...
This controller allows for creating org chart teams entries and assigning their hierarchy. Changes are only allowed if the authenticated user is an administrator or is a member of an ancestor (parent, parent of parent, etc) team of the team being updated. If the parent is being changed then the authenticated user needs to belong to the new parent team (or an ancestor) as well.
GET /odata/OrganizationTeamHierarchies(id)
...
This controller provides read/write access to User (=> employee/personnel) records. Changes are only allowed if the authenticated user is an administrator or member of a team that is an ancestor of one of the teams the user belongs to. Only administrators can change the SecurityLevel property; a change to this by a non-administrator will fail with a 400 return code.
GET /odata/Users(id)
Retrieve the User object for the given id.
...
Get all accessible user objects. Administrators can see all users but otherwise only users in teams managed by teams that are descendants of the teams for the authenticated user will be visible.
...