diff --git a/packages/auth/src/middleware/authenticated.js b/packages/auth/src/middleware/authenticated.js
index 34ed0ec186..5d9056b19a 100644
--- a/packages/auth/src/middleware/authenticated.js
+++ b/packages/auth/src/middleware/authenticated.js
@@ -43,6 +43,7 @@ module.exports = (noAuthPatterns = [], opts) => {
     // this is an internal request, no user made it
     if (apiKey && apiKey === env.INTERNAL_API_KEY) {
       ctx.isAuthenticated = true
+      ctx.internal = true
     } else if (authCookie) {
       try {
         const db = database.getDB(StaticDatabases.GLOBAL.name)
diff --git a/packages/builder/src/pages/builder/portal/manage/users/index.svelte b/packages/builder/src/pages/builder/portal/manage/users/index.svelte
index d88577c91b..0c136574d7 100644
--- a/packages/builder/src/pages/builder/portal/manage/users/index.svelte
+++ b/packages/builder/src/pages/builder/portal/manage/users/index.svelte
@@ -22,6 +22,7 @@
   const schema = {
     email: {},
     developmentAccess: { displayName: "Development Access", type: "boolean" },
+    adminAccess: { displayName: "Admin Access", type: "boolean" },
     // role: { type: "options" },
     group: {},
     // access: {},
@@ -36,6 +37,7 @@
     ...user,
     group: ["All users"],
     developmentAccess: user.builder.global,
+    adminAccess: user.admin.global,
   }))
 
   let createUserModal
diff --git a/packages/worker/src/api/routes/admin/email.js b/packages/worker/src/api/routes/admin/email.js
index d3d0d4faae..a36dc5de91 100644
--- a/packages/worker/src/api/routes/admin/email.js
+++ b/packages/worker/src/api/routes/admin/email.js
@@ -2,6 +2,7 @@
 const Router = require("@koa/router")
 const controller = require("../../controllers/admin/email")
 const { EmailTemplatePurpose } = require("../../../constants")
 const joiValidator = require("../../../middleware/joi-validator")
+const adminOnly = require("../../../middleware/adminOnly")
 const Joi = require("joi")
 const router = Router()
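Review bot: The new `ctx.internal = true` turns a match on `INTERNAL_API_KEY` into an admin-equivalent credential for every route behind adminOnly, but nothing at the assignment says so; add `// trusted service-to-service call: adminOnly treats ctx.internal as admin.global` above it. Because that flag is now security-critical, the `apiKey === env.INTERNAL_API_KEY` comparison on the line above is worth moving to a length-checked `crypto.timingSafeEqual` so the key cannot be probed byte by byte, although that line is not part of this change. In this branch `ctx.user` is never set, so handlers reached through adminOnly must tolerate an internal request with no user, which I cannot confirm from the hunk. The enclosing middleware starts before and continues past the hunk.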
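Review bot: `adminAccess: user.admin.global` in the second index.svelte hunk throws a TypeError for any user record that has no `admin` object, and adminOnly.js in this same commit explicitly guards `!ctx.user.admin`, which suggests such records exist; one such record would break rendering of the whole user list. Use `adminAccess: user.admin?.global ?? false`, or `!!(user.admin && user.admin.global)` if the build does not support optional chaining. The sibling `developmentAccess: user.builder.global` line has the same exposure but is pre-existing. The map callback begins before the hunk.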
@@ -21,6 +22,7 @@ function buildEmailSendValidation() {
 router.post(
   "/api/admin/email/send",
   buildEmailSendValidation(),
+  adminOnly,
   controller.sendEmail
 )
diff --git a/packages/worker/src/api/routes/admin/users.js b/packages/worker/src/api/routes/admin/users.js
index 1e7461fd26..6a6654f5e6 100644
--- a/packages/worker/src/api/routes/admin/users.js
+++ b/packages/worker/src/api/routes/admin/users.js
@@ -54,16 +54,9 @@ router
     buildUserSaveValidation(),
     controller.save
   )
-  .get("/api/admin/users", controller.fetch)
-  .post("/api/admin/users/init", controller.adminUser)
-  .get("/api/admin/users/self", controller.getSelf)
-  .post(
-    "/api/admin/users/self",
-    buildUserSaveValidation(true),
-    controller.updateSelf
-  )
+  .get("/api/admin/users", adminOnly, controller.fetch)
   .delete("/api/admin/users/:id", adminOnly, controller.destroy)
-  .get("/api/admin/users/:id", controller.find)
+  .get("/api/admin/users/:id", adminOnly, controller.find)
   .get("/api/admin/roles/:appId")
   .post(
     "/api/admin/users/invite",
@@ -71,10 +64,18 @@ router
     buildInviteValidation(),
     controller.invite
   )
+  // non-admin endpoints
+  .post(
+    "/api/admin/users/self",
+    buildUserSaveValidation(true),
+    controller.updateSelf
+  )
   .post(
     "/api/admin/users/invite/accept",
     buildInviteAcceptValidation(),
     controller.inviteAccept
   )
+  .post("/api/admin/users/init", controller.adminUser)
+  .get("/api/admin/users/self", controller.getSelf)
 
 module.exports = router
diff --git a/packages/worker/src/middleware/adminOnly.js b/packages/worker/src/middleware/adminOnly.js
index 507fbda9a2..8f56eb7943 100644
--- a/packages/worker/src/middleware/adminOnly.js
+++ b/packages/worker/src/middleware/adminOnly.js
@@ -1,5 +1,5 @@
 module.exports = async (ctx, next) => {
-  if (!ctx.user || !ctx.user.admin || !ctx.user.admin.global) {
+  if (!ctx.internal && (!ctx.user || !ctx.user.admin || !ctx.user.admin.global)) {
     ctx.throw(403, "Admin user only endpoint.")
   }
   return next()
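Review bot: `adminOnly` is inserted after `buildEmailSendValidation()` in `router.post("/api/admin/email/send", ...)`, so a non-admin caller's body is validated first and receives Joi's validation errors, including whatever they reveal about the expected payload, before the 403; authorization should run before input validation. Swap the two so the argument list reads `"/api/admin/email/send", adminOnly, buildEmailSendValidation(), controller.sendEmail`. The `router.post(...)` call is complete within the hunk.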
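Review bot: `.get("/api/admin/users", adminOnly, controller.fetch)` and the `:id` find route now carry the guard, but the `.post("/api/admin/users/invite", ...)` call that opens at the bottom of this hunk shows no `adminOnly` in the visible part, and its middleware list continues across one hidden line into the next hunk as `buildInviteValidation(), controller.invite`. If that hidden line is not `adminOnly,`, any authenticated user can invite others, the same class of gap this commit closes for list and find, so it is worth confirming. The `controller.save` route at the top also starts outside the hunk, so its guard cannot be checked here.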
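Review bot: `.post("/api/admin/users/init", controller.adminUser)` is now filed under `// non-admin endpoints` with no middleware at all, yet it creates the admin user; unless `controller.adminUser` refuses once any admin exists, which is not visible here, this is an unauthenticated path to a global admin account. State that invariant at the route, e.g. `// init: bootstrap-only, controller must reject once an admin user exists`. The `// non-admin endpoints` comment also undersells the self routes, which still rely on the upstream authenticated middleware populating ctx.user; `// authenticated but not admin-only endpoints (init and invite/accept are bootstrap paths)` would be more precise. The router chain starts before the hunk.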
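Review bot: The new condition in adminOnly.js is correct but `ctx.internal` is an undocumented trust flag and the nested negations are hard to read; if the worker's Node version supports optional chaining, `if (!ctx.internal && !ctx.user?.admin?.global) {` with a comment `// ctx.internal is set only by the auth middleware for INTERNAL_API_KEY requests; never derive it from request data` says what is trusted and why. A request admitted via `ctx.internal` arrives with no `ctx.user`, so every handler behind this middleware must cope with a missing user, which I cannot verify from this hunk. The arrow function's closing brace is outside the hunk.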