The owning organization or user should already have full admin on all endpoints.

Malicious apps and attackers should not.