diff --git a/tutorials/3-2-env-setting.tf b/tutorials/3-2-env-setting.tf
index 1ca4398..6784dac 100644
--- a/tutorials/3-2-env-setting.tf
+++ b/tutorials/3-2-env-setting.tf
@@ -46,7 +46,7 @@ resource "bytebase_policy" "data_source_query_policy_prod" {
 type = "DATA_SOURCE_QUERY"
 data_source_query_policy {
- restriction = "FALLBACK" # or DISALLOW or RESTRICTION_UNSPECIFIED
+ restriction = "RESTRICTION_UNSPECIFIED" # or DISALLOW or FALLBACK
 disallow_ddl = true
 disallow_dml = true
 }
diff --git a/tutorials/3-settings.tf b/tutorials/3-settings.tf
deleted file mode 100644
index b305811..0000000
--- a/tutorials/3-settings.tf
+++ /dev/null
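Review bot: The prod data-source query policy is relaxed without a comment saying why: `restriction` moves from `FALLBACK` to `RESTRICTION_UNSPECIFIED`, and the trailing comment only enumerates the other two values. Assuming RESTRICTION_UNSPECIFIED is the least restrictive of the three (the `disallow_ddl`/`disallow_dml` flags below are unchanged and still set), a tutorial reader copying this file into a real environment would want the intent stated on that line, e.g. `restriction = "RESTRICTION_UNSPECIFIED" # tutorial default; a real prod environment would normally keep DISALLOW or FALLBACK`. The enclosing `bytebase_policy` resource begins outside the hunk.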
@@ -1,72 +0,0 @@
-# Environment Settings
-resource "bytebase_setting" "environments" {
- name = "settings/ENVIRONMENT"
-
- environment_setting {
- environment {
- id = "test"
- title = "Test"
- protected = false
- }
- environment {
- id = "prod"
- title = "Prod"
- protected = true
- }
- }
-}
-
-# Step 1: Workspace profile configuration
-resource "bytebase_setting" "workspace_profile" {
- name = "settings/WORKSPACE_PROFILE"
-
- workspace_profile {
- disallow_signup = true
- domains = ["example.com"]
- enforce_identity_domain = false
- external_url = "https://valid-just-tadpole.ngrok-free.app"
- }
-}
-
-# Step 2: Approval flow settings
-resource "bytebase_setting" "approval_flow" {
- name = "settings/WORKSPACE_APPROVAL"
-
- approval_flow {
- rules {
- flow {
- title = "Project Owner → DBA → Admin"
- description = "Need DBA and workspace admin approval"
-
- steps { role = "roles/projectOwner" }
- steps { role = "roles/workspaceDBA" }
- steps { role = "roles/workspaceAdmin" }
- }
- conditions {
- source = "DML"
- level = "MODERATE"
- }
- conditions {
- source = "DDL"
- level = "HIGH"
- }
- }
- }
-}
-
-# Step 3: Risk management policies
-resource "bytebase_risk" "dml_moderate" {
- title = "DML Moderate Risk"
- source = "DML"
- level = 200
- active = true
- condition = "environment_id == \"prod\" && affected_rows >= 100"
-}
-
-resource "bytebase_risk" "ddl_high" {
- title = "DDL High Risk"
- source = "DDL"
- level = 300
- active = true
- condition = "environment_id == \"prod\""
-}
\ No newline at end of file
diff --git a/tutorials/4-user-iam.tf b/tutorials/4-user-iam.tf
deleted file mode 100644
index 7c70718..0000000
--- a/tutorials/4-user-iam.tf
+++ /dev/null
@@ -1,182 +0,0 @@
-# Create users and groups
-resource "bytebase_user" "workspace_admin" {
- email = "admin@example.com"
- title = "Workspace Admin"
- type = "USER"
-}
-
-resource "bytebase_user" "tf_service_account" {
- email = "tf@service.bytebase.com"
- title = "Terraform Service Account"
- type = "SERVICE_ACCOUNT"
-}
-
-resource "bytebase_user" "workspace_dba1" {
- email = "dba@example.com"
- title = "Database Administrator 1"
- type = "USER"
-}
-
-resource "bytebase_user" "workspace_dba2" {
- email = "dba2@example.com"
- title = "Database Administrator 2"
- type = "USER"
-}
-
-resource "bytebase_user" "dev1" {
- email = "dev1@example.com"
- title = "Developer 1"
- type = "USER"
-}
-
-resource "bytebase_user" "dev2" {
- email = "dev2@example.com"
- title = "Developer 2"
- type = "USER"
-}
-
-resource "bytebase_user" "dev3" {
- email = "dev3@example.com"
- title = "Developer 3"
- type = "USER"
-}
-
-resource "bytebase_user" "qa1" {
- email = "qa1@example.com"
- title = "QA Tester 1"
- type = "USER"
-}
-
-resource "bytebase_user" "qa2" {
- email = "qa2@example.com"
- title = "QA Tester 2"
- type = "USER"
-}
-
-# Create groups
-resource "bytebase_group" "developers" {
- email = "developers@example.com"
- title = "Developer Team"
- description = "Group for all developers"
-
- members {
- member = "users/${bytebase_user.dev1.email}"
- role = "OWNER"
- }
-
- members {
- member = "users/${bytebase_user.dev2.email}"
- role = "MEMBER"
- }
-
- members {
- member = "users/${bytebase_user.dev3.email}"
- role = "MEMBER"
- }
-}
-
-resource "bytebase_group" "qa" {
- email = "qa@example.com"
- title = "QA Team"
- description = "Group for all QA testers"
-
- members {
- member = "users/${bytebase_user.qa1.email}"
- role = "OWNER"
- }
-
- members {
- member = "users/${bytebase_user.qa2.email}"
- role = "MEMBER"
- }
-}
-
-resource "bytebase_iam_policy" "workspace_iam" {
- depends_on = [
- bytebase_user.workspace_admin,
- bytebase_user.tf_service_account,
- bytebase_user.workspace_dba1,
- bytebase_user.workspace_dba2,
- bytebase_group.qa
- ]
-
- parent = "workspaces/-"
-
- iam_policy {
-
- binding {
- role = "roles/workspaceAdmin"
- members = [
- format("user:%s", bytebase_user.workspace_admin.email),
- format("user:%s", bytebase_user.tf_service_account.email),
- ]
- }
-
- binding {
- role = "roles/workspaceDBA"
- members = [
- format("user:%s", bytebase_user.workspace_dba1.email),
- format("user:%s", bytebase_user.workspace_dba2.email)
- ]
- }
-
- binding {
- role = "roles/workspaceMember"
- members = [
- format("user:%s", bytebase_user.dev1.email),
- format("user:%s", bytebase_user.dev2.email),
- format("user:%s", bytebase_user.dev3.email)
- ]
- }
-
- binding {
- role = "roles/projectViewer"
- members = [
- format("group:%s", bytebase_group.qa.email),
- ]
- }
- }
-}
-
-resource "bytebase_iam_policy" "project_iam" {
- depends_on = [
- bytebase_group.developers,
- bytebase_user.workspace_dba1,
- bytebase_user.workspace_dba2
- ]
-
- parent = bytebase_project.project-two.name
-
- iam_policy {
-
- binding {
- role = "roles/projectOwner"
- members = [
- format("user:%s", bytebase_user.workspace_dba1.email),
- format("user:%s", bytebase_user.workspace_dba2.email)
- ]
- }
-
- binding {
- role = "roles/projectDeveloper"
- members = [
- "allUsers",
- format("group:%s", bytebase_group.developers.email)
- ]
- }
-
- binding {
- role = "roles/sqlEditorUser"
- members = [
- format("group:%s", bytebase_group.developers.email)
- ]
- condition {
- database = "instances/prod-sample-instance/databases/hr_prod"
- schema = "public"
- tables = ["employee","department"]
- expire_timestamp = "2027-07-10T16:17:49Z"
- }
- }
-
- }
-}
\ No newline at end of file
diff --git a/tutorials/5-user-iam.tf b/tutorials/5-user-iam.tf
index 0c1aa90..a6c98b0 100644
--- a/tutorials/5-user-iam.tf
+++ b/tutorials/5-user-iam.tf
@@ -175,7 +175,7 @@ resource "bytebase_iam_policy" "project_iam" {
 condition {
 database = "instances/prod-sample-instance/databases/hr_prod"
 schema = "public"
- tables = ["employee","department"]
+ tables = ["employee","salary"]
 expire_timestamp = "2027-07-10T16:17:49Z"
 }
 }
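Review bot: The SQL editor condition on `hr_prod` now scopes the grant to a `salary` table in place of `department`, with nothing in the hunk or commit text explaining the swap; salary data is usually more sensitive than department data, so the `tables` line deserves a comment, e.g. `tables = ["employee","salary"] # sample-data tables only; review with the data owner before granting prod SQL editor access to a salary table`. The `expire_timestamp` is a fixed date (2027-07-10) that the tutorial will silently outlive, so a comment that it must be updated when applying the example would help too. The `binding` (its role and members) and the enclosing `bytebase_iam_policy.project_iam` resource start outside the hunk; judging by the deleted 4-user-iam.tf this appears to be the `roles/sqlEditorUser` grant to the developers group, but that is not visible here.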