Organization admin access - global-121/121-platform GitHub Wiki

The 121 API-endpoints are protected by specific, program-specific permissions on one hand (see Roles and permissions in the 121 Platform User Manual), and an "isAdmin" user-attribute on the other hand, which is valid across programs and protects sensitive endpoints.

Additionally, there is the "isOrganizationalAdmin" user-attribute, which also runs across programs, but has limited access compared to "isAdmin". It is meant for an account-manager, so they are able to do "user-management related" things.

Note: Via the API, users can only be created with "isOrganizationalAdmin=false". When needed, the user can subsequently be updated to "isOrganizationalAdmin=true", by an "isAdmin"-user.

Note: In practice "isAdmin"-users should also have the "isOrganizationAdmin"-attribute. This is not enforced in code, but is expected to be handled in each database.