diff --git a/manifests/kcp/workspace-authentication-configuration.yaml b/manifests/kcp/02-orgs/workspace-authentication-configuration.yaml
similarity index 100%
rename from manifests/kcp/workspace-authentication-configuration.yaml
rename to manifests/kcp/02-orgs/workspace-authentication-configuration.yaml
diff --git a/manifests/kcp/workspace-type-account.yaml b/manifests/kcp/02-orgs/workspace-type-account.yaml
similarity index 85%
rename from manifests/kcp/workspace-type-account.yaml
rename to manifests/kcp/02-orgs/workspace-type-account.yaml
index ed92def3..33b8027a 100644
--- a/manifests/kcp/workspace-type-account.yaml
+++ b/manifests/kcp/02-orgs/workspace-type-account.yaml
@@ -16,20 +16,20 @@ spec:
 {{- end }}
   defaultChildWorkspaceType:
     name: account
-    path: root
+    path: root:orgs
   limitAllowedChildren:
     types:
       - name: account
-        path: root
+        path: root:orgs
   limitAllowedParents:
     types:
       - name: org
-        path: root
+        path: root:orgs
       - name: account
-        path: root
+        path: root:orgs
   extend:
     with:
       - name: universal
         path: root
       - name: security
-        path: root
+        path: root:orgs
diff --git a/manifests/kcp/workspace-type-fga.yaml b/manifests/kcp/02-orgs/workspace-type-fga.yaml
similarity index 100%
rename from manifests/kcp/workspace-type-fga.yaml
rename to manifests/kcp/02-orgs/workspace-type-fga.yaml
diff --git a/manifests/kcp/workspace-type-org.yaml b/manifests/kcp/02-orgs/workspace-type-org.yaml
similarity index 90%
rename from manifests/kcp/workspace-type-org.yaml
rename to manifests/kcp/02-orgs/workspace-type-org.yaml
index 591f9d85..9509ae89 100644
--- a/manifests/kcp/workspace-type-org.yaml
+++ b/manifests/kcp/02-orgs/workspace-type-org.yaml
@@ -6,7 +6,7 @@ spec:
   extend:
     with:
     - name: security
-      path: root
+      path: root:orgs
   defaultAPIBindings:
     - export: core.platform-mesh.io
       path: root:platform-mesh-system
@@ -20,11 +20,11 @@ spec:
 {{- end }}
   defaultChildWorkspaceType:
     name: account
-    path: root
+    path: root:orgs
   limitAllowedChildren:
     types:
       - name: account
-        path: root
+        path: root:orgs
   limitAllowedParents:
     types:
       - name: orgs
diff --git a/manifests/kcp/workspace-type-orgs.yaml b/manifests/kcp/workspace-type-orgs.yaml
index 64fe661d..b31284f2 100644
--- a/manifests/kcp/workspace-type-orgs.yaml
+++ b/manifests/kcp/workspace-type-orgs.yaml
@@ -10,7 +10,7 @@ spec:
       path: root:platform-mesh-system
   defaultChildWorkspaceType:
     name: org
-    path: root
+    path: root:orgs
   extend:
     with:
       - name: universal
@@ -18,6 +18,6 @@ spec:
   limitAllowedChildren:
     types:
       - name: org
-        path: root
+        path: root:orgs
   authenticationConfigurations:
   - name: orgs-authentication
\ No newline at end of file
diff --git a/pkg/subroutines/defaults.go b/pkg/subroutines/defaults.go
index 97e44785..b175fb05 100644
--- a/pkg/subroutines/defaults.go
+++ b/pkg/subroutines/defaults.go
@@ -24,9 +24,10 @@ var AccountOperatorWorkspace = "root:platform-mesh-system"
 
 var DefaultProviderConnections = []corev1alpha1.ProviderConnection{
 	{
-		Path:      "root:platform-mesh-system",
-		Secret:    "account-operator-kubeconfig",
-		AdminAuth: ptr.To(true),
+		Path:          "root:platform-mesh-system",
+		Secret:        "account-operator-kubeconfig",
+		AdminAuth:     ptr.To(false),
+		APIExportName: ptr.To("core.platform-mesh.io"),
 	},
 	{
 		Path:      "root:platform-mesh-system",