diff --git a/patterns/1f0702aaabef60a615abf41f_resources/resources.zip b/patterns/1f0702aaabef60a615abf41f_resources/resources.zip
index e7d8fdc..493ab27 100644
Binary files a/patterns/1f0702aaabef60a615abf41f_resources/resources.zip and b/patterns/1f0702aaabef60a615abf41f_resources/resources.zip differ
diff --git a/patterns/204c22beaccdfd22727af378_labels/labels.zip b/patterns/204c22beaccdfd22727af378_labels/labels.zip
index 12b3833..94422af 100644
Binary files a/patterns/204c22beaccdfd22727af378_labels/labels.zip and b/patterns/204c22beaccdfd22727af378_labels/labels.zip differ
diff --git a/patterns/204c22beaccdfd22727af378_template/webdata.zip b/patterns/204c22beaccdfd22727af378_template/webdata.zip
index 0eca79f..75523c0 100644
Binary files a/patterns/204c22beaccdfd22727af378_template/webdata.zip and b/patterns/204c22beaccdfd22727af378_template/webdata.zip differ
diff --git a/patterns/2cdd910036aa06b102863a4f_scriptFile/checkLoa.gy b/patterns/2cdd910036aa06b102863a4f_scriptFile/checkLoa.gy
index 5f56cba..dc2bc6c 100644
--- a/patterns/2cdd910036aa06b102863a4f_scriptFile/checkLoa.gy
+++ b/patterns/2cdd910036aa06b102863a4f_scriptFile/checkLoa.gy
@@ -2,9 +2,8 @@ import org.codehaus.groovy.runtime.StackTraceUtils import groovy.xml.XmlSlurper def getUserAGOVLoiRoles() { - // set attibutes from DTO: -> AGOVaq - def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto')) - return list.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-Loi' }.collect({ node -> node.name.text() }) + // we take the roles from actualRoles + return request.getActualRoles().findAll { role -> role.startsWith('AGOV-Loi.') }.collect({ role -> role.substring(9) }) } def getUserAGOVRecoveryRoles() {
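Review bot: The `substring(9)` in the new body of `getUserAGOVLoiRoles()` is a magic number that depends on the length of the `'AGOV-Loi.'` prefix tested in the `findAll` just before it, so editing the prefix would silently shift the level that is parsed from the role name later in the script. Deriving the offset from the prefix keeps the two in step, e.g. `def prefix = 'AGOV-Loi.'` followed by `role.substring(prefix.length())`. The one-line comment could also say why `request.getActualRoles()` replaces the user DTO from the session as the source of roles, since the assurance-level decision rests on it; whether `getActualRoles()` can return null for an account without roles is not visible in the hunk and should be confirmed. If nothing else in the file uses `XmlSlurper`, the import shown as context at the top of the hunk is now unused.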
@@ -141,6 +140,11 @@ try { LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', errorMessage='Account without Profile', SourceIp=${sourceIp}, UserAgent='${userAgent}'") session.setAttribute('contextClassRefToSet', 'urn:qa.agov.ch:names:tc:ac:classes:100') + + // if the account has no profile, we must not return address or svnr + session.setAttribute('agov.appAddressRequired', 'false') + session.setAttribute('agov.appSvnrAllowed', 'false') + response.setResult('ok') return } 
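Review bot: The two resets added before `response.setResult('ok')` cover only this 'Account without Profile' exit, so any other early return or the `catch` of the enclosing `try` (both outside the hunk) would leave `agov.appAddressRequired` and `agov.appSvnrAllowed` at whatever value an earlier step stored. Because these flags appear to decide whether address and SVNr are released, it is worth confirming that every exit path that does not establish a level clears them, ideally through one small helper so the attribute names live in a single place. The comment could state the rule rather than the case, e.g. `// fail closed: no profile means no verified level, so address and SVNr must not be released`.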
@@ -158,24 +162,33 @@ try { for (String role : getUserAGOVLoiRoles()) { - if (role.startsWith('level')) { - def roleLevel = role.substring(5) - int roleLevelNumber = Integer.parseInt(roleLevel) - if (highestRoleLevelNumber == 0) { - highestRoleLevelNumber = roleLevelNumber - } - if (highestRoleLevelNumber< roleLevelNumber) { - highestRoleLevelNumber=roleLevelNumber + if (role.startsWith('level')) { + def roleLevel = role.substring(5) + int roleLevelNumber = Integer.parseInt(roleLevel) + if (highestRoleLevelNumber< roleLevelNumber) { + highestRoleLevelNumber=roleLevelNumber + } } - } - } - LOG.debug('CheckLoa: Highest role Level' + highestRoleLevelNumber.toString() +' contextclassref' + requestedRoleLevelNumber.toString()) - LOG.debug('CheckLoa: Compare' + (highestRoleLevelNumber>=requestedRoleLevelNumber)) + } + + LOG.debug('CheckLoa: Highest role Level ' + highestRoleLevelNumber.toString() +' contextclassref ' + requestedRoleLevelNumber.toString()) + LOG.debug('CheckLoa: Compare ' + (highestRoleLevelNumber>=requestedRoleLevelNumber)) //set attribute Actual Role Level session.setAttribute('agov.actualRoleLevel', '' + highestRoleLevelNumber) LOG.debug('CheckLoa: actual role level (agov) '+ highestRoleLevelNumber) + + // Best Token Available only if account's AQlevel is high enough + if ((session.getAttribute('agov.appAddressRequired') == 'true') && (highestRoleLevelNumber < 200)) { + LOG.debug("Best Token: Address requested but account has to low AQ (${highestRoleLevelNumber})") + session.setAttribute('agov.appAddressRequired', 'false') + } + if ((session.getAttribute('agov.appSvnrAllowed') == 'true') && (highestRoleLevelNumber < 400)) { + LOG.debug("Best Token: SVNr requested but account has to low AQ (${highestRoleLevelNumber})") + session.setAttribute('agov.appSvnrAllowed', 'false') + } + if (highestRoleLevelNumber > 0) { // set attribute contextClassRefToSet session.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:' 
.concat(highestRoleLevelNumber.toString()))
diff --git a/patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip b/patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip
index 12b3833..94422af 100644
Binary files a/patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip and b/patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip differ
diff --git a/patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip b/patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip
index 0eca79f..75523c0 100644
Binary files a/patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip and b/patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip differ
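Review bot: The Best Token downgrade compares the session value with the exact string `'true'`, so a flag stored as a Boolean or in another spelling skips the check and stays enabled for an account below the threshold. Writing the gate fail-closed removes the dependency on the stored representation: `if (highestRoleLevelNumber < 200) { session.setAttribute('agov.appAddressRequired', 'false') }`, and likewise for `agov.appSvnrAllowed` with 400. `Integer.parseInt(roleLevel)` in the loop above throws on a non-numeric `level…` role and the downgrade is then never reached; what the `catch` of the enclosing `try` does with both flags lies outside the hunk and should be confirmed. The thresholds 200 and 400 would read better as named constants, and both new debug messages say "to low" where "too low" is meant.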