Maybe I’m missing something.
But it seems like that in order for an agent to be able to add users/organizations without a ticket, that they need admin access to the users/organizations.
But with admin access they are also able to set a user to Admin.
Admin-Rights to not exist for Organizations, but especially “shared organization” is a potential data security issue which you don’t want to hand to everyone.
As for users/customers: You can do that with normal agent right.
The only thing you can’t do at that point is resetting a password or changing rights