diff --git a/internal/authorization/schema.openfga b/internal/authorization/schema.openfga
index c6834ded1..7ca85c7a1 100644
--- a/internal/authorization/schema.openfga
+++ b/internal/authorization/schema.openfga
@@ -14,9 +14,9 @@ type role
 define can_create: [user, role#assignee, group#member] or admin from privileged
 define can_delete: [user, role#assignee, group#member] or admin from privileged
- define can_edit: [user, role#assignee, group#member] or admin from privileged
- define can_view: [user, user:*, role#assignee, group#member] or admin from privileged
-
+ define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete
+ define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit
+
 type group
 relations
 define privileged: [privileged]
 
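Review bot: The new `or can_delete` and `or can_edit` tails on `role` turn four independent permissions into an implication chain (can_delete ⇒ can_edit ⇒ can_view) without any statement of that intent in the schema, so a later maintainer who writes a `can_delete` tuple for a `group#member` may not realize it now also grants edit and view; a comment above the first chained definition, e.g. `# permission hierarchy: can_delete implies can_edit, can_edit implies can_view; can_create is deliberately independent`, would make the widening explicit. `can_create` is the only permission left outside the chain, so a subject holding just `can_create` still cannot `can_view` objects of that type — if that is intended the comment should say so, and if not the decision should be made explicitly rather than left implicit. The second hunk repeats the identical change for group, identity, scheme, client, provider, rule and application, and this note applies to each of those blocks as well. If the repository keeps OpenFGA model tests, add a case per type asserting that a single `can_delete` tuple now satisfies `can_edit` and `can_view`, since nothing in either hunk pins the new transitive behaviour.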
@@ -24,61 +24,61 @@ type group define can_create: [user, role#assignee, group#member] or admin from privileged define can_delete: [user, role#assignee, group#member] or admin from privileged - define can_edit: [user, role#assignee, group#member] or admin from privileged - define can_view: [user, user:*, role#assignee, group#member] or admin from privileged + define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete + define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit type identity relations define privileged: [privileged] - + define can_create: [user, role#assignee, group#member] or admin from privileged define can_delete: [user, role#assignee, group#member] or admin from privileged - define can_edit: [user, role#assignee, group#member] or admin from privileged - define can_view: [user, user:*, role#assignee, group#member] or admin from privileged - + define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete + define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit + type scheme relations define privileged: [privileged] - + define can_create: [user, role#assignee, group#member] or admin from privileged define can_delete: [user, role#assignee, group#member] or admin from privileged - define can_edit: [user, role#assignee, group#member] or admin from privileged - define can_view: [user, user:*, role#assignee, group#member] or admin from privileged - + define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete + define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit + type client relations define privileged: [privileged] - + define can_create: [user, role#assignee, group#member] or admin from privileged define can_delete: [user, role#assignee, group#member] or admin from privileged - define can_edit: [user, role#assignee, group#member] or 
admin from privileged - define can_view: [user, user:*, role#assignee, group#member] or admin from privileged + define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete + define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit type provider relations define privileged: [privileged] - + define can_create: [user, role#assignee, group#member] or admin from privileged define can_delete: [user, role#assignee, group#member] or admin from privileged - define can_edit: [user, role#assignee, group#member] or admin from privileged - define can_view: [user, user:*, role#assignee, group#member] or admin from privileged + define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete + define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit type rule relations define privileged: [privileged] - + define can_create: [user, role#assignee, group#member] or admin from privileged define can_delete: [user, role#assignee, group#member] or admin from privileged - define can_edit: [user, role#assignee, group#member] or admin from privileged - define can_view: [user, user:*, role#assignee, group#member] or admin from privileged + define can_edit: [user, role#assignee, group#member] or admin from privileged or can_delete + define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit # need to model how to assign applications for the login UI, if copying current model or adjusting it type application relations define privileged: [privileged] - + define can_create: [user, role#assignee, group#member] or admin from privileged define can_delete: [user, role#assignee, group#member] or admin from privileged - define can_edit: [user, role#assignee, group#member] or admin from privileged - define can_view: [user, user:*, role#assignee, group#member] or admin from privileged + define can_edit: [user, role#assignee, 
group#member] or admin from privileged or can_delete + define can_view: [user, user:*, role#assignee, group#member] or admin from privileged or can_edit