diff --git a/bundles.yml b/bundles.yml
index 00bcb0f..53b970a 100644
--- a/bundles.yml
+++ b/bundles.yml
@@ -1,12 +1,12 @@
 schemaVersion: "1.0"
 bundles:
-- "nevisadmin-plugin-oauth:8.2405.2.0"
-- "nevisadmin-plugin-authcloud:8.2405.2.0"
-- "nevisadmin-plugin-nevisidm:8.2405.2.0"
-- "nevisadmin-plugin-mobile-auth:8.2405.2.0"
-- "nevisadmin-plugin-fido2:8.2405.2.0"
-- "nevisadmin-plugin-nevisdp:8.2405.2.0"
-- "nevisadmin-plugin-nevisauth:8.2405.2.0"
-- "nevisadmin-plugin-nevisproxy:8.2405.2.0"
-- "nevisadmin-plugin-nevisdetect:8.2405.2.0"
 - "nevisadmin-plugin-base-generation:8.2405.2.0"
+- "nevisadmin-plugin-oauth:8.2405.2.0"
+- "nevisadmin-plugin-nevisdetect:8.2405.2.0"
+- "nevisadmin-plugin-nevisauth:8.2405.2.0"
+- "nevisadmin-plugin-nevisdp:8.2405.2.0"
+- "nevisadmin-plugin-nevisproxy:8.2405.2.0"
+- "nevisadmin-plugin-mobile-auth:8.2405.2.0"
+- "nevisadmin-plugin-nevisidm:8.2405.2.0"
+- "nevisadmin-plugin-fido2:8.2405.2.0"
+- "nevisadmin-plugin-authcloud:8.2405.2.0"
diff --git a/patterns/1200a58c76686d520c21edb0_resources/resources-op.zip b/patterns/1200a58c76686d520c21edb0_resources/resources-op.zip
index abeafde..6d9f315 100644
Binary files a/patterns/1200a58c76686d520c21edb0_resources/resources-op.zip and b/patterns/1200a58c76686d520c21edb0_resources/resources-op.zip differ
diff --git a/patterns/39ecde9a0d101628fed3e3be_resources/resources-op.zip b/patterns/39ecde9a0d101628fed3e3be_resources/resources-op.zip
index abeafde..6d9f315 100644
Binary files a/patterns/39ecde9a0d101628fed3e3be_resources/resources-op.zip and b/patterns/39ecde9a0d101628fed3e3be_resources/resources-op.zip differ
diff --git a/patterns/488949a743edb1f46f73f232_scriptFile/setUserExtIdFromAssertion.groovy b/patterns/488949a743edb1f46f73f232_scriptFile/setUserExtIdFromAssertion.groovy
index 5ab52ed..34f41f7 100644
--- a/patterns/488949a743edb1f46f73f232_scriptFile/setUserExtIdFromAssertion.groovy
+++ b/patterns/488949a743edb1f46f73f232_scriptFile/setUserExtIdFromAssertion.groovy
@@ -13,22 +13,17 @@ try {
 response.setSessionAttribute('operationsExtId', notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'])
- if (! notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'].contains('${var.operations-unitExtId}') )
+ // we take the first one, if there is no profile in the operations unit
+ def unitAndProfileExtidPar = notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']
+ .split(',').find{pairstr -> pairstr.split("\\\\")[1] == "${var.operations-unitExtId}" }
+ ?: notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'].split(',')[0]
+
+ if (! unitAndProfileExtidPar.contains('${var.operations-unitExtId}') )
 {
- LOG.warn("[OPACCESS] User ${notes['saml.assertion.subject']} with opaccount ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']} has not operations profile")
- response.setResult('error');
- return
- }
-
-
- notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'].split(',').eachWithIndex { pairstr, i ->
- pair = pairstr.split("\\\\")
- if (pair[1] == "${var.operations-unitExtId}") {
- response.setSessionAttribute('operationsProfileExtId', pair[0])
- LOG.warn(pair[0] + " userprofileExtid has the wanted unitExtId " + pair[1])
- }
+ LOG.info("[OPACCESS] User ${notes['saml.assertion.subject']} with opaccount ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']} has no operations profile, we use the first one")
 }
+ response.setSessionAttribute('operationsProfileExtId', unitAndProfileExtidPar.split("\\\\")[0])
 response.setResult('ok');
 } catch(Exception ex) {
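Review bot: `pairstr.split("\\\\")[1]` inside the new `find` closure throws ArrayIndexOutOfBoundsException for any entry without a backslash, and an absent `notes[...]` value makes `.split(',')` throw a NullPointerException; either aborts the whole lookup into the `catch(Exception ex)` block, whose body lies after the hunk (the enclosing `try` begins before it). A guarded closure, `def parts = pairstr.split("\\\\"); parts.length > 1 && parts[1] == "${var.operations-unitExtId}"`, keeps one malformed entry from taking down the lookup. Separately, the fallback `?: ...split(',')[0]` changes the contract of the `operationsProfileExtId` session attribute: it can now name a profile in a unit other than `${var.operations-unitExtId}` (and an empty attribute value still ends in `setResult('ok')` with an empty profile id), where the removed code returned `error`, so any downstream check that assumes the profile belongs to the operations unit should be reviewed, and the fallback is worth logging at warn with the unit actually chosen rather than at info. The `if (! unitAndProfileExtidPar.contains(...))` test re-derives what `find` already decided; keeping the `find` result in its own variable and testing it for null would make the intent explicit.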
diff --git a/patterns/50d6c91ace65f52fa56d7113_rolePermissionsFile/agov-rolesMapping.properties b/patterns/50d6c91ace65f52fa56d7113_rolePermissionsFile/agov-rolesMapping.properties
index 24b3097..1413524 100644
--- a/patterns/50d6c91ace65f52fa56d7113_rolePermissionsFile/agov-rolesMapping.properties
+++ b/patterns/50d6c91ace65f52fa56d7113_rolePermissionsFile/agov-rolesMapping.properties
@@ -1,8 +1,8 @@
 # -- base admin roles (AGOV specific role definition)
 # ------------------------------------------------------
-## user administrator (reduced rightd; CLIENT, UNIT)
-nevisIdm.UserAdmin=ApplicationView,AuthorizationSearch,AuthorizationApplView,AuthorizationClientView,AuthorizationUnitView,AuthorizationView,ClientSearch,ClientView,CredentialChangeState,CredentialCreate,CredentialSearch,CredentialView,EntityAttributeAccessOverride,ProfileCreate,ProfileModify,ProfileSearch,ProfileView,PropertyAllowedValueSearch,PropertyAllowedValueView,PropertySearch,PropertyValueCreate,PropertyValueDelete,PropertyValueModify,PropertyValueSearch,PropertyValueView,PropertyView,RoleSearch,RoleView,UnitSearch,UnitView,UserCreate,UserModify,UserSearch,UserView,PropertyAttributeAccessOverride,CollectionView,GenerateReport,SearchResultsExport,EnterpriseAuthorizationSearch,EnterpriseAuthorizationView,EnterpriseRoleMemberSearch,EnterpriseRoleView,AuthorizationEnterpriseRoleSearch,AuthorizationEnterpriseRoleView
+## user administrator (reduced rightd; CLIENT, UNIT and only URL ticket creation allowed)
+nevisIdm.UserAdmin=ApplicationView,AuthorizationSearch,AuthorizationApplView,AuthorizationClientView,AuthorizationUnitView,AuthorizationView,ClientSearch,ClientView,CredentialChangeState.14,CredentialCreate.14,CredentialSearch,CredentialView,EntityAttributeAccessOverride,ProfileCreate,ProfileModify,ProfileSearch,ProfileView,PropertyAllowedValueSearch,PropertyAllowedValueView,PropertySearch,PropertyValueCreate,PropertyValueDelete,PropertyValueModify,PropertyValueSearch,PropertyValueView,PropertyView,RoleSearch,RoleView,UnitSearch,UnitView,UserCreate,UserModify,UserSearch,UserView,PropertyAttributeAccessOverride,CollectionView,GenerateReport,SearchResultsExport,EnterpriseAuthorizationSearch,EnterpriseAuthorizationView,EnterpriseRoleMemberSearch,EnterpriseRoleView,AuthorizationEnterpriseRoleSearch,AuthorizationEnterpriseRoleView
 ## user and unit administrator (same as above + unit
mgmt; CLIENT, UNIT)
 nevisIdm.UserAndUnitAdmin=ApplicationView,AuthorizationSearch,AuthorizationApplView,AuthorizationClientView,AuthorizationUnitView,AuthorizationView,ClientSearch,ClientView,CredentialChangeState,CredentialCreate,CredentialSearch,CredentialView,EntityAttributeAccessOverride,ProfileCreate,ProfileModify,ProfileSearch,ProfileView,PropertyAllowedValueSearch,PropertyAllowedValueView,PropertySearch,PropertyValueCreate,PropertyValueDelete,PropertyValueModify,PropertyValueSearch,PropertyValueView,PropertyView,RoleSearch,RoleView,UnitCreate,UnitDelete,UnitModify,UnitSearch,UnitView,UserCreate,UserModify,UserSearch,UserView,PropertyAttributeAccessOverride,CollectionView,GenerateReport,SearchResultsExport,EnterpriseAuthorizationSearch,EnterpriseAuthorizationView,EnterpriseRoleMemberSearch,EnterpriseRoleView,AuthorizationEnterpriseRoleSearch,AuthorizationEnterpriseRoleView
diff --git a/patterns/6df66943ca713eed2a25d935_labels/labels.zip b/patterns/6df66943ca713eed2a25d935_labels/labels.zip
index 983af44..222abc8 100644
Binary files a/patterns/6df66943ca713eed2a25d935_labels/labels.zip and b/patterns/6df66943ca713eed2a25d935_labels/labels.zip differ
diff --git a/patterns/6df66943ca713eed2a25d935_template/webdata.zip b/patterns/6df66943ca713eed2a25d935_template/webdata.zip
index f2f78aa..b78edf2 100644
Binary files a/patterns/6df66943ca713eed2a25d935_template/webdata.zip and b/patterns/6df66943ca713eed2a25d935_template/webdata.zip differ
diff --git a/patterns/6f9c9f982dcc7ef59a34f1f7_labels/labels.zip b/patterns/6f9c9f982dcc7ef59a34f1f7_labels/labels.zip
index 983af44..222abc8 100644
Binary files a/patterns/6f9c9f982dcc7ef59a34f1f7_labels/labels.zip and b/patterns/6f9c9f982dcc7ef59a34f1f7_labels/labels.zip differ
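Review bot: The restriction to `CredentialChangeState.14,CredentialCreate.14` is applied to `nevisIdm.UserAdmin` only, while the `nevisIdm.UserAndUnitAdmin` context line keeps the unscoped `CredentialChangeState,CredentialCreate`, so its comment `same as above + unit mgmt` no longer holds and the unit administrator retains the broader credential rights this commit removes from the user administrator. If that is intended, the comment should say so; if not, the same `.14` scoping belongs on the second role as well. The meaning of the `.14` suffix is not stated anywhere in the file (the new comment describes the intent as URL ticket creation, which reads as a credential-type id), so a line such as `## .14 suffix scopes the right to credential type 14 (URL ticket) -- confirm the id against the nevisIDM credential type table` next to the definition would keep the magic number from drifting silently. `rightd` in the rewritten comment is a typo for `rights`.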
diff --git a/patterns/6f9c9f982dcc7ef59a34f1f7_template/webdata.zip b/patterns/6f9c9f982dcc7ef59a34f1f7_template/webdata.zip
index f2f78aa..b78edf2 100644
Binary files a/patterns/6f9c9f982dcc7ef59a34f1f7_template/webdata.zip and b/patterns/6f9c9f982dcc7ef59a34f1f7_template/webdata.zip differ
diff --git a/patterns/7518c6cc61e47eec6322ae17_labels/labels.zip b/patterns/7518c6cc61e47eec6322ae17_labels/labels.zip
index 983af44..222abc8 100644
Binary files a/patterns/7518c6cc61e47eec6322ae17_labels/labels.zip and b/patterns/7518c6cc61e47eec6322ae17_labels/labels.zip differ
diff --git a/patterns/7518c6cc61e47eec6322ae17_template/webdata.zip b/patterns/7518c6cc61e47eec6322ae17_template/webdata.zip
index f2f78aa..b78edf2 100644
Binary files a/patterns/7518c6cc61e47eec6322ae17_template/webdata.zip and b/patterns/7518c6cc61e47eec6322ae17_template/webdata.zip differ
diff --git a/patterns/ExternalIngressSettings_f86835f0958316e9fd505e0a.yml b/patterns/ExternalIngressSettings_f86835f0958316e9fd505e0a.yml
new file mode 100644
index 0000000..b2e9afa
--- /dev/null
+++ b/patterns/ExternalIngressSettings_f86835f0958316e9fd505e0a.yml
@@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+ id: "f86835f0958316e9fd505e0a"
+ className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.GenericIngressSettings"
+ name: "ExternalIngressSettings"
+ label: "Operations"
+ properties:
+ annotations: "var://externalingresssettings-annotations"
+ ingressClassName: "var://externalingresssettings-class-name"
diff --git a/patterns/InternalIngressSettings_627ae22025e4d3bd7654239e.yml b/patterns/InternalIngressSettings_627ae22025e4d3bd7654239e.yml
new file mode 100644
index 0000000..c3ba3ea
--- /dev/null
+++ b/patterns/InternalIngressSettings_627ae22025e4d3bd7654239e.yml
@@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+ id: "627ae22025e4d3bd7654239e"
+ className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.GenericIngressSettings"
+ name: "InternalIngressSettings"
+ label: "Admin"
+ properties:
+ annotations: "var://internalingresssettings-annotations"
+ ingressClassName: "var://internalingresssettings-class-name"
diff --git a/patterns/NevisIdmRoleRequiredPolicy_3ccfece140b4bb464b3b7f51.yml b/patterns/NevisIdmRoleRequiredPolicy_3ccfece140b4bb464b3b7f51.yml
new file mode 100644
index 0000000..5ec433f
--- /dev/null
+++ b/patterns/NevisIdmRoleRequiredPolicy_3ccfece140b4bb464b3b7f51.yml
@@ -0,0 +1,16 @@
+schemaVersion: "1.0"
+pattern:
+ id: "3ccfece140b4bb464b3b7f51"
+ className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.AuthorizationPolicy"
+ name: "NevisIdmRoleRequiredPolicy"
+ properties:
+ requiredRoles:
+ - "nevisIdm.Helpdesk"
+ - "nevisIdm.TemplateAdmin"
+ - "nevisIdm.UserAndUnitAdmin"
+ - "nevisIdm.AppAdmin"
+ - "nevisIdm.UserAdmin"
+ - "nevisIdm.AppOwner"
+ - "nevisIdm.EnterpriseRoleAdmin"
+ - "nevisIdm.ClientRoot"
+ forbiddenRoles: "nevisIdm.Root"
diff --git a/patterns/Security_Response_Headers_9c6ad44795320a7adec1ccde.yml b/patterns/Security_Response_Headers_9c6ad44795320a7adec1ccde.yml
new file mode 100644
index 0000000..bda5066
--- /dev/null
+++ b/patterns/Security_Response_Headers_9c6ad44795320a7adec1ccde.yml
@@ -0,0 +1,7 @@
+schemaVersion: "1.0"
+pattern:
+ id: "9c6ad44795320a7adec1ccde"
+ className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.SecurityResponseHeaders"
+ name: "Security Response Headers"
+ properties:
+ responseHeaders: "var://security-response-headers-response-headers"
diff --git a/patterns/Virtual_Host_idmAdmin_1200a58c76686d520c21edb0.yml b/patterns/Virtual_Host_idmAdmin_1200a58c76686d520c21edb0.yml
index 095e288..15f7032 100644
--- a/patterns/Virtual_Host_idmAdmin_1200a58c76686d520c21edb0.yml
+++ b/patterns/Virtual_Host_idmAdmin_1200a58c76686d520c21edb0.yml
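Review bot: `requiredRoles` in NevisIdmRoleRequiredPolicy admits `nevisIdm.ClientRoot` while `forbiddenRoles` rejects only `nevisIdm.Root`; if the purpose of attaching this policy to the operations GUI is to keep superuser accounts off that host, the reason client-level root is acceptable should be recorded, e.g. `# ClientRoot is allowed on purpose: <REASON-PLACEHOLDER>; Root is denied` next to the list, or in the project documentation if these pattern files are tool-generated. The role names duplicate the ones defined in agov-rolesMapping.properties (`nevisIdm.UserAdmin` and `nevisIdm.UserAndUnitAdmin` are visible there); a role added or renamed in one file and not the other would either silently lock users out or silently admit them, so a cross-reference between the two files is worth a comment. `forbiddenRoles` is written as a scalar while `requiredRoles` is a list; if the property accepts a list, spelling both the same way avoids a surprise when a second forbidden role is added.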
@@ -10,6 +10,8 @@ pattern:
 addresses: "var://virtual_host_idmadmin-frontend-addresses"
 defaultEntry: "/nevisidm/admin/"
 resources: "res://1200a58c76686d520c21edb0#resources"
+ securityHeaders: "custom"
 addons:
 - "pattern://58ece0328f5bf4d78e1a82d2"
 - "pattern://076ce5c5440843a23150b386"
+ - "pattern://9c6ad44795320a7adec1ccde"
diff --git a/patterns/Virtual_Host_idmOperations_39ecde9a0d101628fed3e3be.yml b/patterns/Virtual_Host_idmOperations_39ecde9a0d101628fed3e3be.yml
index 45547eb..20d0bf4 100644
--- a/patterns/Virtual_Host_idmOperations_39ecde9a0d101628fed3e3be.yml
+++ b/patterns/Virtual_Host_idmOperations_39ecde9a0d101628fed3e3be.yml
@@ -11,7 +11,9 @@ pattern:
 defaultEntry: "/nevisidm/admin/"
 resources: "res://39ecde9a0d101628fed3e3be#resources"
 requireClientCert: "disabled"
+ securityHeaders: "custom"
 addons:
 - "pattern://58ece0328f5bf4d78e1a82d2"
 - "pattern://076ce5c5440843a23150b386"
 - "pattern://d9c194064d834ad41843ff4e"
+ - "pattern://9c6ad44795320a7adec1ccde"
diff --git a/patterns/nevisIDM_Operations_Administration_GUI_13ea034de32c190083ba9e35.yml b/patterns/nevisIDM_Operations_Administration_GUI_13ea034de32c190083ba9e35.yml
index 7e1814c..9c1beca 100644
--- a/patterns/nevisIDM_Operations_Administration_GUI_13ea034de32c190083ba9e35.yml
+++ b/patterns/nevisIDM_Operations_Administration_GUI_13ea034de32c190083ba9e35.yml
@@ -15,3 +15,5 @@ pattern:
 - "pattern://271d024334021208b71ac80a"
 selfAdmin: "disabled"
 apiAccess: "disabled"
+ addons:
+ - "pattern://3ccfece140b4bb464b3b7f51"
diff --git a/patterns/nevisProxy_Instance_IDM_3bc06037962ad13be0a3a95d.yml b/patterns/nevisProxy_Instance_IDM_3bc06037962ad13be0a3a95d.yml
index 8ce2789..63d8f3c 100644
--- a/patterns/nevisProxy_Instance_IDM_3bc06037962ad13be0a3a95d.yml
+++ b/patterns/nevisProxy_Instance_IDM_3bc06037962ad13be0a3a95d.yml
@@ -10,3 +10,4 @@ pattern:
 - "pattern://1200a58c76686d520c21edb0"
 addons:
 - "pattern://31ae68f6cc8ade7258adce8d"
+ - "pattern://627ae22025e4d3bd7654239e"
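Review bot: `securityHeaders: "custom"` on Virtual_Host_idmAdmin (and the same line in the Virtual_Host_idmOperations hunk that follows) hands the header set over to the Security Response Headers addon, whose variable `security-response-headers-response-headers` in the variables.yml hunk further down defaults to a single entry, `X-Content-Type-Options: "nosniff"`. If `custom` replaces rather than extends the plugin's built-in defaults, which this hunk does not show, both administration hosts lose whatever clickjacking and transport protections those defaults provided, a regression for an admin GUI. Pre-filling the variable with the usual baseline is cheap, e.g. adding `- X-Frame-Options: "DENY"` and `- Strict-Transport-Security: "max-age=31536000; includeSubDomains"` below the existing entry (and `- Content-Security-Policy: "frame-ancestors 'none'"` if the GUI is never framed); the exact set depends on what the hosts serve and belongs in the variable's documentation either way.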
diff --git a/patterns/operations_nevisProxy_Instance_bd83dfbd467e8211ffe71d28.yml b/patterns/operations_nevisProxy_Instance_bd83dfbd467e8211ffe71d28.yml
index 93dd8a0..ea6e54a 100644
--- a/patterns/operations_nevisProxy_Instance_bd83dfbd467e8211ffe71d28.yml
+++ b/patterns/operations_nevisProxy_Instance_bd83dfbd467e8211ffe71d28.yml
@@ -10,3 +10,4 @@ pattern:
 - "pattern://39ecde9a0d101628fed3e3be"
 addons:
 - "pattern://31ae68f6cc8ade7258adce8d"
+ - "pattern://f86835f0958316e9fd505e0a"
diff --git a/variables.yml b/variables.yml
index 1166bae..a196329 100644
--- a/variables.yml
+++ b/variables.yml
@@ -50,13 +50,6 @@ variables:
 secretPreserving: true
 value: null
 requireOverloading: true
- cert-login-root-ca:
- className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
- parameters:
- required: false
- syntax: "YAML"
- value: null
- requireOverloading: true
 cert-login-template-parameters:
 className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
 parameters:
@@ -64,6 +57,21 @@ variables:
 syntax: "YAML"
 value: "caFile.pem"
 requireOverloading: true
+ externalingresssettings-annotations:
+ className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
+ parameters:
+ separators:
+ - ":"
+ switchedSeparators: []
+ value: null
+ requireOverloading: true
+ externalingresssettings-class-name:
+ className: "ch.nevis.admin.v4.plugin.base.generation.property.SimpleTextProperty"
+ parameters:
+ minRequired: 0
+ maxAllowed: 1
+ value: "nginx"
+ requireOverloading: true
 greenmail-backend-addresses:
 className: "ch.nevis.admin.v4.plugin.base.generation.property.URLProperty"
 parameters:
@@ -307,6 +315,21 @@ variables:
 maxAllowed: 1
 value: "nginx"
 requireOverloading: true
+ internalingresssettings-annotations:
+ className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
+ parameters:
+ separators:
+ - ":"
+ switchedSeparators: []
+ value: null
+ requireOverloading: true
+ internalingresssettings-class-name:
+ className: "ch.nevis.admin.v4.plugin.base.generation.property.SimpleTextProperty"
+ parameters:
+ minRequired: 0
+ maxAllowed: 1
+ value: "nginx"
+ requireOverloading: true
 nevisauth-log-settings-log-levels:
 className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
 parameters:
@@ -724,6 +747,16 @@ variables:
 format: "^[^\\s,]*$"
 value: "https://op.agov-d.azure.adnovum.net/SAML2/ACS/"
 requireOverloading: true
+ security-response-headers-response-headers:
+ className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
+ parameters:
+ minRequired: 1
+ separators:
+ - ":"
+ switchedSeparators: []
+ value:
+ - X-Content-Type-Options: "nosniff"
+ requireOverloading: true
 technical_trust_store-additional-trusted-certificates:
 className: "ch.nevis.admin.v4.plugin.base.generation.property.AttachmentProperty"
 parameters: