Organization admin access - global-121/121-platform GitHub Wiki

This page contains a description of Organization admin access.

121 endpoints are protected in two ways. Permissions are program-specific (see Roles and permissions in the 121 Platform User Manual). The "isAdmin" user attribute is valid across programs and protects endpoints that only admins should call.

Additionally, 121 now has the "isOrganizationalAdmin" user attribute, which also applies across programs but grants more limited access than "isAdmin". It is meant for an account manager user. Specifically, it protects:

  • POST /users (so the account manager can create additional users her/himself)
    • Note that this endpoint can only create users with "isOrganizationalAdmin"=false. Where needed, the user can subsequently be updated to "isOrganizationalAdmin"=true using the PATCH /users/:userId endpoint, which is "isAdmin"-protected.
  • PATCH /users/password (so the account manager can reset a password for a user her/himself)
  • POST /programs
  • PATCH /programs/:programId/registrations

Note that in practice "isAdmin" users should also have "isOrganizationAdmin"=true, as otherwise they do not have access to the above endpoints. This is not enforced in code, but is expected to be handled in the database. It was handled at release via a one-time migration.
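
The flag model described on this page, as an added TypeScript example (not 121-platform code): a guard table for the endpoints listed above and an audit that finds "isAdmin" users missing the organization-admin flag, the condition the page says is not enforced in code. The `User` shape, the function names and the sample users are assumptions constructed for illustration; the attribute is spelled "isOrganizationalAdmin" as in the endpoint list.

```typescript
// Added example, not 121-platform code. Types, names and sample data are assumptions.
type Guard = "isAdmin" | "isOrganizationalAdmin";

interface User {
  id: number;
  username: string;
  isAdmin: boolean;
  isOrganizationalAdmin: boolean;
}

// Which attribute protects which endpoint, as listed on this page.
const ENDPOINT_GUARDS: Record<string, Guard> = {
  "POST /users": "isOrganizationalAdmin",
  "PATCH /users/password": "isOrganizationalAdmin",
  "POST /programs": "isOrganizationalAdmin",
  "PATCH /programs/:programId/registrations": "isOrganizationalAdmin",
  "PATCH /users/:userId": "isAdmin",
};

// Each guard checks exactly one attribute: "isAdmin" does not imply the other flag.
function canCall(user: User, endpoint: string): boolean {
  const guard: Guard | undefined = ENDPOINT_GUARDS[endpoint];
  if (guard === undefined) return false; // unknown endpoint: deny by default
  return user[guard] === true;
}

interface Finding { userId: number; username: string; lockedOut: string[] }

// Report admins missing the organization-admin flag (the invariant kept only in data).
function auditAdminFlags(users: User[]): Finding[] {
  return users
    .filter((u) => u.isAdmin && !u.isOrganizationalAdmin)
    .map((u) => ({
      userId: u.id,
      username: u.username,
      lockedOut: Object.keys(ENDPOINT_GUARDS).filter((e) => !canCall(u, e)),
    }));
}

// Constructed sample rows, not real accounts.
const SAMPLE_USERS: User[] = [
  { id: 1, username: "platform-admin", isAdmin: true, isOrganizationalAdmin: true },
  { id: 2, username: "legacy-admin", isAdmin: true, isOrganizationalAdmin: false },
  { id: 3, username: "account-manager", isAdmin: false, isOrganizationalAdmin: true },
  { id: 4, username: "field-user", isAdmin: false, isOrganizationalAdmin: false },
];
```

Run periodically against an export of the user table, an audit like `auditAdminFlags` surfaces accounts created after the one-time migration that no longer satisfy the expected flag combination.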