diff --git a/notify-bc-lb/src/controllers/administrator.controller.ts b/notify-bc-lb/src/controllers/administrator.controller.ts
index 4c59b8cbf..e776c7061 100644
--- a/notify-bc-lb/src/controllers/administrator.controller.ts
+++ b/notify-bc-lb/src/controllers/administrator.controller.ts
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
+// file ported
 import {authenticate} from '@loopback/authentication';
 import {ApplicationConfig, CoreBindings, inject, service} from '@loopback/core';
 import {
@@ -178,7 +179,6 @@ export class AdministratorController extends BaseController {
 }
 @authenticate('anonymous')
- // start: ported
 @post('/administrators/login', {
 responses: {
 '200': {
@@ -254,7 +254,6 @@ export class AdministratorController extends BaseController {
 }
 return this.administratorRepository.count(where, undefined);
 }
- // end: ported
 @get('/administrators', {
 responses: {
@@ -311,7 +310,6 @@ export class AdministratorController extends BaseController {
 );
 }
- // start: ported
 @patch('/administrators/{id}', {
 responses: {
 '204': {
@@ -368,7 +366,6 @@ export class AdministratorController extends BaseController {
 undefined,
 );
 }
- // end: ported
 @del('/administrators/{id}', {
 responses: {
diff --git a/src/api/administrators/administrators.controller.ts b/src/api/administrators/administrators.controller.ts
index a9623797d..146232b60 100644
--- a/src/api/administrators/administrators.controller.ts
+++ b/src/api/administrators/administrators.controller.ts
@@ -19,6 +19,7 @@ import {
 ApiTags,
 } from '@nestjs/swagger';
 import { genSalt, hash } from 'bcryptjs';
+import { omit } from 'lodash';
 import { FilterQuery } from 'mongoose';
 import { AuthnStrategy, Role } from 'src/auth/constants';
 import { UserProfile } from 'src/auth/dto/user-profile.dto';
@@ -70,7 +71,7 @@ export class AdministratorsController {
 })
 count(@Req() req, @JsonQuery('where') where?: FilterQuery) {
 if (req?.user?.authnStrategy === AuthnStrategy.AccessToken) {
- where = { and: [where ?? {}, { id: req.user.securityId }] };
+ where = { $and: [where ?? {}, { id: req.user.securityId }] };
 }
 return this.administratorsService.count(where);
 }
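Review bot: The scoping clause `{ id: req.user.securityId }` only restricts the count if the Administrator schema declares a queryable `id` path; if `id` is the default Mongoose document virtual, the behaviour depends on `strictQuery` — the unknown path is either sent through and matches nothing (count always 0) or silently stripped, in which case the token-scoped caller gets the unrestricted count — so this should be confirmed against the schema. `where` from `@JsonQuery('where')` is merged into the query verbatim, so every operator the client supplies reaches the model; validating the decoded object at the decorator (rejecting `$`-prefixed keys the API does not intend to expose) would keep the `$and` wrapper from being the only control. `req` is an implicit `any` here; typing it as `Request & { user?: UserProfile }` (`UserProfile` is already imported in this file) would make the `req?.user?.authnStrategy` chain type-checked. The enclosing class continues outside the hunk.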
@@ -295,24 +296,65 @@ export class AdministratorsController {
 return this.administratorsService.update(id, updateAdministratorDto, req);
 }
- @Post()
- @Roles(Role.SuperAdmin)
- create(@Body() createAdministratorDto: CreateAdministratorDto, @Req() req) {
- return this.administratorsService.create(createAdministratorDto, req);
+ @Get(':id')
+ findOne(@Param('id') id: string, @Req() req): Promise {
+ if (
+ req.user.authnStrategy === AuthnStrategy.AccessToken &&
+ req.user.securityId !== id
+ ) {
+ throw new HttpException(undefined, HttpStatus.FORBIDDEN);
+ }
+ return this.administratorsService.findOne(id);
 }
- @Get()
- findAll() {
- return this.administratorsService.findAll();
+ @Delete(':id')
+ async remove(@Param('id') id: string, @Req() req) {
+ if (
+ req.user.authnStrategy === AuthnStrategy.AccessToken &&
+ req.user.securityId !== id
+ ) {
+ throw new HttpException(undefined, HttpStatus.FORBIDDEN);
+ }
+ await this.accessTokenService.removeAll({ userId: id });
+ await this.userCredentialService.removeAll({ userId: id });
+ this.administratorsService.remove(id);
 }
- @Get(':id')
- findOne(@Param('id') id: string) {
- return this.administratorsService.findOne(id);
+ @Post()
+ @Roles(Role.SuperAdmin)
+ async signUp(
+ @Body() createAdministratorDto: CreateAdministratorDto,
+ @Req() req,
+ ): Promise {
+ const savedUser = (
+ await this.administratorsService.create(
+ omit(createAdministratorDto, 'password'),
+ req,
+ )
+ ).toJSON();
+ await this.createCredential(savedUser.id, req, {
+ password: createAdministratorDto.password,
+ });
+ return savedUser;
 }
- @Delete(':id')
- remove(@Param('id') id: string) {
- return this.administratorsService.remove(id);
+ @Get()
+ @ApiFilterJsonQuery()
+ @ApiOkResponse({
+ description: 'Array of Administrator model instances',
+ type: [Administrator],
+ })
+ findAll(
+ @JsonQuery('filter')
+ filter: FilterDto,
+ @Req() req,
+ ) {
+ if (req.user.authnStrategy === AuthnStrategy.AccessToken) {
+ filter = filter ?? {};
+ filter.where = {
+ $and: [filter.where ?? {}, { id: req.user.securityId }],
+ };
+ }
+ return this.administratorsService.findAll(filter);
 }
 }
diff --git a/src/api/common/base.service.ts b/src/api/common/base.service.ts
index eb76c2fc4..404eafcce 100644
--- a/src/api/common/base.service.ts
+++ b/src/api/common/base.service.ts
@@ -122,7 +122,7 @@ export class BaseService {
 return this.findOneAndReplace(updateDto, { _id }, req, upsert);
 }
- findOneAndReplace(
+ async findOneAndReplace(
 updateDto,
 filter: FilterQuery | null,
 req: (Request & { user?: any }) | null,
@@ -132,12 +132,19 @@ export class BaseService {
 updateDto.updatedBy = req.user;
 updateDto.updated = new Date();
 }
- return this.model
+ const res = await this.model
 .findOneAndUpdate(filter, updateDto, {
 upsert,
 new: true,
+ includeResultMetadata: true,
 })
 .exec();
+ if (upsert && !res.lastErrorObject.updatedExisting) {
+ await this.model.findByIdAndUpdate(res.value._id, {
+ createdBy: req.user,
+ });
+ }
+ return res.value;
 }
 remove(id: string) {
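Review bot: In `remove`, `this.administratorsService.remove(id)` is not awaited, so the handler resolves before the administrator document is deleted and a failure there surfaces as an unhandled rejection rather than an error response; change it to `await this.administratorsService.remove(id);`. The write order is worth a comment: tokens and credentials are revoked before the administrator itself, so a failure on the last step leaves an administrator that exists but cannot authenticate, which is the safe direction for a partial failure. `findOne`, `remove` and `findAll` dereference `req.user.authnStrategy` directly while `count` in the same class uses `req?.user?.`; if any of these routes can be reached without an authenticated user this throws a TypeError (500) instead of the intended 401/403 — the class-level guards are not in the hunk, so confirm. In `signUp`, a failure inside `createCredential` leaves the administrator created with no credential; either remove the administrator on that failure or document that the super admin must retry through the credential endpoint.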
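Review bot: `createdBy: req.user` on the upsert branch dereferences `req`, which the signature in the previous hunk types as `(Request & { user?: any }) | null`, while the `updatedBy` assignment just above appears to sit inside a guard; this should read `createdBy: req?.user`. The follow-up `findByIdAndUpdate` is a second round-trip whose result is discarded, so `return res.value` hands back the document without `createdBy`; stamping it via `$setOnInsert` in the same `findOneAndUpdate` would make the insert atomic and return the stamped document, provided the shape of `updateDto` allows an operator key alongside it — confirm. `res.value` is `null` when `upsert` is false and nothing matched, which callers of `findOneAndReplace` need to handle; a short TSDoc line on the method stating that would help. `findOneAndReplace` starts in the previous hunk and `remove` continues outside this one.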