diff --git a/patterns/1200a58c76686d520c21edb0_resources/resources-op.zip b/patterns/1200a58c76686d520c21edb0_resources/resources-op.zip
index 6d9f315..8286ebe 100644
Binary files a/patterns/1200a58c76686d520c21edb0_resources/resources-op.zip and b/patterns/1200a58c76686d520c21edb0_resources/resources-op.zip differ
diff --git a/patterns/24cbc652d3166c8374eda3cd_authStatesFile/UpdateUserIfNeeded.xml b/patterns/24cbc652d3166c8374eda3cd_authStatesFile/UpdateUserIfNeeded.xml
index 11534e4..af42d8a 100644
--- a/patterns/24cbc652d3166c8374eda3cd_authStatesFile/UpdateUserIfNeeded.xml
+++ b/patterns/24cbc652d3166c8374eda3cd_authStatesFile/UpdateUserIfNeeded.xml
@@ -2,10 +2,10 @@
-
-
-
-
+
+
+
+
diff --git a/patterns/39ecde9a0d101628fed3e3be_resources/resources-op.zip b/patterns/39ecde9a0d101628fed3e3be_resources/resources-op.zip
index 6d9f315..8286ebe 100644
Binary files a/patterns/39ecde9a0d101628fed3e3be_resources/resources-op.zip and b/patterns/39ecde9a0d101628fed3e3be_resources/resources-op.zip differ
diff --git a/patterns/488949a743edb1f46f73f232_scriptFile/setUserExtIdFromAssertion.groovy b/patterns/488949a743edb1f46f73f232_scriptFile/setUserExtIdFromAssertion.groovy
index 34f41f7..cc8fe93 100644
--- a/patterns/488949a743edb1f46f73f232_scriptFile/setUserExtIdFromAssertion.groovy
+++ b/patterns/488949a743edb1f46f73f232_scriptFile/setUserExtIdFromAssertion.groovy
@@ -1,10 +1,10 @@
try {
def s = request.getAuthSession(true)
- LOG.info("operationsExtId: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']}")
- LOG.info("operationsUserProfileExtIdList: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']}")
-
+ LOG.debug("operationsExtId: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']}")
+ LOG.debug("operationsUserProfileExtIdList: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']}")
+ // set operation's account extId and profile extid
if (notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'] == null || notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'] == null) {
LOG.error("[OPACCESS] User ${notes['saml.assertion.subject']} tried to access without operations account or profile")
response.setResult('error');
@@ -13,6 +13,20 @@ try {
response.setSessionAttribute('operationsExtId', notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'])
+ // extract additional attributes from assertion in session
+ if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname']) {
+ response.setSessionAttribute('idp.firstName', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'])
+ }
+ if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname']) {
+ response.setSessionAttribute('idp.lastName', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'])
+ }
+ if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) {
+ response.setSessionAttribute('idp.email', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'])
+ }
+ if (notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance']) {
+ response.setSessionAttribute('idp.language', notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance'])
+ }
+
// we take the first one, if there is no profile in the operations unit
def unitAndProfileExtidPar = notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']
.split(',').find{pairstr -> pairstr.split("\\\\")[1] == "${var.operations-unitExtId}" }
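Review bot: The four added `if (notes[...]) { response.setSessionAttribute(...) }` pairs repeat the same claim-URI/session-key pattern and would be easier to read and extend as a claim→session-key map iterated with `each`; when building the lookup key that way, use string concatenation rather than a GString, because a GString does not match a `String` key in the `notes` map. The values go straight from IdP-asserted claims into the session, so whatever later consumes `idp.firstName`/`idp.lastName`/`idp.email`/`idp.language` (presumably the user-update step) should treat them as asserted, not verified, and validate format and length before writing them to IDM. If the IdP ever sends one of these attributes multi-valued, the stored value would be the comma-joined form this script already assumes for `operationsUserProfileExtId` at the `.split(',')` below — worth a comment if that is intended. The enclosing `try` starts and ends outside this hunk.
```groovy
// copy selected IdP claims into the session (asserted by the IdP, not verified here)
def claimToSessionKey = [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'                  : 'idp.firstName',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'                    : 'idp.lastName',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'               : 'idp.email',
    'http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance'       : 'idp.language'
]
claimToSessionKey.each { claim, sessionKey ->
    // plain String concatenation: a GString key would not match the String keys in notes
    def value = notes['saml.attributes.' + claim]
    if (value) {
        response.setSessionAttribute(sessionKey, value)
    }
}
// … unchanged: unit/profile extId resolution …
```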
@@ -22,8 +36,21 @@ try {
{
LOG.info("[OPACCESS] User ${notes['saml.assertion.subject']} with opaccount ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']} has no operations profile, we use the first one")
}
-
response.setSessionAttribute('operationsProfileExtId', unitAndProfileExtidPar.split("\\\\")[0])
+
+ // ad role based on agov aq level
+ def acrToRoleMap = [ 'urn:qa.agov.ch:names:tc:ac:classes:100':'AGOV-Loi.level100',
+ 'urn:qa.agov.ch:names:tc:ac:classes:200':'AGOV-Loi.level200',
+ 'urn:qa.agov.ch:names:tc:ac:classes:300':'AGOV-Loi.level300',
+ 'urn:qa.agov.ch:names:tc:ac:classes:400':'AGOV-Loi.level400',
+ 'urn:qa.agov.ch:names:tc:ac:classes:500':'AGOV-Loi.level500'
+ ]
+
+ if (acrToRoleMap[session['ch.nevis.auth.saml.assertion.authnContextClassRef']?='none']) {
+ response.addActualRole(acrToRoleMap[session['ch.nevis.auth.saml.assertion.authnContextClassRef']])
+ }
+
+
response.setResult('ok');
} catch(Exception ex) {
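Review bot: `?=` in `acrToRoleMap[session['ch.nevis.auth.saml.assertion.authnContextClassRef']?='none']` is Groovy 3's Elvis *assignment* operator, not the Elvis operator `?:`: when the session holds no authnContextClassRef it writes the string `'none'` back into the session under that key (or throws if `session` is not writable, which the generic `catch` below would turn into an error result), and on Groovy 2 it does not compile at all. A map lookup with a null key already yields null, so no fallback is needed — look the role up once into a local, and log when no role is granted so that a later deny by the AGOV-Loi.level300 authorization policy can be diagnosed from the auth log. The ACR keys are hard-coded under `urn:qa.agov.ch:`; if other environments issue the same classes under a different namespace, no level role would ever be granted there (fail-closed, but every AQ300-protected application would break), so consider sourcing that prefix from a nevisAdmin variable the way `${var.operations-unitExtId}` is used above. The comment `// ad role based on agov aq level` should read `// add role based on AGOV AQ level`. The `try` this sits in is closed outside the hunk; the `catch` body is not visible here.
```groovy
// add role based on AGOV AQ level
// … unchanged: acrToRoleMap definition …

def acr = session['ch.nevis.auth.saml.assertion.authnContextClassRef']
def loiRole = acrToRoleMap[acr]   // null for a missing or unmapped ACR, no fallback needed
if (loiRole) {
    response.addActualRole(loiRole)
} else {
    LOG.warn("[OPACCESS] User ${notes['saml.assertion.subject']} has unmapped authnContextClassRef '${acr}', no AGOV-Loi role granted")
}

response.setResult('ok');
```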
diff --git a/patterns/6df66943ca713eed2a25d935_labels/labels.zip b/patterns/6df66943ca713eed2a25d935_labels/labels.zip
index 222abc8..a979d99 100644
Binary files a/patterns/6df66943ca713eed2a25d935_labels/labels.zip and b/patterns/6df66943ca713eed2a25d935_labels/labels.zip differ
diff --git a/patterns/6df66943ca713eed2a25d935_template/webdata.zip b/patterns/6df66943ca713eed2a25d935_template/webdata.zip
index b78edf2..16f39bb 100644
Binary files a/patterns/6df66943ca713eed2a25d935_template/webdata.zip and b/patterns/6df66943ca713eed2a25d935_template/webdata.zip differ
diff --git a/patterns/6f9c9f982dcc7ef59a34f1f7_labels/labels.zip b/patterns/6f9c9f982dcc7ef59a34f1f7_labels/labels.zip
index 222abc8..a979d99 100644
Binary files a/patterns/6f9c9f982dcc7ef59a34f1f7_labels/labels.zip and b/patterns/6f9c9f982dcc7ef59a34f1f7_labels/labels.zip differ
diff --git a/patterns/6f9c9f982dcc7ef59a34f1f7_template/webdata.zip b/patterns/6f9c9f982dcc7ef59a34f1f7_template/webdata.zip
index b78edf2..16f39bb 100644
Binary files a/patterns/6f9c9f982dcc7ef59a34f1f7_template/webdata.zip and b/patterns/6f9c9f982dcc7ef59a34f1f7_template/webdata.zip differ
diff --git a/patterns/7518c6cc61e47eec6322ae17_labels/labels.zip b/patterns/7518c6cc61e47eec6322ae17_labels/labels.zip
index 222abc8..a979d99 100644
Binary files a/patterns/7518c6cc61e47eec6322ae17_labels/labels.zip and b/patterns/7518c6cc61e47eec6322ae17_labels/labels.zip differ
diff --git a/patterns/7518c6cc61e47eec6322ae17_template/webdata.zip b/patterns/7518c6cc61e47eec6322ae17_template/webdata.zip
index b78edf2..16f39bb 100644
Binary files a/patterns/7518c6cc61e47eec6322ae17_template/webdata.zip and b/patterns/7518c6cc61e47eec6322ae17_template/webdata.zip differ
diff --git a/patterns/AgovAq300AuthorizationPolicy_088e03c92ee8a5168b030e9e.yml b/patterns/AgovAq300AuthorizationPolicy_088e03c92ee8a5168b030e9e.yml
new file mode 100644
index 0000000..14d06b0
--- /dev/null
+++ b/patterns/AgovAq300AuthorizationPolicy_088e03c92ee8a5168b030e9e.yml
@@ -0,0 +1,10 @@
+schemaVersion: "1.0"
+pattern:
+ id: "088e03c92ee8a5168b030e9e"
+ className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.AuthorizationPolicy"
+ name: "AgovAq300AuthorizationPolicy"
+ properties:
+ requiredRoles:
+ - "AGOV-Loi.level300"
+ - "AGOV-Loi.level400"
+ - "AGOV-Loi.level500"
diff --git a/patterns/ArtReporting_4da72abf93d79d0698250e39.yml b/patterns/ArtReporting_4da72abf93d79d0698250e39.yml
index 12e3aec..1d99a9c 100644
--- a/patterns/ArtReporting_4da72abf93d79d0698250e39.yml
+++ b/patterns/ArtReporting_4da72abf93d79d0698250e39.yml
@@ -10,6 +10,7 @@ pattern:
realm:
- "pattern://7518c6cc61e47eec6322ae17"
addons:
+ - "pattern://088e03c92ee8a5168b030e9e"
- "pattern://ae3127e7a6869fea8b850ad9"
backends: "var://artreporting-backend-addresses"
hostnameCheck: "disabled"
diff --git a/patterns/IDM_Prune_Operations_Accounts_Job_b4ede97e934bb0fc17c60976.yml b/patterns/IDM_Prune_Operations_Accounts_Job_b4ede97e934bb0fc17c60976.yml
new file mode 100644
index 0000000..b560e70
--- /dev/null
+++ b/patterns/IDM_Prune_Operations_Accounts_Job_b4ede97e934bb0fc17c60976.yml
@@ -0,0 +1,30 @@
+schemaVersion: "1.0"
+pattern:
+ id: "b4ede97e934bb0fc17c60976"
+ className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMGenericBatchJob"
+ name: "IDM Prune Operations Accounts Job"
+ label: "Batch"
+ notes: "Archive accounts after 30d of disabling and delete them after a year (335d\
+ \ later)\nruns daily at 01:30"
+ properties:
+ job: "\n \n \n \n \n \n \n\
+ \ \n \n \n\
+ \ \n\n"
+ trigger: "\n \n \n \n"
diff --git a/patterns/IDM_Prune_Shadow_Accounts_Job_3600b7d00b6427226e451f8d.yml b/patterns/IDM_Prune_Shadow_Accounts_Job_3600b7d00b6427226e451f8d.yml
index 9126f13..d4597b0 100644
--- a/patterns/IDM_Prune_Shadow_Accounts_Job_3600b7d00b6427226e451f8d.yml
+++ b/patterns/IDM_Prune_Shadow_Accounts_Job_3600b7d00b6427226e451f8d.yml
@@ -4,6 +4,8 @@ pattern:
className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMGenericBatchJob"
name: "IDM Prune Shadow Accounts Job"
label: "Batch"
+ notes: "Archive accounts after 15d of disabling and delete them after 100 days\n\
+ runs daily at 00:30"
properties:
job: "\n