feat: policies on aggregates (#799)

* feat: move pw policy * feat: default pw complexity policy * fix: org password complexity policy * fix: org password complexity policy * fix: pw complexity policy with setup * fix: age and lockout policies on aggregates * fix: migration * fix: org iam policy * fix: org iam policy * fix: org iam policy * fix: tests * fix: policy request * fix: merge master * fix(console): policies frontend (#817) * fix policy build * fix: age, complexity, lockout policies * fix: ready return err of setup not done * fix: fix remove policies in spoolers * fix: fix remove policies in spoolers * feat(console): policy settings for iam and org (#824) * fix policy build * fix: age, complexity, lockout policies * fix pwd complexity * policy remove action * add imports * fix accounts card, enable mgmt login policy * lint * add iam policy to admin * toasts, i18n, show default * routing, i18n * reset policy, toast i18n, cleanup, routing * policy delete permission * lint style * delete iam policy * delete non project from grid list, i18n * lint ts, style * fix: remove instead delete * feat(console): delete external idp from user (#835) * dialog i18n, delete column and function * dialog i18n * fix rm button * Update console/src/assets/i18n/de.json Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update console/src/assets/i18n/de.json Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * fix: revert env, rename policy, remove comments * fix: lowercase sich * fix: pr requests * Update internal/iam/repository/eventsourcing/eventstore_test.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: tests * fix: tests * fix(console): policies (#839) * fix: nil pointer on get userdata (#815) * fix: external login (#818) * fix: external login * fix: external login * feat(console): delete user (#819) * add action col to user table, i18n * delete user from detail component * lint * fix(console): cleanup user detail and member components, user/me redirect, permission guards, filter, org policy guard, user table, scss cleanup (#808) * fix: remove user.write guard for filtering * border color * fix user routing from member tables * idp detail layout * generic contact component * fix redirect to auth user, user grant disable * disable policy action without permission, i18n * user-create flex fix, contact ng-content * rm unused styles * sidenav divider * lint * chore(deps-dev): bump @angular/cli from 10.1.3 to 10.1.4 in /console (#806) * fix: user session with external login (#797) * fix: user session with external login * fix: tests * fix: tests * fix: change idp config name * fix(container): stop copying / and instead only copy zitadel (#691) * chore: stop copying / and instead only copy zitadel * Update Dockerfile * Update release.yml * enable anchors debug * fix(container): don't copy alpine content into scratch execpt pwd * chore: remove need step * merge master * chore(deps-dev): bump @angular/cli from 10.1.3 to 10.1.4 in /console Bumps [@angular/cli](https://github.com/angular/angular-cli) from 10.1.3 to 10.1.4. - [Release notes](https://github.com/angular/angular-cli/releases) - [Commits](https://github.com/angular/angular-cli/compare/v10.1.3...v10.1.4) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump @angular/language-service from 10.1.3 to 10.1.4 in /console (#805) * fix: user session with external login (#797) * fix: user session with external login * fix: tests * fix: tests * fix: change idp config name * fix(container): stop copying / and instead only copy zitadel (#691) * chore: stop copying / and instead only copy zitadel * Update Dockerfile * Update release.yml * enable anchors debug * fix(container): don't copy alpine content into scratch execpt pwd * chore: remove need step * merge master * chore(deps-dev): bump @angular/language-service in /console Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 10.1.3 to 10.1.4. - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/10.1.4/packages/language-service) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump codelyzer from 6.0.0 to 6.0.1 in /console (#804) * fix: user session with external login (#797) * fix: user session with external login * fix: tests * fix: tests * fix: change idp config name * fix(container): stop copying / and instead only copy zitadel (#691) * chore: stop copying / and instead only copy zitadel * Update Dockerfile * Update release.yml * enable anchors debug * fix(container): don't copy alpine content into scratch execpt pwd * chore: remove need step * merge master * chore(deps-dev): bump codelyzer from 6.0.0 to 6.0.1 in /console Bumps [codelyzer](https://github.com/mgechev/codelyzer) from 6.0.0 to 6.0.1. - [Release notes](https://github.com/mgechev/codelyzer/releases) - [Changelog](https://github.com/mgechev/codelyzer/blob/master/CHANGELOG.md) - [Commits](https://github.com/mgechev/codelyzer/commits/6.0.1) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump @angular-devkit/build-angular from 0.1000.8 to 0.1001.4 in /console (#803) * fix: user session with external login (#797) * fix: user session with external login * fix: tests * fix: tests * fix: change idp config name * fix(container): stop copying / and instead only copy zitadel (#691) * chore: stop copying / and instead only copy zitadel * Update Dockerfile * Update release.yml * enable anchors debug * fix(container): don't copy alpine content into scratch execpt pwd * chore: remove need step * merge master * chore(deps-dev): bump @angular-devkit/build-angular in /console Bumps [@angular-devkit/build-angular](https://github.com/angular/angular-cli) from 0.1000.8 to 0.1001.4. - [Release notes](https://github.com/angular/angular-cli/releases) - [Commits](https://github.com/angular/angular-cli/commits) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Max Peintner <max@caos.ch> * chore(deps): bump uuid from 8.3.0 to 8.3.1 in /console (#802) * fix: user session with external login (#797) * fix: user session with external login * fix: tests * fix: tests * fix: change idp config name * fix(container): stop copying / and instead only copy zitadel (#691) * chore: stop copying / and instead only copy zitadel * Update Dockerfile * Update release.yml * enable anchors debug * fix(container): don't copy alpine content into scratch execpt pwd * chore: remove need step * merge master * chore(deps): bump uuid from 8.3.0 to 8.3.1 in /console Bumps [uuid](https://github.com/uuidjs/uuid) from 8.3.0 to 8.3.1. - [Release notes](https://github.com/uuidjs/uuid/releases) - [Changelog](https://github.com/uuidjs/uuid/blob/master/CHANGELOG.md) - [Commits](https://github.com/uuidjs/uuid/compare/v8.3.0...v8.3.1) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * create memberstable as common component * iam member cleanup * iam + org m table, user table service user avatar * toast config * fix selection emitter * fix project grant table width * project grant members refactor * theme optimizations * member table col delete * lint * fix table row color * refactor grey color * lint scss * org list redirect on click, fix user table undef * refresh table after grant add Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> * fix(console): intercept navigator.language, set browser lang as default for user without explicit setting, user table outline, member create dialog import (#820) * i18n interceptor, set language to browser lang * nullcheck * rm external idp log * fix module imports, rm user displayname from i18n * Update console/src/assets/i18n/de.json Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * fix: delete external idps from users (#822) * fix(console): permission regex, account switcher null check, restrict app and member create access (#821) * fix member table disable, gerneal regexp * fix user session card, app disable * memberships max count * fix policy permissions * permission check for member add dialog * lint * rm accounts log * rm id regex * fix: handle usermemberships on project and project grant delete (#825) * fix: go handler Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> * fix: tests * fix: not needed error handling Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch>
2025-08-12 03:57:32 +00:00 · 2020-10-15 10:27:13 +02:00
parent adb24a52fc
commit fbb30840f1
248 changed files with 23960 additions and 13843 deletions
--- a/internal/api/grpc/management/login_policy.go
+++ b/internal/api/grpc/management/login_policy.go
@@ -14,16 +14,24 @@ func (s *Server) GetLoginPolicy(ctx context.Context, _ *empty.Empty) (*managemen
 	return loginPolicyViewFromModel(result), nil
 }

-func (s *Server) CreateLoginPolicy(ctx context.Context, policy *management.LoginPolicyAdd) (*management.LoginPolicy, error) {
-	result, err := s.org.AddLoginPolicy(ctx, loginPolicyAddToModel(policy))
+func (s *Server) GetDefaultLoginPolicy(ctx context.Context, _ *empty.Empty) (*management.LoginPolicyView, error) {
+	result, err := s.org.GetDefaultLoginPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return loginPolicyViewFromModel(result), nil
+}
+
+func (s *Server) CreateLoginPolicy(ctx context.Context, policy *management.LoginPolicyRequest) (*management.LoginPolicy, error) {
+	result, err := s.org.AddLoginPolicy(ctx, loginPolicyRequestToModel(policy))
 	if err != nil {
 		return nil, err
 	}
 	return loginPolicyFromModel(result), nil
 }

-func (s *Server) UpdateLoginPolicy(ctx context.Context, policy *management.LoginPolicy) (*management.LoginPolicy, error) {
-	result, err := s.org.ChangeLoginPolicy(ctx, loginPolicyToModel(policy))
+func (s *Server) UpdateLoginPolicy(ctx context.Context, policy *management.LoginPolicyRequest) (*management.LoginPolicy, error) {
+	result, err := s.org.ChangeLoginPolicy(ctx, loginPolicyRequestToModel(policy))
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/login_policy_converter.go
+++ b/internal/api/grpc/management/login_policy_converter.go
@@ -1,18 +1,13 @@
 package management

 import (
+	"github.com/caos/logging"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/golang/protobuf/ptypes"
 )

-func loginPolicyAddToModel(policy *management.LoginPolicyAdd) *iam_model.LoginPolicy {
-	return &iam_model.LoginPolicy{
-		AllowUsernamePassword: policy.AllowUsernamePassword,
-		AllowExternalIdp:      policy.AllowExternalIdp,
-		AllowRegister:         policy.AllowRegister,
-	}
-}
-func loginPolicyToModel(policy *management.LoginPolicy) *iam_model.LoginPolicy {
+func loginPolicyRequestToModel(policy *management.LoginPolicyRequest) *iam_model.LoginPolicy {
 	return &iam_model.LoginPolicy{
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIdp,
@@ -21,19 +16,35 @@ func loginPolicyToModel(policy *management.LoginPolicy) *iam_model.LoginPolicy {
 }

 func loginPolicyFromModel(policy *iam_model.LoginPolicy) *management.LoginPolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-2Fsm8").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-3Flo0").OnError(err).Debug("date parse failed")
+
 	return &management.LoginPolicy{
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIdp,
 		AllowRegister:         policy.AllowRegister,
+		CreationDate:          creationDate,
+		ChangeDate:            changeDate,
 	}
 }

 func loginPolicyViewFromModel(policy *iam_model.LoginPolicyView) *management.LoginPolicyView {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-5Tsm8").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-8dJgs").OnError(err).Debug("date parse failed")
+
 	return &management.LoginPolicyView{
 		Default:               policy.Default,
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIDP,
 		AllowRegister:         policy.AllowRegister,
+		CreationDate:          creationDate,
+		ChangeDate:            changeDate,
 	}
 }

--- a/internal/api/grpc/management/org.go
+++ b/internal/api/grpc/management/org.go
@@ -98,10 +98,10 @@ func (s *Server) OrgChanges(ctx context.Context, changesRequest *management.Chan
 	return orgChangesToResponse(response, changesRequest.GetSequenceOffset(), changesRequest.GetLimit()), nil
 }

-func (s *Server) GetMyOrgIamPolicy(ctx context.Context, _ *empty.Empty) (_ *management.OrgIamPolicy, err error) {
+func (s *Server) GetMyOrgIamPolicy(ctx context.Context, _ *empty.Empty) (_ *management.OrgIamPolicyView, err error) {
 	policy, err := s.org.GetMyOrgIamPolicy(ctx)
 	if err != nil {
 		return nil, err
 	}
-	return orgIamPolicyFromModel(policy), err
+	return orgIamPolicyViewFromModel(policy), err
 }
--- a/internal/api/grpc/management/org_converter.go
+++ b/internal/api/grpc/management/org_converter.go
@@ -2,6 +2,7 @@ package management

 import (
 	"encoding/json"
+	iam_model "github.com/caos/zitadel/internal/iam/model"

 	"github.com/caos/logging"
 	"github.com/golang/protobuf/ptypes"
@@ -227,10 +228,8 @@ func orgChangesToMgtAPI(changes *org_model.OrgChanges) (_ []*management.Change)
 	return result
 }

-func orgIamPolicyFromModel(policy *org_model.OrgIAMPolicy) *management.OrgIamPolicy {
-	return &management.OrgIamPolicy{
-		OrgId:                 policy.AggregateID,
-		Description:           policy.Description,
+func orgIamPolicyViewFromModel(policy *iam_model.OrgIAMPolicyView) *management.OrgIamPolicyView {
+	return &management.OrgIamPolicyView{
 		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
 		Default:               policy.Default,
 	}
--- a/internal/api/grpc/management/password_age_policy.go
+++ b/internal/api/grpc/management/password_age_policy.go
@@ -0,0 +1,44 @@
+package management
+
+import (
+	"context"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetPasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordAgePolicyView, error) {
+	result, err := s.org.GetPasswordAgePolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return passwordAgePolicyViewFromModel(result), nil
+}
+
+func (s *Server) GetDefaultPasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordAgePolicyView, error) {
+	result, err := s.org.GetDefaultPasswordAgePolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return passwordAgePolicyViewFromModel(result), nil
+}
+
+func (s *Server) CreatePasswordAgePolicy(ctx context.Context, policy *management.PasswordAgePolicyRequest) (*management.PasswordAgePolicy, error) {
+	result, err := s.org.AddPasswordAgePolicy(ctx, passwordAgePolicyRequestToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+	return passwordAgePolicyFromModel(result), nil
+}
+
+func (s *Server) UpdatePasswordAgePolicy(ctx context.Context, policy *management.PasswordAgePolicyRequest) (*management.PasswordAgePolicy, error) {
+	result, err := s.org.ChangePasswordAgePolicy(ctx, passwordAgePolicyRequestToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+	return passwordAgePolicyFromModel(result), nil
+}
+
+func (s *Server) RemovePasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
+	err := s.org.RemovePasswordAgePolicy(ctx)
+	return &empty.Empty{}, err
+}
--- a/internal/api/grpc/management/password_age_policy_converter.go
+++ b/internal/api/grpc/management/password_age_policy_converter.go
@@ -0,0 +1,46 @@
+package management
+
+import (
+	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/golang/protobuf/ptypes"
+)
+
+func passwordAgePolicyRequestToModel(policy *management.PasswordAgePolicyRequest) *iam_model.PasswordAgePolicy {
+	return &iam_model.PasswordAgePolicy{
+		MaxAgeDays:     policy.MaxAgeDays,
+		ExpireWarnDays: policy.ExpireWarnDays,
+	}
+}
+
+func passwordAgePolicyFromModel(policy *iam_model.PasswordAgePolicy) *management.PasswordAgePolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-bMd9o").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-jFs89").OnError(err).Debug("date parse failed")
+
+	return &management.PasswordAgePolicy{
+		MaxAgeDays:     policy.MaxAgeDays,
+		ExpireWarnDays: policy.ExpireWarnDays,
+		CreationDate:   changeDate,
+		ChangeDate:     creationDate,
+	}
+}
+
+func passwordAgePolicyViewFromModel(policy *iam_model.PasswordAgePolicyView) *management.PasswordAgePolicyView {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-4Bms9").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-6Hmlo").OnError(err).Debug("date parse failed")
+
+	return &management.PasswordAgePolicyView{
+		Default:        policy.Default,
+		MaxAgeDays:     policy.MaxAgeDays,
+		ExpireWarnDays: policy.ExpireWarnDays,
+		ChangeDate:     changeDate,
+		CreationDate:   creationDate,
+	}
+}
--- a/internal/api/grpc/management/password_complexity_policy.go
+++ b/internal/api/grpc/management/password_complexity_policy.go
@@ -0,0 +1,44 @@
+package management
+
+import (
+	"context"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordComplexityPolicyView, error) {
+	result, err := s.org.GetPasswordComplexityPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return passwordComplexityPolicyViewFromModel(result), nil
+}
+
+func (s *Server) GetDefaultPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordComplexityPolicyView, error) {
+	result, err := s.org.GetDefaultPasswordComplexityPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return passwordComplexityPolicyViewFromModel(result), nil
+}
+
+func (s *Server) CreatePasswordComplexityPolicy(ctx context.Context, policy *management.PasswordComplexityPolicyRequest) (*management.PasswordComplexityPolicy, error) {
+	result, err := s.org.AddPasswordComplexityPolicy(ctx, passwordComplexityPolicyRequestToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+	return passwordComplexityPolicyFromModel(result), nil
+}
+
+func (s *Server) UpdatePasswordComplexityPolicy(ctx context.Context, policy *management.PasswordComplexityPolicyRequest) (*management.PasswordComplexityPolicy, error) {
+	result, err := s.org.ChangePasswordComplexityPolicy(ctx, passwordComplexityPolicyRequestToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+	return passwordComplexityPolicyFromModel(result), nil
+}
+
+func (s *Server) RemovePasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
+	err := s.org.RemovePasswordComplexityPolicy(ctx)
+	return &empty.Empty{}, err
+}
--- a/internal/api/grpc/management/password_complexity_policy_converter.go
+++ b/internal/api/grpc/management/password_complexity_policy_converter.go
@@ -0,0 +1,55 @@
+package management
+
+import (
+	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/golang/protobuf/ptypes"
+)
+
+func passwordComplexityPolicyRequestToModel(policy *management.PasswordComplexityPolicyRequest) *iam_model.PasswordComplexityPolicy {
+	return &iam_model.PasswordComplexityPolicy{
+		MinLength:    policy.MinLength,
+		HasLowercase: policy.HasLowercase,
+		HasUppercase: policy.HasUppercase,
+		HasSymbol:    policy.HasSymbol,
+		HasNumber:    policy.HasNumber,
+	}
+}
+
+func passwordComplexityPolicyFromModel(policy *iam_model.PasswordComplexityPolicy) *management.PasswordComplexityPolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-5Gslo").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-Bmd9e").OnError(err).Debug("date parse failed")
+
+	return &management.PasswordComplexityPolicy{
+		MinLength:    policy.MinLength,
+		HasLowercase: policy.HasLowercase,
+		HasUppercase: policy.HasUppercase,
+		HasSymbol:    policy.HasSymbol,
+		HasNumber:    policy.HasNumber,
+		CreationDate: changeDate,
+		ChangeDate:   creationDate,
+	}
+}
+
+func passwordComplexityPolicyViewFromModel(policy *iam_model.PasswordComplexityPolicyView) *management.PasswordComplexityPolicyView {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-wmi8f").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-dmOp0").OnError(err).Debug("date parse failed")
+
+	return &management.PasswordComplexityPolicyView{
+		Default:      policy.Default,
+		MinLength:    policy.MinLength,
+		HasLowercase: policy.HasLowercase,
+		HasUppercase: policy.HasUppercase,
+		HasSymbol:    policy.HasSymbol,
+		HasNumber:    policy.HasNumber,
+		CreationDate: changeDate,
+		ChangeDate:   creationDate,
+	}
+}
--- a/internal/api/grpc/management/password_lockout_policy.go
+++ b/internal/api/grpc/management/password_lockout_policy.go
@@ -0,0 +1,44 @@
+package management
+
+import (
+	"context"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetPasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordLockoutPolicyView, error) {
+	result, err := s.org.GetPasswordLockoutPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return passwordLockoutPolicyViewFromModel(result), nil
+}
+
+func (s *Server) GetDefaultPasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordLockoutPolicyView, error) {
+	result, err := s.org.GetDefaultPasswordLockoutPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return passwordLockoutPolicyViewFromModel(result), nil
+}
+
+func (s *Server) CreatePasswordLockoutPolicy(ctx context.Context, policy *management.PasswordLockoutPolicyRequest) (*management.PasswordLockoutPolicy, error) {
+	result, err := s.org.AddPasswordLockoutPolicy(ctx, passwordLockoutPolicyRequestToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+	return passwordLockoutPolicyFromModel(result), nil
+}
+
+func (s *Server) UpdatePasswordLockoutPolicy(ctx context.Context, policy *management.PasswordLockoutPolicyRequest) (*management.PasswordLockoutPolicy, error) {
+	result, err := s.org.ChangePasswordLockoutPolicy(ctx, passwordLockoutPolicyRequestToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+	return passwordLockoutPolicyFromModel(result), nil
+}
+
+func (s *Server) RemovePasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
+	err := s.org.RemovePasswordLockoutPolicy(ctx)
+	return &empty.Empty{}, err
+}
--- a/internal/api/grpc/management/password_lockout_policy_converter.go
+++ b/internal/api/grpc/management/password_lockout_policy_converter.go
@@ -0,0 +1,46 @@
+package management
+
+import (
+	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/golang/protobuf/ptypes"
+)
+
+func passwordLockoutPolicyRequestToModel(policy *management.PasswordLockoutPolicyRequest) *iam_model.PasswordLockoutPolicy {
+	return &iam_model.PasswordLockoutPolicy{
+		MaxAttempts:         policy.MaxAttempts,
+		ShowLockOutFailures: policy.ShowLockoutFailure,
+	}
+}
+
+func passwordLockoutPolicyFromModel(policy *iam_model.PasswordLockoutPolicy) *management.PasswordLockoutPolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-bMd9o").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-jFs89").OnError(err).Debug("date parse failed")
+
+	return &management.PasswordLockoutPolicy{
+		MaxAttempts:        policy.MaxAttempts,
+		ShowLockoutFailure: policy.ShowLockOutFailures,
+		CreationDate:       changeDate,
+		ChangeDate:         creationDate,
+	}
+}
+
+func passwordLockoutPolicyViewFromModel(policy *iam_model.PasswordLockoutPolicyView) *management.PasswordLockoutPolicyView {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-4Bms9").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-6Hmlo").OnError(err).Debug("date parse failed")
+
+	return &management.PasswordLockoutPolicyView{
+		Default:            policy.Default,
+		MaxAttempts:        policy.MaxAttempts,
+		ShowLockoutFailure: policy.ShowLockOutFailures,
+		ChangeDate:         changeDate,
+		CreationDate:       creationDate,
+	}
+}
--- a/internal/api/grpc/management/policy.go
+++ b/internal/api/grpc/management/policy.go
@@ -1,112 +0,0 @@
-package management
-
-import (
-	"context"
-
-	"github.com/golang/protobuf/ptypes/empty"
-
-	"github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/pkg/grpc/management"
-)
-
-func (s *Server) CreatePasswordComplexityPolicy(ctx context.Context, policy *management.PasswordComplexityPolicyCreate) (*management.PasswordComplexityPolicy, error) {
-	policyresp, err := s.policy.CreatePasswordComplexityPolicy(ctx, passwordComplexityPolicyCreateToModel(policy))
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordComplexityPolicyFromModel(policyresp), nil
-}
-
-func (s *Server) GetPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordComplexityPolicy, error) {
-	policy, err := s.policy.GetPasswordComplexityPolicy(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordComplexityPolicyFromModel(policy), nil
-}
-
-func (s *Server) GetDefaultPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordComplexityPolicy, error) {
-	policy, err := s.policy.GetDefaultPasswordComplexityPolicy(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordComplexityPolicyFromModel(policy), nil
-}
-
-func (s *Server) UpdatePasswordComplexityPolicy(ctx context.Context, policy *management.PasswordComplexityPolicyUpdate) (*management.PasswordComplexityPolicy, error) {
-	policyresp, err := s.policy.UpdatePasswordComplexityPolicy(ctx, passwordComplexityPolicyUpdateToModel(policy))
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordComplexityPolicyFromModel(policyresp), nil
-}
-
-func (s *Server) DeletePasswordComplexityPolicy(ctx context.Context, ID *management.PasswordComplexityPolicyID) (*empty.Empty, error) {
-	return nil, errors.ThrowUnimplemented(nil, "GRPC-skw3f", "Not implemented")
-}
-
-func (s *Server) CreatePasswordAgePolicy(ctx context.Context, policy *management.PasswordAgePolicyCreate) (*management.PasswordAgePolicy, error) {
-	policyresp, err := s.policy.CreatePasswordAgePolicy(ctx, passwordAgePolicyCreateToModel(policy))
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordAgePolicyFromModel(policyresp), nil
-}
-
-func (s *Server) GetPasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordAgePolicy, error) {
-	policy, err := s.policy.GetPasswordAgePolicy(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordAgePolicyFromModel(policy), nil
-}
-
-func (s *Server) UpdatePasswordAgePolicy(ctx context.Context, policy *management.PasswordAgePolicyUpdate) (*management.PasswordAgePolicy, error) {
-	policyresp, err := s.policy.UpdatePasswordAgePolicy(ctx, passwordAgePolicyUpdateToModel(policy))
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordAgePolicyFromModel(policyresp), nil
-}
-
-func (s *Server) DeletePasswordAgePolicy(ctx context.Context, ID *management.PasswordAgePolicyID) (*empty.Empty, error) {
-	return nil, errors.ThrowUnimplemented(nil, "GRPC-plo67", "Not implemented")
-}
-
-func (s *Server) CreatePasswordLockoutPolicy(ctx context.Context, policy *management.PasswordLockoutPolicyCreate) (*management.PasswordLockoutPolicy, error) {
-	policyresp, err := s.policy.CreatePasswordLockoutPolicy(ctx, passwordLockoutPolicyCreateToModel(policy))
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordLockoutPolicyFromModel(policyresp), nil
-}
-
-func (s *Server) GetPasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordLockoutPolicy, error) {
-	policy, err := s.policy.GetPasswordLockoutPolicy(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordLockoutPolicyFromModel(policy), nil
-}
-
-func (s *Server) UpdatePasswordLockoutPolicy(ctx context.Context, policy *management.PasswordLockoutPolicyUpdate) (*management.PasswordLockoutPolicy, error) {
-	policyresp, err := s.policy.UpdatePasswordLockoutPolicy(ctx, passwordLockoutPolicyUpdateToModel(policy))
-	if err != nil {
-		return nil, err
-	}
-
-	return passwordLockoutPolicyFromModel(policyresp), nil
-}
-
-func (s *Server) DeletePasswordLockoutPolicy(ctx context.Context, ID *management.PasswordLockoutPolicyID) (*empty.Empty, error) {
-	return nil, errors.ThrowUnimplemented(nil, "GRPC-GHkd9", "Not implemented")
-}
--- a/internal/api/grpc/management/policy_age_converter.go
+++ b/internal/api/grpc/management/policy_age_converter.go
@@ -1,68 +0,0 @@
-package management
-
-import (
-	"github.com/caos/logging"
-	"github.com/golang/protobuf/ptypes"
-
-	"github.com/caos/zitadel/internal/eventstore/models"
-	"github.com/caos/zitadel/internal/policy/model"
-	"github.com/caos/zitadel/pkg/grpc/management"
-)
-
-func passwordAgePolicyFromModel(policy *model.PasswordAgePolicy) *management.PasswordAgePolicy {
-	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
-	logging.Log("GRPC-6ILdB").OnError(err).Debug("unable to parse timestamp")
-
-	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
-	logging.Log("GRPC-ngUzJ").OnError(err).Debug("unable to parse timestamp")
-
-	return &management.PasswordAgePolicy{
-		Id:             policy.AggregateID,
-		CreationDate:   creationDate,
-		ChangeDate:     changeDate,
-		Sequence:       policy.Sequence,
-		Description:    policy.Description,
-		ExpireWarnDays: policy.ExpireWarnDays,
-		MaxAgeDays:     policy.MaxAgeDays,
-		IsDefault:      policy.AggregateID == "",
-	}
-}
-
-func passwordAgePolicyToModel(policy *management.PasswordAgePolicy) *model.PasswordAgePolicy {
-	creationDate, err := ptypes.Timestamp(policy.CreationDate)
-	logging.Log("GRPC-2QSfU").OnError(err).Debug("unable to parse timestamp")
-
-	changeDate, err := ptypes.Timestamp(policy.ChangeDate)
-	logging.Log("GRPC-LdU91").OnError(err).Debug("unable to parse timestamp")
-
-	return &model.PasswordAgePolicy{
-		ObjectRoot: models.ObjectRoot{
-			AggregateID:  policy.Id,
-			CreationDate: creationDate,
-			ChangeDate:   changeDate,
-			Sequence:     policy.Sequence,
-		},
-		Description:    policy.Description,
-		ExpireWarnDays: policy.ExpireWarnDays,
-		MaxAgeDays:     policy.MaxAgeDays,
-	}
-}
-
-func passwordAgePolicyCreateToModel(policy *management.PasswordAgePolicyCreate) *model.PasswordAgePolicy {
-	return &model.PasswordAgePolicy{
-		Description:    policy.Description,
-		ExpireWarnDays: policy.ExpireWarnDays,
-		MaxAgeDays:     policy.MaxAgeDays,
-	}
-}
-
-func passwordAgePolicyUpdateToModel(policy *management.PasswordAgePolicyUpdate) *model.PasswordAgePolicy {
-	return &model.PasswordAgePolicy{
-		ObjectRoot: models.ObjectRoot{
-			AggregateID: policy.Id,
-		},
-		Description:    policy.Description,
-		ExpireWarnDays: policy.ExpireWarnDays,
-		MaxAgeDays:     policy.MaxAgeDays,
-	}
-}
--- a/internal/api/grpc/management/policy_complexity_converter.go
+++ b/internal/api/grpc/management/policy_complexity_converter.go
@@ -1,81 +0,0 @@
-package management
-
-import (
-	"github.com/caos/logging"
-
-	"github.com/golang/protobuf/ptypes"
-
-	"github.com/caos/zitadel/internal/eventstore/models"
-	"github.com/caos/zitadel/internal/policy/model"
-	"github.com/caos/zitadel/pkg/grpc/management"
-)
-
-func passwordComplexityPolicyFromModel(policy *model.PasswordComplexityPolicy) *management.PasswordComplexityPolicy {
-	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
-	logging.Log("GRPC-cQRHE").OnError(err).Debug("unable to parse timestamp")
-
-	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
-	logging.Log("GRPC-PVA1c").OnError(err).Debug("unable to parse timestamp")
-
-	return &management.PasswordComplexityPolicy{
-		Id:           policy.AggregateID,
-		CreationDate: creationDate,
-		ChangeDate:   changeDate,
-		Description:  policy.Description,
-		Sequence:     policy.Sequence,
-		MinLength:    policy.MinLength,
-		HasLowercase: policy.HasLowercase,
-		HasUppercase: policy.HasUppercase,
-		HasNumber:    policy.HasNumber,
-		HasSymbol:    policy.HasSymbol,
-		IsDefault:    policy.AggregateID == "",
-	}
-}
-
-func passwordComplexityPolicyToModel(policy *management.PasswordComplexityPolicy) *model.PasswordComplexityPolicy {
-	creationDate, err := ptypes.Timestamp(policy.CreationDate)
-	logging.Log("GRPC-asmEZ").OnError(err).Debug("unable to parse timestamp")
-
-	changeDate, err := ptypes.Timestamp(policy.ChangeDate)
-	logging.Log("GRPC-MCE4o").OnError(err).Debug("unable to parse timestamp")
-
-	return &model.PasswordComplexityPolicy{
-		ObjectRoot: models.ObjectRoot{
-			AggregateID:  policy.Id,
-			CreationDate: creationDate,
-			ChangeDate:   changeDate,
-			Sequence:     policy.Sequence,
-		},
-		Description:  policy.Description,
-		MinLength:    policy.MinLength,
-		HasLowercase: policy.HasLowercase,
-		HasUppercase: policy.HasUppercase,
-		HasNumber:    policy.HasNumber,
-		HasSymbol:    policy.HasSymbol,
-	}
-}
-
-func passwordComplexityPolicyCreateToModel(policy *management.PasswordComplexityPolicyCreate) *model.PasswordComplexityPolicy {
-	return &model.PasswordComplexityPolicy{
-		Description:  policy.Description,
-		MinLength:    policy.MinLength,
-		HasLowercase: policy.HasLowercase,
-		HasUppercase: policy.HasUppercase,
-		HasNumber:    policy.HasNumber,
-		HasSymbol:    policy.HasSymbol,
-	}
-}
-
-func passwordComplexityPolicyUpdateToModel(policy *management.PasswordComplexityPolicyUpdate) *model.PasswordComplexityPolicy {
-	return &model.PasswordComplexityPolicy{
-		ObjectRoot: models.ObjectRoot{
-			AggregateID: policy.Id,
-		},
-		Description:  policy.Description,
-		MinLength:    policy.MinLength,
-		HasLowercase: policy.HasLowercase,
-		HasUppercase: policy.HasUppercase,
-		HasNumber:    policy.HasNumber,
-		HasSymbol:    policy.HasSymbol,
-	}
-}
--- a/internal/api/grpc/management/policy_lockout_converter.go
+++ b/internal/api/grpc/management/policy_lockout_converter.go
@@ -1,70 +0,0 @@
-package management
-
-import (
-	"github.com/caos/logging"
-
-	"github.com/golang/protobuf/ptypes"
-
-	"github.com/caos/zitadel/internal/eventstore/models"
-	"github.com/caos/zitadel/internal/policy/model"
-	"github.com/caos/zitadel/pkg/grpc/management"
-)
-
-func passwordLockoutPolicyFromModel(policy *model.PasswordLockoutPolicy) *management.PasswordLockoutPolicy {
-	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
-	logging.Log("GRPC-JRSbT").OnError(err).Debug("unable to parse timestamp")
-
-	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
-	logging.Log("GRPC-1sizr").OnError(err).Debug("unable to parse timestamp")
-
-	return &management.PasswordLockoutPolicy{
-		Id:                  policy.AggregateID,
-		CreationDate:        creationDate,
-		ChangeDate:          changeDate,
-		Sequence:            policy.Sequence,
-		Description:         policy.Description,
-		MaxAttempts:         policy.MaxAttempts,
-		ShowLockOutFailures: policy.ShowLockOutFailures,
-		IsDefault:           policy.AggregateID == "",
-	}
-}
-
-func passwordLockoutPolicyToModel(policy *management.PasswordLockoutPolicy) *model.PasswordLockoutPolicy {
-	creationDate, err := ptypes.Timestamp(policy.CreationDate)
-	logging.Log("GRPC-8a511").OnError(err).Debug("unable to parse timestamp")
-
-	changeDate, err := ptypes.Timestamp(policy.ChangeDate)
-	logging.Log("GRPC-2rdGv").OnError(err).Debug("unable to parse timestamp")
-
-	return &model.PasswordLockoutPolicy{
-		ObjectRoot: models.ObjectRoot{
-			AggregateID:  policy.Id,
-			CreationDate: creationDate,
-			ChangeDate:   changeDate,
-			Sequence:     policy.Sequence,
-		},
-		Description: policy.Description,
-
-		MaxAttempts:         policy.MaxAttempts,
-		ShowLockOutFailures: policy.ShowLockOutFailures,
-	}
-}
-
-func passwordLockoutPolicyCreateToModel(policy *management.PasswordLockoutPolicyCreate) *model.PasswordLockoutPolicy {
-	return &model.PasswordLockoutPolicy{
-		Description:         policy.Description,
-		MaxAttempts:         policy.MaxAttempts,
-		ShowLockOutFailures: policy.ShowLockOutFailures,
-	}
-}
-
-func passwordLockoutPolicyUpdateToModel(policy *management.PasswordLockoutPolicyUpdate) *model.PasswordLockoutPolicy {
-	return &model.PasswordLockoutPolicy{
-		ObjectRoot: models.ObjectRoot{
-			AggregateID: policy.Id,
-		},
-		Description:         policy.Description,
-		MaxAttempts:         policy.MaxAttempts,
-		ShowLockOutFailures: policy.ShowLockOutFailures,
-	}
-}
--- a/internal/api/grpc/management/server.go
+++ b/internal/api/grpc/management/server.go
@@ -19,7 +19,6 @@ var _ management.ManagementServiceServer = (*Server)(nil)

 type Server struct {
 	project        repository.ProjectRepository
-	policy         repository.PolicyRepository
 	org            repository.OrgRepository
 	user           repository.UserRepository
 	usergrant      repository.UserGrantRepository
@@ -35,7 +34,6 @@ type Config struct {
 func CreateServer(repo repository.Repository, sd systemdefaults.SystemDefaults) *Server {
 	return &Server{
 		project:        repo,
-		policy:         repo,
 		org:            repo,
 		user:           repo,
 		usergrant:      repo,