Organization Administrator Manages User Role Assignments Within Their Organization
The Organization Administrator has elevated permissions to manage user roles within their organizational scope. Through the admin interface, the org admin can assign the peer mentor, coordinator, or organization administrator roles to users, modify existing role assignments, and revoke access when users leave the organization or change roles. All role assignments are stored in the User Role Repository and validated through the Role Authorization Service on every assignment request, so the scope limits hold regardless of what the admin interface chooses to display. The org admin's actions are scoped to their own organization: they cannot view or assign roles for users in other organizations, and they cannot grant global admin access to anyone, themselves included.
User Story
Acceptance Criteria
- Given a user authenticated as an Organization Administrator, when they navigate to user management, then they see all users within their organization with their current role assignments
- Given an Organization Administrator assigns a role to a user, when the assignment is saved, then the User Role Repository is updated and the affected user's next session reflects the new role
- Given an Organization Administrator assigns a role, when the change is persisted, then the affected user's cached role data is invalidated so stale permissions are not used
- Given an Organization Administrator attempts to assign a global admin role, when they submit the assignment, then the Role Authorization Service rejects the action with an appropriate error message and no assignment is persisted
- Given an Organization Administrator revokes a user's role, when the revocation is saved, then the User Role Repository is updated, the affected user's cached role data is invalidated, and the user's next session no longer has access to the revoked role's features
- Given an Organization Administrator is scoped to Organization A, when they access user management, then they cannot view or modify users from Organization B
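The acceptance criteria above describe an authorization check with three rules: the actor must hold the org admin role, the target user must belong to the actor's organization, and the requested role must come from a fixed allowlist that excludes global admin. The following is an added example written for this page, not code from the project or its Role Authorization Service; class names such as RoleAuthorizationService, UserRoleRepository and RoleCache, the method names, and the sample users are illustrative assumptions. It shows the checks as a practitioner would write them: server-side, against repository data rather than client-supplied org IDs, with a single "not found in your organization" error for both missing and foreign-org users so that user IDs in other organizations cannot be probed, and with cache invalidation on every change so stale permissions are not served.

```python
# Added example, not the project's own code: a minimal Role Authorization
# Service enforcing the org-admin scoping rules from the acceptance criteria.
# Class, method and identifier names are illustrative assumptions.
from dataclasses import dataclass, field
from enum import Enum


class Role(str, Enum):
    PEER_MENTOR = "peer_mentor"
    COORDINATOR = "coordinator"
    ORG_ADMIN = "org_admin"
    GLOBAL_ADMIN = "global_admin"


# Explicit allowlist of roles an org admin may grant or revoke. GLOBAL_ADMIN is
# absent, so it is rejected by default rather than by a special-case branch.
ORG_ADMIN_ASSIGNABLE = frozenset({Role.PEER_MENTOR, Role.COORDINATOR, Role.ORG_ADMIN})


class AuthorizationError(Exception):
    """Raised when a role change is outside the actor's scope."""


@dataclass
class User:
    user_id: str
    org_id: str
    roles: set = field(default_factory=set)


class RoleCache:
    """Stand-in for the per-user role cache consulted by the Permission Guard."""

    def __init__(self):
        self._entries = {}
        self.invalidated = []  # record of invalidations, checked by the usage below

    def get(self, user_id):
        return self._entries.get(user_id)

    def put(self, user_id, roles):
        self._entries[user_id] = frozenset(roles)

    def invalidate(self, user_id):
        self._entries.pop(user_id, None)
        self.invalidated.append(user_id)


class UserRoleRepository:
    """In-memory stand-in for the User Role Repository."""

    def __init__(self, users):
        self._users = {u.user_id: u for u in users}

    def get(self, user_id):
        return self._users.get(user_id)

    def list_in_org(self, org_id):
        return [u for u in self._users.values() if u.org_id == org_id]


class RoleAuthorizationService:
    def __init__(self, repo, cache):
        self.repo, self.cache = repo, cache

    def _require_org_admin(self, actor):
        if Role.ORG_ADMIN not in actor.roles:
            raise AuthorizationError("actor is not an organization administrator")

    def _target_in_scope(self, actor, target_id):
        # Scope is decided from repository data, never from a client-supplied org_id.
        self._require_org_admin(actor)
        target = self.repo.get(target_id)
        # One error for "no such user" and "user in another organization", so an
        # org admin cannot enumerate user IDs that exist in other organizations.
        if target is None or target.org_id != actor.org_id:
            raise AuthorizationError("user not found in your organization")
        return target

    def list_users(self, actor):
        self._require_org_admin(actor)
        return self.repo.list_in_org(actor.org_id)

    def assign_role(self, actor, target_id, role):
        target = self._target_in_scope(actor, target_id)
        if role not in ORG_ADMIN_ASSIGNABLE:
            raise AuthorizationError(f"role {role.value} cannot be assigned by an org admin")
        target.roles.add(role)
        self.cache.invalidate(target.user_id)  # next permission check reloads roles
        return target

    def revoke_role(self, actor, target_id, role):
        target = self._target_in_scope(actor, target_id)
        if role not in ORG_ADMIN_ASSIGNABLE:
            raise AuthorizationError(f"role {role.value} cannot be revoked by an org admin")
        target.roles.discard(role)
        self.cache.invalidate(target.user_id)
        return target


def build_demo():
    """Constructed sample data: two organizations, one org admin in org-a."""
    admin_a = User("admin-a", "org-a", {Role.ORG_ADMIN})
    repo = UserRoleRepository([
        admin_a,
        User("vol-1", "org-a", {Role.PEER_MENTOR}),
        User("vol-2", "org-b", {Role.COORDINATOR}),
    ])
    cache = RoleCache()
    cache.put("vol-1", {Role.PEER_MENTOR})  # warm cache entry that must be dropped
    return RoleAuthorizationService(repo, cache), admin_a, cache
```

Calling build_demo() and then assign_role(admin_a, "vol-1", Role.COORDINATOR) updates the repository and drops vol-1's cache entry; assign_role with Role.GLOBAL_ADMIN, or any call targeting vol-2 in org-b, raises AuthorizationError before anything is written. Keeping the role allowlist as data rather than as an if/else chain is the design choice worth copying: a new role added to the enum stays unassignable by org admins until someone deliberately adds it to the allowlist.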
Business Value
Organizations need to manage volunteer and staff role changes independently without requiring platform-level support intervention. An organization administrator's ability to self-manage role assignments reduces onboarding time for new coordinators and peer mentors, and ensures that departing volunteers have their access revoked promptly, in line with least-privilege practice and GDPR's integrity and confidentiality principle, which requires that personal data be protected against unauthorised access. This is especially important for NHF with 1,400 local associations whose membership rosters change frequently.
Components
- Role Authorization Service (service)
- User Role Repository (data)
- Permission Guard (service)
- Role Config Store (data)