feat: policies on aggregates (#799)

* feat: move pw policy * feat: default pw complexity policy * fix: org password complexity policy * fix: org password complexity policy * fix: pw complexity policy with setup * fix: age and lockout policies on aggregates * fix: migration * fix: org iam policy * fix: org iam policy * fix: org iam policy * fix: tests * fix: policy request * fix: merge master * fix(console): policies frontend (#817) * fix policy build * fix: age, complexity, lockout policies * fix: ready return err of setup not done * fix: fix remove policies in spoolers * fix: fix remove policies in spoolers * feat(console): policy settings for iam and org (#824) * fix policy build * fix: age, complexity, lockout policies * fix pwd complexity * policy remove action * add imports * fix accounts card, enable mgmt login policy * lint * add iam policy to admin * toasts, i18n, show default * routing, i18n * reset policy, toast i18n, cleanup, routing * policy delete permission * lint style * delete iam policy * delete non project from grid list, i18n * lint ts, style * fix: remove instead delete * feat(console): delete external idp from user (#835) * dialog i18n, delete column and function * dialog i18n * fix rm button * Update console/src/assets/i18n/de.json Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update console/src/assets/i18n/de.json Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * fix: revert env, rename policy, remove comments * fix: lowercase sich * fix: pr requests * Update internal/iam/repository/eventsourcing/eventstore_test.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: tests * fix: tests * fix(console): policies (#839) * fix: nil pointer on get userdata (#815) * fix: external login (#818) * fix: external login * fix: external login * feat(console): delete user (#819) * add action col to user table, i18n * delete user from detail component * lint * fix(console): cleanup user detail and member components, user/me redirect, permission guards, filter, org policy guard, user table, scss cleanup (#808) * fix: remove user.write guard for filtering * border color * fix user routing from member tables * idp detail layout * generic contact component * fix redirect to auth user, user grant disable * disable policy action without permission, i18n * user-create flex fix, contact ng-content * rm unused styles * sidenav divider * lint * chore(deps-dev): bump @angular/cli from 10.1.3 to 10.1.4 in /console (#806) * fix: user session with external login (#797) * fix: user session with external login * fix: tests * fix: tests * fix: change idp config name * fix(container): stop copying / and instead only copy zitadel (#691) * chore: stop copying / and instead only copy zitadel * Update Dockerfile * Update release.yml * enable anchors debug * fix(container): don't copy alpine content into scratch execpt pwd * chore: remove need step * merge master * chore(deps-dev): bump @angular/cli from 10.1.3 to 10.1.4 in /console Bumps [@angular/cli](https://github.com/angular/angular-cli) from 10.1.3 to 10.1.4. - [Release notes](https://github.com/angular/angular-cli/releases) - [Commits](https://github.com/angular/angular-cli/compare/v10.1.3...v10.1.4) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump @angular/language-service from 10.1.3 to 10.1.4 in /console (#805) * fix: user session with external login (#797) * fix: user session with external login * fix: tests * fix: tests * fix: change idp config name * fix(container): stop copying / and instead only copy zitadel (#691) * chore: stop copying / and instead only copy zitadel * Update Dockerfile * Update release.yml * enable anchors debug * fix(container): don't copy alpine content into scratch execpt pwd * chore: remove need step * merge master * chore(deps-dev): bump @angular/language-service in /console Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 10.1.3 to 10.1.4. - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/10.1.4/packages/language-service) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump codelyzer from 6.0.0 to 6.0.1 in /console (#804) * fix: user session with external login (#797) * fix: user session with external login * fix: tests * fix: tests * fix: change idp config name * fix(container): stop copying / and instead only copy zitadel (#691) * chore: stop copying / and instead only copy zitadel * Update Dockerfile * Update release.yml * enable anchors debug * fix(container): don't copy alpine content into scratch execpt pwd * chore: remove need step * merge master * chore(deps-dev): bump codelyzer from 6.0.0 to 6.0.1 in /console Bumps [codelyzer](https://github.com/mgechev/codelyzer) from 6.0.0 to 6.0.1. - [Release notes](https://github.com/mgechev/codelyzer/releases) - [Changelog](https://github.com/mgechev/codelyzer/blob/master/CHANGELOG.md) - [Commits](https://github.com/mgechev/codelyzer/commits/6.0.1) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump @angular-devkit/build-angular from 0.1000.8 to 0.1001.4 in /console (#803) * fix: user session with external login (#797) * fix: user session with external login * fix: tests * fix: tests * fix: change idp config name * fix(container): stop copying / and instead only copy zitadel (#691) * chore: stop copying / and instead only copy zitadel * Update Dockerfile * Update release.yml * enable anchors debug * fix(container): don't copy alpine content into scratch execpt pwd * chore: remove need step * merge master * chore(deps-dev): bump @angular-devkit/build-angular in /console Bumps [@angular-devkit/build-angular](https://github.com/angular/angular-cli) from 0.1000.8 to 0.1001.4. - [Release notes](https://github.com/angular/angular-cli/releases) - [Commits](https://github.com/angular/angular-cli/commits) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Max Peintner <max@caos.ch> * chore(deps): bump uuid from 8.3.0 to 8.3.1 in /console (#802) * fix: user session with external login (#797) * fix: user session with external login * fix: tests * fix: tests * fix: change idp config name * fix(container): stop copying / and instead only copy zitadel (#691) * chore: stop copying / and instead only copy zitadel * Update Dockerfile * Update release.yml * enable anchors debug * fix(container): don't copy alpine content into scratch execpt pwd * chore: remove need step * merge master * chore(deps): bump uuid from 8.3.0 to 8.3.1 in /console Bumps [uuid](https://github.com/uuidjs/uuid) from 8.3.0 to 8.3.1. - [Release notes](https://github.com/uuidjs/uuid/releases) - [Changelog](https://github.com/uuidjs/uuid/blob/master/CHANGELOG.md) - [Commits](https://github.com/uuidjs/uuid/compare/v8.3.0...v8.3.1) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * create memberstable as common component * iam member cleanup * iam + org m table, user table service user avatar * toast config * fix selection emitter * fix project grant table width * project grant members refactor * theme optimizations * member table col delete * lint * fix table row color * refactor grey color * lint scss * org list redirect on click, fix user table undef * refresh table after grant add Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> * fix(console): intercept navigator.language, set browser lang as default for user without explicit setting, user table outline, member create dialog import (#820) * i18n interceptor, set language to browser lang * nullcheck * rm external idp log * fix module imports, rm user displayname from i18n * Update console/src/assets/i18n/de.json Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * fix: delete external idps from users (#822) * fix(console): permission regex, account switcher null check, restrict app and member create access (#821) * fix member table disable, gerneal regexp * fix user session card, app disable * memberships max count * fix policy permissions * permission check for member add dialog * lint * rm accounts log * rm id regex * fix: handle usermemberships on project and project grant delete (#825) * fix: go handler Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch> * fix: tests * fix: not needed error handling Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Florian Forster <florian@caos.ch>
2025-08-11 19:17:32 +00:00 · 2020-10-15 10:27:13 +02:00
parent adb24a52fc
commit fbb30840f1
248 changed files with 23960 additions and 13843 deletions
--- a/internal/org/repository/eventsourcing/eventstore.go
+++ b/internal/org/repository/eventsourcing/eventstore.go
@@ -27,7 +27,6 @@ type OrgEventstore struct {
 	idGenerator           id.Generator
 	verificationAlgorithm crypto.EncryptionAlgorithm
 	verificationGenerator crypto.Generator
-	defaultOrgIamPolicy   *org_model.OrgIAMPolicy
 	verificationValidator func(domain string, token string, verifier string, checkType http_utils.CheckType) error
 	secretCrypto          crypto.Crypto
 }
@@ -39,9 +38,6 @@ type OrgConfig struct {
 }

 func StartOrg(conf OrgConfig, defaults systemdefaults.SystemDefaults) *OrgEventstore {
-	policy := defaults.DefaultPolicies.OrgIam
-	policy.Default = true
-	policy.IamDomain = conf.IAMDomain
 	verificationAlg, err := crypto.NewAESCrypto(defaults.DomainVerification.VerificationKey)
 	logging.Log("EVENT-aZ22d").OnError(err).Panic("cannot create verificationAlgorithm for domain verification")
 	verificationGen := crypto.NewEncryptionGenerator(defaults.DomainVerification.VerificationGenerator, verificationAlg)
@@ -57,7 +53,6 @@ func StartOrg(conf OrgConfig, defaults systemdefaults.SystemDefaults) *OrgEvents
 		verificationValidator: http_utils.ValidateDomain,
 		IAMDomain:             conf.IAMDomain,
 		IamID:                 defaults.IamID,
-		defaultOrgIamPolicy:   &policy,
 		secretCrypto:          aesCrypto,
 	}
 }
@@ -464,22 +459,18 @@ func (es *OrgEventstore) RemoveOrgMember(ctx context.Context, member *org_model.
 	return es_sdk.Push(ctx, es.PushAggregates, repoMember.AppendEvents, orgAggregate)
 }

-func (es *OrgEventstore) GetDefaultOrgIAMPolicy(ctx context.Context) *org_model.OrgIAMPolicy {
-	return es.defaultOrgIamPolicy
-}
-
-func (es *OrgEventstore) GetOrgIAMPolicy(ctx context.Context, orgID string) (*org_model.OrgIAMPolicy, error) {
+func (es *OrgEventstore) GetOrgIAMPolicy(ctx context.Context, orgID string) (*iam_model.OrgIAMPolicy, error) {
 	existingOrg, err := es.OrgByID(ctx, org_model.NewOrg(orgID))
-	if err != nil && !errors.IsNotFound(err) {
+	if err != nil {
 		return nil, err
 	}
-	if existingOrg != nil && existingOrg.OrgIamPolicy != nil {
-		return existingOrg.OrgIamPolicy, nil
+	if existingOrg.OrgIamPolicy == nil {
+		return nil, errors.ThrowNotFound(nil, "EVENT-3F9sf", "Errors.Org.OrgIAM.NotExisting")
 	}
-	return es.defaultOrgIamPolicy, nil
+	return existingOrg.OrgIamPolicy, nil
 }

-func (es *OrgEventstore) AddOrgIAMPolicy(ctx context.Context, policy *org_model.OrgIAMPolicy) (*org_model.OrgIAMPolicy, error) {
+func (es *OrgEventstore) AddOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
 	existingOrg, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
 	if err != nil {
 		return nil, err
@@ -488,7 +479,7 @@ func (es *OrgEventstore) AddOrgIAMPolicy(ctx context.Context, policy *org_model.
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-7Usj3", "Errors.Org.PolicyAlreadyExists")
 	}
 	repoOrg := model.OrgFromModel(existingOrg)
-	repoPolicy := model.OrgIAMPolicyFromModel(policy)
+	repoPolicy := iam_es_model.OrgIAMPolicyFromModel(policy)
 	orgAggregate := OrgIAMPolicyAddedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoPolicy)
 	if err != nil {
 		return nil, err
@@ -498,10 +489,10 @@ func (es *OrgEventstore) AddOrgIAMPolicy(ctx context.Context, policy *org_model.
 		return nil, err
 	}

-	return model.OrgIAMPolicyToModel(repoOrg.OrgIamPolicy), nil
+	return iam_es_model.OrgIAMPolicyToModel(repoOrg.OrgIAMPolicy), nil
 }

-func (es *OrgEventstore) ChangeOrgIAMPolicy(ctx context.Context, policy *org_model.OrgIAMPolicy) (*org_model.OrgIAMPolicy, error) {
+func (es *OrgEventstore) ChangeOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
 	existingOrg, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
 	if err != nil {
 		return nil, err
@@ -510,7 +501,7 @@ func (es *OrgEventstore) ChangeOrgIAMPolicy(ctx context.Context, policy *org_mod
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-8juSd", "Errors.Org.PolicyNotExisting")
 	}
 	repoOrg := model.OrgFromModel(existingOrg)
-	repoPolicy := model.OrgIAMPolicyFromModel(policy)
+	repoPolicy := iam_es_model.OrgIAMPolicyFromModel(policy)
 	orgAggregate := OrgIAMPolicyChangedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoPolicy)
 	if err != nil {
 		return nil, err
@@ -520,7 +511,7 @@ func (es *OrgEventstore) ChangeOrgIAMPolicy(ctx context.Context, policy *org_mod
 		return nil, err
 	}

-	return model.OrgIAMPolicyToModel(repoOrg.OrgIamPolicy), nil
+	return iam_es_model.OrgIAMPolicyToModel(repoOrg.OrgIAMPolicy), nil
 }

 func (es *OrgEventstore) RemoveOrgIAMPolicy(ctx context.Context, orgID string) error {
@@ -543,7 +534,7 @@ func (es *OrgEventstore) AddIDPConfig(ctx context.Context, idp *iam_model.IDPCon
 	if idp == nil || !idp.IsValid(true) {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Ms89d", "Errors.Org.IdpInvalid")
 	}
-	existing, err := es.OrgByID(ctx, org_model.NewOrg(idp.AggregateID))
+	org, err := es.OrgByID(ctx, org_model.NewOrg(idp.AggregateID))
 	if err != nil {
 		return nil, err
 	}
@@ -557,7 +548,7 @@ func (es *OrgEventstore) AddIDPConfig(ctx context.Context, idp *iam_model.IDPCon
 		idp.OIDCConfig.IDPConfigID = id
 		err = idp.OIDCConfig.CryptSecret(es.secretCrypto)
 	}
-	repoOrg := model.OrgFromModel(existing)
+	repoOrg := model.OrgFromModel(org)
 	repoIdp := iam_es_model.IDPConfigFromModel(idp)

 	addAggregate := IDPConfigAddedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoIdp)
@@ -575,14 +566,14 @@ func (es *OrgEventstore) ChangeIDPConfig(ctx context.Context, idp *iam_model.IDP
 	if idp == nil || !idp.IsValid(false) {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Mslo9", "Errors.Org.IdpInvalid")
 	}
-	existing, err := es.OrgByID(ctx, org_model.NewOrg(idp.AggregateID))
+	org, err := es.OrgByID(ctx, org_model.NewOrg(idp.AggregateID))
 	if err != nil {
 		return nil, err
 	}
-	if _, i := existing.GetIDP(idp.IDPConfigID); i == nil {
+	if _, i := org.GetIDP(idp.IDPConfigID); i == nil {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Aji8e", "Errors.Org.IdpNotExisting")
 	}
-	repoOrg := model.OrgFromModel(existing)
+	repoOrg := model.OrgFromModel(org)
 	repoIdp := iam_es_model.IDPConfigFromModel(idp)

 	iamAggregate := IDPConfigChangedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoIdp)
@@ -600,14 +591,14 @@ func (es *OrgEventstore) PrepareRemoveIDPConfig(ctx context.Context, idp *iam_mo
 	if idp.IDPConfigID == "" {
 		return nil, nil, errors.ThrowPreconditionFailed(nil, "EVENT-Wz7sD", "Errors.Org.IDMissing")
 	}
-	existing, err := es.OrgByID(ctx, org_model.NewOrg(idp.AggregateID))
+	org, err := es.OrgByID(ctx, org_model.NewOrg(idp.AggregateID))
 	if err != nil {
 		return nil, nil, err
 	}
-	if _, i := existing.GetIDP(idp.IDPConfigID); i == nil {
+	if _, i := org.GetIDP(idp.IDPConfigID); i == nil {
 		return nil, nil, errors.ThrowPreconditionFailed(nil, "EVENT-Smiu8", "Errors.Org.IdpNotExisting")
 	}
-	repoOrg := model.OrgFromModel(existing)
+	repoOrg := model.OrgFromModel(org)
 	repoIdp := iam_es_model.IDPConfigFromModel(idp)
 	provider := new(iam_es_model.IDPProvider)
 	if repoOrg.LoginPolicy != nil {
@@ -632,15 +623,15 @@ func (es *OrgEventstore) DeactivateIDPConfig(ctx context.Context, orgID, idpID s
 	if idpID == "" {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Smk8d", "Errors.Org.IDMissing")
 	}
-	existing, err := es.OrgByID(ctx, org_model.NewOrg(orgID))
+	org, err := es.OrgByID(ctx, org_model.NewOrg(orgID))
 	if err != nil {
 		return nil, err
 	}
 	idp := &iam_model.IDPConfig{IDPConfigID: idpID}
-	if _, app := existing.GetIDP(idp.IDPConfigID); app == nil {
+	if _, app := org.GetIDP(idp.IDPConfigID); app == nil {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Amk8d", "Errors.Org.IdpNotExisting")
 	}
-	repoOrg := model.OrgFromModel(existing)
+	repoOrg := model.OrgFromModel(org)
 	repoIdp := iam_es_model.IDPConfigFromModel(idp)

 	iamAggregate := IDPConfigDeactivatedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoIdp)
@@ -658,15 +649,15 @@ func (es *OrgEventstore) ReactivateIDPConfig(ctx context.Context, orgID, idpID s
 	if idpID == "" {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Xm8df", "Errors.Org.IDMissing")
 	}
-	existing, err := es.OrgByID(ctx, org_model.NewOrg(orgID))
+	org, err := es.OrgByID(ctx, org_model.NewOrg(orgID))
 	if err != nil {
 		return nil, err
 	}
 	idp := &iam_model.IDPConfig{IDPConfigID: idpID}
-	if _, i := existing.GetIDP(idp.IDPConfigID); i == nil {
+	if _, i := org.GetIDP(idp.IDPConfigID); i == nil {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Qls0f", "Errors.Org.IdpNotExisting")
 	}
-	repoOrg := model.OrgFromModel(existing)
+	repoOrg := model.OrgFromModel(org)
 	repoIdp := iam_es_model.IDPConfigFromModel(idp)

 	iamAggregate := IDPConfigReactivatedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoIdp)
@@ -684,12 +675,12 @@ func (es *OrgEventstore) ChangeIDPOIDCConfig(ctx context.Context, config *iam_mo
 	if config == nil || !config.IsValid(false) {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Qs789", "Errors.Org.OIDCConfigInvalid")
 	}
-	existing, err := es.OrgByID(ctx, org_model.NewOrg(config.AggregateID))
+	org, err := es.OrgByID(ctx, org_model.NewOrg(config.AggregateID))
 	if err != nil {
 		return nil, err
 	}
 	var idp *iam_model.IDPConfig
-	if _, idp = existing.GetIDP(config.IDPConfigID); idp == nil {
+	if _, idp = org.GetIDP(config.IDPConfigID); idp == nil {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-pso0s", "Errors.Org.IdpNoExisting")
 	}
 	if idp.Type != iam_model.IDPConfigTypeOIDC {
@@ -700,7 +691,7 @@ func (es *OrgEventstore) ChangeIDPOIDCConfig(ctx context.Context, config *iam_mo
 	} else {
 		config.ClientSecret = nil
 	}
-	repoOrg := model.OrgFromModel(existing)
+	repoOrg := model.OrgFromModel(org)
 	repoConfig := iam_es_model.OIDCIDPConfigFromModel(config)

 	iamAggregate := OIDCIDPConfigChangedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoConfig)
@@ -718,12 +709,12 @@ func (es *OrgEventstore) AddLoginPolicy(ctx context.Context, policy *iam_model.L
 	if policy == nil || !policy.IsValid() {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Sjkl9", "Errors.Org.LoginPolicy.Invalid")
 	}
-	existing, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
+	org, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
 	if err != nil {
 		return nil, err
 	}

-	repoOrg := model.OrgFromModel(existing)
+	repoOrg := model.OrgFromModel(org)
 	repoLoginPolicy := iam_es_model.LoginPolicyFromModel(policy)

 	addAggregate := LoginPolicyAddedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoLoginPolicy)
@@ -738,16 +729,16 @@ func (es *OrgEventstore) ChangeLoginPolicy(ctx context.Context, policy *iam_mode
 	if policy == nil || !policy.IsValid() {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Lso02", "Errors.Org.LoginPolicy.Invalid")
 	}
-	existing, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
+	org, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
 	if err != nil {
 		return nil, err
 	}

-	if existing.LoginPolicy == nil {
+	if org.LoginPolicy == nil {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Lso02", "Errors.Org.LoginPolicy.NotExisting")
 	}

-	repoOrg := model.OrgFromModel(existing)
+	repoOrg := model.OrgFromModel(org)
 	repoLoginPolicy := iam_es_model.LoginPolicyFromModel(policy)

 	addAggregate := LoginPolicyChangedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoLoginPolicy)
@@ -762,11 +753,11 @@ func (es *OrgEventstore) RemoveLoginPolicy(ctx context.Context, policy *iam_mode
 	if policy == nil || !policy.IsValid() {
 		return errors.ThrowPreconditionFailed(nil, "EVENT-O0s9e", "Errors.Org.LoginPolicy.Invalid")
 	}
-	existing, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
+	org, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
 	if err != nil {
 		return err
 	}
-	repoOrg := model.OrgFromModel(existing)
+	repoOrg := model.OrgFromModel(org)

 	addAggregate := LoginPolicyRemovedAggregate(es.Eventstore.AggregateCreator(), repoOrg)
 	return es_sdk.Push(ctx, es.PushAggregates, repoOrg.AppendEvents, addAggregate)
@@ -787,17 +778,17 @@ func (es *OrgEventstore) AddIDPProviderToLoginPolicy(ctx context.Context, provid
 	if provider == nil || !provider.IsValid() {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Sjd8e", "Errors.Org.IdpProviderInvalid")
 	}
-	existing, err := es.OrgByID(ctx, org_model.NewOrg(provider.AggregateID))
+	org, err := es.OrgByID(ctx, org_model.NewOrg(provider.AggregateID))
 	if err != nil {
 		return nil, err
 	}
-	if existing.LoginPolicy == nil {
+	if org.LoginPolicy == nil {
 		return nil, errors.ThrowAlreadyExists(nil, "EVENT-sk9fW", "Errors.Org.LoginPolicy.NotExisting")
 	}
-	if _, m := existing.LoginPolicy.GetIdpProvider(provider.IdpConfigID); m != nil {
+	if _, m := org.LoginPolicy.GetIdpProvider(provider.IdpConfigID); m != nil {
 		return nil, errors.ThrowAlreadyExists(nil, "EVENT-Lso9f", "Errors.Org.LoginPolicy.IdpProviderAlreadyExisting")
 	}
-	repoOrg := model.OrgFromModel(existing)
+	repoOrg := model.OrgFromModel(org)
 	repoProvider := iam_es_model.IDPProviderFromModel(provider)

 	addAggregate := LoginPolicyIDPProviderAddedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoProvider, es.IamID)
@@ -815,14 +806,14 @@ func (es *OrgEventstore) PrepareRemoveIDPProviderFromLoginPolicy(ctx context.Con
 	if provider == nil || !provider.IsValid() {
 		return nil, nil, errors.ThrowPreconditionFailed(nil, "EVENT-Esi8c", "Errors.IdpProviderInvalid")
 	}
-	existing, err := es.OrgByID(ctx, org_model.NewOrg(provider.AggregateID))
+	org, err := es.OrgByID(ctx, org_model.NewOrg(provider.AggregateID))
 	if err != nil {
 		return nil, nil, err
 	}
-	if _, m := existing.LoginPolicy.GetIdpProvider(provider.IdpConfigID); m == nil {
+	if _, m := org.LoginPolicy.GetIdpProvider(provider.IdpConfigID); m == nil {
 		return nil, nil, errors.ThrowPreconditionFailed(nil, "EVENT-29skr", "Errors.IAM.LoginPolicy.IdpProviderNotExisting")
 	}
-	repoOrg := model.OrgFromModel(existing)
+	repoOrg := model.OrgFromModel(org)
 	providerID := &iam_es_model.IDPProviderID{provider.IdpConfigID}
 	providerAggregates, err := LoginPolicyIDPProviderRemovedAggregate(ctx, es.Eventstore.AggregateCreator(), repoOrg, providerID, cascade)
 	if err != nil {
@@ -838,3 +829,184 @@ func (es *OrgEventstore) RemoveIDPProviderFromLoginPolicy(ctx context.Context, p
 	}
 	return es_sdk.PushAggregates(ctx, es.PushAggregates, repoOrg.AppendEvents, agg)
 }
+
+func (es *OrgEventstore) AddPasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error) {
+	if policy == nil {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Sjkl9", "Errors.Org.PasswordComplexityPolicy.Invalid")
+	}
+
+	if err := policy.IsValid(); err != nil {
+		return nil, err
+	}
+	org, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
+	if err != nil {
+		return nil, err
+	}
+
+	repoOrg := model.OrgFromModel(org)
+	repoPasswordComplexityPolicy := iam_es_model.PasswordComplexityPolicyFromModel(policy)
+
+	addAggregate := PasswordComplexityPolicyAddedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoPasswordComplexityPolicy)
+	err = es_sdk.Push(ctx, es.PushAggregates, repoOrg.AppendEvents, addAggregate)
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.PasswordComplexityPolicyToModel(repoOrg.PasswordComplexityPolicy), nil
+}
+
+func (es *OrgEventstore) ChangePasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) (*iam_model.PasswordComplexityPolicy, error) {
+	if policy == nil {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-r5Hd", "Errors.Org.PasswordComplexityPolicy.Empty")
+	}
+	if err := policy.IsValid(); err != nil {
+		return nil, err
+	}
+	org, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
+	if err != nil {
+		return nil, err
+	}
+
+	if org.PasswordComplexityPolicy == nil {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-v6Hdr", "Errors.Org.PasswordComplexityPolicy.NotExisting")
+	}
+
+	repoOrg := model.OrgFromModel(org)
+	repoPasswordComplexityPolicy := iam_es_model.PasswordComplexityPolicyFromModel(policy)
+
+	addAggregate := PasswordComplexityPolicyChangedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoPasswordComplexityPolicy)
+	err = es_sdk.Push(ctx, es.PushAggregates, repoOrg.AppendEvents, addAggregate)
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.PasswordComplexityPolicyToModel(repoOrg.PasswordComplexityPolicy), nil
+}
+
+func (es *OrgEventstore) RemovePasswordComplexityPolicy(ctx context.Context, policy *iam_model.PasswordComplexityPolicy) error {
+	if policy == nil || policy.AggregateID == "" {
+		return errors.ThrowPreconditionFailed(nil, "EVENT-3Ghs8", "Errors.Org.PasswordComplexityPolicy.Invalid")
+	}
+	org, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
+	if err != nil {
+		return err
+	}
+	repoOrg := model.OrgFromModel(org)
+
+	addAggregate := PasswordComplexityPolicyRemovedAggregate(es.Eventstore.AggregateCreator(), repoOrg)
+	return es_sdk.Push(ctx, es.PushAggregates, repoOrg.AppendEvents, addAggregate)
+}
+
+func (es *OrgEventstore) AddPasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error) {
+	if policy == nil || policy.AggregateID == "" {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Sjkl9", "Errors.Org.PasswordAgePolicy.Invalid")
+	}
+	org, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
+	if err != nil {
+		return nil, err
+	}
+
+	repoOrg := model.OrgFromModel(org)
+	repoPasswordAgePolicy := iam_es_model.PasswordAgePolicyFromModel(policy)
+
+	addAggregate := PasswordAgePolicyAddedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoPasswordAgePolicy)
+	err = es_sdk.Push(ctx, es.PushAggregates, repoOrg.AppendEvents, addAggregate)
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.PasswordAgePolicyToModel(repoOrg.PasswordAgePolicy), nil
+}
+
+func (es *OrgEventstore) ChangePasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) (*iam_model.PasswordAgePolicy, error) {
+	if policy == nil || policy.AggregateID == "" {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-r5Hd", "Errors.Org.PasswordAgePolicy.Empty")
+	}
+	org, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
+	if err != nil {
+		return nil, err
+	}
+
+	if org.PasswordAgePolicy == nil {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-v6Hdr", "Errors.Org.PasswordAgePolicy.NotExisting")
+	}
+
+	repoOrg := model.OrgFromModel(org)
+	repoPasswordAgePolicy := iam_es_model.PasswordAgePolicyFromModel(policy)
+
+	addAggregate := PasswordAgePolicyChangedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoPasswordAgePolicy)
+	err = es_sdk.Push(ctx, es.PushAggregates, repoOrg.AppendEvents, addAggregate)
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.PasswordAgePolicyToModel(repoOrg.PasswordAgePolicy), nil
+}
+
+func (es *OrgEventstore) RemovePasswordAgePolicy(ctx context.Context, policy *iam_model.PasswordAgePolicy) error {
+	if policy == nil || policy.AggregateID == "" {
+		return errors.ThrowPreconditionFailed(nil, "EVENT-3Ghs8", "Errors.Org.PasswordAgePolicy.Invalid")
+	}
+	org, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
+	if err != nil {
+		return err
+	}
+	repoOrg := model.OrgFromModel(org)
+
+	addAggregate := PasswordAgePolicyRemovedAggregate(es.Eventstore.AggregateCreator(), repoOrg)
+	return es_sdk.Push(ctx, es.PushAggregates, repoOrg.AppendEvents, addAggregate)
+}
+
+func (es *OrgEventstore) AddPasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error) {
+	if policy == nil || policy.AggregateID == "" {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-6Zdk9", "Errors.Org.PasswordLockoutPolicy.Invalid")
+	}
+	org, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
+	if err != nil {
+		return nil, err
+	}
+
+	repoOrg := model.OrgFromModel(org)
+	repoPasswordLockoutPolicy := iam_es_model.PasswordLockoutPolicyFromModel(policy)
+
+	addAggregate := PasswordLockoutPolicyAddedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoPasswordLockoutPolicy)
+	err = es_sdk.Push(ctx, es.PushAggregates, repoOrg.AppendEvents, addAggregate)
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.PasswordLockoutPolicyToModel(repoOrg.PasswordLockoutPolicy), nil
+}
+
+func (es *OrgEventstore) ChangePasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) (*iam_model.PasswordLockoutPolicy, error) {
+	if policy == nil || policy.AggregateID == "" {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-lp0Sf", "Errors.Org.PasswordLockoutPolicy.Empty")
+	}
+	org, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
+	if err != nil {
+		return nil, err
+	}
+
+	if org.PasswordLockoutPolicy == nil {
+		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-3Fks9", "Errors.Org.PasswordLockoutPolicy.NotExisting")
+	}
+
+	repoOrg := model.OrgFromModel(org)
+	repoPasswordLockoutPolicy := iam_es_model.PasswordLockoutPolicyFromModel(policy)
+
+	addAggregate := PasswordLockoutPolicyChangedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoPasswordLockoutPolicy)
+	err = es_sdk.Push(ctx, es.PushAggregates, repoOrg.AppendEvents, addAggregate)
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.PasswordLockoutPolicyToModel(repoOrg.PasswordLockoutPolicy), nil
+}
+
+func (es *OrgEventstore) RemovePasswordLockoutPolicy(ctx context.Context, policy *iam_model.PasswordLockoutPolicy) error {
+	if policy == nil || policy.AggregateID == "" {
+		return errors.ThrowPreconditionFailed(nil, "EVENT-6Hls0", "Errors.Org.PasswordLockoutPolicy.Invalid")
+	}
+	org, err := es.OrgByID(ctx, org_model.NewOrg(policy.AggregateID))
+	if err != nil {
+		return err
+	}
+	repoOrg := model.OrgFromModel(org)
+
+	addAggregate := PasswordLockoutPolicyRemovedAggregate(es.Eventstore.AggregateCreator(), repoOrg)
+	return es_sdk.Push(ctx, es.PushAggregates, repoOrg.AppendEvents, addAggregate)
+}
--- a/internal/org/repository/eventsourcing/eventstore_mock_test.go
+++ b/internal/org/repository/eventsourcing/eventstore_mock_test.go
@@ -41,7 +41,7 @@ func GetMockChangesOrgOK(ctrl *gomock.Controller) *OrgEventstore {

 	}
 	events := []*es_models.Event{
-		&es_models.Event{AggregateID: "AggregateIDApp", Sequence: 1, AggregateType: repo_model.OrgAggregate, Data: data},
+		{AggregateID: "AggregateIDApp", Sequence: 1, AggregateType: repo_model.OrgAggregate, Data: data},
 	}
 	mockEs := mock.NewMockEventstore(ctrl)
 	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)
@@ -63,7 +63,7 @@ func GetMockChangesOrgWithCrypto(ctrl *gomock.Controller) *OrgEventstore {
 	}
 	data, _ := json.Marshal(org)
 	events := []*es_models.Event{
-		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.OrgAdded, Data: data},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.OrgAdded, Data: data},
 	}
 	mockEs := mock.NewMockEventstore(ctrl)
 	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)
@@ -77,9 +77,9 @@ func GetMockChangesOrgWithOIDCIdp(ctrl *gomock.Controller) *OrgEventstore {
 	idpData, _ := json.Marshal(iam_es_model.IDPConfig{IDPConfigID: "IDPConfigID", Name: "Name"})
 	oidcData, _ := json.Marshal(iam_es_model.OIDCIDPConfig{IDPConfigID: "IDPConfigID", ClientID: "ClientID"})
 	events := []*es_models.Event{
-		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.OrgAdded, Data: orgData},
-		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.IDPConfigAdded, Data: idpData},
-		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.OIDCIDPConfigAdded, Data: oidcData},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.OrgAdded, Data: orgData},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.IDPConfigAdded, Data: idpData},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.OIDCIDPConfigAdded, Data: oidcData},
 	}
 	mockEs := mock.NewMockEventstore(ctrl)
 	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)
@@ -93,9 +93,63 @@ func GetMockChangesOrgWithLoginPolicy(ctrl *gomock.Controller) *OrgEventstore {
 	loginPolicy, _ := json.Marshal(iam_es_model.LoginPolicy{AllowRegister: true, AllowExternalIdp: true, AllowUsernamePassword: true})
 	idpData, _ := json.Marshal(iam_es_model.IDPProvider{IDPConfigID: "IDPConfigID", Type: int32(iam_model.IDPProviderTypeSystem)})
 	events := []*es_models.Event{
-		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.OrgAdded, Data: orgData},
-		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.LoginPolicyAdded, Data: loginPolicy},
-		&es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: model.LoginPolicyIDPProviderAdded, Data: idpData},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.OrgAdded, Data: orgData},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.LoginPolicyAdded, Data: loginPolicy},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.LoginPolicyIDPProviderAdded, Data: idpData},
+	}
+	mockEs := mock.NewMockEventstore(ctrl)
+	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)
+	mockEs.EXPECT().AggregateCreator().Return(es_models.NewAggregateCreator("TEST"))
+	mockEs.EXPECT().PushAggregates(gomock.Any(), gomock.Any()).Return(nil)
+	return GetMockedEventstore(ctrl, mockEs)
+}
+
+func GetMockChangesOrgWithPasswordComplexityPolicy(ctrl *gomock.Controller) *OrgEventstore {
+	orgData, _ := json.Marshal(model.Org{Name: "MusterOrg"})
+	passwordComplexityPolicy, _ := json.Marshal(iam_es_model.PasswordComplexityPolicy{
+		MinLength:    10,
+		HasLowercase: true,
+		HasUppercase: true,
+		HasSymbol:    true,
+		HasNumber:    true,
+	})
+	events := []*es_models.Event{
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.OrgAdded, Data: orgData},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.PasswordComplexityPolicyAdded, Data: passwordComplexityPolicy},
+	}
+	mockEs := mock.NewMockEventstore(ctrl)
+	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)
+	mockEs.EXPECT().AggregateCreator().Return(es_models.NewAggregateCreator("TEST"))
+	mockEs.EXPECT().PushAggregates(gomock.Any(), gomock.Any()).Return(nil)
+	return GetMockedEventstore(ctrl, mockEs)
+}
+
+func GetMockChangesOrgWithPasswordLockoutPolicy(ctrl *gomock.Controller) *OrgEventstore {
+	orgData, _ := json.Marshal(model.Org{Name: "MusterOrg"})
+	passwordLockoutPolicy, _ := json.Marshal(iam_es_model.PasswordLockoutPolicy{
+		MaxAttempts:         10,
+		ShowLockOutFailures: true,
+	})
+	events := []*es_models.Event{
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.OrgAdded, Data: orgData},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.PasswordLockoutPolicyAdded, Data: passwordLockoutPolicy},
+	}
+	mockEs := mock.NewMockEventstore(ctrl)
+	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)
+	mockEs.EXPECT().AggregateCreator().Return(es_models.NewAggregateCreator("TEST"))
+	mockEs.EXPECT().PushAggregates(gomock.Any(), gomock.Any()).Return(nil)
+	return GetMockedEventstore(ctrl, mockEs)
+}
+
+func GetMockChangesOrgWithPasswordAgePolicy(ctrl *gomock.Controller) *OrgEventstore {
+	orgData, _ := json.Marshal(model.Org{Name: "MusterOrg"})
+	passwordAgePolicy, _ := json.Marshal(iam_es_model.PasswordAgePolicy{
+		MaxAgeDays:     10,
+		ExpireWarnDays: 10,
+	})
+	events := []*es_models.Event{
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.OrgAdded, Data: orgData},
+		{AggregateID: "AggregateID", Sequence: 1, Type: model.PasswordAgePolicyAdded, Data: passwordAgePolicy},
 	}
 	mockEs := mock.NewMockEventstore(ctrl)
 	mockEs.EXPECT().FilterEvents(gomock.Any(), gomock.Any()).Return(events, nil)
--- a/internal/org/repository/eventsourcing/eventstore_test.go
+++ b/internal/org/repository/eventsourcing/eventstore_test.go
@@ -1656,11 +1656,15 @@ func TestChangesOrg(t *testing.T) {
 				if err != nil {
 				}
 			}
-			if !tt.res.wantErr && result.LastSequence != tt.res.changes.LastSequence && org.Name != tt.res.org.Name {
-				t.Errorf("got wrong result name: expected: %v, actual: %v ", tt.res.changes.LastSequence, result.LastSequence)
-			}
-			if tt.res.wantErr && !tt.res.errFunc(err) {
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
 				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if result.LastSequence != tt.res.changes.LastSequence && org.Name != tt.res.org.Name {
+				t.Errorf("got wrong result name: expected: %v, actual: %v ", tt.res.changes.LastSequence, result.LastSequence)
 			}
 		})
 	}
@@ -1749,25 +1753,28 @@ func TestAddIdpConfiguration(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			result, err := tt.args.es.AddIDPConfig(tt.args.ctx, tt.args.idp)
-
-			if !tt.res.wantErr && result.IDPConfigID == "" {
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if result.IDPConfigID == "" {
 				t.Errorf("result has no id")
 			}
-			if !tt.res.wantErr && result.OIDCConfig.IDPConfigID == "" {
+			if result.OIDCConfig.IDPConfigID == "" {
 				t.Errorf("result has no id")
 			}
-			if !tt.res.wantErr && result.OIDCConfig == nil && result.OIDCConfig.ClientSecret == nil {
+			if result.OIDCConfig == nil && result.OIDCConfig.ClientSecret == nil {
 				t.Errorf("result has no client secret")
 			}
-			if !tt.res.wantErr && result.Name != tt.res.result.Name {
+			if result.Name != tt.res.result.Name {
 				t.Errorf("got wrong result key: expected: %v, actual: %v ", tt.res.result.Name, result.Name)
 			}
-			if !tt.res.wantErr && result.OIDCConfig.ClientID != tt.res.result.OIDCConfig.ClientID {
+			if result.OIDCConfig.ClientID != tt.res.result.OIDCConfig.ClientID {
 				t.Errorf("got wrong result key: expected: %v, actual: %v ", tt.res.result.OIDCConfig.ClientID, result.OIDCConfig.ClientID)
 			}
-			if tt.res.wantErr && !tt.res.errFunc(err) {
-				t.Errorf("got wrong err: %v ", err)
-			}
 		})
 	}
 }
@@ -1863,19 +1870,22 @@ func TestChangeIdpConfiguration(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			result, err := tt.args.es.ChangeIDPConfig(tt.args.ctx, tt.args.idp)
-
-			if !tt.res.wantErr && result.AggregateID == "" {
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if result.AggregateID == "" {
 				t.Errorf("result has no id")
 			}
-			if !tt.res.wantErr && result.IDPConfigID != tt.res.result.IDPConfigID {
+			if result.IDPConfigID != tt.res.result.IDPConfigID {
 				t.Errorf("got wrong result IdpConfigID: expected: %v, actual: %v ", tt.res.result.IDPConfigID, result.IDPConfigID)
 			}
-			if !tt.res.wantErr && result.Name != tt.res.result.Name {
+			if result.Name != tt.res.result.Name {
 				t.Errorf("got wrong result name: expected: %v, actual: %v ", tt.res.result.Name, result.Name)
 			}
-			if tt.res.wantErr && !tt.res.errFunc(err) {
-				t.Errorf("got wrong err: %v ", err)
-			}
 		})
 	}
 }
@@ -2050,19 +2060,22 @@ func TestDeactivateIdpConfiguration(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			result, err := tt.args.es.DeactivateIDPConfig(tt.args.ctx, tt.args.idp.AggregateID, tt.args.idp.IDPConfigID)
-
-			if !tt.res.wantErr && result.AggregateID == "" {
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if result.AggregateID == "" {
 				t.Errorf("result has no id")
 			}
-			if !tt.res.wantErr && result.IDPConfigID != tt.res.result.IDPConfigID {
+			if result.IDPConfigID != tt.res.result.IDPConfigID {
 				t.Errorf("got wrong result IDPConfigID: expected: %v, actual: %v ", tt.res.result.IDPConfigID, result.IDPConfigID)
 			}
-			if !tt.res.wantErr && result.State != tt.res.result.State {
+			if result.State != tt.res.result.State {
 				t.Errorf("got wrong result state: expected: %v, actual: %v ", tt.res.result.State, result.State)
 			}
-			if tt.res.wantErr && !tt.res.errFunc(err) {
-				t.Errorf("got wrong err: %v ", err)
-			}
 		})
 	}
 }
@@ -2157,19 +2170,22 @@ func TestReactivateIdpConfiguration(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			result, err := tt.args.es.ReactivateIDPConfig(tt.args.ctx, tt.args.idp.AggregateID, tt.args.idp.IDPConfigID)
-
-			if !tt.res.wantErr && result.AggregateID == "" {
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if result.AggregateID == "" {
 				t.Errorf("result has no id")
 			}
-			if !tt.res.wantErr && result.IDPConfigID != tt.res.result.IDPConfigID {
+			if result.IDPConfigID != tt.res.result.IDPConfigID {
 				t.Errorf("got wrong result IDPConfigID: expected: %v, actual: %v ", tt.res.result.IDPConfigID, result.IDPConfigID)
 			}
-			if !tt.res.wantErr && result.State != tt.res.result.State {
+			if result.State != tt.res.result.State {
 				t.Errorf("got wrong result state: expected: %v, actual: %v ", tt.res.result.State, result.State)
 			}
-			if tt.res.wantErr && !tt.res.errFunc(err) {
-				t.Errorf("got wrong err: %v ", err)
-			}
 		})
 	}
 }
@@ -2267,19 +2283,22 @@ func TestChangeOIDCIDPConfig(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			result, err := tt.args.es.ChangeIDPOIDCConfig(tt.args.ctx, tt.args.config)
-
-			if !tt.res.wantErr && result.AggregateID == "" {
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if result.AggregateID == "" {
 				t.Errorf("result has no id")
 			}
-			if !tt.res.wantErr && result.IDPConfigID != tt.res.result.IDPConfigID {
+			if result.IDPConfigID != tt.res.result.IDPConfigID {
 				t.Errorf("got wrong result AppID: expected: %v, actual: %v ", tt.res.result.IDPConfigID, result.IDPConfigID)
 			}
-			if !tt.res.wantErr && result.ClientID != tt.res.result.ClientID {
+			if result.ClientID != tt.res.result.ClientID {
 				t.Errorf("got wrong result responsetype: expected: %v, actual: %v ", tt.res.result.ClientID, result.ClientID)
 			}
-			if tt.res.wantErr && !tt.res.errFunc(err) {
-				t.Errorf("got wrong err: %v ", err)
-			}
 		})
 	}
 }
@@ -2431,19 +2450,22 @@ func TestChangeLoginPolicy(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			result, err := tt.args.es.ChangeLoginPolicy(tt.args.ctx, tt.args.policy)
-
-			if !tt.res.wantErr && result.AllowRegister != tt.res.result.AllowRegister {
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if result.AllowRegister != tt.res.result.AllowRegister {
 				t.Errorf("got wrong result AllowRegister: expected: %v, actual: %v ", tt.res.result.AllowRegister, result.AllowRegister)
 			}
-			if !tt.res.wantErr && result.AllowUsernamePassword != tt.res.result.AllowUsernamePassword {
+			if result.AllowUsernamePassword != tt.res.result.AllowUsernamePassword {
 				t.Errorf("got wrong result AllowUsernamePassword: expected: %v, actual: %v ", tt.res.result.AllowUsernamePassword, result.AllowUsernamePassword)
 			}
-			if !tt.res.wantErr && result.AllowExternalIdp != tt.res.result.AllowExternalIdp {
+			if result.AllowExternalIdp != tt.res.result.AllowExternalIdp {
 				t.Errorf("got wrong result AllowExternalIDP: expected: %v, actual: %v ", tt.res.result.AllowExternalIdp, result.AllowExternalIdp)
 			}
-			if tt.res.wantErr && !tt.res.errFunc(err) {
-				t.Errorf("got wrong err: %v ", err)
-			}
 		})
 	}
 }
@@ -2603,16 +2625,19 @@ func TestAddIdpProviderToLoginPolicy(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			result, err := tt.args.es.AddIDPProviderToLoginPolicy(tt.args.ctx, tt.args.provider)
-
-			if !tt.res.wantErr && result.IdpConfigID != tt.res.result.IdpConfigID {
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if result.IdpConfigID != tt.res.result.IdpConfigID {
 				t.Errorf("got wrong result IDPConfigID: expected: %v, actual: %v ", tt.res.result.IdpConfigID, result.IdpConfigID)
 			}
-			if !tt.res.wantErr && result.Type != tt.res.result.Type {
+			if result.Type != tt.res.result.Type {
 				t.Errorf("got wrong result Type: expected: %v, actual: %v ", tt.res.result.Type, result.Type)
 			}
-			if tt.res.wantErr && !tt.res.errFunc(err) {
-				t.Errorf("got wrong err: %v ", err)
-			}
 		})
 	}
 }
@@ -2705,3 +2730,766 @@ func TestRemoveIdpProviderFromLoginPolicy(t *testing.T) {
 		})
 	}
 }
+
+func TestAddPasswordComplexityPolicy(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	type args struct {
+		es     *OrgEventstore
+		ctx    context.Context
+		policy *iam_model.PasswordComplexityPolicy
+	}
+	type res struct {
+		result  *iam_model.PasswordComplexityPolicy
+		wantErr bool
+		errFunc func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "add password complexity policy, ok",
+			args: args{
+				es:  GetMockChangesOrgOK(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordComplexityPolicy{
+					ObjectRoot:   es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					MinLength:    10,
+					HasLowercase: true,
+					HasUppercase: true,
+					HasSymbol:    true,
+					HasNumber:    true,
+				},
+			},
+			res: res{
+				result: &iam_model.PasswordComplexityPolicy{
+					ObjectRoot:   es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					MinLength:    10,
+					HasLowercase: true,
+					HasUppercase: true,
+					HasSymbol:    true,
+					HasNumber:    true,
+				},
+			},
+		},
+		{
+			name: "invalid policy",
+			args: args{
+				es:  GetMockChangesOrgOK(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordComplexityPolicy{
+					ObjectRoot: es_models.ObjectRoot{Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsErrorInvalidArgument,
+			},
+		},
+		{
+			name: "existing org not found",
+			args: args{
+				es:  GetMockChangesOrgNoEvents(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordComplexityPolicy{
+					ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					MinLength:  10,
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsNotFound,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := tt.args.es.AddPasswordComplexityPolicy(tt.args.ctx, tt.args.policy)
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if result.MinLength != tt.res.result.MinLength {
+				t.Errorf("got wrong result MinLength: expected: %v, actual: %v ", tt.res.result.MinLength, result.MinLength)
+			}
+			if result.HasLowercase != tt.res.result.HasLowercase {
+				t.Errorf("got wrong result HasLowercase: expected: %v, actual: %v ", tt.res.result.HasLowercase, result.HasLowercase)
+			}
+			if result.HasUppercase != tt.res.result.HasUppercase {
+				t.Errorf("got wrong result HasUppercase: expected: %v, actual: %v ", tt.res.result.HasUppercase, result.HasUppercase)
+			}
+			if result.HasNumber != tt.res.result.HasNumber {
+				t.Errorf("got wrong result HasNumber: expected: %v, actual: %v ", tt.res.result.HasNumber, result.HasNumber)
+			}
+			if result.HasSymbol != tt.res.result.HasSymbol {
+				t.Errorf("got wrong result HasSymbol: expected: %v, actual: %v ", tt.res.result.HasSymbol, result.HasSymbol)
+			}
+		})
+	}
+}
+
+func TestChangePasswordComplexityPolicy(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	type args struct {
+		es     *OrgEventstore
+		ctx    context.Context
+		policy *iam_model.PasswordComplexityPolicy
+	}
+	type res struct {
+		result  *iam_model.PasswordComplexityPolicy
+		wantErr bool
+		errFunc func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "change password complexity policy, ok",
+			args: args{
+				es:  GetMockChangesOrgWithPasswordComplexityPolicy(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordComplexityPolicy{
+					ObjectRoot:   es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					MinLength:    5,
+					HasLowercase: false,
+					HasUppercase: false,
+					HasSymbol:    false,
+					HasNumber:    false,
+				},
+			},
+			res: res{
+				result: &iam_model.PasswordComplexityPolicy{
+					ObjectRoot:   es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					MinLength:    5,
+					HasLowercase: false,
+					HasUppercase: false,
+					HasSymbol:    false,
+					HasNumber:    false,
+				},
+			},
+		},
+		{
+			name: "invalid policy",
+			args: args{
+				es:  GetMockChangesOrgOK(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordComplexityPolicy{
+					ObjectRoot: es_models.ObjectRoot{Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsErrorInvalidArgument,
+			},
+		},
+		{
+			name: "existing iam not found",
+			args: args{
+				es:  GetMockChangesOrgNoEvents(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordComplexityPolicy{
+					ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					MinLength:  10,
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsNotFound,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := tt.args.es.ChangePasswordComplexityPolicy(tt.args.ctx, tt.args.policy)
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if result.MinLength != tt.res.result.MinLength {
+				t.Errorf("got wrong result MinLength: expected: %v, actual: %v ", tt.res.result.MinLength, result.MinLength)
+			}
+			if result.HasLowercase != tt.res.result.HasLowercase {
+				t.Errorf("got wrong result HasLowercase: expected: %v, actual: %v ", tt.res.result.HasLowercase, result.HasLowercase)
+			}
+			if result.HasUppercase != tt.res.result.HasUppercase {
+				t.Errorf("got wrong result HasUppercase: expected: %v, actual: %v ", tt.res.result.HasUppercase, result.HasUppercase)
+			}
+			if result.HasNumber != tt.res.result.HasNumber {
+				t.Errorf("got wrong result HasNumber: expected: %v, actual: %v ", tt.res.result.HasNumber, result.HasNumber)
+			}
+			if result.HasSymbol != tt.res.result.HasSymbol {
+				t.Errorf("got wrong result HasSymbol: expected: %v, actual: %v ", tt.res.result.HasSymbol, result.HasSymbol)
+			}
+		})
+	}
+}
+
+func TestRemovePasswordComplexityPolicy(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	type args struct {
+		es     *OrgEventstore
+		ctx    context.Context
+		policy *iam_model.PasswordComplexityPolicy
+	}
+	type res struct {
+		result  *iam_model.PasswordComplexityPolicy
+		wantErr bool
+		errFunc func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "remove password compelxity policy, ok",
+			args: args{
+				es:  GetMockChangesOrgWithPasswordComplexityPolicy(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordComplexityPolicy{
+					ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+				},
+			},
+			res: res{},
+		},
+		{
+			name: "invalid policy",
+			args: args{
+				es:  GetMockChangesOrgOK(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordComplexityPolicy{
+					ObjectRoot: es_models.ObjectRoot{Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "existing iam not found",
+			args: args{
+				es:  GetMockChangesOrgNoEvents(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordComplexityPolicy{
+					ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsNotFound,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.args.es.RemovePasswordComplexityPolicy(tt.args.ctx, tt.args.policy)
+
+			if !tt.res.wantErr && err != nil {
+				t.Errorf("got wrong result should not get err: %v", err)
+			}
+			if tt.res.wantErr && !tt.res.errFunc(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+		})
+	}
+}
+
+func TestAddPasswordAgePolicy(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	type args struct {
+		es     *OrgEventstore
+		ctx    context.Context
+		policy *iam_model.PasswordAgePolicy
+	}
+	type res struct {
+		result  *iam_model.PasswordAgePolicy
+		wantErr bool
+		errFunc func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "add password age policy, ok",
+			args: args{
+				es:  GetMockChangesOrgOK(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordAgePolicy{
+					ObjectRoot:     es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					MaxAgeDays:     10,
+					ExpireWarnDays: 10,
+				},
+			},
+			res: res{
+				result: &iam_model.PasswordAgePolicy{
+					ObjectRoot:     es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					MaxAgeDays:     10,
+					ExpireWarnDays: 10,
+				},
+			},
+		},
+		{
+			name: "invalid policy",
+			args: args{
+				es:  GetMockChangesOrgOK(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordAgePolicy{
+					ObjectRoot: es_models.ObjectRoot{Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "existing org not found",
+			args: args{
+				es:  GetMockChangesOrgNoEvents(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordAgePolicy{
+					ObjectRoot:     es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					MaxAgeDays:     10,
+					ExpireWarnDays: 10,
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsNotFound,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := tt.args.es.AddPasswordAgePolicy(tt.args.ctx, tt.args.policy)
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if result.MaxAgeDays != tt.res.result.MaxAgeDays {
+				t.Errorf("got wrong result MaxAgeDays: expected: %v, actual: %v ", tt.res.result.MaxAgeDays, result.MaxAgeDays)
+			}
+			if result.ExpireWarnDays != tt.res.result.ExpireWarnDays {
+				t.Errorf("got wrong result.ExpireWarnDays: expected: %v, actual: %v ", tt.res.result.ExpireWarnDays, result.ExpireWarnDays)
+			}
+		})
+	}
+}
+
+func TestChangePasswordAgePolicy(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	type args struct {
+		es     *OrgEventstore
+		ctx    context.Context
+		policy *iam_model.PasswordAgePolicy
+	}
+	type res struct {
+		result  *iam_model.PasswordAgePolicy
+		wantErr bool
+		errFunc func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "change password age policy, ok",
+			args: args{
+				es:  GetMockChangesOrgWithPasswordAgePolicy(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordAgePolicy{
+					ObjectRoot:     es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					MaxAgeDays:     5,
+					ExpireWarnDays: 5,
+				},
+			},
+			res: res{
+				result: &iam_model.PasswordAgePolicy{
+					ObjectRoot:     es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					MaxAgeDays:     5,
+					ExpireWarnDays: 5,
+				},
+			},
+		},
+		{
+			name: "invalid policy",
+			args: args{
+				es:  GetMockChangesOrgOK(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordAgePolicy{
+					ObjectRoot: es_models.ObjectRoot{Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "existing iam not found",
+			args: args{
+				es:  GetMockChangesOrgNoEvents(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordAgePolicy{
+					ObjectRoot:     es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					MaxAgeDays:     10,
+					ExpireWarnDays: 10,
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsNotFound,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := tt.args.es.ChangePasswordAgePolicy(tt.args.ctx, tt.args.policy)
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if result.MaxAgeDays != tt.res.result.MaxAgeDays {
+				t.Errorf("got wrong result MaxAgeDays: expected: %v, actual: %v ", tt.res.result.MaxAgeDays, result.MaxAgeDays)
+			}
+			if result.ExpireWarnDays != tt.res.result.ExpireWarnDays {
+				t.Errorf("got wrong result.ExpireWarnDays: expected: %v, actual: %v ", tt.res.result.ExpireWarnDays, result.ExpireWarnDays)
+			}
+		})
+	}
+}
+
+func TestRemovePasswordAgePolicy(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	type args struct {
+		es     *OrgEventstore
+		ctx    context.Context
+		policy *iam_model.PasswordAgePolicy
+	}
+	type res struct {
+		result  *iam_model.PasswordAgePolicy
+		wantErr bool
+		errFunc func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "remove password age policy, ok",
+			args: args{
+				es:  GetMockChangesOrgWithPasswordAgePolicy(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordAgePolicy{
+					ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+				},
+			},
+			res: res{},
+		},
+		{
+			name: "invalid policy",
+			args: args{
+				es:  GetMockChangesOrgOK(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordAgePolicy{
+					ObjectRoot: es_models.ObjectRoot{Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "existing iam not found",
+			args: args{
+				es:  GetMockChangesOrgNoEvents(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordAgePolicy{
+					ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsNotFound,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.args.es.RemovePasswordAgePolicy(tt.args.ctx, tt.args.policy)
+
+			if !tt.res.wantErr && err != nil {
+				t.Errorf("got wrong result should not get err: %v", err)
+			}
+			if tt.res.wantErr && !tt.res.errFunc(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+		})
+	}
+}
+
+func TestAddPasswordLockoutPolicy(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	type args struct {
+		es     *OrgEventstore
+		ctx    context.Context
+		policy *iam_model.PasswordLockoutPolicy
+	}
+	type res struct {
+		result  *iam_model.PasswordLockoutPolicy
+		wantErr bool
+		errFunc func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "add password lockout policy, ok",
+			args: args{
+				es:  GetMockChangesOrgOK(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordLockoutPolicy{
+					ObjectRoot:          es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					MaxAttempts:         10,
+					ShowLockOutFailures: true,
+				},
+			},
+			res: res{
+				result: &iam_model.PasswordLockoutPolicy{
+					ObjectRoot:          es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					MaxAttempts:         10,
+					ShowLockOutFailures: true,
+				},
+			},
+		},
+		{
+			name: "invalid policy",
+			args: args{
+				es:  GetMockChangesOrgOK(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordLockoutPolicy{
+					ObjectRoot: es_models.ObjectRoot{Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "existing org not found",
+			args: args{
+				es:  GetMockChangesOrgNoEvents(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordLockoutPolicy{
+					ObjectRoot:          es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					MaxAttempts:         10,
+					ShowLockOutFailures: true,
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsNotFound,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := tt.args.es.AddPasswordLockoutPolicy(tt.args.ctx, tt.args.policy)
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if result.MaxAttempts != tt.res.result.MaxAttempts {
+				t.Errorf("got wrong result MaxAttempts: expected: %v, actual: %v ", tt.res.result.MaxAttempts, result.MaxAttempts)
+			}
+			if result.ShowLockOutFailures != tt.res.result.ShowLockOutFailures {
+				t.Errorf("got wrong result.ShowLockOutFailures: expected: %v, actual: %v ", tt.res.result.ShowLockOutFailures, result.ShowLockOutFailures)
+			}
+		})
+	}
+}
+
+func TestChangePasswordLockoutPolicy(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	type args struct {
+		es     *OrgEventstore
+		ctx    context.Context
+		policy *iam_model.PasswordLockoutPolicy
+	}
+	type res struct {
+		result  *iam_model.PasswordLockoutPolicy
+		wantErr bool
+		errFunc func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "change password lockout policy, ok",
+			args: args{
+				es:  GetMockChangesOrgWithPasswordLockoutPolicy(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordLockoutPolicy{
+					ObjectRoot:          es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					MaxAttempts:         5,
+					ShowLockOutFailures: false,
+				},
+			},
+			res: res{
+				result: &iam_model.PasswordLockoutPolicy{
+					ObjectRoot:          es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					MaxAttempts:         5,
+					ShowLockOutFailures: false,
+				},
+			},
+		},
+		{
+			name: "invalid policy",
+			args: args{
+				es:  GetMockChangesOrgOK(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordLockoutPolicy{
+					ObjectRoot: es_models.ObjectRoot{Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "existing iam not found",
+			args: args{
+				es:  GetMockChangesOrgNoEvents(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordLockoutPolicy{
+					ObjectRoot:          es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+					MaxAttempts:         10,
+					ShowLockOutFailures: true,
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsNotFound,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := tt.args.es.ChangePasswordLockoutPolicy(tt.args.ctx, tt.args.policy)
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if result.MaxAttempts != tt.res.result.MaxAttempts {
+				t.Errorf("got wrong result MaxAttempts: expected: %v, actual: %v ", tt.res.result.MaxAttempts, result.MaxAttempts)
+			}
+			if result.ShowLockOutFailures != tt.res.result.ShowLockOutFailures {
+				t.Errorf("got wrong result.ShowLockOutFailures: expected: %v, actual: %v ", tt.res.result.ShowLockOutFailures, result.ShowLockOutFailures)
+			}
+		})
+	}
+}
+
+func TestRemovePasswordLockoutPolicy(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	type args struct {
+		es     *OrgEventstore
+		ctx    context.Context
+		policy *iam_model.PasswordLockoutPolicy
+	}
+	type res struct {
+		result  *iam_model.PasswordLockoutPolicy
+		wantErr bool
+		errFunc func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "remove password lockout policy, ok",
+			args: args{
+				es:  GetMockChangesOrgWithPasswordLockoutPolicy(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordLockoutPolicy{
+					ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+				},
+			},
+			res: res{},
+		},
+		{
+			name: "invalid policy",
+			args: args{
+				es:  GetMockChangesOrgOK(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordLockoutPolicy{
+					ObjectRoot: es_models.ObjectRoot{Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "existing iam not found",
+			args: args{
+				es:  GetMockChangesOrgNoEvents(ctrl),
+				ctx: authz.NewMockContext("orgID", "userID"),
+				policy: &iam_model.PasswordLockoutPolicy{
+					ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 0},
+				},
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsNotFound,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.args.es.RemovePasswordLockoutPolicy(tt.args.ctx, tt.args.policy)
+
+			if !tt.res.wantErr && err != nil {
+				t.Errorf("got wrong result should not get err: %v", err)
+			}
+			if tt.res.wantErr && !tt.res.errFunc(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+		})
+	}
+}
--- a/internal/org/repository/eventsourcing/model/org.go
+++ b/internal/org/repository/eventsourcing/model/org.go
@@ -20,11 +20,14 @@ type Org struct {
 	Name  string `json:"name,omitempty"`
 	State int32  `json:"-"`

-	Domains      []*OrgDomain              `json:"-"`
-	Members      []*OrgMember              `json:"-"`
-	OrgIamPolicy *OrgIAMPolicy             `json:"-"`
-	LoginPolicy  *iam_es_model.LoginPolicy `json:"-"`
-	IDPs         []*iam_es_model.IDPConfig `json:"-"`
+	Domains                  []*OrgDomain                           `json:"-"`
+	Members                  []*OrgMember                           `json:"-"`
+	OrgIAMPolicy             *iam_es_model.OrgIAMPolicy             `json:"-"`
+	IDPs                     []*iam_es_model.IDPConfig              `json:"-"`
+	LoginPolicy              *iam_es_model.LoginPolicy              `json:"-"`
+	PasswordComplexityPolicy *iam_es_model.PasswordComplexityPolicy `json:"-"`
+	PasswordAgePolicy        *iam_es_model.PasswordAgePolicy        `json:"-"`
+	PasswordLockoutPolicy    *iam_es_model.PasswordLockoutPolicy    `json:"-"`
 }

 func OrgFromModel(org *org_model.Org) *Org {
@@ -40,11 +43,20 @@ func OrgFromModel(org *org_model.Org) *Org {
 		IDPs:       idps,
 	}
 	if org.OrgIamPolicy != nil {
-		converted.OrgIamPolicy = OrgIAMPolicyFromModel(org.OrgIamPolicy)
+		converted.OrgIAMPolicy = iam_es_model.OrgIAMPolicyFromModel(org.OrgIamPolicy)
 	}
 	if org.LoginPolicy != nil {
 		converted.LoginPolicy = iam_es_model.LoginPolicyFromModel(org.LoginPolicy)
 	}
+	if org.PasswordComplexityPolicy != nil {
+		converted.PasswordComplexityPolicy = iam_es_model.PasswordComplexityPolicyFromModel(org.PasswordComplexityPolicy)
+	}
+	if org.PasswordAgePolicy != nil {
+		converted.PasswordAgePolicy = iam_es_model.PasswordAgePolicyFromModel(org.PasswordAgePolicy)
+	}
+	if org.PasswordLockoutPolicy != nil {
+		converted.PasswordLockoutPolicy = iam_es_model.PasswordLockoutPolicyFromModel(org.PasswordLockoutPolicy)
+	}
 	return converted
 }

@@ -57,12 +69,21 @@ func OrgToModel(org *Org) *org_model.Org {
 		Members:    OrgMembersToModel(org.Members),
 		IDPs:       iam_es_model.IDPConfigsToModel(org.IDPs),
 	}
-	if org.OrgIamPolicy != nil {
-		converted.OrgIamPolicy = OrgIAMPolicyToModel(org.OrgIamPolicy)
+	if org.OrgIAMPolicy != nil {
+		converted.OrgIamPolicy = iam_es_model.OrgIAMPolicyToModel(org.OrgIAMPolicy)
 	}
 	if org.LoginPolicy != nil {
 		converted.LoginPolicy = iam_es_model.LoginPolicyToModel(org.LoginPolicy)
 	}
+	if org.PasswordComplexityPolicy != nil {
+		converted.PasswordComplexityPolicy = iam_es_model.PasswordComplexityPolicyToModel(org.PasswordComplexityPolicy)
+	}
+	if org.PasswordAgePolicy != nil {
+		converted.PasswordAgePolicy = iam_es_model.PasswordAgePolicyToModel(org.PasswordAgePolicy)
+	}
+	if org.PasswordLockoutPolicy != nil {
+		converted.PasswordLockoutPolicy = iam_es_model.PasswordLockoutPolicyToModel(org.PasswordLockoutPolicy)
+	}
 	return converted
 }

@@ -164,6 +185,24 @@ func (o *Org) AppendEvent(event *es_models.Event) (err error) {
 		err = o.appendAddIdpProviderToLoginPolicyEvent(event)
 	case LoginPolicyIDPProviderRemoved:
 		err = o.appendRemoveIdpProviderFromLoginPolicyEvent(event)
+	case PasswordComplexityPolicyAdded:
+		err = o.appendAddPasswordComplexityPolicyEvent(event)
+	case PasswordComplexityPolicyChanged:
+		err = o.appendChangePasswordComplexityPolicyEvent(event)
+	case PasswordComplexityPolicyRemoved:
+		o.appendRemovePasswordComplexityPolicyEvent(event)
+	case PasswordAgePolicyAdded:
+		err = o.appendAddPasswordAgePolicyEvent(event)
+	case PasswordAgePolicyChanged:
+		err = o.appendChangePasswordAgePolicyEvent(event)
+	case PasswordAgePolicyRemoved:
+		o.appendRemovePasswordAgePolicyEvent(event)
+	case PasswordLockoutPolicyAdded:
+		err = o.appendAddPasswordLockoutPolicyEvent(event)
+	case PasswordLockoutPolicyChanged:
+		err = o.appendChangePasswordLockoutPolicyEvent(event)
+	case PasswordLockoutPolicyRemoved:
+		o.appendRemovePasswordLockoutPolicyEvent(event)
 	}
 	if err != nil {
 		return err
--- a/internal/org/repository/eventsourcing/model/org_iam_policy.go
+++ b/internal/org/repository/eventsourcing/model/org_iam_policy.go
@@ -1,72 +1,24 @@
 package model

 import (
-	"encoding/json"
-	"github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/eventstore/models"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
-	org_model "github.com/caos/zitadel/internal/org/model"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
 )

-type OrgIAMPolicy struct {
-	models.ObjectRoot
-
-	Description           string `json:"description,omitempty"`
-	State                 int32  `json:"-"`
-	UserLoginMustBeDomain bool   `json:"userLoginMustBeDomain"`
-}
-
-func OrgIAMPolicyToModel(policy *OrgIAMPolicy) *org_model.OrgIAMPolicy {
-	return &org_model.OrgIAMPolicy{
-		ObjectRoot:            policy.ObjectRoot,
-		State:                 org_model.PolicyState(policy.State),
-		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
-	}
-}
-
-func OrgIAMPolicyFromModel(policy *org_model.OrgIAMPolicy) *OrgIAMPolicy {
-	return &OrgIAMPolicy{
-		ObjectRoot:            policy.ObjectRoot,
-		State:                 int32(policy.State),
-		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
-	}
-}
-
 func (o *Org) appendAddOrgIAMPolicyEvent(event *es_models.Event) error {
-	o.OrgIamPolicy = new(OrgIAMPolicy)
-	err := o.OrgIamPolicy.SetData(event)
+	o.OrgIAMPolicy = new(iam_es_model.OrgIAMPolicy)
+	err := o.OrgIAMPolicy.SetData(event)
 	if err != nil {
 		return err
 	}
-	o.OrgIamPolicy.ObjectRoot.CreationDate = event.CreationDate
+	o.OrgIAMPolicy.ObjectRoot.CreationDate = event.CreationDate
 	return nil
 }

 func (o *Org) appendChangeOrgIAMPolicyEvent(event *es_models.Event) error {
-	return o.OrgIamPolicy.SetData(event)
+	return o.OrgIAMPolicy.SetData(event)
 }

 func (o *Org) appendRemoveOrgIAMPolicyEvent() {
-	o.OrgIamPolicy = nil
-}
-
-func (p *OrgIAMPolicy) Changes(changed *OrgIAMPolicy) map[string]interface{} {
-	changes := make(map[string]interface{}, 2)
-
-	if changed.Description != p.Description {
-		changes["description"] = changed.Description
-	}
-	if changed.UserLoginMustBeDomain != p.UserLoginMustBeDomain {
-		changes["userLoginMustBeDomain"] = changed.UserLoginMustBeDomain
-	}
-
-	return changes
-}
-
-func (p *OrgIAMPolicy) SetData(event *es_models.Event) error {
-	err := json.Unmarshal(event.Data, p)
-	if err != nil {
-		return errors.ThrowInternal(err, "EVENT-7JS9d", "unable to unmarshal data")
-	}
-	return nil
+	o.OrgIAMPolicy = nil
 }
--- a/internal/org/repository/eventsourcing/model/password_age_policy.go
+++ b/internal/org/repository/eventsourcing/model/password_age_policy.go
@@ -0,0 +1,24 @@
+package model
+
+import (
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+)
+
+func (o *Org) appendAddPasswordAgePolicyEvent(event *es_models.Event) error {
+	o.PasswordAgePolicy = new(iam_es_model.PasswordAgePolicy)
+	err := o.PasswordAgePolicy.SetData(event)
+	if err != nil {
+		return err
+	}
+	o.PasswordAgePolicy.ObjectRoot.CreationDate = event.CreationDate
+	return nil
+}
+
+func (o *Org) appendChangePasswordAgePolicyEvent(event *es_models.Event) error {
+	return o.PasswordAgePolicy.SetData(event)
+}
+
+func (o *Org) appendRemovePasswordAgePolicyEvent(event *es_models.Event) {
+	o.PasswordAgePolicy = nil
+}
--- a/internal/org/repository/eventsourcing/model/password_age_policy_test.go
+++ b/internal/org/repository/eventsourcing/model/password_age_policy_test.go
@@ -0,0 +1,86 @@
+package model
+
+import (
+	"encoding/json"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	"testing"
+)
+
+func TestAppendAddPasswordAgePolicyEvent(t *testing.T) {
+	type args struct {
+		org    *Org
+		policy *iam_es_model.PasswordAgePolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append add password age policy event",
+			args: args{
+				org:    &Org{},
+				policy: &iam_es_model.PasswordAgePolicy{MaxAgeDays: 10},
+				event:  &es_models.Event{},
+			},
+			result: &Org{PasswordAgePolicy: &iam_es_model.PasswordAgePolicy{MaxAgeDays: 10}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendAddPasswordAgePolicyEvent(tt.args.event)
+			if tt.result.PasswordAgePolicy.MaxAgeDays != tt.args.org.PasswordAgePolicy.MaxAgeDays {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordAgePolicy.MaxAgeDays, tt.args.org.PasswordAgePolicy.MaxAgeDays)
+			}
+		})
+	}
+}
+
+func TestAppendChangePasswordAgePolicyEvent(t *testing.T) {
+	type args struct {
+		org    *Org
+		policy *iam_es_model.PasswordAgePolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append change password age policy event",
+			args: args{
+				org: &Org{PasswordAgePolicy: &iam_es_model.PasswordAgePolicy{
+					MaxAgeDays: 10,
+				}},
+				policy: &iam_es_model.PasswordAgePolicy{MaxAgeDays: 5, ExpireWarnDays: 10},
+				event:  &es_models.Event{},
+			},
+			result: &Org{PasswordAgePolicy: &iam_es_model.PasswordAgePolicy{
+				MaxAgeDays:     5,
+				ExpireWarnDays: 10,
+			}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendChangePasswordAgePolicyEvent(tt.args.event)
+			if tt.result.PasswordAgePolicy.MaxAgeDays != tt.args.org.PasswordAgePolicy.MaxAgeDays {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordAgePolicy.MaxAgeDays, tt.args.org.PasswordAgePolicy.MaxAgeDays)
+			}
+			if tt.result.PasswordAgePolicy.ExpireWarnDays != tt.args.org.PasswordAgePolicy.ExpireWarnDays {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordAgePolicy.ExpireWarnDays, tt.args.org.PasswordAgePolicy.ExpireWarnDays)
+			}
+		})
+	}
+}
--- a/internal/org/repository/eventsourcing/model/password_complexity_policy.go
+++ b/internal/org/repository/eventsourcing/model/password_complexity_policy.go
@@ -0,0 +1,24 @@
+package model
+
+import (
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+)
+
+func (o *Org) appendAddPasswordComplexityPolicyEvent(event *es_models.Event) error {
+	o.PasswordComplexityPolicy = new(iam_es_model.PasswordComplexityPolicy)
+	err := o.PasswordComplexityPolicy.SetData(event)
+	if err != nil {
+		return err
+	}
+	o.PasswordComplexityPolicy.ObjectRoot.CreationDate = event.CreationDate
+	return nil
+}
+
+func (o *Org) appendChangePasswordComplexityPolicyEvent(event *es_models.Event) error {
+	return o.PasswordComplexityPolicy.SetData(event)
+}
+
+func (o *Org) appendRemovePasswordComplexityPolicyEvent(event *es_models.Event) {
+	o.PasswordComplexityPolicy = nil
+}
--- a/internal/org/repository/eventsourcing/model/password_complexity_policy_test.go
+++ b/internal/org/repository/eventsourcing/model/password_complexity_policy_test.go
@@ -0,0 +1,86 @@
+package model
+
+import (
+	"encoding/json"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	"testing"
+)
+
+func TestAppendAddPasswordComplexityPolicyEvent(t *testing.T) {
+	type args struct {
+		org    *Org
+		policy *iam_es_model.PasswordComplexityPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append add password complexity policy event",
+			args: args{
+				org:    &Org{},
+				policy: &iam_es_model.PasswordComplexityPolicy{MinLength: 10},
+				event:  &es_models.Event{},
+			},
+			result: &Org{PasswordComplexityPolicy: &iam_es_model.PasswordComplexityPolicy{MinLength: 10}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendAddPasswordComplexityPolicyEvent(tt.args.event)
+			if tt.result.PasswordComplexityPolicy.MinLength != tt.args.org.PasswordComplexityPolicy.MinLength {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordComplexityPolicy.MinLength, tt.args.org.PasswordComplexityPolicy.MinLength)
+			}
+		})
+	}
+}
+
+func TestAppendChangePasswordComplexityPolicyEvent(t *testing.T) {
+	type args struct {
+		org    *Org
+		policy *iam_es_model.PasswordComplexityPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append change password complexity policy event",
+			args: args{
+				org: &Org{PasswordComplexityPolicy: &iam_es_model.PasswordComplexityPolicy{
+					MinLength: 10,
+				}},
+				policy: &iam_es_model.PasswordComplexityPolicy{MinLength: 5, HasLowercase: true},
+				event:  &es_models.Event{},
+			},
+			result: &Org{PasswordComplexityPolicy: &iam_es_model.PasswordComplexityPolicy{
+				MinLength:    5,
+				HasLowercase: true,
+			}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendChangePasswordComplexityPolicyEvent(tt.args.event)
+			if tt.result.PasswordComplexityPolicy.MinLength != tt.args.org.PasswordComplexityPolicy.MinLength {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordComplexityPolicy.MinLength, tt.args.org.PasswordComplexityPolicy.MinLength)
+			}
+			if tt.result.PasswordComplexityPolicy.HasLowercase != tt.args.org.PasswordComplexityPolicy.HasLowercase {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordComplexityPolicy.HasLowercase, tt.args.org.PasswordComplexityPolicy.HasLowercase)
+			}
+		})
+	}
+}
--- a/internal/org/repository/eventsourcing/model/password_lockout_policy.go
+++ b/internal/org/repository/eventsourcing/model/password_lockout_policy.go
@@ -0,0 +1,24 @@
+package model
+
+import (
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+)
+
+func (o *Org) appendAddPasswordLockoutPolicyEvent(event *es_models.Event) error {
+	o.PasswordLockoutPolicy = new(iam_es_model.PasswordLockoutPolicy)
+	err := o.PasswordLockoutPolicy.SetData(event)
+	if err != nil {
+		return err
+	}
+	o.PasswordLockoutPolicy.ObjectRoot.CreationDate = event.CreationDate
+	return nil
+}
+
+func (o *Org) appendChangePasswordLockoutPolicyEvent(event *es_models.Event) error {
+	return o.PasswordLockoutPolicy.SetData(event)
+}
+
+func (o *Org) appendRemovePasswordLockoutPolicyEvent(event *es_models.Event) {
+	o.PasswordLockoutPolicy = nil
+}
--- a/internal/org/repository/eventsourcing/model/password_lockout_policy_test.go
+++ b/internal/org/repository/eventsourcing/model/password_lockout_policy_test.go
@@ -0,0 +1,86 @@
+package model
+
+import (
+	"encoding/json"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	"testing"
+)
+
+func TestAppendAddPasswordLockoutPolicyEvent(t *testing.T) {
+	type args struct {
+		org    *Org
+		policy *iam_es_model.PasswordLockoutPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append add password age policy event",
+			args: args{
+				org:    &Org{},
+				policy: &iam_es_model.PasswordLockoutPolicy{MaxAttempts: 10},
+				event:  &es_models.Event{},
+			},
+			result: &Org{PasswordLockoutPolicy: &iam_es_model.PasswordLockoutPolicy{MaxAttempts: 10}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendAddPasswordLockoutPolicyEvent(tt.args.event)
+			if tt.result.PasswordLockoutPolicy.MaxAttempts != tt.args.org.PasswordLockoutPolicy.MaxAttempts {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordLockoutPolicy.MaxAttempts, tt.args.org.PasswordLockoutPolicy.MaxAttempts)
+			}
+		})
+	}
+}
+
+func TestAppendChangePasswordLockoutPolicyEvent(t *testing.T) {
+	type args struct {
+		org    *Org
+		policy *iam_es_model.PasswordLockoutPolicy
+		event  *es_models.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result *Org
+	}{
+		{
+			name: "append change password age policy event",
+			args: args{
+				org: &Org{PasswordLockoutPolicy: &iam_es_model.PasswordLockoutPolicy{
+					MaxAttempts: 10,
+				}},
+				policy: &iam_es_model.PasswordLockoutPolicy{MaxAttempts: 5, ShowLockOutFailures: true},
+				event:  &es_models.Event{},
+			},
+			result: &Org{PasswordLockoutPolicy: &iam_es_model.PasswordLockoutPolicy{
+				MaxAttempts:         5,
+				ShowLockOutFailures: true,
+			}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.args.policy != nil {
+				data, _ := json.Marshal(tt.args.policy)
+				tt.args.event.Data = data
+			}
+			tt.args.org.appendChangePasswordLockoutPolicyEvent(tt.args.event)
+			if tt.result.PasswordLockoutPolicy.MaxAttempts != tt.args.org.PasswordLockoutPolicy.MaxAttempts {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordLockoutPolicy.MaxAttempts, tt.args.org.PasswordLockoutPolicy.MaxAttempts)
+			}
+			if tt.result.PasswordLockoutPolicy.ShowLockOutFailures != tt.args.org.PasswordLockoutPolicy.ShowLockOutFailures {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result.PasswordLockoutPolicy.ShowLockOutFailures, tt.args.org.PasswordLockoutPolicy.ShowLockOutFailures)
+			}
+		})
+	}
+}
--- a/internal/org/repository/eventsourcing/model/types.go
+++ b/internal/org/repository/eventsourcing/model/types.go
@@ -51,4 +51,16 @@ const (
 	LoginPolicyIDPProviderAdded          models.EventType = "org.policy.login.idpprovider.added"
 	LoginPolicyIDPProviderRemoved        models.EventType = "org.policy.login.idpprovider.removed"
 	LoginPolicyIDPProviderCascadeRemoved models.EventType = "org.policy.login.idpprovider.cascade.removed"
+
+	PasswordComplexityPolicyAdded   models.EventType = "org.policy.password.complexity.added"
+	PasswordComplexityPolicyChanged models.EventType = "org.policy.password.complexity.changed"
+	PasswordComplexityPolicyRemoved models.EventType = "org.policy.password.complexity.removed"
+
+	PasswordAgePolicyAdded   models.EventType = "org.policy.password.age.added"
+	PasswordAgePolicyChanged models.EventType = "org.policy.password.age.changed"
+	PasswordAgePolicyRemoved models.EventType = "org.policy.password.age.removed"
+
+	PasswordLockoutPolicyAdded   models.EventType = "org.policy.password.lockout.added"
+	PasswordLockoutPolicyChanged models.EventType = "org.policy.password.lockout.changed"
+	PasswordLockoutPolicyRemoved models.EventType = "org.policy.password.lockout.removed"
 )
--- a/internal/org/repository/eventsourcing/org_iam_policy.go
+++ b/internal/org/repository/eventsourcing/org_iam_policy.go
@@ -2,13 +2,14 @@ package eventsourcing

 import (
 	"context"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"

 	"github.com/caos/zitadel/internal/errors"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
 )

-func OrgIAMPolicyAddedAggregate(aggCreator *es_models.AggregateCreator, org *model.Org, policy *model.OrgIAMPolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
+func OrgIAMPolicyAddedAggregate(aggCreator *es_models.AggregateCreator, org *model.Org, policy *iam_es_model.OrgIAMPolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
 	return func(ctx context.Context) (*es_models.Aggregate, error) {
 		if policy == nil {
 			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-i9sJS", "Errors.Internal")
@@ -21,7 +22,7 @@ func OrgIAMPolicyAddedAggregate(aggCreator *es_models.AggregateCreator, org *mod
 	}
 }

-func OrgIAMPolicyChangedAggregate(aggCreator *es_models.AggregateCreator, org *model.Org, policy *model.OrgIAMPolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
+func OrgIAMPolicyChangedAggregate(aggCreator *es_models.AggregateCreator, org *model.Org, policy *iam_es_model.OrgIAMPolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
 	return func(ctx context.Context) (*es_models.Aggregate, error) {
 		if policy == nil {
 			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-9Ksie", "Errors.Internal")
@@ -30,7 +31,7 @@ func OrgIAMPolicyChangedAggregate(aggCreator *es_models.AggregateCreator, org *m
 		if err != nil {
 			return nil, err
 		}
-		changes := org.OrgIamPolicy.Changes(policy)
+		changes := org.OrgIAMPolicy.Changes(policy)
 		if len(changes) == 0 {
 			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Js6Vs", "Errors.NoChangesFound")
 		}
--- a/internal/org/repository/eventsourcing/org_iam_policy_test.go
+++ b/internal/org/repository/eventsourcing/org_iam_policy_test.go
@@ -2,6 +2,7 @@ package eventsourcing

 import (
 	"context"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
 	"testing"

 	"github.com/caos/zitadel/internal/api/authz"
@@ -20,7 +21,7 @@ func TestOrgIamPolicyAddedAggregates(t *testing.T) {
 		ctx        context.Context
 		aggCreator *es_models.AggregateCreator
 		org        *model.Org
-		policy     *model.OrgIAMPolicy
+		policy     *iam_es_model.OrgIAMPolicy
 	}
 	tests := []struct {
 		name string
@@ -48,8 +49,7 @@ func TestOrgIamPolicyAddedAggregates(t *testing.T) {
 						Sequence:    5,
 					},
 				},
-				policy: &model.OrgIAMPolicy{
-					Description:           "description",
+				policy: &iam_es_model.OrgIAMPolicy{
 					UserLoginMustBeDomain: true,
 				},
 			},
@@ -90,7 +90,7 @@ func TestOrgIamPolicyChangedAggregates(t *testing.T) {
 		ctx        context.Context
 		aggCreator *es_models.AggregateCreator
 		org        *model.Org
-		policy     *model.OrgIAMPolicy
+		policy     *iam_es_model.OrgIAMPolicy
 	}
 	tests := []struct {
 		name string
@@ -117,13 +117,11 @@ func TestOrgIamPolicyChangedAggregates(t *testing.T) {
 						AggregateID: "sdaf",
 						Sequence:    5,
 					},
-					OrgIamPolicy: &model.OrgIAMPolicy{
-						Description:           "description",
+					OrgIAMPolicy: &iam_es_model.OrgIAMPolicy{
 						UserLoginMustBeDomain: true,
 					},
 				},
-				policy: &model.OrgIAMPolicy{
-					Description:           "description",
+				policy: &iam_es_model.OrgIAMPolicy{
 					UserLoginMustBeDomain: false,
 				},
 			},
@@ -143,13 +141,11 @@ func TestOrgIamPolicyChangedAggregates(t *testing.T) {
 						AggregateID: "sdaf",
 						Sequence:    5,
 					},
-					OrgIamPolicy: &model.OrgIAMPolicy{
-						Description:           "description",
+					OrgIAMPolicy: &iam_es_model.OrgIAMPolicy{
 						UserLoginMustBeDomain: true,
 					},
 				},
-				policy: &model.OrgIAMPolicy{
-					Description:           "description",
+				policy: &iam_es_model.OrgIAMPolicy{
 					UserLoginMustBeDomain: true,
 				},
 			},
@@ -204,8 +200,7 @@ func TestOrgIamPolicyRemovedAggregates(t *testing.T) {
 						AggregateID: "sdaf",
 						Sequence:    5,
 					},
-					OrgIamPolicy: &model.OrgIAMPolicy{
-						Description:           "description",
+					OrgIAMPolicy: &iam_es_model.OrgIAMPolicy{
 						UserLoginMustBeDomain: true,
 					},
 				},
--- a/internal/org/repository/eventsourcing/password_age_policy.go
+++ b/internal/org/repository/eventsourcing/password_age_policy.go
@@ -0,0 +1,76 @@
+package eventsourcing
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+)
+
+func PasswordAgePolicyAddedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org, policy *iam_es_model.PasswordAgePolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if policy == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Hms9d", "Errors.Internal")
+		}
+		agg, err := OrgAggregate(ctx, aggCreator, existing.AggregateID, existing.Sequence)
+		if err != nil {
+			return nil, err
+		}
+		validationQuery := es_models.NewSearchQuery().
+			AggregateTypeFilter(model.OrgAggregate).
+			AggregateIDFilter(existing.AggregateID)
+
+		validation := checkExistingPasswordAgePolicyValidation()
+		agg.SetPrecondition(validationQuery, validation)
+		return agg.AppendEvent(model.PasswordAgePolicyAdded, policy)
+	}
+}
+
+func PasswordAgePolicyChangedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org, policy *iam_es_model.PasswordAgePolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if policy == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-3Gms0f", "Errors.Internal")
+		}
+		agg, err := OrgAggregate(ctx, aggCreator, existing.AggregateID, existing.Sequence)
+		if err != nil {
+			return nil, err
+		}
+		changes := existing.PasswordAgePolicy.Changes(policy)
+		if len(changes) == 0 {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Ls0rs", "Errors.NoChangesFound")
+		}
+		return agg.AppendEvent(model.PasswordAgePolicyChanged, changes)
+	}
+}
+
+func PasswordAgePolicyRemovedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if existing == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-4Gsk9", "Errors.Internal")
+		}
+		agg, err := OrgAggregate(ctx, aggCreator, existing.AggregateID, existing.Sequence)
+		if err != nil {
+			return nil, err
+		}
+		return agg.AppendEvent(model.PasswordAgePolicyRemoved, nil)
+	}
+}
+
+func checkExistingPasswordAgePolicyValidation() func(...*es_models.Event) error {
+	return func(events ...*es_models.Event) error {
+		existing := false
+		for _, event := range events {
+			switch event.Type {
+			case model.PasswordAgePolicyAdded:
+				existing = true
+			case model.PasswordAgePolicyRemoved:
+				existing = false
+			}
+		}
+		if existing {
+			return errors.ThrowPreconditionFailed(nil, "EVENT-2Fjs0", "Errors.Org.PasswordAgePolicy.AlreadyExists")
+		}
+		return nil
+	}
+}
--- a/internal/org/repository/eventsourcing/password_age_policy_test.go
+++ b/internal/org/repository/eventsourcing/password_age_policy_test.go
@@ -0,0 +1,258 @@
+package eventsourcing
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/api/authz"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+	"testing"
+)
+
+func TestPasswordAgePolicyAddedAggregate(t *testing.T) {
+	type args struct {
+		ctx        context.Context
+		existing   *model.Org
+		new        *iam_es_model.PasswordAgePolicy
+		aggCreator *models.AggregateCreator
+	}
+	type res struct {
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "add password age policy",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existing: &model.Org{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+				},
+				new: &iam_es_model.PasswordAgePolicy{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					MaxAgeDays: 10,
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.PasswordAgePolicyAdded},
+			},
+		},
+		{
+			name: "existing org nil",
+			args: args{
+				ctx:        authz.NewMockContext("orgID", "userID"),
+				existing:   nil,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "password age policy config nil",
+			args: args{
+				ctx:        authz.NewMockContext("orgID", "userID"),
+				existing:   &model.Org{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}},
+				new:        nil,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			agg, err := PasswordAgePolicyAddedAggregate(tt.args.aggCreator, tt.args.existing, tt.args.new)(tt.args.ctx)
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if len(agg.Events) != tt.res.eventLen {
+				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
+			}
+			for i := 0; i < tt.res.eventLen; i++ {
+				if agg.Events[i].Type != tt.res.eventTypes[i] {
+					t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+				}
+				if agg.Events[i].Data == nil {
+					t.Errorf("should have data in event")
+				}
+			}
+		})
+	}
+}
+
+func TestPasswordAgePolicyChangedAggregate(t *testing.T) {
+	type args struct {
+		ctx        context.Context
+		existing   *model.Org
+		new        *iam_es_model.PasswordAgePolicy
+		aggCreator *models.AggregateCreator
+	}
+	type res struct {
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "change password age policy",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existing: &model.Org{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					PasswordAgePolicy: &iam_es_model.PasswordAgePolicy{
+						ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					},
+				},
+				new: &iam_es_model.PasswordAgePolicy{
+					ObjectRoot:     models.ObjectRoot{AggregateID: "AggregateID"},
+					MaxAgeDays:     5,
+					ExpireWarnDays: 5,
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.PasswordAgePolicyChanged},
+			},
+		},
+		{
+			name: "existing org nil",
+			args: args{
+				ctx:        authz.NewMockContext("orgID", "userID"),
+				existing:   nil,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "password age policy config nil",
+			args: args{
+				ctx:        authz.NewMockContext("orgID", "userID"),
+				existing:   &model.Org{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}},
+				new:        nil,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			agg, err := PasswordAgePolicyChangedAggregate(tt.args.aggCreator, tt.args.existing, tt.args.new)(tt.args.ctx)
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if !tt.res.wantErr && len(agg.Events) != tt.res.eventLen {
+				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
+			}
+			for i := 0; i < tt.res.eventLen; i++ {
+				if !tt.res.wantErr && agg.Events[i].Type != tt.res.eventTypes[i] {
+					t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+				}
+				if !tt.res.wantErr && agg.Events[i].Data == nil {
+					t.Errorf("should have data in event")
+				}
+			}
+		})
+	}
+}
+
+func TestPasswordAgePolicyRemovedAggregate(t *testing.T) {
+	type args struct {
+		ctx        context.Context
+		existing   *model.Org
+		aggCreator *models.AggregateCreator
+	}
+	type res struct {
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "remove password age policy",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existing: &model.Org{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					PasswordAgePolicy: &iam_es_model.PasswordAgePolicy{
+						ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					},
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.PasswordAgePolicyRemoved},
+			},
+		},
+		{
+			name: "existing org nil",
+			args: args{
+				ctx:        authz.NewMockContext("orgID", "userID"),
+				existing:   nil,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			agg, err := PasswordAgePolicyRemovedAggregate(tt.args.aggCreator, tt.args.existing)(tt.args.ctx)
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if !tt.res.wantErr && len(agg.Events) != tt.res.eventLen {
+				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
+			}
+			for i := 0; i < tt.res.eventLen; i++ {
+				if !tt.res.wantErr && agg.Events[i].Type != tt.res.eventTypes[i] {
+					t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+				}
+			}
+		})
+	}
+}
--- a/internal/org/repository/eventsourcing/password_complexity_policy.go
+++ b/internal/org/repository/eventsourcing/password_complexity_policy.go
@@ -0,0 +1,76 @@
+package eventsourcing
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+)
+
+func PasswordComplexityPolicyAddedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org, policy *iam_es_model.PasswordComplexityPolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if policy == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-F8iso", "Errors.Internal")
+		}
+		agg, err := OrgAggregate(ctx, aggCreator, existing.AggregateID, existing.Sequence)
+		if err != nil {
+			return nil, err
+		}
+		validationQuery := es_models.NewSearchQuery().
+			AggregateTypeFilter(model.OrgAggregate).
+			AggregateIDFilter(existing.AggregateID)
+
+		validation := checkExistingPasswordComplexityPolicyValidation()
+		agg.SetPrecondition(validationQuery, validation)
+		return agg.AppendEvent(model.PasswordComplexityPolicyAdded, policy)
+	}
+}
+
+func PasswordComplexityPolicyChangedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org, policy *iam_es_model.PasswordComplexityPolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if policy == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-2dFT5", "Errors.Internal")
+		}
+		agg, err := OrgAggregate(ctx, aggCreator, existing.AggregateID, existing.Sequence)
+		if err != nil {
+			return nil, err
+		}
+		changes := existing.PasswordComplexityPolicy.Changes(policy)
+		if len(changes) == 0 {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Smk8d", "Errors.NoChangesFound")
+		}
+		return agg.AppendEvent(model.PasswordComplexityPolicyChanged, changes)
+	}
+}
+
+func PasswordComplexityPolicyRemovedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if existing == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-Lso9f", "Errors.Internal")
+		}
+		agg, err := OrgAggregate(ctx, aggCreator, existing.AggregateID, existing.Sequence)
+		if err != nil {
+			return nil, err
+		}
+		return agg.AppendEvent(model.PasswordComplexityPolicyRemoved, nil)
+	}
+}
+
+func checkExistingPasswordComplexityPolicyValidation() func(...*es_models.Event) error {
+	return func(events ...*es_models.Event) error {
+		existing := false
+		for _, event := range events {
+			switch event.Type {
+			case model.PasswordComplexityPolicyAdded:
+				existing = true
+			case model.PasswordComplexityPolicyRemoved:
+				existing = false
+			}
+		}
+		if existing {
+			return errors.ThrowPreconditionFailed(nil, "EVENT-5Fjs8", "Errors.Org.PasswordComplexityPolicy.AlreadyExists")
+		}
+		return nil
+	}
+}
--- a/internal/org/repository/eventsourcing/password_complexity_policy_test.go
+++ b/internal/org/repository/eventsourcing/password_complexity_policy_test.go
@@ -0,0 +1,258 @@
+package eventsourcing
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/api/authz"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+	"testing"
+)
+
+func TestPasswordComplexityPolicyAddedAggregate(t *testing.T) {
+	type args struct {
+		ctx        context.Context
+		existing   *model.Org
+		new        *iam_es_model.PasswordComplexityPolicy
+		aggCreator *models.AggregateCreator
+	}
+	type res struct {
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "add password complexity polciy",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existing: &model.Org{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+				},
+				new: &iam_es_model.PasswordComplexityPolicy{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					MinLength:  10,
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.PasswordComplexityPolicyAdded},
+			},
+		},
+		{
+			name: "existing org nil",
+			args: args{
+				ctx:        authz.NewMockContext("orgID", "userID"),
+				existing:   nil,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "password complexity policy config nil",
+			args: args{
+				ctx:        authz.NewMockContext("orgID", "userID"),
+				existing:   &model.Org{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}},
+				new:        nil,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			agg, err := PasswordComplexityPolicyAddedAggregate(tt.args.aggCreator, tt.args.existing, tt.args.new)(tt.args.ctx)
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if len(agg.Events) != tt.res.eventLen {
+				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
+			}
+			for i := 0; i < tt.res.eventLen; i++ {
+				if agg.Events[i].Type != tt.res.eventTypes[i] {
+					t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+				}
+				if agg.Events[i].Data == nil {
+					t.Errorf("should have data in event")
+				}
+			}
+		})
+	}
+}
+
+func TestPasswordComplexityPolicyChangedAggregate(t *testing.T) {
+	type args struct {
+		ctx        context.Context
+		existing   *model.Org
+		new        *iam_es_model.PasswordComplexityPolicy
+		aggCreator *models.AggregateCreator
+	}
+	type res struct {
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "change password complexity policy",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existing: &model.Org{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					PasswordComplexityPolicy: &iam_es_model.PasswordComplexityPolicy{
+						ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					},
+				},
+				new: &iam_es_model.PasswordComplexityPolicy{
+					ObjectRoot:   models.ObjectRoot{AggregateID: "AggregateID"},
+					MinLength:    5,
+					HasLowercase: true,
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.PasswordComplexityPolicyChanged},
+			},
+		},
+		{
+			name: "existing org nil",
+			args: args{
+				ctx:        authz.NewMockContext("orgID", "userID"),
+				existing:   nil,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "password complexity policy config nil",
+			args: args{
+				ctx:        authz.NewMockContext("orgID", "userID"),
+				existing:   &model.Org{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}},
+				new:        nil,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			agg, err := PasswordComplexityPolicyChangedAggregate(tt.args.aggCreator, tt.args.existing, tt.args.new)(tt.args.ctx)
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if len(agg.Events) != tt.res.eventLen {
+				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
+			}
+			for i := 0; i < tt.res.eventLen; i++ {
+				if agg.Events[i].Type != tt.res.eventTypes[i] {
+					t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+				}
+				if agg.Events[i].Data == nil {
+					t.Errorf("should have data in event")
+				}
+			}
+		})
+	}
+}
+
+func TestPasswordComplexityPolicyRemovedAggregate(t *testing.T) {
+	type args struct {
+		ctx        context.Context
+		existing   *model.Org
+		aggCreator *models.AggregateCreator
+	}
+	type res struct {
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "remove password complexity policy",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existing: &model.Org{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					PasswordComplexityPolicy: &iam_es_model.PasswordComplexityPolicy{
+						ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					},
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.PasswordComplexityPolicyRemoved},
+			},
+		},
+		{
+			name: "existing org nil",
+			args: args{
+				ctx:        authz.NewMockContext("orgID", "userID"),
+				existing:   nil,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			agg, err := PasswordComplexityPolicyRemovedAggregate(tt.args.aggCreator, tt.args.existing)(tt.args.ctx)
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if !tt.res.wantErr && len(agg.Events) != tt.res.eventLen {
+				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
+			}
+			for i := 0; i < tt.res.eventLen; i++ {
+				if agg.Events[i].Type != tt.res.eventTypes[i] {
+					t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+				}
+			}
+		})
+	}
+}
--- a/internal/org/repository/eventsourcing/password_lockout_policy.go
+++ b/internal/org/repository/eventsourcing/password_lockout_policy.go
@@ -0,0 +1,76 @@
+package eventsourcing
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+)
+
+func PasswordLockoutPolicyAddedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org, policy *iam_es_model.PasswordLockoutPolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if policy == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-4Tfi9", "Errors.Internal")
+		}
+		agg, err := OrgAggregate(ctx, aggCreator, existing.AggregateID, existing.Sequence)
+		if err != nil {
+			return nil, err
+		}
+		validationQuery := es_models.NewSearchQuery().
+			AggregateTypeFilter(model.OrgAggregate).
+			AggregateIDFilter(existing.AggregateID)
+
+		validation := checkExistingPasswordLockoutPolicyValidation()
+		agg.SetPrecondition(validationQuery, validation)
+		return agg.AppendEvent(model.PasswordLockoutPolicyAdded, policy)
+	}
+}
+
+func PasswordLockoutPolicyChangedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org, policy *iam_es_model.PasswordLockoutPolicy) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if policy == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-5lf9s", "Errors.Internal")
+		}
+		agg, err := OrgAggregate(ctx, aggCreator, existing.AggregateID, existing.Sequence)
+		if err != nil {
+			return nil, err
+		}
+		changes := existing.PasswordLockoutPolicy.Changes(policy)
+		if len(changes) == 0 {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-1dj9G", "Errors.NoChangesFound")
+		}
+		return agg.AppendEvent(model.PasswordLockoutPolicyChanged, changes)
+	}
+}
+
+func PasswordLockoutPolicyRemovedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if existing == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-6Hsl0", "Errors.Internal")
+		}
+		agg, err := OrgAggregate(ctx, aggCreator, existing.AggregateID, existing.Sequence)
+		if err != nil {
+			return nil, err
+		}
+		return agg.AppendEvent(model.PasswordLockoutPolicyRemoved, nil)
+	}
+}
+
+func checkExistingPasswordLockoutPolicyValidation() func(...*es_models.Event) error {
+	return func(events ...*es_models.Event) error {
+		existing := false
+		for _, event := range events {
+			switch event.Type {
+			case model.PasswordLockoutPolicyAdded:
+				existing = true
+			case model.PasswordLockoutPolicyRemoved:
+				existing = false
+			}
+		}
+		if existing {
+			return errors.ThrowPreconditionFailed(nil, "EVENT-2Dfl0", "Errors.Org.PasswordLockoutPolicy.AlreadyExists")
+		}
+		return nil
+	}
+}
--- a/internal/org/repository/eventsourcing/password_lockout_policy_test.go
+++ b/internal/org/repository/eventsourcing/password_lockout_policy_test.go
@@ -0,0 +1,258 @@
+package eventsourcing
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/api/authz"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+	"testing"
+)
+
+func TestPasswordLockoutPolicyAddedAggregate(t *testing.T) {
+	type args struct {
+		ctx        context.Context
+		existing   *model.Org
+		new        *iam_es_model.PasswordLockoutPolicy
+		aggCreator *models.AggregateCreator
+	}
+	type res struct {
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "add password lockout polciy",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existing: &model.Org{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+				},
+				new: &iam_es_model.PasswordLockoutPolicy{
+					ObjectRoot:  models.ObjectRoot{AggregateID: "AggregateID"},
+					MaxAttempts: 10,
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.PasswordLockoutPolicyAdded},
+			},
+		},
+		{
+			name: "existing org nil",
+			args: args{
+				ctx:        authz.NewMockContext("orgID", "userID"),
+				existing:   nil,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "password lockout policy config nil",
+			args: args{
+				ctx:        authz.NewMockContext("orgID", "userID"),
+				existing:   &model.Org{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}},
+				new:        nil,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			agg, err := PasswordLockoutPolicyAddedAggregate(tt.args.aggCreator, tt.args.existing, tt.args.new)(tt.args.ctx)
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if len(agg.Events) != tt.res.eventLen {
+				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
+			}
+			for i := 0; i < tt.res.eventLen; i++ {
+				if !tt.res.wantErr && agg.Events[i].Type != tt.res.eventTypes[i] {
+					t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+				}
+				if agg.Events[i].Data == nil {
+					t.Errorf("should have data in event")
+				}
+			}
+		})
+	}
+}
+
+func TestPasswordLockoutPolicyChangedAggregate(t *testing.T) {
+	type args struct {
+		ctx        context.Context
+		existing   *model.Org
+		new        *iam_es_model.PasswordLockoutPolicy
+		aggCreator *models.AggregateCreator
+	}
+	type res struct {
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "change password lockout policy",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existing: &model.Org{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					PasswordLockoutPolicy: &iam_es_model.PasswordLockoutPolicy{
+						ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					},
+				},
+				new: &iam_es_model.PasswordLockoutPolicy{
+					ObjectRoot:          models.ObjectRoot{AggregateID: "AggregateID"},
+					MaxAttempts:         5,
+					ShowLockOutFailures: true,
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.PasswordLockoutPolicyChanged},
+			},
+		},
+		{
+			name: "existing org nil",
+			args: args{
+				ctx:        authz.NewMockContext("orgID", "userID"),
+				existing:   nil,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "password lockout policy config nil",
+			args: args{
+				ctx:        authz.NewMockContext("orgID", "userID"),
+				existing:   &model.Org{ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"}},
+				new:        nil,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			agg, err := PasswordLockoutPolicyChangedAggregate(tt.args.aggCreator, tt.args.existing, tt.args.new)(tt.args.ctx)
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if len(agg.Events) != tt.res.eventLen {
+				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
+			}
+			for i := 0; i < tt.res.eventLen; i++ {
+				if !tt.res.wantErr && agg.Events[i].Type != tt.res.eventTypes[i] {
+					t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+				}
+				if agg.Events[i].Data == nil {
+					t.Errorf("should have data in event")
+				}
+			}
+		})
+	}
+}
+
+func TestPasswordLockoutPolicyRemovedAggregate(t *testing.T) {
+	type args struct {
+		ctx        context.Context
+		existing   *model.Org
+		aggCreator *models.AggregateCreator
+	}
+	type res struct {
+		eventLen   int
+		eventTypes []models.EventType
+		wantErr    bool
+		errFunc    func(err error) bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			name: "remove password lockout policy",
+			args: args{
+				ctx: authz.NewMockContext("orgID", "userID"),
+				existing: &model.Org{
+					ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					PasswordLockoutPolicy: &iam_es_model.PasswordLockoutPolicy{
+						ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
+					},
+				},
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				eventLen:   1,
+				eventTypes: []models.EventType{model.PasswordLockoutPolicyRemoved},
+			},
+		},
+		{
+			name: "existing org nil",
+			args: args{
+				ctx:        authz.NewMockContext("orgID", "userID"),
+				existing:   nil,
+				aggCreator: models.NewAggregateCreator("Test"),
+			},
+			res: res{
+				wantErr: true,
+				errFunc: caos_errs.IsPreconditionFailed,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			agg, err := PasswordLockoutPolicyRemovedAggregate(tt.args.aggCreator, tt.args.existing)(tt.args.ctx)
+			if (tt.res.wantErr && !tt.res.errFunc(err)) || (err != nil && !tt.res.wantErr) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.wantErr && tt.res.errFunc(err) {
+				return
+			}
+			if len(agg.Events) != tt.res.eventLen {
+				t.Errorf("got wrong event len: expected: %v, actual: %v ", tt.res.eventLen, len(agg.Events))
+			}
+			for i := 0; i < tt.res.eventLen; i++ {
+				if agg.Events[i].Type != tt.res.eventTypes[i] {
+					t.Errorf("got wrong event type: expected: %v, actual: %v ", tt.res.eventTypes[i], agg.Events[i].Type.String())
+				}
+			}
+		})
+	}
+}