Difference between organisation_admin and role admin within organisation #599

@oharsta

Description

SURF Access representative role maps to the OrgAdmin (for institutions) in SURF Access UI. The SURF Access representative role is a formal role on SURF level that is assigned by the ICP (Instellingscontactpersoon) via Mijn SURF.

  • Therefore, it should not be possible for the SURF Access representative to assign the OrgAdmin role within SURF Access.
  • For non-institution admins, it is possible to assign admin roles on the same level.

Some backend endpoints are protected with isSuperUser || isInstitutionAdmin. The latter only checks whether the user has the entitlements from the IdentityProvider, and subsequently a 403 is thrown when a regular admin (e.g. a user who has accepted an invitation with the role admin) tries to access this endpoint. For example, looking at the details of an enabled application, which also fetches the policies: the institution_admin is allowed to access this, but a regular admin is not.

  • Describe what the differences (if any) are for institution admins and regular admins, and align the implementation.
  • Do we allow non-institution admins to become regular admins? And to approve connection requests, etc.?
  • Align permissions in the backend and frontend too, to prevent 403s being thrown.
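The gap described above, as an added illustration that is not SURF Access code: a small Python model of the `isSuperUser || isInstitutionAdmin` guard beside an aligned guard that also admits an invited admin of the same organisation, plus the rule that the OrgAdmin role is never assignable inside the application. Role names, the `institution_admin_for` attribute and the sample users are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    ORG_ADMIN = "institution_admin"  # comes only from the IdP entitlement (via Mijn SURF)
    ADMIN = "admin"                  # granted by accepting an invitation


@dataclass(frozen=True)
class Membership:
    organisation_id: str
    role: Role


@dataclass(frozen=True)
class User:
    sub: str
    super_user: bool = False
    institution_admin_for: frozenset = frozenset()  # org ids asserted by the IdP (assumed field)
    memberships: tuple = ()                          # invitation-based memberships


def is_institution_admin(user: User, org_id: str) -> bool:
    return org_id in user.institution_admin_for


def is_admin_member(user: User, org_id: str) -> bool:
    return any(m.organisation_id == org_id and m.role is Role.ADMIN for m in user.memberships)


def can_view_application_current(user: User, org_id: str) -> bool:
    """The guard the issue describes: isSuperUser || isInstitutionAdmin. Invited admins get a 403."""
    return user.super_user or is_institution_admin(user, org_id)


def can_view_application_aligned(user: User, org_id: str) -> bool:
    """Aligned guard: an invited admin of the same organisation also passes; other orgs stay denied."""
    return can_view_application_current(user, org_id) or is_admin_member(user, org_id)


def can_assign_role(actor: User, org_id: str, role: Role) -> bool:
    """ORG_ADMIN is never assignable in the application (it is assigned by the ICP via Mijn SURF);
    ADMIN may be assigned by a super user or by an admin at the same organisation level."""
    if role is Role.ORG_ADMIN:
        return False
    return actor.super_user or is_institution_admin(actor, org_id) or is_admin_member(actor, org_id)


# Constructed sample users for the scenario in the issue.
ORG = "org-example"
INSTITUTION_ADMIN = User("alice", institution_admin_for=frozenset({ORG}))
INVITED_ADMIN = User("bob", memberships=(Membership(ORG, Role.ADMIN),))
```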
