diff --git a/src/organisation/router.py b/src/organisation/router.py
index 3f4fcbc..cd1cdb8 100644
--- a/src/organisation/router.py
+++ b/src/organisation/router.py
@@ -292,8 +292,9 @@ async def get_users(org_model: org_model_root_claim_query_dependency):
 )
 async def add_user_to_org(
 	db: db_dependency,
-	org_model: org_model_root_claim_body_dependency,
+	org_model: org_model_body_dependency,
 	user_model: user_model_body_dependency,
+	su: super_admin_dependency,
 	request_model: OrgPostUserRequest,
 ):
 	"""
diff --git a/test/test_auth_root.py b/test/test_auth_root.py
index e67bc6a..e068a55 100644
--- a/test/test_auth_root.py
+++ b/test/test_auth_root.py
@@ -71,26 +71,6 @@ async def test_get_org_users_auth_root(no_su_client: AsyncClient):
 	assert "Must be the org's root user" in resp.json()["detail"]
 
 
-@pytest.mark.anyio
-async def test_post_org_user_auth_root(no_su_client: AsyncClient, db_session):
-	db_session.add(
-		User(
-			email="user@test.org",
-			first_name="User",
-			last_name="Test",
-			oidc_id="abcd-efgh-ijkl-1234",
-		)
-	)
-	db_session.flush()
-
-	resp = await no_su_client.post(
-		"/org/user", json={"organisation_id": 2, "user_id": 2}
-	)
-	assert resp.status_code != 422
-	assert resp.status_code == 401
-	assert "Must be the org's root user" in resp.json()["detail"]
-
-
 @pytest.mark.anyio
 async def test_get_org_groups_auth_root(no_su_client: AsyncClient):
 	resp = await no_su_client.get("/org/groups?org_id=2")
diff --git a/test/test_auth_su.py b/test/test_auth_su.py
index 18319a4..1243796 100644
--- a/test/test_auth_su.py
+++ b/test/test_auth_su.py
@@ -67,7 +67,7 @@ async def test_post_service_auth_su(no_su_client: AsyncClient):
 
 
 @pytest.mark.anyio
-async def test_post_perm_success(no_su_client: AsyncClient, db_session):
+async def test_post_perm_auth_su(no_su_client: AsyncClient, db_session):
 	resp = await no_su_client.post(
 		"/iam/permission",
 		json={"service_id": 1, "resource": "test_resource", "action": "create"},
@@ -75,3 +75,23 @@ async def test_post_perm_success(no_su_client: AsyncClient, db_session):
 	assert resp.status_code != 422
 	assert resp.status_code == 401
 	assert resp.json()["detail"] == "Must be super admin"
+
+
+@pytest.mark.anyio
+async def test_post_org_user_auth_su(no_su_client: AsyncClient, db_session):
+	db_session.add(
+		User(
+			email="user@test.org",
+			first_name="User",
+			last_name="Test",
+			oidc_id="abcd-efgh-ijkl-1234",
+		)
+	)
+	db_session.flush()
+
+	resp = await no_su_client.post(
+		"/org/user", json={"organisation_id": 1, "user_id": 2}
+	)
+	assert resp.status_code != 422
+	assert resp.status_code == 401
+	assert "Must be super admin" in resp.json()["detail"]