authz.GetCtxData(ctx).OrgID)
+	action, err := s.query.GetActionByID(ctx, req.Id, authz.GetCtxData(ctx).OrgID, false)
 	if err != nil {
 		return nil, err
 	}
@ -89,7 +89,7 @@ func (s *Server) ReactivateAction(ctx context.Context, req *mgmt_pb.ReactivateAc
 }
 func (s *Server) DeleteAction(ctx context.Context, req *mgmt_pb.DeleteActionRequest) (*mgmt_pb.DeleteActionResponse, error) {
-	flowTypes, err := s.query.GetFlowTypesOfActionID(ctx, req.Id)
+	flowTypes, err := s.query.GetFlowTypesOfActionID(ctx, req.Id, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/custom_text.go
+++ b/internal/api/grpc/management/custom_text.go
@ -13,7 +13,7 @@ import (
 )
 func (s *Server) GetCustomInitMessageText(ctx context.Context, req *mgmt_pb.GetCustomInitMessageTextRequest) (*mgmt_pb.GetCustomInitMessageTextResponse, error) {
-	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetCtxData(ctx).OrgID, domain.InitCodeMessageType, req.Language)
+	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetCtxData(ctx).OrgID, domain.InitCodeMessageType, req.Language, false)
 	if err != nil {
 		return nil, err
 	}
@ -61,7 +61,7 @@ func (s *Server) ResetCustomInitMessageTextToDefault(ctx context.Context, req *m
 }
 func (s *Server) GetCustomPasswordResetMessageText(ctx context.Context, req *mgmt_pb.GetCustomPasswordResetMessageTextRequest) (*mgmt_pb.GetCustomPasswordResetMessageTextResponse, error) {
-	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetCtxData(ctx).OrgID, domain.PasswordResetMessageType, req.Language)
+	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetCtxData(ctx).OrgID, domain.PasswordResetMessageType, req.Language, false)
 	if err != nil {
 		return nil, err
 	}
@ -109,7 +109,7 @@ func (s *Server) ResetCustomPasswordResetMessageTextToDefault(ctx context.Contex
 }
 func (s *Server) GetCustomVerifyEmailMessageText(ctx context.Context, req *mgmt_pb.GetCustomVerifyEmailMessageTextRequest) (*mgmt_pb.GetCustomVerifyEmailMessageTextResponse, error) {
-	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetCtxData(ctx).OrgID, domain.VerifyEmailMessageType, req.Language)
+	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetCtxData(ctx).OrgID, domain.VerifyEmailMessageType, req.Language, false)
 	if err != nil {
 		return nil, err
 	}
@ -157,7 +157,7 @@ func (s *Server) ResetCustomVerifyEmailMessageTextToDefault(ctx context.Context,
 }
 func (s *Server) GetCustomVerifyPhoneMessageText(ctx context.Context, req *mgmt_pb.GetCustomVerifyPhoneMessageTextRequest) (*mgmt_pb.GetCustomVerifyPhoneMessageTextResponse, error) {
-	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetCtxData(ctx).OrgID, domain.VerifyPhoneMessageType, req.Language)
+	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetCtxData(ctx).OrgID, domain.VerifyPhoneMessageType, req.Language, false)
 	if err != nil {
 		return nil, err
 	}
@ -205,7 +205,7 @@ func (s *Server) ResetCustomVerifyPhoneMessageTextToDefault(ctx context.Context,
 }
 func (s *Server) GetCustomDomainClaimedMessageText(ctx context.Context, req *mgmt_pb.GetCustomDomainClaimedMessageTextRequest) (*mgmt_pb.GetCustomDomainClaimedMessageTextResponse, error) {
-	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetCtxData(ctx).OrgID, domain.DomainClaimedMessageType, req.Language)
+	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetCtxData(ctx).OrgID, domain.DomainClaimedMessageType, req.Language, false)
 	if err != nil {
 		return nil, err
 	}
@ -253,7 +253,7 @@ func (s *Server) ResetCustomDomainClaimedMessageTextToDefault(ctx context.Contex
 }
 func (s *Server) GetCustomPasswordlessRegistrationMessageText(ctx context.Context, req *mgmt_pb.GetCustomPasswordlessRegistrationMessageTextRequest) (*mgmt_pb.GetCustomPasswordlessRegistrationMessageTextResponse, error) {
-	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetCtxData(ctx).OrgID, domain.PasswordlessRegistrationMessageType, req.Language)
+	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetCtxData(ctx).OrgID, domain.PasswordlessRegistrationMessageType, req.Language, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/flow.go
+++ b/internal/api/grpc/management/flow.go
@ -32,7 +32,7 @@ func (s *Server) ListFlowTriggerTypes(ctx context.Context, req *mgmt_pb.ListFlow
 }
 func (s *Server) GetFlow(ctx context.Context, req *mgmt_pb.GetFlowRequest) (*mgmt_pb.GetFlowResponse, error) {
-	flow, err := s.query.GetFlow(ctx, action_grpc.FlowTypeToDomain(req.Type), authz.GetCtxData(ctx).OrgID)
+	flow, err := s.query.GetFlow(ctx, action_grpc.FlowTypeToDomain(req.Type), authz.GetCtxData(ctx).OrgID, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/idp.go
+++ b/internal/api/grpc/management/idp.go
@ -11,7 +11,7 @@ import (
 )
 func (s *Server) GetOrgIDPByID(ctx context.Context, req *mgmt_pb.GetOrgIDPByIDRequest) (*mgmt_pb.GetOrgIDPByIDResponse, error) {
-	idp, err := s.query.IDPByIDAndResourceOwner(ctx, true, req.Id, authz.GetCtxData(ctx).OrgID)
+	idp, err := s.query.IDPByIDAndResourceOwner(ctx, true, req.Id, authz.GetCtxData(ctx).OrgID, false)
 	if err != nil {
 		return nil, err
 	}
@ -23,7 +23,7 @@ func (s *Server) ListOrgIDPs(ctx context.Context, req *mgmt_pb.ListOrgIDPsReques
 	if err != nil {
 		return nil, err
 	}
-	resp, err := s.query.IDPs(ctx, queries)
+	resp, err := s.query.IDPs(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
@ -80,7 +80,7 @@ func (s *Server) ReactivateOrgIDP(ctx context.Context, req *mgmt_pb.ReactivateOr
 }
 func (s *Server) RemoveOrgIDP(ctx context.Context, req *mgmt_pb.RemoveOrgIDPRequest) (*mgmt_pb.RemoveOrgIDPResponse, error) {
-	idp, err := s.query.IDPByIDAndResourceOwner(ctx, true, req.IdpId, authz.GetCtxData(ctx).OrgID)
+	idp, err := s.query.IDPByIDAndResourceOwner(ctx, true, req.IdpId, authz.GetCtxData(ctx).OrgID, true)
 	if err != nil {
 		return nil, err
 	}
@ -90,7 +90,7 @@ func (s *Server) RemoveOrgIDP(ctx context.Context, req *mgmt_pb.RemoveOrgIDPRequ
 	}
 	userLinks, err := s.query.IDPUserLinks(ctx, &query.IDPUserLinksSearchQuery{
 		Queries: []query.SearchQuery{idpQuery},
-	})
+	}, true)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/org.go
+++ b/internal/api/grpc/management/org.go
@ -100,8 +100,17 @@ func (s *Server) ReactivateOrg(ctx context.Context, req *mgmt_pb.ReactivateOrgRe
 	}, err
 }
 func (s *Server) RemoveOrg(ctx context.Context, req *mgmt_pb.RemoveOrgRequest) (*mgmt_pb.RemoveOrgResponse, error) {
 	details, err := s.command.RemoveOrg(ctx, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
 	return &mgmt_pb.RemoveOrgResponse{Details: object.DomainToChangeDetailsPb(details)}, nil
 }
 func (s *Server) GetDomainPolicy(ctx context.Context, req *mgmt_pb.GetDomainPolicyRequest) (*mgmt_pb.GetDomainPolicyResponse, error) {
-	policy, err := s.query.DomainPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.DomainPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID, false)
 	if err != nil {
 		return nil, err
 	}
@ -111,7 +120,7 @@ func (s *Server) GetDomainPolicy(ctx context.Context, req *mgmt_pb.GetDomainPoli
 }
 func (s *Server) GetOrgIAMPolicy(ctx context.Context, _ *mgmt_pb.GetOrgIAMPolicyRequest) (*mgmt_pb.GetOrgIAMPolicyResponse, error) {
-	policy, err := s.query.DomainPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.DomainPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID, false)
 	if err != nil {
 		return nil, err
 	}
@ -131,7 +140,7 @@ func (s *Server) ListOrgDomains(ctx context.Context, req *mgmt_pb.ListOrgDomains
 	}
 	queries.Queries = append(queries.Queries, orgIDQuery)
-	domains, err := s.query.SearchOrgDomains(ctx, queries)
+	domains, err := s.query.SearchOrgDomains(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
@ -227,7 +236,7 @@ func (s *Server) ListOrgMembers(ctx context.Context, req *mgmt_pb.ListOrgMembers
 	if err != nil {
 		return nil, err
 	}
-	members, err := s.query.OrgMembers(ctx, queries)
+	members, err := s.query.OrgMembers(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
@ -289,7 +298,7 @@ func (s *Server) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgDomain, or
 		}
 		queries = append(queries, owner)
 	}
-	users, err := s.query.SearchUsers(ctx, &query.UserSearchQueries{Queries: queries})
+	users, err := s.query.SearchUsers(ctx, &query.UserSearchQueries{Queries: queries}, false)
 	if err != nil {
 		return nil, err
 	}
@ -305,7 +314,7 @@ func (s *Server) ListOrgMetadata(ctx context.Context, req *mgmt_pb.ListOrgMetada
 	if err != nil {
 		return nil, err
 	}
-	res, err := s.query.SearchOrgMetadata(ctx, true, authz.GetCtxData(ctx).OrgID, metadataQueries)
+	res, err := s.query.SearchOrgMetadata(ctx, true, authz.GetCtxData(ctx).OrgID, metadataQueries, false)
 	if err != nil {
 		return nil, err
 	}
@ -316,7 +325,7 @@ func (s *Server) ListOrgMetadata(ctx context.Context, req *mgmt_pb.ListOrgMetada
 }
 func (s *Server) GetOrgMetadata(ctx context.Context, req *mgmt_pb.GetOrgMetadataRequest) (*mgmt_pb.GetOrgMetadataResponse, error) {
-	data, err := s.query.GetOrgMetadataByKey(ctx, true, authz.GetCtxData(ctx).OrgID, req.Key)
+	data, err := s.query.GetOrgMetadataByKey(ctx, true, authz.GetCtxData(ctx).OrgID, req.Key, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/policy_label.go
+++ b/internal/api/grpc/management/policy_label.go
@ -10,7 +10,7 @@ import (
 )
 func (s *Server) GetLabelPolicy(ctx context.Context, req *mgmt_pb.GetLabelPolicyRequest) (*mgmt_pb.GetLabelPolicyResponse, error) {
-	policy, err := s.query.ActiveLabelPolicyByOrg(ctx, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.ActiveLabelPolicyByOrg(ctx, authz.GetCtxData(ctx).OrgID, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/policy_lockout.go
+++ b/internal/api/grpc/management/policy_lockout.go
@ -10,7 +10,7 @@ import (
 )
 func (s *Server) GetLockoutPolicy(ctx context.Context, req *mgmt_pb.GetLockoutPolicyRequest) (*mgmt_pb.GetLockoutPolicyResponse, error) {
-	policy, err := s.query.LockoutPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.LockoutPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/policy_login.go
+++ b/internal/api/grpc/management/policy_login.go
@ -14,7 +14,7 @@ import (
 )
 func (s *Server) GetLoginPolicy(ctx context.Context, req *mgmt_pb.GetLoginPolicyRequest) (*mgmt_pb.GetLoginPolicyResponse, error) {
-	policy, err := s.query.LoginPolicyByID(ctx, true, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.LoginPolicyByID(ctx, true, authz.GetCtxData(ctx).OrgID, false)
 	if err != nil {
 		return nil, err
 	}
@ -68,7 +68,7 @@ func (s *Server) ResetLoginPolicyToDefault(ctx context.Context, req *mgmt_pb.Res
 }
 func (s *Server) ListLoginPolicyIDPs(ctx context.Context, req *mgmt_pb.ListLoginPolicyIDPsRequest) (*mgmt_pb.ListLoginPolicyIDPsResponse, error) {
-	res, err := s.query.IDPLoginPolicyLinks(ctx, authz.GetCtxData(ctx).OrgID, ListLoginPolicyIDPsRequestToQuery(req))
+	res, err := s.query.IDPLoginPolicyLinks(ctx, authz.GetCtxData(ctx).OrgID, ListLoginPolicyIDPsRequestToQuery(req), false)
 	if err != nil {
 		return nil, err
 	}
@ -99,7 +99,7 @@ func (s *Server) RemoveIDPFromLoginPolicy(ctx context.Context, req *mgmt_pb.Remo
 	}
 	userLinks, err := s.query.IDPUserLinks(ctx, &query.IDPUserLinksSearchQuery{
 		Queries: []query.SearchQuery{idpQuery},
-	})
+	}, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/policy_password_age.go
+++ b/internal/api/grpc/management/policy_password_age.go
@ -10,7 +10,7 @@ import (
 )
 func (s *Server) GetPasswordAgePolicy(ctx context.Context, req *mgmt_pb.GetPasswordAgePolicyRequest) (*mgmt_pb.GetPasswordAgePolicyResponse, error) {
-	policy, err := s.query.PasswordAgePolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.PasswordAgePolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/policy_password_complexity.go
+++ b/internal/api/grpc/management/policy_password_complexity.go
@ -10,7 +10,7 @@ import (
 )
 func (s *Server) GetPasswordComplexityPolicy(ctx context.Context, req *mgmt_pb.GetPasswordComplexityPolicyRequest) (*mgmt_pb.GetPasswordComplexityPolicyResponse, error) {
-	policy, err := s.query.PasswordComplexityPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.PasswordComplexityPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/policy_privacy.go
+++ b/internal/api/grpc/management/policy_privacy.go
@ -10,7 +10,7 @@ import (
 )
 func (s *Server) GetPrivacyPolicy(ctx context.Context, _ *mgmt_pb.GetPrivacyPolicyRequest) (*mgmt_pb.GetPrivacyPolicyResponse, error) {
-	policy, err := s.query.PrivacyPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID)
+	policy, err := s.query.PrivacyPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/project.go
+++ b/internal/api/grpc/management/project.go
@ -13,7 +13,7 @@ import (
 )
 func (s *Server) GetProjectByID(ctx context.Context, req *mgmt_pb.GetProjectByIDRequest) (*mgmt_pb.GetProjectByIDResponse, error) {
-	project, err := s.query.ProjectByID(ctx, true, req.Id)
+	project, err := s.query.ProjectByID(ctx, true, req.Id, false)
 	if err != nil {
 		return nil, err
 	}
@ -23,7 +23,7 @@ func (s *Server) GetProjectByID(ctx context.Context, req *mgmt_pb.GetProjectByID
 }
 func (s *Server) GetGrantedProjectByID(ctx context.Context, req *mgmt_pb.GetGrantedProjectByIDRequest) (*mgmt_pb.GetGrantedProjectByIDResponse, error) {
-	grant, err := s.query.ProjectGrantByID(ctx, true, req.GrantId)
+	grant, err := s.query.ProjectGrantByID(ctx, true, req.GrantId, false)
 	if err != nil {
 		return nil, err
 	}
@ -45,7 +45,7 @@ func (s *Server) ListProjects(ctx context.Context, req *mgmt_pb.ListProjectsRequ
 	if err != nil {
 		return nil, err
 	}
-	projects, err := s.query.SearchProjects(ctx, queries)
+	projects, err := s.query.SearchProjects(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
@ -79,7 +79,7 @@ func (s *Server) ListGrantedProjects(ctx context.Context, req *mgmt_pb.ListGrant
 	if err != nil {
 		return nil, err
 	}
-	projects, err := s.query.SearchProjectGrants(ctx, queries)
+	projects, err := s.query.SearchProjectGrants(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
@ -98,7 +98,7 @@ func (s *Server) ListGrantedProjectRoles(ctx context.Context, req *mgmt_pb.ListG
 	if err != nil {
 		return nil, err
 	}
-	roles, err := s.query.SearchGrantedProjectRoles(ctx, req.GrantId, authz.GetCtxData(ctx).OrgID, queries)
+	roles, err := s.query.SearchGrantedProjectRoles(ctx, req.GrantId, authz.GetCtxData(ctx).OrgID, queries, false)
 	if err != nil {
 		return nil, err
 	}
@ -172,7 +172,7 @@ func (s *Server) RemoveProject(ctx context.Context, req *mgmt_pb.RemoveProjectRe
 	}
 	grants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
 		Queries: []query.SearchQuery{projectQuery},
-	})
+	}, false)
 	if err != nil {
 		return nil, err
 	}
@ -198,7 +198,7 @@ func (s *Server) ListProjectRoles(ctx context.Context, req *mgmt_pb.ListProjectR
 	if err != nil {
 		return nil, err
 	}
-	roles, err := s.query.SearchProjectRoles(ctx, true, queries)
+	roles, err := s.query.SearchProjectRoles(ctx, true, queries, false)
 	if err != nil {
 		return nil, err
 	}
@ -257,12 +257,12 @@ func (s *Server) RemoveProjectRole(ctx context.Context, req *mgmt_pb.RemoveProje
 	}
 	userGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
 		Queries: []query.SearchQuery{projectQuery, rolesQuery},
-	})
+	}, false)
 	if err != nil {
 		return nil, err
 	}
-	projectGrants, err := s.query.SearchProjectGrantsByProjectIDAndRoleKey(ctx, req.ProjectId, req.RoleKey)
+	projectGrants, err := s.query.SearchProjectGrantsByProjectIDAndRoleKey(ctx, req.ProjectId, req.RoleKey, false)
 	if err != nil {
 		return nil, err
 	}
@ -288,7 +288,7 @@ func (s *Server) ListProjectMembers(ctx context.Context, req *mgmt_pb.ListProjec
 	if err != nil {
 		return nil, err
 	}
-	members, err := s.query.ProjectMembers(ctx, queries)
+	members, err := s.query.ProjectMembers(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/project_application.go
+++ b/internal/api/grpc/management/project_application.go
@ -14,7 +14,7 @@ import (
 )
 func (s *Server) GetAppByID(ctx context.Context, req *mgmt_pb.GetAppByIDRequest) (*mgmt_pb.GetAppByIDResponse, error) {
-	app, err := s.query.AppByProjectAndAppID(ctx, true, req.ProjectId, req.AppId)
+	app, err := s.query.AppByProjectAndAppID(ctx, true, req.ProjectId, req.AppId, false)
 	if err != nil {
 		return nil, err
 	}
@ -28,7 +28,7 @@ func (s *Server) ListApps(ctx context.Context, req *mgmt_pb.ListAppsRequest) (*m
 	if err != nil {
 		return nil, err
 	}
-	apps, err := s.query.SearchApps(ctx, queries)
+	apps, err := s.query.SearchApps(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
@ -228,7 +228,7 @@ func (s *Server) GetAppKey(ctx context.Context, req *mgmt_pb.GetAppKeyRequest) (
 	if err != nil {
 		return nil, err
 	}
-	key, err := s.query.GetAuthNKeyByID(ctx, true, req.KeyId, resourceOwner, aggregateID, objectID)
+	key, err := s.query.GetAuthNKeyByID(ctx, true, req.KeyId, false, resourceOwner, aggregateID, objectID)
 	if err != nil {
 		return nil, err
 	}
@ -242,7 +242,7 @@ func (s *Server) ListAppKeys(ctx context.Context, req *mgmt_pb.ListAppKeysReques
 	if err != nil {
 		return nil, err
 	}
-	keys, err := s.query.SearchAuthNKeys(ctx, queries)
+	keys, err := s.query.SearchAuthNKeys(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/project_grant.go
+++ b/internal/api/grpc/management/project_grant.go
@ -13,7 +13,7 @@ import (
 )
 func (s *Server) GetProjectGrantByID(ctx context.Context, req *mgmt_pb.GetProjectGrantByIDRequest) (*mgmt_pb.GetProjectGrantByIDResponse, error) {
-	grant, err := s.query.ProjectGrantByID(ctx, true, req.GrantId)
+	grant, err := s.query.ProjectGrantByID(ctx, true, req.GrantId, false)
 	if err != nil {
 		return nil, err
 	}
@ -31,7 +31,7 @@ func (s *Server) ListProjectGrants(ctx context.Context, req *mgmt_pb.ListProject
 	if err != nil {
 		return nil, err
 	}
-	grants, err := s.query.SearchProjectGrants(ctx, queries)
+	grants, err := s.query.SearchProjectGrants(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
@ -54,7 +54,7 @@ func (s *Server) ListAllProjectGrants(ctx context.Context, req *mgmt_pb.ListAllP
 	if err != nil {
 		return nil, err
 	}
-	grants, err := s.query.SearchProjectGrants(ctx, queries)
+	grants, err := s.query.SearchProjectGrants(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
@ -90,7 +90,7 @@ func (s *Server) UpdateProjectGrant(ctx context.Context, req *mgmt_pb.UpdateProj
 	}
 	grants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
 		Queries: []query.SearchQuery{projectQuery, grantQuery},
-	})
+	}, false)
 	if err != nil {
 		return nil, err
 	}
@ -138,7 +138,7 @@ func (s *Server) RemoveProjectGrant(ctx context.Context, req *mgmt_pb.RemoveProj
 	}
 	userGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
 		Queries: []query.SearchQuery{projectQuery, grantQuery},
-	})
+	}, true)
 	if err != nil {
 		return nil, err
 	}
@ -164,7 +164,7 @@ func (s *Server) ListProjectGrantMembers(ctx context.Context, req *mgmt_pb.ListP
 	if err != nil {
 		return nil, err
 	}
-	response, err := s.query.ProjectGrantMembers(ctx, queries)
+	response, err := s.query.ProjectGrantMembers(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/user.go
+++ b/internal/api/grpc/management/user.go
@ -30,7 +30,7 @@ func (s *Server) GetUserByID(ctx context.Context, req *mgmt_pb.GetUserByIDReques
 	if err != nil {
 		return nil, err
 	}
-	user, err := s.query.GetUserByID(ctx, true, req.Id, owner)
+	user, err := s.query.GetUserByID(ctx, true, req.Id, false, owner)
 	if err != nil {
 		return nil, err
 	}
@ -44,7 +44,7 @@ func (s *Server) GetUserByLoginNameGlobal(ctx context.Context, req *mgmt_pb.GetU
 	if err != nil {
 		return nil, err
 	}
-	user, err := s.query.GetUser(ctx, true, loginName)
+	user, err := s.query.GetUser(ctx, true, false, loginName)
 	if err != nil {
 		return nil, err
 	}
@ -63,7 +63,7 @@ func (s *Server) ListUsers(ctx context.Context, req *mgmt_pb.ListUsersRequest) (
 	if err != nil {
 		return nil, err
 	}
-	res, err := s.query.SearchUsers(ctx, queries)
+	res, err := s.query.SearchUsers(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
@ -86,14 +86,14 @@ func (s *Server) ListUserChanges(ctx context.Context, req *mgmt_pb.ListUserChang
 func (s *Server) IsUserUnique(ctx context.Context, req *mgmt_pb.IsUserUniqueRequest) (*mgmt_pb.IsUserUniqueResponse, error) {
 	orgID := authz.GetCtxData(ctx).OrgID
-	policy, err := s.query.DomainPolicyByOrg(ctx, true, orgID)
+	policy, err := s.query.DomainPolicyByOrg(ctx, true, orgID, false)
 	if err != nil {
 		return nil, err
 	}
 	if !policy.UserLoginMustBeDomain {
 		orgID = ""
 	}
-	unique, err := s.query.IsUserUnique(ctx, req.UserName, req.Email, orgID)
+	unique, err := s.query.IsUserUnique(ctx, req.UserName, req.Email, orgID, false)
 	if err != nil {
 		return nil, err
 	}
@ -111,7 +111,7 @@ func (s *Server) ListUserMetadata(ctx context.Context, req *mgmt_pb.ListUserMeta
 	if err != nil {
 		return nil, err
 	}
-	res, err := s.query.SearchUserMetadata(ctx, true, req.Id, metadataQueries)
+	res, err := s.query.SearchUserMetadata(ctx, true, req.Id, metadataQueries, false)
 	if err != nil {
 		return nil, err
 	}
@ -126,7 +126,7 @@ func (s *Server) GetUserMetadata(ctx context.Context, req *mgmt_pb.GetUserMetada
 	if err != nil {
 		return nil, err
 	}
-	data, err := s.query.GetUserMetadataByKey(ctx, true, req.Id, req.Key, owner)
+	data, err := s.query.GetUserMetadataByKey(ctx, true, req.Id, req.Key, false, owner)
 	if err != nil {
 		return nil, err
 	}
@ -323,27 +323,11 @@ func (s *Server) UnlockUser(ctx context.Context, req *mgmt_pb.UnlockUserRequest)
 }
 func (s *Server) RemoveUser(ctx context.Context, req *mgmt_pb.RemoveUserRequest) (*mgmt_pb.RemoveUserResponse, error) {
-	userGrantUserQuery, err := query.NewUserGrantUserIDSearchQuery(req.Id)
+	memberships, grants, err := s.removeUserDependencies(ctx, req.Id)
 	if err != nil {
 		return nil, err
 	}
-	grants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
+	objectDetails, err := s.command.RemoveUser(ctx, req.Id, authz.GetCtxData(ctx).OrgID, memberships, grants...)
 		Queries: []query.SearchQuery{userGrantUserQuery},
 	})
 	if err != nil {
 		return nil, err
 	}
 	membershipsUserQuery, err := query.NewMembershipUserIDQuery(req.Id)
 	if err != nil {
 		return nil, err
 	}
 	memberships, err := s.query.Memberships(ctx, &query.MembershipSearchQuery{
 		Queries: []query.SearchQuery{membershipsUserQuery},
 	})
 	if err != nil {
 		return nil, err
 	}
 	objectDetails, err := s.command.RemoveUser(ctx, req.Id, authz.GetCtxData(ctx).OrgID, cascadingMemberships(memberships.Memberships), userGrantsToIDs(grants.UserGrants)...)
 	if err != nil {
 		return nil, err
 	}
@ -352,6 +336,30 @@ func (s *Server) RemoveUser(ctx context.Context, req *mgmt_pb.RemoveUserRequest)
 	}, nil
 }
 func (s *Server) removeUserDependencies(ctx context.Context, userID string) ([]*command.CascadingMembership, []string, error) {
 	userGrantUserQuery, err := query.NewUserGrantUserIDSearchQuery(userID)
 	if err != nil {
 		return nil, nil, err
 	}
 	grants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{
 		Queries: []query.SearchQuery{userGrantUserQuery},
 	}, true)
 	if err != nil {
 		return nil, nil, err
 	}
 	membershipsUserQuery, err := query.NewMembershipUserIDQuery(userID)
 	if err != nil {
 		return nil, nil, err
 	}
 	memberships, err := s.query.Memberships(ctx, &query.MembershipSearchQuery{
 		Queries: []query.SearchQuery{membershipsUserQuery},
 	}, true)
 	if err != nil {
 		return nil, nil, err
 	}
 	return cascadingMemberships(memberships.Memberships), userGrantsToIDs(grants.UserGrants), nil
 }
 func (s *Server) UpdateUserName(ctx context.Context, req *mgmt_pb.UpdateUserNameRequest) (*mgmt_pb.UpdateUserNameResponse, error) {
 	objectDetails, err := s.command.ChangeUsername(ctx, authz.GetCtxData(ctx).OrgID, req.UserId, req.UserName)
 	if err != nil {
@ -367,7 +375,7 @@ func (s *Server) GetHumanProfile(ctx context.Context, req *mgmt_pb.GetHumanProfi
 	if err != nil {
 		return nil, err
 	}
-	profile, err := s.query.GetHumanProfile(ctx, req.UserId, owner)
+	profile, err := s.query.GetHumanProfile(ctx, req.UserId, false, owner)
 	if err != nil {
 		return nil, err
 	}
@ -401,7 +409,7 @@ func (s *Server) GetHumanEmail(ctx context.Context, req *mgmt_pb.GetHumanEmailRe
 	if err != nil {
 		return nil, err
 	}
-	email, err := s.query.GetHumanEmail(ctx, req.UserId, owner)
+	email, err := s.query.GetHumanEmail(ctx, req.UserId, false, owner)
 	if err != nil {
 		return nil, err
 	}
@ -467,7 +475,7 @@ func (s *Server) GetHumanPhone(ctx context.Context, req *mgmt_pb.GetHumanPhoneRe
 	if err != nil {
 		return nil, err
 	}
-	phone, err := s.query.GetHumanPhone(ctx, req.UserId, owner)
+	phone, err := s.query.GetHumanPhone(ctx, req.UserId, false, owner)
 	if err != nil {
 		return nil, err
 	}
@ -583,7 +591,7 @@ func (s *Server) ListHumanAuthFactors(ctx context.Context, req *mgmt_pb.ListHuma
 	if err != nil {
 		return nil, err
 	}
-	authMethods, err := s.query.SearchUserAuthMethods(ctx, query)
+	authMethods, err := s.query.SearchUserAuthMethods(ctx, query, false)
 	if err != nil {
 		return nil, err
 	}
@ -626,7 +634,7 @@ func (s *Server) ListHumanPasswordless(ctx context.Context, req *mgmt_pb.ListHum
 	if err != nil {
 		return nil, err
 	}
-	authMethods, err := s.query.SearchUserAuthMethods(ctx, query)
+	authMethods, err := s.query.SearchUserAuthMethods(ctx, query, false)
 	if err != nil {
 		return nil, err
 	}
@ -698,7 +706,7 @@ func (s *Server) GetMachineKeyByIDs(ctx context.Context, req *mgmt_pb.GetMachine
 	if err != nil {
 		return nil, err
 	}
-	key, err := s.query.GetAuthNKeyByID(ctx, true, req.KeyId, resourceOwner, aggregateID)
+	key, err := s.query.GetAuthNKeyByID(ctx, true, req.KeyId, false, resourceOwner, aggregateID)
 	if err != nil {
 		return nil, err
 	}
@ -712,7 +720,7 @@ func (s *Server) ListMachineKeys(ctx context.Context, req *mgmt_pb.ListMachineKe
 	if err != nil {
 		return nil, err
 	}
-	result, err := s.query.SearchAuthNKeys(ctx, query)
+	result, err := s.query.SearchAuthNKeys(ctx, query, false)
 	if err != nil {
 		return nil, err
 	}
@ -761,7 +769,7 @@ func (s *Server) GetPersonalAccessTokenByIDs(ctx context.Context, req *mgmt_pb.G
 	if err != nil {
 		return nil, err
 	}
-	token, err := s.query.PersonalAccessTokenByID(ctx, true, req.TokenId, resourceOwner, aggregateID)
+	token, err := s.query.PersonalAccessTokenByID(ctx, true, req.TokenId, false, resourceOwner, aggregateID)
 	if err != nil {
 		return nil, err
 	}
@ -775,7 +783,7 @@ func (s *Server) ListPersonalAccessTokens(ctx context.Context, req *mgmt_pb.List
 	if err != nil {
 		return nil, err
 	}
-	result, err := s.query.SearchPersonalAccessTokens(ctx, queries)
+	result, err := s.query.SearchPersonalAccessTokens(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
@ -821,7 +829,7 @@ func (s *Server) ListHumanLinkedIDPs(ctx context.Context, req *mgmt_pb.ListHuman
 	if err != nil {
 		return nil, err
 	}
-	res, err := s.query.IDPUserLinks(ctx, queries)
+	res, err := s.query.IDPUserLinks(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
@ -845,7 +853,7 @@ func (s *Server) ListUserMemberships(ctx context.Context, req *mgmt_pb.ListUserM
 	if err != nil {
 		return nil, err
 	}
-	response, err := s.query.Memberships(ctx, request)
+	response, err := s.query.Memberships(ctx, request, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/user_grant.go
+++ b/internal/api/grpc/management/user_grant.go
@ -19,7 +19,7 @@ func (s *Server) GetUserGrantByID(ctx context.Context, req *mgmt_pb.GetUserGrant
 	if err != nil {
 		return nil, err
 	}
-	grant, err := s.query.UserGrant(ctx, true, idQuery, ownerQuery)
+	grant, err := s.query.UserGrant(ctx, true, false, idQuery, ownerQuery)
 	if err != nil {
 		return nil, err
 	}
@ -33,7 +33,7 @@ func (s *Server) ListUserGrants(ctx context.Context, req *mgmt_pb.ListUserGrantR
 	if err != nil {
 		return nil, err
 	}
-	res, err := s.query.UserGrants(ctx, queries)
+	res, err := s.query.UserGrants(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/org/converter.go
+++ b/internal/api/grpc/org/converter.go
@ -99,6 +99,8 @@ func OrgStateToPb(state domain.OrgState) org_pb.OrgState {
 		return org_pb.OrgState_ORG_STATE_ACTIVE
 	case domain.OrgStateInactive:
 		return org_pb.OrgState_ORG_STATE_INACTIVE
 	case domain.OrgStateRemoved:
 		return org_pb.OrgState_ORG_STATE_REMOVED
 	default:
 		return org_pb.OrgState_ORG_STATE_UNSPECIFIED
 	}
--- a/internal/api/oidc/auth_request.go
+++ b/internal/api/oidc/auth_request.go
@ -209,11 +209,11 @@ func (o *OPStorage) assertProjectRoleScopes(ctx context.Context, clientID string
 			return scopes, nil
 		}
 	}
-	projectID, err := o.query.ProjectIDFromOIDCClientID(ctx, clientID)
+	projectID, err := o.query.ProjectIDFromOIDCClientID(ctx, clientID, false)
 	if err != nil {
 		return nil, errors.ThrowPreconditionFailed(nil, "OIDC-AEG4d", "Errors.Internal")
 	}
-	project, err := o.query.ProjectByID(ctx, false, projectID)
+	project, err := o.query.ProjectByID(ctx, false, projectID, false)
 	if err != nil {
 		return nil, errors.ThrowPreconditionFailed(nil, "OIDC-w4wIn", "Errors.Internal")
 	}
@ -224,7 +224,7 @@ func (o *OPStorage) assertProjectRoleScopes(ctx context.Context, clientID string
 	if err != nil {
 		return nil, errors.ThrowInternal(err, "OIDC-Cyc78", "Errors.Internal")
 	}
-	roles, err := o.query.SearchProjectRoles(ctx, true, &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectIDQuery}})
+	roles, err := o.query.SearchProjectRoles(ctx, true, &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectIDQuery}}, false)
 	if err != nil {
 		return nil, err
 	}
@ -236,7 +236,7 @@ func (o *OPStorage) assertProjectRoleScopes(ctx context.Context, clientID string
 func (o *OPStorage) assertClientScopesForPAT(ctx context.Context, token *model.TokenView, clientID string) error {
 	token.Audience = append(token.Audience, clientID)
-	projectID, err := o.query.ProjectIDFromClientID(ctx, clientID)
+	projectID, err := o.query.ProjectIDFromClientID(ctx, clientID, false)
 	if err != nil {
 		return errors.ThrowPreconditionFailed(nil, "OIDC-AEG4d", "Errors.Internal")
 	}
@ -244,7 +244,7 @@ func (o *OPStorage) assertClientScopesForPAT(ctx context.Context, token *model.T
 	if err != nil {
 		return errors.ThrowInternal(err, "OIDC-Cyc78", "Errors.Internal")
 	}
-	roles, err := o.query.SearchProjectRoles(ctx, true, &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectIDQuery}})
+	roles, err := o.query.SearchProjectRoles(ctx, true, &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectIDQuery}}, false)
 	if err != nil {
 		return err
 	}
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@ -39,7 +39,7 @@ const (
 func (o *OPStorage) GetClientByClientID(ctx context.Context, id string) (_ op.Client, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
-	client, err := o.query.AppByOIDCClientID(ctx, id)
+	client, err := o.query.AppByOIDCClientID(ctx, id, false)
 	if err != nil {
 		return nil, err
 	}
@ -50,7 +50,7 @@ func (o *OPStorage) GetClientByClientID(ctx context.Context, id string) (_ op.Cl
 	if err != nil {
 		return nil, errors.ThrowInternal(err, "OIDC-mPxqP", "Errors.Internal")
 	}
-	projectRoles, err := o.query.SearchProjectRoles(ctx, true, &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectIDQuery}})
+	projectRoles, err := o.query.SearchProjectRoles(ctx, true, &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectIDQuery}}, false)
 	if err != nil {
 		return nil, err
 	}
@ -74,7 +74,7 @@ func (o *OPStorage) GetKeyByIDAndUserID(ctx context.Context, keyID, userID strin
 func (o *OPStorage) GetKeyByIDAndIssuer(ctx context.Context, keyID, issuer string) (_ *jose.JSONWebKey, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
-	publicKeyData, err := o.query.GetAuthNKeyPublicKeyByIDAndIdentifier(ctx, keyID, issuer)
+	publicKeyData, err := o.query.GetAuthNKeyPublicKeyByIDAndIdentifier(ctx, keyID, issuer, false)
 	if err != nil {
 		return nil, err
 	}
@ -90,7 +90,7 @@ func (o *OPStorage) GetKeyByIDAndIssuer(ctx context.Context, keyID, issuer strin
 }
 func (o *OPStorage) ValidateJWTProfileScopes(ctx context.Context, subject string, scopes []string) ([]string, error) {
-	user, err := o.query.GetUserByID(ctx, true, subject)
+	user, err := o.query.GetUserByID(ctx, true, subject, false)
 	if err != nil {
 		return nil, err
 	}
@ -126,7 +126,7 @@ func (o *OPStorage) AuthorizeClientIDSecret(ctx context.Context, id string, secr
 		UserID: oidcCtx,
 		OrgID:  oidcCtx,
 	})
-	app, err := o.query.AppByClientID(ctx, id)
+	app, err := o.query.AppByClientID(ctx, id, false)
 	if err != nil {
 		return err
 	}
@ -144,7 +144,7 @@ func (o *OPStorage) SetUserinfoFromToken(ctx context.Context, userInfo oidc.User
 		return errors.ThrowPermissionDenied(nil, "OIDC-Dsfb2", "token is not valid or has expired")
 	}
 	if token.ApplicationID != "" {
-		app, err := o.query.AppByOIDCClientID(ctx, token.ApplicationID)
+		app, err := o.query.AppByOIDCClientID(ctx, token.ApplicationID, false)
 		if err != nil {
 			return err
 		}
@ -159,7 +159,7 @@ func (o *OPStorage) SetUserinfoFromScopes(ctx context.Context, userInfo oidc.Use
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 	if applicationID != "" {
-		app, err := o.query.AppByOIDCClientID(ctx, applicationID)
+		app, err := o.query.AppByOIDCClientID(ctx, applicationID, false)
 		if err != nil {
 			return err
 		}
@ -178,7 +178,7 @@ func (o *OPStorage) SetIntrospectionFromToken(ctx context.Context, introspection
 	if err != nil {
 		return errors.ThrowPermissionDenied(nil, "OIDC-Dsfb2", "token is not valid or has expired")
 	}
-	projectID, err := o.query.ProjectIDFromClientID(ctx, clientID)
+	projectID, err := o.query.ProjectIDFromClientID(ctx, clientID, false)
 	if err != nil {
 		return errors.ThrowPermissionDenied(nil, "OIDC-Adfg5", "client not found")
 	}
@ -212,7 +212,7 @@ func (o *OPStorage) SetIntrospectionFromToken(ctx context.Context, introspection
 func (o *OPStorage) setUserinfo(ctx context.Context, userInfo oidc.UserInfoSetter, userID, applicationID string, scopes []string) (err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
-	user, err := o.query.GetUserByID(ctx, true, userID)
+	user, err := o.query.GetUserByID(ctx, true, userID, false)
 	if err != nil {
 		return err
 	}
@ -299,7 +299,7 @@ func (o *OPStorage) setUserinfo(ctx context.Context, userInfo oidc.UserInfoSette
 }
 func (o *OPStorage) userinfoFlows(ctx context.Context, resourceOwner string, userInfo oidc.UserInfoSetter) error {
-	queriedActions, err := o.query.GetActiveActionsByFlowAndTriggerType(ctx, domain.FlowTypeCustomiseToken, domain.TriggerTypePreUserinfoCreation, resourceOwner)
+	queriedActions, err := o.query.GetActiveActionsByFlowAndTriggerType(ctx, domain.FlowTypeCustomiseToken, domain.TriggerTypePreUserinfoCreation, resourceOwner, false)
 	if err != nil {
 		return err
 	}
@ -319,6 +319,7 @@ func (o *OPStorage) userinfoFlows(ctx context.Context, resourceOwner string, use
 							true,
 							userInfo.GetSubject(),
 							&query.UserMetadataSearchQueries{Queries: []query.SearchQuery{resourceOwnerQuery}},
 							false,
 						)
 						if err != nil {
 							logging.WithError(err).Info("unable to get md in action")
@ -451,11 +452,11 @@ func (o *OPStorage) GetPrivateClaimsFromScopes(ctx context.Context, userID, clie
 }
 func (o *OPStorage) privateClaimsFlows(ctx context.Context, userID string, claims map[string]interface{}) (map[string]interface{}, error) {
-	user, err := o.query.GetUserByID(ctx, true, userID)
+	user, err := o.query.GetUserByID(ctx, true, userID, false)
 	if err != nil {
 		return nil, err
 	}
-	queriedActions, err := o.query.GetActiveActionsByFlowAndTriggerType(ctx, domain.FlowTypeCustomiseToken, domain.TriggerTypePreAccessTokenCreation, user.ResourceOwner)
+	queriedActions, err := o.query.GetActiveActionsByFlowAndTriggerType(ctx, domain.FlowTypeCustomiseToken, domain.TriggerTypePreAccessTokenCreation, user.ResourceOwner, false)
 	if err != nil {
 		return nil, err
 	}
@ -475,6 +476,7 @@ func (o *OPStorage) privateClaimsFlows(ctx context.Context, userID string, claim
 							true,
 							userID,
 							&query.UserMetadataSearchQueries{Queries: []query.SearchQuery{resourceOwnerQuery}},
 							false,
 						)
 						if err != nil {
 							logging.WithError(err).Info("unable to get md in action")
@ -554,7 +556,7 @@ func (o *OPStorage) privateClaimsFlows(ctx context.Context, userID string, claim
 }
 func (o *OPStorage) assertRoles(ctx context.Context, userID, applicationID string, requestedRoles []string) (map[string]map[string]string, error) {
-	projectID, err := o.query.ProjectIDFromClientID(ctx, applicationID)
+	projectID, err := o.query.ProjectIDFromClientID(ctx, applicationID, false)
 	if err != nil {
 		return nil, err
 	}
@ -568,7 +570,7 @@ func (o *OPStorage) assertRoles(ctx context.Context, userID, applicationID strin
 	}
 	grants, err := o.query.UserGrants(ctx, &query.UserGrantsQueries{
 		Queries: []query.SearchQuery{projectQuery, userIDQuery},
-	})
+	}, false)
 	if err != nil {
 		return nil, err
 	}
@ -582,7 +584,7 @@ func (o *OPStorage) assertRoles(ctx context.Context, userID, applicationID strin
 }
 func (o *OPStorage) assertUserMetaData(ctx context.Context, userID string) (map[string]string, error) {
-	metaData, err := o.query.SearchUserMetadata(ctx, true, userID, &query.UserMetadataSearchQueries{})
+	metaData, err := o.query.SearchUserMetadata(ctx, true, userID, &query.UserMetadataSearchQueries{}, false)
 	if err != nil {
 		return nil, err
 	}
@ -595,7 +597,7 @@ func (o *OPStorage) assertUserMetaData(ctx context.Context, userID string) (map[
 }
 func (o *OPStorage) assertUserResourceOwner(ctx context.Context, userID string) (map[string]string, error) {
-	user, err := o.query.GetUserByID(ctx, true, userID)
+	user, err := o.query.GetUserByID(ctx, true, userID, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/oidc/key.go
+++ b/internal/api/oidc/key.go
@ -92,6 +92,7 @@ func (o *OPStorage) KeySet(ctx context.Context) (keys []op.Key, err error) {
 func (o *OPStorage) SignatureAlgorithms(ctx context.Context) ([]jose.SignatureAlgorithm, error) {
 	key, err := o.SigningKey(ctx)
 	if err != nil {
 		logging.WithError(err).Warn("unable to fetch signing key")
 		return nil, err
 	}
 	return []jose.SignatureAlgorithm{key.SignatureAlgorithm()}, nil
--- a/internal/api/saml/storage.go
+++ b/internal/api/saml/storage.go
@ -49,7 +49,7 @@ type Storage struct {
 }
 func (p *Storage) GetEntityByID(ctx context.Context, entityID string) (*serviceprovider.ServiceProvider, error) {
-	app, err := p.query.AppBySAMLEntityID(ctx, entityID)
+	app, err := p.query.AppBySAMLEntityID(ctx, entityID, false)
 	if err != nil {
 		return nil, err
 	}
@ -63,7 +63,7 @@ func (p *Storage) GetEntityByID(ctx context.Context, entityID string) (*servicep
 }
 func (p *Storage) GetEntityIDByAppID(ctx context.Context, appID string) (string, error) {
-	app, err := p.query.AppByID(ctx, appID)
+	app, err := p.query.AppByID(ctx, appID, false)
 	if err != nil {
 		return "", err
 	}
@ -121,7 +121,7 @@ func (p *Storage) AuthRequestByID(ctx context.Context, id string) (_ models.Auth
 func (p *Storage) SetUserinfoWithUserID(ctx context.Context, userinfo models.AttributeSetter, userID string, attributes []int) (err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
-	user, err := p.query.GetUserByID(ctx, true, userID)
+	user, err := p.query.GetUserByID(ctx, true, userID, false)
 	if err != nil {
 		return err
 	}
@ -138,7 +138,7 @@ func (p *Storage) SetUserinfoWithLoginName(ctx context.Context, userinfo models.
 	if err != nil {
 		return err
 	}
-	user, err := p.query.GetUser(ctx, true, loginNameSQ)
+	user, err := p.query.GetUser(ctx, true, false, loginNameSQ)
 	if err != nil {
 		return err
 	}
--- a/internal/api/ui/login/custom_action.go
+++ b/internal/api/ui/login/custom_action.go
@ -25,7 +25,7 @@ func (l *Login) customExternalUserMapping(ctx context.Context, user *domain.Exte
 	if resourceOwner == instance.InstanceID() {
 		resourceOwner = instance.DefaultOrganisationID()
 	}
-	triggerActions, err := l.query.GetActiveActionsByFlowAndTriggerType(ctx, domain.FlowTypeExternalAuthentication, domain.TriggerTypePostAuthentication, resourceOwner)
+	triggerActions, err := l.query.GetActiveActionsByFlowAndTriggerType(ctx, domain.FlowTypeExternalAuthentication, domain.TriggerTypePostAuthentication, resourceOwner, false)
 	if err != nil {
 		return nil, err
 	}
@ -126,7 +126,7 @@ func (l *Login) customExternalUserMapping(ctx context.Context, user *domain.Exte
 }
 func (l *Login) customExternalUserToLoginUserMapping(ctx context.Context, user *domain.Human, tokens *oidc.Tokens, req *domain.AuthRequest, config *iam_model.IDPConfigView, metadata []*domain.Metadata, resourceOwner string) (*domain.Human, []*domain.Metadata, error) {
-	triggerActions, err := l.query.GetActiveActionsByFlowAndTriggerType(ctx, domain.FlowTypeExternalAuthentication, domain.TriggerTypePreCreation, resourceOwner)
+	triggerActions, err := l.query.GetActiveActionsByFlowAndTriggerType(ctx, domain.FlowTypeExternalAuthentication, domain.TriggerTypePreCreation, resourceOwner, false)
 	if err != nil {
 		return nil, nil, err
 	}
@ -230,7 +230,7 @@ func (l *Login) customExternalUserToLoginUserMapping(ctx context.Context, user *
 }
 func (l *Login) customGrants(ctx context.Context, userID string, tokens *oidc.Tokens, req *domain.AuthRequest, config *iam_model.IDPConfigView, resourceOwner string) ([]*domain.UserGrant, error) {
-	triggerActions, err := l.query.GetActiveActionsByFlowAndTriggerType(ctx, domain.FlowTypeExternalAuthentication, domain.TriggerTypePostCreation, resourceOwner)
+	triggerActions, err := l.query.GetActiveActionsByFlowAndTriggerType(ctx, domain.FlowTypeExternalAuthentication, domain.TriggerTypePostCreation, resourceOwner, false)
 	if err != nil {
 		return nil, err
 	}
@ -287,7 +287,7 @@ func (l *Login) customGrants(ctx context.Context, userID string, tokens *oidc.To
 			actions.SetFields("v1",
 				actions.SetFields("getUser", func(c *actions.FieldConfig) interface{} {
 					return func(call goja.FunctionCall) goja.Value {
-						user, err := l.query.GetUserByID(actionCtx, true, userID)
+						user, err := l.query.GetUserByID(actionCtx, true, userID, false)
 						if err != nil {
 							panic(err)
 						}
--- a/internal/api/ui/login/init_password_handler.go
+++ b/internal/api/ui/login/init_password_handler.go
@ -106,7 +106,7 @@ func (l *Login) resendPasswordSet(w http.ResponseWriter, r *http.Request, authRe
 		l.renderInitPassword(w, r, authReq, authReq.UserID, "", err)
 		return
 	}
-	user, err := l.query.GetUser(setContext(r.Context(), userOrg), false, loginName)
+	user, err := l.query.GetUser(setContext(r.Context(), userOrg), false, false, loginName)
 	if err != nil {
 		l.renderInitPassword(w, r, authReq, authReq.UserID, "", err)
 		return
@ -149,7 +149,7 @@ func (l *Login) renderInitPassword(w http.ResponseWriter, r *http.Request, authR
 		}
 	}
 	if authReq == nil {
-		user, err := l.query.GetUserByID(r.Context(), false, userID)
+		user, err := l.query.GetUserByID(r.Context(), false, userID, false)
 		if err == nil {
 			l.customTexts(r.Context(), translator, user.ResourceOwner)
 		}
--- a/internal/api/ui/login/init_user_handler.go
+++ b/internal/api/ui/login/init_user_handler.go
@ -142,7 +142,7 @@ func (l *Login) renderInitUser(w http.ResponseWriter, r *http.Request, authReq *
 		}
 	}
 	if authReq == nil {
-		user, err := l.query.GetUserByID(r.Context(), false, userID)
+		user, err := l.query.GetUserByID(r.Context(), false, userID, false)
 		if err == nil {
 			l.customTexts(r.Context(), translator, user.ResourceOwner)
 		}
--- a/internal/api/ui/login/login.go
+++ b/internal/api/ui/login/login.go
@ -152,7 +152,7 @@ func (l *Login) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgName string
 	if err != nil {
 		return nil, err
 	}
-	users, err := l.query.SearchUsers(ctx, &query.UserSearchQueries{Queries: []query.SearchQuery{loginName}})
+	users, err := l.query.SearchUsers(ctx, &query.UserSearchQueries{Queries: []query.SearchQuery{loginName}}, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/ui/login/mail_verify_handler.go
+++ b/internal/api/ui/login/mail_verify_handler.go
@ -100,7 +100,7 @@ func (l *Login) renderMailVerification(w http.ResponseWriter, r *http.Request, a
 		profileData: l.getProfileData(authReq),
 	}
 	if authReq == nil {
-		user, err := l.query.GetUserByID(r.Context(), false, userID)
+		user, err := l.query.GetUserByID(r.Context(), false, userID, false)
 		if err == nil {
 			l.customTexts(r.Context(), translator, user.ResourceOwner)
 		}
--- a/internal/api/ui/login/password_complexity_policy_handler.go
+++ b/internal/api/ui/login/password_complexity_policy_handler.go
@ -22,7 +22,7 @@ func (l *Login) getPasswordComplexityPolicy(r *http.Request, orgID string) *iam_
 }
 func (l *Login) getPasswordComplexityPolicyByUserID(r *http.Request, userID string) *iam_model.PasswordComplexityPolicyView {
-	user, err := l.query.GetUserByID(r.Context(), false, userID)
+	user, err := l.query.GetUserByID(r.Context(), false, userID, false)
 	if err != nil {
 		logging.WithFields("userID", userID).OnError(err).Error("could not load user for password complexity policy")
 		return nil
--- a/internal/api/ui/login/password_reset_handler.go
+++ b/internal/api/ui/login/password_reset_handler.go
@ -23,7 +23,7 @@ func (l *Login) handlePasswordReset(w http.ResponseWriter, r *http.Request) {
 		l.renderInitPassword(w, r, authReq, authReq.UserID, "", err)
 		return
 	}
-	user, err := l.query.GetUser(setContext(r.Context(), authReq.UserOrgID), true, loginName)
+	user, err := l.query.GetUser(setContext(r.Context(), authReq.UserOrgID), true, false, loginName)
 	if err != nil {
 		l.renderPasswordResetDone(w, r, authReq, err)
 		return
--- a/internal/api/ui/login/passwordless_registration_handler.go
+++ b/internal/api/ui/login/passwordless_registration_handler.go
@ -114,7 +114,7 @@ func (l *Login) renderPasswordlessRegistration(w http.ResponseWriter, r *http.Re
 		disabled,
 	}
 	if authReq == nil {
-		policy, err := l.query.ActiveLabelPolicyByOrg(r.Context(), orgID)
+		policy, err := l.query.ActiveLabelPolicyByOrg(r.Context(), orgID, false)
 		logging.Log("HANDL-XjWKE").OnError(err).Error("unable to get active label policy")
 		data.LabelPolicy = labelPolicyToDomain(policy)
--- a/internal/api/ui/login/policy_handler.go
+++ b/internal/api/ui/login/policy_handler.go
@ -15,7 +15,7 @@ func (l *Login) getOrgDomainPolicy(r *http.Request, orgID string) (*query.Domain
 	if orgID == "" {
 		return l.query.DefaultDomainPolicy(r.Context())
 	}
-	return l.query.DomainPolicyByOrg(r.Context(), false, orgID)
+	return l.query.DomainPolicyByOrg(r.Context(), false, orgID, false)
 }
 func (l *Login) getIDPConfigByID(r *http.Request, idpConfigID string) (*iam_model.IDPConfigView, error) {
@ -26,12 +26,12 @@ func (l *Login) getLoginPolicy(r *http.Request, orgID string) (*query.LoginPolic
 	if orgID == "" {
 		return l.query.DefaultLoginPolicy(r.Context())
 	}
-	return l.query.LoginPolicyByID(r.Context(), false, orgID)
+	return l.query.LoginPolicyByID(r.Context(), false, orgID, false)
 }
 func (l *Login) getLabelPolicy(r *http.Request, orgID string) (*query.LabelPolicy, error) {
 	if orgID == "" {
 		return l.query.DefaultActiveLabelPolicy(r.Context())
 	}
-	return l.query.ActiveLabelPolicyByOrg(r.Context(), orgID)
+	return l.query.ActiveLabelPolicyByOrg(r.Context(), orgID, false)
 }
--- a/internal/api/ui/login/register_option_handler.go
+++ b/internal/api/ui/login/register_option_handler.go
@ -109,7 +109,7 @@ func (l *Login) passLoginHintToRegistration(r *http.Request, authReq *domain.Aut
 		logging.WithFields("authRequest", authReq.ID, "org", authReq.RequestedOrgID).Error("unable to search query for registration loginHint")
 		return data
 	}
-	domains, err := l.query.SearchOrgDomains(r.Context(), &query.OrgDomainSearchQueries{Queries: []query.SearchQuery{searchQuery}})
+	domains, err := l.query.SearchOrgDomains(r.Context(), &query.OrgDomainSearchQueries{Queries: []query.SearchQuery{searchQuery}}, false)
 	if err != nil {
 		logging.WithFields("authRequest", authReq.ID, "org", authReq.RequestedOrgID).Error("unable to load domains for registration loginHint")
 		return data
--- a/internal/api/ui/login/renderer.go
+++ b/internal/api/ui/login/renderer.go
@ -384,7 +384,7 @@ func (l *Login) getBaseData(r *http.Request, authReq *domain.AuthRequest, titleI
 		}
 		privacyPolicy = authReq.PrivacyPolicy
 	} else {
-		labelPolicy, _ := l.query.ActiveLabelPolicyByOrg(r.Context(), baseData.PrivateLabelingOrgID)
+		labelPolicy, _ := l.query.ActiveLabelPolicyByOrg(r.Context(), baseData.PrivateLabelingOrgID, false)
 		if labelPolicy != nil {
 			baseData.LabelPolicy = labelPolicy.ToDomain()
 		}
@ -549,7 +549,7 @@ func (l *Login) addLoginTranslations(translator *i18n.Translator, customTexts []
 func (l *Login) customTexts(ctx context.Context, translator *i18n.Translator, orgID string) {
 	instanceID := authz.GetInstance(ctx).InstanceID()
-	instanceTexts, err := l.query.CustomTextListByTemplate(ctx, instanceID, domain.LoginCustomText)
+	instanceTexts, err := l.query.CustomTextListByTemplate(ctx, instanceID, domain.LoginCustomText, false)
 	if err != nil {
 		logging.WithFields("instanceID", instanceID).Warn("unable to load custom texts for instance")
 		return
@ -558,7 +558,7 @@ func (l *Login) customTexts(ctx context.Context, translator *i18n.Translator, or
 	if orgID == "" {
 		return
 	}
-	orgTexts, err := l.query.CustomTextListByTemplate(ctx, orgID, domain.LoginCustomText)
+	orgTexts, err := l.query.CustomTextListByTemplate(ctx, orgID, domain.LoginCustomText, false)
 	if err != nil {
 		logging.WithFields("instanceID", instanceID, "org", orgID).Warn("unable to load custom texts for org")
 		return
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
@ -57,11 +57,11 @@ type AuthRequestRepo struct {
 }
 type labelPolicyProvider interface {
-	ActiveLabelPolicyByOrg(context.Context, string) (*query.LabelPolicy, error)
+	ActiveLabelPolicyByOrg(context.Context, string, bool) (*query.LabelPolicy, error)
 }
 type privacyPolicyProvider interface {
-	PrivacyPolicyByOrg(context.Context, bool, string) (*query.PrivacyPolicy, error)
+	PrivacyPolicyByOrg(context.Context, bool, string, bool) (*query.PrivacyPolicy, error)
 }
 type userSessionViewProvider interface {
@ -73,11 +73,11 @@ type userViewProvider interface {
 }
 type loginPolicyViewProvider interface {
-	LoginPolicyByID(context.Context, bool, string) (*query.LoginPolicy, error)
+	LoginPolicyByID(context.Context, bool, string, bool) (*query.LoginPolicy, error)
 }
 type lockoutPolicyViewProvider interface {
-	LockoutPolicyByOrg(context.Context, bool, string) (*query.LockoutPolicy, error)
+	LockoutPolicyByOrg(context.Context, bool, string, bool) (*query.LockoutPolicy, error)
 }
 type idpProviderViewProvider interface {
@ -85,7 +85,7 @@ type idpProviderViewProvider interface {
 }
 type idpUserLinksProvider interface {
-	IDPUserLinks(ctx context.Context, queries *query.IDPUserLinksSearchQuery) (*query.IDPUserLinks, error)
+	IDPUserLinks(ctx context.Context, queries *query.IDPUserLinksSearchQuery, withOwnerRemoved bool) (*query.IDPUserLinks, error)
 }
 type userEventProvider interface {
@ -102,17 +102,17 @@ type orgViewProvider interface {
 }
 type userGrantProvider interface {
-	ProjectByClientID(context.Context, string) (*query.Project, error)
+	ProjectByClientID(context.Context, string, bool) (*query.Project, error)
 	UserGrantsByProjectAndUserID(context.Context, string, string) ([]*query.UserGrant, error)
 }
 type projectProvider interface {
-	ProjectByClientID(context.Context, string) (*query.Project, error)
+	ProjectByClientID(context.Context, string, bool) (*query.Project, error)
 	OrgProjectMappingByIDs(orgID, projectID, instanceID string) (*project_view_model.OrgProjectMapping, error)
 }
 type applicationProvider interface {
-	AppByOIDCClientID(context.Context, string) (*query.App, error)
+	AppByOIDCClientID(context.Context, string, bool) (*query.App, error)
 }
 func (repo *AuthRequestRepo) Health(ctx context.Context) error {
@ -127,7 +127,7 @@ func (repo *AuthRequestRepo) CreateAuthRequest(ctx context.Context, request *dom
 		return nil, err
 	}
 	request.ID = reqID
-	project, err := repo.ProjectProvider.ProjectByClientID(ctx, request.ApplicationID)
+	project, err := repo.ProjectProvider.ProjectByClientID(ctx, request.ApplicationID, false)
 	if err != nil {
 		return nil, err
 	}
@ -135,7 +135,7 @@ func (repo *AuthRequestRepo) CreateAuthRequest(ctx context.Context, request *dom
 	if err != nil {
 		return nil, err
 	}
-	appIDs, err := repo.Query.SearchClientIDs(ctx, &query.AppSearchQueries{Queries: []query.SearchQuery{projectIDQuery}})
+	appIDs, err := repo.Query.SearchClientIDs(ctx, &query.AppSearchQueries{Queries: []query.SearchQuery{projectIDQuery}}, false)
 	if err != nil {
 		return nil, err
 	}
@ -547,7 +547,7 @@ func (repo *AuthRequestRepo) getAuthRequest(ctx context.Context, id, userAgentID
 }
 func (repo *AuthRequestRepo) getLoginPolicyAndIDPProviders(ctx context.Context, orgID string) (*query.LoginPolicy, []*domain.IDPProvider, error) {
-	policy, err := repo.LoginPolicyViewProvider.LoginPolicyByID(ctx, false, orgID)
+	policy, err := repo.LoginPolicyViewProvider.LoginPolicyByID(ctx, false, orgID, false)
 	if err != nil {
 		return nil, nil, err
 	}
@ -710,7 +710,7 @@ func (repo *AuthRequestRepo) checkDomainDiscovery(ctx context.Context, request *
 		return false
 	}
 	// and if the login policy allows domain discovery
-	policy, err := repo.Query.LoginPolicyByID(ctx, true, org.ID)
+	policy, err := repo.Query.LoginPolicyByID(ctx, true, org.ID, false)
 	if err != nil || !policy.AllowDomainDiscovery {
 		return false
 	}
@ -997,7 +997,7 @@ func checkExternalIDPsOfUser(ctx context.Context, idpUserLinksProvider idpUserLi
 	if err != nil {
 		return nil, err
 	}
-	return idpUserLinksProvider.IDPUserLinks(ctx, &query.IDPUserLinksSearchQuery{Queries: []query.SearchQuery{userIDQuery}})
+	return idpUserLinksProvider.IDPUserLinks(ctx, &query.IDPUserLinksSearchQuery{Queries: []query.SearchQuery{userIDQuery}}, false)
 }
 func (repo *AuthRequestRepo) usersForUserSelection(request *domain.AuthRequest) ([]domain.UserSelection, error) {
@ -1113,7 +1113,7 @@ func (repo *AuthRequestRepo) mfaSkippedOrSetUp(user *user_model.UserView, reques
 }
 func (repo *AuthRequestRepo) GetPrivacyPolicy(ctx context.Context, orgID string) (*domain.PrivacyPolicy, error) {
-	policy, err := repo.PrivacyPolicyProvider.PrivacyPolicyByOrg(ctx, false, orgID)
+	policy, err := repo.PrivacyPolicyProvider.PrivacyPolicyByOrg(ctx, false, orgID, false)
 	if errors.IsNotFound(err) {
 		return new(domain.PrivacyPolicy), nil
 	}
@ -1141,7 +1141,7 @@ func privacyPolicyToDomain(p *query.PrivacyPolicy) *domain.PrivacyPolicy {
 }
 func (repo *AuthRequestRepo) getLockoutPolicy(ctx context.Context, orgID string) (*query.LockoutPolicy, error) {
-	policy, err := repo.LockoutPolicyViewProvider.LockoutPolicyByOrg(ctx, false, orgID)
+	policy, err := repo.LockoutPolicyViewProvider.LockoutPolicyByOrg(ctx, false, orgID, false)
 	if err != nil {
 		return nil, err
 	}
@ -1149,7 +1149,7 @@ func (repo *AuthRequestRepo) getLockoutPolicy(ctx context.Context, orgID string)
 }
 func (repo *AuthRequestRepo) getLabelPolicy(ctx context.Context, orgID string) (*domain.LabelPolicy, error) {
-	policy, err := repo.LabelPolicyProvider.ActiveLabelPolicyByOrg(ctx, orgID)
+	policy, err := repo.LabelPolicyProvider.ActiveLabelPolicyByOrg(ctx, orgID, false)
 	if err != nil {
 		return nil, err
 	}
@ -1187,7 +1187,7 @@ func labelPolicyToDomain(p *query.LabelPolicy) *domain.LabelPolicy {
 }
 func (repo *AuthRequestRepo) getLoginTexts(ctx context.Context, aggregateID string) ([]*domain.CustomText, error) {
-	loginTexts, err := repo.Query.CustomTextListByTemplate(ctx, aggregateID, domain.LoginCustomText)
+	loginTexts, err := repo.Query.CustomTextListByTemplate(ctx, aggregateID, domain.LoginCustomText, false)
 	if err != nil {
 		return nil, err
 	}
@ -1198,7 +1198,7 @@ func (repo *AuthRequestRepo) hasSucceededPage(ctx context.Context, request *doma
 	if _, ok := request.Request.(*domain.AuthRequestOIDC); !ok {
 		return false, nil
 	}
-	app, err := provider.AppByOIDCClientID(ctx, request.ApplicationID)
+	app, err := provider.AppByOIDCClientID(ctx, request.ApplicationID, false)
 	if err != nil {
 		return false, err
 	}
@ -1206,7 +1206,7 @@ func (repo *AuthRequestRepo) hasSucceededPage(ctx context.Context, request *doma
 }
 func (repo *AuthRequestRepo) getDomainPolicy(ctx context.Context, orgID string) (*query.DomainPolicy, error) {
-	return repo.Query.DomainPolicyByOrg(ctx, false, orgID)
+	return repo.Query.DomainPolicyByOrg(ctx, false, orgID, false)
 }
 func setOrgID(ctx context.Context, orgViewProvider orgViewProvider, request *domain.AuthRequest) error {
@ -1420,7 +1420,7 @@ func userGrantRequired(ctx context.Context, request *domain.AuthRequest, user *u
 	var project *query.Project
 	switch request.Request.Type() {
 	case domain.AuthRequestTypeOIDC, domain.AuthRequestTypeSAML:
-		project, err = userGrantProvider.ProjectByClientID(ctx, request.ApplicationID)
+		project, err = userGrantProvider.ProjectByClientID(ctx, request.ApplicationID, false)
 		if err != nil {
 			return false, err
 		}
@ -1441,7 +1441,7 @@ func projectRequired(ctx context.Context, request *domain.AuthRequest, projectPr
 	var project *query.Project
 	switch request.Request.Type() {
 	case domain.AuthRequestTypeOIDC, domain.AuthRequestTypeSAML:
-		project, err = projectProvider.ProjectByClientID(ctx, request.ApplicationID)
+		project, err = projectProvider.ProjectByClientID(ctx, request.ApplicationID, false)
 		if err != nil {
 			return false, err
 		}
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
@ -132,7 +132,7 @@ type mockLoginPolicy struct {
 	policy *query.LoginPolicy
 }
-func (m *mockLoginPolicy) LoginPolicyByID(ctx context.Context, _ bool, id string) (*query.LoginPolicy, error) {
+func (m *mockLoginPolicy) LoginPolicyByID(ctx context.Context, _ bool, id string, _ bool) (*query.LoginPolicy, error) {
 	return m.policy, nil
 }
@ -140,7 +140,7 @@ type mockLockoutPolicy struct {
 	policy *query.LockoutPolicy
 }
-func (m *mockLockoutPolicy) LockoutPolicyByOrg(context.Context, bool, string) (*query.LockoutPolicy, error) {
+func (m *mockLockoutPolicy) LockoutPolicyByOrg(context.Context, bool, string, bool) (*query.LockoutPolicy, error) {
 	return m.policy, nil
 }
@ -195,7 +195,7 @@ type mockUserGrants struct {
 	userGrants int
 }
-func (m *mockUserGrants) ProjectByClientID(ctx context.Context, s string) (*query.Project, error) {
+func (m *mockUserGrants) ProjectByClientID(ctx context.Context, s string, _ bool) (*query.Project, error) {
 	return &query.Project{ProjectRoleCheck: m.roleCheck}, nil
 }
@ -212,7 +212,7 @@ type mockProject struct {
 	projectCheck bool
 }
-func (m *mockProject) ProjectByClientID(ctx context.Context, s string) (*query.Project, error) {
+func (m *mockProject) ProjectByClientID(ctx context.Context, s string, _ bool) (*query.Project, error) {
 	return &query.Project{HasProjectCheck: m.projectCheck}, nil
 }
@ -227,7 +227,7 @@ type mockApp struct {
 	app *query.App
 }
-func (m *mockApp) AppByOIDCClientID(ctx context.Context, id string) (*query.App, error) {
+func (m *mockApp) AppByOIDCClientID(ctx context.Context, id string, _ bool) (*query.App, error) {
 	if m.app != nil {
 		return m.app, nil
 	}
@ -238,7 +238,7 @@ type mockIDPUserLinks struct {
 	idps []*query.IDPUserLink
 }
-func (m *mockIDPUserLinks) IDPUserLinks(ctx context.Context, queries *query.IDPUserLinksSearchQuery) (*query.IDPUserLinks, error) {
+func (m *mockIDPUserLinks) IDPUserLinks(ctx context.Context, queries *query.IDPUserLinksSearchQuery, withOwnerRemoved bool) (*query.IDPUserLinks, error) {
 	return &query.IDPUserLinks{Links: m.idps}, nil
 }
--- a/internal/auth/repository/eventsourcing/eventstore/org.go
+++ b/internal/auth/repository/eventsourcing/eventstore/org.go
@ -31,7 +31,7 @@ func (repo *OrgRepository) GetIDPConfigByID(ctx context.Context, idpConfigID str
 }
 func (repo *OrgRepository) GetMyPasswordComplexityPolicy(ctx context.Context) (*iam_model.PasswordComplexityPolicyView, error) {
-	policy, err := repo.Query.PasswordComplexityPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID)
+	policy, err := repo.Query.PasswordComplexityPolicyByOrg(ctx, true, authz.GetCtxData(ctx).OrgID, false)
 	if err != nil {
 		return nil, err
 	}
@ -39,11 +39,11 @@ func (repo *OrgRepository) GetMyPasswordComplexityPolicy(ctx context.Context) (*
 }
 func (repo *OrgRepository) GetLoginText(ctx context.Context, orgID string) ([]*domain.CustomText, error) {
-	loginTexts, err := repo.Query.CustomTextListByTemplate(ctx, authz.GetInstance(ctx).InstanceID(), domain.LoginCustomText)
+	loginTexts, err := repo.Query.CustomTextListByTemplate(ctx, authz.GetInstance(ctx).InstanceID(), domain.LoginCustomText, false)
 	if err != nil {
 		return nil, err
 	}
-	orgLoginTexts, err := repo.Query.CustomTextListByTemplate(ctx, orgID, domain.LoginCustomText)
+	orgLoginTexts, err := repo.Query.CustomTextListByTemplate(ctx, orgID, domain.LoginCustomText, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/auth/repository/eventsourcing/handler/idp_config.go
+++ b/internal/auth/repository/eventsourcing/handler/idp_config.go
@ -17,7 +17,7 @@ import (
 )
 const (
-	idpConfigTable = "auth.idp_configs"
+	idpConfigTable = "auth.idp_configs2"
 )
 type IDPConfig struct {
@ -121,6 +121,8 @@ func (i *IDPConfig) processIdpConfig(providerType iam_model.IDPProviderType, eve
 		return i.view.DeleteIDPConfig(idp.IDPConfigID, event)
 	case instance.InstanceRemovedEventType:
 		return i.view.DeleteInstanceIDPs(event)
 	case org.OrgRemovedEventType:
 		return i.view.UpdateOrgOwnerRemovedIDPs(event)
 	default:
 		return i.view.ProcessedIDPConfigSequence(event)
 	}
--- a/internal/auth/repository/eventsourcing/handler/idp_providers.go
+++ b/internal/auth/repository/eventsourcing/handler/idp_providers.go
@ -21,7 +21,7 @@ import (
 )
 const (
-	idpProviderTable = "auth.idp_providers"
+	idpProviderTable = "auth.idp_providers2"
 )
 type IDPProvider struct {
@ -140,7 +140,9 @@ func (i *IDPProvider) processIdpProvider(event *models.Event) (err error) {
 	case org.LoginPolicyRemovedEventType:
 		return i.view.DeleteIDPProvidersByAggregateID(event.AggregateID, event.InstanceID, event)
 	case instance.InstanceRemovedEventType:
-		return i.view.DeleteInstanceIDPs(event)
+		return i.view.DeleteInstanceIDPProviders(event)
 	case org.OrgRemovedEventType:
 		return i.view.UpdateOrgOwnerRemovedIDPProviders(event)
 	default:
 		return i.view.ProcessedIDPProviderSequence(event)
 	}
@ -194,9 +196,9 @@ func (i *IDPProvider) OnSuccess(instanceIDs []string) error {
 }
 func (i *IDPProvider) getOrgIDPConfig(instanceID, aggregateID, idpConfigID string) (*query2.IDP, error) {
-	return i.queries.IDPByIDAndResourceOwner(withInstanceID(context.Background(), instanceID), false, idpConfigID, aggregateID)
+	return i.queries.IDPByIDAndResourceOwner(withInstanceID(context.Background(), instanceID), false, idpConfigID, aggregateID, false)
 }
 func (i *IDPProvider) getDefaultIDPConfig(instanceID, idpConfigID string) (*query2.IDP, error) {
-	return i.queries.IDPByIDAndResourceOwner(withInstanceID(context.Background(), instanceID), false, idpConfigID, instanceID)
+	return i.queries.IDPByIDAndResourceOwner(withInstanceID(context.Background(), instanceID), false, idpConfigID, instanceID, false)
 }
--- a/internal/auth/repository/eventsourcing/handler/org_project_mapping.go
+++ b/internal/auth/repository/eventsourcing/handler/org_project_mapping.go
@ -12,11 +12,12 @@ import (
 	"github.com/zitadel/zitadel/internal/eventstore/v1/spooler"
 	view_model "github.com/zitadel/zitadel/internal/project/repository/view/model"
 	"github.com/zitadel/zitadel/internal/repository/instance"
 	"github.com/zitadel/zitadel/internal/repository/org"
 	"github.com/zitadel/zitadel/internal/repository/project"
 )
 const (
-	orgProjectMappingTable = "auth.org_project_mapping"
+	orgProjectMappingTable = "auth.org_project_mapping2"
 )
 type OrgProjectMapping struct {
@ -108,6 +109,8 @@ func (p *OrgProjectMapping) Reduce(event *es_models.Event) (err error) {
 		}
 	case instance.InstanceRemovedEventType:
 		return p.view.DeleteInstanceOrgProjectMappings(event)
 	case org.OrgRemovedEventType:
 		return p.view.UpdateOwnerRemovedOrgProjectMappings(event)
 	default:
 		return p.view.ProcessedOrgProjectMappingSequence(event)
 	}
--- a/internal/auth/repository/eventsourcing/handler/refresh_token.go
+++ b/internal/auth/repository/eventsourcing/handler/refresh_token.go
@ -13,6 +13,7 @@ import (
 	"github.com/zitadel/zitadel/internal/eventstore/v1/query"
 	"github.com/zitadel/zitadel/internal/eventstore/v1/spooler"
 	"github.com/zitadel/zitadel/internal/repository/instance"
 	"github.com/zitadel/zitadel/internal/repository/org"
 	"github.com/zitadel/zitadel/internal/repository/project"
 	"github.com/zitadel/zitadel/internal/repository/user"
 	view_model "github.com/zitadel/zitadel/internal/user/repository/view/model"
@ -114,6 +115,8 @@ func (t *RefreshToken) Reduce(event *es_models.Event) (err error) {
 		return t.view.DeleteUserRefreshTokens(event.AggregateID, event.InstanceID, event)
 	case instance.InstanceRemovedEventType:
 		return t.view.DeleteInstanceRefreshTokens(event)
 	case org.OrgRemovedEventType:
 		return t.view.DeleteOrgRefreshTokens(event)
 	default:
 		return t.view.ProcessedRefreshTokenSequence(event)
 	}
--- a/internal/auth/repository/eventsourcing/handler/token.go
+++ b/internal/auth/repository/eventsourcing/handler/token.go
@ -17,6 +17,7 @@ import (
 	project_es_model "github.com/zitadel/zitadel/internal/project/repository/eventsourcing/model"
 	proj_view "github.com/zitadel/zitadel/internal/project/repository/view"
 	"github.com/zitadel/zitadel/internal/repository/instance"
 	"github.com/zitadel/zitadel/internal/repository/org"
 	"github.com/zitadel/zitadel/internal/repository/project"
 	"github.com/zitadel/zitadel/internal/repository/user"
 	user_repo "github.com/zitadel/zitadel/internal/repository/user"
@ -151,6 +152,11 @@ func (t *Token) Reduce(event *es_models.Event) (err error) {
 		return t.view.DeleteApplicationTokens(event, applicationsIDs...)
 	case instance.InstanceRemovedEventType:
 		return t.view.DeleteInstanceTokens(event)
 	case org.OrgRemovedEventType:
 		// deletes all tokens including PATs, which is expected for now
 		// if there is an undo of the org deletion in the future,
 		// we will need to have a look on how to handle the deleted PATs
 		return t.view.DeleteOrgTokens(event)
 	default:
 		return t.view.ProcessedTokenSequence(event)
 	}
--- a/internal/auth/repository/eventsourcing/handler/user.go
+++ b/internal/auth/repository/eventsourcing/handler/user.go
@ -24,7 +24,7 @@ import (
 )
 const (
-	userTable = "auth.users"
+	userTable = "auth.users2"
 )
 type User struct {
@ -228,6 +228,8 @@ func (u *User) ProcessOrg(event *es_models.Event) (err error) {
 		return u.fillLoginNamesOnOrgUsers(event)
 	case org.OrgDomainPrimarySetEventType:
 		return u.fillPreferredLoginNamesOnOrgUsers(event)
 	case org.OrgRemovedEventType:
 		return u.view.UpdateOrgOwnerRemovedUsers(event)
 	default:
 		return u.view.ProcessedUserSequence(event)
 	}
--- a/internal/auth/repository/eventsourcing/handler/user_external_idps.go
+++ b/internal/auth/repository/eventsourcing/handler/user_external_idps.go
@ -22,7 +22,7 @@ import (
 )
 const (
-	externalIDPTable = "auth.user_external_idps"
+	externalIDPTable = "auth.user_external_idps2"
 )
 type ExternalIDP struct {
@ -153,6 +153,8 @@ func (i *ExternalIDP) processIdpConfig(event *es_models.Event) (err error) {
 		return i.view.PutExternalIDPs(event, exterinalIDPs...)
 	case instance.InstanceRemovedEventType:
 		return i.view.DeleteInstanceExternalIDPs(event)
 	case org.OrgRemovedEventType:
 		return i.view.UpdateOrgOwnerRemovedExternalIDPs(event)
 	default:
 		return i.view.ProcessedExternalIDPSequence(event)
 	}
@ -184,9 +186,9 @@ func (i *ExternalIDP) OnSuccess(instanceIDs []string) error {
 }
 func (i *ExternalIDP) getOrgIDPConfig(instanceID, aggregateID, idpConfigID string) (*query2.IDP, error) {
-	return i.queries.IDPByIDAndResourceOwner(withInstanceID(context.Background(), instanceID), false, idpConfigID, aggregateID)
+	return i.queries.IDPByIDAndResourceOwner(withInstanceID(context.Background(), instanceID), false, idpConfigID, aggregateID, false)
 }
 func (i *ExternalIDP) getDefaultIDPConfig(instanceID, idpConfigID string) (*query2.IDP, error) {
-	return i.queries.IDPByIDAndResourceOwner(withInstanceID(context.Background(), instanceID), false, idpConfigID, instanceID)
+	return i.queries.IDPByIDAndResourceOwner(withInstanceID(context.Background(), instanceID), false, idpConfigID, instanceID, false)
 }
--- a/internal/auth/repository/eventsourcing/handler/user_session.go
+++ b/internal/auth/repository/eventsourcing/handler/user_session.go
@ -156,6 +156,8 @@ func (u *UserSession) Reduce(event *models.Event) (err error) {
 		return u.view.DeleteUserSessions(event.AggregateID, event.InstanceID, event)
 	case instance.InstanceRemovedEventType:
 		return u.view.DeleteInstanceUserSessions(event)
 	case org.OrgRemovedEventType:
 		return u.view.DeleteOrgUserSessions(event)
 	default:
 		return u.view.ProcessedUserSessionSequence(event)
 	}
--- a/internal/auth/repository/eventsourcing/repository.go
+++ b/internal/auth/repository/eventsourcing/repository.go
@ -127,7 +127,7 @@ func (q queryViewWrapper) UserGrantsByProjectAndUserID(ctx context.Context, proj
 		return nil, err
 	}
 	queries := &query.UserGrantsQueries{Queries: []query.SearchQuery{userGrantUserID, userGrantProjectID}}
-	grants, err := q.Queries.UserGrants(ctx, queries)
+	grants, err := q.Queries.UserGrants(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/auth/repository/eventsourcing/view/external_idps.go
+++ b/internal/auth/repository/eventsourcing/view/external_idps.go
@ -9,7 +9,7 @@ import (
 )
 const (
-	externalIDPTable = "auth.user_external_idps"
+	externalIDPTable = "auth.user_external_idps2"
 )
 func (v *View) ExternalIDPByExternalUserIDAndIDPConfigID(externalUserID, idpConfigID, instanceID string) (*model.ExternalIDPView, error) {
@ -64,6 +64,14 @@ func (v *View) DeleteInstanceExternalIDPs(event *models.Event) error {
 	return v.ProcessedExternalIDPSequence(event)
 }
 func (v *View) UpdateOrgOwnerRemovedExternalIDPs(event *models.Event) error {
 	err := view.UpdateOrgOwnerRemovedExternalIDPs(v.Db, externalIDPTable, event.InstanceID, event.ResourceOwner)
 	if err != nil && !errors.IsNotFound(err) {
 		return err
 	}
 	return v.ProcessedExternalIDPSequence(event)
 }
 func (v *View) GetLatestExternalIDPSequence(instanceID string) (*global_view.CurrentSequence, error) {
 	return v.latestSequence(externalIDPTable, instanceID)
 }
--- a/internal/auth/repository/eventsourcing/view/idp_configs.go
+++ b/internal/auth/repository/eventsourcing/view/idp_configs.go
@ -10,7 +10,7 @@ import (
 )
 const (
-	idpConfigTable = "auth.idp_configs"
+	idpConfigTable = "auth.idp_configs2"
 )
 func (v *View) IDPConfigByID(idpID, instanceID string) (*iam_es_model.IDPConfigView, error) {
@ -49,6 +49,14 @@ func (v *View) DeleteInstanceIDPs(event *models.Event) error {
 	return v.ProcessedIDPConfigSequence(event)
 }
 func (v *View) UpdateOrgOwnerRemovedIDPs(event *models.Event) error {
 	err := view.UpdateOrgOwnerRemovedIDPs(v.Db, idpConfigTable, event.InstanceID, event.AggregateID)
 	if err != nil && !errors.IsNotFound(err) {
 		return err
 	}
 	return v.ProcessedIDPConfigSequence(event)
 }
 func (v *View) GetLatestIDPConfigSequence(instanceID string) (*global_view.CurrentSequence, error) {
 	return v.latestSequence(idpConfigTable, instanceID)
 }
--- a/internal/auth/repository/eventsourcing/view/idp_providers.go
+++ b/internal/auth/repository/eventsourcing/view/idp_providers.go
@ -10,7 +10,7 @@ import (
 )
 const (
-	idpProviderTable = "auth.idp_providers"
+	idpProviderTable = "auth.idp_providers2"
 )
 func (v *View) IDPProviderByAggregateAndIDPConfigID(aggregateID, idpConfigID, instanceID string) (*model.IDPProviderView, error) {
@ -69,6 +69,14 @@ func (v *View) DeleteInstanceIDPProviders(event *models.Event) error {
 	return v.ProcessedIDPProviderSequence(event)
 }
 func (v *View) UpdateOrgOwnerRemovedIDPProviders(event *models.Event) error {
 	err := view.UpdateOrgOwnerRemovedIDPProviders(v.Db, idpProviderTable, event.InstanceID, event.AggregateID)
 	if err != nil && !errors.IsNotFound(err) {
 		return err
 	}
 	return v.ProcessedIDPProviderSequence(event)
 }
 func (v *View) GetLatestIDPProviderSequence(instanceID string) (*global_view.CurrentSequence, error) {
 	return v.latestSequence(idpProviderTable, instanceID)
 }
--- a/internal/auth/repository/eventsourcing/view/org_project_mapping.go
+++ b/internal/auth/repository/eventsourcing/view/org_project_mapping.go
@ -9,15 +9,15 @@ import (
 )
 const (
-	orgPrgojectMappingTable = "auth.org_project_mapping"
+	orgProjectMappingTable = "auth.org_project_mapping2"
 )
 func (v *View) OrgProjectMappingByIDs(orgID, projectID, instanceID string) (*model.OrgProjectMapping, error) {
-	return view.OrgProjectMappingByIDs(v.Db, orgPrgojectMappingTable, orgID, projectID, instanceID)
+	return view.OrgProjectMappingByIDs(v.Db, orgProjectMappingTable, orgID, projectID, instanceID)
 }
 func (v *View) PutOrgProjectMapping(mapping *model.OrgProjectMapping, event *models.Event) error {
-	err := view.PutOrgProjectMapping(v.Db, orgPrgojectMappingTable, mapping)
+	err := view.PutOrgProjectMapping(v.Db, orgProjectMappingTable, mapping)
 	if err != nil {
 		return err
 	}
@ -25,7 +25,7 @@ func (v *View) PutOrgProjectMapping(mapping *model.OrgProjectMapping, event *mod
 }
 func (v *View) DeleteOrgProjectMapping(orgID, projectID, instanceID string, event *models.Event) error {
-	err := view.DeleteOrgProjectMapping(v.Db, orgPrgojectMappingTable, orgID, projectID, instanceID)
+	err := view.DeleteOrgProjectMapping(v.Db, orgProjectMappingTable, orgID, projectID, instanceID)
 	if err != nil && !errors.IsNotFound(err) {
 		return err
 	}
@ -33,7 +33,15 @@ func (v *View) DeleteOrgProjectMapping(orgID, projectID, instanceID string, even
 }
 func (v *View) DeleteInstanceOrgProjectMappings(event *models.Event) error {
-	err := view.DeleteInstanceOrgProjectMappings(v.Db, orgPrgojectMappingTable, event.InstanceID)
+	err := view.DeleteInstanceOrgProjectMappings(v.Db, orgProjectMappingTable, event.InstanceID)
 	if err != nil && !errors.IsNotFound(err) {
 		return err
 	}
 	return v.ProcessedOrgProjectMappingSequence(event)
 }
 func (v *View) UpdateOwnerRemovedOrgProjectMappings(event *models.Event) error {
 	err := view.UpdateOwnerRemovedOrgProjectMappings(v.Db, orgProjectMappingTable, event.InstanceID, event.AggregateID)
 	if err != nil && !errors.IsNotFound(err) {
 		return err
 	}
@ -41,31 +49,31 @@ func (v *View) DeleteInstanceOrgProjectMappings(event *models.Event) error {
 }
 func (v *View) DeleteOrgProjectMappingsByProjectID(projectID, instanceID string) error {
-	return view.DeleteOrgProjectMappingsByProjectID(v.Db, orgPrgojectMappingTable, projectID, instanceID)
+	return view.DeleteOrgProjectMappingsByProjectID(v.Db, orgProjectMappingTable, projectID, instanceID)
 }
 func (v *View) DeleteOrgProjectMappingsByProjectGrantID(projectGrantID, instanceID string) error {
-	return view.DeleteOrgProjectMappingsByProjectGrantID(v.Db, orgPrgojectMappingTable, projectGrantID, instanceID)
+	return view.DeleteOrgProjectMappingsByProjectGrantID(v.Db, orgProjectMappingTable, projectGrantID, instanceID)
 }
 func (v *View) GetLatestOrgProjectMappingSequence(instanceID string) (*repository.CurrentSequence, error) {
-	return v.latestSequence(orgPrgojectMappingTable, instanceID)
+	return v.latestSequence(orgProjectMappingTable, instanceID)
 }
 func (v *View) GetLatestOrgProjectMappingSequences(instanceIDs []string) ([]*repository.CurrentSequence, error) {
-	return v.latestSequences(orgPrgojectMappingTable, instanceIDs)
+	return v.latestSequences(orgProjectMappingTable, instanceIDs)
 }
 func (v *View) ProcessedOrgProjectMappingSequence(event *models.Event) error {
-	return v.saveCurrentSequence(orgPrgojectMappingTable, event)
+	return v.saveCurrentSequence(orgProjectMappingTable, event)
 }
 func (v *View) UpdateOrgProjectMappingSpoolerRunTimestamp(instanceIDs []string) error {
-	return v.updateSpoolerRunSequence(orgPrgojectMappingTable, instanceIDs)
+	return v.updateSpoolerRunSequence(orgProjectMappingTable, instanceIDs)
 }
 func (v *View) GetLatestOrgProjectMappingFailedEvent(sequence uint64, instanceID string) (*repository.FailedEvent, error) {
-	return v.latestFailedEvent(orgPrgojectMappingTable, instanceID, sequence)
+	return v.latestFailedEvent(orgProjectMappingTable, instanceID, sequence)
 }
 func (v *View) ProcessedOrgProjectMappingFailedEvent(failedEvent *repository.FailedEvent) error {
--- a/internal/auth/repository/eventsourcing/view/refresh_token.go
+++ b/internal/auth/repository/eventsourcing/view/refresh_token.go
@ -73,6 +73,14 @@ func (v *View) DeleteInstanceRefreshTokens(event *models.Event) error {
 	return v.ProcessedRefreshTokenSequence(event)
 }
 func (v *View) DeleteOrgRefreshTokens(event *models.Event) error {
 	err := usr_view.DeleteOrgRefreshTokens(v.Db, refreshTokenTable, event.InstanceID, event.ResourceOwner)
 	if err != nil && !errors.IsNotFound(err) {
 		return err
 	}
 	return v.ProcessedRefreshTokenSequence(event)
 }
 func (v *View) GetLatestRefreshTokenSequence(instanceID string) (*repository.CurrentSequence, error) {
 	return v.latestSequence(refreshTokenTable, instanceID)
 }
--- a/internal/auth/repository/eventsourcing/view/token.go
+++ b/internal/auth/repository/eventsourcing/view/token.go
@ -84,6 +84,14 @@ func (v *View) DeleteInstanceTokens(event *models.Event) error {
 	return v.ProcessedTokenSequence(event)
 }
 func (v *View) DeleteOrgTokens(event *models.Event) error {
 	err := usr_view.DeleteOrgTokens(v.Db, tokenTable, event.InstanceID, event.ResourceOwner)
 	if err != nil && !errors.IsNotFound(err) {
 		return err
 	}
 	return v.ProcessedTokenSequence(event)
 }
 func (v *View) GetLatestTokenSequence(instanceID string) (*repository.CurrentSequence, error) {
 	return v.latestSequence(tokenTable, instanceID)
 }
--- a/internal/auth/repository/eventsourcing/view/user.go
+++ b/internal/auth/repository/eventsourcing/view/user.go
@ -14,7 +14,7 @@ import (
 )
 const (
-	userTable = "auth.users"
+	userTable = "auth.users2"
 )
 func (v *View) UserByID(userID, instanceID string) (*model.UserView, error) {
@ -97,7 +97,7 @@ func (v *View) UserByPhoneAndResourceOwner(phone, resourceOwner, instanceID stri
 func (v *View) userByID(instanceID string, queries ...query.SearchQuery) (*model.UserView, error) {
 	ctx := authz.WithInstanceID(context.Background(), instanceID)
-	queriedUser, err := v.query.GetNotifyUser(ctx, true, queries...)
+	queriedUser, err := v.query.GetNotifyUser(ctx, true, false, queries...)
 	if err != nil {
 		return nil, err
 	}
@ -189,6 +189,14 @@ func (v *View) DeleteInstanceUsers(event *models.Event) error {
 	return v.ProcessedUserSequence(event)
 }
 func (v *View) UpdateOrgOwnerRemovedUsers(event *models.Event) error {
 	err := view.UpdateOrgOwnerRemovedUsers(v.Db, userTable, event.InstanceID, event.AggregateID)
 	if err != nil && !errors.IsNotFound(err) {
 		return err
 	}
 	return v.ProcessedUserSequence(event)
 }
 func (v *View) GetLatestUserSequence(instanceID string) (*repository.CurrentSequence, error) {
 	return v.latestSequence(userTable, instanceID)
 }
--- a/internal/auth/repository/eventsourcing/view/user_session.go
+++ b/internal/auth/repository/eventsourcing/view/user_session.go
@ -64,6 +64,14 @@ func (v *View) DeleteInstanceUserSessions(event *models.Event) error {
 	return v.ProcessedUserSessionSequence(event)
 }
 func (v *View) DeleteOrgUserSessions(event *models.Event) error {
 	err := view.DeleteOrgUserSessions(v.Db, userSessionTable, event.InstanceID, event.ResourceOwner)
 	if err != nil && !errors.IsNotFound(err) {
 		return err
 	}
 	return v.ProcessedUserSessionSequence(event)
 }
 func (v *View) GetLatestUserSessionSequence(instanceID string) (*repository.CurrentSequence, error) {
 	return v.latestSequence(userSessionTable, instanceID)
 }
--- a/internal/authz/repository/eventsourcing/eventstore/user_membership.go
+++ b/internal/authz/repository/eventsourcing/eventstore/user_membership.go
@ -40,7 +40,7 @@ func (repo *UserMembershipRepo) searchUserMemberships(ctx context.Context) (_ []
 	}
 	memberships, err := repo.Queries.Memberships(ctx, &query.MembershipSearchQuery{
 		Queries: []query.SearchQuery{userIDQuery, query.Or(orgIDsQuery, grantedIDQuery)},
-	})
+	}, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/authz/repository/eventsourcing/view/application.go
+++ b/internal/authz/repository/eventsourcing/view/application.go
@ -9,7 +9,7 @@ import (
 )
 func (v *View) ApplicationByOIDCClientID(ctx context.Context, clientID string) (*query.App, error) {
-	return v.Query.AppByOIDCClientID(ctx, clientID)
+	return v.Query.AppByOIDCClientID(ctx, clientID, false)
 }
 func (v *View) ApplicationByProjecIDAndAppName(ctx context.Context, projectID, appName string) (_ *query.App, err error) {
@ -32,7 +32,7 @@ func (v *View) ApplicationByProjecIDAndAppName(ctx context.Context, projectID, a
 		},
 	}
-	apps, err := v.Query.SearchApps(ctx, queries)
+	apps, err := v.Query.SearchApps(ctx, queries, false)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/command/custom_login_text_model.go
+++ b/internal/command/custom_login_text_model.go
@ -21,11 +21,9 @@ func (wm *CustomLoginTextsReadModel) Reduce() error {
 		case *policy.CustomTextSetEvent:
 			wm.CustomLoginTexts[e.Template+e.Language.String()] = &CustomText{Language: e.Language, Template: e.Template}
 		case *policy.CustomTextTemplateRemovedEvent:
 			if _, ok := wm.CustomLoginTexts[e.Template+e.Language.String()]; ok {
 			delete(wm.CustomLoginTexts, e.Template+e.Language.String())
 		}
 	}
 	}
 	return wm.WriteModel.Reduce()
 }
--- a/internal/command/custom_message_text_model.go
+++ b/internal/command/custom_message_text_model.go
@ -168,10 +168,8 @@ func (wm *CustomMessageTemplatesReadModel) Reduce() error {
 				wm.CustomMessageTemplate[e.Template+e.Language.String()].FooterText = ""
 			}
 		case *policy.CustomTextTemplateRemovedEvent:
 			if _, ok := wm.CustomMessageTemplate[e.Template+e.Language.String()]; ok {
 			delete(wm.CustomMessageTemplate, e.Template+e.Language.String())
 		}
 	}
 	}
 	return wm.WriteModel.Reduce()
 }
--- a/internal/command/instance.go
+++ b/internal/command/instance.go
@ -397,11 +397,7 @@ func (c *Commands) UpdateInstance(ctx context.Context, name string) (*domain.Obj
 	if err != nil {
 		return nil, err
 	}
-	return &domain.ObjectDetails{
+	return pushedEventsToObjectDetails(events), nil
 		Sequence:      events[len(events)-1].Sequence(),
 		EventDate:     events[len(events)-1].CreationDate(),
 		ResourceOwner: events[len(events)-1].Aggregate().ResourceOwner,
 	}, nil
 }
 func (c *Commands) SetDefaultLanguage(ctx context.Context, defaultLanguage language.Tag) (*domain.ObjectDetails, error) {
@ -415,11 +411,7 @@ func (c *Commands) SetDefaultLanguage(ctx context.Context, defaultLanguage langu
 	if err != nil {
 		return nil, err
 	}
-	return &domain.ObjectDetails{
+	return pushedEventsToObjectDetails(events), nil
 		Sequence:      events[len(events)-1].Sequence(),
 		EventDate:     events[len(events)-1].CreationDate(),
 		ResourceOwner: events[len(events)-1].Aggregate().ResourceOwner,
 	}, nil
 }
 func (c *Commands) SetDefaultOrg(ctx context.Context, orgID string) (*domain.ObjectDetails, error) {
@ -433,11 +425,7 @@ func (c *Commands) SetDefaultOrg(ctx context.Context, orgID string) (*domain.Obj
 	if err != nil {
 		return nil, err
 	}
-	return &domain.ObjectDetails{
+	return pushedEventsToObjectDetails(events), nil
 		Sequence:      events[len(events)-1].Sequence(),
 		EventDate:     events[len(events)-1].CreationDate(),
 		ResourceOwner: events[len(events)-1].Aggregate().ResourceOwner,
 	}, nil
 }
 func (c *Commands) ChangeSystemConfig(ctx context.Context, externalDomain string, externalPort uint16, externalSecure bool) error {
--- a/internal/command/instance_custom_login_text.go
+++ b/internal/command/instance_custom_login_text.go
@ -42,6 +42,9 @@ func (c *Commands) RemoveCustomInstanceLoginTexts(ctx context.Context, lang lang
 	}
 	iamAgg := InstanceAggregateFromWriteModel(&customText.WriteModel)
 	pushedEvents, err := c.eventstore.Push(ctx, instance.NewCustomTextTemplateRemovedEvent(ctx, iamAgg, domain.LoginCustomText, lang))
 	if err != nil {
 		return nil, err
 	}
 	err = AppendAndReduce(customText, pushedEvents...)
 	if err != nil {
 		return nil, err
--- a/internal/command/instance_member.go
+++ b/internal/command/instance_member.go
@ -8,7 +8,6 @@ import (
 	"github.com/zitadel/zitadel/internal/command/preparation"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/errors"
 	caos_errs "github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/repository/instance"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
@ -20,7 +19,7 @@ func (c *Commands) AddInstanceMemberCommand(a *instance.Aggregate, userID string
 			return nil, errors.ThrowInvalidArgument(nil, "INSTA-SDSfs", "Errors.Invalid.Argument")
 		}
 		if len(domain.CheckForInvalidRoles(roles, domain.IAMRolePrefix, c.zitadelRoles)) > 0 {
-			return nil, caos_errs.ThrowInvalidArgument(nil, "INSTANCE-4m0fS", "Errors.IAM.MemberInvalid")
+			return nil, errors.ThrowInvalidArgument(nil, "INSTANCE-4m0fS", "Errors.IAM.MemberInvalid")
 		}
 		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
 				if exists, err := ExistsUser(ctx, filter, userID, ""); err != nil || !exists {
@ -91,10 +90,10 @@ func (c *Commands) AddInstanceMember(ctx context.Context, userID string, roles .
 // ChangeInstanceMember updates an existing member
 func (c *Commands) ChangeInstanceMember(ctx context.Context, member *domain.Member) (*domain.Member, error) {
 	if !member.IsIAMValid() {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "INSTANCE-LiaZi", "Errors.IAM.MemberInvalid")
+		return nil, errors.ThrowInvalidArgument(nil, "INSTANCE-LiaZi", "Errors.IAM.MemberInvalid")
 	}
 	if len(domain.CheckForInvalidRoles(member.Roles, domain.IAMRolePrefix, c.zitadelRoles)) > 0 {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "INSTANCE-3m9fs", "Errors.IAM.MemberInvalid")
+		return nil, errors.ThrowInvalidArgument(nil, "INSTANCE-3m9fs", "Errors.IAM.MemberInvalid")
 	}
 	existingMember, err := c.instanceMemberWriteModelByID(ctx, member.UserID)
@ -103,7 +102,7 @@ func (c *Commands) ChangeInstanceMember(ctx context.Context, member *domain.Memb
 	}
 	if reflect.DeepEqual(existingMember.Roles, member.Roles) {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "INSTANCE-LiaZi", "Errors.IAM.Member.RolesNotChanged")
+		return nil, errors.ThrowPreconditionFailed(nil, "INSTANCE-LiaZi", "Errors.IAM.Member.RolesNotChanged")
 	}
 	instanceAgg := InstanceAggregateFromWriteModel(&existingMember.MemberWriteModel.WriteModel)
 	pushedEvents, err := c.eventstore.Push(ctx, instance.NewMemberChangedEvent(ctx, instanceAgg, member.UserID, member.Roles...))
@ -120,7 +119,7 @@ func (c *Commands) ChangeInstanceMember(ctx context.Context, member *domain.Memb
 func (c *Commands) RemoveInstanceMember(ctx context.Context, userID string) (*domain.ObjectDetails, error) {
 	if userID == "" {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "INSTANCE-LiaZi", "Errors.IDMissing")
+		return nil, errors.ThrowInvalidArgument(nil, "INSTANCE-LiaZi", "Errors.IDMissing")
 	}
 	memberWriteModel, err := c.instanceMemberWriteModelByID(ctx, userID)
 	if err != nil && !errors.IsNotFound(err) {
--- a/internal/command/instance_settings.go
+++ b/internal/command/instance_settings.go
@ -8,7 +8,6 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/errors"
 	caos_errs "github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/repository/instance"
 )
@ -73,7 +72,7 @@ func prepareAddSecretGeneratorConfig(a *instance.Aggregate, typ domain.SecretGen
 func (c *Commands) ChangeSecretGeneratorConfig(ctx context.Context, generatorType domain.SecretGeneratorType, config *crypto.GeneratorConfig) (*domain.ObjectDetails, error) {
 	if generatorType == domain.SecretGeneratorTypeUnspecified {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-33k9f", "Errors.SecretGenerator.TypeMissing")
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-33k9f", "Errors.SecretGenerator.TypeMissing")
 	}
 	generatorWriteModel, err := c.getSecretConfig(ctx, generatorType)
@ -81,7 +80,7 @@ func (c *Commands) ChangeSecretGeneratorConfig(ctx context.Context, generatorTyp
 		return nil, err
 	}
 	if generatorWriteModel.State == domain.SecretGeneratorStateUnspecified || generatorWriteModel.State == domain.SecretGeneratorStateRemoved {
-		return nil, caos_errs.ThrowNotFound(nil, "COMMAND-3n9ls", "Errors.SecretGenerator.NotFound")
+		return nil, errors.ThrowNotFound(nil, "COMMAND-3n9ls", "Errors.SecretGenerator.NotFound")
 	}
 	instanceAgg := InstanceAggregateFromWriteModel(&generatorWriteModel.WriteModel)
@ -99,7 +98,7 @@ func (c *Commands) ChangeSecretGeneratorConfig(ctx context.Context, generatorTyp
 		return nil, err
 	}
 	if !hasChanged {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-m0o3f", "Errors.NoChangesFound")
+		return nil, errors.ThrowPreconditionFailed(nil, "COMMAND-m0o3f", "Errors.NoChangesFound")
 	}
 	pushedEvents, err := c.eventstore.Push(ctx, changedEvent)
 	if err != nil {
@ -114,7 +113,7 @@ func (c *Commands) ChangeSecretGeneratorConfig(ctx context.Context, generatorTyp
 func (c *Commands) RemoveSecretGeneratorConfig(ctx context.Context, generatorType domain.SecretGeneratorType) (*domain.ObjectDetails, error) {
 	if generatorType == domain.SecretGeneratorTypeUnspecified {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-2j9lw", "Errors.SecretGenerator.TypeMissing")
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-2j9lw", "Errors.SecretGenerator.TypeMissing")
 	}
 	generatorWriteModel, err := c.getSecretConfig(ctx, generatorType)
@ -122,7 +121,7 @@ func (c *Commands) RemoveSecretGeneratorConfig(ctx context.Context, generatorTyp
 		return nil, err
 	}
 	if generatorWriteModel.State == domain.SecretGeneratorStateUnspecified || generatorWriteModel.State == domain.SecretGeneratorStateRemoved {
-		return nil, caos_errs.ThrowNotFound(nil, "COMMAND-b8les", "Errors.SecretGenerator.NotFound")
+		return nil, errors.ThrowNotFound(nil, "COMMAND-b8les", "Errors.SecretGenerator.NotFound")
 	}
 	instanceAgg := InstanceAggregateFromWriteModel(&generatorWriteModel.WriteModel)
 	pushedEvents, err := c.eventstore.Push(ctx, instance.NewSecretGeneratorRemovedEvent(ctx, instanceAgg, generatorType))
--- a/internal/command/org.go
+++ b/internal/command/org.go
@ -8,9 +8,9 @@ import (
 	"github.com/zitadel/zitadel/internal/command/preparation"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/errors"
 	caos_errs "github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/repository/org"
 	"github.com/zitadel/zitadel/internal/repository/project"
 	user_repo "github.com/zitadel/zitadel/internal/repository/user"
 )
@ -105,8 +105,8 @@ func (c *Commands) getOrg(ctx context.Context, orgID string) (*domain.Org, error
 	if err != nil {
 		return nil, err
 	}
-	if writeModel.State == domain.OrgStateUnspecified || writeModel.State == domain.OrgStateRemoved {
+	if !isOrgStateExists(writeModel.State) {
-		return nil, caos_errs.ThrowInternal(err, "COMMAND-4M9sf", "Errors.Org.NotFound")
+		return nil, errors.ThrowInternal(err, "COMMAND-4M9sf", "Errors.Org.NotFound")
 	}
 	return orgWriteModelToOrg(writeModel), nil
 }
@ -116,8 +116,8 @@ func (c *Commands) checkOrgExists(ctx context.Context, orgID string) error {
 	if err != nil {
 		return err
 	}
-	if orgWriteModel.State == domain.OrgStateUnspecified || orgWriteModel.State == domain.OrgStateRemoved {
+	if !isOrgStateExists(orgWriteModel.State) {
-		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-QXPGs", "Errors.Org.NotFound")
+		return errors.ThrowPreconditionFailed(nil, "COMMAND-QXPGs", "Errors.Org.NotFound")
 	}
 	return nil
 }
@ -128,7 +128,7 @@ func (c *Commands) AddOrgWithID(ctx context.Context, name, userID, resourceOwner
 		return nil, err
 	}
 	if existingOrg.State != domain.OrgStateUnspecified {
-		return nil, caos_errs.ThrowNotFound(nil, "ORG-lapo2m", "Errors.Org.AlreadyExisting")
+		return nil, errors.ThrowNotFound(nil, "ORG-lapo2m", "Errors.Org.AlreadyExisting")
 	}
 	return c.addOrgWithIDAndMember(ctx, name, userID, resourceOwner, orgID, claimedUserIDs)
@ -136,12 +136,12 @@ func (c *Commands) AddOrgWithID(ctx context.Context, name, userID, resourceOwner
 func (c *Commands) AddOrg(ctx context.Context, name, userID, resourceOwner string, claimedUserIDs []string) (*domain.Org, error) {
 	if name = strings.TrimSpace(name); name == "" {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "EVENT-Mf9sd", "Errors.Org.Invalid")
+		return nil, errors.ThrowInvalidArgument(nil, "EVENT-Mf9sd", "Errors.Org.Invalid")
 	}
 	orgID, err := c.idGenerator.Next()
 	if err != nil {
-		return nil, caos_errs.ThrowInternal(err, "COMMA-OwciI", "Errors.Internal")
+		return nil, errors.ThrowInternal(err, "COMMA-OwciI", "Errors.Internal")
 	}
 	return c.addOrgWithIDAndMember(ctx, name, userID, resourceOwner, orgID, claimedUserIDs)
@ -176,18 +176,18 @@ func (c *Commands) addOrgWithIDAndMember(ctx context.Context, name, userID, reso
 func (c *Commands) ChangeOrg(ctx context.Context, orgID, name string) (*domain.ObjectDetails, error) {
 	name = strings.TrimSpace(name)
 	if orgID == "" || name == "" {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "EVENT-Mf9sd", "Errors.Org.Invalid")
+		return nil, errors.ThrowInvalidArgument(nil, "EVENT-Mf9sd", "Errors.Org.Invalid")
 	}
 	orgWriteModel, err := c.getOrgWriteModelByID(ctx, orgID)
 	if err != nil {
 		return nil, err
 	}
-	if orgWriteModel.State == domain.OrgStateUnspecified || orgWriteModel.State == domain.OrgStateRemoved {
+	if !isOrgStateExists(orgWriteModel.State) {
-		return nil, caos_errs.ThrowNotFound(nil, "ORG-1MRds", "Errors.Org.NotFound")
+		return nil, errors.ThrowNotFound(nil, "ORG-1MRds", "Errors.Org.NotFound")
 	}
 	if orgWriteModel.Name == name {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "ORG-4VSdf", "Errors.Org.NotChanged")
+		return nil, errors.ThrowPreconditionFailed(nil, "ORG-4VSdf", "Errors.Org.NotChanged")
 	}
 	orgAgg := OrgAggregateFromWriteModel(&orgWriteModel.WriteModel)
 	events := make([]eventstore.Command, 0)
@ -215,11 +215,11 @@ func (c *Commands) DeactivateOrg(ctx context.Context, orgID string) (*domain.Obj
 	if err != nil {
 		return nil, err
 	}
-	if orgWriteModel.State == domain.OrgStateUnspecified || orgWriteModel.State == domain.OrgStateRemoved {
+	if !isOrgStateExists(orgWriteModel.State) {
-		return nil, caos_errs.ThrowNotFound(nil, "ORG-oL9nT", "Errors.Org.NotFound")
+		return nil, errors.ThrowNotFound(nil, "ORG-oL9nT", "Errors.Org.NotFound")
 	}
 	if orgWriteModel.State == domain.OrgStateInactive {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-Dbs2g", "Errors.Org.AlreadyDeactivated")
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Dbs2g", "Errors.Org.AlreadyDeactivated")
 	}
 	orgAgg := OrgAggregateFromWriteModel(&orgWriteModel.WriteModel)
 	pushedEvents, err := c.eventstore.Push(ctx, org.NewOrgDeactivatedEvent(ctx, orgAgg))
@ -238,11 +238,11 @@ func (c *Commands) ReactivateOrg(ctx context.Context, orgID string) (*domain.Obj
 	if err != nil {
 		return nil, err
 	}
-	if orgWriteModel.State == domain.OrgStateUnspecified || orgWriteModel.State == domain.OrgStateRemoved {
+	if !isOrgStateExists(orgWriteModel.State) {
-		return nil, caos_errs.ThrowNotFound(nil, "ORG-Dgf3g", "Errors.Org.NotFound")
+		return nil, errors.ThrowNotFound(nil, "ORG-Dgf3g", "Errors.Org.NotFound")
 	}
 	if orgWriteModel.State == domain.OrgStateActive {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-bfnrh", "Errors.Org.AlreadyActive")
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-bfnrh", "Errors.Org.AlreadyActive")
 	}
 	orgAgg := OrgAggregateFromWriteModel(&orgWriteModel.WriteModel)
 	pushedEvents, err := c.eventstore.Push(ctx, org.NewOrgReactivatedEvent(ctx, orgAgg))
@ -256,8 +256,251 @@ func (c *Commands) ReactivateOrg(ctx context.Context, orgID string) (*domain.Obj
 	return writeModelToObjectDetails(&orgWriteModel.WriteModel), nil
 }
 func (c *Commands) RemoveOrg(ctx context.Context, id string) (*domain.ObjectDetails, error) {
 	orgAgg := org.NewAggregate(id)
 	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, c.prepareRemoveOrg(orgAgg))
 	if err != nil {
 		return nil, err
 	}
 	events, err := c.eventstore.Push(ctx, cmds...)
 	if err != nil {
 		return nil, err
 	}
 	return &domain.ObjectDetails{
 		Sequence:      events[len(events)-1].Sequence(),
 		EventDate:     events[len(events)-1].CreationDate(),
 		ResourceOwner: events[len(events)-1].Aggregate().InstanceID,
 	}, nil
 }
 func (c *Commands) prepareRemoveOrg(a *org.Aggregate) preparation.Validation {
 	return func() (preparation.CreateCommands, error) {
 		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
 			writeModel, err := c.getOrgWriteModelByID(ctx, a.ID)
 			if err != nil {
 				return nil, errors.ThrowPreconditionFailed(err, "COMMA-wG9p1", "Errors.Org.NotFound")
 			}
 			if !isOrgStateExists(writeModel.State) {
 				return nil, errors.ThrowNotFound(nil, "COMMA-aps2n", "Errors.Org.NotFound")
 			}
 			domainPolicy, err := c.getOrgDomainPolicy(ctx, a.ID)
 			if err != nil {
 				return nil, err
 			}
 			usernames, err := OrgUsers(ctx, filter, a.ID)
 			if err != nil {
 				return nil, err
 			}
 			domains, err := OrgDomains(ctx, filter, a.ID)
 			if err != nil {
 				return nil, err
 			}
 			links, err := OrgUserIDPLinks(ctx, filter, a.ID)
 			if err != nil {
 				return nil, err
 			}
 			entityIds, err := OrgSamlEntityIDs(ctx, filter, a.ID)
 			if err != nil {
 				return nil, err
 			}
 			return []eventstore.Command{org.NewOrgRemovedEvent(ctx, &a.Aggregate, writeModel.Name, usernames, domainPolicy.UserLoginMustBeDomain, domains, links, entityIds)}, nil
 		}, nil
 	}
 }
 func OrgUserIDPLinks(ctx context.Context, filter preparation.FilterToQueryReducer, orgID string) ([]*domain.UserIDPLink, error) {
 	events, err := filter(ctx, eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
 		ResourceOwner(orgID).
 		OrderAsc().
 		AddQuery().
 		AggregateTypes(user_repo.AggregateType).
 		EventTypes(
 			user_repo.UserIDPLinkAddedType, user_repo.UserIDPLinkRemovedType, user_repo.UserIDPLinkCascadeRemovedType,
 		).Builder())
 	if err != nil {
 		return nil, err
 	}
 	links := make([]*domain.UserIDPLink, 0)
 	for _, event := range events {
 		switch eventTyped := event.(type) {
 		case *user_repo.UserIDPLinkAddedEvent:
 			links = append(links, &domain.UserIDPLink{
 				IDPConfigID:    eventTyped.IDPConfigID,
 				ExternalUserID: eventTyped.ExternalUserID,
 				DisplayName:    eventTyped.DisplayName,
 			})
 		case *user_repo.UserIDPLinkRemovedEvent:
 			for i := range links {
 				if links[i].ExternalUserID == eventTyped.ExternalUserID &&
 					links[i].IDPConfigID == eventTyped.IDPConfigID {
 					links[i] = links[len(links)-1]
 					links[len(links)-1] = nil
 					links = links[:len(links)-1]
 					break
 				}
 			}
 		case *user_repo.UserIDPLinkCascadeRemovedEvent:
 			for i := range links {
 				if links[i].ExternalUserID == eventTyped.ExternalUserID &&
 					links[i].IDPConfigID == eventTyped.IDPConfigID {
 					links[i] = links[len(links)-1]
 					links[len(links)-1] = nil
 					links = links[:len(links)-1]
 					break
 				}
 			}
 		}
 	}
 	return links, nil
 }
 type samlEntityID struct {
 	appID    string
 	entityID string
 }
 func OrgSamlEntityIDs(ctx context.Context, filter preparation.FilterToQueryReducer, orgID string) ([]string, error) {
 	events, err := filter(ctx, eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
 		ResourceOwner(orgID).
 		OrderAsc().
 		AddQuery().
 		AggregateTypes(project.AggregateType).
 		EventTypes(
 			project.SAMLConfigAddedType, project.SAMLConfigChangedType, project.ApplicationRemovedType,
 		).Builder())
 	if err != nil {
 		return nil, err
 	}
 	entityIDs := make([]samlEntityID, 0)
 	for _, event := range events {
 		switch eventTyped := event.(type) {
 		case *project.SAMLConfigAddedEvent:
 			entityIDs = append(entityIDs, samlEntityID{appID: eventTyped.AppID, entityID: eventTyped.EntityID})
 		case *project.SAMLConfigChangedEvent:
 			for i := range entityIDs {
 				if entityIDs[i].appID == eventTyped.AppID {
 					entityIDs[i].entityID = eventTyped.EntityID
 					break
 				}
 			}
 		case *project.ApplicationRemovedEvent:
 			for i := range entityIDs {
 				if entityIDs[i].appID == eventTyped.AppID {
 					entityIDs[i] = entityIDs[len(entityIDs)-1]
 					entityIDs = entityIDs[:len(entityIDs)-1]
 					break
 				}
 			}
 		}
 	}
 	ids := make([]string, len(entityIDs))
 	for i := range entityIDs {
 		ids[i] = entityIDs[i].entityID
 	}
 	return ids, nil
 }
 func OrgDomains(ctx context.Context, filter preparation.FilterToQueryReducer, orgID string) ([]string, error) {
 	events, err := filter(ctx, eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
 		ResourceOwner(orgID).
 		OrderAsc().
 		AddQuery().
 		AggregateTypes(org.AggregateType).
 		EventTypes(
 			org.OrgDomainVerifiedEventType,
 			org.OrgDomainRemovedEventType,
 		).Builder())
 	if err != nil {
 		return nil, err
 	}
 	names := make([]string, 0)
 	for _, event := range events {
 		switch eventTyped := event.(type) {
 		case *org.DomainVerifiedEvent:
 			names = append(names, eventTyped.Domain)
 		case *org.DomainRemovedEvent:
 			for i := range names {
 				if names[i] == eventTyped.Domain {
 					names[i] = names[len(names)-1]
 					names = names[:len(names)-1]
 					break
 				}
 			}
 		}
 	}
 	return names, nil
 }
 type userIDName struct {
 	name string
 	id   string
 }
 func OrgUsers(ctx context.Context, filter preparation.FilterToQueryReducer, orgID string) ([]string, error) {
 	events, err := filter(ctx, eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
 		InstanceID(authz.GetInstance(ctx).InstanceID()).
 		ResourceOwner(orgID).
 		OrderAsc().
 		AddQuery().
 		AggregateTypes(user_repo.AggregateType).
 		EventTypes(
 			user_repo.HumanAddedType,
 			user_repo.MachineAddedEventType,
 			user_repo.HumanRegisteredType,
 			user_repo.UserDomainClaimedType,
 			user_repo.UserUserNameChangedType,
 			user_repo.UserRemovedType,
 		).Builder())
 	if err != nil {
 		return nil, err
 	}
 	users := make([]userIDName, 0)
 	for _, event := range events {
 		switch eventTyped := event.(type) {
 		case *user_repo.HumanAddedEvent:
 			users = append(users, userIDName{eventTyped.UserName, eventTyped.Aggregate().ID})
 		case *user_repo.MachineAddedEvent:
 			users = append(users, userIDName{eventTyped.UserName, eventTyped.Aggregate().ID})
 		case *user_repo.HumanRegisteredEvent:
 			users = append(users, userIDName{eventTyped.UserName, eventTyped.Aggregate().ID})
 		case *user_repo.DomainClaimedEvent:
 			for i := range users {
 				if users[i].id == eventTyped.Aggregate().ID {
 					users[i].name = eventTyped.UserName
 				}
 			}
 		case *user_repo.UsernameChangedEvent:
 			for i := range users {
 				if users[i].id == eventTyped.Aggregate().ID {
 					users[i].name = eventTyped.UserName
 				}
 			}
 		case *user_repo.UserRemovedEvent:
 			for i := range users {
 				if users[i].id == eventTyped.Aggregate().ID {
 					users[i] = users[len(users)-1]
 					users = users[:len(users)-1]
 					break
 				}
 			}
 		}
 	}
 	names := make([]string, len(users))
 	for i := range users {
 		names[i] = users[i].name
 	}
 	return names, nil
 }
 func ExistsOrg(ctx context.Context, filter preparation.FilterToQueryReducer, id string) (exists bool, err error) {
 	events, err := filter(ctx, eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
 		InstanceID(authz.GetInstance(ctx).InstanceID()).
 		ResourceOwner(id).
 		OrderAsc().
 		AddQuery().
@ -287,7 +530,7 @@ func ExistsOrg(ctx context.Context, filter preparation.FilterToQueryReducer, id
 func (c *Commands) addOrgWithID(ctx context.Context, organisation *domain.Org, orgID string, claimedUserIDs []string) (_ *eventstore.Aggregate, _ *OrgWriteModel, _ []eventstore.Command, err error) {
 	if !organisation.IsValid() {
-		return nil, nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMM-deLSk", "Errors.Org.Invalid")
+		return nil, nil, nil, errors.ThrowInvalidArgument(nil, "COMM-deLSk", "Errors.Org.Invalid")
 	}
 	organisation.AggregateID = orgID
@ -316,3 +559,16 @@ func (c *Commands) getOrgWriteModelByID(ctx context.Context, orgID string) (*Org
 	}
 	return orgWriteModel, nil
 }
 func isOrgStateExists(state domain.OrgState) bool {
 	return !hasOrgState(state, domain.OrgStateRemoved, domain.OrgStateUnspecified)
 }
 func hasOrgState(check domain.OrgState, states ...domain.OrgState) bool {
 	for _, state := range states {
 		if check == state {
 			return true
 		}
 	}
 	return false
 }
--- a/internal/command/org_custom_login_text.go
+++ b/internal/command/org_custom_login_text.go
@ -60,6 +60,9 @@ func (c *Commands) RemoveOrgLoginTexts(ctx context.Context, resourceOwner string
 	}
 	orgAgg := OrgAggregateFromWriteModel(&customText.WriteModel)
 	pushedEvents, err := c.eventstore.Push(ctx, org.NewCustomTextTemplateRemovedEvent(ctx, orgAgg, domain.LoginCustomText, lang))
 	if err != nil {
 		return nil, err
 	}
 	err = AppendAndReduce(customText, pushedEvents...)
 	if err != nil {
 		return nil, err
--- a/internal/command/org_member.go
+++ b/internal/command/org_member.go
@ -128,6 +128,9 @@ func (c *Commands) ChangeOrgMember(ctx context.Context, member *domain.Member) (
 	}
 	orgAgg := OrgAggregateFromWriteModel(&existingMember.MemberWriteModel.WriteModel)
 	pushedEvents, err := c.eventstore.Push(ctx, org.NewMemberChangedEvent(ctx, orgAgg, member.UserID, member.Roles...))
 	if err != nil {
 		return nil, err
 	}
 	err = AppendAndReduce(existingMember, pushedEvents...)
 	if err != nil {
 		return nil, err
--- a/internal/command/org_model.go
+++ b/internal/command/org_model.go
@ -41,7 +41,7 @@ func (wm *OrgWriteModel) Reduce() error {
 			wm.PrimaryDomain = e.Domain
 		}
 	}
-	return nil
+	return wm.WriteModel.Reduce()
 }
 func (wm *OrgWriteModel) Query() *eventstore.SearchQueryBuilder {
--- a/internal/command/org_policy_login_factors_model.go
+++ b/internal/command/org_policy_login_factors_model.go
@ -161,10 +161,10 @@ func (wm *OrgAuthFactorsAllowedWriteModel) Reduce() error {
 			wm.ensureMultiFactor(e.MFAType)
 			wm.MultiFactors[e.MFAType].Org = domain.FactorStateRemoved
 		case *org.LoginPolicyRemovedEvent:
-			for factorType, _ := range wm.SecondFactors {
+			for factorType := range wm.SecondFactors {
 				wm.SecondFactors[factorType].Org = domain.FactorStateRemoved
 			}
-			for factorType, _ := range wm.MultiFactors {
+			for factorType := range wm.MultiFactors {
 				wm.MultiFactors[factorType].Org = domain.FactorStateRemoved
 			}
 		}
--- a/internal/command/org_test.go
+++ b/internal/command/org_test.go
@ -17,6 +17,7 @@ import (
 	id_mock "github.com/zitadel/zitadel/internal/id/mock"
 	"github.com/zitadel/zitadel/internal/repository/member"
 	"github.com/zitadel/zitadel/internal/repository/org"
 	"github.com/zitadel/zitadel/internal/repository/project"
 	"github.com/zitadel/zitadel/internal/repository/user"
 )
@ -1006,3 +1007,274 @@ func TestCommandSide_ReactivateOrg(t *testing.T) {
 		})
 	}
 }
 func TestCommandSide_RemoveOrg(t *testing.T) {
 	type fields struct {
 		eventstore  *eventstore.Eventstore
 		idGenerator id.Generator
 	}
 	type args struct {
 		ctx   context.Context
 		orgID string
 	}
 	type res struct {
 		err func(error) bool
 	}
 	tests := []struct {
 		name   string
 		fields fields
 		args   args
 		res    res
 	}{
 		{
 			name: "org not found, error",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 					expectFilter(),
 				),
 			},
 			args: args{
 				ctx:   context.Background(),
 				orgID: "org1",
 			},
 			res: res{
 				err: errors.IsNotFound,
 			},
 		},
 		{
 			name: "org already removed, error",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgAddedEvent(context.Background(),
 								&org.NewAggregate("org1").Aggregate,
 								"org"),
 						),
 						eventFromEventPusher(
 							org.NewOrgRemovedEvent(context.Background(),
 								&org.NewAggregate("org1").Aggregate,
 								"org", []string{}, false, []string{}, []*domain.UserIDPLink{}, []string{}),
 						),
 					),
 				),
 			},
 			args: args{
 				ctx:   context.Background(),
 				orgID: "org1",
 			},
 			res: res{
 				err: errors.IsNotFound,
 			},
 		},
 		{
 			name: "push failed, error",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgAddedEvent(context.Background(),
 								&org.NewAggregate("org1").Aggregate,
 								"org"),
 						),
 					),
 					expectFilter(
 						eventFromEventPusher(
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1").Aggregate,
 								true,
 								true,
 								true,
 							),
 						),
 					),
 					expectFilter(),
 					expectFilter(),
 					expectFilter(),
 					expectFilter(),
 					expectPushFailed(
 						errors.ThrowInternal(nil, "id", "message"),
 						[]*repository.Event{
 							eventFromEventPusher(
 								org.NewOrgRemovedEvent(
 									context.Background(), &org.NewAggregate("org1").Aggregate, "org", []string{}, false, []string{}, []*domain.UserIDPLink{}, []string{},
 								),
 							),
 						},
 						uniqueConstraintsFromEventConstraint(org.NewRemoveOrgNameUniqueConstraint("org")),
 					),
 				),
 			},
 			args: args{
 				ctx:   context.Background(),
 				orgID: "org1",
 			},
 			res: res{
 				err: errors.IsInternal,
 			},
 		},
 		{
 			name: "remove org",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgAddedEvent(context.Background(),
 								&org.NewAggregate("org1").Aggregate,
 								"org"),
 						),
 					),
 					expectFilter(
 						eventFromEventPusher(
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1").Aggregate,
 								true,
 								true,
 								true,
 							),
 						),
 					),
 					expectFilter(),
 					expectFilter(),
 					expectFilter(),
 					expectFilter(),
 					expectPush(
 						[]*repository.Event{
 							eventFromEventPusher(
 								org.NewOrgRemovedEvent(
 									context.Background(), &org.NewAggregate("org1").Aggregate, "org", []string{}, false, []string{}, []*domain.UserIDPLink{}, []string{},
 								),
 							),
 						},
 						uniqueConstraintsFromEventConstraint(org.NewRemoveOrgNameUniqueConstraint("org")),
 					),
 				),
 			},
 			args: args{
 				ctx:   context.Background(),
 				orgID: "org1",
 			},
 			res: res{},
 		},
 		{
 			name: "remove org with usernames and domains",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 					expectFilter(
 						eventFromEventPusher(
 							org.NewOrgAddedEvent(context.Background(),
 								&org.NewAggregate("org1").Aggregate,
 								"org"),
 						),
 					),
 					expectFilter(
 						eventFromEventPusher(
 							org.NewDomainPolicyAddedEvent(context.Background(),
 								&org.NewAggregate("org1").Aggregate,
 								true,
 								true,
 								true,
 							),
 						),
 					),
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
 								&user.NewAggregate("user1", "org1").Aggregate,
 								"user1",
 								"firstname1",
 								"lastname1",
 								"nickname1",
 								"displayname1",
 								language.German,
 								domain.GenderMale,
 								"email1",
 								true,
 							),
 						), eventFromEventPusher(
 							user.NewMachineAddedEvent(context.Background(),
 								&user.NewAggregate("user2", "org1").Aggregate,
 								"user2",
 								"name",
 								"description",
 								true,
 							),
 						),
 					),
 					expectFilter(
 						eventFromEventPusher(
 							org.NewDomainVerifiedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, "domain1"),
 						),
 						eventFromEventPusher(
 							org.NewDomainVerifiedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, "domain2"),
 						),
 					),
 					expectFilter(
 						eventFromEventPusher(
 							user.NewUserIDPLinkAddedEvent(context.Background(), &user.NewAggregate("user1", "org1").Aggregate, "config1", "display1", "id1"),
 						),
 						eventFromEventPusher(
 							user.NewUserIDPLinkAddedEvent(context.Background(), &user.NewAggregate("user2", "org1").Aggregate, "config2", "display2", "id2"),
 						),
 					),
 					expectFilter(
 						eventFromEventPusher(
 							project.NewSAMLConfigAddedEvent(context.Background(), &project.NewAggregate("project1", "org1").Aggregate, "app1", "entity1", []byte{}, ""),
 						),
 						eventFromEventPusher(
 							project.NewSAMLConfigAddedEvent(context.Background(), &project.NewAggregate("project2", "org1").Aggregate, "app2", "entity2", []byte{}, ""),
 						),
 					),
 					expectPush(
 						[]*repository.Event{
 							eventFromEventPusher(
 								org.NewOrgRemovedEvent(context.Background(), &org.NewAggregate("org1").Aggregate, "org",
 									[]string{"user1", "user2"},
 									false,
 									[]string{"domain1", "domain2"},
 									[]*domain.UserIDPLink{{IDPConfigID: "config1", ExternalUserID: "id1", DisplayName: "display1"}, {IDPConfigID: "config2", ExternalUserID: "id2", DisplayName: "display2"}},
 									[]string{"entity1", "entity2"},
 								),
 							),
 						},
 						uniqueConstraintsFromEventConstraint(org.NewRemoveOrgNameUniqueConstraint("org")),
 						uniqueConstraintsFromEventConstraint(user.NewRemoveUsernameUniqueConstraint("user1", "org1", true)),
 						uniqueConstraintsFromEventConstraint(user.NewRemoveUsernameUniqueConstraint("user2", "org1", true)),
 						uniqueConstraintsFromEventConstraint(org.NewRemoveOrgDomainUniqueConstraint("domain1")),
 						uniqueConstraintsFromEventConstraint(org.NewRemoveOrgDomainUniqueConstraint("domain2")),
 						uniqueConstraintsFromEventConstraint(user.NewRemoveUserIDPLinkUniqueConstraint("config1", "id1")),
 						uniqueConstraintsFromEventConstraint(user.NewRemoveUserIDPLinkUniqueConstraint("config2", "id2")),
 						uniqueConstraintsFromEventConstraint(project.NewRemoveSAMLConfigEntityIDUniqueConstraint("entity1")),
 						uniqueConstraintsFromEventConstraint(project.NewRemoveSAMLConfigEntityIDUniqueConstraint("entity2")),
 					),
 				),
 			},
 			args: args{
 				ctx:   context.Background(),
 				orgID: "org1",
 			},
 			res: res{},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
 				eventstore:  tt.fields.eventstore,
 				idGenerator: tt.fields.idGenerator,
 			}
 			_, err := r.RemoveOrg(tt.args.ctx, tt.args.orgID)
 			if tt.res.err == nil {
 				assert.NoError(t, err)
 			}
 			if tt.res.err != nil && !tt.res.err(err) {
 				t.Errorf("got wrong err: %v ", err)
 			}
 		})
 	}
 }
--- a/internal/command/project.go
+++ b/internal/command/project.go
@ -9,7 +9,6 @@ import (
 	"github.com/zitadel/zitadel/internal/command/preparation"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/errors"
 	caos_errs "github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/repository/project"
 )
@ -20,14 +19,14 @@ func (c *Commands) AddProjectWithID(ctx context.Context, project *domain.Project
 		return nil, err
 	}
 	if existingProject.State != domain.ProjectStateUnspecified {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-opamwu", "Errors.Project.AlreadyExisting")
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-opamwu", "Errors.Project.AlreadyExisting")
 	}
 	return c.addProjectWithID(ctx, project, resourceOwner, projectID)
 }
 func (c *Commands) AddProject(ctx context.Context, project *domain.Project, resourceOwner, ownerUserID string) (_ *domain.Project, err error) {
 	if !project.IsValid() {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "PROJECT-IOVCC", "Errors.Project.Invalid")
+		return nil, errors.ThrowInvalidArgument(nil, "PROJECT-IOVCC", "Errors.Project.Invalid")
 	}
 	projectID, err := c.idGenerator.Next()
@ -67,7 +66,7 @@ func (c *Commands) addProjectWithID(ctx context.Context, projectAdd *domain.Proj
 func (c *Commands) addProjectWithIDWithOwner(ctx context.Context, projectAdd *domain.Project, resourceOwner, ownerUserID, projectID string) (_ *domain.Project, err error) {
 	if !projectAdd.IsValid() {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "PROJECT-IOVCC", "Errors.Project.Invalid")
+		return nil, errors.ThrowInvalidArgument(nil, "PROJECT-IOVCC", "Errors.Project.Invalid")
 	}
 	projectAdd.AggregateID = projectID
 	addedProject := NewProjectWriteModel(projectAdd.AggregateID, resourceOwner)
@ -154,7 +153,7 @@ func (c *Commands) getProjectByID(ctx context.Context, projectID, resourceOwner
 		return nil, err
 	}
 	if projectWriteModel.State == domain.ProjectStateUnspecified || projectWriteModel.State == domain.ProjectStateRemoved {
-		return nil, caos_errs.ThrowNotFound(nil, "PROJECT-Gd2hh", "Errors.Project.NotFound")
+		return nil, errors.ThrowNotFound(nil, "PROJECT-Gd2hh", "Errors.Project.NotFound")
 	}
 	return projectWriteModelToProject(projectWriteModel), nil
 }
@ -165,14 +164,14 @@ func (c *Commands) checkProjectExists(ctx context.Context, projectID, resourceOw
 		return err
 	}
 	if projectWriteModel.State == domain.ProjectStateUnspecified || projectWriteModel.State == domain.ProjectStateRemoved {
-		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-EbFMN", "Errors.Project.NotFound")
+		return errors.ThrowPreconditionFailed(nil, "COMMAND-EbFMN", "Errors.Project.NotFound")
 	}
 	return nil
 }
 func (c *Commands) ChangeProject(ctx context.Context, projectChange *domain.Project, resourceOwner string) (*domain.Project, error) {
 	if !projectChange.IsValid() || projectChange.AggregateID == "" {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-4m9vS", "Errors.Project.Invalid")
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-4m9vS", "Errors.Project.Invalid")
 	}
 	existingProject, err := c.getProjectWriteModelByID(ctx, projectChange.AggregateID, resourceOwner)
@ -180,7 +179,7 @@ func (c *Commands) ChangeProject(ctx context.Context, projectChange *domain.Proj
 		return nil, err
 	}
 	if existingProject.State == domain.ProjectStateUnspecified || existingProject.State == domain.ProjectStateRemoved {
-		return nil, caos_errs.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.Project.NotFound")
+		return nil, errors.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.Project.NotFound")
 	}
 	projectAgg := ProjectAggregateFromWriteModel(&existingProject.WriteModel)
@ -196,7 +195,7 @@ func (c *Commands) ChangeProject(ctx context.Context, projectChange *domain.Proj
 		return nil, err
 	}
 	if !hasChanged {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2M0fs", "Errors.NoChangesFound")
+		return nil, errors.ThrowPreconditionFailed(nil, "COMMAND-2M0fs", "Errors.NoChangesFound")
 	}
 	pushedEvents, err := c.eventstore.Push(ctx, changedEvent)
 	if err != nil {
@ -211,7 +210,7 @@ func (c *Commands) ChangeProject(ctx context.Context, projectChange *domain.Proj
 func (c *Commands) DeactivateProject(ctx context.Context, projectID string, resourceOwner string) (*domain.ObjectDetails, error) {
 	if projectID == "" || resourceOwner == "" {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-88iF0", "Errors.Project.ProjectIDMissing")
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-88iF0", "Errors.Project.ProjectIDMissing")
 	}
 	existingProject, err := c.getProjectWriteModelByID(ctx, projectID, resourceOwner)
@ -219,10 +218,10 @@ func (c *Commands) DeactivateProject(ctx context.Context, projectID string, reso
 		return nil, err
 	}
 	if existingProject.State == domain.ProjectStateUnspecified || existingProject.State == domain.ProjectStateRemoved {
-		return nil, caos_errs.ThrowNotFound(nil, "COMMAND-112M9", "Errors.Project.NotFound")
+		return nil, errors.ThrowNotFound(nil, "COMMAND-112M9", "Errors.Project.NotFound")
 	}
 	if existingProject.State != domain.ProjectStateActive {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-mki55", "Errors.Project.NotActive")
+		return nil, errors.ThrowPreconditionFailed(nil, "COMMAND-mki55", "Errors.Project.NotActive")
 	}
 	projectAgg := ProjectAggregateFromWriteModel(&existingProject.WriteModel)
@ -239,7 +238,7 @@ func (c *Commands) DeactivateProject(ctx context.Context, projectID string, reso
 func (c *Commands) ReactivateProject(ctx context.Context, projectID string, resourceOwner string) (*domain.ObjectDetails, error) {
 	if projectID == "" || resourceOwner == "" {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-3ihsF", "Errors.Project.ProjectIDMissing")
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-3ihsF", "Errors.Project.ProjectIDMissing")
 	}
 	existingProject, err := c.getProjectWriteModelByID(ctx, projectID, resourceOwner)
@ -247,10 +246,10 @@ func (c *Commands) ReactivateProject(ctx context.Context, projectID string, reso
 		return nil, err
 	}
 	if existingProject.State == domain.ProjectStateUnspecified || existingProject.State == domain.ProjectStateRemoved {
-		return nil, caos_errs.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.Project.NotFound")
+		return nil, errors.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.Project.NotFound")
 	}
 	if existingProject.State != domain.ProjectStateInactive {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-5M9bs", "Errors.Project.NotInactive")
+		return nil, errors.ThrowPreconditionFailed(nil, "COMMAND-5M9bs", "Errors.Project.NotInactive")
 	}
 	projectAgg := ProjectAggregateFromWriteModel(&existingProject.WriteModel)
@ -267,7 +266,7 @@ func (c *Commands) ReactivateProject(ctx context.Context, projectID string, reso
 func (c *Commands) RemoveProject(ctx context.Context, projectID, resourceOwner string, cascadingUserGrantIDs ...string) (*domain.ObjectDetails, error) {
 	if projectID == "" || resourceOwner == "" {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-66hM9", "Errors.Project.ProjectIDMissing")
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-66hM9", "Errors.Project.ProjectIDMissing")
 	}
 	existingProject, err := c.getProjectWriteModelByID(ctx, projectID, resourceOwner)
@ -275,7 +274,7 @@ func (c *Commands) RemoveProject(ctx context.Context, projectID, resourceOwner s
 		return nil, err
 	}
 	if existingProject.State == domain.ProjectStateUnspecified || existingProject.State == domain.ProjectStateRemoved {
-		return nil, caos_errs.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.Project.NotFound")
+		return nil, errors.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.Project.NotFound")
 	}
 	samlEntityIDsAgg, err := c.getSAMLEntityIdsWriteModelByProjectID(ctx, projectID, resourceOwner)
--- a/Show More
+++ b/Show More