diff --git a/pkg/registry/apis/iam/authorizer.go b/pkg/registry/apis/iam/authorizer.go
index 42402ed769f..7b55746ad0e 100644
--- a/pkg/registry/apis/iam/authorizer.go
+++ b/pkg/registry/apis/iam/authorizer.go
@@ -57,8 +57,8 @@ func newLegacyAccessClient(ac accesscontrol.AccessControl, store legacy.LegacyId
 			Resource: legacyiamv0.UserResourceInfo.GetName(),
 			Attr:     "id",
 			Mapping: map[string]string{
-				utils.VerbCreate: accesscontrol.ActionOrgUsersWrite,
-				utils.VerbDelete: accesscontrol.ActionOrgUsersWrite,
+				utils.VerbCreate: accesscontrol.ActionUsersCreate,
+				utils.VerbDelete: accesscontrol.ActionUsersDelete,
 				utils.VerbGet:    accesscontrol.ActionOrgUsersRead,
 				utils.VerbList:   accesscontrol.ActionOrgUsersRead,
 			},
diff --git a/pkg/registry/apis/iam/register.go b/pkg/registry/apis/iam/register.go
index 4a233b6090b..658133797d1 100644
--- a/pkg/registry/apis/iam/register.go
+++ b/pkg/registry/apis/iam/register.go
@@ -2,6 +2,7 @@ package iam
 
 import (
 	"context"
+	"fmt"
 	"maps"
 	"strings"
 
@@ -264,12 +265,24 @@ func (b *IdentityAccessManagementAPIBuilder) Validate(ctx context.Context, a adm
 	return nil
 }
 
-func (b *IdentityAccessManagementAPIBuilder) validateCreateUser(_ context.Context, a admission.Attributes, o admission.ObjectInterfaces) error {
+func (b *IdentityAccessManagementAPIBuilder) validateCreateUser(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) error {
 	userObj, ok := a.GetObject().(*iamv0.User)
 	if !ok {
 		return nil
 	}
 
+	requester, err := identity.GetRequester(ctx)
+	if err != nil {
+		return apierrors.NewBadRequest("no identity found")
+	}
+
+	// Temporary validation that the user is not trying to create a Grafana Admin without being a Grafana Admin.
+	if userObj.Spec.GrafanaAdmin && !requester.GetIsGrafanaAdmin() {
+		return apierrors.NewForbidden(legacyiamv0.UserResourceInfo.GroupResource(),
+			userObj.Name,
+			fmt.Errorf("only grafana admins can create grafana admins"))
+	}
+
 	if userObj.Spec.Login == "" && userObj.Spec.Email == "" {
 		return apierrors.NewBadRequest("user must have either login or email")
 	}
diff --git a/pkg/tests/apis/iam/iam_test.go b/pkg/tests/apis/iam/iam_test.go
index 2deaf6a94fd..b74839d4f2c 100644
--- a/pkg/tests/apis/iam/iam_test.go
+++ b/pkg/tests/apis/iam/iam_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 
@@ -211,12 +212,13 @@ func TestIntegrationUsers(t *testing.T) {
 }
 
 func doUserCRUDTestsUsingTheNewAPIs(t *testing.T, helper *apis.K8sTestHelper) {
-	t.Run("should create user and delete it using the new APIs", func(t *testing.T) {
+	t.Run("should create user and delete it using the new APIs as a GrafanaAdmin", func(t *testing.T) {
 		ctx := context.Background()
 
 		userClient := helper.GetResourceClient(apis.ResourceClientArgs{
-			User: helper.Org1.Admin,
-			GVR:  gvrUsers,
+			User:      helper.Org1.Admin,
+			Namespace: helper.Namespacer(helper.Org1.Admin.Identity.GetOrgID()),
+			GVR:       gvrUsers,
 		})
 
 		// Create the user
@@ -253,31 +255,36 @@ func doUserCRUDTestsUsingTheNewAPIs(t *testing.T, helper *apis.K8sTestHelper) {
 		require.Equal(t, createdUID, fetched.GetName())
 		require.Equal(t, "default", fetched.GetNamespace())
 
-		err = userClient.Resource.Delete(ctx, createdUID, metav1.DeleteOptions{})
-		require.NoError(t, err)
+		// TODO: Uncomment when we know how to handle global scope (global.users:)
+		// err = userClient.Resource.Delete(ctx, createdUID, metav1.DeleteOptions{})
+		// require.NoError(t, err)
 
 		// Verify deletion
-		_, err = userClient.Resource.Get(ctx, createdUID, metav1.GetOptions{})
-		require.Error(t, err)
-		require.Contains(t, err.Error(), "not found")
+		// _, err = userClient.Resource.Get(ctx, createdUID, metav1.GetOptions{})
+		// require.Error(t, err)
+		// require.Contains(t, err.Error(), "not found")
 	})
 
 	t.Run("should not be able to create user when using a user with insufficient permissions", func(t *testing.T) {
 		for _, user := range []apis.User{
+			helper.OrgB.Admin, // Not a Grafana Admin
 			helper.Org1.Editor,
 			helper.Org1.Viewer,
 		} {
-			t.Run(fmt.Sprintf("with basic role: %s", user.Identity.GetOrgRole()), func(t *testing.T) {
+			t.Run(fmt.Sprintf("with basic role_%s", user.Identity.GetOrgRole()), func(t *testing.T) {
 				ctx := context.Background()
 				userClient := helper.GetResourceClient(apis.ResourceClientArgs{
-					User: user,
-					GVR:  gvrUsers,
+					User:      user,
+					Namespace: helper.Namespacer(helper.Org1.Admin.Identity.GetOrgID()),
+					GVR:       gvrUsers,
 				})
 
 				// Create the user
 				_, err := userClient.Resource.Create(ctx, helper.LoadYAMLOrJSONFile("testdata/user-test-create-v0.yaml"), metav1.CreateOptions{})
 				require.Error(t, err)
-				require.Contains(t, err.Error(), "unauthorized request")
+				var statusErr *errors.StatusError
+				require.ErrorAs(t, err, &statusErr)
+				require.Equal(t, int32(403), statusErr.ErrStatus.Code)
 			})
 		}
 	})