When a users access any "get all" route the results should only return information the user has access to, for example within the users organization.
An exception to this is system administrators can receive all information.
#86 and #87 need to be implemented before this can be done.
