the API endpoint that you use to grant another user access to a thing would check whether the calling user has the correct admin permission