feat: policies on aggregates (#799)

* feat: move pw policy

* feat: default pw complexity policy

* fix: org password complexity policy

* fix: org password complexity policy

* fix: pw complexity policy with setup

* fix: age and lockout policies on aggregates

* fix: migration

* fix: org iam policy

* fix: org iam policy

* fix: org iam policy

* fix: tests

* fix: policy request

* fix: merge master

* fix(console): policies frontend (#817)

* fix policy build

* fix: age, complexity, lockout policies

* fix: ready return err of setup not done

* fix: fix remove policies in spoolers

* fix: fix remove policies in spoolers

* feat(console): policy settings for iam and org (#824)

* fix policy build

* fix: age, complexity, lockout policies

* fix pwd complexity

* policy remove action

* add imports

* fix accounts card, enable mgmt login policy

* lint

* add iam policy to admin

* toasts, i18n, show default

* routing, i18n

* reset policy, toast i18n, cleanup, routing

* policy delete permission

* lint style

* delete iam policy

* delete non project from grid list, i18n

* lint ts, style

* fix: remove instead delete

* feat(console): delete external idp from user (#835)

* dialog i18n, delete column and function

* dialog i18n

* fix rm button

* Update console/src/assets/i18n/de.json

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* Update console/src/assets/i18n/de.json

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* fix: revert env, rename policy, remove comments

* fix: lowercase sich

* fix: pr requests

* Update internal/iam/repository/eventsourcing/eventstore_test.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* fix: tests

* fix: tests

* fix(console): policies (#839)

* fix: nil pointer on get userdata (#815)

* fix: external login (#818)

* fix: external login

* fix: external login

* feat(console): delete user (#819)

* add action col to user table, i18n

* delete user from detail component

* lint

* fix(console): cleanup user detail and member components, user/me redirect, permission guards, filter, org policy guard, user table, scss cleanup (#808)

* fix: remove user.write guard for filtering

* border color

* fix user routing from member tables

* idp detail layout

* generic contact component

* fix redirect to auth user, user grant disable

* disable policy action without permission, i18n

* user-create flex fix, contact ng-content

* rm unused styles

* sidenav divider

* lint

* chore(deps-dev): bump @angular/cli from 10.1.3 to 10.1.4 in /console (#806)

* fix: user session with external login (#797)

* fix: user session with external login

* fix: tests

* fix: tests

* fix: change idp config name

* fix(container): stop copying / and instead only copy zitadel (#691)

* chore: stop copying / and instead only copy zitadel

* Update Dockerfile

* Update release.yml

* enable anchors debug

* fix(container): don't copy alpine content into scratch execpt pwd

* chore: remove need step

* merge master

* chore(deps-dev): bump @angular/cli from 10.1.3 to 10.1.4 in /console

Bumps [@angular/cli](https://github.com/angular/angular-cli) from 10.1.3 to 10.1.4.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/compare/v10.1.3...v10.1.4)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular/language-service from 10.1.3 to 10.1.4 in /console (#805)

* fix: user session with external login (#797)

* fix: user session with external login

* fix: tests

* fix: tests

* fix: change idp config name

* fix(container): stop copying / and instead only copy zitadel (#691)

* chore: stop copying / and instead only copy zitadel

* Update Dockerfile

* Update release.yml

* enable anchors debug

* fix(container): don't copy alpine content into scratch execpt pwd

* chore: remove need step

* merge master

* chore(deps-dev): bump @angular/language-service in /console

Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 10.1.3 to 10.1.4.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/10.1.4/packages/language-service)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump codelyzer from 6.0.0 to 6.0.1 in /console (#804)

* fix: user session with external login (#797)

* fix: user session with external login

* fix: tests

* fix: tests

* fix: change idp config name

* fix(container): stop copying / and instead only copy zitadel (#691)

* chore: stop copying / and instead only copy zitadel

* Update Dockerfile

* Update release.yml

* enable anchors debug

* fix(container): don't copy alpine content into scratch execpt pwd

* chore: remove need step

* merge master

* chore(deps-dev): bump codelyzer from 6.0.0 to 6.0.1 in /console

Bumps [codelyzer](https://github.com/mgechev/codelyzer) from 6.0.0 to 6.0.1.
- [Release notes](https://github.com/mgechev/codelyzer/releases)
- [Changelog](https://github.com/mgechev/codelyzer/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mgechev/codelyzer/commits/6.0.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular-devkit/build-angular from 0.1000.8 to 0.1001.4 in /console (#803)

* fix: user session with external login (#797)

* fix: user session with external login

* fix: tests

* fix: tests

* fix: change idp config name

* fix(container): stop copying / and instead only copy zitadel (#691)

* chore: stop copying / and instead only copy zitadel

* Update Dockerfile

* Update release.yml

* enable anchors debug

* fix(container): don't copy alpine content into scratch execpt pwd

* chore: remove need step

* merge master

* chore(deps-dev): bump @angular-devkit/build-angular in /console

Bumps [@angular-devkit/build-angular](https://github.com/angular/angular-cli) from 0.1000.8 to 0.1001.4.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>

* chore(deps): bump uuid from 8.3.0 to 8.3.1 in /console (#802)

* fix: user session with external login (#797)

* fix: user session with external login

* fix: tests

* fix: tests

* fix: change idp config name

* fix(container): stop copying / and instead only copy zitadel (#691)

* chore: stop copying / and instead only copy zitadel

* Update Dockerfile

* Update release.yml

* enable anchors debug

* fix(container): don't copy alpine content into scratch execpt pwd

* chore: remove need step

* merge master

* chore(deps): bump uuid from 8.3.0 to 8.3.1 in /console

Bumps [uuid](https://github.com/uuidjs/uuid) from 8.3.0 to 8.3.1.
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/master/CHANGELOG.md)
- [Commits](https://github.com/uuidjs/uuid/compare/v8.3.0...v8.3.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* create memberstable as common component

* iam member cleanup

* iam + org m table, user table service user avatar

* toast config

* fix selection emitter

* fix project grant table width

* project grant members refactor

* theme optimizations

* member table col delete

* lint

* fix table row color

* refactor grey color

* lint scss

* org list redirect on click, fix user table undef

* refresh table after grant add

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>

* fix(console): intercept navigator.language, set browser lang as default for user without explicit setting, user table outline, member create dialog import (#820)

* i18n interceptor, set language to browser lang

* nullcheck

* rm external idp log

* fix module imports, rm user displayname from i18n

* Update console/src/assets/i18n/de.json

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* fix: delete external idps from users (#822)

* fix(console): permission regex, account switcher null check, restrict app and member create access (#821)

* fix member table disable, gerneal regexp

* fix user session card, app disable

* memberships max count

* fix policy permissions

* permission check for member add dialog

* lint

* rm accounts log

* rm id regex

* fix: handle usermemberships on project and project grant delete (#825)

* fix: go handler

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>

* fix: tests

* fix: not needed error handling

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>

internal/admin/repository/eventsourcing/eventstore/iam.go

@@ -242,3 +242,75 @@ func (repo *IAMRepository) RemoveIDPProviderFromLoginPolicy(ctx context.Context,
 	}
 	return es_sdk.PushAggregates(ctx, repo.Eventstore.PushAggregates, nil, aggregates...)
 }
+
+func (repo *IAMRepository) GetDefaultPasswordComplexityPolicy(ctx context.Context) (*iam_model.PasswordComplexityPolicyView, error) {
+	policy, err := repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.PasswordComplexityViewToModel(policy), nil
+}
+
+func (repo *IAMRepository) AddDefaultPasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error) {
+	policy.AggregateID = repo.SystemDefaults.IamID
+	return repo.IAMEventstore.AddPasswordComplexityPolicy(ctx, policy)
+}
+
+func (repo *IAMRepository) ChangeDefaultPasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error) {
+	policy.AggregateID = repo.SystemDefaults.IamID
+	return repo.IAMEventstore.ChangePasswordComplexityPolicy(ctx, policy)
+}
+
+func (repo *IAMRepository) GetDefaultPasswordAgePolicy(ctx context.Context) (*iam_model.PasswordAgePolicyView, error) {
+	policy, err := repo.View.PasswordAgePolicyByAggregateID(repo.SystemDefaults.IamID)
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.PasswordAgeViewToModel(policy), nil
+}
+
+func (repo *IAMRepository) AddDefaultPasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error) {
+	policy.AggregateID = repo.SystemDefaults.IamID
+	return repo.IAMEventstore.AddPasswordAgePolicy(ctx, policy)
+}
+
+func (repo *IAMRepository) ChangeDefaultPasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error) {
+	policy.AggregateID = repo.SystemDefaults.IamID
+	return repo.IAMEventstore.ChangePasswordAgePolicy(ctx, policy)
+}
+
+func (repo *IAMRepository) GetDefaultPasswordLockoutPolicy(ctx context.Context) (*iam_model.PasswordLockoutPolicyView, error) {
+	policy, err := repo.View.PasswordLockoutPolicyByAggregateID(repo.SystemDefaults.IamID)
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.PasswordLockoutViewToModel(policy), nil
+}
+
+func (repo *IAMRepository) AddDefaultPasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error) {
+	policy.AggregateID = repo.SystemDefaults.IamID
+	return repo.IAMEventstore.AddPasswordLockoutPolicy(ctx, policy)
+}
+
+func (repo *IAMRepository) ChangeDefaultPasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error) {
+	policy.AggregateID = repo.SystemDefaults.IamID
+	return repo.IAMEventstore.ChangePasswordLockoutPolicy(ctx, policy)
+}
+
+func (repo *IAMRepository) GetOrgIAMPolicy(ctx context.Context) (*iam_model.OrgIAMPolicyView, error) {
+	policy, err := repo.View.OrgIAMPolicyByAggregateID(repo.SystemDefaults.IamID)
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.OrgIAMViewToModel(policy), nil
+}
+
+func (repo *IAMRepository) AddDefaultOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
+	policy.AggregateID = repo.SystemDefaults.IamID
+	return repo.IAMEventstore.AddOrgIAMPolicy(ctx, policy)
+}
+
+func (repo *IAMRepository) ChangeDefaultOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
+	policy.AggregateID = repo.SystemDefaults.IamID
+	return repo.IAMEventstore.ChangeOrgIAMPolicy(ctx, policy)
+}

internal/admin/repository/eventsourcing/eventstore/org.go

@@ -2,6 +2,9 @@ package eventstore
 
 import (
 	"context"
+	"github.com/caos/zitadel/internal/errors"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	iam_view "github.com/caos/zitadel/internal/iam/repository/view/model"
 
 	"github.com/caos/logging"
 	admin_model "github.com/caos/zitadel/internal/admin/model"
@@ -10,11 +13,10 @@ import (
 	"github.com/caos/zitadel/internal/eventstore"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/eventstore/sdk"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/view/model"
 	org_model "github.com/caos/zitadel/internal/org/model"
 	org_es "github.com/caos/zitadel/internal/org/repository/eventsourcing"
 	"github.com/caos/zitadel/internal/org/repository/view/model"
-	policy_model "github.com/caos/zitadel/internal/policy/model"
-	policy_es "github.com/caos/zitadel/internal/policy/repository/eventsourcing"
 	usr_es "github.com/caos/zitadel/internal/user/repository/eventsourcing"
 )
 
@@ -23,10 +25,9 @@ const (
 )
 
 type OrgRepo struct {
-	Eventstore       eventstore.Eventstore
-	OrgEventstore    *org_es.OrgEventstore
-	UserEventstore   *usr_es.UserEventstore
-	PolicyEventstore *policy_es.PolicyEventstore
+	Eventstore     eventstore.Eventstore
+	OrgEventstore  *org_es.OrgEventstore
+	UserEventstore *usr_es.UserEventstore
 
 	View *admin_view.View
 
@@ -35,11 +36,12 @@ type OrgRepo struct {
 }
 
 func (repo *OrgRepo) SetUpOrg(ctx context.Context, setUp *admin_model.SetupOrg) (*admin_model.SetupOrg, error) {
-	pwPolicy, err := repo.PolicyEventstore.GetPasswordComplexityPolicy(ctx, policy_model.DefaultPolicy)
+	pwPolicy, err := repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
 	if err != nil {
 		return nil, err
 	}
-	orgPolicy, err := repo.OrgEventstore.GetOrgIAMPolicy(ctx, policy_model.DefaultPolicy)
+	pwPolicyView := iam_view.PasswordComplexityViewToModel(pwPolicy)
+	orgPolicy, err := repo.GetDefaultOrgIAMPolicy(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -54,7 +56,7 @@ func (repo *OrgRepo) SetUpOrg(ctx context.Context, setUp *admin_model.SetupOrg)
 	if err != nil {
 		return nil, err
 	}
-	user, userAggregates, err := repo.UserEventstore.PrepareCreateUser(ctx, setUp.User, pwPolicy, orgPolicy, org.AggregateID)
+	user, userAggregates, err := repo.UserEventstore.PrepareCreateUser(ctx, setUp.User, pwPolicyView, orgPolicy, org.AggregateID)
 	if err != nil {
 		return nil, err
 	}
@@ -92,7 +94,7 @@ func (repo *OrgRepo) SearchOrgs(ctx context.Context, query *org_model.OrgSearchR
 	result := &org_model.OrgSearchResult{
 		Offset:      query.Offset,
 		Limit:       query.Limit,
-		TotalResult: uint64(count),
+		TotalResult: count,
 		Result:      model.OrgsToModel(orgs),
 	}
 	if err == nil {
@@ -106,18 +108,34 @@ func (repo *OrgRepo) IsOrgUnique(ctx context.Context, name, domain string) (isUn
 	return repo.OrgEventstore.IsOrgUnique(ctx, name, domain)
 }
 
-func (repo *OrgRepo) GetOrgIamPolicyByID(ctx context.Context, id string) (*org_model.OrgIAMPolicy, error) {
-	return repo.OrgEventstore.GetOrgIAMPolicy(ctx, id)
+func (repo *OrgRepo) GetOrgIAMPolicyByID(ctx context.Context, id string) (*iam_model.OrgIAMPolicyView, error) {
+	policy, err := repo.View.OrgIAMPolicyByAggregateID(id)
+	if errors.IsNotFound(err) {
+		return repo.GetDefaultOrgIAMPolicy(ctx)
+	}
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.OrgIAMViewToModel(policy), err
 }
 
-func (repo *OrgRepo) CreateOrgIamPolicy(ctx context.Context, policy *org_model.OrgIAMPolicy) (*org_model.OrgIAMPolicy, error) {
+func (repo *OrgRepo) GetDefaultOrgIAMPolicy(ctx context.Context) (*iam_model.OrgIAMPolicyView, error) {
+	policy, err := repo.View.OrgIAMPolicyByAggregateID(repo.SystemDefaults.IamID)
+	if err != nil {
+		return nil, err
+	}
+	policy.Default = true
+	return iam_es_model.OrgIAMViewToModel(policy), err
+}
+
+func (repo *OrgRepo) CreateOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
 	return repo.OrgEventstore.AddOrgIAMPolicy(ctx, policy)
 }
 
-func (repo *OrgRepo) ChangeOrgIamPolicy(ctx context.Context, policy *org_model.OrgIAMPolicy) (*org_model.OrgIAMPolicy, error) {
+func (repo *OrgRepo) ChangeOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
 	return repo.OrgEventstore.ChangeOrgIAMPolicy(ctx, policy)
 }
 
-func (repo *OrgRepo) RemoveOrgIamPolicy(ctx context.Context, id string) error {
+func (repo *OrgRepo) RemoveOrgIAMPolicy(ctx context.Context, id string) error {
 	return repo.OrgEventstore.RemoveOrgIAMPolicy(ctx, id)
 }

internal/admin/repository/eventsourcing/eventstore/user.go

@@ -2,18 +2,22 @@ package eventstore
 
 import (
 	"context"
+	admin_view "github.com/caos/zitadel/internal/admin/repository/eventsourcing/view"
+	"github.com/caos/zitadel/internal/config/systemdefaults"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	iam_view "github.com/caos/zitadel/internal/iam/repository/view/model"
 
 	"github.com/caos/zitadel/internal/api/authz"
 	org_event "github.com/caos/zitadel/internal/org/repository/eventsourcing"
-	policy_event "github.com/caos/zitadel/internal/policy/repository/eventsourcing"
 	usr_model "github.com/caos/zitadel/internal/user/model"
 	usr_event "github.com/caos/zitadel/internal/user/repository/eventsourcing"
 )
 
 type UserRepo struct {
-	UserEvents   *usr_event.UserEventstore
-	PolicyEvents *policy_event.PolicyEventstore
-	OrgEvents    *org_event.OrgEventstore
+	UserEvents     *usr_event.UserEventstore
+	OrgEvents      *org_event.OrgEventstore
+	View           *admin_view.View
+	SystemDefaults systemdefaults.SystemDefaults
 }
 
 func (repo *UserRepo) UserByID(ctx context.Context, id string) (project *usr_model.User, err error) {
@@ -21,15 +25,23 @@ func (repo *UserRepo) UserByID(ctx context.Context, id string) (project *usr_mod
 }
 
 func (repo *UserRepo) CreateUser(ctx context.Context, user *usr_model.User) (*usr_model.User, error) {
-	pwPolicy, err := repo.PolicyEvents.GetPasswordComplexityPolicy(ctx, authz.GetCtxData(ctx).OrgID)
+	pwPolicy, err := repo.View.PasswordComplexityPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
+	if caos_errs.IsNotFound(err) {
+		pwPolicy, err = repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
+	}
 	if err != nil {
 		return nil, err
 	}
-	orgPolicy, err := repo.OrgEvents.GetOrgIAMPolicy(ctx, authz.GetCtxData(ctx).OrgID)
-	if err != nil {
-		return nil, err
+	pwPolicyView := iam_view.PasswordComplexityViewToModel(pwPolicy)
+	orgPolicy, err := repo.View.OrgIAMPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
+	if err != nil && caos_errs.IsNotFound(err) {
+		orgPolicy, err = repo.View.OrgIAMPolicyByAggregateID(repo.SystemDefaults.IamID)
+		if err != nil {
+			return nil, err
+		}
 	}
-	return repo.UserEvents.CreateUser(ctx, user, pwPolicy, orgPolicy)
+	orgPolicyView := iam_view.OrgIAMViewToModel(orgPolicy)
+	return repo.UserEvents.CreateUser(ctx, user, pwPolicyView, orgPolicyView)
 }
 
 func (repo *UserRepo) RegisterUser(ctx context.Context, user *usr_model.User, resourceOwner string) (*usr_model.User, error) {
@@ -37,13 +49,22 @@ func (repo *UserRepo) RegisterUser(ctx context.Context, user *usr_model.User, re
 	if resourceOwner != "" {
 		policyResourceOwner = resourceOwner
 	}
-	pwPolicy, err := repo.PolicyEvents.GetPasswordComplexityPolicy(ctx, policyResourceOwner)
+	pwPolicy, err := repo.View.PasswordComplexityPolicyByAggregateID(policyResourceOwner)
+	if caos_errs.IsNotFound(err) {
+		pwPolicy, err = repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
+	}
 	if err != nil {
 		return nil, err
 	}
-	orgPolicy, err := repo.OrgEvents.GetOrgIAMPolicy(ctx, policyResourceOwner)
+	pwPolicyView := iam_view.PasswordComplexityViewToModel(pwPolicy)
+
+	orgPolicy, err := repo.View.OrgIAMPolicyByAggregateID(policyResourceOwner)
+	if caos_errs.IsNotFound(err) {
+		orgPolicy, err = repo.View.OrgIAMPolicyByAggregateID(repo.SystemDefaults.IamID)
+	}
 	if err != nil {
 		return nil, err
 	}
-	return repo.UserEvents.RegisterUser(ctx, user, pwPolicy, orgPolicy, resourceOwner)
+	orgPolicyView := iam_view.OrgIAMViewToModel(orgPolicy)
+	return repo.UserEvents.RegisterUser(ctx, user, pwPolicyView, orgPolicyView, resourceOwner)
 }

internal/admin/repository/eventsourcing/handler/handler.go

@@ -42,7 +42,11 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, ev
 		&IDPProvider{handler: handler{view, bulkLimit, configs.cycleDuration("LoginPolicy"), errorCount},
 			systemDefaults: defaults, iamEvents: repos.IamEvents, orgEvents: repos.OrgEvents},
 		&User{handler: handler{view, bulkLimit, configs.cycleDuration("User"), errorCount},
-			eventstore: eventstore, orgEvents: repos.OrgEvents},
+			eventstore: eventstore, orgEvents: repos.OrgEvents, iamEvents: repos.IamEvents, systemDefaults: defaults},
+		&PasswordComplexityPolicy{handler: handler{view, bulkLimit, configs.cycleDuration("PasswordComplexityPolicy"), errorCount}},
+		&PasswordAgePolicy{handler: handler{view, bulkLimit, configs.cycleDuration("PasswordAgePolicy"), errorCount}},
+		&PasswordLockoutPolicy{handler: handler{view, bulkLimit, configs.cycleDuration("PasswordLockoutPolicy"), errorCount}},
+		&OrgIAMPolicy{handler: handler{view, bulkLimit, configs.cycleDuration("OrgIAMPolicy"), errorCount}},
 		&ExternalIDP{handler: handler{view, bulkLimit, configs.cycleDuration("User"), errorCount},
 			orgEvents: repos.OrgEvents, iamEvents: repos.IamEvents, systemDefaults: defaults},
 	}

internal/admin/repository/eventsourcing/handler/org_iam_policy.go

@@ -0,0 +1,69 @@
+package handler
+
+import (
+	"github.com/caos/logging"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/eventstore/spooler"
+	iam_model "github.com/caos/zitadel/internal/iam/repository/view/model"
+	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+)
+
+type OrgIAMPolicy struct {
+	handler
+}
+
+const (
+	orgIAMPolicyTable = "adminapi.org_iam_policies"
+)
+
+func (m *OrgIAMPolicy) ViewModel() string {
+	return orgIAMPolicyTable
+}
+
+func (m *OrgIAMPolicy) EventQuery() (*models.SearchQuery, error) {
+	sequence, err := m.view.GetLatestOrgIAMPolicySequence()
+	if err != nil {
+		return nil, err
+	}
+	return es_models.NewSearchQuery().
+		AggregateTypeFilter(model.OrgAggregate, iam_es_model.IAMAggregate).
+		LatestSequenceFilter(sequence.CurrentSequence), nil
+}
+
+func (m *OrgIAMPolicy) Reduce(event *models.Event) (err error) {
+	switch event.AggregateType {
+	case model.OrgAggregate, iam_es_model.IAMAggregate:
+		err = m.processOrgIAMPolicy(event)
+	}
+	return err
+}
+
+func (m *OrgIAMPolicy) processOrgIAMPolicy(event *models.Event) (err error) {
+	policy := new(iam_model.OrgIAMPolicyView)
+	switch event.Type {
+	case iam_es_model.OrgIAMPolicyAdded, model.OrgIAMPolicyAdded:
+		err = policy.AppendEvent(event)
+	case iam_es_model.OrgIAMPolicyChanged, model.OrgIAMPolicyChanged:
+		policy, err = m.view.OrgIAMPolicyByAggregateID(event.AggregateID)
+		if err != nil {
+			return err
+		}
+		err = policy.AppendEvent(event)
+	case model.OrgIAMPolicyRemoved:
+		return m.view.DeleteOrgIAMPolicy(event.AggregateID, event.Sequence)
+	default:
+		return m.view.ProcessedOrgIAMPolicySequence(event.Sequence)
+	}
+	if err != nil {
+		return err
+	}
+	return m.view.PutOrgIAMPolicy(policy, policy.Sequence)
+}
+
+func (m *OrgIAMPolicy) OnError(event *models.Event, err error) error {
+	logging.LogWithFields("SPOOL-Wm8fs", "id", event.AggregateID).WithError(err).Warn("something went wrong in orgIAM policy handler")
+	return spooler.HandleError(event, err, m.view.GetLatestOrgIAMPolicyFailedEvent, m.view.ProcessedOrgIAMPolicyFailedEvent, m.view.ProcessedOrgIAMPolicySequence, m.errorCountUntilSkip)
+}

internal/admin/repository/eventsourcing/handler/password_age_policy.go

@@ -0,0 +1,69 @@
+package handler
+
+import (
+	"github.com/caos/logging"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/eventstore/spooler"
+	iam_model "github.com/caos/zitadel/internal/iam/repository/view/model"
+	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+)
+
+type PasswordAgePolicy struct {
+	handler
+}
+
+const (
+	passwordAgePolicyTable = "adminapi.password_age_policies"
+)
+
+func (m *PasswordAgePolicy) ViewModel() string {
+	return passwordAgePolicyTable
+}
+
+func (m *PasswordAgePolicy) EventQuery() (*models.SearchQuery, error) {
+	sequence, err := m.view.GetLatestPasswordAgePolicySequence()
+	if err != nil {
+		return nil, err
+	}
+	return es_models.NewSearchQuery().
+		AggregateTypeFilter(model.OrgAggregate, iam_es_model.IAMAggregate).
+		LatestSequenceFilter(sequence.CurrentSequence), nil
+}
+
+func (m *PasswordAgePolicy) Reduce(event *models.Event) (err error) {
+	switch event.AggregateType {
+	case model.OrgAggregate, iam_es_model.IAMAggregate:
+		err = m.processPasswordAgePolicy(event)
+	}
+	return err
+}
+
+func (m *PasswordAgePolicy) processPasswordAgePolicy(event *models.Event) (err error) {
+	policy := new(iam_model.PasswordAgePolicyView)
+	switch event.Type {
+	case iam_es_model.PasswordAgePolicyAdded, model.PasswordAgePolicyAdded:
+		err = policy.AppendEvent(event)
+	case iam_es_model.PasswordAgePolicyChanged, model.PasswordAgePolicyChanged:
+		policy, err = m.view.PasswordAgePolicyByAggregateID(event.AggregateID)
+		if err != nil {
+			return err
+		}
+		err = policy.AppendEvent(event)
+	case model.PasswordAgePolicyRemoved:
+		return m.view.DeletePasswordAgePolicy(event.AggregateID, event.Sequence)
+	default:
+		return m.view.ProcessedPasswordAgePolicySequence(event.Sequence)
+	}
+	if err != nil {
+		return err
+	}
+	return m.view.PutPasswordAgePolicy(policy, policy.Sequence)
+}
+
+func (m *PasswordAgePolicy) OnError(event *models.Event, err error) error {
+	logging.LogWithFields("SPOOL-nD8sie", "id", event.AggregateID).WithError(err).Warn("something went wrong in passwordAge policy handler")
+	return spooler.HandleError(event, err, m.view.GetLatestPasswordAgePolicyFailedEvent, m.view.ProcessedPasswordAgePolicyFailedEvent, m.view.ProcessedPasswordAgePolicySequence, m.errorCountUntilSkip)
+}

internal/admin/repository/eventsourcing/handler/password_complexity_policy.go

@@ -0,0 +1,69 @@
+package handler
+
+import (
+	"github.com/caos/logging"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/eventstore/spooler"
+	iam_model "github.com/caos/zitadel/internal/iam/repository/view/model"
+	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+)
+
+type PasswordComplexityPolicy struct {
+	handler
+}
+
+const (
+	passwordComplexityPolicyTable = "adminapi.password_complexity_policies"
+)
+
+func (m *PasswordComplexityPolicy) ViewModel() string {
+	return passwordComplexityPolicyTable
+}
+
+func (m *PasswordComplexityPolicy) EventQuery() (*models.SearchQuery, error) {
+	sequence, err := m.view.GetLatestPasswordComplexityPolicySequence()
+	if err != nil {
+		return nil, err
+	}
+	return es_models.NewSearchQuery().
+		AggregateTypeFilter(model.OrgAggregate, iam_es_model.IAMAggregate).
+		LatestSequenceFilter(sequence.CurrentSequence), nil
+}
+
+func (m *PasswordComplexityPolicy) Reduce(event *models.Event) (err error) {
+	switch event.AggregateType {
+	case model.OrgAggregate, iam_es_model.IAMAggregate:
+		err = m.processPasswordComplexityPolicy(event)
+	}
+	return err
+}
+
+func (m *PasswordComplexityPolicy) processPasswordComplexityPolicy(event *models.Event) (err error) {
+	policy := new(iam_model.PasswordComplexityPolicyView)
+	switch event.Type {
+	case iam_es_model.PasswordComplexityPolicyAdded, model.PasswordComplexityPolicyAdded:
+		err = policy.AppendEvent(event)
+	case iam_es_model.PasswordComplexityPolicyChanged, model.PasswordComplexityPolicyChanged:
+		policy, err = m.view.PasswordComplexityPolicyByAggregateID(event.AggregateID)
+		if err != nil {
+			return err
+		}
+		err = policy.AppendEvent(event)
+	case model.PasswordComplexityPolicyRemoved:
+		return m.view.DeletePasswordComplexityPolicy(event.AggregateID, event.Sequence)
+	default:
+		return m.view.ProcessedPasswordComplexityPolicySequence(event.Sequence)
+	}
+	if err != nil {
+		return err
+	}
+	return m.view.PutPasswordComplexityPolicy(policy, policy.Sequence)
+}
+
+func (m *PasswordComplexityPolicy) OnError(event *models.Event, err error) error {
+	logging.LogWithFields("SPOOL-Wm8fs", "id", event.AggregateID).WithError(err).Warn("something went wrong in passwordComplexity policy handler")
+	return spooler.HandleError(event, err, m.view.GetLatestPasswordComplexityPolicyFailedEvent, m.view.ProcessedPasswordComplexityPolicyFailedEvent, m.view.ProcessedPasswordComplexityPolicySequence, m.errorCountUntilSkip)
+}

internal/admin/repository/eventsourcing/handler/password_lockout_policy.go

@@ -0,0 +1,69 @@
+package handler
+
+import (
+	"github.com/caos/logging"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/eventstore/spooler"
+	iam_model "github.com/caos/zitadel/internal/iam/repository/view/model"
+	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+)
+
+type PasswordLockoutPolicy struct {
+	handler
+}
+
+const (
+	passwordLockoutPolicyTable = "adminapi.password_lockout_policies"
+)
+
+func (m *PasswordLockoutPolicy) ViewModel() string {
+	return passwordLockoutPolicyTable
+}
+
+func (m *PasswordLockoutPolicy) EventQuery() (*models.SearchQuery, error) {
+	sequence, err := m.view.GetLatestPasswordLockoutPolicySequence()
+	if err != nil {
+		return nil, err
+	}
+	return es_models.NewSearchQuery().
+		AggregateTypeFilter(model.OrgAggregate, iam_es_model.IAMAggregate).
+		LatestSequenceFilter(sequence.CurrentSequence), nil
+}
+
+func (m *PasswordLockoutPolicy) Reduce(event *models.Event) (err error) {
+	switch event.AggregateType {
+	case model.OrgAggregate, iam_es_model.IAMAggregate:
+		err = m.processPasswordLockoutPolicy(event)
+	}
+	return err
+}
+
+func (m *PasswordLockoutPolicy) processPasswordLockoutPolicy(event *models.Event) (err error) {
+	policy := new(iam_model.PasswordLockoutPolicyView)
+	switch event.Type {
+	case iam_es_model.PasswordLockoutPolicyAdded, model.PasswordLockoutPolicyAdded:
+		err = policy.AppendEvent(event)
+	case iam_es_model.PasswordLockoutPolicyChanged, model.PasswordLockoutPolicyChanged:
+		policy, err = m.view.PasswordLockoutPolicyByAggregateID(event.AggregateID)
+		if err != nil {
+			return err
+		}
+		err = policy.AppendEvent(event)
+	case model.PasswordLockoutPolicyRemoved:
+		return m.view.DeletePasswordLockoutPolicy(event.AggregateID, event.Sequence)
+	default:
+		return m.view.ProcessedPasswordLockoutPolicySequence(event.Sequence)
+	}
+	if err != nil {
+		return err
+	}
+	return m.view.PutPasswordLockoutPolicy(policy, policy.Sequence)
+}
+
+func (m *PasswordLockoutPolicy) OnError(event *models.Event, err error) error {
+	logging.LogWithFields("SPOOL-nD8sie", "id", event.AggregateID).WithError(err).Warn("something went wrong in passwordLockout policy handler")
+	return spooler.HandleError(event, err, m.view.GetLatestPasswordLockoutPolicyFailedEvent, m.view.ProcessedPasswordLockoutPolicyFailedEvent, m.view.ProcessedPasswordLockoutPolicySequence, m.errorCountUntilSkip)
+}

internal/admin/repository/eventsourcing/handler/user.go

@@ -2,6 +2,8 @@ package handler
 
 import (
 	"context"
+	"github.com/caos/zitadel/internal/config/systemdefaults"
+	iam_es "github.com/caos/zitadel/internal/iam/repository/eventsourcing"
 
 	"github.com/caos/logging"
 
@@ -18,8 +20,10 @@ import (
 
 type User struct {
 	handler
-	eventstore eventstore.Eventstore
-	orgEvents  *org_events.OrgEventstore
+	eventstore     eventstore.Eventstore
+	orgEvents      *org_events.OrgEventstore
+	iamEvents      *iam_es.IAMEventstore
+	systemDefaults systemdefaults.SystemDefaults
 }
 
 const (
@@ -136,9 +140,12 @@ func (u *User) fillLoginNamesOnOrgUsers(event *models.Event) error {
 	if err != nil {
 		return err
 	}
-	policy, err := u.orgEvents.GetOrgIAMPolicy(context.Background(), event.ResourceOwner)
-	if err != nil {
-		return err
+	policy := org.OrgIamPolicy
+	if policy == nil {
+		policy, err = u.iamEvents.GetOrgIAMPolicy(context.Background(), u.systemDefaults.IamID)
+		if err != nil {
+			return err
+		}
 	}
 	users, err := u.view.UsersByOrgID(event.AggregateID)
 	if err != nil {
@@ -155,9 +162,12 @@ func (u *User) fillPreferredLoginNamesOnOrgUsers(event *models.Event) error {
 	if err != nil {
 		return err
 	}
-	policy, err := u.orgEvents.GetOrgIAMPolicy(context.Background(), event.ResourceOwner)
-	if err != nil {
-		return err
+	policy := org.OrgIamPolicy
+	if policy == nil {
+		policy, err = u.iamEvents.GetOrgIAMPolicy(context.Background(), u.systemDefaults.IamID)
+		if err != nil {
+			return err
+		}
 	}
 	if !policy.UserLoginMustBeDomain {
 		return nil
@@ -177,9 +187,12 @@ func (u *User) fillLoginNames(user *view_model.UserView) (err error) {
 	if err != nil {
 		return err
 	}
-	policy, err := u.orgEvents.GetOrgIAMPolicy(context.Background(), user.ResourceOwner)
-	if err != nil {
-		return err
+	policy := org.OrgIamPolicy
+	if policy == nil {
+		policy, err = u.iamEvents.GetOrgIAMPolicy(context.Background(), u.systemDefaults.IamID)
+		if err != nil {
+			return err
+		}
 	}
 	user.SetLoginNames(policy, org.Domains)
 	user.PreferredLoginName = user.GenerateLoginName(org.GetPrimaryDomain().Domain, policy.UserLoginMustBeDomain)

internal/admin/repository/eventsourcing/repository.go

@@ -13,7 +13,6 @@ import (
 	es_spol "github.com/caos/zitadel/internal/eventstore/spooler"
 	es_iam "github.com/caos/zitadel/internal/iam/repository/eventsourcing"
 	es_org "github.com/caos/zitadel/internal/org/repository/eventsourcing"
-	es_policy "github.com/caos/zitadel/internal/policy/repository/eventsourcing"
 	es_usr "github.com/caos/zitadel/internal/user/repository/eventsourcing"
 )
 
@@ -30,6 +29,7 @@ type EsRepository struct {
 	eventstore.OrgRepo
 	eventstore.IAMRepository
 	eventstore.AdministratorRepo
+	eventstore.UserRepo
 }
 
 func Start(ctx context.Context, conf Config, systemDefaults sd.SystemDefaults, roles []string) (*EsRepository, error) {
@@ -55,13 +55,6 @@ func Start(ctx context.Context, conf Config, systemDefaults sd.SystemDefaults, r
 	if err != nil {
 		return nil, err
 	}
-	policy, err := es_policy.StartPolicy(es_policy.PolicyConfig{
-		Eventstore: es,
-		Cache:      conf.Eventstore.Cache,
-	}, systemDefaults)
-	if err != nil {
-		return nil, err
-	}
 	sqlClient, err := conf.View.Start()
 	if err != nil {
 		return nil, err
@@ -76,13 +69,12 @@ func Start(ctx context.Context, conf Config, systemDefaults sd.SystemDefaults, r
 	return &EsRepository{
 		spooler: spool,
 		OrgRepo: eventstore.OrgRepo{
-			Eventstore:       es,
-			OrgEventstore:    org,
-			UserEventstore:   user,
-			PolicyEventstore: policy,
-			View:             view,
-			SearchLimit:      conf.SearchLimit,
-			SystemDefaults:   systemDefaults,
+			Eventstore:     es,
+			OrgEventstore:  org,
+			UserEventstore: user,
+			View:           view,
+			SearchLimit:    conf.SearchLimit,
+			SystemDefaults: systemDefaults,
 		},
 		IAMRepository: eventstore.IAMRepository{
 			IAMEventstore:  iam,
@@ -96,6 +88,12 @@ func Start(ctx context.Context, conf Config, systemDefaults sd.SystemDefaults, r
 		AdministratorRepo: eventstore.AdministratorRepo{
 			View: view,
 		},
+		UserRepo: eventstore.UserRepo{
+			UserEvents:     user,
+			OrgEvents:      org,
+			View:           view,
+			SystemDefaults: systemDefaults,
+		},
 	}, nil
 }
 

internal/admin/repository/eventsourcing/view/org_iam_policy.go

@@ -0,0 +1,48 @@
+package view
+
+import (
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/iam/repository/view"
+	"github.com/caos/zitadel/internal/iam/repository/view/model"
+	global_view "github.com/caos/zitadel/internal/view/repository"
+)
+
+const (
+	orgIAMPolicyTable = "adminapi.org_iam_policies"
+)
+
+func (v *View) OrgIAMPolicyByAggregateID(aggregateID string) (*model.OrgIAMPolicyView, error) {
+	return view.GetOrgIAMPolicyByAggregateID(v.Db, orgIAMPolicyTable, aggregateID)
+}
+
+func (v *View) PutOrgIAMPolicy(policy *model.OrgIAMPolicyView, sequence uint64) error {
+	err := view.PutOrgIAMPolicy(v.Db, orgIAMPolicyTable, policy)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedOrgIAMPolicySequence(sequence)
+}
+
+func (v *View) DeleteOrgIAMPolicy(aggregateID string, eventSequence uint64) error {
+	err := view.DeleteOrgIAMPolicy(v.Db, orgIAMPolicyTable, aggregateID)
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	return v.ProcessedOrgIAMPolicySequence(eventSequence)
+}
+
+func (v *View) GetLatestOrgIAMPolicySequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(orgIAMPolicyTable)
+}
+
+func (v *View) ProcessedOrgIAMPolicySequence(eventSequence uint64) error {
+	return v.saveCurrentSequence(orgIAMPolicyTable, eventSequence)
+}
+
+func (v *View) GetLatestOrgIAMPolicyFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
+	return v.latestFailedEvent(orgIAMPolicyTable, sequence)
+}
+
+func (v *View) ProcessedOrgIAMPolicyFailedEvent(failedEvent *global_view.FailedEvent) error {
+	return v.saveFailedEvent(failedEvent)
+}

internal/admin/repository/eventsourcing/view/password_age_policy.go

@@ -0,0 +1,48 @@
+package view
+
+import (
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/iam/repository/view"
+	"github.com/caos/zitadel/internal/iam/repository/view/model"
+	global_view "github.com/caos/zitadel/internal/view/repository"
+)
+
+const (
+	passwordAgePolicyTable = "adminapi.password_age_policies"
+)
+
+func (v *View) PasswordAgePolicyByAggregateID(aggregateID string) (*model.PasswordAgePolicyView, error) {
+	return view.GetPasswordAgePolicyByAggregateID(v.Db, passwordAgePolicyTable, aggregateID)
+}
+
+func (v *View) PutPasswordAgePolicy(policy *model.PasswordAgePolicyView, sequence uint64) error {
+	err := view.PutPasswordAgePolicy(v.Db, passwordAgePolicyTable, policy)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedPasswordAgePolicySequence(sequence)
+}
+
+func (v *View) DeletePasswordAgePolicy(aggregateID string, eventSequence uint64) error {
+	err := view.DeletePasswordAgePolicy(v.Db, passwordAgePolicyTable, aggregateID)
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	return v.ProcessedPasswordAgePolicySequence(eventSequence)
+}
+
+func (v *View) GetLatestPasswordAgePolicySequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(passwordAgePolicyTable)
+}
+
+func (v *View) ProcessedPasswordAgePolicySequence(eventSequence uint64) error {
+	return v.saveCurrentSequence(passwordAgePolicyTable, eventSequence)
+}
+
+func (v *View) GetLatestPasswordAgePolicyFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
+	return v.latestFailedEvent(passwordAgePolicyTable, sequence)
+}
+
+func (v *View) ProcessedPasswordAgePolicyFailedEvent(failedEvent *global_view.FailedEvent) error {
+	return v.saveFailedEvent(failedEvent)
+}

internal/admin/repository/eventsourcing/view/password_complexity_policy.go

@@ -0,0 +1,48 @@
+package view
+
+import (
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/iam/repository/view"
+	"github.com/caos/zitadel/internal/iam/repository/view/model"
+	global_view "github.com/caos/zitadel/internal/view/repository"
+)
+
+const (
+	passwordComplexityPolicyTable = "adminapi.password_complexity_policies"
+)
+
+func (v *View) PasswordComplexityPolicyByAggregateID(aggregateID string) (*model.PasswordComplexityPolicyView, error) {
+	return view.GetPasswordComplexityPolicyByAggregateID(v.Db, passwordComplexityPolicyTable, aggregateID)
+}
+
+func (v *View) PutPasswordComplexityPolicy(policy *model.PasswordComplexityPolicyView, sequence uint64) error {
+	err := view.PutPasswordComplexityPolicy(v.Db, passwordComplexityPolicyTable, policy)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedPasswordComplexityPolicySequence(sequence)
+}
+
+func (v *View) DeletePasswordComplexityPolicy(aggregateID string, eventSequence uint64) error {
+	err := view.DeletePasswordComplexityPolicy(v.Db, passwordComplexityPolicyTable, aggregateID)
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	return v.ProcessedPasswordComplexityPolicySequence(eventSequence)
+}
+
+func (v *View) GetLatestPasswordComplexityPolicySequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(passwordComplexityPolicyTable)
+}
+
+func (v *View) ProcessedPasswordComplexityPolicySequence(eventSequence uint64) error {
+	return v.saveCurrentSequence(passwordComplexityPolicyTable, eventSequence)
+}
+
+func (v *View) GetLatestPasswordComplexityPolicyFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
+	return v.latestFailedEvent(passwordComplexityPolicyTable, sequence)
+}
+
+func (v *View) ProcessedPasswordComplexityPolicyFailedEvent(failedEvent *global_view.FailedEvent) error {
+	return v.saveFailedEvent(failedEvent)
+}

internal/admin/repository/eventsourcing/view/password_lockout_policy.go

@@ -0,0 +1,48 @@
+package view
+
+import (
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/iam/repository/view"
+	"github.com/caos/zitadel/internal/iam/repository/view/model"
+	global_view "github.com/caos/zitadel/internal/view/repository"
+)
+
+const (
+	passwordLockoutPolicyTable = "adminapi.password_lockout_policies"
+)
+
+func (v *View) PasswordLockoutPolicyByAggregateID(aggregateID string) (*model.PasswordLockoutPolicyView, error) {
+	return view.GetPasswordLockoutPolicyByAggregateID(v.Db, passwordLockoutPolicyTable, aggregateID)
+}
+
+func (v *View) PutPasswordLockoutPolicy(policy *model.PasswordLockoutPolicyView, sequence uint64) error {
+	err := view.PutPasswordLockoutPolicy(v.Db, passwordLockoutPolicyTable, policy)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedPasswordLockoutPolicySequence(sequence)
+}
+
+func (v *View) DeletePasswordLockoutPolicy(aggregateID string, eventSequence uint64) error {
+	err := view.DeletePasswordLockoutPolicy(v.Db, passwordLockoutPolicyTable, aggregateID)
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	return v.ProcessedPasswordLockoutPolicySequence(eventSequence)
+}
+
+func (v *View) GetLatestPasswordLockoutPolicySequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(passwordLockoutPolicyTable)
+}
+
+func (v *View) ProcessedPasswordLockoutPolicySequence(eventSequence uint64) error {
+	return v.saveCurrentSequence(passwordLockoutPolicyTable, eventSequence)
+}
+
+func (v *View) GetLatestPasswordLockoutPolicyFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
+	return v.latestFailedEvent(passwordLockoutPolicyTable, sequence)
+}
+
+func (v *View) ProcessedPasswordLockoutPolicyFailedEvent(failedEvent *global_view.FailedEvent) error {
+	return v.saveFailedEvent(failedEvent)
+}

internal/admin/repository/iam.go

@@ -28,4 +28,20 @@ type IAMRepository interface {
 	SearchDefaultIDPProviders(ctx context.Context, request *iam_model.IDPProviderSearchRequest) (*iam_model.IDPProviderSearchResponse, error)
 	AddIDPProviderToLoginPolicy(ctx context.Context, provider *iam_model.IDPProvider) (*iam_model.IDPProvider, error)
 	RemoveIDPProviderFromLoginPolicy(ctx context.Context, provider *iam_model.IDPProvider) error
+
+	GetDefaultPasswordComplexityPolicy(ctx context.Context) (*iam_model.PasswordComplexityPolicyView, error)
+	AddDefaultPasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error)
+	ChangeDefaultPasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error)
+
+	GetDefaultPasswordAgePolicy(ctx context.Context) (*iam_model.PasswordAgePolicyView, error)
+	AddDefaultPasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error)
+	ChangeDefaultPasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error)
+
+	GetDefaultPasswordLockoutPolicy(ctx context.Context) (*iam_model.PasswordLockoutPolicyView, error)
+	AddDefaultPasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error)
+	ChangeDefaultPasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error)
+
+	GetDefaultOrgIAMPolicy(ctx context.Context) (*iam_model.OrgIAMPolicyView, error)
+	AddDefaultOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error)
+	ChangeDefaultOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error)
 }

internal/admin/repository/org.go

@@ -2,6 +2,7 @@ package repository
 
 import (
 	"context"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
 
 	admin_model "github.com/caos/zitadel/internal/admin/model"
 	org_model "github.com/caos/zitadel/internal/org/model"
@@ -13,8 +14,9 @@ type OrgRepository interface {
 	OrgByID(ctx context.Context, id string) (*org_model.Org, error)
 	SearchOrgs(ctx context.Context, query *org_model.OrgSearchRequest) (*org_model.OrgSearchResult, error)
 
-	GetOrgIamPolicyByID(ctx context.Context, id string) (*org_model.OrgIAMPolicy, error)
-	CreateOrgIamPolicy(ctx context.Context, policy *org_model.OrgIAMPolicy) (*org_model.OrgIAMPolicy, error)
-	ChangeOrgIamPolicy(ctx context.Context, policy *org_model.OrgIAMPolicy) (*org_model.OrgIAMPolicy, error)
-	RemoveOrgIamPolicy(ctx context.Context, id string) error
+	GetOrgIAMPolicyByID(ctx context.Context, id string) (*iam_model.OrgIAMPolicyView, error)
+	GetDefaultOrgIAMPolicy(ctx context.Context) (*iam_model.OrgIAMPolicyView, error)
+	CreateOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error)
+	ChangeOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error)
+	RemoveOrgIAMPolicy(ctx context.Context, id string) error
 }

internal/api/api.go

@@ -103,20 +103,20 @@ func handleReadiness(checks []ValidationFunction) func(w http.ResponseWriter, r
 	return func(w http.ResponseWriter, r *http.Request) {
 		err := validate(r.Context(), checks)
 		if err == nil {
-			http_util.MarshalJSON(w, "ok")
+			http_util.MarshalJSON(w, "ok", nil, http.StatusOK)
 			return
 		}
-		http_util.MarshalJSON(w, err)
+		http_util.MarshalJSON(w, nil, err, http.StatusPreconditionFailed)
 	}
 }
 
 func (a *API) handleClientID(w http.ResponseWriter, r *http.Request) {
 	id, err := a.health.VerifierClientID(r.Context(), "Zitadel Console")
 	if err != nil {
-		http_util.MarshalJSON(w, err)
+		http_util.MarshalJSON(w, nil, err, http.StatusPreconditionFailed)
 		return
 	}
-	http_util.MarshalJSON(w, id)
+	http_util.MarshalJSON(w, id, nil, http.StatusOK)
 }
 
 type ValidationFunction func(ctx context.Context) error

internal/api/grpc/admin/login_policy.go

@@ -14,7 +14,7 @@ func (s *Server) GetDefaultLoginPolicy(ctx context.Context, _ *empty.Empty) (*ad
 	return loginPolicyViewFromModel(result), nil
 }
 
-func (s *Server) UpdateDefaultLoginPolicy(ctx context.Context, policy *admin.DefaultLoginPolicy) (*admin.DefaultLoginPolicy, error) {
+func (s *Server) UpdateDefaultLoginPolicy(ctx context.Context, policy *admin.DefaultLoginPolicyRequest) (*admin.DefaultLoginPolicy, error) {
 	result, err := s.iam.ChangeDefaultLoginPolicy(ctx, loginPolicyToModel(policy))
 	if err != nil {
 		return nil, err

internal/api/grpc/admin/login_policy_converter.go

@@ -1,11 +1,13 @@
 package admin
 
 import (
+	"github.com/caos/logging"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/pkg/grpc/admin"
+	"github.com/golang/protobuf/ptypes"
 )
 
-func loginPolicyToModel(policy *admin.DefaultLoginPolicy) *iam_model.LoginPolicy {
+func loginPolicyToModel(policy *admin.DefaultLoginPolicyRequest) *iam_model.LoginPolicy {
 	return &iam_model.LoginPolicy{
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIdp,
@@ -14,18 +16,34 @@ func loginPolicyToModel(policy *admin.DefaultLoginPolicy) *iam_model.LoginPolicy
 }
 
 func loginPolicyFromModel(policy *iam_model.LoginPolicy) *admin.DefaultLoginPolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-3Fsm9").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-5Gsko").OnError(err).Debug("date parse failed")
+
 	return &admin.DefaultLoginPolicy{
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIdp,
 		AllowRegister:         policy.AllowRegister,
+		CreationDate:          creationDate,
+		ChangeDate:            changeDate,
 	}
 }
 
 func loginPolicyViewFromModel(policy *iam_model.LoginPolicyView) *admin.DefaultLoginPolicyView {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-3Gk9s").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-6Jlos").OnError(err).Debug("date parse failed")
+
 	return &admin.DefaultLoginPolicyView{
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIDP,
 		AllowRegister:         policy.AllowRegister,
+		CreationDate:          creationDate,
+		ChangeDate:            changeDate,
 	}
 }
 

internal/api/grpc/admin/org.go

@@ -38,31 +38,47 @@ func (s *Server) SetUpOrg(ctx context.Context, orgSetUp *admin.OrgSetUpRequest)
 	return setUpOrgResponseFromModel(setUp), err
 }
 
-func (s *Server) GetOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyID) (_ *admin.OrgIamPolicy, err error) {
-	policy, err := s.org.GetOrgIamPolicyByID(ctx, in.OrgId)
+func (s *Server) GetDefaultOrgIamPolicy(ctx context.Context, _ *empty.Empty) (_ *admin.OrgIamPolicyView, err error) {
+	policy, err := s.iam.GetDefaultOrgIAMPolicy(ctx)
 	if err != nil {
 		return nil, err
 	}
-	return orgIamPolicyFromModel(policy), err
+	return orgIAMPolicyViewFromModel(policy), err
+}
+
+func (s *Server) UpdateDefaultOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyRequest) (_ *admin.OrgIamPolicy, err error) {
+	policy, err := s.iam.ChangeDefaultOrgIAMPolicy(ctx, orgIAMPolicyRequestToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return orgIAMPolicyFromModel(policy), err
+}
+
+func (s *Server) GetOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyID) (_ *admin.OrgIamPolicyView, err error) {
+	policy, err := s.org.GetOrgIAMPolicyByID(ctx, in.OrgId)
+	if err != nil {
+		return nil, err
+	}
+	return orgIAMPolicyViewFromModel(policy), err
 }
 
 func (s *Server) CreateOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyRequest) (_ *admin.OrgIamPolicy, err error) {
-	policy, err := s.org.CreateOrgIamPolicy(ctx, orgIamPolicyRequestToModel(in))
+	policy, err := s.org.CreateOrgIAMPolicy(ctx, orgIAMPolicyRequestToModel(in))
 	if err != nil {
 		return nil, err
 	}
-	return orgIamPolicyFromModel(policy), err
+	return orgIAMPolicyFromModel(policy), err
 }
 
 func (s *Server) UpdateOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyRequest) (_ *admin.OrgIamPolicy, err error) {
-	policy, err := s.org.ChangeOrgIamPolicy(ctx, orgIamPolicyRequestToModel(in))
+	policy, err := s.org.ChangeOrgIAMPolicy(ctx, orgIAMPolicyRequestToModel(in))
 	if err != nil {
 		return nil, err
 	}
-	return orgIamPolicyFromModel(policy), err
+	return orgIAMPolicyFromModel(policy), err
 }
 
-func (s *Server) DeleteOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyID) (_ *empty.Empty, err error) {
-	err = s.org.RemoveOrgIamPolicy(ctx, in.OrgId)
+func (s *Server) RemoveOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyID) (_ *empty.Empty, err error) {
+	err = s.org.RemoveOrgIAMPolicy(ctx, in.OrgId)
 	return &empty.Empty{}, err
 }

internal/api/grpc/admin/org_converter.go

@@ -2,6 +2,7 @@ package admin
 
 import (
 	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/golang/protobuf/ptypes"
 
 	admin_model "github.com/caos/zitadel/internal/admin/model"
@@ -196,7 +197,7 @@ func orgQueryMethodToModel(method admin.OrgSearchMethod) model.SearchMethod {
 	}
 }
 
-func orgIamPolicyFromModel(policy *org_model.OrgIAMPolicy) *admin.OrgIamPolicy {
+func orgIAMPolicyFromModel(policy *iam_model.OrgIAMPolicy) *admin.OrgIamPolicy {
 	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
 	logging.Log("GRPC-ush36").OnError(err).Debug("unable to get timestamp from time")
 
@@ -205,20 +206,32 @@ func orgIamPolicyFromModel(policy *org_model.OrgIAMPolicy) *admin.OrgIamPolicy {
 
 	return &admin.OrgIamPolicy{
 		OrgId:                 policy.AggregateID,
-		Description:           policy.Description,
 		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
-		Default:               policy.Default,
 		CreationDate:          creationDate,
 		ChangeDate:            changeDate,
 	}
 }
 
-func orgIamPolicyRequestToModel(policy *admin.OrgIamPolicyRequest) *org_model.OrgIAMPolicy {
-	return &org_model.OrgIAMPolicy{
+func orgIAMPolicyViewFromModel(policy *iam_model.OrgIAMPolicyView) *admin.OrgIamPolicyView {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-ush36").OnError(err).Debug("unable to get timestamp from time")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-Ps9fW").OnError(err).Debug("unable to get timestamp from time")
+
+	return &admin.OrgIamPolicyView{
+		OrgId:                 policy.AggregateID,
+		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
+		CreationDate:          creationDate,
+		ChangeDate:            changeDate,
+	}
+}
+
+func orgIAMPolicyRequestToModel(policy *admin.OrgIamPolicyRequest) *iam_model.OrgIAMPolicy {
+	return &iam_model.OrgIAMPolicy{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: policy.OrgId,
 		},
-		Description:           policy.Description,
 		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
 	}
 }

internal/api/grpc/admin/password_age_policy.go

@@ -0,0 +1,23 @@
+package admin
+
+import (
+	"context"
+	"github.com/caos/zitadel/pkg/grpc/admin"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetDefaultPasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*admin.DefaultPasswordAgePolicyView, error) {
+	result, err := s.iam.GetDefaultPasswordAgePolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return passwordAgePolicyViewFromModel(result), nil
+}
+
+func (s *Server) UpdateDefaultPasswordAgePolicy(ctx context.Context, policy *admin.DefaultPasswordAgePolicyRequest) (*admin.DefaultPasswordAgePolicy, error) {
+	result, err := s.iam.ChangeDefaultPasswordAgePolicy(ctx, passwordAgePolicyToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+	return passwordAgePolicyFromModel(result), nil
+}

internal/api/grpc/admin/password_age_policy_converter.go

@@ -0,0 +1,45 @@
+package admin
+
+import (
+	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/pkg/grpc/admin"
+	"github.com/golang/protobuf/ptypes"
+)
+
+func passwordAgePolicyToModel(policy *admin.DefaultPasswordAgePolicyRequest) *iam_model.PasswordAgePolicy {
+	return &iam_model.PasswordAgePolicy{
+		MaxAgeDays:     policy.MaxAgeDays,
+		ExpireWarnDays: policy.ExpireWarnDays,
+	}
+}
+
+func passwordAgePolicyFromModel(policy *iam_model.PasswordAgePolicy) *admin.DefaultPasswordAgePolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-mH9os").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-3tGs9").OnError(err).Debug("date parse failed")
+
+	return &admin.DefaultPasswordAgePolicy{
+		MaxAgeDays:     policy.MaxAgeDays,
+		ExpireWarnDays: policy.ExpireWarnDays,
+		CreationDate:   creationDate,
+		ChangeDate:     changeDate,
+	}
+}
+
+func passwordAgePolicyViewFromModel(policy *iam_model.PasswordAgePolicyView) *admin.DefaultPasswordAgePolicyView {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-2Gs9o").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-8Hjss").OnError(err).Debug("date parse failed")
+
+	return &admin.DefaultPasswordAgePolicyView{
+		MaxAgeDays:     policy.MaxAgeDays,
+		ExpireWarnDays: policy.ExpireWarnDays,
+		CreationDate:   creationDate,
+		ChangeDate:     changeDate,
+	}
+}

internal/api/grpc/admin/password_complexity_policy.go

@@ -0,0 +1,23 @@
+package admin
+
+import (
+	"context"
+	"github.com/caos/zitadel/pkg/grpc/admin"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetDefaultPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*admin.DefaultPasswordComplexityPolicyView, error) {
+	result, err := s.iam.GetDefaultPasswordComplexityPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return passwordComplexityPolicyViewFromModel(result), nil
+}
+
+func (s *Server) UpdateDefaultPasswordComplexityPolicy(ctx context.Context, policy *admin.DefaultPasswordComplexityPolicyRequest) (*admin.DefaultPasswordComplexityPolicy, error) {
+	result, err := s.iam.ChangeDefaultPasswordComplexityPolicy(ctx, passwordComplexityPolicyToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+	return passwordComplexityPolicyFromModel(result), nil
+}

internal/api/grpc/admin/password_complexity_policy_converter.go

@@ -0,0 +1,54 @@
+package admin
+
+import (
+	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/pkg/grpc/admin"
+	"github.com/golang/protobuf/ptypes"
+)
+
+func passwordComplexityPolicyToModel(policy *admin.DefaultPasswordComplexityPolicyRequest) *iam_model.PasswordComplexityPolicy {
+	return &iam_model.PasswordComplexityPolicy{
+		MinLength:    policy.MinLength,
+		HasUppercase: policy.HasUppercase,
+		HasLowercase: policy.HasLowercase,
+		HasNumber:    policy.HasNumber,
+		HasSymbol:    policy.HasSymbol,
+	}
+}
+
+func passwordComplexityPolicyFromModel(policy *iam_model.PasswordComplexityPolicy) *admin.DefaultPasswordComplexityPolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-6Zhs9").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-bMso0").OnError(err).Debug("date parse failed")
+
+	return &admin.DefaultPasswordComplexityPolicy{
+		MinLength:    policy.MinLength,
+		HasUppercase: policy.HasUppercase,
+		HasLowercase: policy.HasLowercase,
+		HasNumber:    policy.HasNumber,
+		HasSymbol:    policy.HasSymbol,
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+	}
+}
+
+func passwordComplexityPolicyViewFromModel(policy *iam_model.PasswordComplexityPolicyView) *admin.DefaultPasswordComplexityPolicyView {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-rTs9f").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-ks9Zt").OnError(err).Debug("date parse failed")
+
+	return &admin.DefaultPasswordComplexityPolicyView{
+		MinLength:    policy.MinLength,
+		HasUppercase: policy.HasUppercase,
+		HasLowercase: policy.HasLowercase,
+		HasNumber:    policy.HasNumber,
+		HasSymbol:    policy.HasSymbol,
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+	}
+}

internal/api/grpc/admin/password_lockout_policy.go

@@ -0,0 +1,23 @@
+package admin
+
+import (
+	"context"
+	"github.com/caos/zitadel/pkg/grpc/admin"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetDefaultPasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (*admin.DefaultPasswordLockoutPolicyView, error) {
+	result, err := s.iam.GetDefaultPasswordLockoutPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return passwordLockoutPolicyViewFromModel(result), nil
+}
+
+func (s *Server) UpdateDefaultPasswordLockoutPolicy(ctx context.Context, policy *admin.DefaultPasswordLockoutPolicyRequest) (*admin.DefaultPasswordLockoutPolicy, error) {
+	result, err := s.iam.ChangeDefaultPasswordLockoutPolicy(ctx, passwordLockoutPolicyToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+	return passwordLockoutPolicyFromModel(result), nil
+}

internal/api/grpc/admin/password_lockout_policy_converter.go

@@ -0,0 +1,45 @@
+package admin
+
+import (
+	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/pkg/grpc/admin"
+	"github.com/golang/protobuf/ptypes"
+)
+
+func passwordLockoutPolicyToModel(policy *admin.DefaultPasswordLockoutPolicyRequest) *iam_model.PasswordLockoutPolicy {
+	return &iam_model.PasswordLockoutPolicy{
+		MaxAttempts:         policy.MaxAttempts,
+		ShowLockOutFailures: policy.ShowLockoutFailure,
+	}
+}
+
+func passwordLockoutPolicyFromModel(policy *iam_model.PasswordLockoutPolicy) *admin.DefaultPasswordLockoutPolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-4Gsm9f").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-3Gms9").OnError(err).Debug("date parse failed")
+
+	return &admin.DefaultPasswordLockoutPolicy{
+		MaxAttempts:        policy.MaxAttempts,
+		ShowLockoutFailure: policy.ShowLockOutFailures,
+		CreationDate:       creationDate,
+		ChangeDate:         changeDate,
+	}
+}
+
+func passwordLockoutPolicyViewFromModel(policy *iam_model.PasswordLockoutPolicyView) *admin.DefaultPasswordLockoutPolicyView {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-7Hmlo").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-0oLgs").OnError(err).Debug("date parse failed")
+
+	return &admin.DefaultPasswordLockoutPolicyView{
+		MaxAttempts:        policy.MaxAttempts,
+		ShowLockoutFailure: policy.ShowLockOutFailures,
+		CreationDate:       creationDate,
+		ChangeDate:         changeDate,
+	}
+}

internal/api/grpc/auth/policy_complexity_converter.go

@@ -2,13 +2,13 @@ package auth
 
 import (
 	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/golang/protobuf/ptypes"
 
-	"github.com/caos/zitadel/internal/policy/model"
 	"github.com/caos/zitadel/pkg/grpc/auth"
 )
 
-func passwordComplexityPolicyFromModel(policy *model.PasswordComplexityPolicy) *auth.PasswordComplexityPolicy {
+func passwordComplexityPolicyFromModel(policy *iam_model.PasswordComplexityPolicyView) *auth.PasswordComplexityPolicy {
 	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
 	logging.Log("GRPC-Lsi3d").OnError(err).Debug("unable to parse timestamp")
 
@@ -19,7 +19,6 @@ func passwordComplexityPolicyFromModel(policy *model.PasswordComplexityPolicy) *
 		Id:           policy.AggregateID,
 		CreationDate: creationDate,
 		ChangeDate:   changeDate,
-		Description:  policy.Description,
 		Sequence:     policy.Sequence,
 		MinLength:    policy.MinLength,
 		HasLowercase: policy.HasLowercase,

internal/api/grpc/management/login_policy.go

@@ -14,16 +14,24 @@ func (s *Server) GetLoginPolicy(ctx context.Context, _ *empty.Empty) (*managemen
 	return loginPolicyViewFromModel(result), nil
 }
 
-func (s *Server) CreateLoginPolicy(ctx context.Context, policy *management.LoginPolicyAdd) (*management.LoginPolicy, error) {
-	result, err := s.org.AddLoginPolicy(ctx, loginPolicyAddToModel(policy))
+func (s *Server) GetDefaultLoginPolicy(ctx context.Context, _ *empty.Empty) (*management.LoginPolicyView, error) {
+	result, err := s.org.GetDefaultLoginPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return loginPolicyViewFromModel(result), nil
+}
+
+func (s *Server) CreateLoginPolicy(ctx context.Context, policy *management.LoginPolicyRequest) (*management.LoginPolicy, error) {
+	result, err := s.org.AddLoginPolicy(ctx, loginPolicyRequestToModel(policy))
 	if err != nil {
 		return nil, err
 	}
 	return loginPolicyFromModel(result), nil
 }
 
-func (s *Server) UpdateLoginPolicy(ctx context.Context, policy *management.LoginPolicy) (*management.LoginPolicy, error) {
-	result, err := s.org.ChangeLoginPolicy(ctx, loginPolicyToModel(policy))
+func (s *Server) UpdateLoginPolicy(ctx context.Context, policy *management.LoginPolicyRequest) (*management.LoginPolicy, error) {
+	result, err := s.org.ChangeLoginPolicy(ctx, loginPolicyRequestToModel(policy))
 	if err != nil {
 		return nil, err
 	}

internal/api/grpc/management/login_policy_converter.go

@@ -1,18 +1,13 @@
 package management
 
 import (
+	"github.com/caos/logging"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/golang/protobuf/ptypes"
 )
 
-func loginPolicyAddToModel(policy *management.LoginPolicyAdd) *iam_model.LoginPolicy {
-	return &iam_model.LoginPolicy{
-		AllowUsernamePassword: policy.AllowUsernamePassword,
-		AllowExternalIdp:      policy.AllowExternalIdp,
-		AllowRegister:         policy.AllowRegister,
-	}
-}
-func loginPolicyToModel(policy *management.LoginPolicy) *iam_model.LoginPolicy {
+func loginPolicyRequestToModel(policy *management.LoginPolicyRequest) *iam_model.LoginPolicy {
 	return &iam_model.LoginPolicy{
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIdp,
@@ -21,19 +16,35 @@ func loginPolicyToModel(policy *management.LoginPolicy) *iam_model.LoginPolicy {
 }
 
 func loginPolicyFromModel(policy *iam_model.LoginPolicy) *management.LoginPolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-2Fsm8").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-3Flo0").OnError(err).Debug("date parse failed")
+
 	return &management.LoginPolicy{
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIdp,
 		AllowRegister:         policy.AllowRegister,
+		CreationDate:          creationDate,
+		ChangeDate:            changeDate,
 	}
 }
 
 func loginPolicyViewFromModel(policy *iam_model.LoginPolicyView) *management.LoginPolicyView {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-5Tsm8").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-8dJgs").OnError(err).Debug("date parse failed")
+
 	return &management.LoginPolicyView{
 		Default:               policy.Default,
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIDP,
 		AllowRegister:         policy.AllowRegister,
+		CreationDate:          creationDate,
+		ChangeDate:            changeDate,
 	}
 }
 

internal/api/grpc/management/org.go

@@ -98,10 +98,10 @@ func (s *Server) OrgChanges(ctx context.Context, changesRequest *management.Chan
 	return orgChangesToResponse(response, changesRequest.GetSequenceOffset(), changesRequest.GetLimit()), nil
 }
 
-func (s *Server) GetMyOrgIamPolicy(ctx context.Context, _ *empty.Empty) (_ *management.OrgIamPolicy, err error) {
+func (s *Server) GetMyOrgIamPolicy(ctx context.Context, _ *empty.Empty) (_ *management.OrgIamPolicyView, err error) {
 	policy, err := s.org.GetMyOrgIamPolicy(ctx)
 	if err != nil {
 		return nil, err
 	}
-	return orgIamPolicyFromModel(policy), err
+	return orgIamPolicyViewFromModel(policy), err
 }

internal/api/grpc/management/org_converter.go

@@ -2,6 +2,7 @@ package management
 
 import (
 	"encoding/json"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
 
 	"github.com/caos/logging"
 	"github.com/golang/protobuf/ptypes"
@@ -227,10 +228,8 @@ func orgChangesToMgtAPI(changes *org_model.OrgChanges) (_ []*management.Change)
 	return result
 }
 
-func orgIamPolicyFromModel(policy *org_model.OrgIAMPolicy) *management.OrgIamPolicy {
-	return &management.OrgIamPolicy{
-		OrgId:                 policy.AggregateID,
-		Description:           policy.Description,
+func orgIamPolicyViewFromModel(policy *iam_model.OrgIAMPolicyView) *management.OrgIamPolicyView {
+	return &management.OrgIamPolicyView{
 		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
 		Default:               policy.Default,
 	}

internal/api/grpc/management/password_age_policy.go

@@ -0,0 +1,44 @@
+package management
+
+import (
+	"context"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetPasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordAgePolicyView, error) {
+	result, err := s.org.GetPasswordAgePolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return passwordAgePolicyViewFromModel(result), nil
+}
+
+func (s *Server) GetDefaultPasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordAgePolicyView, error) {
+	result, err := s.org.GetDefaultPasswordAgePolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return passwordAgePolicyViewFromModel(result), nil
+}
+
+func (s *Server) CreatePasswordAgePolicy(ctx context.Context, policy *management.PasswordAgePolicyRequest) (*management.PasswordAgePolicy, error) {
+	result, err := s.org.AddPasswordAgePolicy(ctx, passwordAgePolicyRequestToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+	return passwordAgePolicyFromModel(result), nil
+}
+
+func (s *Server) UpdatePasswordAgePolicy(ctx context.Context, policy *management.PasswordAgePolicyRequest) (*management.PasswordAgePolicy, error) {
+	result, err := s.org.ChangePasswordAgePolicy(ctx, passwordAgePolicyRequestToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+	return passwordAgePolicyFromModel(result), nil
+}
+
+func (s *Server) RemovePasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
+	err := s.org.RemovePasswordAgePolicy(ctx)
+	return &empty.Empty{}, err
+}

internal/api/grpc/management/password_age_policy_converter.go

@@ -0,0 +1,46 @@
+package management
+
+import (
+	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/golang/protobuf/ptypes"
+)
+
+func passwordAgePolicyRequestToModel(policy *management.PasswordAgePolicyRequest) *iam_model.PasswordAgePolicy {
+	return &iam_model.PasswordAgePolicy{
+		MaxAgeDays:     policy.MaxAgeDays,
+		ExpireWarnDays: policy.ExpireWarnDays,
+	}
+}
+
+func passwordAgePolicyFromModel(policy *iam_model.PasswordAgePolicy) *management.PasswordAgePolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-bMd9o").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-jFs89").OnError(err).Debug("date parse failed")
+
+	return &management.PasswordAgePolicy{
+		MaxAgeDays:     policy.MaxAgeDays,
+		ExpireWarnDays: policy.ExpireWarnDays,
+		CreationDate:   changeDate,
+		ChangeDate:     creationDate,
+	}
+}
+
+func passwordAgePolicyViewFromModel(policy *iam_model.PasswordAgePolicyView) *management.PasswordAgePolicyView {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-4Bms9").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-6Hmlo").OnError(err).Debug("date parse failed")
+
+	return &management.PasswordAgePolicyView{
+		Default:        policy.Default,
+		MaxAgeDays:     policy.MaxAgeDays,
+		ExpireWarnDays: policy.ExpireWarnDays,
+		ChangeDate:     changeDate,
+		CreationDate:   creationDate,
+	}
+}

internal/api/grpc/management/password_complexity_policy.go

@@ -0,0 +1,44 @@
+package management
+
+import (
+	"context"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordComplexityPolicyView, error) {
+	result, err := s.org.GetPasswordComplexityPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return passwordComplexityPolicyViewFromModel(result), nil
+}
+
+func (s *Server) GetDefaultPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordComplexityPolicyView, error) {
+	result, err := s.org.GetDefaultPasswordComplexityPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return passwordComplexityPolicyViewFromModel(result), nil
+}
+
+func (s *Server) CreatePasswordComplexityPolicy(ctx context.Context, policy *management.PasswordComplexityPolicyRequest) (*management.PasswordComplexityPolicy, error) {
+	result, err := s.org.AddPasswordComplexityPolicy(ctx, passwordComplexityPolicyRequestToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+	return passwordComplexityPolicyFromModel(result), nil
+}
+
+func (s *Server) UpdatePasswordComplexityPolicy(ctx context.Context, policy *management.PasswordComplexityPolicyRequest) (*management.PasswordComplexityPolicy, error) {
+	result, err := s.org.ChangePasswordComplexityPolicy(ctx, passwordComplexityPolicyRequestToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+	return passwordComplexityPolicyFromModel(result), nil
+}
+
+func (s *Server) RemovePasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
+	err := s.org.RemovePasswordComplexityPolicy(ctx)
+	return &empty.Empty{}, err
+}

internal/api/grpc/management/password_complexity_policy_converter.go

@@ -0,0 +1,55 @@
+package management
+
+import (
+	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/golang/protobuf/ptypes"
+)
+
+func passwordComplexityPolicyRequestToModel(policy *management.PasswordComplexityPolicyRequest) *iam_model.PasswordComplexityPolicy {
+	return &iam_model.PasswordComplexityPolicy{
+		MinLength:    policy.MinLength,
+		HasLowercase: policy.HasLowercase,
+		HasUppercase: policy.HasUppercase,
+		HasSymbol:    policy.HasSymbol,
+		HasNumber:    policy.HasNumber,
+	}
+}
+
+func passwordComplexityPolicyFromModel(policy *iam_model.PasswordComplexityPolicy) *management.PasswordComplexityPolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-5Gslo").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-Bmd9e").OnError(err).Debug("date parse failed")
+
+	return &management.PasswordComplexityPolicy{
+		MinLength:    policy.MinLength,
+		HasLowercase: policy.HasLowercase,
+		HasUppercase: policy.HasUppercase,
+		HasSymbol:    policy.HasSymbol,
+		HasNumber:    policy.HasNumber,
+		CreationDate: changeDate,
+		ChangeDate:   creationDate,
+	}
+}
+
+func passwordComplexityPolicyViewFromModel(policy *iam_model.PasswordComplexityPolicyView) *management.PasswordComplexityPolicyView {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-wmi8f").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-dmOp0").OnError(err).Debug("date parse failed")
+
+	return &management.PasswordComplexityPolicyView{
+		Default:      policy.Default,
+		MinLength:    policy.MinLength,
+		HasLowercase: policy.HasLowercase,
+		HasUppercase: policy.HasUppercase,
+		HasSymbol:    policy.HasSymbol,
+		HasNumber:    policy.HasNumber,
+		CreationDate: changeDate,
+		ChangeDate:   creationDate,
+	}
+}

internal/api/grpc/management/password_lockout_policy.go

@@ -0,0 +1,44 @@
+package management
+
+import (
+	"context"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetPasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordLockoutPolicyView, error) {
+	result, err := s.org.GetPasswordLockoutPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return passwordLockoutPolicyViewFromModel(result), nil
+}
+
+func (s *Server) GetDefaultPasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordLockoutPolicyView, error) {
+	result, err := s.org.GetDefaultPasswordLockoutPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return passwordLockoutPolicyViewFromModel(result), nil
+}
+
+func (s *Server) CreatePasswordLockoutPolicy(ctx context.Context, policy *management.PasswordLockoutPolicyRequest) (*management.PasswordLockoutPolicy, error) {
+	result, err := s.org.AddPasswordLockoutPolicy(ctx, passwordLockoutPolicyRequestToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+	return passwordLockoutPolicyFromModel(result), nil
+}
+
+func (s *Server) UpdatePasswordLockoutPolicy(ctx context.Context, policy *management.PasswordLockoutPolicyRequest) (*management.PasswordLockoutPolicy, error) {
+	result, err := s.org.ChangePasswordLockoutPolicy(ctx, passwordLockoutPolicyRequestToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+	return passwordLockoutPolicyFromModel(result), nil
+}
+
+func (s *Server) RemovePasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
+	err := s.org.RemovePasswordLockoutPolicy(ctx)
+	return &empty.Empty{}, err
+}

internal/api/grpc/management/password_lockout_policy_converter.go

@@ -0,0 +1,46 @@
+package management
+
+import (
+	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/golang/protobuf/ptypes"
+)
+
+func passwordLockoutPolicyRequestToModel(policy *management.PasswordLockoutPolicyRequest) *iam_model.PasswordLockoutPolicy {
+	return &iam_model.PasswordLockoutPolicy{
+		MaxAttempts:         policy.MaxAttempts,
+		ShowLockOutFailures: policy.ShowLockoutFailure,
+	}
+}
+
+func passwordLockoutPolicyFromModel(policy *iam_model.PasswordLockoutPolicy) *management.PasswordLockoutPolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-bMd9o").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-jFs89").OnError(err).Debug("date parse failed")
+
+	return &management.PasswordLockoutPolicy{
+		MaxAttempts:        policy.MaxAttempts,
+		ShowLockoutFailure: policy.ShowLockOutFailures,
+		CreationDate:       changeDate,
+		ChangeDate:         creationDate,
+	}
+}
+
+func passwordLockoutPolicyViewFromModel(policy *iam_model.PasswordLockoutPolicyView) *management.PasswordLockoutPolicyView {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-4Bms9").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-6Hmlo").OnError(err).Debug("date parse failed")
+
+	return &management.PasswordLockoutPolicyView{
+		Default:            policy.Default,
+		MaxAttempts:        policy.MaxAttempts,
+		ShowLockoutFailure: policy.ShowLockOutFailures,
+		ChangeDate:         changeDate,
+		CreationDate:       creationDate,
+	}
+}

internal/api/grpc/management/policy.go

@@ -1,112 +0,0 @@
-package management
-
-import (
-	"context"
-
-	"github.com/golang/protobuf/ptypes/empty"
-
-	"github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/pkg/grpc/management"
-)
-
-func (s *Server) CreatePasswordComplexityPolicy(ctx context.Context, policy *management.PasswordComplexityPolicyCreate) (*management.PasswordComplexityPolicy, error) {
-	policyresp, err := s.policy.CreatePasswordComplexityPolicy(ctx, passwordComplexityPolicyCreateToModel(policy))
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordComplexityPolicyFromModel(policyresp), nil
-}
-
-func (s *Server) GetPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordComplexityPolicy, error) {
-	policy, err := s.policy.GetPasswordComplexityPolicy(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordComplexityPolicyFromModel(policy), nil
-}
-
-func (s *Server) GetDefaultPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordComplexityPolicy, error) {
-	policy, err := s.policy.GetDefaultPasswordComplexityPolicy(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordComplexityPolicyFromModel(policy), nil
-}
-
-func (s *Server) UpdatePasswordComplexityPolicy(ctx context.Context, policy *management.PasswordComplexityPolicyUpdate) (*management.PasswordComplexityPolicy, error) {
-	policyresp, err := s.policy.UpdatePasswordComplexityPolicy(ctx, passwordComplexityPolicyUpdateToModel(policy))
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordComplexityPolicyFromModel(policyresp), nil
-}
-
-func (s *Server) DeletePasswordComplexityPolicy(ctx context.Context, ID *management.PasswordComplexityPolicyID) (*empty.Empty, error) {
-	return nil, errors.ThrowUnimplemented(nil, "GRPC-skw3f", "Not implemented")
-}
-
-func (s *Server) CreatePasswordAgePolicy(ctx context.Context, policy *management.PasswordAgePolicyCreate) (*management.PasswordAgePolicy, error) {
-	policyresp, err := s.policy.CreatePasswordAgePolicy(ctx, passwordAgePolicyCreateToModel(policy))
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordAgePolicyFromModel(policyresp), nil
-}
-
-func (s *Server) GetPasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordAgePolicy, error) {
-	policy, err := s.policy.GetPasswordAgePolicy(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordAgePolicyFromModel(policy), nil
-}
-
-func (s *Server) UpdatePasswordAgePolicy(ctx context.Context, policy *management.PasswordAgePolicyUpdate) (*management.PasswordAgePolicy, error) {
-	policyresp, err := s.policy.UpdatePasswordAgePolicy(ctx, passwordAgePolicyUpdateToModel(policy))
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordAgePolicyFromModel(policyresp), nil
-}
-
-func (s *Server) DeletePasswordAgePolicy(ctx context.Context, ID *management.PasswordAgePolicyID) (*empty.Empty, error) {
-	return nil, errors.ThrowUnimplemented(nil, "GRPC-plo67", "Not implemented")
-}
-
-func (s *Server) CreatePasswordLockoutPolicy(ctx context.Context, policy *management.PasswordLockoutPolicyCreate) (*management.PasswordLockoutPolicy, error) {
-	policyresp, err := s.policy.CreatePasswordLockoutPolicy(ctx, passwordLockoutPolicyCreateToModel(policy))
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordLockoutPolicyFromModel(policyresp), nil
-}
-
-func (s *Server) GetPasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordLockoutPolicy, error) {
-	policy, err := s.policy.GetPasswordLockoutPolicy(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordLockoutPolicyFromModel(policy), nil
-}
-
-func (s *Server) UpdatePasswordLockoutPolicy(ctx context.Context, policy *management.PasswordLockoutPolicyUpdate) (*management.PasswordLockoutPolicy, error) {
-	policyresp, err := s.policy.UpdatePasswordLockoutPolicy(ctx, passwordLockoutPolicyUpdateToModel(policy))
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordLockoutPolicyFromModel(policyresp), nil
-}
-
-func (s *Server) DeletePasswordLockoutPolicy(ctx context.Context, ID *management.PasswordLockoutPolicyID) (*empty.Empty, error) {
-	return nil, errors.ThrowUnimplemented(nil, "GRPC-GHkd9", "Not implemented")
-}

internal/api/grpc/management/policy_age_converter.go

@@ -1,68 +0,0 @@
-package management
-
-import (
-	"github.com/caos/logging"
-	"github.com/golang/protobuf/ptypes"
-
-	"github.com/caos/zitadel/internal/eventstore/models"
-	"github.com/caos/zitadel/internal/policy/model"
-	"github.com/caos/zitadel/pkg/grpc/management"
-)
-
-func passwordAgePolicyFromModel(policy *model.PasswordAgePolicy) *management.PasswordAgePolicy {
-	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
-	logging.Log("GRPC-6ILdB").OnError(err).Debug("unable to parse timestamp")
-
-	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
-	logging.Log("GRPC-ngUzJ").OnError(err).Debug("unable to parse timestamp")
-
-	return &management.PasswordAgePolicy{
-		Id:             policy.AggregateID,
-		CreationDate:   creationDate,
-		ChangeDate:     changeDate,
-		Sequence:       policy.Sequence,
-		Description:    policy.Description,
-		ExpireWarnDays: policy.ExpireWarnDays,
-		MaxAgeDays:     policy.MaxAgeDays,
-		IsDefault:      policy.AggregateID == "",
-	}
-}
-
-func passwordAgePolicyToModel(policy *management.PasswordAgePolicy) *model.PasswordAgePolicy {
-	creationDate, err := ptypes.Timestamp(policy.CreationDate)
-	logging.Log("GRPC-2QSfU").OnError(err).Debug("unable to parse timestamp")
-
-	changeDate, err := ptypes.Timestamp(policy.ChangeDate)
-	logging.Log("GRPC-LdU91").OnError(err).Debug("unable to parse timestamp")
-
-	return &model.PasswordAgePolicy{
-		ObjectRoot: models.ObjectRoot{
-			AggregateID:  policy.Id,
-			CreationDate: creationDate,
-			ChangeDate:   changeDate,
-			Sequence:     policy.Sequence,
-		},
-		Description:    policy.Description,
-		ExpireWarnDays: policy.ExpireWarnDays,
-		MaxAgeDays:     policy.MaxAgeDays,
-	}
-}
-
-func passwordAgePolicyCreateToModel(policy *management.PasswordAgePolicyCreate) *model.PasswordAgePolicy {
-	return &model.PasswordAgePolicy{
-		Description:    policy.Description,
-		ExpireWarnDays: policy.ExpireWarnDays,
-		MaxAgeDays:     policy.MaxAgeDays,
-	}
-}
-
-func passwordAgePolicyUpdateToModel(policy *management.PasswordAgePolicyUpdate) *model.PasswordAgePolicy {
-	return &model.PasswordAgePolicy{
-		ObjectRoot: models.ObjectRoot{
-			AggregateID: policy.Id,
-		},
-		Description:    policy.Description,
-		ExpireWarnDays: policy.ExpireWarnDays,
-		MaxAgeDays:     policy.MaxAgeDays,
-	}
-}

internal/api/grpc/management/policy_complexity_converter.go

@@ -1,81 +0,0 @@
-package management
-
-import (
-	"github.com/caos/logging"
-
-	"github.com/golang/protobuf/ptypes"
-
-	"github.com/caos/zitadel/internal/eventstore/models"
-	"github.com/caos/zitadel/internal/policy/model"
-	"github.com/caos/zitadel/pkg/grpc/management"
-)
-
-func passwordComplexityPolicyFromModel(policy *model.PasswordComplexityPolicy) *management.PasswordComplexityPolicy {
-	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
-	logging.Log("GRPC-cQRHE").OnError(err).Debug("unable to parse timestamp")
-
-	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
-	logging.Log("GRPC-PVA1c").OnError(err).Debug("unable to parse timestamp")
-
-	return &management.PasswordComplexityPolicy{
-		Id:           policy.AggregateID,
-		CreationDate: creationDate,
-		ChangeDate:   changeDate,
-		Description:  policy.Description,
-		Sequence:     policy.Sequence,
-		MinLength:    policy.MinLength,
-		HasLowercase: policy.HasLowercase,
-		HasUppercase: policy.HasUppercase,
-		HasNumber:    policy.HasNumber,
-		HasSymbol:    policy.HasSymbol,
-		IsDefault:    policy.AggregateID == "",
-	}
-}
-
-func passwordComplexityPolicyToModel(policy *management.PasswordComplexityPolicy) *model.PasswordComplexityPolicy {
-	creationDate, err := ptypes.Timestamp(policy.CreationDate)
-	logging.Log("GRPC-asmEZ").OnError(err).Debug("unable to parse timestamp")
-
-	changeDate, err := ptypes.Timestamp(policy.ChangeDate)
-	logging.Log("GRPC-MCE4o").OnError(err).Debug("unable to parse timestamp")
-
-	return &model.PasswordComplexityPolicy{
-		ObjectRoot: models.ObjectRoot{
-			AggregateID:  policy.Id,
-			CreationDate: creationDate,
-			ChangeDate:   changeDate,
-			Sequence:     policy.Sequence,
-		},
-		Description:  policy.Description,
-		MinLength:    policy.MinLength,
-		HasLowercase: policy.HasLowercase,
-		HasUppercase: policy.HasUppercase,
-		HasNumber:    policy.HasNumber,
-		HasSymbol:    policy.HasSymbol,
-	}
-}
-
-func passwordComplexityPolicyCreateToModel(policy *management.PasswordComplexityPolicyCreate) *model.PasswordComplexityPolicy {
-	return &model.PasswordComplexityPolicy{
-		Description:  policy.Description,
-		MinLength:    policy.MinLength,
-		HasLowercase: policy.HasLowercase,
-		HasUppercase: policy.HasUppercase,
-		HasNumber:    policy.HasNumber,
-		HasSymbol:    policy.HasSymbol,
-	}
-}
-
-func passwordComplexityPolicyUpdateToModel(policy *management.PasswordComplexityPolicyUpdate) *model.PasswordComplexityPolicy {
-	return &model.PasswordComplexityPolicy{
-		ObjectRoot: models.ObjectRoot{
-			AggregateID: policy.Id,
-		},
-		Description:  policy.Description,
-		MinLength:    policy.MinLength,
-		HasLowercase: policy.HasLowercase,
-		HasUppercase: policy.HasUppercase,
-		HasNumber:    policy.HasNumber,
-		HasSymbol:    policy.HasSymbol,
-	}
-}

internal/api/grpc/management/policy_lockout_converter.go

@@ -1,70 +0,0 @@
-package management
-
-import (
-	"github.com/caos/logging"
-
-	"github.com/golang/protobuf/ptypes"
-
-	"github.com/caos/zitadel/internal/eventstore/models"
-	"github.com/caos/zitadel/internal/policy/model"
-	"github.com/caos/zitadel/pkg/grpc/management"
-)
-
-func passwordLockoutPolicyFromModel(policy *model.PasswordLockoutPolicy) *management.PasswordLockoutPolicy {
-	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
-	logging.Log("GRPC-JRSbT").OnError(err).Debug("unable to parse timestamp")
-
-	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
-	logging.Log("GRPC-1sizr").OnError(err).Debug("unable to parse timestamp")
-
-	return &management.PasswordLockoutPolicy{
-		Id:                  policy.AggregateID,
-		CreationDate:        creationDate,
-		ChangeDate:          changeDate,
-		Sequence:            policy.Sequence,
-		Description:         policy.Description,
-		MaxAttempts:         policy.MaxAttempts,
-		ShowLockOutFailures: policy.ShowLockOutFailures,
-		IsDefault:           policy.AggregateID == "",
-	}
-}
-
-func passwordLockoutPolicyToModel(policy *management.PasswordLockoutPolicy) *model.PasswordLockoutPolicy {
-	creationDate, err := ptypes.Timestamp(policy.CreationDate)
-	logging.Log("GRPC-8a511").OnError(err).Debug("unable to parse timestamp")
-
-	changeDate, err := ptypes.Timestamp(policy.ChangeDate)
-	logging.Log("GRPC-2rdGv").OnError(err).Debug("unable to parse timestamp")
-
-	return &model.PasswordLockoutPolicy{
-		ObjectRoot: models.ObjectRoot{
-			AggregateID:  policy.Id,
-			CreationDate: creationDate,
-			ChangeDate:   changeDate,
-			Sequence:     policy.Sequence,
-		},
-		Description: policy.Description,
-
-		MaxAttempts:         policy.MaxAttempts,
-		ShowLockOutFailures: policy.ShowLockOutFailures,
-	}
-}
-
-func passwordLockoutPolicyCreateToModel(policy *management.PasswordLockoutPolicyCreate) *model.PasswordLockoutPolicy {
-	return &model.PasswordLockoutPolicy{
-		Description:         policy.Description,
-		MaxAttempts:         policy.MaxAttempts,
-		ShowLockOutFailures: policy.ShowLockOutFailures,
-	}
-}
-
-func passwordLockoutPolicyUpdateToModel(policy *management.PasswordLockoutPolicyUpdate) *model.PasswordLockoutPolicy {
-	return &model.PasswordLockoutPolicy{
-		ObjectRoot: models.ObjectRoot{
-			AggregateID: policy.Id,
-		},
-		Description:         policy.Description,
-		MaxAttempts:         policy.MaxAttempts,
-		ShowLockOutFailures: policy.ShowLockOutFailures,
-	}
-}

internal/api/grpc/management/server.go

@@ -19,7 +19,6 @@ var _ management.ManagementServiceServer = (*Server)(nil)
 
 type Server struct {
 	project        repository.ProjectRepository
-	policy         repository.PolicyRepository
 	org            repository.OrgRepository
 	user           repository.UserRepository
 	usergrant      repository.UserGrantRepository
@@ -35,7 +34,6 @@ type Config struct {
 func CreateServer(repo repository.Repository, sd systemdefaults.SystemDefaults) *Server {
 	return &Server{
 		project:        repo,
-		policy:         repo,
 		org:            repo,
 		user:           repo,
 		usergrant:      repo,

internal/api/http/marshal.go

@@ -7,7 +7,11 @@ import (
 	"github.com/caos/logging"
 )
 
-func MarshalJSON(w http.ResponseWriter, i interface{}) {
+func MarshalJSON(w http.ResponseWriter, i interface{}, err error, statusCode int) {
+	if err != nil {
+		http.Error(w, err.Error(), statusCode)
+		return
+	}
 	b, err := json.Marshal(i)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)

internal/auth/repository/eventsourcing/eventstore/auth_request.go

@@ -7,7 +7,6 @@ import (
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	iam_es_model "github.com/caos/zitadel/internal/iam/repository/view/model"
 	org_event "github.com/caos/zitadel/internal/org/repository/eventsourcing"
-	policy_event "github.com/caos/zitadel/internal/policy/repository/eventsourcing"
 	"time"
 
 	"github.com/caos/logging"
@@ -30,7 +29,6 @@ import (
 type AuthRequestRepo struct {
 	UserEvents   *user_event.UserEventstore
 	OrgEvents    *org_event.OrgEventstore
-	PolicyEvents *policy_event.PolicyEventstore
 	AuthRequests cache.AuthRequestCache
 	View         *view.View
 
@@ -264,15 +262,23 @@ func (repo *AuthRequestRepo) AutoRegisterExternalUser(ctx context.Context, regis
 	if resourceOwner != "" {
 		policyResourceOwner = resourceOwner
 	}
-	pwPolicy, err := repo.PolicyEvents.GetPasswordComplexityPolicy(ctx, policyResourceOwner)
+	pwPolicy, err := repo.View.PasswordComplexityPolicyByAggregateID(policyResourceOwner)
+	if errors.IsNotFound(err) {
+		pwPolicy, err = repo.View.PasswordComplexityPolicyByAggregateID(repo.IAMID)
+	}
 	if err != nil {
 		return err
 	}
-	orgPolicy, err := repo.OrgEvents.GetOrgIAMPolicy(ctx, policyResourceOwner)
+	pwPolicyView := iam_es_model.PasswordComplexityViewToModel(pwPolicy)
+	orgPolicy, err := repo.View.OrgIAMPolicyByAggregateID(policyResourceOwner)
+	if errors.IsNotFound(err) {
+		orgPolicy, err = repo.View.OrgIAMPolicyByAggregateID(repo.IAMID)
+	}
 	if err != nil {
 		return err
 	}
-	user, aggregates, err := repo.UserEvents.PrepareRegisterUser(ctx, registerUser, externalIDP, pwPolicy, orgPolicy, resourceOwner)
+	orgPolicyView := iam_es_model.OrgIAMViewToModel(orgPolicy)
+	user, aggregates, err := repo.UserEvents.PrepareRegisterUser(ctx, registerUser, externalIDP, pwPolicyView, orgPolicyView, resourceOwner)
 	if err != nil {
 		return err
 	}

internal/auth/repository/eventsourcing/eventstore/org.go

@@ -3,6 +3,9 @@ package eventstore
 import (
 	"context"
 	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/config/systemdefaults"
+	"github.com/caos/zitadel/internal/errors"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	iam_view_model "github.com/caos/zitadel/internal/iam/repository/view/model"
 
@@ -13,8 +16,6 @@ import (
 	org_model "github.com/caos/zitadel/internal/org/model"
 	org_es "github.com/caos/zitadel/internal/org/repository/eventsourcing"
 	"github.com/caos/zitadel/internal/org/repository/view/model"
-	policy_model "github.com/caos/zitadel/internal/policy/model"
-	policy_es "github.com/caos/zitadel/internal/policy/repository/eventsourcing"
 	usr_es "github.com/caos/zitadel/internal/user/repository/eventsourcing"
 )
 
@@ -23,12 +24,12 @@ const (
 )
 
 type OrgRepository struct {
-	SearchLimit      uint64
-	OrgEventstore    *org_es.OrgEventstore
-	UserEventstore   *usr_es.UserEventstore
-	PolicyEventstore *policy_es.PolicyEventstore
+	SearchLimit    uint64
+	OrgEventstore  *org_es.OrgEventstore
+	UserEventstore *usr_es.UserEventstore
 
-	View *auth_view.View
+	View           *auth_view.View
+	SystemDefaults systemdefaults.SystemDefaults
 }
 
 func (repo *OrgRepository) SearchOrgs(ctx context.Context, request *org_model.OrgSearchRequest) (*org_model.OrgSearchResult, error) {
@@ -53,14 +54,16 @@ func (repo *OrgRepository) SearchOrgs(ctx context.Context, request *org_model.Or
 }
 
 func (repo *OrgRepository) RegisterOrg(ctx context.Context, register *auth_model.RegisterOrg) (*auth_model.RegisterOrg, error) {
-	pwPolicy, err := repo.PolicyEventstore.GetPasswordComplexityPolicy(ctx, policy_model.DefaultPolicy)
+	pwPolicy, err := repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
 	if err != nil {
 		return nil, err
 	}
-	orgPolicy, err := repo.OrgEventstore.GetOrgIAMPolicy(ctx, policy_model.DefaultPolicy)
+	pwPolicyView := iam_view_model.PasswordComplexityViewToModel(pwPolicy)
+	orgPolicy, err := repo.View.OrgIAMPolicyByAggregateID(repo.SystemDefaults.IamID)
 	if err != nil {
 		return nil, err
 	}
+	orgPolicyView := iam_view_model.OrgIAMViewToModel(orgPolicy)
 	users := func(ctx context.Context, domain string) ([]*es_models.Aggregate, error) {
 		userIDs, err := repo.View.UserIDsByDomain(domain)
 		if err != nil {
@@ -72,7 +75,7 @@ func (repo *OrgRepository) RegisterOrg(ctx context.Context, register *auth_model
 	if err != nil {
 		return nil, err
 	}
-	user, userAggregates, err := repo.UserEventstore.PrepareRegisterUser(ctx, register.User, nil, pwPolicy, orgPolicy, org.AggregateID)
+	user, userAggregates, err := repo.UserEventstore.PrepareRegisterUser(ctx, register.User, nil, pwPolicyView, orgPolicyView, org.AggregateID)
 	if err != nil {
 		return nil, err
 	}
@@ -95,12 +98,25 @@ func (repo *OrgRepository) RegisterOrg(ctx context.Context, register *auth_model
 	return RegisterToModel(registerModel), nil
 }
 
-func (repo *OrgRepository) GetDefaultOrgIamPolicy(ctx context.Context) *org_model.OrgIAMPolicy {
-	return repo.OrgEventstore.GetDefaultOrgIAMPolicy(ctx)
+func (repo *OrgRepository) GetDefaultOrgIAMPolicy(ctx context.Context) (*iam_model.OrgIAMPolicyView, error) {
+	orgPolicy, err := repo.View.OrgIAMPolicyByAggregateID(repo.SystemDefaults.IamID)
+	if err != nil {
+		return nil, err
+	}
+	policy := iam_view_model.OrgIAMViewToModel(orgPolicy)
+	policy.IAMDomain = repo.SystemDefaults.Domain
+	return policy, err
 }
 
-func (repo *OrgRepository) GetOrgIamPolicy(ctx context.Context, orgID string) (*org_model.OrgIAMPolicy, error) {
-	return repo.OrgEventstore.GetOrgIAMPolicy(ctx, orgID)
+func (repo *OrgRepository) GetOrgIAMPolicy(ctx context.Context, orgID string) (*iam_model.OrgIAMPolicyView, error) {
+	orgPolicy, err := repo.View.OrgIAMPolicyByAggregateID(orgID)
+	if errors.IsNotFound(err) {
+		orgPolicy, err = repo.View.OrgIAMPolicyByAggregateID(repo.SystemDefaults.IamID)
+	}
+	if err != nil {
+		return nil, err
+	}
+	return iam_view_model.OrgIAMViewToModel(orgPolicy), nil
 }
 
 func (repo *OrgRepository) GetIDPConfigByID(ctx context.Context, idpConfigID string) (*iam_model.IDPConfigView, error) {
@@ -110,3 +126,18 @@ func (repo *OrgRepository) GetIDPConfigByID(ctx context.Context, idpConfigID str
 	}
 	return iam_view_model.IDPConfigViewToModel(idpConfig), nil
 }
+
+func (repo *OrgRepository) GetMyPasswordComplexityPolicy(ctx context.Context) (*iam_model.PasswordComplexityPolicyView, error) {
+	policy, err := repo.View.PasswordComplexityPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
+	if errors.IsNotFound(err) {
+		policy, err = repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
+		if err != nil {
+			return nil, err
+		}
+		policy.Default = true
+	}
+	if err != nil {
+		return nil, err
+	}
+	return iam_view_model.PasswordComplexityViewToModel(policy), err
+}

internal/auth/repository/eventsourcing/eventstore/policy.go

@@ -1,18 +0,0 @@
-package eventstore
-
-import (
-	"context"
-
-	"github.com/caos/zitadel/internal/api/authz"
-	pol_model "github.com/caos/zitadel/internal/policy/model"
-	pol_event "github.com/caos/zitadel/internal/policy/repository/eventsourcing"
-)
-
-type PolicyRepo struct {
-	PolicyEvents *pol_event.PolicyEventstore
-}
-
-func (repo *PolicyRepo) GetMyPasswordComplexityPolicy(ctx context.Context) (*pol_model.PasswordComplexityPolicy, error) {
-	ctxData := authz.GetCtxData(ctx)
-	return repo.PolicyEvents.GetPasswordComplexityPolicy(ctx, ctxData.OrgID)
-}

internal/auth/repository/eventsourcing/eventstore/user.go

@@ -2,6 +2,8 @@ package eventstore
 
 import (
 	"context"
+	"github.com/caos/zitadel/internal/config/systemdefaults"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/view/model"
 
 	"github.com/caos/logging"
 
@@ -13,7 +15,6 @@ import (
 	"github.com/caos/zitadel/internal/eventstore/sdk"
 	org_model "github.com/caos/zitadel/internal/org/model"
 	org_event "github.com/caos/zitadel/internal/org/repository/eventsourcing"
-	policy_event "github.com/caos/zitadel/internal/policy/repository/eventsourcing"
 	"github.com/caos/zitadel/internal/user/model"
 	user_event "github.com/caos/zitadel/internal/user/repository/eventsourcing"
 	usr_model "github.com/caos/zitadel/internal/user/repository/eventsourcing/model"
@@ -21,12 +22,12 @@ import (
 )
 
 type UserRepo struct {
-	SearchLimit  uint64
-	Eventstore   eventstore.Eventstore
-	UserEvents   *user_event.UserEventstore
-	OrgEvents    *org_event.OrgEventstore
-	PolicyEvents *policy_event.PolicyEventstore
-	View         *view.View
+	SearchLimit    uint64
+	Eventstore     eventstore.Eventstore
+	UserEvents     *user_event.UserEventstore
+	OrgEvents      *org_event.OrgEventstore
+	View           *view.View
+	SystemDefaults systemdefaults.SystemDefaults
 }
 
 func (repo *UserRepo) Health(ctx context.Context) error {
@@ -46,15 +47,23 @@ func (repo *UserRepo) registerUser(ctx context.Context, registerUser *model.User
 	if resourceOwner != "" {
 		policyResourceOwner = resourceOwner
 	}
-	pwPolicy, err := repo.PolicyEvents.GetPasswordComplexityPolicy(ctx, policyResourceOwner)
+	pwPolicy, err := repo.View.PasswordComplexityPolicyByAggregateID(policyResourceOwner)
+	if errors.IsNotFound(err) {
+		pwPolicy, err = repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
+	}
 	if err != nil {
 		return nil, err
 	}
-	orgPolicy, err := repo.OrgEvents.GetOrgIAMPolicy(ctx, policyResourceOwner)
+	pwPolicyView := iam_es_model.PasswordComplexityViewToModel(pwPolicy)
+	orgPolicy, err := repo.View.OrgIAMPolicyByAggregateID(policyResourceOwner)
+	if errors.IsNotFound(err) {
+		orgPolicy, err = repo.View.OrgIAMPolicyByAggregateID(repo.SystemDefaults.IamID)
+	}
 	if err != nil {
 		return nil, err
 	}
-	user, aggregates, err := repo.UserEvents.PrepareRegisterUser(ctx, registerUser, externalIDP, pwPolicy, orgPolicy, resourceOwner)
+	orgPolicyView := iam_es_model.OrgIAMViewToModel(orgPolicy)
+	user, aggregates, err := repo.UserEvents.PrepareRegisterUser(ctx, registerUser, externalIDP, pwPolicyView, orgPolicyView, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
@@ -215,20 +224,28 @@ func (repo *UserRepo) ChangeMyAddress(ctx context.Context, address *model.Addres
 }
 
 func (repo *UserRepo) ChangeMyPassword(ctx context.Context, old, new string) error {
-	policy, err := repo.PolicyEvents.GetPasswordComplexityPolicy(ctx, authz.GetCtxData(ctx).OrgID)
+	policy, err := repo.View.PasswordComplexityPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
+	if errors.IsNotFound(err) {
+		policy, err = repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
+	}
 	if err != nil {
 		return err
 	}
-	_, err = repo.UserEvents.ChangePassword(ctx, policy, authz.GetCtxData(ctx).UserID, old, new)
+	pwPolicyView := iam_es_model.PasswordComplexityViewToModel(policy)
+	_, err = repo.UserEvents.ChangePassword(ctx, pwPolicyView, authz.GetCtxData(ctx).UserID, old, new)
 	return err
 }
 
 func (repo *UserRepo) ChangePassword(ctx context.Context, userID, old, new string) error {
-	policy, err := repo.PolicyEvents.GetPasswordComplexityPolicy(ctx, authz.GetCtxData(ctx).OrgID)
+	policy, err := repo.View.PasswordComplexityPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
+	if errors.IsNotFound(err) {
+		policy, err = repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
+	}
 	if err != nil {
 		return err
 	}
-	_, err = repo.UserEvents.ChangePassword(ctx, policy, userID, old, new)
+	pwPolicyView := iam_es_model.PasswordComplexityViewToModel(policy)
+	_, err = repo.UserEvents.ChangePassword(ctx, pwPolicyView, userID, old, new)
 	return err
 }
 
@@ -279,11 +296,15 @@ func (repo *UserRepo) RemoveMyMfaOTP(ctx context.Context) error {
 
 func (repo *UserRepo) ChangeMyUsername(ctx context.Context, username string) error {
 	ctxData := authz.GetCtxData(ctx)
-	orgPolicy, err := repo.OrgEvents.GetOrgIAMPolicy(ctx, ctxData.OrgID)
+	orgPolicy, err := repo.View.OrgIAMPolicyByAggregateID(ctxData.OrgID)
+	if errors.IsNotFound(err) {
+		orgPolicy, err = repo.View.OrgIAMPolicyByAggregateID(repo.SystemDefaults.IamID)
+	}
 	if err != nil {
 		return err
 	}
-	return repo.UserEvents.ChangeUsername(ctx, ctxData.UserID, username, orgPolicy)
+	orgPolicyView := iam_es_model.OrgIAMViewToModel(orgPolicy)
+	return repo.UserEvents.ChangeUsername(ctx, ctxData.UserID, username, orgPolicyView)
 }
 func (repo *UserRepo) ResendInitVerificationMail(ctx context.Context, userID string) error {
 	_, err := repo.UserEvents.CreateInitializeUserCodeByID(ctx, userID)
@@ -291,11 +312,15 @@ func (repo *UserRepo) ResendInitVerificationMail(ctx context.Context, userID str
 }
 
 func (repo *UserRepo) VerifyInitCode(ctx context.Context, userID, code, password string) error {
-	policy, err := repo.PolicyEvents.GetPasswordComplexityPolicy(ctx, authz.GetCtxData(ctx).OrgID)
+	policy, err := repo.View.PasswordComplexityPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
+	if errors.IsNotFound(err) {
+		policy, err = repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
+	}
 	if err != nil {
 		return err
 	}
-	return repo.UserEvents.VerifyInitCode(ctx, policy, userID, code, password)
+	pwPolicyView := iam_es_model.PasswordComplexityViewToModel(policy)
+	return repo.UserEvents.VerifyInitCode(ctx, pwPolicyView, userID, code, password)
 }
 
 func (repo *UserRepo) SkipMfaInit(ctx context.Context, userID string) error {
@@ -311,11 +336,15 @@ func (repo *UserRepo) RequestPasswordReset(ctx context.Context, loginname string
 }
 
 func (repo *UserRepo) SetPassword(ctx context.Context, userID, code, password string) error {
-	policy, err := repo.PolicyEvents.GetPasswordComplexityPolicy(ctx, authz.GetCtxData(ctx).OrgID)
+	policy, err := repo.View.PasswordComplexityPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
+	if errors.IsNotFound(err) {
+		policy, err = repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
+	}
 	if err != nil {
 		return err
 	}
-	return repo.UserEvents.SetPassword(ctx, policy, userID, code, password)
+	pwPolicyView := iam_es_model.PasswordComplexityViewToModel(policy)
+	return repo.UserEvents.SetPassword(ctx, pwPolicyView, userID, code, password)
 }
 
 func (repo *UserRepo) SignOut(ctx context.Context, agentID string) error {
@@ -369,11 +398,15 @@ func (repo *UserRepo) MyUserChanges(ctx context.Context, lastSequence uint64, li
 
 func (repo *UserRepo) ChangeUsername(ctx context.Context, userID, username string) error {
 	policyResourceOwner := authz.GetCtxData(ctx).OrgID
-	orgPolicy, err := repo.OrgEvents.GetOrgIAMPolicy(ctx, policyResourceOwner)
+	orgPolicy, err := repo.View.OrgIAMPolicyByAggregateID(policyResourceOwner)
+	if errors.IsNotFound(err) {
+		orgPolicy, err = repo.View.OrgIAMPolicyByAggregateID(repo.SystemDefaults.IamID)
+	}
 	if err != nil {
 		return err
 	}
-	return repo.UserEvents.ChangeUsername(ctx, userID, username, orgPolicy)
+	orgPolicyView := iam_es_model.OrgIAMViewToModel(orgPolicy)
+	return repo.UserEvents.ChangeUsername(ctx, userID, username, orgPolicyView)
 }
 
 func checkIDs(ctx context.Context, obj es_models.ObjectRoot) error {

internal/auth/repository/eventsourcing/handler/handler.go

@@ -37,7 +37,8 @@ type EventstoreRepos struct {
 
 func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, eventstore eventstore.Eventstore, repos EventstoreRepos, systemDefaults sd.SystemDefaults) []query.Handler {
 	return []query.Handler{
-		&User{handler: handler{view, bulkLimit, configs.cycleDuration("User"), errorCount}, orgEvents: repos.OrgEvents},
+		&User{handler: handler{view, bulkLimit, configs.cycleDuration("User"), errorCount},
+			orgEvents: repos.OrgEvents, iamEvents: repos.IamEvents, iamID: systemDefaults.IamID},
 		&UserSession{handler: handler{view, bulkLimit, configs.cycleDuration("UserSession"), errorCount}, userEvents: repos.UserEvents},
 		&UserMembership{handler: handler{view, bulkLimit, configs.cycleDuration("UserMembership"), errorCount}, orgEvents: repos.OrgEvents, projectEvents: repos.ProjectEvents},
 		&Token{handler: handler{view, bulkLimit, configs.cycleDuration("Token"), errorCount}, ProjectEvents: repos.ProjectEvents},
@@ -57,6 +58,8 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, ev
 		&IDPConfig{handler: handler{view, bulkLimit, configs.cycleDuration("IDPConfig"), errorCount}},
 		&IDPProvider{handler: handler{view, bulkLimit, configs.cycleDuration("IDPProvider"), errorCount}, systemDefaults: systemDefaults, orgEvents: repos.OrgEvents, iamEvents: repos.IamEvents},
 		&ExternalIDP{handler: handler{view, bulkLimit, configs.cycleDuration("ExternalIDP"), errorCount}, systemDefaults: systemDefaults, orgEvents: repos.OrgEvents, iamEvents: repos.IamEvents},
+		&PasswordComplexityPolicy{handler: handler{view, bulkLimit, configs.cycleDuration("PasswordComplexityPolicy"), errorCount}},
+		&OrgIAMPolicy{handler: handler{view, bulkLimit, configs.cycleDuration("OrgIAMPolicy"), errorCount}},
 	}
 }
 

internal/auth/repository/eventsourcing/handler/org_iam_policy.go

@@ -0,0 +1,69 @@
+package handler
+
+import (
+	"github.com/caos/logging"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/eventstore/spooler"
+	iam_model "github.com/caos/zitadel/internal/iam/repository/view/model"
+	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+)
+
+type OrgIAMPolicy struct {
+	handler
+}
+
+const (
+	orgIAMPolicyTable = "auth.org_iam_policies"
+)
+
+func (m *OrgIAMPolicy) ViewModel() string {
+	return orgIAMPolicyTable
+}
+
+func (m *OrgIAMPolicy) EventQuery() (*models.SearchQuery, error) {
+	sequence, err := m.view.GetLatestOrgIAMPolicySequence()
+	if err != nil {
+		return nil, err
+	}
+	return es_models.NewSearchQuery().
+		AggregateTypeFilter(model.OrgAggregate, iam_es_model.IAMAggregate).
+		LatestSequenceFilter(sequence.CurrentSequence), nil
+}
+
+func (m *OrgIAMPolicy) Reduce(event *models.Event) (err error) {
+	switch event.AggregateType {
+	case model.OrgAggregate, iam_es_model.IAMAggregate:
+		err = m.processOrgIAMPolicy(event)
+	}
+	return err
+}
+
+func (m *OrgIAMPolicy) processOrgIAMPolicy(event *models.Event) (err error) {
+	policy := new(iam_model.OrgIAMPolicyView)
+	switch event.Type {
+	case iam_es_model.OrgIAMPolicyAdded, model.OrgIAMPolicyAdded:
+		err = policy.AppendEvent(event)
+	case iam_es_model.OrgIAMPolicyChanged, model.OrgIAMPolicyChanged:
+		policy, err = m.view.OrgIAMPolicyByAggregateID(event.AggregateID)
+		if err != nil {
+			return err
+		}
+		err = policy.AppendEvent(event)
+	case model.OrgIAMPolicyRemoved:
+		return m.view.DeleteOrgIAMPolicy(event.AggregateID, event.Sequence)
+	default:
+		return m.view.ProcessedOrgIAMPolicySequence(event.Sequence)
+	}
+	if err != nil {
+		return err
+	}
+	return m.view.PutOrgIAMPolicy(policy, policy.Sequence)
+}
+
+func (m *OrgIAMPolicy) OnError(event *models.Event, err error) error {
+	logging.LogWithFields("SPOOL-3Gj8s", "id", event.AggregateID).WithError(err).Warn("something went wrong in orgIAM policy handler")
+	return spooler.HandleError(event, err, m.view.GetLatestOrgIAMPolicyFailedEvent, m.view.ProcessedOrgIAMPolicyFailedEvent, m.view.ProcessedOrgIAMPolicySequence, m.errorCountUntilSkip)
+}

internal/auth/repository/eventsourcing/handler/password_complexity_policy.go

@@ -0,0 +1,69 @@
+package handler
+
+import (
+	"github.com/caos/logging"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/eventstore/spooler"
+	iam_model "github.com/caos/zitadel/internal/iam/repository/view/model"
+	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+)
+
+type PasswordComplexityPolicy struct {
+	handler
+}
+
+const (
+	passwordComplexityPolicyTable = "auth.password_complexity_policies"
+)
+
+func (m *PasswordComplexityPolicy) ViewModel() string {
+	return passwordComplexityPolicyTable
+}
+
+func (m *PasswordComplexityPolicy) EventQuery() (*models.SearchQuery, error) {
+	sequence, err := m.view.GetLatestPasswordComplexityPolicySequence()
+	if err != nil {
+		return nil, err
+	}
+	return es_models.NewSearchQuery().
+		AggregateTypeFilter(model.OrgAggregate, iam_es_model.IAMAggregate).
+		LatestSequenceFilter(sequence.CurrentSequence), nil
+}
+
+func (m *PasswordComplexityPolicy) Reduce(event *models.Event) (err error) {
+	switch event.AggregateType {
+	case model.OrgAggregate, iam_es_model.IAMAggregate:
+		err = m.processPasswordComplexityPolicy(event)
+	}
+	return err
+}
+
+func (m *PasswordComplexityPolicy) processPasswordComplexityPolicy(event *models.Event) (err error) {
+	policy := new(iam_model.PasswordComplexityPolicyView)
+	switch event.Type {
+	case iam_es_model.PasswordComplexityPolicyAdded, model.PasswordComplexityPolicyAdded:
+		err = policy.AppendEvent(event)
+	case iam_es_model.PasswordComplexityPolicyChanged, model.PasswordComplexityPolicyChanged:
+		policy, err = m.view.PasswordComplexityPolicyByAggregateID(event.AggregateID)
+		if err != nil {
+			return err
+		}
+		err = policy.AppendEvent(event)
+	case model.PasswordComplexityPolicyRemoved:
+		return m.view.DeletePasswordComplexityPolicy(event.AggregateID, event.Sequence)
+	default:
+		return m.view.ProcessedPasswordComplexityPolicySequence(event.Sequence)
+	}
+	if err != nil {
+		return err
+	}
+	return m.view.PutPasswordComplexityPolicy(policy, policy.Sequence)
+}
+
+func (m *PasswordComplexityPolicy) OnError(event *models.Event, err error) error {
+	logging.LogWithFields("SPOOL-4Djo9", "id", event.AggregateID).WithError(err).Warn("something went wrong in passwordComplexity policy handler")
+	return spooler.HandleError(event, err, m.view.GetLatestPasswordComplexityPolicyFailedEvent, m.view.ProcessedPasswordComplexityPolicyFailedEvent, m.view.ProcessedPasswordComplexityPolicySequence, m.errorCountUntilSkip)
+}

internal/auth/repository/eventsourcing/handler/user.go

@@ -2,6 +2,7 @@ package handler
 
 import (
 	"context"
+	iam_es "github.com/caos/zitadel/internal/iam/repository/eventsourcing"
 
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	org_model "github.com/caos/zitadel/internal/org/model"
@@ -21,6 +22,8 @@ type User struct {
 	handler
 	eventstore eventstore.Eventstore
 	orgEvents  *org_events.OrgEventstore
+	iamEvents  *iam_es.IAMEventstore
+	iamID      string
 }
 
 const (
@@ -126,9 +129,12 @@ func (u *User) fillLoginNames(user *view_model.UserView) (err error) {
 	if err != nil {
 		return err
 	}
-	policy, err := u.orgEvents.GetOrgIAMPolicy(context.Background(), user.ResourceOwner)
-	if err != nil {
-		return err
+	policy := org.OrgIamPolicy
+	if policy == nil {
+		policy, err = u.iamEvents.GetOrgIAMPolicy(context.Background(), u.iamID)
+		if err != nil {
+			return err
+		}
 	}
 	user.SetLoginNames(policy, org.Domains)
 	user.PreferredLoginName = user.GenerateLoginName(org.GetPrimaryDomain().Domain, policy.UserLoginMustBeDomain)
@@ -155,9 +161,12 @@ func (u *User) fillLoginNamesOnOrgUsers(event *models.Event) error {
 	if err != nil {
 		return err
 	}
-	policy, err := u.orgEvents.GetOrgIAMPolicy(context.Background(), event.ResourceOwner)
-	if err != nil {
-		return err
+	policy := org.OrgIamPolicy
+	if policy == nil {
+		policy, err = u.iamEvents.GetOrgIAMPolicy(context.Background(), u.iamID)
+		if err != nil {
+			return err
+		}
 	}
 	users, err := u.view.UsersByOrgID(event.AggregateID)
 	if err != nil {
@@ -174,9 +183,12 @@ func (u *User) fillPreferredLoginNamesOnOrgUsers(event *models.Event) error {
 	if err != nil {
 		return err
 	}
-	policy, err := u.orgEvents.GetOrgIAMPolicy(context.Background(), event.ResourceOwner)
-	if err != nil {
-		return err
+	policy := org.OrgIamPolicy
+	if policy == nil {
+		policy, err = u.iamEvents.GetOrgIAMPolicy(context.Background(), u.iamID)
+		if err != nil {
+			return err
+		}
 	}
 	if !policy.UserLoginMustBeDomain {
 		return nil

internal/auth/repository/eventsourcing/repository.go

@@ -19,7 +19,6 @@ import (
 	"github.com/caos/zitadel/internal/id"
 	es_key "github.com/caos/zitadel/internal/key/repository/eventsourcing"
 	es_org "github.com/caos/zitadel/internal/org/repository/eventsourcing"
-	es_policy "github.com/caos/zitadel/internal/policy/repository/eventsourcing"
 	es_proj "github.com/caos/zitadel/internal/project/repository/eventsourcing"
 	es_user "github.com/caos/zitadel/internal/user/repository/eventsourcing"
 )
@@ -45,7 +44,6 @@ type EsRepository struct {
 	eventstore.UserGrantRepo
 	eventstore.OrgRepository
 	eventstore.IAMRepository
-	eventstore.PolicyRepo
 }
 
 func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults, authZRepo *authz_repo.EsRepository) (*EsRepository, error) {
@@ -69,16 +67,7 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults, au
 	if err != nil {
 		return nil, err
 	}
-	policy, err := es_policy.StartPolicy(
-		es_policy.PolicyConfig{
-			Eventstore: es,
-			Cache:      conf.Eventstore.Cache,
-		},
-		systemDefaults,
-	)
-	if err != nil {
-		return nil, err
-	}
+
 	user, err := es_user.StartUser(
 		es_user.UserConfig{
 			Eventstore: es,
@@ -128,17 +117,16 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults, au
 	return &EsRepository{
 		spool,
 		eventstore.UserRepo{
-			SearchLimit:  conf.SearchLimit,
-			Eventstore:   es,
-			UserEvents:   user,
-			OrgEvents:    org,
-			PolicyEvents: policy,
-			View:         view,
+			SearchLimit:    conf.SearchLimit,
+			Eventstore:     es,
+			UserEvents:     user,
+			OrgEvents:      org,
+			View:           view,
+			SystemDefaults: systemDefaults,
 		},
 		eventstore.AuthRequestRepo{
 			UserEvents:                 user,
 			OrgEvents:                  org,
-			PolicyEvents:               policy,
 			AuthRequests:               authReq,
 			View:                       view,
 			UserSessionViewProvider:    view,
@@ -176,19 +164,16 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults, au
 			AuthZRepo:   authZRepo,
 		},
 		eventstore.OrgRepository{
-			SearchLimit:      conf.SearchLimit,
-			View:             view,
-			OrgEventstore:    org,
-			PolicyEventstore: policy,
-			UserEventstore:   user,
+			SearchLimit:    conf.SearchLimit,
+			View:           view,
+			OrgEventstore:  org,
+			UserEventstore: user,
+			SystemDefaults: systemDefaults,
 		},
 		eventstore.IAMRepository{
 			IAMEvents: iam,
 			IAMID:     systemDefaults.IamID,
 		},
-		eventstore.PolicyRepo{
-			PolicyEvents: policy,
-		},
 	}, nil
 }
 

internal/auth/repository/eventsourcing/view/org_iam_policy.go

@@ -0,0 +1,48 @@
+package view
+
+import (
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/iam/repository/view"
+	"github.com/caos/zitadel/internal/iam/repository/view/model"
+	global_view "github.com/caos/zitadel/internal/view/repository"
+)
+
+const (
+	orgIAMPolicyTable = "auth.org_iam_policies"
+)
+
+func (v *View) OrgIAMPolicyByAggregateID(aggregateID string) (*model.OrgIAMPolicyView, error) {
+	return view.GetOrgIAMPolicyByAggregateID(v.Db, orgIAMPolicyTable, aggregateID)
+}
+
+func (v *View) PutOrgIAMPolicy(policy *model.OrgIAMPolicyView, sequence uint64) error {
+	err := view.PutOrgIAMPolicy(v.Db, orgIAMPolicyTable, policy)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedOrgIAMPolicySequence(sequence)
+}
+
+func (v *View) DeleteOrgIAMPolicy(aggregateID string, eventSequence uint64) error {
+	err := view.DeleteOrgIAMPolicy(v.Db, orgIAMPolicyTable, aggregateID)
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	return v.ProcessedOrgIAMPolicySequence(eventSequence)
+}
+
+func (v *View) GetLatestOrgIAMPolicySequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(orgIAMPolicyTable)
+}
+
+func (v *View) ProcessedOrgIAMPolicySequence(eventSequence uint64) error {
+	return v.saveCurrentSequence(orgIAMPolicyTable, eventSequence)
+}
+
+func (v *View) GetLatestOrgIAMPolicyFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
+	return v.latestFailedEvent(orgIAMPolicyTable, sequence)
+}
+
+func (v *View) ProcessedOrgIAMPolicyFailedEvent(failedEvent *global_view.FailedEvent) error {
+	return v.saveFailedEvent(failedEvent)
+}

internal/auth/repository/eventsourcing/view/password_complexity_policy.go

@@ -0,0 +1,48 @@
+package view
+
+import (
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/iam/repository/view"
+	"github.com/caos/zitadel/internal/iam/repository/view/model"
+	global_view "github.com/caos/zitadel/internal/view/repository"
+)
+
+const (
+	passwordComplexityPolicyTable = "auth.password_complexity_policies"
+)
+
+func (v *View) PasswordComplexityPolicyByAggregateID(aggregateID string) (*model.PasswordComplexityPolicyView, error) {
+	return view.GetPasswordComplexityPolicyByAggregateID(v.Db, passwordComplexityPolicyTable, aggregateID)
+}
+
+func (v *View) PutPasswordComplexityPolicy(policy *model.PasswordComplexityPolicyView, sequence uint64) error {
+	err := view.PutPasswordComplexityPolicy(v.Db, passwordComplexityPolicyTable, policy)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedPasswordComplexityPolicySequence(sequence)
+}
+
+func (v *View) DeletePasswordComplexityPolicy(aggregateID string, eventSequence uint64) error {
+	err := view.DeletePasswordComplexityPolicy(v.Db, passwordComplexityPolicyTable, aggregateID)
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	return v.ProcessedPasswordComplexityPolicySequence(eventSequence)
+}
+
+func (v *View) GetLatestPasswordComplexityPolicySequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(passwordComplexityPolicyTable)
+}
+
+func (v *View) ProcessedPasswordComplexityPolicySequence(eventSequence uint64) error {
+	return v.saveCurrentSequence(passwordComplexityPolicyTable, eventSequence)
+}
+
+func (v *View) GetLatestPasswordComplexityPolicyFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
+	return v.latestFailedEvent(passwordComplexityPolicyTable, sequence)
+}
+
+func (v *View) ProcessedPasswordComplexityPolicyFailedEvent(failedEvent *global_view.FailedEvent) error {
+	return v.saveFailedEvent(failedEvent)
+}

internal/auth/repository/org.go

@@ -4,12 +4,12 @@ import (
 	"context"
 	auth_model "github.com/caos/zitadel/internal/auth/model"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
-	org_model "github.com/caos/zitadel/internal/org/model"
 )
 
 type OrgRepository interface {
 	RegisterOrg(context.Context, *auth_model.RegisterOrg) (*auth_model.RegisterOrg, error)
-	GetOrgIamPolicy(ctx context.Context, orgID string) (*org_model.OrgIAMPolicy, error)
-	GetDefaultOrgIamPolicy(ctx context.Context) *org_model.OrgIAMPolicy
+	GetOrgIAMPolicy(ctx context.Context, orgID string) (*iam_model.OrgIAMPolicyView, error)
+	GetDefaultOrgIAMPolicy(ctx context.Context) (*iam_model.OrgIAMPolicyView, error)
 	GetIDPConfigByID(ctx context.Context, idpConfigID string) (*iam_model.IDPConfigView, error)
+	GetMyPasswordComplexityPolicy(ctx context.Context) (*iam_model.PasswordComplexityPolicyView, error)
 }

internal/auth/repository/policy.go

@@ -1,10 +0,0 @@
-package repository
-
-import (
-	"context"
-	"github.com/caos/zitadel/internal/policy/model"
-)
-
-type PolicyRepository interface {
-	GetMyPasswordComplexityPolicy(ctx context.Context) (*model.PasswordComplexityPolicy, error)
-}

internal/auth/repository/repository.go

@@ -13,7 +13,6 @@ type Repository interface {
 	KeyRepository
 	UserSessionRepository
 	UserGrantRepository
-	PolicyRepository
 	OrgRepository
 	IAMRepository
 }

internal/config/systemdefaults/system_defaults.go

@@ -9,8 +9,6 @@ import (
 	"github.com/caos/zitadel/internal/notification/providers/email"
 	"github.com/caos/zitadel/internal/notification/providers/twilio"
 	"github.com/caos/zitadel/internal/notification/templates"
-	org_model "github.com/caos/zitadel/internal/org/model"
-	pol "github.com/caos/zitadel/internal/policy"
 )
 
 type SystemDefaults struct {
@@ -22,7 +20,6 @@ type SystemDefaults struct {
 	IDPConfigVerificationKey *crypto.KeyConfig
 	Multifactors             MultifactorConfig
 	VerificationLifetimes    VerificationLifetimes
-	DefaultPolicies          DefaultPolicies
 	DomainVerification       DomainVerification
 	IamID                    string
 	Notifications            Notifications
@@ -60,13 +57,6 @@ type VerificationLifetimes struct {
 	MfaHardwareCheck   types.Duration
 }
 
-type DefaultPolicies struct {
-	Age        pol.PasswordAgePolicyDefault
-	Complexity pol.PasswordComplexityPolicyDefault
-	Lockout    pol.PasswordLockoutPolicyDefault
-	OrgIam     org_model.OrgIAMPolicy
-}
-
 type DomainVerification struct {
 	VerificationKey       *crypto.KeyConfig
 	VerificationGenerator crypto.GeneratorConfig

internal/iam/model/iam.go

@@ -8,21 +8,27 @@ type Step int
 
 const (
 	Step1 Step = iota + 1
-	//TODO: label policy
-	// Step2
+	Step2
+	Step3
+	Step4
+	Step5
 	//StepCount marks the the length of possible steps (StepCount-1 == last possible step)
 	StepCount
 )
 
 type IAM struct {
 	es_models.ObjectRoot
-	GlobalOrgID        string
-	IAMProjectID       string
-	SetUpDone          Step
-	SetUpStarted       Step
-	Members            []*IAMMember
-	IDPs               []*IDPConfig
-	DefaultLoginPolicy *LoginPolicy
+	GlobalOrgID                     string
+	IAMProjectID                    string
+	SetUpDone                       Step
+	SetUpStarted                    Step
+	Members                         []*IAMMember
+	IDPs                            []*IDPConfig
+	DefaultLoginPolicy              *LoginPolicy
+	DefaultOrgIAMPolicy             *OrgIAMPolicy
+	DefaultPasswordComplexityPolicy *PasswordComplexityPolicy
+	DefaultPasswordAgePolicy        *PasswordAgePolicy
+	DefaultPasswordLockoutPolicy    *PasswordLockoutPolicy
 }
 
 func (iam *IAM) GetMember(userID string) (int, *IAMMember) {

internal/iam/model/org_iam_policy.go

@@ -7,16 +7,7 @@ import (
 type OrgIAMPolicy struct {
 	models.ObjectRoot
 
-	Description           string
 	State                 PolicyState
 	UserLoginMustBeDomain bool
 	Default               bool
-	IamDomain             string
 }
-
-type PolicyState int32
-
-const (
-	PolicyStateActive PolicyState = iota
-	PolicyStateRemoved
-)

internal/iam/model/org_iam_policy_view.go

@@ -0,0 +1,47 @@
+package model
+
+import (
+	"github.com/caos/zitadel/internal/model"
+	"time"
+)
+
+type OrgIAMPolicyView struct {
+	AggregateID           string
+	UserLoginMustBeDomain bool
+	IAMDomain             string
+	Default               bool
+
+	CreationDate time.Time
+	ChangeDate   time.Time
+	Sequence     uint64
+}
+
+type OrgIAMPolicySearchRequest struct {
+	Offset        uint64
+	Limit         uint64
+	SortingColumn OrgIAMPolicySearchKey
+	Asc           bool
+	Queries       []*OrgIAMPolicySearchQuery
+}
+
+type OrgIAMPolicySearchKey int32
+
+const (
+	OrgIAMPolicySearchKeyUnspecified OrgIAMPolicySearchKey = iota
+	OrgIAMPolicySearchKeyAggregateID
+)
+
+type OrgIAMPolicySearchQuery struct {
+	Key    OrgIAMPolicySearchKey
+	Method model.SearchMethod
+	Value  interface{}
+}
+
+type OrgIAMPolicySearchResponse struct {
+	Offset      uint64
+	Limit       uint64
+	TotalResult uint64
+	Result      []*OrgIAMPolicyView
+	Sequence    uint64
+	Timestamp   time.Time
+}

internal/iam/model/password_age_policy.go

@@ -7,7 +7,6 @@ import (
 type PasswordAgePolicy struct {
 	models.ObjectRoot
 
-	Description    string
 	State          PolicyState
 	MaxAgeDays     uint64
 	ExpireWarnDays uint64

internal/iam/model/password_age_policy_view.go

@@ -0,0 +1,47 @@
+package model
+
+import (
+	"github.com/caos/zitadel/internal/model"
+	"time"
+)
+
+type PasswordAgePolicyView struct {
+	AggregateID    string
+	MaxAgeDays     uint64
+	ExpireWarnDays uint64
+	Default        bool
+
+	CreationDate time.Time
+	ChangeDate   time.Time
+	Sequence     uint64
+}
+
+type PasswordAgePolicySearchRequest struct {
+	Offset        uint64
+	Limit         uint64
+	SortingColumn PasswordAgePolicySearchKey
+	Asc           bool
+	Queries       []*PasswordAgePolicySearchQuery
+}
+
+type PasswordAgePolicySearchKey int32
+
+const (
+	PasswordAgePolicySearchKeyUnspecified PasswordAgePolicySearchKey = iota
+	PasswordAgePolicySearchKeyAggregateID
+)
+
+type PasswordAgePolicySearchQuery struct {
+	Key    PasswordAgePolicySearchKey
+	Method model.SearchMethod
+	Value  interface{}
+}
+
+type PasswordAgePolicySearchResponse struct {
+	Offset      uint64
+	Limit       uint64
+	TotalResult uint64
+	Result      []*PasswordAgePolicyView
+	Sequence    uint64
+	Timestamp   time.Time
+}

internal/iam/model/password_complexity_policy.go

@@ -0,0 +1,32 @@
+package model
+
+import (
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"regexp"
+)
+
+var (
+	hasStringLowerCase = regexp.MustCompile(`[a-z]`).MatchString
+	hasStringUpperCase = regexp.MustCompile(`[A-Z]`).MatchString
+	hasNumber          = regexp.MustCompile(`[0-9]`).MatchString
+	hasSymbol          = regexp.MustCompile(`[^A-Za-z0-9]`).MatchString
+)
+
+type PasswordComplexityPolicy struct {
+	models.ObjectRoot
+
+	State        PolicyState
+	MinLength    uint64
+	HasLowercase bool
+	HasUppercase bool
+	HasNumber    bool
+	HasSymbol    bool
+}
+
+func (p *PasswordComplexityPolicy) IsValid() error {
+	if p.MinLength == 0 || p.MinLength > 72 {
+		return caos_errs.ThrowInvalidArgument(nil, "MODEL-Lsp0e", "Errors.User.PasswordComplexityPolicy.MinLengthNotAllowed")
+	}
+	return nil
+}

internal/iam/model/password_complexity_policy_view.go

@@ -0,0 +1,74 @@
+package model
+
+import (
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/model"
+	"time"
+)
+
+type PasswordComplexityPolicyView struct {
+	AggregateID  string
+	MinLength    uint64
+	HasLowercase bool
+	HasUppercase bool
+	HasNumber    bool
+	HasSymbol    bool
+	Default      bool
+
+	CreationDate time.Time
+	ChangeDate   time.Time
+	Sequence     uint64
+}
+
+type PasswordComplexityPolicySearchRequest struct {
+	Offset        uint64
+	Limit         uint64
+	SortingColumn PasswordComplexityPolicySearchKey
+	Asc           bool
+	Queries       []*PasswordComplexityPolicySearchQuery
+}
+
+type PasswordComplexityPolicySearchKey int32
+
+const (
+	PasswordComplexityPolicySearchKeyUnspecified PasswordComplexityPolicySearchKey = iota
+	PasswordComplexityPolicySearchKeyAggregateID
+)
+
+type PasswordComplexityPolicySearchQuery struct {
+	Key    PasswordComplexityPolicySearchKey
+	Method model.SearchMethod
+	Value  interface{}
+}
+
+type PasswordComplexityPolicySearchResponse struct {
+	Offset      uint64
+	Limit       uint64
+	TotalResult uint64
+	Result      []*PasswordComplexityPolicyView
+	Sequence    uint64
+	Timestamp   time.Time
+}
+
+func (p *PasswordComplexityPolicyView) Check(password string) error {
+	if p.MinLength != 0 && uint64(len(password)) < p.MinLength {
+		return caos_errs.ThrowInvalidArgument(nil, "MODEL-HuJf6", "Errors.User.PasswordComplexityPolicy.MinLength")
+	}
+
+	if p.HasLowercase && !hasStringLowerCase(password) {
+		return caos_errs.ThrowInvalidArgument(nil, "MODEL-co3Xw", "Errors.User.PasswordComplexityPolicy.HasLower")
+	}
+
+	if p.HasUppercase && !hasStringUpperCase(password) {
+		return caos_errs.ThrowInvalidArgument(nil, "MODEL-VoaRj", "Errors.User.PasswordComplexityPolicy.HasUpper")
+	}
+
+	if p.HasNumber && !hasNumber(password) {
+		return caos_errs.ThrowInvalidArgument(nil, "MODEL-ZBv4H", "Errors.User.PasswordComplexityPolicy.HasNumber")
+	}
+
+	if p.HasSymbol && !hasSymbol(password) {
+		return caos_errs.ThrowInvalidArgument(nil, "MODEL-ZDLwA", "Errors.User.PasswordComplexityPolicy.HasSymbol")
+	}
+	return nil
+}

internal/iam/model/password_complexity_policy_view_test.go

@@ -6,7 +6,7 @@ import (
 
 func TestCheckPasswordComplexityPolicy(t *testing.T) {
 	type args struct {
-		policy   *PasswordComplexityPolicy
+		policy   *PasswordComplexityPolicyView
 		password string
 	}
 	tests := []struct {
@@ -17,7 +17,7 @@ func TestCheckPasswordComplexityPolicy(t *testing.T) {
 		{
 			name: "has minlength ok",
 			args: args{
-				policy: &PasswordComplexityPolicy{
+				policy: &PasswordComplexityPolicyView{
 					HasLowercase: false,
 					HasUppercase: false,
 					HasSymbol:    false,
@@ -31,7 +31,7 @@ func TestCheckPasswordComplexityPolicy(t *testing.T) {
 		{
 			name: "has minlength not ok",
 			args: args{
-				policy: &PasswordComplexityPolicy{
+				policy: &PasswordComplexityPolicyView{
 					HasLowercase: false,
 					HasUppercase: false,
 					HasSymbol:    false,
@@ -45,7 +45,7 @@ func TestCheckPasswordComplexityPolicy(t *testing.T) {
 		{
 			name: "has lowercase ok",
 			args: args{
-				policy: &PasswordComplexityPolicy{
+				policy: &PasswordComplexityPolicyView{
 					HasLowercase: true,
 					HasUppercase: false,
 					HasSymbol:    false,
@@ -59,7 +59,7 @@ func TestCheckPasswordComplexityPolicy(t *testing.T) {
 		{
 			name: "has lowercase not ok",
 			args: args{
-				policy: &PasswordComplexityPolicy{
+				policy: &PasswordComplexityPolicyView{
 					HasLowercase: true,
 					HasUppercase: false,
 					HasSymbol:    false,
@@ -73,7 +73,7 @@ func TestCheckPasswordComplexityPolicy(t *testing.T) {
 		{
 			name: "has uppercase ok",
 			args: args{
-				policy: &PasswordComplexityPolicy{
+				policy: &PasswordComplexityPolicyView{
 					HasLowercase: false,
 					HasUppercase: true,
 					HasSymbol:    false,
@@ -87,7 +87,7 @@ func TestCheckPasswordComplexityPolicy(t *testing.T) {
 		{
 			name: "has uppercase not ok",
 			args: args{
-				policy: &PasswordComplexityPolicy{
+				policy: &PasswordComplexityPolicyView{
 					HasLowercase: false,
 					HasUppercase: true,
 					HasSymbol:    false,
@@ -101,7 +101,7 @@ func TestCheckPasswordComplexityPolicy(t *testing.T) {
 		{
 			name: "has symbol ok",
 			args: args{
-				policy: &PasswordComplexityPolicy{
+				policy: &PasswordComplexityPolicyView{
 					HasLowercase: false,
 					HasUppercase: false,
 					HasSymbol:    true,
@@ -115,7 +115,7 @@ func TestCheckPasswordComplexityPolicy(t *testing.T) {
 		{
 			name: "has symbol not ok",
 			args: args{
-				policy: &PasswordComplexityPolicy{
+				policy: &PasswordComplexityPolicyView{
 					HasLowercase: false,
 					HasUppercase: false,
 					HasSymbol:    true,
@@ -129,7 +129,7 @@ func TestCheckPasswordComplexityPolicy(t *testing.T) {
 		{
 			name: "has number ok",
 			args: args{
-				policy: &PasswordComplexityPolicy{
+				policy: &PasswordComplexityPolicyView{
 					HasLowercase: false,
 					HasUppercase: false,
 					HasSymbol:    false,
@@ -143,7 +143,7 @@ func TestCheckPasswordComplexityPolicy(t *testing.T) {
 		{
 			name: "has number not ok",
 			args: args{
-				policy: &PasswordComplexityPolicy{
+				policy: &PasswordComplexityPolicyView{
 					HasLowercase: false,
 					HasUppercase: false,
 					HasSymbol:    false,
@@ -157,7 +157,7 @@ func TestCheckPasswordComplexityPolicy(t *testing.T) {
 		{
 			name: "has everything ok",
 			args: args{
-				policy: &PasswordComplexityPolicy{
+				policy: &PasswordComplexityPolicyView{
 					HasLowercase: true,
 					HasUppercase: true,
 					HasSymbol:    true,
@@ -171,7 +171,7 @@ func TestCheckPasswordComplexityPolicy(t *testing.T) {
 		{
 			name: "has everything not ok",
 			args: args{
-				policy: &PasswordComplexityPolicy{
+				policy: &PasswordComplexityPolicyView{
 					HasLowercase: true,
 					HasUppercase: true,
 					HasSymbol:    true,

internal/iam/model/password_lockout_policy.go

@@ -1,11 +1,12 @@
 package model
 
-import "github.com/caos/zitadel/internal/eventstore/models"
+import (
+	"github.com/caos/zitadel/internal/eventstore/models"
+)
 
 type PasswordLockoutPolicy struct {
 	models.ObjectRoot
 
-	Description         string
 	State               PolicyState
 	MaxAttempts         uint64
 	ShowLockOutFailures bool

internal/iam/model/password_lockout_policy_view.go

@@ -0,0 +1,47 @@
+package model
+
+import (
+	"github.com/caos/zitadel/internal/model"
+	"time"
+)
+
+type PasswordLockoutPolicyView struct {
+	AggregateID         string
+	MaxAttempts         uint64
+	ShowLockOutFailures bool
+	Default             bool
+
+	CreationDate time.Time
+	ChangeDate   time.Time
+	Sequence     uint64
+}
+
+type PasswordLockoutPolicySearchRequest struct {
+	Offset        uint64
+	Limit         uint64
+	SortingColumn PasswordLockoutPolicySearchKey
+	Asc           bool
+	Queries       []*PasswordLockoutPolicySearchQuery
+}
+
+type PasswordLockoutPolicySearchKey int32
+
+const (
+	PasswordLockoutPolicySearchKeyUnspecified PasswordLockoutPolicySearchKey = iota
+	PasswordLockoutPolicySearchKeyAggregateID
+)
+
+type PasswordLockoutPolicySearchQuery struct {
+	Key    PasswordLockoutPolicySearchKey
+	Method model.SearchMethod
+	Value  interface{}
+}
+
+type PasswordLockoutPolicySearchResponse struct {
+	Offset      uint64
+	Limit       uint64
+	TotalResult uint64
+	Result      []*PasswordLockoutPolicyView
+	Sequence    uint64
+	Timestamp   time.Time
+}

internal/iam/repository/eventsourcing/eventstore.go

@@ -2,7 +2,6 @@ package eventsourcing
 
 import (
 	"context"
-
 	"github.com/caos/zitadel/internal/cache/config"
 	sd "github.com/caos/zitadel/internal/config/systemdefaults"
 	"github.com/caos/zitadel/internal/crypto"
@@ -102,6 +101,15 @@ func (es *IAMEventstore) SetupDone(ctx context.Context, iamID string, step iam_m
 	return model.IAMToModel(repoIam), nil
 }
 
+func (es *IAMEventstore) PrepareSetupDone(ctx context.Context, iam *model.IAM, aggregate *models.Aggregate, step iam_model.Step) (*model.IAM, *models.Aggregate, func(ctx context.Context, aggregates ...*models.Aggregate) error, error) {
+	iam.SetUpDone = model.Step(step)
+	agg, err := IAMSetupDoneEvent(ctx, aggregate, iam)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	return iam, agg, es.PushAggregates, nil
+}
+
 func (es *IAMEventstore) SetGlobalOrg(ctx context.Context, iamID, globalOrg string) (*iam_model.IAM, error) {
 	iam, err := es.IAMByID(ctx, iamID)
 	if err != nil {
@@ -407,20 +415,31 @@ func (es *IAMEventstore) ChangeIDPOIDCConfig(ctx context.Context, config *iam_mo
 	return nil, caos_errs.ThrowInternal(nil, "EVENT-Sldk8", "Errors.Internal")
 }
 
-func (es *IAMEventstore) AddLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*iam_model.LoginPolicy, error) {
+func (es *IAMEventstore) PrepareAddLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*model.IAM, *models.Aggregate, error) {
 	if policy == nil || !policy.IsValid() {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-Lso02", "Errors.IAM.LoginPolicyInvalid")
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-Lso02", "Errors.IAM.LoginPolicyInvalid")
 	}
 	iam, err := es.IAMByID(ctx, policy.AggregateID)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	repoIam := model.IAMFromModel(iam)
 	repoLoginPolicy := model.LoginPolicyFromModel(policy)
 
-	addAggregate := LoginPolicyAddedAggregate(es.Eventstore.AggregateCreator(), repoIam, repoLoginPolicy)
-	err = es_sdk.Push(ctx, es.PushAggregates, repoIam.AppendEvents, addAggregate)
+	addAggregate, err := LoginPolicyAddedAggregate(ctx, es.Eventstore.AggregateCreator(), repoIam, repoLoginPolicy)
+	if err != nil {
+		return nil, nil, err
+	}
+	return repoIam, addAggregate, nil
+}
+
+func (es *IAMEventstore) AddLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*iam_model.LoginPolicy, error) {
+	repoIam, addAggregate, err := es.PrepareAddLoginPolicy(ctx, policy)
+	if err != nil {
+		return nil, err
+	}
+	err = es_sdk.PushAggregates(ctx, es.PushAggregates, repoIam.AppendEvents, addAggregate)
 	if err != nil {
 		return nil, err
 	}
@@ -506,3 +525,232 @@ func (es *IAMEventstore) RemoveIDPProviderFromLoginPolicy(ctx context.Context, p
 	es.iamCache.cacheIAM(repoIam)
 	return nil
 }
+
+func (es *IAMEventstore) PrepareAddPasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*model.IAM, *models.Aggregate, error) {
+	if policy == nil {
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-Lso02", "Errors.IAM.PasswordComplexityPolicy.Empty")
+	}
+	if err := policy.IsValid(); err != nil {
+		return nil, nil, err
+	}
+	iam, err := es.IAMByID(ctx, policy.AggregateID)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	repoIam := model.IAMFromModel(iam)
+	repoPasswordComplexityPolicy := model.PasswordComplexityPolicyFromModel(policy)
+
+	addAggregate, err := PasswordComplexityPolicyAddedAggregate(ctx, es.Eventstore.AggregateCreator(), repoIam, repoPasswordComplexityPolicy)
+	if err != nil {
+		return nil, nil, err
+	}
+	return repoIam, addAggregate, nil
+}
+
+func (es *IAMEventstore) AddPasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error) {
+	repoIam, addAggregate, err := es.PrepareAddPasswordComplexityPolicy(ctx, policy)
+	if err != nil {
+		return nil, err
+	}
+	err = es_sdk.PushAggregates(ctx, es.PushAggregates, repoIam.AppendEvents, addAggregate)
+	if err != nil {
+		return nil, err
+	}
+	es.iamCache.cacheIAM(repoIam)
+	return model.PasswordComplexityPolicyToModel(repoIam.DefaultPasswordComplexityPolicy), nil
+}
+
+func (es *IAMEventstore) ChangePasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error) {
+	if policy == nil {
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-Lso02", "Errors.IAM.PasswordComplexityPolicy.Empty")
+	}
+	if err := policy.IsValid(); err != nil {
+		return nil, err
+	}
+	iam, err := es.IAMByID(ctx, policy.AggregateID)
+	if err != nil {
+		return nil, err
+	}
+
+	repoIam := model.IAMFromModel(iam)
+	repoPasswordComplexityPolicy := model.PasswordComplexityPolicyFromModel(policy)
+
+	addAggregate := PasswordComplexityPolicyChangedAggregate(es.Eventstore.AggregateCreator(), repoIam, repoPasswordComplexityPolicy)
+	err = es_sdk.Push(ctx, es.PushAggregates, repoIam.AppendEvents, addAggregate)
+	if err != nil {
+		return nil, err
+	}
+	es.iamCache.cacheIAM(repoIam)
+	return model.PasswordComplexityPolicyToModel(repoIam.DefaultPasswordComplexityPolicy), nil
+}
+
+func (es *IAMEventstore) PrepareAddPasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*model.IAM, *models.Aggregate, error) {
+	if policy == nil || policy.AggregateID == "" {
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-2dGt6", "Errors.IAM.PasswordAgePolicy.Empty")
+	}
+	iam, err := es.IAMByID(ctx, policy.AggregateID)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	repoIam := model.IAMFromModel(iam)
+	repoPasswordAgePolicy := model.PasswordAgePolicyFromModel(policy)
+
+	addAggregate, err := PasswordAgePolicyAddedAggregate(ctx, es.Eventstore.AggregateCreator(), repoIam, repoPasswordAgePolicy)
+	if err != nil {
+		return nil, nil, err
+	}
+	return repoIam, addAggregate, nil
+}
+
+func (es *IAMEventstore) AddPasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error) {
+	repoIam, addAggregate, err := es.PrepareAddPasswordAgePolicy(ctx, policy)
+	if err != nil {
+		return nil, err
+	}
+	err = es_sdk.PushAggregates(ctx, es.PushAggregates, repoIam.AppendEvents, addAggregate)
+	if err != nil {
+		return nil, err
+	}
+	es.iamCache.cacheIAM(repoIam)
+	return model.PasswordAgePolicyToModel(repoIam.DefaultPasswordAgePolicy), nil
+}
+
+func (es *IAMEventstore) ChangePasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error) {
+	if policy == nil || policy.AggregateID == "" {
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-2Fgt6", "Errors.IAM.PasswordAgePolicy.Empty")
+	}
+	iam, err := es.IAMByID(ctx, policy.AggregateID)
+	if err != nil {
+		return nil, err
+	}
+
+	repoIam := model.IAMFromModel(iam)
+	repoPasswordAgePolicy := model.PasswordAgePolicyFromModel(policy)
+
+	addAggregate := PasswordAgePolicyChangedAggregate(es.Eventstore.AggregateCreator(), repoIam, repoPasswordAgePolicy)
+	err = es_sdk.Push(ctx, es.PushAggregates, repoIam.AppendEvents, addAggregate)
+	if err != nil {
+		return nil, err
+	}
+	es.iamCache.cacheIAM(repoIam)
+	return model.PasswordAgePolicyToModel(repoIam.DefaultPasswordAgePolicy), nil
+}
+
+func (es *IAMEventstore) PrepareAddPasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*model.IAM, *models.Aggregate, error) {
+	if policy == nil || policy.AggregateID == "" {
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-3R56z", "Errors.IAM.PasswordLockoutPolicy.Empty")
+	}
+	iam, err := es.IAMByID(ctx, policy.AggregateID)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	repoIam := model.IAMFromModel(iam)
+	repoPasswordLockoutPolicy := model.PasswordLockoutPolicyFromModel(policy)
+
+	addAggregate, err := PasswordLockoutPolicyAddedAggregate(ctx, es.Eventstore.AggregateCreator(), repoIam, repoPasswordLockoutPolicy)
+	if err != nil {
+		return nil, nil, err
+	}
+	return repoIam, addAggregate, nil
+}
+
+func (es *IAMEventstore) AddPasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error) {
+	repoIam, addAggregate, err := es.PrepareAddPasswordLockoutPolicy(ctx, policy)
+	if err != nil {
+		return nil, err
+	}
+	err = es_sdk.PushAggregates(ctx, es.PushAggregates, repoIam.AppendEvents, addAggregate)
+	if err != nil {
+		return nil, err
+	}
+	es.iamCache.cacheIAM(repoIam)
+	return model.PasswordLockoutPolicyToModel(repoIam.DefaultPasswordLockoutPolicy), nil
+}
+
+func (es *IAMEventstore) ChangePasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error) {
+	if policy == nil || policy.AggregateID == "" {
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-6Zsj9", "Errors.IAM.PasswordLockoutPolicy.Empty")
+	}
+	iam, err := es.IAMByID(ctx, policy.AggregateID)
+	if err != nil {
+		return nil, err
+	}
+
+	repoIam := model.IAMFromModel(iam)
+	repoPasswordLockoutPolicy := model.PasswordLockoutPolicyFromModel(policy)
+
+	addAggregate := PasswordLockoutPolicyChangedAggregate(es.Eventstore.AggregateCreator(), repoIam, repoPasswordLockoutPolicy)
+	err = es_sdk.Push(ctx, es.PushAggregates, repoIam.AppendEvents, addAggregate)
+	if err != nil {
+		return nil, err
+	}
+	es.iamCache.cacheIAM(repoIam)
+	return model.PasswordLockoutPolicyToModel(repoIam.DefaultPasswordLockoutPolicy), nil
+}
+
+func (es *IAMEventstore) GetOrgIAMPolicy(ctx context.Context, iamID string) (*iam_model.OrgIAMPolicy, error) {
+	existingIAM, err := es.IAMByID(ctx, iamID)
+	if err != nil {
+		return nil, err
+	}
+	if existingIAM.DefaultOrgIAMPolicy == nil {
+		return nil, caos_errs.ThrowNotFound(nil, "EVENT-2Fj8s", "Errors.IAM.OrgIAM.NotExisting")
+	}
+	return existingIAM.DefaultOrgIAMPolicy, nil
+}
+
+func (es *IAMEventstore) PrepareAddOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*model.IAM, *models.Aggregate, error) {
+	if policy == nil || policy.AggregateID == "" {
+		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-3R56z", "Errors.IAM.OrgIAMPolicy.Empty")
+	}
+	iam, err := es.IAMByID(ctx, policy.AggregateID)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	repoIam := model.IAMFromModel(iam)
+	repoOrgIAMPolicy := model.OrgIAMPolicyFromModel(policy)
+
+	addAggregate, err := OrgIAMPolicyAddedAggregate(ctx, es.Eventstore.AggregateCreator(), repoIam, repoOrgIAMPolicy)
+	if err != nil {
+		return nil, nil, err
+	}
+	return repoIam, addAggregate, nil
+}
+
+func (es *IAMEventstore) AddOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
+	repoIam, addAggregate, err := es.PrepareAddOrgIAMPolicy(ctx, policy)
+	if err != nil {
+		return nil, err
+	}
+	err = es_sdk.PushAggregates(ctx, es.PushAggregates, repoIam.AppendEvents, addAggregate)
+	if err != nil {
+		return nil, err
+	}
+	es.iamCache.cacheIAM(repoIam)
+	return model.OrgIAMPolicyToModel(repoIam.DefaultOrgIAMPolicy), nil
+}
+
+func (es *IAMEventstore) ChangeOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
+	if policy == nil || policy.AggregateID == "" {
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-6Zsj9", "Errors.IAM.OrgIAMPolicy.Empty")
+	}
+	iam, err := es.IAMByID(ctx, policy.AggregateID)
+	if err != nil {
+		return nil, err
+	}
+
+	repoIam := model.IAMFromModel(iam)
+	repoOrgIAMPolicy := model.OrgIAMPolicyFromModel(policy)
+
+	addAggregate := OrgIAMPolicyChangedAggregate(es.Eventstore.AggregateCreator(), repoIam, repoOrgIAMPolicy)
+	err = es_sdk.Push(ctx, es.PushAggregates, repoIam.AppendEvents, addAggregate)
+	if err != nil {
+		return nil, err
+	}
+	es.iamCache.cacheIAM(repoIam)
+	return model.OrgIAMPolicyToModel(repoIam.DefaultOrgIAMPolicy), nil
+}

internal/iam/repository/eventsourcing/eventstore_mock_test.go

@@ -39,11 +39,11 @@ func GetSonyFlacke() id.Generator {
 	return id.SonyFlakeGenerator
 }
 
-func GetMockIamByIDOK(ctrl *gomock.Controller) *IAMEventstore {
+func GetMockIAMByIDOK(ctrl *gomock.Controller) *IAMEventstore {
 	data, _ := json.Marshal(model.IAM{GlobalOrgID: "GlobalOrgID"})
 	events := []*es_models.Event{
-		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMSetupStarted},
-		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.GlobalOrgSet, Data: data},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMSetupStarted},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.GlobalOrgSet, Data: data},
 	}
 	mockEs := mock.NewMockEventstore(ctrl)
 	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)
@@ -57,9 +57,9 @@ func GetMockIamByIDNoEvents(ctrl *gomock.Controller) *IAMEventstore {
 	return GetMockedEventstore(ctrl, mockEs)
 }
 
-func GetMockManipulateIam(ctrl *gomock.Controller) *IAMEventstore {
+func GetMockManipulateIAM(ctrl *gomock.Controller) *IAMEventstore {
 	events := []*es_models.Event{
-		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMSetupStarted},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMSetupStarted},
 	}
 	mockEs := mock.NewMockEventstore(ctrl)
 	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)
@@ -68,9 +68,9 @@ func GetMockManipulateIam(ctrl *gomock.Controller) *IAMEventstore {
 	return GetMockedEventstore(ctrl, mockEs)
 }
 
-func GetMockManipulateIamWithCrypto(ctrl *gomock.Controller) *IAMEventstore {
+func GetMockManipulateIAMWithCrypto(ctrl *gomock.Controller) *IAMEventstore {
 	events := []*es_models.Event{
-		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMSetupStarted},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMSetupStarted},
 	}
 	mockEs := mock.NewMockEventstore(ctrl)
 	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)
@@ -79,11 +79,11 @@ func GetMockManipulateIamWithCrypto(ctrl *gomock.Controller) *IAMEventstore {
 	return GetMockedEventstoreWithCrypto(ctrl, mockEs)
 }
 
-func GetMockManipulateIamWithMember(ctrl *gomock.Controller) *IAMEventstore {
+func GetMockManipulateIAMWithMember(ctrl *gomock.Controller) *IAMEventstore {
 	memberData, _ := json.Marshal(model.IAMMember{UserID: "UserID", Roles: []string{"Role"}})
 	events := []*es_models.Event{
-		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMSetupStarted},
-		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMMemberAdded, Data: memberData},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMSetupStarted},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMMemberAdded, Data: memberData},
 	}
 	mockEs := mock.NewMockEventstore(ctrl)
 	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)
@@ -92,13 +92,13 @@ func GetMockManipulateIamWithMember(ctrl *gomock.Controller) *IAMEventstore {
 	return GetMockedEventstore(ctrl, mockEs)
 }
 
-func GetMockManipulateIamWithOIDCIdp(ctrl *gomock.Controller) *IAMEventstore {
+func GetMockManipulateIAMWithOIDCIdp(ctrl *gomock.Controller) *IAMEventstore {
 	idpData, _ := json.Marshal(model.IDPConfig{IDPConfigID: "IDPConfigID", Name: "Name"})
 	oidcData, _ := json.Marshal(model.OIDCIDPConfig{IDPConfigID: "IDPConfigID", ClientID: "ClientID"})
 	events := []*es_models.Event{
-		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMSetupStarted},
-		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.IDPConfigAdded, Data: idpData},
-		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.OIDCIDPConfigAdded, Data: oidcData},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMSetupStarted},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.IDPConfigAdded, Data: idpData},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.OIDCIDPConfigAdded, Data: oidcData},
 	}
 	mockEs := mock.NewMockEventstore(ctrl)
 	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)
@@ -107,13 +107,13 @@ func GetMockManipulateIamWithOIDCIdp(ctrl *gomock.Controller) *IAMEventstore {
 	return GetMockedEventstore(ctrl, mockEs)
 }
 
-func GetMockManipulateIamWithLoginPolicy(ctrl *gomock.Controller) *IAMEventstore {
+func GetMockManipulateIAMWithLoginPolicy(ctrl *gomock.Controller) *IAMEventstore {
 	policyData, _ := json.Marshal(model.LoginPolicy{AllowRegister: true, AllowUsernamePassword: true, AllowExternalIdp: true})
 	idpProviderData, _ := json.Marshal(model.IDPProvider{IDPConfigID: "IDPConfigID", Type: 1})
 	events := []*es_models.Event{
-		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMSetupStarted},
-		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.LoginPolicyAdded, Data: policyData},
-		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.LoginPolicyIDPProviderAdded, Data: idpProviderData},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMSetupStarted},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.LoginPolicyAdded, Data: policyData},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.LoginPolicyIDPProviderAdded, Data: idpProviderData},
 	}
 	mockEs := mock.NewMockEventstore(ctrl)
 	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)
@@ -122,7 +122,59 @@ func GetMockManipulateIamWithLoginPolicy(ctrl *gomock.Controller) *IAMEventstore
 	return GetMockedEventstore(ctrl, mockEs)
 }
 
-func GetMockManipulateIamNotExisting(ctrl *gomock.Controller) *IAMEventstore {
+func GetMockManipulateIAMWithPasswodComplexityPolicy(ctrl *gomock.Controller) *IAMEventstore {
+	policyData, _ := json.Marshal(model.PasswordComplexityPolicy{MinLength: 10})
+	events := []*es_models.Event{
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMSetupStarted},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.PasswordComplexityPolicyAdded, Data: policyData},
+	}
+	mockEs := mock.NewMockEventstore(ctrl)
+	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)
+	mockEs.EXPECT().AggregateCreator().Return(es_models.NewAggregateCreator("TEST"))
+	mockEs.EXPECT().PushAggregates(gomock.Any(), gomock.Any()).Return(nil)
+	return GetMockedEventstore(ctrl, mockEs)
+}
+
+func GetMockManipulateIAMWithPasswordAgePolicy(ctrl *gomock.Controller) *IAMEventstore {
+	policyData, _ := json.Marshal(model.PasswordAgePolicy{MaxAgeDays: 10, ExpireWarnDays: 10})
+	events := []*es_models.Event{
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMSetupStarted},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.PasswordAgePolicyAdded, Data: policyData},
+	}
+	mockEs := mock.NewMockEventstore(ctrl)
+	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)
+	mockEs.EXPECT().AggregateCreator().Return(es_models.NewAggregateCreator("TEST"))
+	mockEs.EXPECT().PushAggregates(gomock.Any(), gomock.Any()).Return(nil)
+	return GetMockedEventstore(ctrl, mockEs)
+}
+
+func GetMockManipulateIAMWithPasswordLockoutPolicy(ctrl *gomock.Controller) *IAMEventstore {
+	policyData, _ := json.Marshal(model.PasswordLockoutPolicy{MaxAttempts: 10, ShowLockOutFailures: true})
+	events := []*es_models.Event{
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMSetupStarted},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.PasswordLockoutPolicyAdded, Data: policyData},
+	}
+	mockEs := mock.NewMockEventstore(ctrl)
+	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)
+	mockEs.EXPECT().AggregateCreator().Return(es_models.NewAggregateCreator("TEST"))
+	mockEs.EXPECT().PushAggregates(gomock.Any(), gomock.Any()).Return(nil)
+	return GetMockedEventstore(ctrl, mockEs)
+}
+
+func GetMockManipulateIAMWithOrgIAMPolicy(ctrl *gomock.Controller) *IAMEventstore {
+	policyData, _ := json.Marshal(model.OrgIAMPolicy{UserLoginMustBeDomain: true})
+	events := []*es_models.Event{
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMSetupStarted},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.OrgIAMPolicyAdded, Data: policyData},
+	}
+	mockEs := mock.NewMockEventstore(ctrl)
+	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)
+	mockEs.EXPECT().AggregateCreator().Return(es_models.NewAggregateCreator("TEST"))
+	mockEs.EXPECT().PushAggregates(gomock.Any(), gomock.Any()).Return(nil)
+	return GetMockedEventstore(ctrl, mockEs)
+}
+
+func GetMockManipulateIAMNotExisting(ctrl *gomock.Controller) *IAMEventstore {
 	events := []*es_models.Event{}
 	mockEs := mock.NewMockEventstore(ctrl)
 	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)

internal/iam/repository/eventsourcing/iam.go

@@ -57,6 +57,10 @@ func IAMSetupDoneAggregate(aggCreator *es_models.AggregateCreator, iam *model.IA
 	}
 }
 
+func IAMSetupDoneEvent(ctx context.Context, agg *es_models.Aggregate, iam *model.IAM) (*es_models.Aggregate, error) {
+	return agg.AppendEvent(model.IAMSetupDone, &struct{ Step model.Step }{Step: iam.SetUpDone})
+}
+
 func IAMSetGlobalOrgAggregate(aggCreator *es_models.AggregateCreator, iam *model.IAM, globalOrg string) func(ctx context.Context) (*es_models.Aggregate, error) {
 	return func(ctx context.Context) (*es_models.Aggregate, error) {
 		if globalOrg == "" {
@@ -228,24 +232,22 @@ func OIDCIDPConfigChangedAggregate(aggCreator *es_models.AggregateCreator, exist
 	}
 }
 
-func LoginPolicyAddedAggregate(aggCreator *es_models.AggregateCreator, existing *model.IAM, policy *model.LoginPolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
-	return func(ctx context.Context) (*es_models.Aggregate, error) {
-		if policy == nil {
-			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Smla8", "Errors.Internal")
-		}
-		agg, err := IAMAggregate(ctx, aggCreator, existing)
-		if err != nil {
-			return nil, err
-		}
-		validationQuery := es_models.NewSearchQuery().
-			AggregateTypeFilter(model.IAMAggregate).
-			EventTypesFilter(model.LoginPolicyAdded).
-			AggregateIDFilter(existing.AggregateID)
-
-		validation := checkExistingLoginPolicyValidation()
-		agg.SetPrecondition(validationQuery, validation)
-		return agg.AppendEvent(model.LoginPolicyAdded, policy)
+func LoginPolicyAddedAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, existing *model.IAM, policy *model.LoginPolicy) (*es_models.Aggregate, error) {
+	if policy == nil {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Smla8", "Errors.Internal")
 	}
+	agg, err := IAMAggregate(ctx, aggCreator, existing)
+	if err != nil {
+		return nil, err
+	}
+	validationQuery := es_models.NewSearchQuery().
+		AggregateTypeFilter(model.IAMAggregate).
+		EventTypesFilter(model.LoginPolicyAdded).
+		AggregateIDFilter(existing.AggregateID)
+
+	validation := checkExistingLoginPolicyValidation()
+	agg.SetPrecondition(validationQuery, validation)
+	return agg.AppendEvent(model.LoginPolicyAdded, policy)
 }
 
 func LoginPolicyChangedAggregate(aggCreator *es_models.AggregateCreator, existing *model.IAM, policy *model.LoginPolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
@@ -295,6 +297,146 @@ func LoginPolicyIDPProviderRemovedAggregate(ctx context.Context, aggCreator *es_
 	return agg.AppendEvent(model.LoginPolicyIDPProviderRemoved, provider)
 }
 
+func PasswordComplexityPolicyAddedAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, existing *model.IAM, policy *model.PasswordComplexityPolicy) (*es_models.Aggregate, error) {
+	if policy == nil {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Smla8", "Errors.Internal")
+	}
+	agg, err := IAMAggregate(ctx, aggCreator, existing)
+	if err != nil {
+		return nil, err
+	}
+	validationQuery := es_models.NewSearchQuery().
+		AggregateTypeFilter(model.IAMAggregate).
+		EventTypesFilter(model.PasswordComplexityPolicyAdded).
+		AggregateIDFilter(existing.AggregateID)
+
+	validation := checkExistingPasswordComplexityPolicyValidation()
+	agg.SetPrecondition(validationQuery, validation)
+	return agg.AppendEvent(model.PasswordComplexityPolicyAdded, policy)
+}
+
+func PasswordComplexityPolicyChangedAggregate(aggCreator *es_models.AggregateCreator, existing *model.IAM, policy *model.PasswordComplexityPolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if policy == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Mlco9", "Errors.Internal")
+		}
+		agg, err := IAMAggregate(ctx, aggCreator, existing)
+		if err != nil {
+			return nil, err
+		}
+		changes := existing.DefaultPasswordComplexityPolicy.Changes(policy)
+		if len(changes) == 0 {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Smk8d", "Errors.NoChangesFound")
+		}
+		return agg.AppendEvent(model.PasswordComplexityPolicyChanged, changes)
+	}
+}
+
+func PasswordAgePolicyAddedAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, existing *model.IAM, policy *model.PasswordAgePolicy) (*es_models.Aggregate, error) {
+	if policy == nil {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-T7sui", "Errors.Internal")
+	}
+	agg, err := IAMAggregate(ctx, aggCreator, existing)
+	if err != nil {
+		return nil, err
+	}
+	validationQuery := es_models.NewSearchQuery().
+		AggregateTypeFilter(model.IAMAggregate).
+		EventTypesFilter(model.PasswordAgePolicyAdded).
+		AggregateIDFilter(existing.AggregateID)
+
+	validation := checkExistingPasswordAgePolicyValidation()
+	agg.SetPrecondition(validationQuery, validation)
+	return agg.AppendEvent(model.PasswordAgePolicyAdded, policy)
+}
+
+func PasswordAgePolicyChangedAggregate(aggCreator *es_models.AggregateCreator, existing *model.IAM, policy *model.PasswordAgePolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if policy == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-3Gs0o", "Errors.Internal")
+		}
+		agg, err := IAMAggregate(ctx, aggCreator, existing)
+		if err != nil {
+			return nil, err
+		}
+		changes := existing.DefaultPasswordAgePolicy.Changes(policy)
+		if len(changes) == 0 {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-3Wdos", "Errors.NoChangesFound")
+		}
+		return agg.AppendEvent(model.PasswordAgePolicyChanged, changes)
+	}
+}
+
+func PasswordLockoutPolicyAddedAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, existing *model.IAM, policy *model.PasswordLockoutPolicy) (*es_models.Aggregate, error) {
+	if policy == nil {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-w5Tds", "Errors.Internal")
+	}
+	agg, err := IAMAggregate(ctx, aggCreator, existing)
+	if err != nil {
+		return nil, err
+	}
+	validationQuery := es_models.NewSearchQuery().
+		AggregateTypeFilter(model.IAMAggregate).
+		EventTypesFilter(model.PasswordLockoutPolicyAdded).
+		AggregateIDFilter(existing.AggregateID)
+
+	validation := checkExistingPasswordLockoutPolicyValidation()
+	agg.SetPrecondition(validationQuery, validation)
+	return agg.AppendEvent(model.PasswordLockoutPolicyAdded, policy)
+}
+
+func PasswordLockoutPolicyChangedAggregate(aggCreator *es_models.AggregateCreator, existing *model.IAM, policy *model.PasswordLockoutPolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if policy == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-2D0fs", "Errors.Internal")
+		}
+		agg, err := IAMAggregate(ctx, aggCreator, existing)
+		if err != nil {
+			return nil, err
+		}
+		changes := existing.DefaultPasswordLockoutPolicy.Changes(policy)
+		if len(changes) == 0 {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-7Hsk9", "Errors.NoChangesFound")
+		}
+		return agg.AppendEvent(model.PasswordLockoutPolicyChanged, changes)
+	}
+}
+
+func OrgIAMPolicyAddedAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, existing *model.IAM, policy *model.OrgIAMPolicy) (*es_models.Aggregate, error) {
+	if policy == nil {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-w5Tds", "Errors.Internal")
+	}
+	agg, err := IAMAggregate(ctx, aggCreator, existing)
+	if err != nil {
+		return nil, err
+	}
+	validationQuery := es_models.NewSearchQuery().
+		AggregateTypeFilter(model.IAMAggregate).
+		EventTypesFilter(model.OrgIAMPolicyAdded).
+		AggregateIDFilter(existing.AggregateID)
+
+	validation := checkExistingOrgIAMPolicyValidation()
+	agg.SetPrecondition(validationQuery, validation)
+	return agg.AppendEvent(model.OrgIAMPolicyAdded, policy)
+}
+
+func OrgIAMPolicyChangedAggregate(aggCreator *es_models.AggregateCreator, existing *model.IAM, policy *model.OrgIAMPolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if policy == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-2D0fs", "Errors.Internal")
+		}
+		agg, err := IAMAggregate(ctx, aggCreator, existing)
+		if err != nil {
+			return nil, err
+		}
+		changes := existing.DefaultOrgIAMPolicy.Changes(policy)
+		if len(changes) == 0 {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-7Hsk9", "Errors.NoChangesFound")
+		}
+		return agg.AppendEvent(model.OrgIAMPolicyChanged, changes)
+	}
+}
+
 func checkExistingLoginPolicyValidation() func(...*es_models.Event) error {
 	return func(events ...*es_models.Event) error {
 		for _, event := range events {
@@ -307,6 +449,54 @@ func checkExistingLoginPolicyValidation() func(...*es_models.Event) error {
 	}
 }
 
+func checkExistingPasswordComplexityPolicyValidation() func(...*es_models.Event) error {
+	return func(events ...*es_models.Event) error {
+		for _, event := range events {
+			switch event.Type {
+			case model.PasswordComplexityPolicyAdded:
+				return errors.ThrowPreconditionFailed(nil, "EVENT-Ski9d", "Errors.IAM.PasswordComplexityPolicy.AlreadyExists")
+			}
+		}
+		return nil
+	}
+}
+
+func checkExistingPasswordAgePolicyValidation() func(...*es_models.Event) error {
+	return func(events ...*es_models.Event) error {
+		for _, event := range events {
+			switch event.Type {
+			case model.PasswordAgePolicyAdded:
+				return errors.ThrowPreconditionFailed(nil, "EVENT-Ski9d", "Errors.IAM.PasswordAgePolicy.AlreadyExists")
+			}
+		}
+		return nil
+	}
+}
+
+func checkExistingPasswordLockoutPolicyValidation() func(...*es_models.Event) error {
+	return func(events ...*es_models.Event) error {
+		for _, event := range events {
+			switch event.Type {
+			case model.PasswordLockoutPolicyAdded:
+				return errors.ThrowPreconditionFailed(nil, "EVENT-Ski9d", "Errors.IAM.PasswordLockoutPolicy.AlreadyExists")
+			}
+		}
+		return nil
+	}
+}
+
+func checkExistingOrgIAMPolicyValidation() func(...*es_models.Event) error {
+	return func(events ...*es_models.Event) error {
+		for _, event := range events {
+			switch event.Type {
+			case model.OrgIAMPolicyAdded:
+				return errors.ThrowPreconditionFailed(nil, "EVENT-bSm8f", "Errors.IAM.OrgIAMPolicy.AlreadyExists")
+			}
+		}
+		return nil
+	}
+}
+
 func checkExistingLoginPolicyIDPProviderValidation(idpConfigID string) func(...*es_models.Event) error {
 	return func(events ...*es_models.Event) error {
 		idpConfigs := make([]*model.IDPConfig, 0)

internal/iam/repository/eventsourcing/iam_test.go

@@ -1158,7 +1158,7 @@ func TestLoginPolicyAddedAggregate(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			agg, err := LoginPolicyAddedAggregate(tt.args.aggCreator, tt.args.existingIAM, tt.args.newPolicy)(tt.args.ctx)
+			agg, err := LoginPolicyAddedAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.existingIAM, tt.args.newPolicy)
 
 			if !tt.res.wantErr && len(agg.Events) != tt.res.eventLen {
 				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
@@ -1467,3 +1467,779 @@ func TestLoginPolicyIdpProviderRemovedAggregate(t *testing.T) {
 		})
 	}
 }
+
+func TestPasswordComplexityPolicyAddedAggregate(t *testing.T) {
+	type args struct {
+		ctx         context.Context
+		existingIAM *model.IAM
+		newPolicy   *model.PasswordComplexityPolicy
+		aggCreator  *models.AggregateCreator
+	}
+	type res struct {
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "add password complexity policy",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{
+					ObjectRoot:   models.ObjectRoot{AggregateID: "AggregateID"},
+					IAMProjectID: "IAMProjectID"},
+				newPolicy: &model.PasswordComplexityPolicy{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					MinLength:  10,
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.PasswordComplexityPolicyAdded},
+			},
+		},
+		{
+			name: "existing iam nil",
+			args: args{
+				ctx:         authz.NewMockContext("orgID", "userID"),
+				existingIAM: nil,
+				aggCreator:  models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "complexity policy config nil",
+			args: args{
+				ctx:         authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}, IAMProjectID: "IAMProjectID"},
+				newPolicy:   nil,
+				aggCreator:  models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			agg, err := PasswordComplexityPolicyAddedAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.existingIAM, tt.args.newPolicy)
+
+			if !tt.res.wantErr && len(agg.Events) != tt.res.eventLen {
+				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
+			}
+			for i := 0; i < tt.res.eventLen; i++ {
+				if !tt.res.wantErr && agg.Events[i].Type != tt.res.eventTypes[i] {
+					t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+				}
+				if !tt.res.wantErr && agg.Events[i].Data == nil {
+					t.Errorf("should have data in event")
+				}
+			}
+
+			if tt.res.wantErr && !tt.res.errFunc(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+		})
+	}
+}
+
+func TestPasswordComplexityPolicyChangedAggregate(t *testing.T) {
+	type args struct {
+		ctx         context.Context
+		existingIAM *model.IAM
+		newPolicy   *model.PasswordComplexityPolicy
+		aggCreator  *models.AggregateCreator
+	}
+	type res struct {
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "change password complexity policy",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{
+					ObjectRoot:   models.ObjectRoot{AggregateID: "AggregateID"},
+					IAMProjectID: "IAMProjectID",
+					DefaultPasswordComplexityPolicy: &model.PasswordComplexityPolicy{
+						MinLength: 10,
+					}},
+				newPolicy: &model.PasswordComplexityPolicy{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					MinLength:  5,
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.PasswordComplexityPolicyChanged},
+			},
+		},
+		{
+			name: "no changes",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{
+					ObjectRoot:   models.ObjectRoot{AggregateID: "AggregateID"},
+					IAMProjectID: "IAMProjectID",
+					DefaultPasswordComplexityPolicy: &model.PasswordComplexityPolicy{
+						MinLength: 10,
+					}},
+				newPolicy: &model.PasswordComplexityPolicy{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					MinLength:  10,
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "existing iam nil",
+			args: args{
+				ctx:         authz.NewMockContext("orgID", "userID"),
+				existingIAM: nil,
+				aggCreator:  models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "complexity policy config nil",
+			args: args{
+				ctx:         authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}, IAMProjectID: "IAMProjectID"},
+				newPolicy:   nil,
+				aggCreator:  models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			agg, err := PasswordComplexityPolicyChangedAggregate(tt.args.aggCreator, tt.args.existingIAM, tt.args.newPolicy)(tt.args.ctx)
+
+			if !tt.res.wantErr && len(agg.Events) != tt.res.eventLen {
+				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
+			}
+			for i := 0; i < tt.res.eventLen; i++ {
+				if !tt.res.wantErr && agg.Events[i].Type != tt.res.eventTypes[i] {
+					t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+				}
+				if !tt.res.wantErr && agg.Events[i].Data == nil {
+					t.Errorf("should have data in event")
+				}
+			}
+
+			if tt.res.wantErr && !tt.res.errFunc(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+		})
+	}
+}
+
+func TestPasswordAgePolicyAddedAggregate(t *testing.T) {
+	type args struct {
+		ctx         context.Context
+		existingIAM *model.IAM
+		newPolicy   *model.PasswordAgePolicy
+		aggCreator  *models.AggregateCreator
+	}
+	type res struct {
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "add password age policy",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{
+					ObjectRoot:   models.ObjectRoot{AggregateID: "AggregateID"},
+					IAMProjectID: "IAMProjectID"},
+				newPolicy: &model.PasswordAgePolicy{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					MaxAgeDays: 10,
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.PasswordAgePolicyAdded},
+			},
+		},
+		{
+			name: "existing iam nil",
+			args: args{
+				ctx:         authz.NewMockContext("orgID", "userID"),
+				existingIAM: nil,
+				aggCreator:  models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "age policy config nil",
+			args: args{
+				ctx:         authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}, IAMProjectID: "IAMProjectID"},
+				newPolicy:   nil,
+				aggCreator:  models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			agg, err := PasswordAgePolicyAddedAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.existingIAM, tt.args.newPolicy)
+
+			if !tt.res.wantErr && len(agg.Events) != tt.res.eventLen {
+				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
+			}
+			for i := 0; i < tt.res.eventLen; i++ {
+				if !tt.res.wantErr && agg.Events[i].Type != tt.res.eventTypes[i] {
+					t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+				}
+				if !tt.res.wantErr && agg.Events[i].Data == nil {
+					t.Errorf("should have data in event")
+				}
+			}
+
+			if tt.res.wantErr && !tt.res.errFunc(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+		})
+	}
+}
+
+func TestPasswordAgePolicyChangedAggregate(t *testing.T) {
+	type args struct {
+		ctx         context.Context
+		existingIAM *model.IAM
+		newPolicy   *model.PasswordAgePolicy
+		aggCreator  *models.AggregateCreator
+	}
+	type res struct {
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "change password age policy",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{
+					ObjectRoot:   models.ObjectRoot{AggregateID: "AggregateID"},
+					IAMProjectID: "IAMProjectID",
+					DefaultPasswordAgePolicy: &model.PasswordAgePolicy{
+						MaxAgeDays: 10,
+					}},
+				newPolicy: &model.PasswordAgePolicy{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					MaxAgeDays: 5,
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.PasswordAgePolicyChanged},
+			},
+		},
+		{
+			name: "no changes",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{
+					ObjectRoot:   models.ObjectRoot{AggregateID: "AggregateID"},
+					IAMProjectID: "IAMProjectID",
+					DefaultPasswordAgePolicy: &model.PasswordAgePolicy{
+						MaxAgeDays: 10,
+					}},
+				newPolicy: &model.PasswordAgePolicy{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					MaxAgeDays: 10,
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "existing iam nil",
+			args: args{
+				ctx:         authz.NewMockContext("orgID", "userID"),
+				existingIAM: nil,
+				aggCreator:  models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "age policy config nil",
+			args: args{
+				ctx:         authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}, IAMProjectID: "IAMProjectID"},
+				newPolicy:   nil,
+				aggCreator:  models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			agg, err := PasswordAgePolicyChangedAggregate(tt.args.aggCreator, tt.args.existingIAM, tt.args.newPolicy)(tt.args.ctx)
+
+			if !tt.res.wantErr && len(agg.Events) != tt.res.eventLen {
+				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
+			}
+			for i := 0; i < tt.res.eventLen; i++ {
+				if !tt.res.wantErr && agg.Events[i].Type != tt.res.eventTypes[i] {
+					t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+				}
+				if !tt.res.wantErr && agg.Events[i].Data == nil {
+					t.Errorf("should have data in event")
+				}
+			}
+
+			if tt.res.wantErr && !tt.res.errFunc(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+		})
+	}
+}
+
+func TestPasswordLockoutPolicyAddedAggregate(t *testing.T) {
+	type args struct {
+		ctx         context.Context
+		existingIAM *model.IAM
+		newPolicy   *model.PasswordLockoutPolicy
+		aggCreator  *models.AggregateCreator
+	}
+	type res struct {
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "add password lockout policy",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{
+					ObjectRoot:   models.ObjectRoot{AggregateID: "AggregateID"},
+					IAMProjectID: "IAMProjectID"},
+				newPolicy: &model.PasswordLockoutPolicy{
+					ObjectRoot:  models.ObjectRoot{AggregateID: "AggregateID"},
+					MaxAttempts: 10,
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.PasswordLockoutPolicyAdded},
+			},
+		},
+		{
+			name: "existing iam nil",
+			args: args{
+				ctx:         authz.NewMockContext("orgID", "userID"),
+				existingIAM: nil,
+				aggCreator:  models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "lockout policy config nil",
+			args: args{
+				ctx:         authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}, IAMProjectID: "IAMProjectID"},
+				newPolicy:   nil,
+				aggCreator:  models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			agg, err := PasswordLockoutPolicyAddedAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.existingIAM, tt.args.newPolicy)
+
+			if !tt.res.wantErr && len(agg.Events) != tt.res.eventLen {
+				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
+			}
+			for i := 0; i < tt.res.eventLen; i++ {
+				if !tt.res.wantErr && agg.Events[i].Type != tt.res.eventTypes[i] {
+					t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+				}
+				if !tt.res.wantErr && agg.Events[i].Data == nil {
+					t.Errorf("should have data in event")
+				}
+			}
+
+			if tt.res.wantErr && !tt.res.errFunc(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+		})
+	}
+}
+
+func TestPasswordLockoutPolicyChangedAggregate(t *testing.T) {
+	type args struct {
+		ctx         context.Context
+		existingIAM *model.IAM
+		newPolicy   *model.PasswordLockoutPolicy
+		aggCreator  *models.AggregateCreator
+	}
+	type res struct {
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "change password lockout policy",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{
+					ObjectRoot:   models.ObjectRoot{AggregateID: "AggregateID"},
+					IAMProjectID: "IAMProjectID",
+					DefaultPasswordLockoutPolicy: &model.PasswordLockoutPolicy{
+						MaxAttempts: 10,
+					}},
+				newPolicy: &model.PasswordLockoutPolicy{
+					ObjectRoot:  models.ObjectRoot{AggregateID: "AggregateID"},
+					MaxAttempts: 5,
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.PasswordLockoutPolicyChanged},
+			},
+		},
+		{
+			name: "no changes",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{
+					ObjectRoot:   models.ObjectRoot{AggregateID: "AggregateID"},
+					IAMProjectID: "IAMProjectID",
+					DefaultPasswordLockoutPolicy: &model.PasswordLockoutPolicy{
+						MaxAttempts: 10,
+					}},
+				newPolicy: &model.PasswordLockoutPolicy{
+					ObjectRoot:  models.ObjectRoot{AggregateID: "AggregateID"},
+					MaxAttempts: 10,
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "existing iam nil",
+			args: args{
+				ctx:         authz.NewMockContext("orgID", "userID"),
+				existingIAM: nil,
+				aggCreator:  models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "lockout policy config nil",
+			args: args{
+				ctx:         authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}, IAMProjectID: "IAMProjectID"},
+				newPolicy:   nil,
+				aggCreator:  models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			agg, err := PasswordLockoutPolicyChangedAggregate(tt.args.aggCreator, tt.args.existingIAM, tt.args.newPolicy)(tt.args.ctx)
+
+			if !tt.res.wantErr && len(agg.Events) != tt.res.eventLen {
+				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
+			}
+			for i := 0; i < tt.res.eventLen; i++ {
+				if !tt.res.wantErr && agg.Events[i].Type != tt.res.eventTypes[i] {
+					t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+				}
+				if !tt.res.wantErr && agg.Events[i].Data == nil {
+					t.Errorf("should have data in event")
+				}
+			}
+
+			if tt.res.wantErr && !tt.res.errFunc(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+		})
+	}
+}
+
+func TestOrgIAMPolicyAddedAggregate(t *testing.T) {
+	type args struct {
+		ctx         context.Context
+		existingIAM *model.IAM
+		newPolicy   *model.OrgIAMPolicy
+		aggCreator  *models.AggregateCreator
+	}
+	type res struct {
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "add org iam policy",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{
+					ObjectRoot:   models.ObjectRoot{AggregateID: "AggregateID"},
+					IAMProjectID: "IAMProjectID"},
+				newPolicy: &model.OrgIAMPolicy{
+					ObjectRoot:            models.ObjectRoot{AggregateID: "AggregateID"},
+					UserLoginMustBeDomain: true,
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.OrgIAMPolicyAdded},
+			},
+		},
+		{
+			name: "existing iam nil",
+			args: args{
+				ctx:         authz.NewMockContext("orgID", "userID"),
+				existingIAM: nil,
+				aggCreator:  models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "lockout policy config nil",
+			args: args{
+				ctx:         authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}, IAMProjectID: "IAMProjectID"},
+				newPolicy:   nil,
+				aggCreator:  models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			agg, err := OrgIAMPolicyAddedAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.existingIAM, tt.args.newPolicy)
+
+			if !tt.res.wantErr && len(agg.Events) != tt.res.eventLen {
+				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
+			}
+			for i := 0; i < tt.res.eventLen; i++ {
+				if !tt.res.wantErr && agg.Events[i].Type != tt.res.eventTypes[i] {
+					t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+				}
+				if !tt.res.wantErr && agg.Events[i].Data == nil {
+					t.Errorf("should have data in event")
+				}
+			}
+
+			if tt.res.wantErr && !tt.res.errFunc(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+		})
+	}
+}
+
+func TestOrgIAMPolicyChangedAggregate(t *testing.T) {
+	type args struct {
+		ctx         context.Context
+		existingIAM *model.IAM
+		newPolicy   *model.OrgIAMPolicy
+		aggCreator  *models.AggregateCreator
+	}
+	type res struct {
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "change org iam policy",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{
+					ObjectRoot:   models.ObjectRoot{AggregateID: "AggregateID"},
+					IAMProjectID: "IAMProjectID",
+					DefaultOrgIAMPolicy: &model.OrgIAMPolicy{
+						UserLoginMustBeDomain: true,
+					}},
+				newPolicy: &model.OrgIAMPolicy{
+					ObjectRoot:            models.ObjectRoot{AggregateID: "AggregateID"},
+					UserLoginMustBeDomain: false,
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.OrgIAMPolicyChanged},
+			},
+		},
+		{
+			name: "no changes",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{
+					ObjectRoot:   models.ObjectRoot{AggregateID: "AggregateID"},
+					IAMProjectID: "IAMProjectID",
+					DefaultOrgIAMPolicy: &model.OrgIAMPolicy{
+						UserLoginMustBeDomain: true,
+					}},
+				newPolicy: &model.OrgIAMPolicy{
+					ObjectRoot:            models.ObjectRoot{AggregateID: "AggregateID"},
+					UserLoginMustBeDomain: true,
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "existing iam nil",
+			args: args{
+				ctx:         authz.NewMockContext("orgID", "userID"),
+				existingIAM: nil,
+				aggCreator:  models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "org iam policy config nil",
+			args: args{
+				ctx:         authz.NewMockContext("orgID", "userID"),
+				existingIAM: &model.IAM{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}, IAMProjectID: "IAMProjectID"},
+				newPolicy:   nil,
+				aggCreator:  models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			agg, err := OrgIAMPolicyChangedAggregate(tt.args.aggCreator, tt.args.existingIAM, tt.args.newPolicy)(tt.args.ctx)
+
+			if !tt.res.wantErr && len(agg.Events) != tt.res.eventLen {
+				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
+			}
+			for i := 0; i < tt.res.eventLen; i++ {
+				if !tt.res.wantErr && agg.Events[i].Type != tt.res.eventTypes[i] {
+					t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+				}
+				if !tt.res.wantErr && agg.Events[i].Data == nil {
+					t.Errorf("should have data in event")
+				}
+			}
+
+			if tt.res.wantErr && !tt.res.errFunc(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+		})
+	}
+}

internal/iam/repository/eventsourcing/model/iam.go

@@ -16,21 +16,24 @@ const (
 type Step int
 
 const (
-	Step1 = Step(model.Step1)
-	//TODO: label policy
-	// Step2     = Step(model.Step2)
+	Step1     = Step(model.Step1)
+	Step2     = Step(model.Step2)
 	StepCount = Step(model.StepCount)
 )
 
 type IAM struct {
 	es_models.ObjectRoot
-	SetUpStarted       Step         `json:"-"`
-	SetUpDone          Step         `json:"-"`
-	GlobalOrgID        string       `json:"globalOrgId,omitempty"`
-	IAMProjectID       string       `json:"iamProjectId,omitempty"`
-	Members            []*IAMMember `json:"-"`
-	IDPs               []*IDPConfig `json:"-"`
-	DefaultLoginPolicy *LoginPolicy `json:"-"`
+	SetUpStarted                    Step                      `json:"-"`
+	SetUpDone                       Step                      `json:"-"`
+	GlobalOrgID                     string                    `json:"globalOrgId,omitempty"`
+	IAMProjectID                    string                    `json:"iamProjectId,omitempty"`
+	Members                         []*IAMMember              `json:"-"`
+	IDPs                            []*IDPConfig              `json:"-"`
+	DefaultLoginPolicy              *LoginPolicy              `json:"-"`
+	DefaultOrgIAMPolicy             *OrgIAMPolicy             `json:"-"`
+	DefaultPasswordComplexityPolicy *PasswordComplexityPolicy `json:"-"`
+	DefaultPasswordAgePolicy        *PasswordAgePolicy        `json:"-"`
+	DefaultPasswordLockoutPolicy    *PasswordLockoutPolicy    `json:"-"`
 }
 
 func IAMFromModel(iam *model.IAM) *IAM {
@@ -48,6 +51,18 @@ func IAMFromModel(iam *model.IAM) *IAM {
 	if iam.DefaultLoginPolicy != nil {
 		converted.DefaultLoginPolicy = LoginPolicyFromModel(iam.DefaultLoginPolicy)
 	}
+	if iam.DefaultPasswordComplexityPolicy != nil {
+		converted.DefaultPasswordComplexityPolicy = PasswordComplexityPolicyFromModel(iam.DefaultPasswordComplexityPolicy)
+	}
+	if iam.DefaultPasswordAgePolicy != nil {
+		converted.DefaultPasswordAgePolicy = PasswordAgePolicyFromModel(iam.DefaultPasswordAgePolicy)
+	}
+	if iam.DefaultPasswordLockoutPolicy != nil {
+		converted.DefaultPasswordLockoutPolicy = PasswordLockoutPolicyFromModel(iam.DefaultPasswordLockoutPolicy)
+	}
+	if iam.DefaultOrgIAMPolicy != nil {
+		converted.DefaultOrgIAMPolicy = OrgIAMPolicyFromModel(iam.DefaultOrgIAMPolicy)
+	}
 	return converted
 }
 
@@ -66,6 +81,18 @@ func IAMToModel(iam *IAM) *model.IAM {
 	if iam.DefaultLoginPolicy != nil {
 		converted.DefaultLoginPolicy = LoginPolicyToModel(iam.DefaultLoginPolicy)
 	}
+	if iam.DefaultPasswordComplexityPolicy != nil {
+		converted.DefaultPasswordComplexityPolicy = PasswordComplexityPolicyToModel(iam.DefaultPasswordComplexityPolicy)
+	}
+	if iam.DefaultPasswordAgePolicy != nil {
+		converted.DefaultPasswordAgePolicy = PasswordAgePolicyToModel(iam.DefaultPasswordAgePolicy)
+	}
+	if iam.DefaultPasswordLockoutPolicy != nil {
+		converted.DefaultPasswordLockoutPolicy = PasswordLockoutPolicyToModel(iam.DefaultPasswordLockoutPolicy)
+	}
+	if iam.DefaultOrgIAMPolicy != nil {
+		converted.DefaultOrgIAMPolicy = OrgIAMPolicyToModel(iam.DefaultOrgIAMPolicy)
+	}
 	return converted
 }
 
@@ -134,6 +161,22 @@ func (i *IAM) AppendEvent(event *es_models.Event) (err error) {
 		return i.appendAddIDPProviderToLoginPolicyEvent(event)
 	case LoginPolicyIDPProviderRemoved:
 		return i.appendRemoveIDPProviderFromLoginPolicyEvent(event)
+	case PasswordComplexityPolicyAdded:
+		return i.appendAddPasswordComplexityPolicyEvent(event)
+	case PasswordComplexityPolicyChanged:
+		return i.appendChangePasswordComplexityPolicyEvent(event)
+	case PasswordAgePolicyAdded:
+		return i.appendAddPasswordAgePolicyEvent(event)
+	case PasswordAgePolicyChanged:
+		return i.appendChangePasswordAgePolicyEvent(event)
+	case PasswordLockoutPolicyAdded:
+		return i.appendAddPasswordLockoutPolicyEvent(event)
+	case PasswordLockoutPolicyChanged:
+		return i.appendChangePasswordLockoutPolicyEvent(event)
+	case OrgIAMPolicyAdded:
+		return i.appendAddOrgIAMPolicyEvent(event)
+	case OrgIAMPolicyChanged:
+		return i.appendChangeOrgIAMPolicyEvent(event)
 	}
 
 	return err

internal/iam/repository/eventsourcing/model/org_iam_policy.go

@@ -0,0 +1,63 @@
+package model
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+)
+
+type OrgIAMPolicy struct {
+	models.ObjectRoot
+
+	State                 int32 `json:"-"`
+	UserLoginMustBeDomain bool  `json:"userLoginMustBeDomain"`
+}
+
+func OrgIAMPolicyFromModel(policy *iam_model.OrgIAMPolicy) *OrgIAMPolicy {
+	return &OrgIAMPolicy{
+		ObjectRoot:            policy.ObjectRoot,
+		State:                 int32(policy.State),
+		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
+	}
+}
+
+func OrgIAMPolicyToModel(policy *OrgIAMPolicy) *iam_model.OrgIAMPolicy {
+	return &iam_model.OrgIAMPolicy{
+		ObjectRoot:            policy.ObjectRoot,
+		State:                 iam_model.PolicyState(policy.State),
+		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
+	}
+}
+
+func (p *OrgIAMPolicy) Changes(changed *OrgIAMPolicy) map[string]interface{} {
+	changes := make(map[string]interface{}, 1)
+
+	if p.UserLoginMustBeDomain != changed.UserLoginMustBeDomain {
+		changes["userLoginMustBeDomain"] = changed.UserLoginMustBeDomain
+	}
+	return changes
+}
+
+func (i *IAM) appendAddOrgIAMPolicyEvent(event *es_models.Event) error {
+	i.DefaultOrgIAMPolicy = new(OrgIAMPolicy)
+	err := i.DefaultOrgIAMPolicy.SetData(event)
+	if err != nil {
+		return err
+	}
+	i.DefaultOrgIAMPolicy.ObjectRoot.CreationDate = event.CreationDate
+	return nil
+}
+
+func (i *IAM) appendChangeOrgIAMPolicyEvent(event *es_models.Event) error {
+	return i.DefaultOrgIAMPolicy.SetData(event)
+}
+
+func (p *OrgIAMPolicy) SetData(event *es_models.Event) error {
+	err := json.Unmarshal(event.Data, p)
+	if err != nil {
+		return errors.ThrowInternal(err, "EVENT-7JS9d", "unable to unmarshal data")
+	}
+	return nil
+}

internal/iam/repository/eventsourcing/model/org_iam_policy_test.go

@@ -0,0 +1,125 @@
+package model
+
+import (
+	"encoding/json"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"testing"
+)
+
+func TestOrgIAMPolicyChanges(t *testing.T) {
+	type args struct {
+		existing *OrgIAMPolicy
+		new      *OrgIAMPolicy
+	}
+	type res struct {
+		changesLen int
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "org iam policy all attributes change",
+			args: args{
+				existing: &OrgIAMPolicy{UserLoginMustBeDomain: true},
+				new:      &OrgIAMPolicy{UserLoginMustBeDomain: false},
+			},
+			res: res{
+				changesLen: 1,
+			},
+		},
+		{
+			name: "no changes",
+			args: args{
+				existing: &OrgIAMPolicy{UserLoginMustBeDomain: true},
+				new:      &OrgIAMPolicy{UserLoginMustBeDomain: true},
+			},
+			res: res{
+				changesLen: 0,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			changes := tt.args.existing.Changes(tt.args.new)
+			if len(changes) != tt.res.changesLen {
+				t.Errorf("got wrong changes len: expected: %v, actual: %v ", tt.res.changesLen, len(changes))
+			}
+		})
+	}
+}
+
+func TestAppendAddOrgIAMPolicyEvent(t *testing.T) {
+	type args struct {
+		iam    *IAM
+		policy *OrgIAMPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append add org iam policy event",
+			args: args{
+				iam:    new(IAM),
+				policy: &OrgIAMPolicy{UserLoginMustBeDomain: true},
+				event:  new(es_models.Event),
+			},
+			result: &IAM{DefaultOrgIAMPolicy: &OrgIAMPolicy{UserLoginMustBeDomain: true}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendAddOrgIAMPolicyEvent(tt.args.event)
+			if tt.result.DefaultOrgIAMPolicy.UserLoginMustBeDomain != tt.args.iam.DefaultOrgIAMPolicy.UserLoginMustBeDomain {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultOrgIAMPolicy.UserLoginMustBeDomain, tt.args.iam.DefaultOrgIAMPolicy.UserLoginMustBeDomain)
+			}
+		})
+	}
+}
+
+func TestAppendChangeOrgIAMPolicyEvent(t *testing.T) {
+	type args struct {
+		iam    *IAM
+		policy *OrgIAMPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append change org iam policy event",
+			args: args{
+				iam: &IAM{DefaultOrgIAMPolicy: &OrgIAMPolicy{
+					UserLoginMustBeDomain: true,
+				}},
+				policy: &OrgIAMPolicy{UserLoginMustBeDomain: false},
+				event:  &es_models.Event{},
+			},
+			result: &IAM{DefaultOrgIAMPolicy: &OrgIAMPolicy{
+				UserLoginMustBeDomain: false,
+			}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendChangeOrgIAMPolicyEvent(tt.args.event)
+			if tt.result.DefaultOrgIAMPolicy.UserLoginMustBeDomain != tt.args.iam.DefaultOrgIAMPolicy.UserLoginMustBeDomain {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultOrgIAMPolicy.UserLoginMustBeDomain, tt.args.iam.DefaultOrgIAMPolicy.UserLoginMustBeDomain)
+			}
+		})
+	}
+}

internal/iam/repository/eventsourcing/model/password_age_policy.go

@@ -0,0 +1,69 @@
+package model
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+)
+
+type PasswordAgePolicy struct {
+	models.ObjectRoot
+
+	State          int32  `json:"-"`
+	MaxAgeDays     uint64 `json:"maxAgeDays"`
+	ExpireWarnDays uint64 `json:"expireWarnDays"`
+}
+
+func PasswordAgePolicyFromModel(policy *iam_model.PasswordAgePolicy) *PasswordAgePolicy {
+	return &PasswordAgePolicy{
+		ObjectRoot:     policy.ObjectRoot,
+		State:          int32(policy.State),
+		MaxAgeDays:     policy.MaxAgeDays,
+		ExpireWarnDays: policy.ExpireWarnDays,
+	}
+}
+
+func PasswordAgePolicyToModel(policy *PasswordAgePolicy) *iam_model.PasswordAgePolicy {
+	return &iam_model.PasswordAgePolicy{
+		ObjectRoot:     policy.ObjectRoot,
+		State:          iam_model.PolicyState(policy.State),
+		MaxAgeDays:     policy.MaxAgeDays,
+		ExpireWarnDays: policy.ExpireWarnDays,
+	}
+}
+
+func (p *PasswordAgePolicy) Changes(changed *PasswordAgePolicy) map[string]interface{} {
+	changes := make(map[string]interface{}, 1)
+
+	if p.MaxAgeDays != changed.MaxAgeDays {
+		changes["maxAgeDays"] = changed.MaxAgeDays
+	}
+	if p.ExpireWarnDays != changed.ExpireWarnDays {
+		changes["expireWarnDays"] = changed.ExpireWarnDays
+	}
+	return changes
+}
+
+func (i *IAM) appendAddPasswordAgePolicyEvent(event *es_models.Event) error {
+	i.DefaultPasswordAgePolicy = new(PasswordAgePolicy)
+	err := i.DefaultPasswordAgePolicy.SetData(event)
+	if err != nil {
+		return err
+	}
+	i.DefaultPasswordAgePolicy.ObjectRoot.CreationDate = event.CreationDate
+	return nil
+}
+
+func (i *IAM) appendChangePasswordAgePolicyEvent(event *es_models.Event) error {
+	return i.DefaultPasswordAgePolicy.SetData(event)
+}
+
+func (p *PasswordAgePolicy) SetData(event *es_models.Event) error {
+	err := json.Unmarshal(event.Data, p)
+	if err != nil {
+		return errors.ThrowInternal(err, "EVENT-7JS9d", "unable to unmarshal data")
+	}
+	return nil
+}

internal/iam/repository/eventsourcing/model/password_age_policy_test.go

@@ -0,0 +1,128 @@
+package model
+
+import (
+	"encoding/json"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"testing"
+)
+
+func TestPasswordAgePolicyChanges(t *testing.T) {
+	type args struct {
+		existing *PasswordAgePolicy
+		new      *PasswordAgePolicy
+	}
+	type res struct {
+		changesLen int
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "age policy all attributes change",
+			args: args{
+				existing: &PasswordAgePolicy{MaxAgeDays: 365, ExpireWarnDays: 5},
+				new:      &PasswordAgePolicy{MaxAgeDays: 730, ExpireWarnDays: 10},
+			},
+			res: res{
+				changesLen: 2,
+			},
+		},
+		{
+			name: "no changes",
+			args: args{
+				existing: &PasswordAgePolicy{MaxAgeDays: 10, ExpireWarnDays: 10},
+				new:      &PasswordAgePolicy{MaxAgeDays: 10, ExpireWarnDays: 10},
+			},
+			res: res{
+				changesLen: 0,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			changes := tt.args.existing.Changes(tt.args.new)
+			if len(changes) != tt.res.changesLen {
+				t.Errorf("got wrong changes len: expected: %v, actual: %v ", tt.res.changesLen, len(changes))
+			}
+		})
+	}
+}
+
+func TestAppendAddPasswordAgePolicyEvent(t *testing.T) {
+	type args struct {
+		iam    *IAM
+		policy *PasswordAgePolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append add password age policy event",
+			args: args{
+				iam:    new(IAM),
+				policy: &PasswordAgePolicy{MaxAgeDays: 10, ExpireWarnDays: 10},
+				event:  new(es_models.Event),
+			},
+			result: &IAM{DefaultPasswordAgePolicy: &PasswordAgePolicy{MaxAgeDays: 10, ExpireWarnDays: 10}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendAddPasswordAgePolicyEvent(tt.args.event)
+			if tt.result.DefaultPasswordAgePolicy.MaxAgeDays != tt.args.iam.DefaultPasswordAgePolicy.MaxAgeDays {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordAgePolicy.MaxAgeDays, tt.args.iam.DefaultPasswordAgePolicy.MaxAgeDays)
+			}
+			if tt.result.DefaultPasswordAgePolicy.ExpireWarnDays != tt.args.iam.DefaultPasswordAgePolicy.ExpireWarnDays {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordAgePolicy.ExpireWarnDays, tt.args.iam.DefaultPasswordAgePolicy.ExpireWarnDays)
+			}
+		})
+	}
+}
+
+func TestAppendChangePasswordAgePolicyEvent(t *testing.T) {
+	type args struct {
+		iam    *IAM
+		policy *PasswordAgePolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append change password age policy event",
+			args: args{
+				iam: &IAM{DefaultPasswordAgePolicy: &PasswordAgePolicy{
+					MaxAgeDays: 10,
+				}},
+				policy: &PasswordAgePolicy{MaxAgeDays: 5},
+				event:  &es_models.Event{},
+			},
+			result: &IAM{DefaultPasswordAgePolicy: &PasswordAgePolicy{
+				MaxAgeDays: 5,
+			}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendChangePasswordAgePolicyEvent(tt.args.event)
+			if tt.result.DefaultPasswordAgePolicy.MaxAgeDays != tt.args.iam.DefaultPasswordAgePolicy.MaxAgeDays {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordAgePolicy.MaxAgeDays, tt.args.iam.DefaultPasswordAgePolicy.MaxAgeDays)
+			}
+		})
+	}
+}

internal/iam/repository/eventsourcing/model/password_complexity_policy.go

@@ -1,22 +1,16 @@
-package eventsourcing
+package model
 
 import (
 	"encoding/json"
-
-	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore/models"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
-	"github.com/caos/zitadel/internal/policy/model"
-)
-
-const (
-	policyComplexityVersion = "v1"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
 )
 
 type PasswordComplexityPolicy struct {
 	models.ObjectRoot
 
-	Description  string `json:"description,omitempty"`
 	State        int32  `json:"-"`
 	MinLength    uint64 `json:"minLength"`
 	HasLowercase bool   `json:"hasLowercase"`
@@ -25,11 +19,33 @@ type PasswordComplexityPolicy struct {
 	HasSymbol    bool   `json:"hasSymbol"`
 }
 
-func (p *PasswordComplexityPolicy) ComplexityChanges(changed *PasswordComplexityPolicy) map[string]interface{} {
-	changes := make(map[string]interface{}, 1)
-	if changed.Description != "" && p.Description != changed.Description {
-		changes["description"] = changed.Description
+func PasswordComplexityPolicyFromModel(policy *iam_model.PasswordComplexityPolicy) *PasswordComplexityPolicy {
+	return &PasswordComplexityPolicy{
+		ObjectRoot:   policy.ObjectRoot,
+		State:        int32(policy.State),
+		MinLength:    policy.MinLength,
+		HasLowercase: policy.HasLowercase,
+		HasUppercase: policy.HasUppercase,
+		HasNumber:    policy.HasNumber,
+		HasSymbol:    policy.HasSymbol,
 	}
+}
+
+func PasswordComplexityPolicyToModel(policy *PasswordComplexityPolicy) *iam_model.PasswordComplexityPolicy {
+	return &iam_model.PasswordComplexityPolicy{
+		ObjectRoot:   policy.ObjectRoot,
+		State:        iam_model.PolicyState(policy.State),
+		MinLength:    policy.MinLength,
+		HasLowercase: policy.HasLowercase,
+		HasUppercase: policy.HasUppercase,
+		HasNumber:    policy.HasNumber,
+		HasSymbol:    policy.HasSymbol,
+	}
+}
+
+func (p *PasswordComplexityPolicy) Changes(changed *PasswordComplexityPolicy) map[string]interface{} {
+	changes := make(map[string]interface{}, 1)
+
 	if p.MinLength != changed.MinLength {
 		changes["minLength"] = changed.MinLength
 	}
@@ -48,51 +64,24 @@ func (p *PasswordComplexityPolicy) ComplexityChanges(changed *PasswordComplexity
 	return changes
 }
 
-func PasswordComplexityPolicyFromModel(policy *model.PasswordComplexityPolicy) *PasswordComplexityPolicy {
-	return &PasswordComplexityPolicy{
-		ObjectRoot:   policy.ObjectRoot,
-		Description:  policy.Description,
-		State:        int32(policy.State),
-		MinLength:    policy.MinLength,
-		HasLowercase: policy.HasLowercase,
-		HasUppercase: policy.HasUppercase,
-		HasNumber:    policy.HasNumber,
-		HasSymbol:    policy.HasSymbol,
-	}
-}
-
-func PasswordComplexityPolicyToModel(policy *PasswordComplexityPolicy) *model.PasswordComplexityPolicy {
-	return &model.PasswordComplexityPolicy{
-		ObjectRoot:   policy.ObjectRoot,
-		Description:  policy.Description,
-		State:        model.PolicyState(policy.State),
-		MinLength:    policy.MinLength,
-		HasLowercase: policy.HasLowercase,
-		HasUppercase: policy.HasUppercase,
-		HasNumber:    policy.HasNumber,
-		HasSymbol:    policy.HasSymbol,
-	}
-}
-
-func (p *PasswordComplexityPolicy) AppendEvents(events ...*es_models.Event) error {
-	for _, event := range events {
-		if err := p.AppendEvent(event); err != nil {
-			return err
-		}
+func (i *IAM) appendAddPasswordComplexityPolicyEvent(event *es_models.Event) error {
+	i.DefaultPasswordComplexityPolicy = new(PasswordComplexityPolicy)
+	err := i.DefaultPasswordComplexityPolicy.SetData(event)
+	if err != nil {
+		return err
 	}
+	i.DefaultPasswordComplexityPolicy.ObjectRoot.CreationDate = event.CreationDate
 	return nil
 }
 
-func (p *PasswordComplexityPolicy) AppendEvent(event *es_models.Event) error {
-	p.ObjectRoot.AppendEvent(event)
+func (i *IAM) appendChangePasswordComplexityPolicyEvent(event *es_models.Event) error {
+	return i.DefaultPasswordComplexityPolicy.SetData(event)
+}
 
-	switch event.Type {
-	case model.PasswordComplexityPolicyAdded, model.PasswordComplexityPolicyChanged:
-		if err := json.Unmarshal(event.Data, p); err != nil {
-			logging.Log("EVEN-idl93").WithError(err).Error("could not unmarshal event data")
-			return err
-		}
-		return nil
+func (p *PasswordComplexityPolicy) SetData(event *es_models.Event) error {
+	err := json.Unmarshal(event.Data, p)
+	if err != nil {
+		return errors.ThrowInternal(err, "EVENT-7JS9d", "unable to unmarshal data")
 	}
 	return nil
 }

internal/iam/repository/eventsourcing/model/password_complexity_policy_test.go

@@ -0,0 +1,137 @@
+package model
+
+import (
+	"encoding/json"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"testing"
+)
+
+func TestPasswordComplexityPolicyChanges(t *testing.T) {
+	type args struct {
+		existing *PasswordComplexityPolicy
+		new      *PasswordComplexityPolicy
+	}
+	type res struct {
+		changesLen int
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "loginpolicy all attributes change",
+			args: args{
+				existing: &PasswordComplexityPolicy{MinLength: 10, HasUppercase: true, HasLowercase: true, HasNumber: true, HasSymbol: true},
+				new:      &PasswordComplexityPolicy{MinLength: 5, HasUppercase: false, HasLowercase: false, HasNumber: false, HasSymbol: false},
+			},
+			res: res{
+				changesLen: 5,
+			},
+		},
+		{
+			name: "no changes",
+			args: args{
+				existing: &PasswordComplexityPolicy{MinLength: 10, HasUppercase: true, HasLowercase: true, HasNumber: true, HasSymbol: true},
+				new:      &PasswordComplexityPolicy{MinLength: 10, HasUppercase: true, HasLowercase: true, HasNumber: true, HasSymbol: true},
+			},
+			res: res{
+				changesLen: 0,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			changes := tt.args.existing.Changes(tt.args.new)
+			if len(changes) != tt.res.changesLen {
+				t.Errorf("got wrong changes len: expected: %v, actual: %v ", tt.res.changesLen, len(changes))
+			}
+		})
+	}
+}
+
+func TestAppendAddPasswordComplexityPolicyEvent(t *testing.T) {
+	type args struct {
+		iam    *IAM
+		policy *PasswordComplexityPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append add password complexity policy event",
+			args: args{
+				iam:    new(IAM),
+				policy: &PasswordComplexityPolicy{MinLength: 10, HasUppercase: true, HasLowercase: true, HasNumber: true, HasSymbol: true},
+				event:  new(es_models.Event),
+			},
+			result: &IAM{DefaultPasswordComplexityPolicy: &PasswordComplexityPolicy{MinLength: 10, HasUppercase: true, HasLowercase: true, HasNumber: true, HasSymbol: true}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendAddPasswordComplexityPolicyEvent(tt.args.event)
+			if tt.result.DefaultPasswordComplexityPolicy.MinLength != tt.args.iam.DefaultPasswordComplexityPolicy.MinLength {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordComplexityPolicy.MinLength, tt.args.iam.DefaultPasswordComplexityPolicy.MinLength)
+			}
+			if tt.result.DefaultPasswordComplexityPolicy.HasUppercase != tt.args.iam.DefaultPasswordComplexityPolicy.HasUppercase {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordComplexityPolicy.HasUppercase, tt.args.iam.DefaultPasswordComplexityPolicy.HasUppercase)
+			}
+			if tt.result.DefaultPasswordComplexityPolicy.HasLowercase != tt.args.iam.DefaultPasswordComplexityPolicy.HasLowercase {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordComplexityPolicy.HasLowercase, tt.args.iam.DefaultPasswordComplexityPolicy.HasLowercase)
+			}
+			if tt.result.DefaultPasswordComplexityPolicy.HasNumber != tt.args.iam.DefaultPasswordComplexityPolicy.HasNumber {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordComplexityPolicy.HasNumber, tt.args.iam.DefaultPasswordComplexityPolicy.HasNumber)
+			}
+			if tt.result.DefaultPasswordComplexityPolicy.HasSymbol != tt.args.iam.DefaultPasswordComplexityPolicy.HasSymbol {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordComplexityPolicy.HasSymbol, tt.args.iam.DefaultPasswordComplexityPolicy.HasSymbol)
+			}
+		})
+	}
+}
+
+func TestAppendChangePasswordComplexityPolicyEvent(t *testing.T) {
+	type args struct {
+		iam    *IAM
+		policy *PasswordComplexityPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append change password complexity policy event",
+			args: args{
+				iam: &IAM{DefaultPasswordComplexityPolicy: &PasswordComplexityPolicy{
+					MinLength: 10,
+				}},
+				policy: &PasswordComplexityPolicy{MinLength: 5},
+				event:  &es_models.Event{},
+			},
+			result: &IAM{DefaultPasswordComplexityPolicy: &PasswordComplexityPolicy{
+				MinLength: 5,
+			}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendChangePasswordComplexityPolicyEvent(tt.args.event)
+			if tt.result.DefaultPasswordComplexityPolicy.MinLength != tt.args.iam.DefaultPasswordComplexityPolicy.MinLength {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordComplexityPolicy.MinLength, tt.args.iam.DefaultPasswordComplexityPolicy.MinLength)
+			}
+		})
+	}
+}

internal/iam/repository/eventsourcing/model/password_lockout_policy.go

@@ -0,0 +1,69 @@
+package model
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+)
+
+type PasswordLockoutPolicy struct {
+	models.ObjectRoot
+
+	State               int32  `json:"-"`
+	MaxAttempts         uint64 `json:"maxAttempts"`
+	ShowLockOutFailures bool   `json:"showLockOutFailures"`
+}
+
+func PasswordLockoutPolicyFromModel(policy *iam_model.PasswordLockoutPolicy) *PasswordLockoutPolicy {
+	return &PasswordLockoutPolicy{
+		ObjectRoot:          policy.ObjectRoot,
+		State:               int32(policy.State),
+		MaxAttempts:         policy.MaxAttempts,
+		ShowLockOutFailures: policy.ShowLockOutFailures,
+	}
+}
+
+func PasswordLockoutPolicyToModel(policy *PasswordLockoutPolicy) *iam_model.PasswordLockoutPolicy {
+	return &iam_model.PasswordLockoutPolicy{
+		ObjectRoot:          policy.ObjectRoot,
+		State:               iam_model.PolicyState(policy.State),
+		MaxAttempts:         policy.MaxAttempts,
+		ShowLockOutFailures: policy.ShowLockOutFailures,
+	}
+}
+
+func (p *PasswordLockoutPolicy) Changes(changed *PasswordLockoutPolicy) map[string]interface{} {
+	changes := make(map[string]interface{}, 2)
+
+	if p.MaxAttempts != changed.MaxAttempts {
+		changes["maxAttempts"] = changed.MaxAttempts
+	}
+	if p.ShowLockOutFailures != changed.ShowLockOutFailures {
+		changes["showLockOutFailures"] = changed.ShowLockOutFailures
+	}
+	return changes
+}
+
+func (i *IAM) appendAddPasswordLockoutPolicyEvent(event *es_models.Event) error {
+	i.DefaultPasswordLockoutPolicy = new(PasswordLockoutPolicy)
+	err := i.DefaultPasswordLockoutPolicy.SetData(event)
+	if err != nil {
+		return err
+	}
+	i.DefaultPasswordLockoutPolicy.ObjectRoot.CreationDate = event.CreationDate
+	return nil
+}
+
+func (i *IAM) appendChangePasswordLockoutPolicyEvent(event *es_models.Event) error {
+	return i.DefaultPasswordLockoutPolicy.SetData(event)
+}
+
+func (p *PasswordLockoutPolicy) SetData(event *es_models.Event) error {
+	err := json.Unmarshal(event.Data, p)
+	if err != nil {
+		return errors.ThrowInternal(err, "EVENT-7JS9d", "unable to unmarshal data")
+	}
+	return nil
+}

internal/iam/repository/eventsourcing/model/password_lockout_policy_test.go

@@ -0,0 +1,128 @@
+package model
+
+import (
+	"encoding/json"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"testing"
+)
+
+func TestPasswordLockoutPolicyChanges(t *testing.T) {
+	type args struct {
+		existing *PasswordLockoutPolicy
+		new      *PasswordLockoutPolicy
+	}
+	type res struct {
+		changesLen int
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "lockout policy all attributes change",
+			args: args{
+				existing: &PasswordLockoutPolicy{MaxAttempts: 365, ShowLockOutFailures: true},
+				new:      &PasswordLockoutPolicy{MaxAttempts: 730, ShowLockOutFailures: false},
+			},
+			res: res{
+				changesLen: 2,
+			},
+		},
+		{
+			name: "no changes",
+			args: args{
+				existing: &PasswordLockoutPolicy{MaxAttempts: 10, ShowLockOutFailures: true},
+				new:      &PasswordLockoutPolicy{MaxAttempts: 10, ShowLockOutFailures: true},
+			},
+			res: res{
+				changesLen: 0,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			changes := tt.args.existing.Changes(tt.args.new)
+			if len(changes) != tt.res.changesLen {
+				t.Errorf("got wrong changes len: expected: %v, actual: %v ", tt.res.changesLen, len(changes))
+			}
+		})
+	}
+}
+
+func TestAppendAddPasswordLockoutPolicyEvent(t *testing.T) {
+	type args struct {
+		iam    *IAM
+		policy *PasswordLockoutPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append add password lockout policy event",
+			args: args{
+				iam:    new(IAM),
+				policy: &PasswordLockoutPolicy{MaxAttempts: 10, ShowLockOutFailures: true},
+				event:  new(es_models.Event),
+			},
+			result: &IAM{DefaultPasswordLockoutPolicy: &PasswordLockoutPolicy{MaxAttempts: 10, ShowLockOutFailures: true}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendAddPasswordLockoutPolicyEvent(tt.args.event)
+			if tt.result.DefaultPasswordLockoutPolicy.MaxAttempts != tt.args.iam.DefaultPasswordLockoutPolicy.MaxAttempts {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordLockoutPolicy.MaxAttempts, tt.args.iam.DefaultPasswordLockoutPolicy.MaxAttempts)
+			}
+			if tt.result.DefaultPasswordLockoutPolicy.ShowLockOutFailures != tt.args.iam.DefaultPasswordLockoutPolicy.ShowLockOutFailures {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordLockoutPolicy.ShowLockOutFailures, tt.args.iam.DefaultPasswordLockoutPolicy.ShowLockOutFailures)
+			}
+		})
+	}
+}
+
+func TestAppendChangePasswordLockoutPolicyEvent(t *testing.T) {
+	type args struct {
+		iam    *IAM
+		policy *PasswordLockoutPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *IAM
+	}{
+		{
+			name: "append change password lockout policy event",
+			args: args{
+				iam: &IAM{DefaultPasswordLockoutPolicy: &PasswordLockoutPolicy{
+					MaxAttempts: 10,
+				}},
+				policy: &PasswordLockoutPolicy{MaxAttempts: 5},
+				event:  &es_models.Event{},
+			},
+			result: &IAM{DefaultPasswordLockoutPolicy: &PasswordLockoutPolicy{
+				MaxAttempts: 5,
+			}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.iam.appendChangePasswordLockoutPolicyEvent(tt.args.event)
+			if tt.result.DefaultPasswordLockoutPolicy.MaxAttempts != tt.args.iam.DefaultPasswordLockoutPolicy.MaxAttempts {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.DefaultPasswordLockoutPolicy.MaxAttempts, tt.args.iam.DefaultPasswordLockoutPolicy.MaxAttempts)
+			}
+		})
+	}
+}

internal/iam/repository/eventsourcing/model/types.go

@@ -30,4 +30,16 @@ const (
 	LoginPolicyIDPProviderAdded          models.EventType = "iam.policy.login.idpprovider.added"
 	LoginPolicyIDPProviderRemoved        models.EventType = "iam.policy.login.idpprovider.removed"
 	LoginPolicyIDPProviderCascadeRemoved models.EventType = "iam.policy.login.idpprovider.cascade.removed"
+
+	PasswordComplexityPolicyAdded   models.EventType = "iam.policy.password.complexity.added"
+	PasswordComplexityPolicyChanged models.EventType = "iam.policy.password.complexity.changed"
+
+	PasswordAgePolicyAdded   models.EventType = "iam.policy.password.age.added"
+	PasswordAgePolicyChanged models.EventType = "iam.policy.password.age.changed"
+
+	PasswordLockoutPolicyAdded   models.EventType = "iam.policy.password.lockout.added"
+	PasswordLockoutPolicyChanged models.EventType = "iam.policy.password.lockout.changed"
+
+	OrgIAMPolicyAdded   models.EventType = "iam.policy.org.iam.added"
+	OrgIAMPolicyChanged models.EventType = "iam.policy.org.iam.changed"
 )

internal/iam/repository/view/model/org_iam_policy.go

@@ -0,0 +1,78 @@
+package model
+
+import (
+	"encoding/json"
+	org_es_model "github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+	"time"
+
+	es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+
+	"github.com/caos/logging"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/iam/model"
+)
+
+const (
+	OrgIAMPolicyKeyAggregateID = "aggregate_id"
+)
+
+type OrgIAMPolicyView struct {
+	AggregateID  string    `json:"-" gorm:"column:aggregate_id;primary_key"`
+	CreationDate time.Time `json:"-" gorm:"column:creation_date"`
+	ChangeDate   time.Time `json:"-" gorm:"column:change_date"`
+	State        int32     `json:"-" gorm:"column:org_iam_policy_state"`
+
+	UserLoginMustBeDomain bool `json:"userLoginMustBeDomain" gorm:"column:user_login_must_be_domain"`
+	Default               bool `json:"-" gorm:"-"`
+
+	Sequence uint64 `json:"-" gorm:"column:sequence"`
+}
+
+func OrgIAMViewFromModel(policy *model.OrgIAMPolicyView) *OrgIAMPolicyView {
+	return &OrgIAMPolicyView{
+		AggregateID:           policy.AggregateID,
+		Sequence:              policy.Sequence,
+		CreationDate:          policy.CreationDate,
+		ChangeDate:            policy.ChangeDate,
+		Default:               policy.Default,
+		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
+	}
+}
+
+func OrgIAMViewToModel(policy *OrgIAMPolicyView) *model.OrgIAMPolicyView {
+	return &model.OrgIAMPolicyView{
+		AggregateID:           policy.AggregateID,
+		Sequence:              policy.Sequence,
+		CreationDate:          policy.CreationDate,
+		ChangeDate:            policy.ChangeDate,
+		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
+		Default:               policy.Default,
+	}
+}
+
+func (i *OrgIAMPolicyView) AppendEvent(event *models.Event) (err error) {
+	i.Sequence = event.Sequence
+	i.ChangeDate = event.CreationDate
+	switch event.Type {
+	case es_model.OrgIAMPolicyAdded, org_es_model.OrgIAMPolicyAdded:
+		i.setRootData(event)
+		i.CreationDate = event.CreationDate
+		err = i.SetData(event)
+	case es_model.OrgIAMPolicyChanged, org_es_model.OrgIAMPolicyChanged:
+		err = i.SetData(event)
+	}
+	return err
+}
+
+func (r *OrgIAMPolicyView) setRootData(event *models.Event) {
+	r.AggregateID = event.AggregateID
+}
+
+func (r *OrgIAMPolicyView) SetData(event *models.Event) error {
+	if err := json.Unmarshal(event.Data, r); err != nil {
+		logging.Log("EVEN-Dmi9g").WithError(err).Error("could not unmarshal event data")
+		return caos_errs.ThrowInternal(err, "MODEL-Hs8uf", "Could not unmarshal data")
+	}
+	return nil
+}

internal/iam/repository/view/model/org_iam_policy_query.go

@@ -0,0 +1,59 @@
+package model
+
+import (
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	global_model "github.com/caos/zitadel/internal/model"
+	"github.com/caos/zitadel/internal/view/repository"
+)
+
+type OrgIAMPolicySearchRequest iam_model.OrgIAMPolicySearchRequest
+type OrgIAMPolicySearchQuery iam_model.OrgIAMPolicySearchQuery
+type OrgIAMPolicySearchKey iam_model.OrgIAMPolicySearchKey
+
+func (req OrgIAMPolicySearchRequest) GetLimit() uint64 {
+	return req.Limit
+}
+
+func (req OrgIAMPolicySearchRequest) GetOffset() uint64 {
+	return req.Offset
+}
+
+func (req OrgIAMPolicySearchRequest) GetSortingColumn() repository.ColumnKey {
+	if req.SortingColumn == iam_model.OrgIAMPolicySearchKeyUnspecified {
+		return nil
+	}
+	return OrgIAMPolicySearchKey(req.SortingColumn)
+}
+
+func (req OrgIAMPolicySearchRequest) GetAsc() bool {
+	return req.Asc
+}
+
+func (req OrgIAMPolicySearchRequest) GetQueries() []repository.SearchQuery {
+	result := make([]repository.SearchQuery, len(req.Queries))
+	for i, q := range req.Queries {
+		result[i] = OrgIAMPolicySearchQuery{Key: q.Key, Value: q.Value, Method: q.Method}
+	}
+	return result
+}
+
+func (req OrgIAMPolicySearchQuery) GetKey() repository.ColumnKey {
+	return OrgIAMPolicySearchKey(req.Key)
+}
+
+func (req OrgIAMPolicySearchQuery) GetMethod() global_model.SearchMethod {
+	return req.Method
+}
+
+func (req OrgIAMPolicySearchQuery) GetValue() interface{} {
+	return req.Value
+}
+
+func (key OrgIAMPolicySearchKey) ToColumnName() string {
+	switch iam_model.OrgIAMPolicySearchKey(key) {
+	case iam_model.OrgIAMPolicySearchKeyAggregateID:
+		return OrgIAMPolicyKeyAggregateID
+	default:
+		return ""
+	}
+}

internal/iam/repository/view/model/password_age_policy.go

@@ -0,0 +1,81 @@
+package model
+
+import (
+	"encoding/json"
+	org_es_model "github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+	"time"
+
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+
+	"github.com/caos/logging"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/iam/model"
+)
+
+const (
+	PasswordAgeKeyAggregateID = "aggregate_id"
+)
+
+type PasswordAgePolicyView struct {
+	AggregateID  string    `json:"-" gorm:"column:aggregate_id;primary_key"`
+	CreationDate time.Time `json:"-" gorm:"column:creation_date"`
+	ChangeDate   time.Time `json:"-" gorm:"column:change_date"`
+	State        int32     `json:"-" gorm:"column:age_policy_state"`
+
+	MaxAgeDays     uint64 `json:"maxAgeDays" gorm:"column:max_age_days"`
+	ExpireWarnDays uint64 `json:"expireWarnDays" gorm:"column:expire_warn_days"`
+	Default        bool   `json:"-" gorm:"-"`
+
+	Sequence uint64 `json:"-" gorm:"column:sequence"`
+}
+
+func PasswordAgeViewFromModel(policy *model.PasswordAgePolicyView) *PasswordAgePolicyView {
+	return &PasswordAgePolicyView{
+		AggregateID:    policy.AggregateID,
+		Sequence:       policy.Sequence,
+		CreationDate:   policy.CreationDate,
+		ChangeDate:     policy.ChangeDate,
+		MaxAgeDays:     policy.MaxAgeDays,
+		ExpireWarnDays: policy.ExpireWarnDays,
+		Default:        policy.Default,
+	}
+}
+
+func PasswordAgeViewToModel(policy *PasswordAgePolicyView) *model.PasswordAgePolicyView {
+	return &model.PasswordAgePolicyView{
+		AggregateID:    policy.AggregateID,
+		Sequence:       policy.Sequence,
+		CreationDate:   policy.CreationDate,
+		ChangeDate:     policy.ChangeDate,
+		MaxAgeDays:     policy.MaxAgeDays,
+		ExpireWarnDays: policy.ExpireWarnDays,
+		Default:        policy.Default,
+	}
+}
+
+func (i *PasswordAgePolicyView) AppendEvent(event *models.Event) (err error) {
+	i.Sequence = event.Sequence
+	i.ChangeDate = event.CreationDate
+	switch event.Type {
+	case iam_es_model.PasswordAgePolicyAdded, org_es_model.PasswordAgePolicyAdded:
+		i.setRootData(event)
+		i.CreationDate = event.CreationDate
+		err = i.SetData(event)
+	case iam_es_model.PasswordAgePolicyChanged, org_es_model.PasswordAgePolicyChanged:
+		err = i.SetData(event)
+	}
+	return err
+}
+
+func (r *PasswordAgePolicyView) setRootData(event *models.Event) {
+	r.AggregateID = event.AggregateID
+}
+
+func (r *PasswordAgePolicyView) SetData(event *models.Event) error {
+	if err := json.Unmarshal(event.Data, r); err != nil {
+		logging.Log("EVEN-gH9os").WithError(err).Error("could not unmarshal event data")
+		return caos_errs.ThrowInternal(err, "MODEL-Hs8uf", "Could not unmarshal data")
+	}
+	return nil
+}

internal/iam/repository/view/model/password_age_policy_query.go

@@ -0,0 +1,59 @@
+package model
+
+import (
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	global_model "github.com/caos/zitadel/internal/model"
+	"github.com/caos/zitadel/internal/view/repository"
+)
+
+type PasswordAgePolicySearchRequest iam_model.PasswordAgePolicySearchRequest
+type PasswordAgePolicySearchQuery iam_model.PasswordAgePolicySearchQuery
+type PasswordAgePolicySearchKey iam_model.PasswordAgePolicySearchKey
+
+func (req PasswordAgePolicySearchRequest) GetLimit() uint64 {
+	return req.Limit
+}
+
+func (req PasswordAgePolicySearchRequest) GetOffset() uint64 {
+	return req.Offset
+}
+
+func (req PasswordAgePolicySearchRequest) GetSortingColumn() repository.ColumnKey {
+	if req.SortingColumn == iam_model.PasswordAgePolicySearchKeyUnspecified {
+		return nil
+	}
+	return PasswordAgePolicySearchKey(req.SortingColumn)
+}
+
+func (req PasswordAgePolicySearchRequest) GetAsc() bool {
+	return req.Asc
+}
+
+func (req PasswordAgePolicySearchRequest) GetQueries() []repository.SearchQuery {
+	result := make([]repository.SearchQuery, len(req.Queries))
+	for i, q := range req.Queries {
+		result[i] = PasswordAgePolicySearchQuery{Key: q.Key, Value: q.Value, Method: q.Method}
+	}
+	return result
+}
+
+func (req PasswordAgePolicySearchQuery) GetKey() repository.ColumnKey {
+	return PasswordAgePolicySearchKey(req.Key)
+}
+
+func (req PasswordAgePolicySearchQuery) GetMethod() global_model.SearchMethod {
+	return req.Method
+}
+
+func (req PasswordAgePolicySearchQuery) GetValue() interface{} {
+	return req.Value
+}
+
+func (key PasswordAgePolicySearchKey) ToColumnName() string {
+	switch iam_model.PasswordAgePolicySearchKey(key) {
+	case iam_model.PasswordAgePolicySearchKeyAggregateID:
+		return PasswordAgeKeyAggregateID
+	default:
+		return ""
+	}
+}

internal/iam/repository/view/model/password_complexity_policy.go

@@ -0,0 +1,90 @@
+package model
+
+import (
+	"encoding/json"
+	org_es_model "github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+	"time"
+
+	es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+
+	"github.com/caos/logging"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/iam/model"
+)
+
+const (
+	PasswordComplexityKeyAggregateID = "aggregate_id"
+)
+
+type PasswordComplexityPolicyView struct {
+	AggregateID  string    `json:"-" gorm:"column:aggregate_id;primary_key"`
+	CreationDate time.Time `json:"-" gorm:"column:creation_date"`
+	ChangeDate   time.Time `json:"-" gorm:"column:change_date"`
+	State        int32     `json:"-" gorm:"column:complexity_policy_state"`
+
+	MinLength    uint64 `json:"minLength" gorm:"column:min_length"`
+	HasLowercase bool   `json:"hasLowercase" gorm:"column:has_lowercase"`
+	HasUppercase bool   `json:"hasUppercase" gorm:"column:has_uppercase"`
+	HasSymbol    bool   `json:"hasSymbol" gorm:"column:has_symbol"`
+	HasNumber    bool   `json:"hasNumber" gorm:"column:has_number"`
+	Default      bool   `json:"-" gorm:"-"`
+
+	Sequence uint64 `json:"-" gorm:"column:sequence"`
+}
+
+func PasswordComplexityViewFromModel(policy *model.PasswordComplexityPolicyView) *PasswordComplexityPolicyView {
+	return &PasswordComplexityPolicyView{
+		AggregateID:  policy.AggregateID,
+		Sequence:     policy.Sequence,
+		CreationDate: policy.CreationDate,
+		ChangeDate:   policy.ChangeDate,
+		MinLength:    policy.MinLength,
+		HasLowercase: policy.HasLowercase,
+		HasUppercase: policy.HasUppercase,
+		HasSymbol:    policy.HasSymbol,
+		HasNumber:    policy.HasNumber,
+		Default:      policy.Default,
+	}
+}
+
+func PasswordComplexityViewToModel(policy *PasswordComplexityPolicyView) *model.PasswordComplexityPolicyView {
+	return &model.PasswordComplexityPolicyView{
+		AggregateID:  policy.AggregateID,
+		Sequence:     policy.Sequence,
+		CreationDate: policy.CreationDate,
+		ChangeDate:   policy.ChangeDate,
+		MinLength:    policy.MinLength,
+		HasLowercase: policy.HasLowercase,
+		HasUppercase: policy.HasUppercase,
+		HasSymbol:    policy.HasSymbol,
+		HasNumber:    policy.HasNumber,
+		Default:      policy.Default,
+	}
+}
+
+func (i *PasswordComplexityPolicyView) AppendEvent(event *models.Event) (err error) {
+	i.Sequence = event.Sequence
+	i.ChangeDate = event.CreationDate
+	switch event.Type {
+	case es_model.PasswordComplexityPolicyAdded, org_es_model.PasswordComplexityPolicyAdded:
+		i.setRootData(event)
+		i.CreationDate = event.CreationDate
+		err = i.SetData(event)
+	case es_model.PasswordComplexityPolicyChanged, org_es_model.PasswordComplexityPolicyChanged:
+		err = i.SetData(event)
+	}
+	return err
+}
+
+func (r *PasswordComplexityPolicyView) setRootData(event *models.Event) {
+	r.AggregateID = event.AggregateID
+}
+
+func (r *PasswordComplexityPolicyView) SetData(event *models.Event) error {
+	if err := json.Unmarshal(event.Data, r); err != nil {
+		logging.Log("EVEN-Dmi9g").WithError(err).Error("could not unmarshal event data")
+		return caos_errs.ThrowInternal(err, "MODEL-Hs8uf", "Could not unmarshal data")
+	}
+	return nil
+}

internal/iam/repository/view/model/password_complexity_policy_query.go

@@ -0,0 +1,59 @@
+package model
+
+import (
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	global_model "github.com/caos/zitadel/internal/model"
+	"github.com/caos/zitadel/internal/view/repository"
+)
+
+type PasswordComplexityPolicySearchRequest iam_model.PasswordComplexityPolicySearchRequest
+type PasswordComplexityPolicySearchQuery iam_model.PasswordComplexityPolicySearchQuery
+type PasswordComplexityPolicySearchKey iam_model.PasswordComplexityPolicySearchKey
+
+func (req PasswordComplexityPolicySearchRequest) GetLimit() uint64 {
+	return req.Limit
+}
+
+func (req PasswordComplexityPolicySearchRequest) GetOffset() uint64 {
+	return req.Offset
+}
+
+func (req PasswordComplexityPolicySearchRequest) GetSortingColumn() repository.ColumnKey {
+	if req.SortingColumn == iam_model.PasswordComplexityPolicySearchKeyUnspecified {
+		return nil
+	}
+	return PasswordComplexityPolicySearchKey(req.SortingColumn)
+}
+
+func (req PasswordComplexityPolicySearchRequest) GetAsc() bool {
+	return req.Asc
+}
+
+func (req PasswordComplexityPolicySearchRequest) GetQueries() []repository.SearchQuery {
+	result := make([]repository.SearchQuery, len(req.Queries))
+	for i, q := range req.Queries {
+		result[i] = PasswordComplexityPolicySearchQuery{Key: q.Key, Value: q.Value, Method: q.Method}
+	}
+	return result
+}
+
+func (req PasswordComplexityPolicySearchQuery) GetKey() repository.ColumnKey {
+	return PasswordComplexityPolicySearchKey(req.Key)
+}
+
+func (req PasswordComplexityPolicySearchQuery) GetMethod() global_model.SearchMethod {
+	return req.Method
+}
+
+func (req PasswordComplexityPolicySearchQuery) GetValue() interface{} {
+	return req.Value
+}
+
+func (key PasswordComplexityPolicySearchKey) ToColumnName() string {
+	switch iam_model.PasswordComplexityPolicySearchKey(key) {
+	case iam_model.PasswordComplexityPolicySearchKeyAggregateID:
+		return PasswordComplexityKeyAggregateID
+	default:
+		return ""
+	}
+}

internal/iam/repository/view/model/password_lockout_policy.go

@@ -0,0 +1,81 @@
+package model
+
+import (
+	"encoding/json"
+	org_es_model "github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+	"time"
+
+	es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+
+	"github.com/caos/logging"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/iam/model"
+)
+
+const (
+	PasswordLockoutKeyAggregateID = "aggregate_id"
+)
+
+type PasswordLockoutPolicyView struct {
+	AggregateID  string    `json:"-" gorm:"column:aggregate_id;primary_key"`
+	CreationDate time.Time `json:"-" gorm:"column:creation_date"`
+	ChangeDate   time.Time `json:"-" gorm:"column:change_date"`
+	State        int32     `json:"-" gorm:"column:lockout_policy_state"`
+
+	MaxAttempts         uint64 `json:"maxAttempts" gorm:"column:max_attempts"`
+	ShowLockOutFailures bool   `json:"showLockOutFailures" gorm:"column:show_lockout_failures"`
+	Default             bool   `json:"-" gorm:"-"`
+
+	Sequence uint64 `json:"-" gorm:"column:sequence"`
+}
+
+func PasswordLockoutViewFromModel(policy *model.PasswordLockoutPolicyView) *PasswordLockoutPolicyView {
+	return &PasswordLockoutPolicyView{
+		AggregateID:         policy.AggregateID,
+		Sequence:            policy.Sequence,
+		CreationDate:        policy.CreationDate,
+		ChangeDate:          policy.ChangeDate,
+		MaxAttempts:         policy.MaxAttempts,
+		ShowLockOutFailures: policy.ShowLockOutFailures,
+		Default:             policy.Default,
+	}
+}
+
+func PasswordLockoutViewToModel(policy *PasswordLockoutPolicyView) *model.PasswordLockoutPolicyView {
+	return &model.PasswordLockoutPolicyView{
+		AggregateID:         policy.AggregateID,
+		Sequence:            policy.Sequence,
+		CreationDate:        policy.CreationDate,
+		ChangeDate:          policy.ChangeDate,
+		MaxAttempts:         policy.MaxAttempts,
+		ShowLockOutFailures: policy.ShowLockOutFailures,
+		Default:             policy.Default,
+	}
+}
+
+func (i *PasswordLockoutPolicyView) AppendEvent(event *models.Event) (err error) {
+	i.Sequence = event.Sequence
+	i.ChangeDate = event.CreationDate
+	switch event.Type {
+	case es_model.PasswordLockoutPolicyAdded, org_es_model.PasswordLockoutPolicyAdded:
+		i.setRootData(event)
+		i.CreationDate = event.CreationDate
+		err = i.SetData(event)
+	case es_model.PasswordLockoutPolicyChanged, org_es_model.PasswordLockoutPolicyChanged:
+		err = i.SetData(event)
+	}
+	return err
+}
+
+func (r *PasswordLockoutPolicyView) setRootData(event *models.Event) {
+	r.AggregateID = event.AggregateID
+}
+
+func (r *PasswordLockoutPolicyView) SetData(event *models.Event) error {
+	if err := json.Unmarshal(event.Data, r); err != nil {
+		logging.Log("EVEN-gHls0").WithError(err).Error("could not unmarshal event data")
+		return caos_errs.ThrowInternal(err, "MODEL-Hs8uf", "Could not unmarshal data")
+	}
+	return nil
+}

internal/iam/repository/view/model/password_lockout_policy_query.go

@@ -0,0 +1,59 @@
+package model
+
+import (
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	global_model "github.com/caos/zitadel/internal/model"
+	"github.com/caos/zitadel/internal/view/repository"
+)
+
+type PasswordLockoutPolicySearchRequest iam_model.PasswordLockoutPolicySearchRequest
+type PasswordLockoutPolicySearchQuery iam_model.PasswordLockoutPolicySearchQuery
+type PasswordLockoutPolicySearchKey iam_model.PasswordLockoutPolicySearchKey
+
+func (req PasswordLockoutPolicySearchRequest) GetLimit() uint64 {
+	return req.Limit
+}
+
+func (req PasswordLockoutPolicySearchRequest) GetOffset() uint64 {
+	return req.Offset
+}
+
+func (req PasswordLockoutPolicySearchRequest) GetSortingColumn() repository.ColumnKey {
+	if req.SortingColumn == iam_model.PasswordLockoutPolicySearchKeyUnspecified {
+		return nil
+	}
+	return PasswordLockoutPolicySearchKey(req.SortingColumn)
+}
+
+func (req PasswordLockoutPolicySearchRequest) GetAsc() bool {
+	return req.Asc
+}
+
+func (req PasswordLockoutPolicySearchRequest) GetQueries() []repository.SearchQuery {
+	result := make([]repository.SearchQuery, len(req.Queries))
+	for i, q := range req.Queries {
+		result[i] = PasswordLockoutPolicySearchQuery{Key: q.Key, Value: q.Value, Method: q.Method}
+	}
+	return result
+}
+
+func (req PasswordLockoutPolicySearchQuery) GetKey() repository.ColumnKey {
+	return PasswordLockoutPolicySearchKey(req.Key)
+}
+
+func (req PasswordLockoutPolicySearchQuery) GetMethod() global_model.SearchMethod {
+	return req.Method
+}
+
+func (req PasswordLockoutPolicySearchQuery) GetValue() interface{} {
+	return req.Value
+}
+
+func (key PasswordLockoutPolicySearchKey) ToColumnName() string {
+	switch iam_model.PasswordLockoutPolicySearchKey(key) {
+	case iam_model.PasswordLockoutPolicySearchKeyAggregateID:
+		return PasswordLockoutKeyAggregateID
+	default:
+		return ""
+	}
+}

internal/iam/repository/view/org_iam_policy_view.go

@@ -0,0 +1,32 @@
+package view
+
+import (
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/iam/repository/view/model"
+	global_model "github.com/caos/zitadel/internal/model"
+	"github.com/caos/zitadel/internal/view/repository"
+	"github.com/jinzhu/gorm"
+)
+
+func GetOrgIAMPolicyByAggregateID(db *gorm.DB, table, aggregateID string) (*model.OrgIAMPolicyView, error) {
+	policy := new(model.OrgIAMPolicyView)
+	userIDQuery := &model.OrgIAMPolicySearchQuery{Key: iam_model.OrgIAMPolicySearchKeyAggregateID, Value: aggregateID, Method: global_model.SearchMethodEquals}
+	query := repository.PrepareGetByQuery(table, userIDQuery)
+	err := query(db, policy)
+	if caos_errs.IsNotFound(err) {
+		return nil, caos_errs.ThrowNotFound(nil, "VIEW-5fi9s", "Errors.IAM.OrgIAMPolicy.NotExisting")
+	}
+	return policy, err
+}
+
+func PutOrgIAMPolicy(db *gorm.DB, table string, policy *model.OrgIAMPolicyView) error {
+	save := repository.PrepareSave(table)
+	return save(db, policy)
+}
+
+func DeleteOrgIAMPolicy(db *gorm.DB, table, aggregateID string) error {
+	delete := repository.PrepareDeleteByKey(table, model.OrgIAMPolicySearchKey(iam_model.OrgIAMPolicySearchKeyAggregateID), aggregateID)
+
+	return delete(db)
+}

internal/iam/repository/view/password_age_policy_view.go

@@ -0,0 +1,32 @@
+package view
+
+import (
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/iam/repository/view/model"
+	global_model "github.com/caos/zitadel/internal/model"
+	"github.com/caos/zitadel/internal/view/repository"
+	"github.com/jinzhu/gorm"
+)
+
+func GetPasswordAgePolicyByAggregateID(db *gorm.DB, table, aggregateID string) (*model.PasswordAgePolicyView, error) {
+	policy := new(model.PasswordAgePolicyView)
+	userIDQuery := &model.PasswordAgePolicySearchQuery{Key: iam_model.PasswordAgePolicySearchKeyAggregateID, Value: aggregateID, Method: global_model.SearchMethodEquals}
+	query := repository.PrepareGetByQuery(table, userIDQuery)
+	err := query(db, policy)
+	if caos_errs.IsNotFound(err) {
+		return nil, caos_errs.ThrowNotFound(nil, "VIEW-Lso0cs", "Errors.IAM.PasswordAgePolicy.NotExisting")
+	}
+	return policy, err
+}
+
+func PutPasswordAgePolicy(db *gorm.DB, table string, policy *model.PasswordAgePolicyView) error {
+	save := repository.PrepareSave(table)
+	return save(db, policy)
+}
+
+func DeletePasswordAgePolicy(db *gorm.DB, table, aggregateID string) error {
+	delete := repository.PrepareDeleteByKey(table, model.PasswordAgePolicySearchKey(iam_model.PasswordAgePolicySearchKeyAggregateID), aggregateID)
+
+	return delete(db)
+}

internal/iam/repository/view/password_complexity_policy_view.go

@@ -0,0 +1,32 @@
+package view
+
+import (
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/iam/repository/view/model"
+	global_model "github.com/caos/zitadel/internal/model"
+	"github.com/caos/zitadel/internal/view/repository"
+	"github.com/jinzhu/gorm"
+)
+
+func GetPasswordComplexityPolicyByAggregateID(db *gorm.DB, table, aggregateID string) (*model.PasswordComplexityPolicyView, error) {
+	policy := new(model.PasswordComplexityPolicyView)
+	userIDQuery := &model.PasswordComplexityPolicySearchQuery{Key: iam_model.PasswordComplexityPolicySearchKeyAggregateID, Value: aggregateID, Method: global_model.SearchMethodEquals}
+	query := repository.PrepareGetByQuery(table, userIDQuery)
+	err := query(db, policy)
+	if caos_errs.IsNotFound(err) {
+		return nil, caos_errs.ThrowNotFound(nil, "VIEW-Lso0cs", "Errors.IAM.PasswordComplexityPolicy.NotExisting")
+	}
+	return policy, err
+}
+
+func PutPasswordComplexityPolicy(db *gorm.DB, table string, policy *model.PasswordComplexityPolicyView) error {
+	save := repository.PrepareSave(table)
+	return save(db, policy)
+}
+
+func DeletePasswordComplexityPolicy(db *gorm.DB, table, aggregateID string) error {
+	delete := repository.PrepareDeleteByKey(table, model.PasswordComplexityPolicySearchKey(iam_model.PasswordComplexityPolicySearchKeyAggregateID), aggregateID)
+
+	return delete(db)
+}

internal/iam/repository/view/password_lockout_policy_view.go

@@ -0,0 +1,32 @@
+package view
+
+import (
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/iam/repository/view/model"
+	global_model "github.com/caos/zitadel/internal/model"
+	"github.com/caos/zitadel/internal/view/repository"
+	"github.com/jinzhu/gorm"
+)
+
+func GetPasswordLockoutPolicyByAggregateID(db *gorm.DB, table, aggregateID string) (*model.PasswordLockoutPolicyView, error) {
+	policy := new(model.PasswordLockoutPolicyView)
+	userIDQuery := &model.PasswordLockoutPolicySearchQuery{Key: iam_model.PasswordLockoutPolicySearchKeyAggregateID, Value: aggregateID, Method: global_model.SearchMethodEquals}
+	query := repository.PrepareGetByQuery(table, userIDQuery)
+	err := query(db, policy)
+	if caos_errs.IsNotFound(err) {
+		return nil, caos_errs.ThrowNotFound(nil, "VIEW-Lso0cs", "Errors.IAM.PasswordLockoutPolicy.NotExisting")
+	}
+	return policy, err
+}
+
+func PutPasswordLockoutPolicy(db *gorm.DB, table string, policy *model.PasswordLockoutPolicyView) error {
+	save := repository.PrepareSave(table)
+	return save(db, policy)
+}
+
+func DeletePasswordLockoutPolicy(db *gorm.DB, table, aggregateID string) error {
+	delete := repository.PrepareDeleteByKey(table, model.PasswordLockoutPolicySearchKey(iam_model.PasswordLockoutPolicySearchKeyAggregateID), aggregateID)
+
+	return delete(db)
+}

internal/management/repository/eventsourcing/eventstore/org.go

@@ -86,8 +86,19 @@ func (repo *OrgRepository) ReactivateOrg(ctx context.Context, id string) (*org_m
 	return repo.OrgEventstore.ReactivateOrg(ctx, id)
 }
 
-func (repo *OrgRepository) GetMyOrgIamPolicy(ctx context.Context) (*org_model.OrgIAMPolicy, error) {
-	return repo.OrgEventstore.GetOrgIAMPolicy(ctx, authz.GetCtxData(ctx).OrgID)
+func (repo *OrgRepository) GetMyOrgIamPolicy(ctx context.Context) (*iam_model.OrgIAMPolicyView, error) {
+	policy, err := repo.View.OrgIAMPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
+	if errors.IsNotFound(err) {
+		policy, err = repo.View.OrgIAMPolicyByAggregateID(repo.SystemDefaults.IamID)
+		if err != nil {
+			return nil, err
+		}
+		policy.Default = true
+	}
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.OrgIAMViewToModel(policy), err
 }
 
 func (repo *OrgRepository) SearchMyOrgDomains(ctx context.Context, request *org_model.OrgDomainSearchRequest) (*org_model.OrgDomainSearchResponse, error) {
@@ -306,6 +317,15 @@ func (repo *OrgRepository) GetLoginPolicy(ctx context.Context) (*iam_model.Login
 	return iam_es_model.LoginPolicyViewToModel(policy), err
 }
 
+func (repo *OrgRepository) GetDefaultLoginPolicy(ctx context.Context) (*iam_model.LoginPolicyView, error) {
+	policy, err := repo.View.LoginPolicyByAggregateID(repo.SystemDefaults.IamID)
+	if err != nil {
+		return nil, err
+	}
+	policy.Default = true
+	return iam_es_model.LoginPolicyViewToModel(policy), err
+}
+
 func (repo *OrgRepository) AddLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*iam_model.LoginPolicy, error) {
 	policy.AggregateID = authz.GetCtxData(ctx).OrgID
 	return repo.OrgEventstore.AddLoginPolicy(ctx, policy)
@@ -380,3 +400,126 @@ func (repo *OrgRepository) RemoveIDPProviderFromIdpProvider(ctx context.Context,
 	}
 	return sdk.PushAggregates(ctx, repo.Eventstore.PushAggregates, nil, aggregates...)
 }
+
+func (repo *OrgRepository) GetPasswordComplexityPolicy(ctx context.Context) (*iam_model.PasswordComplexityPolicyView, error) {
+	policy, err := repo.View.PasswordComplexityPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
+	if errors.IsNotFound(err) {
+		policy, err = repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
+		if err != nil {
+			return nil, err
+		}
+		policy.Default = true
+	}
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.PasswordComplexityViewToModel(policy), err
+}
+
+func (repo *OrgRepository) GetDefaultPasswordComplexityPolicy(ctx context.Context) (*iam_model.PasswordComplexityPolicyView, error) {
+	policy, err := repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
+	if err != nil {
+		return nil, err
+	}
+	policy.Default = true
+	return iam_es_model.PasswordComplexityViewToModel(policy), err
+}
+
+func (repo *OrgRepository) AddPasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error) {
+	policy.AggregateID = authz.GetCtxData(ctx).OrgID
+	return repo.OrgEventstore.AddPasswordComplexityPolicy(ctx, policy)
+}
+
+func (repo *OrgRepository) ChangePasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error) {
+	policy.AggregateID = authz.GetCtxData(ctx).OrgID
+	return repo.OrgEventstore.ChangePasswordComplexityPolicy(ctx, policy)
+}
+
+func (repo *OrgRepository) RemovePasswordComplexityPolicy(ctx context.Context) error {
+	policy := &iam_model.PasswordComplexityPolicy{ObjectRoot: models.ObjectRoot{
+		AggregateID: authz.GetCtxData(ctx).OrgID,
+	}}
+	return repo.OrgEventstore.RemovePasswordComplexityPolicy(ctx, policy)
+}
+
+func (repo *OrgRepository) GetPasswordAgePolicy(ctx context.Context) (*iam_model.PasswordAgePolicyView, error) {
+	policy, err := repo.View.PasswordAgePolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
+	if errors.IsNotFound(err) {
+		policy, err = repo.View.PasswordAgePolicyByAggregateID(repo.SystemDefaults.IamID)
+		if err != nil {
+			return nil, err
+		}
+		policy.Default = true
+	}
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.PasswordAgeViewToModel(policy), err
+}
+
+func (repo *OrgRepository) GetDefaultPasswordAgePolicy(ctx context.Context) (*iam_model.PasswordAgePolicyView, error) {
+	policy, err := repo.View.PasswordAgePolicyByAggregateID(repo.SystemDefaults.IamID)
+	if err != nil {
+		return nil, err
+	}
+	policy.Default = true
+	return iam_es_model.PasswordAgeViewToModel(policy), err
+}
+
+func (repo *OrgRepository) AddPasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error) {
+	policy.AggregateID = authz.GetCtxData(ctx).OrgID
+	return repo.OrgEventstore.AddPasswordAgePolicy(ctx, policy)
+}
+
+func (repo *OrgRepository) ChangePasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error) {
+	policy.AggregateID = authz.GetCtxData(ctx).OrgID
+	return repo.OrgEventstore.ChangePasswordAgePolicy(ctx, policy)
+}
+
+func (repo *OrgRepository) RemovePasswordAgePolicy(ctx context.Context) error {
+	policy := &iam_model.PasswordAgePolicy{ObjectRoot: models.ObjectRoot{
+		AggregateID: authz.GetCtxData(ctx).OrgID,
+	}}
+	return repo.OrgEventstore.RemovePasswordAgePolicy(ctx, policy)
+}
+
+func (repo *OrgRepository) GetPasswordLockoutPolicy(ctx context.Context) (*iam_model.PasswordLockoutPolicyView, error) {
+	policy, err := repo.View.PasswordLockoutPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
+	if errors.IsNotFound(err) {
+		policy, err = repo.View.PasswordLockoutPolicyByAggregateID(repo.SystemDefaults.IamID)
+		if err != nil {
+			return nil, err
+		}
+		policy.Default = true
+	}
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.PasswordLockoutViewToModel(policy), err
+}
+
+func (repo *OrgRepository) GetDefaultPasswordLockoutPolicy(ctx context.Context) (*iam_model.PasswordLockoutPolicyView, error) {
+	policy, err := repo.View.PasswordLockoutPolicyByAggregateID(repo.SystemDefaults.IamID)
+	if err != nil {
+		return nil, err
+	}
+	policy.Default = true
+	return iam_es_model.PasswordLockoutViewToModel(policy), err
+}
+
+func (repo *OrgRepository) AddPasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error) {
+	policy.AggregateID = authz.GetCtxData(ctx).OrgID
+	return repo.OrgEventstore.AddPasswordLockoutPolicy(ctx, policy)
+}
+
+func (repo *OrgRepository) ChangePasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error) {
+	policy.AggregateID = authz.GetCtxData(ctx).OrgID
+	return repo.OrgEventstore.ChangePasswordLockoutPolicy(ctx, policy)
+}
+
+func (repo *OrgRepository) RemovePasswordLockoutPolicy(ctx context.Context) error {
+	policy := &iam_model.PasswordLockoutPolicy{ObjectRoot: models.ObjectRoot{
+		AggregateID: authz.GetCtxData(ctx).OrgID,
+	}}
+	return repo.OrgEventstore.RemovePasswordLockoutPolicy(ctx, policy)
+}

internal/management/repository/eventsourcing/eventstore/policy.go

@@ -1,48 +0,0 @@
-package eventstore
-
-import (
-	"context"
-
-	"github.com/caos/zitadel/internal/api/authz"
-	pol_model "github.com/caos/zitadel/internal/policy/model"
-	pol_event "github.com/caos/zitadel/internal/policy/repository/eventsourcing"
-)
-
-type PolicyRepo struct {
-	PolicyEvents *pol_event.PolicyEventstore
-	//view      *view.View
-}
-
-func (repo *PolicyRepo) CreatePasswordComplexityPolicy(ctx context.Context, policy *pol_model.PasswordComplexityPolicy) (*pol_model.PasswordComplexityPolicy, error) {
-	return repo.PolicyEvents.CreatePasswordComplexityPolicy(ctx, policy)
-}
-func (repo *PolicyRepo) GetPasswordComplexityPolicy(ctx context.Context) (*pol_model.PasswordComplexityPolicy, error) {
-	ctxData := authz.GetCtxData(ctx)
-	return repo.PolicyEvents.GetPasswordComplexityPolicy(ctx, ctxData.OrgID)
-}
-func (repo *PolicyRepo) GetDefaultPasswordComplexityPolicy(ctx context.Context) (*pol_model.PasswordComplexityPolicy, error) {
-	return repo.PolicyEvents.GetPasswordComplexityPolicy(ctx, "0")
-}
-func (repo *PolicyRepo) UpdatePasswordComplexityPolicy(ctx context.Context, policy *pol_model.PasswordComplexityPolicy) (*pol_model.PasswordComplexityPolicy, error) {
-	return repo.PolicyEvents.UpdatePasswordComplexityPolicy(ctx, policy)
-}
-func (repo *PolicyRepo) CreatePasswordAgePolicy(ctx context.Context, policy *pol_model.PasswordAgePolicy) (*pol_model.PasswordAgePolicy, error) {
-	return repo.PolicyEvents.CreatePasswordAgePolicy(ctx, policy)
-}
-func (repo *PolicyRepo) GetPasswordAgePolicy(ctx context.Context) (*pol_model.PasswordAgePolicy, error) {
-	ctxData := authz.GetCtxData(ctx)
-	return repo.PolicyEvents.GetPasswordAgePolicy(ctx, ctxData.OrgID)
-}
-func (repo *PolicyRepo) UpdatePasswordAgePolicy(ctx context.Context, policy *pol_model.PasswordAgePolicy) (*pol_model.PasswordAgePolicy, error) {
-	return repo.PolicyEvents.UpdatePasswordAgePolicy(ctx, policy)
-}
-func (repo *PolicyRepo) CreatePasswordLockoutPolicy(ctx context.Context, policy *pol_model.PasswordLockoutPolicy) (*pol_model.PasswordLockoutPolicy, error) {
-	return repo.PolicyEvents.CreatePasswordLockoutPolicy(ctx, policy)
-}
-func (repo *PolicyRepo) GetPasswordLockoutPolicy(ctx context.Context) (*pol_model.PasswordLockoutPolicy, error) {
-	ctxData := authz.GetCtxData(ctx)
-	return repo.PolicyEvents.GetPasswordLockoutPolicy(ctx, ctxData.OrgID)
-}
-func (repo *PolicyRepo) UpdatePasswordLockoutPolicy(ctx context.Context, policy *pol_model.PasswordLockoutPolicy) (*pol_model.PasswordLockoutPolicy, error) {
-	return repo.PolicyEvents.UpdatePasswordLockoutPolicy(ctx, policy)
-}

internal/management/repository/eventsourcing/eventstore/user.go

@@ -5,6 +5,7 @@ import (
 	es_int "github.com/caos/zitadel/internal/eventstore"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	es_sdk "github.com/caos/zitadel/internal/eventstore/sdk"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/view/model"
 	usr_grant_event "github.com/caos/zitadel/internal/usergrant/repository/eventsourcing"
 
 	"github.com/caos/logging"
@@ -15,7 +16,6 @@ import (
 	"github.com/caos/zitadel/internal/management/repository/eventsourcing/view"
 	global_model "github.com/caos/zitadel/internal/model"
 	org_event "github.com/caos/zitadel/internal/org/repository/eventsourcing"
-	policy_event "github.com/caos/zitadel/internal/policy/repository/eventsourcing"
 	usr_model "github.com/caos/zitadel/internal/user/model"
 	usr_event "github.com/caos/zitadel/internal/user/repository/eventsourcing"
 	"github.com/caos/zitadel/internal/user/repository/view/model"
@@ -26,7 +26,6 @@ type UserRepo struct {
 	es_int.Eventstore
 	SearchLimit     uint64
 	UserEvents      *usr_event.UserEventstore
-	PolicyEvents    *policy_event.PolicyEventstore
 	OrgEvents       *org_event.OrgEventstore
 	UserGrantEvents *usr_grant_event.UserGrantEventStore
 	View            *view.View
@@ -62,15 +61,23 @@ func (repo *UserRepo) UserByID(ctx context.Context, id string) (*usr_model.UserV
 }
 
 func (repo *UserRepo) CreateUser(ctx context.Context, user *usr_model.User) (*usr_model.User, error) {
-	pwPolicy, err := repo.PolicyEvents.GetPasswordComplexityPolicy(ctx, authz.GetCtxData(ctx).OrgID)
+	pwPolicy, err := repo.View.PasswordComplexityPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
+	if err != nil && caos_errs.IsNotFound(err) {
+		pwPolicy, err = repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
+	}
 	if err != nil {
 		return nil, err
 	}
-	orgPolicy, err := repo.OrgEvents.GetOrgIAMPolicy(ctx, authz.GetCtxData(ctx).OrgID)
+	pwPolicyView := iam_es_model.PasswordComplexityViewToModel(pwPolicy)
+	orgPolicy, err := repo.View.OrgIAMPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
+	if err != nil && errors.IsNotFound(err) {
+		orgPolicy, err = repo.View.OrgIAMPolicyByAggregateID(repo.SystemDefaults.IamID)
+	}
 	if err != nil {
 		return nil, err
 	}
-	return repo.UserEvents.CreateUser(ctx, user, pwPolicy, orgPolicy)
+	orgPolicyView := iam_es_model.OrgIAMViewToModel(orgPolicy)
+	return repo.UserEvents.CreateUser(ctx, user, pwPolicyView, orgPolicyView)
 }
 
 func (repo *UserRepo) RegisterUser(ctx context.Context, user *usr_model.User, resourceOwner string) (*usr_model.User, error) {
@@ -78,15 +85,23 @@ func (repo *UserRepo) RegisterUser(ctx context.Context, user *usr_model.User, re
 	if resourceOwner != "" {
 		policyResourceOwner = resourceOwner
 	}
-	pwPolicy, err := repo.PolicyEvents.GetPasswordComplexityPolicy(ctx, policyResourceOwner)
+	pwPolicy, err := repo.View.PasswordComplexityPolicyByAggregateID(policyResourceOwner)
+	if err != nil && caos_errs.IsNotFound(err) {
+		pwPolicy, err = repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
+	}
 	if err != nil {
 		return nil, err
 	}
-	orgPolicy, err := repo.OrgEvents.GetOrgIAMPolicy(ctx, authz.GetCtxData(ctx).OrgID)
+	pwPolicyView := iam_es_model.PasswordComplexityViewToModel(pwPolicy)
+	orgPolicy, err := repo.View.OrgIAMPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
+	if err != nil && errors.IsNotFound(err) {
+		orgPolicy, err = repo.View.OrgIAMPolicyByAggregateID(repo.SystemDefaults.IamID)
+	}
 	if err != nil {
 		return nil, err
 	}
-	return repo.UserEvents.RegisterUser(ctx, user, pwPolicy, orgPolicy, resourceOwner)
+	orgPolicyView := iam_es_model.OrgIAMViewToModel(orgPolicy)
+	return repo.UserEvents.RegisterUser(ctx, user, pwPolicyView, orgPolicyView, resourceOwner)
 }
 
 func (repo *UserRepo) DeactivateUser(ctx context.Context, id string) (*usr_model.User, error) {
@@ -107,11 +122,15 @@ func (repo *UserRepo) UnlockUser(ctx context.Context, id string) (*usr_model.Use
 
 func (repo *UserRepo) RemoveUser(ctx context.Context, id string) error {
 	aggregates := make([]*es_models.Aggregate, 0)
-	orgPolicy, err := repo.OrgEvents.GetOrgIAMPolicy(ctx, authz.GetCtxData(ctx).OrgID)
+	orgPolicy, err := repo.View.OrgIAMPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
+	if err != nil && errors.IsNotFound(err) {
+		orgPolicy, err = repo.View.OrgIAMPolicyByAggregateID(repo.SystemDefaults.IamID)
+	}
 	if err != nil {
 		return err
 	}
-	user, agg, err := repo.UserEvents.PrepareRemoveUser(ctx, id, orgPolicy)
+	orgPolicyView := iam_es_model.OrgIAMViewToModel(orgPolicy)
+	user, agg, err := repo.UserEvents.PrepareRemoveUser(ctx, id, orgPolicyView)
 	if err != nil {
 		return err
 	}
@@ -198,11 +217,15 @@ func (repo *UserRepo) UserMfas(ctx context.Context, userID string) ([]*usr_model
 }
 
 func (repo *UserRepo) SetOneTimePassword(ctx context.Context, password *usr_model.Password) (*usr_model.Password, error) {
-	policy, err := repo.PolicyEvents.GetPasswordComplexityPolicy(ctx, authz.GetCtxData(ctx).OrgID)
+	policy, err := repo.View.PasswordComplexityPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
+	if err != nil && caos_errs.IsNotFound(err) {
+		policy, err = repo.View.PasswordComplexityPolicyByAggregateID(repo.SystemDefaults.IamID)
+	}
 	if err != nil {
 		return nil, err
 	}
-	return repo.UserEvents.SetOneTimePassword(ctx, policy, password)
+	pwPolicyView := iam_es_model.PasswordComplexityViewToModel(policy)
+	return repo.UserEvents.SetOneTimePassword(ctx, pwPolicyView, password)
 }
 
 func (repo *UserRepo) RequestSetPassword(ctx context.Context, id string, notifyType usr_model.NotificationType) error {
@@ -291,11 +314,15 @@ func (repo *UserRepo) ChangeProfile(ctx context.Context, profile *usr_model.Prof
 }
 
 func (repo *UserRepo) ChangeUsername(ctx context.Context, userID, userName string) error {
-	orgPolicy, err := repo.OrgEvents.GetOrgIAMPolicy(ctx, authz.GetCtxData(ctx).OrgID)
+	orgPolicy, err := repo.View.OrgIAMPolicyByAggregateID(authz.GetCtxData(ctx).OrgID)
+	if err != nil && errors.IsNotFound(err) {
+		orgPolicy, err = repo.View.OrgIAMPolicyByAggregateID(repo.SystemDefaults.IamID)
+	}
 	if err != nil {
 		return err
 	}
-	return repo.UserEvents.ChangeUsername(ctx, userID, userName, orgPolicy)
+	orgPolicyView := iam_es_model.OrgIAMViewToModel(orgPolicy)
+	return repo.UserEvents.ChangeUsername(ctx, userID, userName, orgPolicyView)
 }
 
 func (repo *UserRepo) EmailByID(ctx context.Context, userID string) (*usr_model.Email, error) {

internal/management/repository/eventsourcing/handler/handler.go

@@ -36,23 +36,39 @@ type EventstoreRepos struct {
 
 func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, eventstore eventstore.Eventstore, repos EventstoreRepos, defaults systemdefaults.SystemDefaults) []query.Handler {
 	return []query.Handler{
-		&Project{handler: handler{view, bulkLimit, configs.cycleDuration("Project"), errorCount}, eventstore: eventstore},
-		&ProjectGrant{handler: handler{view, bulkLimit, configs.cycleDuration("ProjectGrant"), errorCount}, eventstore: eventstore, projectEvents: repos.ProjectEvents, orgEvents: repos.OrgEvents},
-		&ProjectRole{handler: handler{view, bulkLimit, configs.cycleDuration("ProjectRole"), errorCount}, projectEvents: repos.ProjectEvents},
-		&ProjectMember{handler: handler{view, bulkLimit, configs.cycleDuration("ProjectMember"), errorCount}, userEvents: repos.UserEvents},
-		&ProjectGrantMember{handler: handler{view, bulkLimit, configs.cycleDuration("ProjectGrantMember"), errorCount}, userEvents: repos.UserEvents},
-		&Application{handler: handler{view, bulkLimit, configs.cycleDuration("Application"), errorCount}, projectEvents: repos.ProjectEvents},
-		&User{handler: handler{view, bulkLimit, configs.cycleDuration("User"), errorCount}, eventstore: eventstore, orgEvents: repos.OrgEvents},
-		&UserGrant{handler: handler{view, bulkLimit, configs.cycleDuration("UserGrant"), errorCount}, projectEvents: repos.ProjectEvents, userEvents: repos.UserEvents, orgEvents: repos.OrgEvents},
+		&Project{handler: handler{view, bulkLimit, configs.cycleDuration("Project"), errorCount},
+			eventstore: eventstore},
+		&ProjectGrant{handler: handler{view, bulkLimit, configs.cycleDuration("ProjectGrant"), errorCount},
+			eventstore: eventstore, projectEvents: repos.ProjectEvents, orgEvents: repos.OrgEvents},
+		&ProjectRole{handler: handler{view, bulkLimit, configs.cycleDuration("ProjectRole"), errorCount},
+			projectEvents: repos.ProjectEvents},
+		&ProjectMember{handler: handler{view, bulkLimit, configs.cycleDuration("ProjectMember"), errorCount},
+			userEvents: repos.UserEvents},
+		&ProjectGrantMember{handler: handler{view, bulkLimit, configs.cycleDuration("ProjectGrantMember"), errorCount},
+			userEvents: repos.UserEvents},
+		&Application{handler: handler{view, bulkLimit, configs.cycleDuration("Application"), errorCount},
+			projectEvents: repos.ProjectEvents},
+		&User{handler: handler{view, bulkLimit, configs.cycleDuration("User"), errorCount},
+			eventstore: eventstore, orgEvents: repos.OrgEvents, iamEvents: repos.IamEvents, iamID: defaults.IamID},
+		&UserGrant{handler: handler{view, bulkLimit, configs.cycleDuration("UserGrant"), errorCount},
+			projectEvents: repos.ProjectEvents, userEvents: repos.UserEvents, orgEvents: repos.OrgEvents},
 		&Org{handler: handler{view, bulkLimit, configs.cycleDuration("Org"), errorCount}},
-		&OrgMember{handler: handler{view, bulkLimit, configs.cycleDuration("OrgMember"), errorCount}, userEvents: repos.UserEvents},
+		&OrgMember{handler: handler{view, bulkLimit, configs.cycleDuration("OrgMember"), errorCount},
+			userEvents: repos.UserEvents},
 		&OrgDomain{handler: handler{view, bulkLimit, configs.cycleDuration("OrgDomain"), errorCount}},
-		&UserMembership{handler: handler{view, bulkLimit, configs.cycleDuration("UserMembership"), errorCount}, orgEvents: repos.OrgEvents, projectEvents: repos.ProjectEvents},
+		&UserMembership{handler: handler{view, bulkLimit, configs.cycleDuration("UserMembership"), errorCount},
+			orgEvents: repos.OrgEvents, projectEvents: repos.ProjectEvents},
 		&MachineKeys{handler: handler{view, bulkLimit, configs.cycleDuration("MachineKeys"), errorCount}},
 		&IDPConfig{handler: handler{view, bulkLimit, configs.cycleDuration("IDPConfig"), errorCount}},
 		&LoginPolicy{handler: handler{view, bulkLimit, configs.cycleDuration("LoginPolicy"), errorCount}},
-		&IDPProvider{handler: handler{view, bulkLimit, configs.cycleDuration("IDPProvider"), errorCount}, systemDefaults: defaults, iamEvents: repos.IamEvents, orgEvents: repos.OrgEvents},
-		&ExternalIDP{handler: handler{view, bulkLimit, configs.cycleDuration("ExternalIDP"), errorCount}, systemDefaults: defaults, iamEvents: repos.IamEvents, orgEvents: repos.OrgEvents},
+		&IDPProvider{handler: handler{view, bulkLimit, configs.cycleDuration("IDPProvider"), errorCount},
+			systemDefaults: defaults, iamEvents: repos.IamEvents, orgEvents: repos.OrgEvents},
+		&ExternalIDP{handler: handler{view, bulkLimit, configs.cycleDuration("ExternalIDP"), errorCount},
+			systemDefaults: defaults, iamEvents: repos.IamEvents, orgEvents: repos.OrgEvents},
+		&PasswordComplexityPolicy{handler: handler{view, bulkLimit, configs.cycleDuration("PasswordComplexityPolicy"), errorCount}},
+		&PasswordAgePolicy{handler: handler{view, bulkLimit, configs.cycleDuration("PasswordAgePolicy"), errorCount}},
+		&PasswordLockoutPolicy{handler: handler{view, bulkLimit, configs.cycleDuration("PasswordLockoutPolicy"), errorCount}},
+		&OrgIAMPolicy{handler: handler{view, bulkLimit, configs.cycleDuration("OrgIAMPolicy"), errorCount}},
 	}
 }