diff --git a/.env b/.env
index 907caec3..47693076 100644
--- a/.env
+++ b/.env
@@ -17,7 +17,7 @@ COMPOSE_PROJECT_NAME=resop
 
 IMAGE_BUILD_TAG=dev
 
-APP_NB_USERS=10
+APP_NB_USERS=15
 APP_NB_AVAILABILITIES=3
 APP_SLOT_INTERVAL="+2 hours"
 
@@ -35,3 +35,7 @@ APP_SECRET=782bb8b0aeb47de4ea870794e79d82cd
 # IMPORTANT: You MUST configure your server version, either here or in config/packages/doctrine.yaml
 DATABASE_URL=postgresql://resop:postgrespwd@postgres/resop?serverVersion=11&charset=utf8
 ###< doctrine/doctrine-bundle ###
+
+###> symfony/mailer ###
+MAILER_DSN=smtp://mailcatcher:25
+###< symfony/mailer ###
diff --git a/.env.test b/.env.test
index 47001204..69562c40 100644
--- a/.env.test
+++ b/.env.test
@@ -5,3 +5,4 @@ SYMFONY_DEPRECATIONS_HELPER=disabled
 DATABASE_URL=postgresql://resop:postgrespwd@postgres/resop-test?serverVersion=11&charset=utf8
 PANTHER_CHROME_ARGUMENTS="--headless --no-sandbox"
 PANTHER_APP_ENV=panther
+APP_SLOT_INTERVAL="+2 hours"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 51364301..1ceee53a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,7 +22,7 @@ jobs:
             -   name: Get the version
                 id: vars
                 run: |
-                    echo ::set-output name=BUILD_TAG::$(git describe --tags)
+                    echo ::set-output name=BUILD_TAG::$(git describe --tags --always)
                     echo ::set-output name=CI_COMMIT_REF_SLUG::${GITHUB_REF#refs/*/}
 
             -   name: Pull existing Docker image
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8e6dd74b..ed221c5c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,6 +19,7 @@ env:
     APP_DEBUG: 0
     DATABASE_SERVER_VERSION: 11 # update service "postgresql" if this value change
     PANTHER_CHROME_DRIVER_BINARY: /usr/bin/chromedriver
+    MAILER_DSN: smtp://localhost:25
 
 jobs:
     php:
@@ -32,6 +33,11 @@ jobs:
                     - 5432:5432
                 # needed because the postgres container does not provide a healthcheck
                 options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
+            mailcatcher:
+                image: tophfr/mailcatcher:0.6.5
+                ports:
+                    - 1080:80
+                    - 25:25
 
         steps:
             - name: set DATABASE_URL environment variable
@@ -72,7 +78,7 @@ jobs:
               if: always()
 
             - name: Install composer dependencies
-              run: composer install --no-progress --no-suggest --prefer-dist --optimize-autoloader
+              run: composer install --no-progress --prefer-dist --optimize-autoloader
 
             - name: Cache node_modules
               uses: actions/cache@v1
@@ -133,6 +139,7 @@ jobs:
             - name: Run Behat tests
               run: |
                   bin/post-install-test.sh
+                  sed -i 's#http://mailcatcher#http://localhost:1080#' behat.yml.dist
                   vendor/bin/behat --format=progress --out=std --format=junit --out=var/behat --tags '~@javascript'
               if: always()
 
diff --git a/Makefile b/Makefile
index 351d8138..67690faf 100644
--- a/Makefile
+++ b/Makefile
@@ -35,14 +35,13 @@ build-prod:
 	docker build -t resop:latest -f docker/php-flex/Dockerfile .
 
 start-db:
-	$(DOCKER_COMPOSE_UP) traefik postgres adminer
+	$(DOCKER_COMPOSE_UP) traefik postgres adminer mailcatcher
 	docker-compose run --rm wait -c postgres:5432
 
 start-php:
 	$(DOCKER_COMPOSE_UP_RECREATE) traefik nginx fpm
 	docker-compose run --rm wait -c fpm:9000,nginx:80
-	@echo -n "\nStack started with success:\nhttp://resop.vcap.me:7500/login => user1@resop.com : 01/01/1990"
-	@echo -n "\nhttp://resop.vcap.me:7500/organizations/login => DT75 : covid19\n"
+	@echo -n "\nStack started with success: http://resop.vcap.me:7500/\nuser102@resop.com : covid19\nadmin101@resop.com : covid19\nsuper_admin1@resop.com : covid19\n"
 
 start: init-db start-php
 
@@ -130,6 +129,7 @@ test-coverage:
 	bin/tools sh -c "COVERAGE=true vendor/bin/behat --format=progress"
 
 move-test-profiler:
+	@echo "You must set 'profiler: { collect: true }' in config/packages/test/web_profiler.yaml in order to use this command"
 	bin/tools sh -c "rm -rf var/cache/dev/profiler && mkdir -p var/cache/dev && cp -R var/cache/test/profiler var/cache/dev/profiler"
 	@echo "Done : http://resop.vcap.me:7500/_profiler/search?limit=10"
 
diff --git a/assets/css/login.scss b/assets/css/login.scss
index af0b7c8e..5d500a67 100644
--- a/assets/css/login.scss
+++ b/assets/css/login.scss
@@ -2,16 +2,6 @@
 
 $xs: 380px;
 
-@media (min-width: 360px) and (max-width: map-get($grid-breakpoints, "sm")) {
-  .form-inline {
-    .form-control {
-      display: inline-block;
-      width: auto;
-      vertical-align: middle;
-    }
-  }
-}
-
 body.login {
   .navbar-and-body {
     background-image: url(../img/login-background.jpg);
diff --git a/assets/js/_planning-missions.js b/assets/js/_planning-missions.js
index cfd92dbf..0b1b019b 100644
--- a/assets/js/_planning-missions.js
+++ b/assets/js/_planning-missions.js
@@ -16,11 +16,11 @@ function setSlotMisssion(mission, $slot) {
   missionsText += ' ';
 
   // User part
-  let url = Routing.generate('app_user_availability_mission_modal', { id: mission.id });
+  let url = Routing.generate('app_user_availability_mission_modal', { mission: mission.id });
 
   if (window.location.pathname.indexOf('organizations') >= 0 && !!mission?.organization?.id) {
     // Organization part
-    url = Routing.generate('app_organization_mission_modal', { organization: mission.organization.id, id: mission.id });
+    url = Routing.generate('app_organization_mission_modal', { organization: mission.organization.id, mission: mission.id });
   }
 
   missionsText += $(`<button type="button" class="btn btn-link" data-toggle="ajax-modal" data-href="${url}">`).text(mission.name)[0].outerHTML;
diff --git a/assets/js/fos_js_routes.json b/assets/js/fos_js_routes.json
index 31815131..c727826a 100644
--- a/assets/js/fos_js_routes.json
+++ b/assets/js/fos_js_routes.json
@@ -1 +1 @@
-{"base_url":"","routes":{"app_user_availability_mission_modal":{"tokens":[["text","\/modal"],["variable","\/","\\d+","id",true],["text","\/user\/availability\/missions"]],"defaults":[],"requirements":{"id":"\\d+"},"hosttokens":[],"methods":["GET"],"schemes":[]},"app_organization_mission_modal":{"tokens":[["text","\/modal"],["variable","\/","\\d+","id",true],["text","\/missions"],["variable","\/","\\d+","organization",true],["text","\/organizations"]],"defaults":[],"requirements":{"id":"\\d+","organization":"\\d+"},"hosttokens":[],"methods":["GET"],"schemes":[]},"app_organization_mission_find_by_filters":{"tokens":[["text","\/missions\/find"],["variable","\/","\\d+","organization",true],["text","\/organizations"]],"defaults":[],"requirements":{"organization":"\\d+"},"hosttokens":[],"methods":["GET"],"schemes":[]}},"prefix":"","host":"localhost","port":"","scheme":"http","locale":[]}
\ No newline at end of file
+{"base_url":"","routes":{"app_user_availability_mission_modal":{"tokens":[["text","\/modal"],["variable","\/","\\d+","mission",true],["text","\/user\/availability\/missions"]],"defaults":[],"requirements":{"mission":"\\d+"},"hosttokens":[],"methods":["GET"],"schemes":[]},"app_organization_mission_modal":{"tokens":[["text","\/modal"],["variable","\/","\\d+","mission",true],["text","\/missions"],["variable","\/","\\d+","organization",true],["text","\/organizations"]],"defaults":[],"requirements":{"mission":"\\d+","organization":"\\d+"},"hosttokens":[],"methods":["GET"],"schemes":[]},"app_organization_mission_find_by_filters":{"tokens":[["text","\/missions\/find"],["variable","\/","\\d+","organization",true],["text","\/organizations"]],"defaults":[],"requirements":{"organization":"\\d+"},"hosttokens":[],"methods":["GET"],"schemes":[]}},"prefix":"","host":"localhost","port":"","scheme":"http","locale":[]}
\ No newline at end of file
diff --git a/behat.yml.dist b/behat.yml.dist
index 44791dda..0082daac 100644
--- a/behat.yml.dist
+++ b/behat.yml.dist
@@ -6,14 +6,18 @@ default:
                 - App\Tests\Behat\DatabaseContext
                 - App\Tests\Behat\FixturesContext
                 - App\Tests\Behat\OrganizationPlanningContext
+                - App\Tests\Behat\ResetPasswordContext
                 - App\Tests\Behat\SecurityContext
                 - App\Tests\Behat\TraversingContext
                 - App\Tests\Behat\UserPlanningContext
+                - App\Tests\Behat\MailsContext
                 - Behat\MinkExtension\Context\MinkContext
                 - PantherExtension\Context\PantherContext
-                - PantherExtension\Context\WaitContext:
+                - PantherExtension\Context\WaitContext
     extensions:
-        PantherExtension\Extension\PantherExtension: ~
+        Alex\MailCatcher\Behat\MailCatcherExtension\Extension:
+            url: http://mailcatcher
+            purge_before_scenario: true
         Behat\MinkExtension:
             browser_name: chrome
             default_session: symfony
@@ -28,3 +32,4 @@ default:
             kernel:
                 environment: test
                 debug: true
+        PantherExtension\Extension\PantherExtension: ~
diff --git a/composer.json b/composer.json
index 8b4d42ba..8d11e8e9 100644
--- a/composer.json
+++ b/composer.json
@@ -26,6 +26,7 @@
     "symfony/form": "5.*",
     "symfony/framework-bundle": "5.*",
     "symfony/intl": "5.*",
+    "symfony/mailer": "5.*",
     "symfony/monolog-bundle": "^3.5",
     "symfony/security-bundle": "5.*",
     "symfony/serializer-pack": "^1.0",
@@ -35,10 +36,12 @@
     "symfony/validator": "5.*",
     "symfony/webpack-encore-bundle": "^1.7",
     "symfony/yaml": "5.*",
+    "symfonycasts/reset-password-bundle": "^1.1",
     "twig/cache-extension": "^1.4",
     "twig/intl-extra": "^3.0"
   },
   "require-dev": {
+    "alexandresalome/mailcatcher": "^1.3",
     "behat/behat": "^3.6",
     "dama/doctrine-test-bundle": "^6.3",
     "escapestudios/symfony2-coding-standard": "^3.11",
diff --git a/composer.lock b/composer.lock
index ca38b36e..f4518e9b 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "031141cc5c61ebd3544843de579c300c",
+    "content-hash": "00871b4f5c207526155666ae1a674511",
     "packages": [
         {
             "name": "beberlei/assert",
@@ -1667,6 +1667,64 @@
             ],
             "time": "2020-07-30T16:57:33+00:00"
         },
+        {
+            "name": "egulias/email-validator",
+            "version": "2.1.23",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/egulias/EmailValidator.git",
+                "reference": "5fa792ad1853ae2bc60528dd3e5cbf4542d3c1df"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/egulias/EmailValidator/zipball/5fa792ad1853ae2bc60528dd3e5cbf4542d3c1df",
+                "reference": "5fa792ad1853ae2bc60528dd3e5cbf4542d3c1df",
+                "shasum": ""
+            },
+            "require": {
+                "doctrine/lexer": "^1.0.1",
+                "php": ">=5.5",
+                "symfony/polyfill-intl-idn": "^1.10"
+            },
+            "require-dev": {
+                "dominicsayers/isemail": "^3.0.7",
+                "phpunit/phpunit": "^4.8.36|^7.5.15",
+                "satooshi/php-coveralls": "^1.0.1"
+            },
+            "suggest": {
+                "ext-intl": "PHP Internationalization Libraries are required to use the SpoofChecking validation"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "2.1.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Egulias\\EmailValidator\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Eduardo Gulias Davis"
+                }
+            ],
+            "description": "A library for validating emails against several RFCs",
+            "homepage": "https://github.com/egulias/EmailValidator",
+            "keywords": [
+                "email",
+                "emailvalidation",
+                "emailvalidator",
+                "validation",
+                "validator"
+            ],
+            "time": "2020-10-31T20:37:35+00:00"
+        },
         {
             "name": "friendsofsymfony/jsrouting-bundle",
             "version": "2.6.0",
@@ -4504,6 +4562,155 @@
             ],
             "time": "2020-10-24T12:01:57+00:00"
         },
+        {
+            "name": "symfony/mailer",
+            "version": "v5.1.8",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/mailer.git",
+                "reference": "fa5cc9f894a5d082e7e46bfdd44f5dd83529f0ba"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/mailer/zipball/fa5cc9f894a5d082e7e46bfdd44f5dd83529f0ba",
+                "reference": "fa5cc9f894a5d082e7e46bfdd44f5dd83529f0ba",
+                "shasum": ""
+            },
+            "require": {
+                "egulias/email-validator": "^2.1.10",
+                "php": ">=7.2.5",
+                "psr/log": "~1.0",
+                "symfony/event-dispatcher": "^4.4|^5.0",
+                "symfony/mime": "^4.4|^5.0",
+                "symfony/polyfill-php80": "^1.15",
+                "symfony/service-contracts": "^1.1|^2"
+            },
+            "conflict": {
+                "symfony/http-kernel": "<4.4"
+            },
+            "require-dev": {
+                "symfony/amazon-mailer": "^4.4|^5.0",
+                "symfony/google-mailer": "^4.4|^5.0",
+                "symfony/http-client-contracts": "^1.1|^2",
+                "symfony/mailchimp-mailer": "^4.4|^5.0",
+                "symfony/mailgun-mailer": "^4.4|^5.0",
+                "symfony/messenger": "^4.4|^5.0",
+                "symfony/postmark-mailer": "^4.4|^5.0",
+                "symfony/sendgrid-mailer": "^4.4|^5.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Symfony\\Component\\Mailer\\": ""
+                },
+                "exclude-from-classmap": [
+                    "/Tests/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Fabien Potencier",
+                    "email": "fabien@symfony.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "Symfony Mailer Component",
+            "homepage": "https://symfony.com",
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2020-10-24T12:01:57+00:00"
+        },
+        {
+            "name": "symfony/mime",
+            "version": "v5.1.8",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/mime.git",
+                "reference": "f5485a92c24d4bcfc2f3fc648744fb398482ff1b"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/mime/zipball/f5485a92c24d4bcfc2f3fc648744fb398482ff1b",
+                "reference": "f5485a92c24d4bcfc2f3fc648744fb398482ff1b",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=7.2.5",
+                "symfony/polyfill-intl-idn": "^1.10",
+                "symfony/polyfill-mbstring": "^1.0",
+                "symfony/polyfill-php80": "^1.15"
+            },
+            "conflict": {
+                "symfony/mailer": "<4.4"
+            },
+            "require-dev": {
+                "egulias/email-validator": "^2.1.10",
+                "symfony/dependency-injection": "^4.4|^5.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Symfony\\Component\\Mime\\": ""
+                },
+                "exclude-from-classmap": [
+                    "/Tests/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Fabien Potencier",
+                    "email": "fabien@symfony.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "A library to manipulate MIME messages",
+            "homepage": "https://symfony.com",
+            "keywords": [
+                "mime",
+                "mime-type"
+            ],
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2020-10-24T12:01:57+00:00"
+        },
         {
             "name": "symfony/monolog-bridge",
             "version": "v5.1.8",
@@ -4878,6 +5085,90 @@
             ],
             "time": "2020-10-23T14:02:19+00:00"
         },
+        {
+            "name": "symfony/polyfill-intl-idn",
+            "version": "v1.20.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/polyfill-intl-idn.git",
+                "reference": "3b75acd829741c768bc8b1f84eb33265e7cc5117"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/polyfill-intl-idn/zipball/3b75acd829741c768bc8b1f84eb33265e7cc5117",
+                "reference": "3b75acd829741c768bc8b1f84eb33265e7cc5117",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=7.1",
+                "symfony/polyfill-intl-normalizer": "^1.10",
+                "symfony/polyfill-php72": "^1.10"
+            },
+            "suggest": {
+                "ext-intl": "For best performance"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-main": "1.20-dev"
+                },
+                "thanks": {
+                    "name": "symfony/polyfill",
+                    "url": "https://github.com/symfony/polyfill"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Symfony\\Polyfill\\Intl\\Idn\\": ""
+                },
+                "files": [
+                    "bootstrap.php"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Laurent Bassin",
+                    "email": "laurent@bassin.info"
+                },
+                {
+                    "name": "Trevor Rowbotham",
+                    "email": "trevor.rowbotham@pm.me"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "Symfony polyfill for intl's idn_to_ascii and idn_to_utf8 functions",
+            "homepage": "https://symfony.com",
+            "keywords": [
+                "compatibility",
+                "idn",
+                "intl",
+                "polyfill",
+                "portable",
+                "shim"
+            ],
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2020-10-23T14:02:19+00:00"
+        },
         {
             "name": "symfony/polyfill-intl-normalizer",
             "version": "v1.20.0",
@@ -6976,6 +7267,52 @@
             ],
             "time": "2020-10-24T12:03:25+00:00"
         },
+        {
+            "name": "symfonycasts/reset-password-bundle",
+            "version": "v1.1.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/SymfonyCasts/reset-password-bundle.git",
+                "reference": "ac39892a5de861209cb7491e056a77a0b872e87d"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/SymfonyCasts/reset-password-bundle/zipball/ac39892a5de861209cb7491e056a77a0b872e87d",
+                "reference": "ac39892a5de861209cb7491e056a77a0b872e87d",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^7.2",
+                "symfony/config": "^4.4 | ^5.0",
+                "symfony/dependency-injection": "^4.4 | ^5.0",
+                "symfony/http-kernel": "^4.4 | ^5.0"
+            },
+            "conflict": {
+                "doctrine/orm": "<2.7",
+                "symfony/framework-bundle": "<4.4",
+                "symfony/http-foundation": "<4.4"
+            },
+            "require-dev": {
+                "doctrine/doctrine-bundle": "^2.0.3",
+                "doctrine/orm": "^2.7",
+                "friendsofphp/php-cs-fixer": "^2.16",
+                "symfony/framework-bundle": "^4.4 | ^5.0",
+                "symfony/phpunit-bridge": "^5.0",
+                "vimeo/psalm": "^3.8"
+            },
+            "type": "symfony-bundle",
+            "autoload": {
+                "psr-4": {
+                    "SymfonyCasts\\Bundle\\ResetPassword\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "description": "Symfony bundle that adds password reset functionality.",
+            "time": "2020-04-18T00:37:02+00:00"
+        },
         {
             "name": "twig/cache-extension",
             "version": "v1.5.0",
@@ -7393,6 +7730,44 @@
         }
     ],
     "packages-dev": [
+        {
+            "name": "alexandresalome/mailcatcher",
+            "version": "v1.3.0",
+            "target-dir": "Alex/MailCatcher",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/alexandresalome/mailcatcher.git",
+                "reference": "eb708293f72d99581f52cc1caf27eb76d54c0b08"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/alexandresalome/mailcatcher/zipball/eb708293f72d99581f52cc1caf27eb76d54c0b08",
+                "reference": "eb708293f72d99581f52cc1caf27eb76d54c0b08",
+                "shasum": ""
+            },
+            "require": {
+                "ext-json": "*",
+                "php": ">=5.3.3",
+                "symfony/dom-crawler": "~2.3 || ~3.0 || ~4.0 || ~5.0"
+            },
+            "require-dev": {
+                "behat/behat": "~3.0",
+                "phpunit/phpunit": "~4.6",
+                "swiftmailer/swiftmailer": "~5.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-0": {
+                    "Alex\\MailCatcher": ""
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "description": "A library to access MailCatcher",
+            "time": "2020-08-04T14:58:27+00:00"
+        },
         {
             "name": "behat/behat",
             "version": "v3.8.0",
diff --git a/config/bootstrap.php b/config/bootstrap.php
index 4fbd83c6..9ebfc525 100644
--- a/config/bootstrap.php
+++ b/config/bootstrap.php
@@ -31,4 +31,3 @@
 $_SERVER['APP_ENV'] = $_ENV['APP_ENV'] = ($_SERVER['APP_ENV'] ?? $_ENV['APP_ENV'] ?? null) ?: 'dev';
 $_SERVER['APP_DEBUG'] = $_SERVER['APP_DEBUG'] ?? $_ENV['APP_DEBUG'] ?? 'prod' !== $_SERVER['APP_ENV'];
 $_SERVER['APP_DEBUG'] = $_ENV['APP_DEBUG'] = (int) $_SERVER['APP_DEBUG'] || filter_var($_SERVER['APP_DEBUG'], FILTER_VALIDATE_BOOLEAN) ? '1' : '0';
-
diff --git a/config/bundles.php b/config/bundles.php
index bf74bc74..794be998 100644
--- a/config/bundles.php
+++ b/config/bundles.php
@@ -21,4 +21,5 @@
     Misd\PhoneNumberBundle\MisdPhoneNumberBundle::class => ['all' => true],
     Symfony\Bundle\DebugBundle\DebugBundle::class => ['dev' => true, 'test' => true],
     FOS\JsRoutingBundle\FOSJsRoutingBundle::class => ['all' => true],
+    SymfonyCasts\Bundle\ResetPassword\SymfonyCastsResetPasswordBundle::class => ['all' => true],
 ];
diff --git a/config/packages/mailer.yaml b/config/packages/mailer.yaml
new file mode 100644
index 00000000..56a650d8
--- /dev/null
+++ b/config/packages/mailer.yaml
@@ -0,0 +1,3 @@
+framework:
+    mailer:
+        dsn: '%env(MAILER_DSN)%'
diff --git a/config/packages/reset_password.yaml b/config/packages/reset_password.yaml
new file mode 100644
index 00000000..52415a5c
--- /dev/null
+++ b/config/packages/reset_password.yaml
@@ -0,0 +1,3 @@
+symfonycasts_reset_password:
+    request_password_repository: App\Repository\ResetPasswordRequestRepository
+    throttle_limit: 60
diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index 475bb103..c32a27ab 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -5,42 +5,23 @@ security:
             entity:
                 class: App\Entity\User
 
-        organizations:
-            entity:
-                class: App\Entity\Organization
-
     encoders:
         Symfony\Component\Security\Core\User\UserInterface:
             algorithm: auto
 
+    role_hierarchy:
+        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ALLOWED_TO_SWITCH, ROLE_ORGANIZATION]
+
     firewalls:
         dev:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
             security: false
 
-        organizations:
-            pattern: ^/organizations
-            anonymous: true
-            lazy: true
-            provider: organizations
-            guard:
-                authenticators:
-                    - App\Security\OrganizationLoginFormAuthenticator
-
-            logout:
-                path: app_organization_logout
-                target: app_organization_index
-
-            remember_me:
-                name: remember_me_organization
-                secret:   '%kernel.secret%'
-                lifetime: 604800 # 1 week in seconds
-                path:     /
-
         main:
             anonymous: true
             lazy: true
             provider: users
+            switch_user: true
             guard:
                 authenticators:
                     - App\Security\UserLoginFormAuthenticator
@@ -56,6 +37,9 @@ security:
                 path:     /
 
     access_control:
-        - { path: ^/(user\/new|login|organizations\/login)$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
-        - { path: ^/organizations, roles: ROLE_ORGANIZATION }
+        - { path: ^/user/new$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        - { path: ^/reset-password, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        - { path: ^/organizations/, roles: ROLE_ORGANIZATION }
+        - { path: ^/admin/, roles: ROLE_SUPER_ADMIN }
         - { path: ^/, roles: ROLE_USER }
diff --git a/config/routes.yaml b/config/routes.yaml
index 8af5e3ff..79cf0049 100644
--- a/config/routes.yaml
+++ b/config/routes.yaml
@@ -1,4 +1,9 @@
 # {organization} parameter is useless for the moment, but will be useful in ticket https://github.com/crf-devs/resop/issues/338
+_admin:
+    resource: ../src/Controller/Admin/
+    type: annotation
+    prefix: /admin
+
 _organizations:
     resource: ../src/Controller/Organization/
     type: annotation
diff --git a/config/services_test.yaml b/config/services_test.yaml
index 75c469d6..9e4924ec 100644
--- a/config/services_test.yaml
+++ b/config/services_test.yaml
@@ -7,7 +7,13 @@ services:
         resource: '../tests/Behat/*'
 
     App\Tests\Behat\FixturesContext:
-        $aliceFixturesLoader: '@hautelook_alice.loader'
+        arguments:
+            $aliceFixturesLoader: '@hautelook_alice.loader'
 
     App\Tests\Behat\TraversingContext:
-        $projectDir: '%kernel.project_dir%'
+        arguments:
+            $projectDir: '%kernel.project_dir%'
+
+    App\Tests\Behat\UserPlanningContext:
+        arguments:
+            $slotInterval: '%app.slot_interval%'
diff --git a/docker-compose.override.yml.dist b/docker-compose.override.yml.dist
index 482dcdab..6cc6d8bc 100644
--- a/docker-compose.override.yml.dist
+++ b/docker-compose.override.yml.dist
@@ -37,4 +37,9 @@ services:
     volumes:
       - postgres-data:/var/lib/postgresql/data:rw
 #    ports:
-#        - '5432:5432' # Uncomment if you need to access the DB from your host
+#      - '5432:5432' # Uncomment if you need to access the DB from your host
+
+#  mailcatcher:
+#    ports:
+#      - '1080:80' # Uncomment if you need to access the mails interface from your host
+#      - '1025:25' # Uncomment if you need to send mails from your host
diff --git a/docker-compose.yml b/docker-compose.yml
index 18da9a41..ad3d8f53 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -90,3 +90,10 @@ services:
       - NODE_ENV=dev
     volumes:
       - ./:/srv
+
+  mailcatcher:
+    image: tophfr/mailcatcher:0.6.5
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.port=80'
+      - 'traefik.frontend.rule=Host:mailcatcher.vcap.me'
diff --git a/docker/php-flex/Dockerfile b/docker/php-flex/Dockerfile
index def203a8..b179b3da 100644
--- a/docker/php-flex/Dockerfile
+++ b/docker/php-flex/Dockerfile
@@ -54,13 +54,13 @@ RUN set -eux; \
   \
   apk del .build-deps
 
-RUN curl https://getcomposer.org/composer-1.phar -o /usr/bin/composer \
+RUN curl https://getcomposer.org/composer-stable.phar -o /usr/bin/composer \
     && chmod +x /usr/bin/composer \
     && mkdir /.composer \
     && chown -R www-data:www-data /.composer \
     && setfacl -R -m o::rwX /.composer \
     && setfacl -dR -m o::rwX /.composer \
-    && su-exec www-data composer global require "hirak/prestissimo" "jderusse/composer-warmup" --prefer-dist --no-progress --no-suggest --classmap-authoritative \
+    && su-exec www-data composer global require "jderusse/composer-warmup" --prefer-dist --no-progress --classmap-authoritative \
     && su-exec www-data composer clear-cache -n
 
 RUN test -z "$DEBUG_TOOLS" || ( \
@@ -134,7 +134,7 @@ COPY --chown=www-data:www-data composer.* symfony.lock /srv/
 RUN chown -R www-data:www-data /srv
 USER www-data
 
-RUN composer install --no-dev --no-scripts --prefer-dist --no-suggest && composer clear-cache -n
+RUN composer install --no-dev --no-scripts --prefer-dist && composer clear-cache -n
 
 COPY --chown=www-data:www-data .env ./
 RUN composer dump-env prod && rm .env
diff --git a/docs/features-fr.md b/docs/features-fr.md
index fea104bd..c8190a38 100644
--- a/docs/features-fr.md
+++ b/docs/features-fr.md
@@ -60,7 +60,7 @@ Chaque `structure` (une Unité Locale, par exemple) peut :
 
 Identifiants de démo :
 
-* structure: `UL09`
+* structure: `admin201@resop.com`
 * mot de passe: `covid19`
 
 ### Planning
@@ -86,5 +86,36 @@ Les `structure parentes` (une Direction Territoriale, par exemple) peut :
 
 Identifiants de démo :
 
-* structure: `DT75`
+* structure: `admin101@resop.com`
 * mot de passe: `covid19`
+
+----
+
+# Espace admin
+
+L'interface d'administration permet de :
+
+- Se connecter à toutes les structures
+- Rendre un bénévole administrateur d'une structure
+- Se connecter en tant qu'un autre utilisateur
+
+Identifiants de démo :
+
+* structure: `super_admin1@resop.com`
+* mot de passe: `covid19`
+
+----
+
+# Installation
+
+Voir la partie [Usage in production](docs/technical.md) de la documentation technique pour installer l'application.
+
+## Super admin
+
+Le premier utilisateur créé sera automatiquement Super Admin de l'application et pourra nommer des administrateurs de structures.
+
+Il est possible de promouvoir un autre utilisateur en tant que super admin grâce à la commande:
+
+```bash
+bin/console app:admin-promote --email foobar@resop.com
+```
diff --git a/docs/technical.md b/docs/technical.md
index 3b199f15..da9f513d 100644
--- a/docs/technical.md
+++ b/docs/technical.md
@@ -97,6 +97,7 @@ The `*.vcap.me` domain names are binded on localhost. In order to use them offli
 
 - [http://resop.vcap.me:7500](http://resop.vcap.me:7500)
 - [http://adminer.vcap.me:7500](http://adminer.vcap.me:7500)
+- [http://mailcatcher.vcap.me:7500](http://mailcatcher.vcap.me:7500)
 - [http://traefik.vcap.me:7500](http://traefik.vcap.me:7500)
 
 Caution: the traefik proxy will only serve healthy containers. The api container can be unaccessible before the first healthcheck (5s).
@@ -137,12 +138,15 @@ Then, run `docker-compose up -d postgres`. The DB is now available on the `local
 If you want to load huge amount of data, for example to test the performances, run the following command in the fpm container:
 
 ```bash
-bin/tools sh -c "APP_NB_USERS=15 APP_NB_AVAILABILITIES=6 bin/console doctrine:fixtures:load --purge-with-truncate --no-interaction"
+bin/tools sh -c "APP_NB_USERS=20 APP_NB_AVAILABILITIES=6 bin/console doctrine:fixtures:load --purge-with-truncate --no-interaction"
 ```
 
-- APP_NB_USERS: number of users per organization (default: 10)
+- APP_NB_USERS: number of users per organization (default: 15)
 - APP_NB_AVAILABILITIES: number of days on which generating availabilities per user (default: 3)
 
+### Mails
+
+When using the default dev env, all mails are sent to the [mailcatcher](http://mailcatcher.vcap.me:7500) service.
 
 ### HTTPS
 
diff --git a/features/organization/assets.feature b/features/organization/assets.feature
index c4c1fa85..db50f14d 100644
--- a/features/organization/assets.feature
+++ b/features/organization/assets.feature
@@ -1,15 +1,10 @@
 Feature:
     In order to manage the assets in my organization,
-    As an organization,
+    As an admin of an organization,
     I must be able to list, edit and delete assets in my organization.
 
-    Scenario: As anonymous, I cannot list the assets from an organization
-        When I go to "/organizations/201/assets"
-        Then I should be on "/organizations/login"
-        And the response status code should be 200
-
-    Scenario: As an organization, I can list the assets from my organization
-        Given I am authenticated as "DT75"
+    Scenario: As an admin of an organization, I can list the assets from my organization
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/organizations/201"
         When I follow "Afficher la liste de mes véhicules"
         Then I should be on "/organizations/201/assets/"
@@ -20,8 +15,8 @@ Feature:
         And I should not see "7501"
         And I should not see "7710"
 
-    Scenario: As a parent organization, I can list the assets from my children organizations
-        Given I am authenticated as "DT75"
+    Scenario: As an admin of a parent organization, I can list the assets from my children organizations
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/organizations/201"
         When I follow "Modifier mes structures"
         Then I should be on "/organizations/201/children/"
@@ -35,81 +30,84 @@ Feature:
         And I should not see "7799"
         And I should not see "7710"
 
-    Scenario: As an organization, I cannot list the assets from an organization I don't have access to
-        Given I am authenticated as "DT75"
-        When I go to "/organizations/202/assets"
+    Scenario: As an admin of an organization, I cannot list the assets from an organization I don't have access to
+        Given I am authenticated as "admin201@resop.com"
+        When I go to "/organizations/202/assets/"
+        Then the response status code should be 403
+
+    Scenario: As an admin of a child organization, I cannot list the assets from the parent organization
+        Given I am authenticated as "admin204@resop.com"
+        When I go to "/organizations/202/assets/"
         Then the response status code should be 403
 
-    Scenario Outline: As an authenticated parent organization, I can add an asset on my organization or children organizations
+    Scenario Outline: As an admin of an organization, I can add an asset on my organization or children organizations
         Given I am authenticated as "<login>"
-        When I go to "/organizations/203/assets"
+        When I go to "<list_url>"
         And I follow "Ajouter un nouveau véhicule"
         Then the response status code should be 200
-        And I should be on "/organizations/203/assets/preAdd"
+        And I should be on "<preAdd_url>"
         When I select "VL" from "type"
         And I press "Continuer"
         Then the response status code should be 200
-        And I should be on "/organizations/203/assets/add"
-        When I fill in the following:
-            | commissionable_asset[name] | new vehicule |
+        And I should be on "<add_url>"
+        When I fill in "commissionable_asset[name]" with "new vehicule"
         And I press "Enregistrer"
+        Then I should be on "<list_url>"
+        And the response status code should be 200
         And I should see "Véhicule créé"
         And I should see "new vehicule"
         Examples:
-            | login    |
-#            todo: there is a bug when using parent organization: https://github.com/crf-devs/resop/issues/360
-#            | DT75     |
-            | UL 01-02 |
+            | login              | list_url                                      | preAdd_url                                          | add_url                                          |
+            | admin201@resop.com | /organizations/201/assets/?organizationId=203 | /organizations/201/assets/preAdd?organizationId=203 | /organizations/201/assets/add?organizationId=203 |
+            | admin204@resop.com | /organizations/204/assets/                    | /organizations/204/assets/preAdd                    | /organizations/204/assets/add                    |
 
     @javascript
-    Scenario: As an organization, I can display an asset modal
-        Given I am authenticated as "DT75"
-        When I go to "/organizations/203/assets"
+    Scenario: As an admin of an admin of an organization, I can display an asset modal
+        Given I am authenticated as "admin201@resop.com"
+        When I go to "/organizations/201/assets/"
         And I press "Afficher"
         And I wait for ".modal-show-asset-inner" to be visible
         Then I should see "Modifier"
         And I follow "Modifier"
-        Then I should be on "/organizations/201/assets/75012/edit?organizationId=203"
+        Then I should be on "/organizations/201/assets/75992/edit"
 
-    Scenario Outline: As an organization, I can update an asset from my organization or children organizations
+    Scenario Outline: As an admin of an organization, I can update an asset from my organization or children organizations
         Given I am authenticated as "<login>"
-        When I go to "/organizations/203/assets/75012/edit"
-        Then I should be on "/organizations/203/assets/75012/edit"
+        When I go to "<edit_url>"
+        Then I should be on "<edit_url>"
         And the response status code should be 200
-        And the "commissionable_asset_name" field should contain "75012"
-        When I fill in the following:
-            | commissionable_asset[name] | new name |
+        And the "commissionable_asset_name" field should contain "<name>"
+        When I fill in "commissionable_asset[name]" with "new name"
         And I press "Enregistrer"
-        Then I should be on "/organizations/203/assets/"
+        Then I should be on "<list_url>"
         And the response status code should be 200
         And I should see "Véhicule \"VPSP - new name\" mis à jour avec succès"
-        When I go to "/organizations/203/assets/75012/edit"
+        When I go to "<edit_url>"
         And the "commissionable_asset_name" field should contain "new name"
         Examples:
-            | login    |
-#            todo: there is a bug when using parent organization: https://github.com/crf-devs/resop/issues/360
-#            | DT75     |
-            | UL 01-02 |
+            | login              | name  | edit_url                             | list_url                                      |
+            | admin201@resop.com | 75012 | /organizations/201/assets/75012/edit | /organizations/201/assets/?organizationId=203 |
+            | admin204@resop.com | 77102 | /organizations/204/assets/77102/edit | /organizations/204/assets/                    |
 
-    Scenario: As a parent organization, I cannot update an asset from an organization I don't have access to
-        Given I am authenticated as "DT75"
+    Scenario: As an admin of a parent organization, I cannot update an asset from an organization I don't have access to
+        Given I am authenticated as "admin201@resop.com"
         When I go to "/organizations/202/assets/77992/edit"
         Then the response status code should be 403
 
     Scenario: As an admin of a child organization, I cannot update an asset on the parent organization
-        Given I am authenticated as "UL 01-02"
+        Given I am authenticated as "admin203@resop.com"
         When I go to "/organizations/201/assets/75992/edit"
         Then the response status code should be 403
 
-    Scenario: As a parent organization, I cannot update an invalid asset
-        Given I am authenticated as "DT75"
+    Scenario: As an admin of a parent organization, I cannot update an invalid asset
+        Given I am authenticated as "admin201@resop.com"
         When I go to "/organizations/201/assets/77102/edit"
         Then the response status code should be 404
 
     @javascript
-    Scenario: As a parent organization, I can delete an asset from my organization or children organizations
-        Given I am authenticated as "DT75"
-        And I go to "/organizations/203/assets/75012/edit"
+    Scenario: As an admin of a parent organization, I can delete an asset from my organization or children organizations
+        Given I am authenticated as "admin201@resop.com"
+        And I go to "/organizations/201/assets/75012/edit"
         When I follow "Supprimer"
         And I wait for "#delete-item-modal" to be visible
         Then I should see "Vous êtes sur le point de supprimer le véhicule suivant et toutes ses disponibilités : VPSP - 75012"
@@ -118,20 +116,25 @@ Feature:
         And I should see "Le véhicule a été supprimé avec succès."
         And I should not see "75012"
 
-    #https://github.com/crf-devs/resop/issues/348
-#    Scenario: As a parent organization, I cannot directly delete an asset from my organization
-#        Given I am authenticated as "john.doe@resop.com"
+#    https://github.com/crf-devs/resop/issues/348
+#    Scenario: As an admin of a parent organization, I cannot directly delete an asset from my organization
+#        Given I am authenticated as "admin201@resop.com"
 #        When I go to "/organizations/201/assets/75992/delete"
 #        Then the response status code should be 405
 
-    Scenario: As a parent organization, I cannot delete an asset from another organization
-        Given I am authenticated as "DT75"
-        When I go to "/organizations/202/assets"
+    Scenario: As an admin of a parent organization, I cannot delete an asset from another organization
+        Given I am authenticated as "admin201@resop.com"
+        When I go to "/organizations/202/assets/"
         Then the response status code should be 403
         When I go to "/organizations/202/assets/77992/delete"
         Then the response status code should be 403
 
-    Scenario: As a parent organization, I cannot access availability of an invalid asset
-        Given I am authenticated as "DT75"
+    Scenario: As an admin of a parent organization, I cannot access availability of an invalid asset
+        Given I am authenticated as "admin201@resop.com"
+        When I go to "/organizations/201/availability/75012/2020-W10"
+        Then the response status code should be 404
+
+    Scenario: As an admin of an organization, I cannot access availability of an asset with a mismatched url
+        Given I am authenticated as "admin201@resop.com"
         When I go to "/organizations/201/availability/75012/2020-W10"
         Then the response status code should be 404
diff --git a/features/organization/children.feature b/features/organization/children.feature
index a5de1fac..a6e0e7b2 100644
--- a/features/organization/children.feature
+++ b/features/organization/children.feature
@@ -1,36 +1,41 @@
 Feature:
     In order to manage my children organizations,
-    As a parent organization,
+    As an admin of a parent organization,
     I must be able to list, edit and create them.
 
-    Scenario: As anonymous, I cannot list the children of an organization
-        When I go to "/organizations/201/children/"
-        Then I should be on "/organizations/login"
-        And the response status code should be 200
-
-    Scenario: As a parent organization, I can list the children of my organization
-        Given I am authenticated as "DT75"
-        When I go to "/organizations"
+    Scenario: As an admin of a parent organization, I can list the children of my organization
+        Given I am authenticated as "admin201@resop.com"
+        When I go to "/organizations/201"
         Then I should see "Modifier mes structures"
         When I follow "Modifier mes structures"
         Then I should be on "/organizations/201/children/"
         And the response status code should be 200
         And I should see "UL 01-02"
 
-    Scenario: As an organization without children, I cannot list the children of my organization
-        Given I am authenticated as "UL 01-02"
+    Scenario: As an admin of an organization without children, I cannot list the children of my organization
+        Given I am authenticated as "admin203@resop.com"
         When I go to "/organizations/203"
         Then I should not see "Modifier mes structures"
         When I go to "/organizations/203/children/"
         And the response status code should be 403
 
-    Scenario: As anonymous, I cannot create an organization
-        When I go to "/organizations/201/children/new"
-        Then I should be on "/organizations/login"
-        And the response status code should be 200
+    Scenario: As an admin of an organization but without a password, I cannot list the children of my organization
+        Given I am authenticated as "admin203@resop.com"
+        When I go to "/organizations/203/children"
+        Then the response status code should be 403
+
+    Scenario Outline: As an admin of an organization, I cannot list the children of another organization
+        Given I am authenticated as "admin201@resop.com"
+        When I go to "<url>"
+        Then the response status code should be 403
+        Examples:
+            | url                         |
+            | /organizations/202/children |
+            | /organizations/203/children |
+            | /organizations/204/children |
 
-    Scenario: As a parent organization, I can create an organization
-        Given I am authenticated as "DT75"
+    Scenario: As an admin of a parent organization, I can create an organization
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/organizations/201/children/"
         When I follow "Ajouter une structure"
         Then I should be on "/organizations/201/children/new"
@@ -43,20 +48,20 @@ Feature:
         And I should see "La structure a été ajoutée avec succès."
         And I should see "Lorem ipsum"
 
-    Scenario: As a children organization, I cannot create an organization
-        Given I am authenticated as "UL 01-02"
+    Scenario: As an admin of a children organization, I cannot create an organization
+        Given I am authenticated as "admin203@resop.com"
         When I go to "/organizations/203"
         Then I should not see "Modifier mes structures"
         When I go to "/organizations/203/children/new"
         Then the response status code should be 403
 
-    Scenario: As anonymous, I cannot update an organization
-        When I go to "/organizations/201/children/203/edit"
-        Then I should be on "/organizations/login"
-        And the response status code should be 200
+    Scenario: As an admin of an organization, I cannot create an organization on another one
+        Given I am authenticated as "admin201@resop.com"
+        When I go to "/organizations/202/children/new"
+        Then the response status code should be 403
 
-    Scenario: As a parent organization, I can update my children organizations
-        Given I am authenticated as "DT75"
+    Scenario: As an admin of a parent organization, I can update my children organizations
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/organizations/201/children/"
         When I follow "Modifier"
         Then I should be on "/organizations/201/children/203/edit"
@@ -70,7 +75,12 @@ Feature:
         And I should see "La structure a été mise à jour avec succès."
         And I should see "Lorem ipsum"
 
-    Scenario: As an organization, I cannot update an organization I don't have access to
-        Given I am authenticated as "DT75"
-        When I go to "/organizations/201/children/202/edit"
+    Scenario: As an admin of an organization, I cannot update an organization I don't have access to
+        Given I am authenticated as "admin201@resop.com"
+        When I go to "/organizations/201/children/204/edit"
+        Then the response status code should be 403
+
+    Scenario: As an admin of an organization, I cannot update my organization
+        Given I am authenticated as "admin203@resop.com"
+        When I go to "/organizations/201/children/203/edit"
         Then the response status code should be 403
diff --git a/features/organization/forecast.feature b/features/organization/forecast.feature
index 0ed7eac7..659be806 100644
--- a/features/organization/forecast.feature
+++ b/features/organization/forecast.feature
@@ -4,17 +4,13 @@ Feature:
     As an organization,
     I must be able to search for available users and assets.
 
-    Scenario: As anonymous, I cannot access to the forecast page
-        When I go to "/organizations/201/forecast/"
-        Then I should be on "/organizations/login"
-
     Scenario: As an authenticated children organization, I cannot use the forecast search form
-        Given I am authenticated as "UL 01-02"
-        When I go to "/organizations/201/forecast/"
+        Given I am authenticated as "admin204@resop.com"
+        When I go to "/organizations/202/forecast/"
         Then the response status code should be 403
 
     Scenario: As an authenticated parent organization, I can access the forecast search form
-        Given I am authenticated as "DT75"
+        Given I am authenticated as "admin201@resop.com"
         When I go to "/organizations/201"
         Then I should see "Projections"
         When I follow "Projections"
@@ -24,7 +20,7 @@ Feature:
 
     @javascript
     Scenario: As an authenticated parent organization, I can use the forecast search form
-        Given I am authenticated as "DT75"
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/organizations/201/forecast/"
         When I click on "#availableRange"
         Then I wait for ".daterangepicker" to be visible
diff --git a/features/organization/home.feature b/features/organization/home.feature
new file mode 100644
index 00000000..cd71bc6b
--- /dev/null
+++ b/features/organization/home.feature
@@ -0,0 +1,41 @@
+@home
+Feature:
+    In order to manage an organization,
+    As an admin of an organization,
+    I must be able to log in to my organization.
+
+    Scenario: As anonymous, I cannot manage an organization
+        When I go to "/organizations/201"
+        Then I should be on "/login"
+        And the response status code should be 200
+
+    Scenario: As an admin of an organization, I can go to the homepage of my organization
+        Given I am authenticated as "admin201@resop.com"
+        And I am on the homepage
+        When I follow "DT75"
+        Then I should be on "/organizations/201"
+        And the response status code should be 200
+        And I should see "DT75"
+
+    Scenario Outline: As an admin of an organization but without a password, I cannot go to any page of my organization
+        Given I am authenticated as "admin203@resop.com"
+        When I go to "<url>"
+        Then the response status code should be 403
+        Examples:
+            | url                             |
+            | /organizations/203              |
+            | /organizations/203/children/new |
+            | /organizations/203/search       |
+            | /organizations/203/assets/      |
+            | /organizations/203/users/       |
+            | /organizations/203/planning     |
+
+    Scenario Outline: As an admin of an organization, I cannot go to the homepage of another organization
+        Given I am authenticated as "admin201@resop.com"
+        When I go to "<url>"
+        Then the response status code should be 403
+        Examples:
+            | url                |
+            | /organizations/202 |
+            | /organizations/203 |
+            | /organizations/204 |
diff --git a/features/organization/login.feature b/features/organization/login.feature
deleted file mode 100644
index adcc44c5..00000000
--- a/features/organization/login.feature
+++ /dev/null
@@ -1,28 +0,0 @@
-@login
-Feature:
-    In order to manage my actions,
-    As an organization,
-    I must be able to log in.
-
-    Scenario: As anonymous, I cannot access to the homepage
-        When I go to "/organizations"
-        Then I should be on "/organizations/login"
-
-    Scenario Outline: As a registered organization, I can log in
-        Given I am on "/organizations/login"
-        When I select "<identifier>" from "identifier"
-        And I fill in "password" with "covid19"
-        And I press "Je me connecte"
-        Then the response status code should be 200
-        And I should be on "/organizations/<id>"
-        And I should see "<name>"
-        Examples:
-            | identifier | name            | id  |
-            | DT75       | DT75            | 201 |
-            | UL 01-02   | DT75 - UL 01-02 | 203 |
-
-    Scenario: As an authenticated organization, I can log out
-        Given I am authenticated as "UL 01-02"
-        And I am on "/organizations/"
-        When I follow "Déconnexion"
-        Then I should be on "/organizations/login"
diff --git a/features/organization/mission_type.feature b/features/organization/mission_type.feature
index 04418622..3532a8c0 100644
--- a/features/organization/mission_type.feature
+++ b/features/organization/mission_type.feature
@@ -4,13 +4,8 @@ Feature:
     As an organization,
     I must be able to list, edit and delete mission types.
 
-    Scenario: As anonymous, I cannot list mission types from an organization
-        When I go to "/organizations/201/mission_type/new"
-        Then I should be on "/organizations/login"
-        And the response status code should be 200
-
     Scenario: As an organization, I can list my mission types
-        Given I am authenticated as "DT75"
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/organizations/201"
         When I follow "Modifier les types de missions"
         Then I should be on "/organizations/201/mission_type/"
@@ -22,7 +17,7 @@ Feature:
 
     @javascript
     Scenario: As an organization, I can create a mission type
-        Given I am authenticated as "DT75"
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/organizations/201/mission_type/"
         When I follow "Ajouter un nouveau type de mission"
         Then I should be on "/organizations/201/mission_type/new"
@@ -48,7 +43,7 @@ Feature:
 
     @javascript
     Scenario: As an organization, I cannot create a mission type with duplicate requirements
-        Given I am authenticated as "DT75"
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/organizations/201/mission_type/"
         When I follow "Ajouter un nouveau type de mission"
         Then I should be on "/organizations/201/mission_type/new"
@@ -74,7 +69,7 @@ Feature:
 
     @javascript
     Scenario: As an organization, I can edit a mission type
-        Given I am authenticated as "DT75"
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/organizations/201/mission_type/"
         When I follow "Modifier"
         Then I should be on "/organizations/201/mission_type/751/edit"
@@ -89,13 +84,13 @@ Feature:
         And I should see "CI Réseau BSPP"
 
     Scenario: As an organization, I cannot edit a mission type of another organization
-        Given I am authenticated as "DT75"
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/organizations/201/mission_type/771/edit"
         Then the response status code should be 403
 
     @javascript
     Scenario: As an organization, I can delete a mission type
-        Given I am authenticated as "DT75"
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/organizations/201/mission_type/"
         When I follow "Supprimer"
         And I wait for "#delete-item-modal" to be visible
@@ -106,7 +101,7 @@ Feature:
         And I should not see "Mission type DT75 1"
 
     Scenario: As an organization, I cannot delete a mission type of another organization
-        Given I am authenticated as "DT75"
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/organizations/201/mission_type/771/delete"
         Then the response status code should be 403
 
diff --git a/features/organization/planning.feature b/features/organization/planning.feature
index fcc50d94..fb2a3cf8 100644
--- a/features/organization/planning.feature
+++ b/features/organization/planning.feature
@@ -5,43 +5,36 @@ Feature:
     As an organization
     I must have access to the planning and I can filter what is displayed.
 
-    Scenario: As an anonymous, I cannot access the planning
-        Given I go to "/organizations/201/planning/"
-        Then I should be on "/organizations/login"
-        And the response status code should be 200
-
     Scenario: As an organization, I have access to the planning and I can see my resources
-        Given I am authenticated as "UL 01-02"
-        And I am on "/organizations/203"
+        Given I am authenticated as "admin204@resop.com"
+        And I am on "/organizations/204"
         When I follow "Afficher les disponibilités de mes bénévoles pour la semaine prochaine"
         Then the response status code should be 200
-        And I should be on "/organizations/203/planning/"
-        And I should see "VPSP - 75012"
-        And I should see "VPSP - 75014"
-        And I should see "VL - 75016"
-        And I should see "VL - 75018"
+        And I should be on "/organizations/204/planning/"
+        And I should see "VPSP - 77102"
+        And I should see "VPSP - 77104"
+        And I should see "VL - 77106"
+        And I should see "VL - 77108"
         And I should not see "7599"
-        And I should not see "7799"
-        And I should not see "7710"
-        And I should see "Jane DOE"
+        And I should not see "7510"
+        And I should see "Chuck NORRIS"
+        And I should see "Freddy MERCURY"
         And I should not see "John DOE"
+        And I should not see "Jane DOE"
 
     Scenario: As an organization, I have access to the planning and I can see my resources' availability
-        Given I am authenticated as "UL 01-02"
-        And I am on "/organizations/203"
+        Given I am authenticated as "admin201@resop.com"
+        And I am on "/organizations/201"
         When I follow "Afficher les disponibilités de mes bénévoles pour la semaine prochaine"
-        Then the response status code should be 200
-        And availability of user "Jane DOE" should be "unknown" on "next monday" at 02:00
-        And availability of user "Jane DOE" should be "booked" on "next monday" at 06:00
-        And availability of user "Jane DOE" should be "available" on "next monday" at 10:00
-        And availability of user "Jane DOE" should be "locked" on "next monday" at 14:00
-        And availability of asset "VPSP - 75012" should be "unknown" on "tuesday next week" at 02:00
-        And availability of asset "VPSP - 75012" should be "locked" on "tuesday next week" at 06:00
-        And availability of asset "VPSP - 75012" should be "available" on "tuesday next week" at 10:00
-        And availability of asset "VPSP - 75012" should be "booked" on "tuesday next week" at 14:00
+        Then I should be on "/organizations/201/planning/"
+        And the response status code should be 200
+        And availability of user "John DOE" should be "locked" on "monday next week" at 02:00
+        And availability of user "John DOE" should be "unknown" on "monday next week" at 10:00
+        And availability of user "John DOE" should be "available" on "tuesday next week" at 10:00
+        And availability of asset "VPSP - 75992" should be "unknown" on "tuesday next week" at 02:00
 
     Scenario: As a parent organization, I have access to the planning of my children organizations
-        Given I am authenticated as "DT75"
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/organizations/201"
         When I follow "Afficher les disponibilités de mes bénévoles pour la semaine prochaine"
         Then the response status code should be 200
@@ -55,29 +48,28 @@ Feature:
         And I should be on "/organizations/201/planning/"
         And I should see "Jane DOE"
 
-    Scenario: As an organization, I can filter the resources displayed on planing
-        Given I am authenticated as "DT75"
+    Scenario: As an organization, I can filter the resources displayed on planning
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/organizations/201/planning/"
         Then I should see "Jane DOE"
-        And I should see "John DOE"
+        And I should see "Jill DOE"
         And I should see "VPSP - 75992"
         And I should see "VL - 75996"
         When I select "VPSP" from "assetTypes[]"
         And I select "1" from "userPropertyFilters[vulnerable]"
         And I press "search-planning-button"
-        Then the response status code should be 200
-        And I should see "John DOE"
+        Then I should be on "/organizations/201/planning/"
+        And I should see "Jill DOE"
         And I should not see "Jane DOE"
         And I should see "VPSP - 75992"
         And I should not see "VL - 75996"
         And I select "0" from "userPropertyFilters[vulnerable]"
         And I press "search-planning-button"
-        Then the response status code should be 200
-        And I should not see "John DOE"
+        Then I should be on "/organizations/201/planning/"
+        And I should not see "Jill DOE"
         And I should see "Jane DOE"
-        When I fill in the following:
-            | hideUsers  | 1 |
-            | hideAssets | 1 |
+        When I check "hideUsers"
+        And I check "hideAssets"
         And I press "search-planning-button"
-        Then the response status code should be 200
+        Then I should be on "/organizations/201/planning/"
         And I should see "Aucune resource ne correspond à votre recherche"
diff --git a/features/organization/search.feature b/features/organization/search.feature
index 55d0bc4e..617194a0 100644
--- a/features/organization/search.feature
+++ b/features/organization/search.feature
@@ -4,12 +4,8 @@ Feature:
     As an organization
     I must be able to search users and assets
 
-    Scenario: As anonymous, I cannot access to the search page
-        When I go to "/organizations/201/search?query=foo"
-        Then I should be on "/organizations/login"
-
     Scenario Outline: As an authenticated parent organization, I can search for a user even in my children
-        Given I am authenticated as "DT75"
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/organizations/201"
         When I fill in "query" with " <search> "
         And I press "Rechercher"
@@ -20,62 +16,67 @@ Feature:
         And I should see "Aucun véhicule ne correspond à votre recherche."
         Examples:
             | search         | email              | identificationNumber |
-            | jOhN dOe reSOp | john.doe@resop.com | 990001A              |
-            | jAnE dOe reSOp | jane.doe@resop.com | 990002A              |
+            | jOhN dOe reSOp | admin201@resop.com | 990001A              |
+            | jAnE dOe reSOp | admin203@resop.com | 990002A              |
 
-    Scenario: As an authenticated children organization, I can search for a user in my organization
-        Given I am authenticated as "UL 01-02"
-        And I am on "/organizations/203"
-        When I fill in "query" with " jAnE dOe reSOp "
+    Scenario: As an admin of a children organization, I can search for a volunteer in my organization
+        Given I am authenticated as "admin204@resop.com"
+        And I am on "/organizations/204"
+        When I fill in "query" with " FrEdDy MeRcUrY reSOp "
         And I press "Rechercher"
-        Then I should be on "/organizations/203/search"
-        And I should see "Rechercher \"jAnE dOe reSOp\""
-        And I should see "990002A"
-        And I should see "jane.doe@resop.com"
+        Then I should be on "/organizations/204/search"
+        And the response status code should be 200
+        And I should see "Rechercher \"FrEdDy MeRcUrY reSOp\""
+        And I should see "990004A"
+        And I should see "admin204@resop.com"
         And I should see "Aucun véhicule ne correspond à votre recherche."
 
-    Scenario: As an authenticated organization, I cannot search for a user in another organization
-        Given I am authenticated as "UL 01-02"
-        And I am on "/organizations/203"
+    Scenario: As an admin of an organization, I cannot search for a user in another organization
+        Given I am authenticated as "admin201@resop.com"
+        And I am on "/organizations/201"
         When I fill in "query" with " cHuCk nOrRiS reSOp "
         And I press "Rechercher"
-        Then I should be on "/organizations/203/search"
+        Then I should be on "/organizations/201/search"
+        And the response status code should be 200
         And I should see "Rechercher \"cHuCk nOrRiS reSOp\""
         And I should see "Aucun bénévole ne correspond à votre recherche."
         And I should see "Aucun véhicule ne correspond à votre recherche."
 
-    Scenario Outline: As an authenticated parent organization, I can search for an asset even in my children
-        Given I am authenticated as "DT75"
+    Scenario Outline: As an admin of a parent organization, I can search for an asset even in my children
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/organizations/201"
         When I fill in "query" with " <search> "
         And I press "Rechercher"
         Then I should be on "/organizations/201/search"
+        And the response status code should be 200
         And I should see "Rechercher \"<search>\""
         And I should see "<name>"
         And I should see "<type>"
         And I should see "Aucun bénévole ne correspond à votre recherche."
         Examples:
-            | search | name   | type |
-            | 75992  | 75992  | VPSP |
-            | 75012  | 75012  | VPSP |
+            | search | name  | type |
+            | 75992  | 75992 | VPSP |
+            | 75012  | 75012 | VPSP |
 
-    Scenario: As an authenticated children organization, I can search for a user in my organization
-        Given I am authenticated as "UL 01-02"
-        And I am on "/organizations/203"
+    Scenario: As an admin of a children organization, I can search for a user in my organization
+        Given I am authenticated as "admin201@resop.com"
+        And I am on "/organizations/201"
         When I fill in "query" with " 75012 "
         And I press "Rechercher"
-        Then I should be on "/organizations/203/search"
+        Then I should be on "/organizations/201/search"
+        And the response status code should be 200
         And I should see "Rechercher \"75012\""
         And I should see "VPSP"
         And I should see "75012"
         And I should see "Aucun bénévole ne correspond à votre recherche."
 
-    Scenario: As an authenticated organization, I cannot search for a user in another organization
-        Given I am authenticated as "UL 01-02"
-        And I am on "/organizations/203"
+    Scenario: As an admin of an organization, I cannot search for a user in another organization
+        Given I am authenticated as "admin201@resop.com"
+        And I am on "/organizations/201"
         When I fill in "query" with " 77282 "
         And I press "Rechercher"
-        Then I should be on "/organizations/203/search"
+        Then I should be on "/organizations/201/search"
+        And the response status code should be 200
         And I should see "Rechercher \"77282\""
         And I should see "Aucun bénévole ne correspond à votre recherche."
         And I should see "Aucun véhicule ne correspond à votre recherche."
diff --git a/features/organization/users.feature b/features/organization/users.feature
index 7b0fb07e..f8e68520 100644
--- a/features/organization/users.feature
+++ b/features/organization/users.feature
@@ -1,28 +1,23 @@
 @users
 Feature:
     In order to manage the users in my organization,
-    As an organization,
+    As an admin of an organization,
     I must be able to list, edit and delete users in my organization.
 
-    Scenario: As anonymous, I cannot list the users from an organization
-        When I go to "/organizations/1/users"
-        Then I should be on "/organizations/login"
-        And the response status code should be 200
-
-    Scenario: As an organization, I can list the users from my organization
-        Given I am authenticated as "DT75"
+    Scenario: As an admin of an organization, I can list the users from my organization
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/organizations/201"
         When I follow "Afficher la liste de mes bénévoles inscrits"
         Then I should be on "/organizations/201/users/"
         And the response status code should be 200
-        And I should see "john.doe@resop.com"
-        And I should not see "jane.doe@resop.com"
+        And I should see "admin201@resop.com"
+        And I should not see "admin203@resop.com"
         And I should not see "jill.doe@resop.com"
         And I should not see "chuck.norris@resop.com"
-        And I should not see "freddy.mercury@resop.com"
+        And I should not see "admin204@resop.com"
 
-    Scenario: As a parent organization, I can list the users from my children organizations
-        Given I am authenticated as "DT75"
+    Scenario: As an admin of a parent organization, I can list the users from my children organizations
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/organizations/201"
         When I follow "Modifier mes structures"
         Then I should be on "/organizations/201/children/"
@@ -30,18 +25,20 @@ Feature:
         When I follow "Liste des bénévoles"
         Then I should be on "/organizations/201/users/?organizationId=203"
         And the response status code should be 200
-        And I should see "jane.doe@resop.com"
-        And I should not see "john.doe@resop.com"
+        And I should see "admin203@resop.com"
+        And I should see "jill.doe@resop.com"
+        And I should not see "admin201@resop.com"
         And I should not see "chuck.norris@resop.com"
+        And I should not see "admin204@resop.com"
 
     Scenario: As an admin of an organization, I cannot list the users from another organization
-        Given I am authenticated as "DT75"
+        Given I am authenticated as "admin201@resop.com"
         When I go to "/organizations/202/users"
         Then the response status code should be 403
 
     @javascript
-    Scenario: As an organization, I can display a user modal
-        Given I am authenticated as "DT75"
+    Scenario: As an admin of an organization, I can display a user modal
+        Given I am authenticated as "admin201@resop.com"
         When I go to "/organizations/201/users/?organizationId=203"
         And I press "Afficher"
         And I wait for ".modal-show-user-inner" to be visible
@@ -49,14 +46,11 @@ Feature:
         And I follow "Modifier"
         Then I should be on "/organizations/201/users/102/edit"
 
-    Scenario Outline: As an organization, I can update a user from my organization or children organizations
+    Scenario Outline: As an admin of an organization, I can update a user from my organization or children organizations
         Given I am authenticated as "<login>"
         When I go to "<edit_url>"
+        Then I should be on "<edit_url>"
         And the response status code should be 200
-        And the "user_identificationNumber" field should contain "990002A"
-        And the "user_emailAddress" field should contain "jane.doe@resop.com"
-        And the "user_firstName" field should contain "Jane"
-        And the "user_lastName" field should contain "DOE"
         When I fill in the following:
             | user[identificationNumber]               | 999999A                 |
             | user[emailAddress]                       | john.bon.jovi@resop.com |
@@ -92,14 +86,18 @@ Feature:
         And the "user[properties][drivingLicence]" field should contain "0"
         And the "user[properties][occupation][choice]" field should contain "Pompier"
         Examples:
-            | login    | list_url                                     | edit_url                          |
-            | DT75     | /organizations/201/users/?organizationId=203 | /organizations/201/users/102/edit |
-            | UL 01-02 | /organizations/203/users/                    | /organizations/203/users/102/edit |
+            | login              | list_url                                     | edit_url                          |
+            | admin201@resop.com | /organizations/201/users/?organizationId=203 | /organizations/201/users/102/edit |
+            | admin204@resop.com | /organizations/204/users/                    | /organizations/204/users/104/edit |
 
-    Scenario: As an admin of an organization, I cannot update a user from another organizations
-        Given I am authenticated as "DT75"
-        When I go to "/organizations/204/users/103/edit"
-        Then the response status code should be 403
+    Scenario Outline: As an admin of an organization, I cannot update a user from another organizations
+        Given I am authenticated as "admin201@resop.com"
+        When I go to "<url>"
+        Then the response status code should be 404
+        Examples:
+            | url                               |
+            | /organizations/201/users/104/edit |
+            | /organizations/201/users/105/edit |
 
     @javascript
     Scenario Outline: As an organization, I can delete a user from my organization or children organizations
@@ -111,25 +109,111 @@ Feature:
         When I press "Supprimer"
         Then I should be on "<list_url>"
         And I should see "Le bénévole a été supprimé avec succès."
-        And I should not see "jill.doe@resop.com"
+        And I should not see "jane.doe@resop.com"
         Examples:
-            | login    | list_url                                     | edit_url                          |
-            | DT75     | /organizations/201/users/?organizationId=203 | /organizations/201/users/102/edit |
-            | UL 01-02 | /organizations/203/users/                    | /organizations/203/users/102/edit |
+            | login              | list_url                                     | edit_url                          |
+            | admin201@resop.com | /organizations/201/users/?organizationId=203 | /organizations/201/users/102/edit |
 
+#    TODO: Waiting for https://github.com/crf-devs/resop/issues/348
 #    Scenario: As an admin of an organization, I cannot directly delete a user from my organization
-#        Given I am authenticated as "john.doe@resop.com"
+#        Given I am authenticated as "admin201@resop.com"
 #        When I go to "/organizations/201/users/3/delete?organizationId=203"
 #        Then the response status code should be 405
 
     Scenario: As an admin of an organization, I cannot delete a user from another organization
-        Given I am authenticated as "DT75"
+        Given I am authenticated as "admin201@resop.com"
         When I go to "/organizations/204/users"
         Then the response status code should be 403
         When I go to "/organizations/204/users/103/delete"
         Then the response status code should be 403
 
     Scenario: As an admin of an organization, I cannot access an invalid user
-        Given I am authenticated as "DT75"
+        Given I am authenticated as "admin201@resop.com"
         When I go to "/organizations/201/users/108/edit"
         Then the response status code should be 404
+
+    Scenario: As an admin of an organization, I cannot access a user with a mismatched url
+        Given I am authenticated as "admin201@resop.com"
+        When I go to "/organizations/201/users/2/edit"
+        Then the response status code should be 404
+
+    @javascript
+    Scenario: As an admin of an organization, I can promote a user as admin of an organization and this user has admin privilege
+        Given I am authenticated as "admin201@resop.com"
+        When I go to "/organizations/201/users/?organizationId=203"
+        And I press "Afficher la fiche de Jill DOE"
+        And I wait for ".modal-show-user-inner" to be visible
+        And I follow "Promouvoir"
+        Then I should be on "/organizations/201/users/?organizationId=203"
+        And the response status code should be 200
+        And I should see "L'utilisateur \"Jill DOE\" a été promu administrateur de \"UL 01-02\" avec succès."
+        And I press "Afficher la fiche de Jill DOE"
+        And I wait for ".modal-show-user-inner" to be visible
+        And I should see "Révoquer"
+        And I follow "Déconnexion"
+        When I go to "/login"
+        And I fill in the following:
+            | user_login[identifier]      | jill.doe@resop.com |
+            | user_login[birthday][day]   | 01                 |
+            | user_login[birthday][month] | 01                 |
+            | user_login[birthday][year]  | 1990               |
+        And I press "Je me connecte"
+        Then I should be on "/"
+        And the response status code should be 200
+        And I should see "Vous devez renseigner votre mot de passe afin d'administrer votre structure"
+
+    @javascript
+    Scenario: As an admin of an organization, I can revoke a user admin privilege of an organization and this user doesn't have admin privilege anymore
+        Given I am authenticated as "admin201@resop.com"
+        When I go to "/organizations/201/users/?organizationId=203"
+        And I press "Afficher la fiche de Jill DOE"
+        And I wait for ".modal-show-user-inner" to be visible
+        And I follow "Révoquer"
+        Then I should be on "/organizations/201/users/?organizationId=203"
+        And the response status code should be 200
+        And I should see "Le privilège d'administrateur pour la structure \"UL 01-02\" de \"Jane DOE\" a été révoquée avec succès."
+        And I press "Afficher la fiche de Jill DOE"
+        And I wait for ".modal-show-user-inner" to be visible
+        And I should see "Promouvoir"
+        And I follow "Déconnexion"
+        When I go to "/login"
+        And I fill in the following:
+            | user_login[identifier]      | admin203@resop.com |
+            | user_login[birthday][day]   | 01                 |
+            | user_login[birthday][month] | 01                 |
+            | user_login[birthday][year]  | 1990               |
+        And I press "Je me connecte"
+        Then I should be on "/"
+        And the response status code should be 200
+        And I should not see "Vous devez renseigner votre mot de passe afin d'administrer votre structure"
+
+    @javascript
+    Scenario: As an admin of an organization, I cannot revoke my own admin privilege
+        Given I am authenticated as "admin201@resop.com"
+        When I go to "/organizations/201/users/"
+        And I press "Afficher la fiche de John DOE"
+        And I wait for ".modal-show-user-inner" to be visible
+        Then I should not see "Révoquer"
+        When I go to "/organizations/201/users/101/revoke"
+        And the response status code should be 403
+
+    Scenario: As a super-admin, I can impersonate a user
+        Given I am authenticated as "super.admin@resop.com"
+        When I go to "/organizations/201/users/"
+        Then I should see "Usurper l'identité"
+        When I follow "Usurper l'identité"
+        Then I should be on "/"
+        And the response status code should be 200
+        And I should see "Retour à l'admin"
+        And I should see "John DOE"
+
+    Scenario Outline: As a user or an admin of an organization, I cannot impersonate a user
+        Given I am authenticated as "<login>"
+        When I go to "/organizations/201/users/"
+        Then I should not see "Usurper l'identité"
+        When I go to "/?_switch_user=990004A"
+        Then the response status code should be 403
+        Examples:
+            | login              |
+            | admin201@resop.com |
+            | jill.doe@resop.com |
diff --git a/features/user/availabilities.feature b/features/user/availabilities.feature
index 3769e880..a235643a 100644
--- a/features/user/availabilities.feature
+++ b/features/user/availabilities.feature
@@ -1,15 +1,16 @@
 @availability
 Feature:
-    In order to fill in my availabilities
-    As a user
-    I must be able to create my account
+    In order to fill in my availabilities,
+    As a user,
+    I must be able to create my account.
 
     Scenario: As anonymous, I cannot go to user planning
         When I go to "/user/availability"
         Then I should be on "/login"
+        And the response status code should be 200
 
     Scenario: As authenticated user, I can navigate through the planning weeks
-        Given I am authenticated as "john.doe@resop.com"
+        Given I am authenticated as "admin203@resop.com"
         And I am on "/"
         When I follow "Semaine prochaine"
         Then the url should match "/user/availability"
@@ -19,7 +20,7 @@ Feature:
         And the response status code should be 200
 
     Scenario Outline: As authenticated user, I cannot add an availability on a booked/locked slot
-        Given I am authenticated as "john.doe@resop.com"
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/"
         When I follow "Semaine prochaine"
         Then the url should match "/user/availability"
@@ -33,7 +34,7 @@ Feature:
             | next week monday 8 am |
 
     Scenario Outline: As authenticated user, I can add and remove an availability at any free slot in the future
-        Given I am authenticated as "john.doe@resop.com"
+        Given I am authenticated as "admin203@resop.com"
         And I am on "/"
         When I follow "Semaine prochaine"
         # TODO Check the full url /user/availability/2020-W18
@@ -59,7 +60,7 @@ Feature:
         And the availability checkbox "<time>" should be unchecked
         Examples:
             | time                      |
-            | next week monday 3 pm     |
+            | next week monday 6 pm     |
             | next week tuesday 8 am    |
             | next week wednesday 12 pm |
             | next week thursday 2pm    |
@@ -69,7 +70,7 @@ Feature:
             | next week sunday 10pm     |
 
     Scenario Outline: As authenticated user, I can remove an availability at any available slot in the future
-        Given I am authenticated as "john.doe@resop.com"
+        Given I am authenticated as "admin203@resop.com"
         And I am on "/"
         When I follow "Semaine prochaine"
         Then the url should match "/user/availability"
@@ -86,4 +87,5 @@ Feature:
         And the availability checkbox "<time>" should be unchecked
         Examples:
             | time                    |
-            | tuesday next week 10 am |
+            | next week monday 10 am |
+            | next week monday 12 pm |
diff --git a/features/user/edit.feature b/features/user/edit.feature
index 7d630fd6..b5df5956 100644
--- a/features/user/edit.feature
+++ b/features/user/edit.feature
@@ -9,10 +9,10 @@ Feature:
         Then I should be on "/login"
 
     Scenario: As a user, I can see my account
-        Given I am authenticated as "john.doe@resop.com"
+        Given I am authenticated as "admin201@resop.com"
         When I go to "/user/edit"
         Then the "user[identificationNumber]" field should contain "990001A"
-        And the "user[emailAddress]" field should contain "john.doe@resop.com"
+        And the "user[emailAddress]" field should contain "admin201@resop.com"
         And the "user[firstName]" field should contain "John"
         And the "user[lastName]" field should contain "DOE"
         And the "user[phoneNumber]" field should contain "06 12 34 56 78"
@@ -26,7 +26,7 @@ Feature:
         And the "user[properties][occupation][choice]" field should contain "Pharmacien"
 
     Scenario: As a user, I cannot update my account with empty data
-        Given I am authenticated as "john.doe@resop.com"
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/user/edit"
         When I fill in the following:
             | user[identificationNumber] |  |
@@ -44,7 +44,7 @@ Feature:
         And I should see "Cette valeur ne doit pas être nulle." in the "label[for=user_phoneNumber] .form-error-message" element
 
     Scenario: As a user, I cannot update my account with invalid data
-        Given I am authenticated as "john.doe@resop.com"
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/user/edit"
         When I fill in the following:
             | user[identificationNumber] | invalid |
@@ -58,7 +58,7 @@ Feature:
         And I should see "Cette valeur n'est pas un numéro de téléphone valide." in the "label[for=user_phoneNumber] .form-error-message" element
 
     Scenario: As a user, I can update my account
-        Given I am authenticated as "john.doe@resop.com"
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/user/edit"
         When I fill in the following:
             | user[identificationNumber]               | 899999A                |
@@ -95,7 +95,7 @@ Feature:
 
     @javascript
     Scenario: As a user, I can update my occupation with a free text
-        Given I am authenticated as "john.doe@resop.com"
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/user/edit"
         When I check "Autre"
         Then I wait for "#user_properties_occupation_other" to be visible
@@ -108,7 +108,7 @@ Feature:
         And the "user[properties][occupation][other]" field should contain "Plombier"
 
     Scenario Outline: As a user, I can update my email and login using the new email
-        Given I am authenticated as "john.doe@resop.com"
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/user/edit"
         When I fill in the following:
             | user[identificationNumber] | 899999A           |
@@ -117,12 +117,11 @@ Feature:
         And I press "Valider"
         Then I should be on "/"
         And I should see "Vos informations ont été mises à jour avec succès."
+        And I should see "NIVOL : 899999A"
         When I follow "Déconnexion"
         And I fill in the following:
-            | user_login[identifier]      | <login> |
-            | user_login[birthday][day]   | 01      |
-            | user_login[birthday][month] | 01      |
-            | user_login[birthday][year]  | 1990    |
+            | user_login[identifier] | <login> |
+            | user_login[password]   | covid19 |
         And I press "Je me connecte"
         Then I should be on "/"
         And I should see "NIVOL : 899999A"
diff --git a/features/user/login.feature b/features/user/login.feature
index 319928fc..2dd94a34 100644
--- a/features/user/login.feature
+++ b/features/user/login.feature
@@ -1,14 +1,42 @@
 @login
 Feature:
-    In order to fill in my availabilities
-    As a user
-    I must be able to log in
+    In order to fill in my availabilities,
+    As a user,
+    I must be able to log in.
 
-    Scenario: As anonymous, I cannot access to the homepage
+    Scenario: As anonymous, I cannot go to the homepage
         When I go to the homepage
         Then I should be on "/login"
+        And the response status code should be 200
 
-    Scenario Outline: As a registered user, I can log in
+    Scenario Outline: As a user with a password, I can log in with it
+        Given I am on "/login"
+        When I fill in the following:
+            | user_login[identifier] | <login> |
+            | user_login[password]   | covid19 |
+        And I press "Je me connecte"
+        Then I should be on "/"
+        And the response status code should be 200
+        And I should see "NIVOL : 990001A"
+        Examples:
+            | login              |
+            | admin201@resop.com |
+            | 990001A            |
+
+    Scenario Outline: As a user with a password, I cannot log in with an invalid one
+        Given I am on "/login"
+        When I fill in the following:
+            | user_login[identifier] | <login> |
+            | user_login[password]   | invalid |
+        And I press "Je me connecte"
+        Then I should be on "/login"
+        And I should see "Veuillez saisir un numéro NIVOL ou une adresse e-mail valide, ou la date de naissance ne corresponds pas à ce NIVOL/email."
+        Examples:
+            | login              |
+            | admin201@resop.com |
+            | 990001A            |
+
+    Scenario Outline: As a user with a password, I cannot log in with my birth date
         Given I am on "/login"
         When I fill in the following:
             | user_login[identifier]      | <login> |
@@ -16,18 +44,50 @@ Feature:
             | user_login[birthday][month] | 01      |
             | user_login[birthday][year]  | 1990    |
         And I press "Je me connecte"
-        Then I should be on "/"
-        And I should see "NIVOL : 990001A"
+        Then I should be on "/login"
+        And I should see "Veuillez saisir un numéro NIVOL ou une adresse e-mail valide, ou la date de naissance ne corresponds pas à ce NIVOL/email."
         Examples:
             | login              |
-            | john.doe@resop.com |
+            | admin201@resop.com |
             | 990001A            |
 
+    Scenario Outline: As a user without a password, I can log in with my birth date
+        Given I am on "/login"
+        When I fill in the following:
+            | user_login[identifier]      | <login> |
+            | user_login[birthday][day]   | 01      |
+            | user_login[birthday][month] | 01      |
+            | user_login[birthday][year]  | 1990    |
+        And I press "Je me connecte"
+        Then I should be on "/"
+        And the response status code should be 200
+        And I should see "NIVOL : <identificationNumber>"
+        Examples:
+            | login              | identificationNumber |
+            | admin203@resop.com | 990002A              |
+            | 990003A            | 990003A              |
+
+    Scenario Outline: As a user without a password, I cannot log in with an invalid birth date
+        Given I am on "/login"
+        When I fill in the following:
+            | user_login[identifier]      | <login> |
+            | user_login[birthday][day]   | 02      |
+            | user_login[birthday][month] | 02      |
+            | user_login[birthday][year]  | 1992    |
+        And I press "Je me connecte"
+        Then I should be on "/login"
+        And I should see "Veuillez saisir un numéro NIVOL ou une adresse e-mail valide, ou la date de naissance ne corresponds pas à ce NIVOL/email."
+        Examples:
+            | login              |
+            | admin203@resop.com |
+            | 990003A            |
+
     Scenario: As an authenticated user, I can log out
-        Given I am authenticated as "john.doe@resop.com"
+        Given I am authenticated as "admin201@resop.com"
         And I am on "/"
         When I follow "Déconnexion"
         Then I should be on "/login"
+        And the response status code should be 200
 
     Scenario: As anonymous, when I try to log in with a non-existing account, I'm redirected to the registration page
         Given I am on "/login"
@@ -38,9 +98,11 @@ Feature:
             | user_login[birthday][year]  | 1990              |
         And I press "Je me connecte"
         Then I should be on "/user/new"
+        And the response status code should be 200
         And the "user_emailAddress" field should contain "invalid@resop.com"
 
     Scenario: As anonymous, I cannot log in with empty data
         Given I am on "/login"
         When I press "Je me connecte"
         Then I should be on "/user/new"
+        And the response status code should be 200
diff --git a/features/user/password.feature b/features/user/password.feature
new file mode 100644
index 00000000..d3a82c02
--- /dev/null
+++ b/features/user/password.feature
@@ -0,0 +1,105 @@
+@password
+Feature:
+    In order to update my password,
+    As a user,
+    I must be able to set my password.
+
+    Scenario: As anonymous, I cannot set a password
+        When I go to "/user/password"
+        Then I should be on "/login"
+        And the response status code should be 200
+
+    Scenario: As an admin of an organization with no password set, I see a warning
+        Given I am authenticated as "admin203@resop.com"
+        When I go to "/"
+        Then I should be on "/"
+        And the response status code should be 200
+        And I should see "Vous devez renseigner votre mot de passe afin d'administrer votre structure"
+
+    Scenario: As a user, I cannot set my password with empty data
+        Given I am authenticated as "admin203@resop.com"
+        And I am on "/user/password"
+        And I should not see a "input#user_password_currentPassword" element
+        When I fill in the following:
+            | user_password[plainPassword][first]  |  |
+            | user_password[plainPassword][second] |  |
+        And I press "Modifier mon mot de passe"
+        Then I should be on "/user/password"
+        And the response status code should be 400
+        And I should see "Cette valeur ne doit pas être vide." in the "label[for=user_password_plainPassword_first] .form-error-message" element
+
+    Scenario: As a user, I cannot set my password with invalid data
+        Given I am authenticated as "admin203@resop.com"
+        And I am on "/user/password"
+        And I should not see a "input#user_password_currentPassword" element
+        When I fill in the following:
+            | user_password[plainPassword][first]  | foo |
+            | user_password[plainPassword][second] | bar |
+        And I press "Modifier mon mot de passe"
+        Then I should be on "/user/password"
+        And the response status code should be 400
+        And I should see "Cette valeur n'est pas valide." in the "label[for=user_password_plainPassword_first] .form-error-message" element
+
+    Scenario Outline: As a user with a password, I cannot update it with an empty or invalid current one
+        Given I am authenticated as "admin201@resop.com"
+        And I am on "/user/password"
+        When I fill in the following:
+            | user_password[currentPassword]       | <value> |
+            | user_password[plainPassword][first]  | foo     |
+            | user_password[plainPassword][second] | foo     |
+        And I press "Modifier mon mot de passe"
+        Then I should be on "/user/password"
+        And the response status code should be 400
+        And I should see "<message>" in the "label[for=user_password_currentPassword] .form-error-message" element
+        Examples:
+            | value   | message                        |
+            |         | Cette valeur n'est pas valide. |
+            | invalid | Cette valeur n'est pas valide. |
+
+    Scenario Outline: As a user with a password, I can update it
+        Given I am authenticated as "admin201@resop.com"
+        And I am on "/user/password"
+        When I fill in the following:
+            | user_password[currentPassword]       | covid19 |
+            | user_password[plainPassword][first]  | covid20 |
+            | user_password[plainPassword][second] | covid20 |
+        And I press "Modifier mon mot de passe"
+        Then I should be on "/"
+        And the response status code should be 200
+        And I should see "Votre mot de passe a été mis à jour avec succès."
+        When I follow "Déconnexion"
+        And I fill in the following:
+            | user_login[identifier] | <login> |
+            | user_login[password]   | covid20 |
+        And I press "Je me connecte"
+        Then I should be on "/"
+        And the response status code should be 200
+        And I should see "NIVOL : 990001A"
+        Examples:
+            | login              |
+            | admin201@resop.com |
+            | 990001A            |
+
+    Scenario Outline: As a user without a password, I can set it
+        Given I am authenticated as "admin203@resop.com"
+        And I am on "/user/password"
+        And I should not see a "input#user_password_currentPassword" element
+        When I fill in the following:
+            | user_password[plainPassword][first]  | covid20 |
+            | user_password[plainPassword][second] | covid20 |
+        And I press "Modifier mon mot de passe"
+        Then I should be on "/"
+        And the response status code should be 200
+        And I should see "Votre mot de passe a été mis à jour avec succès."
+        When I follow "Déconnexion"
+        And I fill in the following:
+            | user_login[identifier] | <login> |
+            | user_login[password]   | covid20 |
+        And I press "Je me connecte"
+        Then I should be on "/"
+        And the response status code should be 200
+        And I should see "NIVOL : 990002A"
+        Examples:
+            | login              |
+            | admin203@resop.com |
+            | 990002A            |
diff --git a/features/user/register.feature b/features/user/register.feature
index 1a087b86..3ec5dede 100644
--- a/features/user/register.feature
+++ b/features/user/register.feature
@@ -1,13 +1,14 @@
 @register
 Feature:
-    In order to fill in my availabilities
-    As a user
-    I must be able to create my account
+    In order to fill in my availabilities,
+    As a user,
+    I must be able to create my account.
 
     Scenario: As authenticated user, I cannot create an account
-        Given I am authenticated as "john.doe@resop.com"
+        Given I am authenticated as "admin201@resop.com"
         When I go to "/user/new"
         Then I should be on "/"
+        And the response status code should be 200
 
     Scenario: As anonymous, I cannot create an account with already registered email address
         Given I am on "/user/new"
@@ -15,13 +16,13 @@ Feature:
             | user[identificationNumber] | 999999A            |
             | user[firstName]            | John               |
             | user[lastName]             | DOE                |
-            | user[emailAddress]         | john.doe@resop.com |
+            | user[emailAddress]         | admin201@resop.com |
             | user[phoneNumber]          | 0612345678         |
         And I select "UL 01-02" from "user[organization]"
         And I check "Maraudeur.se"
         And I press "Valider"
-        Then the response status code should be 400
-        And I should be on "/user/new"
+        Then I should be on "/user/new"
+        And the response status code should be 400
         And I should see "Cette valeur est déjà utilisée."
 
     Scenario: As anonymous, I cannot create an account with already registered identification number
@@ -35,8 +36,8 @@ Feature:
         And I select "UL 01-02" from "user[organization]"
         And I check "Maraudeur.se"
         And I press "Valider"
-        Then the response status code should be 400
-        And I should be on "/user/new"
+        Then I should be on "/user/new"
+        And the response status code should be 400
         And I should see "Cette valeur est déjà utilisée."
 
     Scenario: As anonymous, I can create an account with valid data
@@ -52,6 +53,7 @@ Feature:
         And I press "Valider"
         Then the response status code should be 200
         And I should be on "/"
+        And the response status code should be 200
         And I should see "Votre compte utilisateur a été créé avec succès."
         And I should see "Bienvenue, Archibald HADDOCK"
         And I should see "NIVOL : 999999A"
@@ -62,7 +64,7 @@ Feature:
         Then I should be on "/user/new"
         And the response status code should be 400
         And I should see "Cette valeur ne doit pas être vide." in the "label[for=user_identificationNumber] .form-error-message" element
-        And I should see "Cette valeur ne doit pas être nulle." in the "label[for=user_organization] .form-error-message" element
+        And I should see "Cette valeur n'est pas valide." in the "label[for=user_organization] .form-error-message" element
         And I should see "Cette valeur ne doit pas être vide." in the "label[for=user_firstName] .form-error-message" element
         And I should see "Cette valeur ne doit pas être vide." in the "label[for=user_lastName] .form-error-message" element
         And I should see "Cette valeur ne doit pas être vide." in the "label[for=user_emailAddress] .form-error-message" element
diff --git a/features/user/reset_password.feature b/features/user/reset_password.feature
new file mode 100644
index 00000000..89382f79
--- /dev/null
+++ b/features/user/reset_password.feature
@@ -0,0 +1,71 @@
+@reset_password
+Feature:
+    In order to reset my password,
+    As a user,
+    I must be able to request a token and reset my password.
+
+    Scenario: As a user, I cannot request a token
+        Given I am authenticated as "admin201@resop.com"
+        When I go to "/reset-password"
+        Then I should be on "/"
+        And the response status code should be 200
+
+    Scenario: As anonymous, I can request a token
+        When I go to "/"
+        Then I should be on "/login"
+        And the response status code should be 200
+        And I should see "J'ai oublié mon mot de passe"
+        When I follow "J'ai oublié mon mot de passe"
+        Then I should be on "/reset-password"
+        And the response status code should be 200
+        When I fill in "reset_password_request_form[emailAddress]" with "admin201@resop.com"
+        And I press "Valider"
+        Then I should be on "/reset-password/check-email"
+        And I should see "Un email vous a été envoyé contenant un lien vous permettant de réinitialiser mon mot de passe. Ce lien expirera dans 1 heure(s)."
+        And 1 mail should be sent
+        # TODO Check email content & link
+        Then I open mail with subject "J'ai oublié mon mot de passe"
+        And I click on the "#reset-password" link in mail
+        Then I should be on "/reset-password/reset"
+        Then I purge mails
+
+        # As anonymous, I cannot request a token if I already requested one in the configured time
+        Given I am on "/reset-password"
+        When I fill in "reset_password_request_form[emailAddress]" with "admin201@resop.com"
+        And I press "Valider"
+        Then I should be on "/reset-password"
+        And I should see "Vous avez déjà demandé la réinitialisation de votre mot de passe."
+        And 0 mail should be sent
+
+    Scenario: As a user, I cannot reset my password using a valid token
+        Given I am authenticated as "admin201@resop.com"
+        When I go to the reset password page of "admin201@resop.com"
+        Then I should be on "/"
+        And the response status code should be 200
+
+    Scenario: As anonymous, I can reset my password using a valid token
+        When I go to the reset password page of "admin201@resop.com"
+        Then I should be on "/reset-password/reset"
+        And the response status code should be 200
+        And I should see "Mot de passe"
+        And I should see "Confirmation"
+        When I fill in the following:
+            | change_password_form[plainPassword][first]  | test |
+            | change_password_form[plainPassword][second] | test |
+        And I press "Réinitialiser mon mot de passe"
+        Then I should be on "/login"
+        And the response status code should be 200
+        And I should see "Votre mot de passe a été mis à jour avec succès."
+        When I fill in the following:
+            | user_login[identifier] | 990001A |
+            | user_login[password]   | test    |
+        And I press "Je me connecte"
+        Then I should be on "/"
+        And the response status code should be 200
+        And I should see "NIVOL : 990001A"
+
+    Scenario: As anonymous, I cannot reset my password using a invalid token
+        When I go to "/reset-password/reset/invalid"
+        Then I should be on "/reset-password"
+        And the response status code should be 200
+        And I should see "Le lien de réinitialisation est invalide ou a expiré"
diff --git a/fixtures/organizations.yaml b/fixtures/organizations.yaml
index 5bc4b542..f53c5691 100644
--- a/fixtures/organizations.yaml
+++ b/fixtures/organizations.yaml
@@ -2,18 +2,14 @@ App\Entity\Organization:
   Organization.DT75:
     id: 201
     name: DT75
-    plainPassword: covid19
   Organization.DT77:
     id: 202
     name: DT77
-    plainPassword: covid19
   Organization.UL-01-02:
     id: 203
     name: UL 01-02
-    plainPassword: covid19
     parent: '@Organization.DT75'
   Organization.UL-DE-BRIE-ET-CHANTEREINE:
     id: 204
     name: UL DE BRIE ET CHANTEREINE
-    plainPassword: covid19
     parent: '@Organization.DT77'
diff --git a/fixtures/resetPasswordRequest.yaml b/fixtures/resetPasswordRequest.yaml
new file mode 100644
index 00000000..de1696c7
--- /dev/null
+++ b/fixtures/resetPasswordRequest.yaml
@@ -0,0 +1,3 @@
+App\Entity\ResetPasswordRequest:
+  ResetPasswordRequest.jane_doe:
+    __construct: ['@User.jane_doe', '<dateTimeImmutable("+1 hour")>', '102', '01GgM0q3lRa6pM2V/S+mZrJpACowPjKnNBlw4ipasOs=']
diff --git a/fixtures/userAvailabilities.yaml b/fixtures/userAvailabilities.yaml
index 376c3383..ecb47897 100644
--- a/fixtures/userAvailabilities.yaml
+++ b/fixtures/userAvailabilities.yaml
@@ -6,7 +6,7 @@ App\Entity\UserAvailability:
         - '<{app.slot_interval}>'
         - '@User.john_doe'
         - 'next monday <current()>:00'
-        - '<randomElement(["locked", "booked"])>'
+        - 'locked'
 
   # John DOE is available tuesday next week from 10:00 to 13:59
   UserAvailability.john_doe.next-week.tuesday.{10..12,2}:
diff --git a/fixtures/users.yaml b/fixtures/users.yaml
index a44acb62..c49918d2 100644
--- a/fixtures/users.yaml
+++ b/fixtures/users.yaml
@@ -1,34 +1,110 @@
+# This file is only used for tests.
+# See App\DataFixtures\ApplicationFixtures for dev data
 App\Entity\User:
+  # John DOE is admin of DT75. He is not volunteer.
+  # As organization admin, his password is required.
   User.john_doe:
     id: 101
     firstName: John
     lastName: DOE
     organization: '@Organization.DT75'
     identificationNumber: 990001A
-    emailAddress (unique): john.doe@resop.com
+    emailAddress: admin201@resop.com
+    plainPassword: covid19
     phoneNumber: '<phoneNumberObject("0612345678", "FR")>'
     birthday: '1990-01-01'
     skillSet: '<randomSkillSet()>'
     properties: {"occupation": "Pharmacien", "organizationOccupation": "Secouriste", "vulnerable": true, "fullyEquipped": true, "drivingLicence": true}
+    managedOrganizations: ['@Organization.DT75']
+
+  # Jane DOE is volunteer and admin of UL 01-02, an organization children of DT75 managed by John DOE.
+  # As organization admin, her password is required, but she didn't filled it yet.
   User.jane_doe:
     id: 102
     firstName: Jane
     lastName: DOE
     organization: '@Organization.UL-01-02'
     identificationNumber: 990002A
-    emailAddress (unique): jane.doe@resop.com
+    emailAddress: admin203@resop.com
     phoneNumber: '<phoneNumberObject("0612345678", "FR")>'
     birthday: '1990-01-01'
     skillSet: '<randomSkillSet()>'
     properties: {"occupation": "<randomElement(['Pharmacien', 'Pompier', 'Ambulancier.e', 'Logisticien', 'Infirmier.e'])>", "organizationOccupation": "Secouriste", "vulnerable": <boolean(50)>, "fullyEquipped": <boolean(50)>, "drivingLicence": <boolean(50)>}
-  User.chuck_norris:
+    managedOrganizations: ['@Organization.UL-01-02']
+
+  # Jill DOE is volunteer of UL 01-02, an organization children of DT75 managed by John DOE.
+  # As volunteer, she doesn't any password, and connects using her birth date.
+  User.jill_doe:
     id: 103
+    firstName: Jill
+    lastName: DOE
+    organization: '@Organization.UL-01-02'
+    identificationNumber: 990003A
+    emailAddress: jill.doe@resop.com
+    phoneNumber: '<phoneNumberObject("0612345678", "FR")>'
+    birthday: '1990-01-01'
+    skillSet: '<randomSkillSet()>'
+    properties: {"occupation": "Pompier", "organizationOccupation": "Secouriste", "vulnerable": true, "fullyEquipped": true, "drivingLicence": true}
+
+  # Freddy MERCURY is volunteer in Organization.UL-DE-BRIE-ET-CHANTEREINE, and admin of UL DE BRIE ET CHANTEREINE,
+  # an organization children of DT77 managed Lady GAGA.
+  # As organization admin, his password is required.
+  User.freddy_mercury:
+    id: 104
+    firstName: Freddy
+    lastName: MERCURY
+    organization: '@Organization.UL-DE-BRIE-ET-CHANTEREINE'
+    identificationNumber: 990004A
+    emailAddress: admin204@resop.com
+    plainPassword: covid19
+    phoneNumber: '<phoneNumberObject("0612345678", "FR")>'
+    birthday: '1990-01-01'
+    skillSet: '<randomSkillSet()>'
+    properties: {"occupation": "<randomElement(['Pharmacien', 'Pompier', 'Ambulancier.e', 'Logisticien', 'Infirmier.e'])>", "organizationOccupation": "Secouriste", "vulnerable": <boolean(50)>, "fullyEquipped": <boolean(50)>, "drivingLicence": <boolean(50)>}
+    managedOrganizations: ['@Organization.UL-DE-BRIE-ET-CHANTEREINE']
+
+  # Chuck NORRIS is volunteer in UL DE BRIE ET CHANTEREINE, an organization children of DT77 managed by Lady GAGA.
+  # Because he has a password, he has to connect using it.
+  User.chuck_norris:
+    id: 105
     firstName: Chuck
     lastName: NORRIS
     organization: '@Organization.UL-DE-BRIE-ET-CHANTEREINE'
-    identificationNumber: 990003A
-    emailAddress (unique): chuck.norris@resop.com
+    identificationNumber: 990005A
+    emailAddress: chuck.norris@resop.com
+    plainPassword: covid19
+    phoneNumber: '<phoneNumberObject("0612345678", "FR")>'
+    birthday: '1990-01-01'
+    skillSet: '<randomSkillSet()>'
+    properties: {"occupation": "<randomElement(['Pharmacien', 'Pompier', 'Ambulancier.e', 'Logisticien', 'Infirmier.e'])>", "organizationOccupation": "Secouriste", "vulnerable": <boolean(50)>, "fullyEquipped": <boolean(50)>, "drivingLicence": <boolean(50)>}
+
+  # Lady GAGA is admin of DT77. She is not volunteer.
+  # As organization admin, her password is required.
+  User.lady_gaga:
+    id: 106
+    firstName: Lady
+    lastName: GAGA
+    organization: '@Organization.DT77'
+    identificationNumber: 990006A
+    emailAddress: admin202@resop.com
+    plainPassword: covid19
+    phoneNumber: '<phoneNumberObject("0612345678", "FR")>'
+    birthday: '1990-01-01'
+    skillSet: '<randomSkillSet()>'
+    properties: {"occupation": "<randomElement(['Pharmacien', 'Pompier', 'Ambulancier.e', 'Logisticien', 'Infirmier.e'])>", "organizationOccupation": "Secouriste", "vulnerable": <boolean(50)>, "fullyEquipped": <boolean(50)>, "drivingLicence": <boolean(50)>}
+    managedOrganizations: ['@Organization.DT77']
+
+  # Super ADMIN is a super-admin, he can do whatever he wants.
+  User.super_admin:
+    id: 107
+    firstName: Super
+    lastName: ADMIN
+    organization: '@Organization.DT75'
+    identificationNumber: 990008A
+    emailAddress: super.admin@resop.com
+    plainPassword: covid19
     phoneNumber: '<phoneNumberObject("0612345678", "FR")>'
     birthday: '1990-01-01'
     skillSet: '<randomSkillSet()>'
     properties: {"occupation": "<randomElement(['Pharmacien', 'Pompier', 'Ambulancier.e', 'Logisticien', 'Infirmier.e'])>", "organizationOccupation": "Secouriste", "vulnerable": <boolean(50)>, "fullyEquipped": <boolean(50)>, "drivingLicence": <boolean(50)>}
+    roles: ['ROLE_SUPER_ADMIN']
diff --git a/src/Command/AdminPromoteCommand.php b/src/Command/AdminPromoteCommand.php
new file mode 100644
index 00000000..36490cc0
--- /dev/null
+++ b/src/Command/AdminPromoteCommand.php
@@ -0,0 +1,55 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Command;
+
+use App\Entity\User;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class AdminPromoteCommand extends Command
+{
+    protected static $defaultName = 'app:admin-promote';
+
+    private EntityManagerInterface $em;
+
+    public function __construct(EntityManagerInterface $entityManager)
+    {
+        $this->em = $entityManager;
+
+        parent::__construct();
+    }
+
+    protected function configure(): void
+    {
+        $this
+            ->setDescription('Promote an user as a super admin')
+            ->addOption('email', null, InputOption::VALUE_REQUIRED, 'The user email address');
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $userRepository = $this->em->getRepository(User::class);
+
+        $email = $input->getOption('email');
+        if (!\is_string($email) || empty($email)) {
+            throw new \InvalidArgumentException('Bad email provided');
+        }
+
+        $user = $userRepository->findOneBy(['emailAddress' => $email]);
+        if (empty($user)) {
+            throw new \InvalidArgumentException('User not found');
+        }
+
+        $user->roles = array_unique(array_merge((array) $user->roles, ['ROLE_SUPER_ADMIN']));
+        $this->em->flush();
+
+        $output->writeln('User is now a super admin');
+
+        return 0;
+    }
+}
diff --git a/src/Command/LoadOrganizationsCommand.php b/src/Command/LoadOrganizationsCommand.php
index 36a45a4c..32f72245 100644
--- a/src/Command/LoadOrganizationsCommand.php
+++ b/src/Command/LoadOrganizationsCommand.php
@@ -10,7 +10,6 @@
 use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\Console\Output\OutputInterface;
 use Symfony\Component\Console\Style\SymfonyStyle;
-use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
 
 class LoadOrganizationsCommand extends Command
 {
@@ -41,14 +40,11 @@ class LoadOrganizationsCommand extends Command
 
     private EntityManagerInterface $entityManager;
 
-    private EncoderFactoryInterface $encoders;
-
     private array $outputTable = [];
 
-    public function __construct(EntityManagerInterface $entityManager, EncoderFactoryInterface $encoders)
+    public function __construct(EntityManagerInterface $entityManager)
     {
         $this->entityManager = $entityManager;
-        $this->encoders = $encoders;
 
         parent::__construct();
     }
@@ -115,19 +111,10 @@ private function createOrganization(string $organizationName, Organization $pare
         $organization->name = $organizationName;
         $organization->parent = $parentOrganization;
 
-        $encoder = $this->encoders->getEncoder(Organization::class);
-        $plainPassword = $this->getPlainPassword();
-        $organization->setPassword($encoder->encodePassword($plainPassword, null));
-
         $this->entityManager->persist($organization);
 
-        $this->outputTable[] = [$organization->getName(), $plainPassword];
+        $this->outputTable[] = [$organization->getName()];
 
         return $organization;
     }
-
-    private function getPlainPassword(): string
-    {
-        return substr(sha1(random_bytes(6)), 0, 6);
-    }
 }
diff --git a/src/Controller/Admin/OrganizationsListController.php b/src/Controller/Admin/OrganizationsListController.php
new file mode 100644
index 00000000..45c66832
--- /dev/null
+++ b/src/Controller/Admin/OrganizationsListController.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\Admin;
+
+use App\Repository\OrganizationRepository;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\Annotation\Route;
+
+/**
+ * @Route("/organizations", name="app_admin_organizations", methods={"GET"})
+ */
+final class OrganizationsListController extends AbstractController
+{
+    public function __invoke(OrganizationRepository $organizationRepository): Response
+    {
+        return $this->render('admin/organizations.html.twig', [
+            'organizations' => $organizationRepository->findAllWithParent(),
+        ]);
+    }
+}
diff --git a/src/Controller/Organization/AbstractOrganizationController.php b/src/Controller/Organization/AbstractOrganizationController.php
index 9e22a2d1..3c9023ae 100644
--- a/src/Controller/Organization/AbstractOrganizationController.php
+++ b/src/Controller/Organization/AbstractOrganizationController.php
@@ -6,6 +6,7 @@
 
 use App\Entity\Organization;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 
 abstract class AbstractOrganizationController extends AbstractController
@@ -16,11 +17,13 @@ abstract class AbstractOrganizationController extends AbstractController
     protected function generateUrl(string $route, array $parameters = [], int $referenceType = UrlGeneratorInterface::ABSOLUTE_PATH): string
     {
         if (preg_match('/^app_organization_.*$/', $route)) {
-            /** @var Organization $user */
-            $user = $this->getUser();
+            /** @var Request $request */
+            $request = $this->get('request_stack')->getCurrentRequest();
+            /** @var Organization $currentOrganization */
+            $currentOrganization = $request->attributes->get('currentOrganization');
             $organization = $parameters['organization'] ?? null;
-            $parameters = array_merge($parameters, ['organization' => $user->getId()]);
-            if (null !== $organization && $user->getId() !== $organization) {
+            $parameters = array_merge($parameters, ['organization' => $currentOrganization->getId()]);
+            if (null !== $organization && $currentOrganization->getId() !== $organization) {
                 $parameters['organizationId'] = $organization;
             }
         }
diff --git a/src/Controller/Organization/AssetType/AssetTypeEditController.php b/src/Controller/Organization/AssetType/AssetTypeEditController.php
index 8ccbf967..5033fdbb 100644
--- a/src/Controller/Organization/AssetType/AssetTypeEditController.php
+++ b/src/Controller/Organization/AssetType/AssetTypeEditController.php
@@ -15,16 +15,13 @@
 
 /**
  * @Route("/new", name="app_organization_assetType_new", methods={"GET", "POST"})
- * @Route("/{id<\d+>}/edit", name="app_organization_assetType_edit", methods={"GET", "POST"})
- * @Security("is_granted('ROLE_PARENT_ORGANIZATION')")
+ * @Route("/{assetType<\d+>}/edit", name="app_organization_assetType_edit", methods={"GET", "POST"})
+ * @Security("organization.isParent() and (null === assetType or is_granted('ROLE_PARENT_ORGANIZATION', assetType.organization))")
  */
 class AssetTypeEditController extends AbstractOrganizationController
 {
-    public function __invoke(Request $request, ?AssetType $assetType): Response
+    public function __invoke(Request $request, Organization $organization, ?AssetType $assetType): Response
     {
-        /** @var Organization $organization */
-        $organization = $this->getUser();
-
         if (null === $assetType) {
             $assetType = new AssetType();
             $assetType->organization = $organization;
@@ -47,6 +44,7 @@ public function __invoke(Request $request, ?AssetType $assetType): Response
         return $this->render('organization/assetType/edit.html.twig', [
             'persistedKeys' => $persistedKeys,
             'form' => $form->createView(),
+            'organization' => $organization,
         ]);
     }
 }
diff --git a/src/Controller/Organization/AssetType/AssetTypeListController.php b/src/Controller/Organization/AssetType/AssetTypeListController.php
index 0334f4f6..c8f880a9 100644
--- a/src/Controller/Organization/AssetType/AssetTypeListController.php
+++ b/src/Controller/Organization/AssetType/AssetTypeListController.php
@@ -13,7 +13,7 @@
 
 /**
  * @Route(name="app_organization_assetType_list", methods={"GET"})
- * @Security("is_granted('ROLE_PARENT_ORGANIZATION')")
+ * @Security("organization.isParent()")
  */
 class AssetTypeListController extends AbstractController
 {
@@ -24,13 +24,11 @@ public function __construct(AssetTypeRepository $assetTypeRepository)
         $this->assetTypeRepository = $assetTypeRepository;
     }
 
-    public function __invoke(): Response
+    public function __invoke(Organization $organization): Response
     {
-        /** @var Organization $organization */
-        $organization = $this->getUser();
-
         return $this->render('organization/assetType/list.html.twig', [
             'assetTypes' => $this->assetTypeRepository->findByOrganization($organization),
+            'organization' => $organization,
         ]);
     }
 }
diff --git a/src/Controller/Organization/Children/EditController.php b/src/Controller/Organization/Children/EditController.php
index 36e1d196..816bb2f7 100644
--- a/src/Controller/Organization/Children/EditController.php
+++ b/src/Controller/Organization/Children/EditController.php
@@ -7,28 +7,27 @@
 use App\Controller\Organization\AbstractOrganizationController;
 use App\Entity\Organization;
 use App\Form\Type\OrganizationType;
-use App\Security\Voter\OrganizationVoter;
-use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
 
 /**
- * @Route("/{object<\d+>}/edit", name="app_organization_edit", methods={"GET", "POST"})
- * @IsGranted(OrganizationVoter::CAN_MANAGE, subject="object")
+ * @Route("/{organizationToEdit<\d+>}/edit", name="app_organization_edit", methods={"GET", "POST"})
+ * @Security("organization.isParent() and !organizationToEdit.isParent() and is_granted('ROLE_PARENT_ORGANIZATION', organizationToEdit)")
  */
 class EditController extends AbstractOrganizationController
 {
-    public function __invoke(Request $request, Organization $object): Response
+    public function __invoke(Request $request, Organization $organizationToEdit): Response
     {
-        $form = $this->createForm(OrganizationType::class, $object);
+        $form = $this->createForm(OrganizationType::class, $organizationToEdit);
         $form->handleRequest($request);
 
         if ($form->isSubmitted() && $form->isValid()) {
             $flashMessage = 'La structure a été mise à jour avec succès.';
 
             $entityManager = $this->getDoctrine()->getManager();
-            $entityManager->persist($object);
+            $entityManager->persist($organizationToEdit);
             $entityManager->flush();
 
             $this->addFlash('success', $flashMessage);
@@ -39,7 +38,7 @@ public function __invoke(Request $request, Organization $object): Response
         return $this->render(
             'organization/edit.html.twig',
             [
-                'organization' => $object,
+                'organization' => $organizationToEdit,
                 'form' => $form->createView(),
             ]
         )->setStatusCode($form->isSubmitted() ? Response::HTTP_BAD_REQUEST : Response::HTTP_OK);
diff --git a/src/Controller/Organization/Children/ListController.php b/src/Controller/Organization/Children/ListController.php
index 8a7f95f6..9c164536 100644
--- a/src/Controller/Organization/Children/ListController.php
+++ b/src/Controller/Organization/Children/ListController.php
@@ -5,35 +5,21 @@
 namespace App\Controller\Organization\Children;
 
 use App\Entity\Organization;
-use App\Repository\OrganizationRepository;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
-use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 /**
  * @Route(name="app_organization_list", methods={"GET"})
+ * @Security("organization.isParent()")
  */
 class ListController extends AbstractController
 {
-    protected OrganizationRepository $organizationRepository;
-
-    public function __construct(OrganizationRepository $organizationRepository)
-    {
-        $this->organizationRepository = $organizationRepository;
-    }
-
-    public function __invoke(): Response
+    public function __invoke(Organization $organization): Response
     {
-        $organization = $this->getUser();
-        if (!$organization instanceof Organization || !$organization->isParent()) {
-            throw new AccessDeniedException();
-        }
-
-        $organizations = $this->organizationRepository->findBy(['parent' => $organization], ['name' => 'ASC']);
-
         return $this->render('organization/list.html.twig', [
-            'organizations' => $organizations,
+            'organization' => $organization,
         ]);
     }
 }
diff --git a/src/Controller/Organization/Children/NewController.php b/src/Controller/Organization/Children/NewController.php
index e6d5e57e..c73b507c 100644
--- a/src/Controller/Organization/Children/NewController.php
+++ b/src/Controller/Organization/Children/NewController.php
@@ -7,32 +7,28 @@
 use App\Controller\Organization\AbstractOrganizationController;
 use App\Entity\Organization;
 use App\Form\Type\OrganizationType;
-use App\Security\Voter\OrganizationVoter;
-use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
 
 /**
  * @Route("/new", name="app_organization_new", methods={"GET", "POST"})
- * @IsGranted(OrganizationVoter::CAN_CREATE)
+ * @Security("organization.isParent()")
  */
 class NewController extends AbstractOrganizationController
 {
-    public function __invoke(Request $request): Response
+    public function __invoke(Request $request, Organization $organization): Response
     {
-        /** @var Organization $currentOrganization */
-        $currentOrganization = $this->getUser();
+        $child = new Organization();
+        $child->parent = $organization;
 
-        $organization = new Organization();
-        $organization->parent = $currentOrganization;
-
-        $form = $this->createForm(OrganizationType::class, $organization);
+        $form = $this->createForm(OrganizationType::class, $child);
         $form->handleRequest($request);
 
         if ($form->isSubmitted() && $form->isValid()) {
             $entityManager = $this->getDoctrine()->getManager();
-            $entityManager->persist($organization);
+            $entityManager->persist($child);
             $entityManager->flush();
 
             $this->addFlash('success', 'La structure a été ajoutée avec succès.');
@@ -43,7 +39,7 @@ public function __invoke(Request $request): Response
         return $this->render(
             'organization/edit.html.twig',
             [
-                'organization' => $organization,
+                'organization' => $child,
                 'form' => $form->createView(),
             ]
         )->setStatusCode($form->isSubmitted() ? Response::HTTP_BAD_REQUEST : Response::HTTP_OK);
diff --git a/src/Controller/Organization/CommissionableAsset/AssetAddController.php b/src/Controller/Organization/CommissionableAsset/AssetAddController.php
index 4093c514..d7f219b8 100644
--- a/src/Controller/Organization/CommissionableAsset/AssetAddController.php
+++ b/src/Controller/Organization/CommissionableAsset/AssetAddController.php
@@ -9,8 +9,7 @@
 use App\Entity\Organization;
 use App\Form\Type\CommissionableAssetType;
 use App\Repository\AssetTypeRepository;
-use App\Security\Voter\OrganizationVoter;
-use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
@@ -18,7 +17,7 @@
 
 /**
  * @Route("/add", name="app_organization_asset_add", methods={"GET", "POST"})
- * @IsGranted(OrganizationVoter::CAN_MANAGE, subject="organization")
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', organization)")
  */
 class AssetAddController extends AbstractOrganizationController
 {
@@ -33,7 +32,7 @@ public function __invoke(Request $request, Organization $organization): Response
     {
         $assetType = null;
         if ($request->query->has('type')) {
-            $assetType = $this->assetTypeRepository->findByOrganizationAndId($organization, (int) $request->query->get('type'));
+            $assetType = $this->assetTypeRepository->findByOrganizationAndId($organization, $request->query->getInt('type'));
         }
 
         if (null === $assetType) {
diff --git a/src/Controller/Organization/CommissionableAsset/AssetDeleteController.php b/src/Controller/Organization/CommissionableAsset/AssetDeleteController.php
index 14675c4c..a2d7b7b6 100644
--- a/src/Controller/Organization/CommissionableAsset/AssetDeleteController.php
+++ b/src/Controller/Organization/CommissionableAsset/AssetDeleteController.php
@@ -7,15 +7,14 @@
 use App\Controller\Organization\AbstractOrganizationController;
 use App\Entity\CommissionableAsset;
 use App\Repository\CommissionableAssetAvailabilityRepository;
-use App\Security\Voter\CommissionableAssetVoter;
 use Doctrine\ORM\EntityManagerInterface;
-use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\Routing\Annotation\Route;
 
 /**
  * @Route("/{asset<\d+>}/delete", name="app_organization_asset_delete", methods={"GET"})
- * @IsGranted(CommissionableAssetVoter::CAN_EDIT, subject="asset")
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', asset.organization)")
  */
 class AssetDeleteController extends AbstractOrganizationController
 {
diff --git a/src/Controller/Organization/CommissionableAsset/AssetEditController.php b/src/Controller/Organization/CommissionableAsset/AssetEditController.php
index fe964c71..9ac0d488 100644
--- a/src/Controller/Organization/CommissionableAsset/AssetEditController.php
+++ b/src/Controller/Organization/CommissionableAsset/AssetEditController.php
@@ -7,15 +7,14 @@
 use App\Controller\Organization\AbstractOrganizationController;
 use App\Entity\CommissionableAsset;
 use App\Form\Type\CommissionableAssetType;
-use App\Security\Voter\CommissionableAssetVoter;
-use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
 
 /**
  * @Route("/{asset<\d+>}/edit", name="app_organization_asset_edit", methods={"GET", "POST"})
- * @IsGranted(CommissionableAssetVoter::CAN_EDIT, subject="asset")
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', asset.organization)")
  */
 class AssetEditController extends AbstractOrganizationController
 {
diff --git a/src/Controller/Organization/CommissionableAsset/AssetShowModalController.php b/src/Controller/Organization/CommissionableAsset/AssetShowModalController.php
index b8308240..7de28640 100644
--- a/src/Controller/Organization/CommissionableAsset/AssetShowModalController.php
+++ b/src/Controller/Organization/CommissionableAsset/AssetShowModalController.php
@@ -5,17 +5,21 @@
 namespace App\Controller\Organization\CommissionableAsset;
 
 use App\Entity\CommissionableAsset;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
 
 /**
  * @Route("/{asset<\d+>}/modal", name="app_organization_asset_show_modal", methods={"GET", "POST"})
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', asset.organization)")
  */
 class AssetShowModalController extends AbstractController
 {
     public function __invoke(CommissionableAsset $asset): Response
     {
-        return $this->render('organization/commissionable_asset/show-modal-content.html.twig', ['asset' => $asset]);
+        return $this->render('organization/commissionable_asset/show-modal-content.html.twig', [
+            'asset' => $asset,
+        ]);
     }
 }
diff --git a/src/Controller/Organization/CommissionableAsset/AssetsListController.php b/src/Controller/Organization/CommissionableAsset/AssetsListController.php
index 97c74c50..073800e2 100644
--- a/src/Controller/Organization/CommissionableAsset/AssetsListController.php
+++ b/src/Controller/Organization/CommissionableAsset/AssetsListController.php
@@ -7,8 +7,7 @@
 use App\Entity\Organization;
 use App\Form\Factory\OrganizationSelectorFormFactory;
 use App\Repository\CommissionableAssetRepository;
-use App\Security\Voter\OrganizationVoter;
-use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -16,7 +15,7 @@
 
 /**
  * @Route(name="app_organization_assets", methods={"GET"})
- * @IsGranted(OrganizationVoter::CAN_MANAGE, subject="organization")
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', organization)")
  */
 class AssetsListController extends AbstractController
 {
@@ -29,11 +28,8 @@ public function __construct(CommissionableAssetRepository $assetRepository, Orga
         $this->organizationSelectorFormFactory = $organizationSelectorFormFactory;
     }
 
-    public function __invoke(Request $request, Organization $organization): Response
+    public function __invoke(Request $request, Organization $organization, Organization $currentOrganization): Response
     {
-        /** @var Organization $currentOrganization */
-        $currentOrganization = $this->getUser();
-
         return $this->render(
             'organization/commissionable_asset/list.html.twig',
             [
diff --git a/src/Controller/Organization/CommissionableAsset/AvailabilityController.php b/src/Controller/Organization/CommissionableAsset/AvailabilityController.php
index 4a44a483..28cad1ad 100644
--- a/src/Controller/Organization/CommissionableAsset/AvailabilityController.php
+++ b/src/Controller/Organization/CommissionableAsset/AvailabilityController.php
@@ -12,12 +12,14 @@
 use App\Form\Type\AvailabilitiesDomainType;
 use App\Repository\CommissionableAssetAvailabilityRepository;
 use Doctrine\ORM\EntityManagerInterface;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
 
 /**
  * @Route("/{asset<\d+>}/availability/{week<\d{4}-W\d{2}>?}", name="app_organization_asset_availability", methods={"GET", "POST"})
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', asset.organization)")
  */
 final class AvailabilityController extends AbstractOrganizationController
 {
diff --git a/src/Controller/Organization/CommissionableAsset/AvailabilityMissionsFindController.php b/src/Controller/Organization/CommissionableAsset/AvailabilityMissionsFindController.php
index 38489100..305a0ce1 100644
--- a/src/Controller/Organization/CommissionableAsset/AvailabilityMissionsFindController.php
+++ b/src/Controller/Organization/CommissionableAsset/AvailabilityMissionsFindController.php
@@ -7,6 +7,7 @@
 use App\Controller\User\Availability\UserAvailabityControllerTrait;
 use App\Entity\CommissionableAsset;
 use App\Repository\MissionRepository;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
@@ -16,6 +17,7 @@
 /**
  * @Route("/{asset<\d+>}/availability/missions", name="app_organization_asset_availability_missions", methods={"GET"})
  * @Route("/{asset<\d+>}/availability/{week<\d{4}-W\d{2}>?}/missions", name="app_organization_asset_availability_missions_week", methods={"GET"})
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', asset.organization)")
  */
 class AvailabilityMissionsFindController extends AbstractController
 {
diff --git a/src/Controller/Organization/CommissionableAsset/PreAddAssetController.php b/src/Controller/Organization/CommissionableAsset/PreAddAssetController.php
index 24bef18a..25675af4 100644
--- a/src/Controller/Organization/CommissionableAsset/PreAddAssetController.php
+++ b/src/Controller/Organization/CommissionableAsset/PreAddAssetController.php
@@ -6,15 +6,14 @@
 
 use App\Entity\Organization;
 use App\Form\Type\PreAddAssetType;
-use App\Security\Voter\OrganizationVoter;
-use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
 
 /**
  * @Route("/preAdd", name="app_organization_commissionable_pre_add_asset", methods={"GET"})
- * @IsGranted(OrganizationVoter::CAN_MANAGE, subject="organization")
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', organization)")
  */
 class PreAddAssetController extends AbstractController
 {
@@ -22,7 +21,7 @@ public function __invoke(Organization $organization): Response
     {
         $form = $this->createForm(
             PreAddAssetType::class,
-            ['organizationId' => $organization->getId()],
+            ['organizationId' => $organization->id],
             ['organization' => $organization]
         )->createView();
 
diff --git a/src/Controller/Organization/DashboardController.php b/src/Controller/Organization/DashboardController.php
index 62634ae0..5f053e4d 100644
--- a/src/Controller/Organization/DashboardController.php
+++ b/src/Controller/Organization/DashboardController.php
@@ -4,19 +4,22 @@
 
 namespace App\Controller\Organization;
 
+use App\Entity\Organization;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
 
 /**
- * {organization} parameter is useless for the moment, but will be useful in ticket https://github.com/crf-devs/resop/issues/338
- *
  * @Route("/{organization<\d+>}", name="app_organization_dashboard", methods={"GET"})
+ * @Security("is_granted('ROLE_ORGANIZATION', organization)")
  */
 final class DashboardController extends AbstractController
 {
-    public function __invoke(): Response
+    public function __invoke(Organization $organization): Response
     {
-        return $this->render('organization/home.html.twig');
+        return $this->render('organization/home.html.twig', [
+            'organization' => $organization,
+        ]);
     }
 }
diff --git a/src/Controller/Organization/Forecast/PlanningForecastController.php b/src/Controller/Organization/Forecast/PlanningForecastController.php
index 2cad5241..5343edea 100644
--- a/src/Controller/Organization/Forecast/PlanningForecastController.php
+++ b/src/Controller/Organization/Forecast/PlanningForecastController.php
@@ -6,6 +6,7 @@
 
 use App\Domain\MissionTypeForecastDomain;
 use App\Domain\PlanningDomain;
+use App\Entity\Organization;
 use App\Form\Type\PlanningForecastType;
 use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
@@ -15,7 +16,7 @@
 
 /**
  * @Route(name="app_organization_forecast", methods={"GET"})
- * @Security("is_granted('ROLE_PARENT_ORGANIZATION')")
+ * @Security("organization.isParent()")
  */
 class PlanningForecastController extends AbstractController
 {
@@ -28,10 +29,10 @@ public function __construct(PlanningDomain $planningDomain, MissionTypeForecastD
         $this->missionTypeForecastDomain = $missionTypeForecastDomain;
     }
 
-    public function __invoke(Request $request): Response
+    public function __invoke(Request $request, Organization $organization): Response
     {
-        $form = $this->planningDomain->generateForm(PlanningForecastType::class);
-        $filters = $this->planningDomain->generateFilters($form);
+        $form = $this->planningDomain->generateForm($organization, PlanningForecastType::class);
+        $filters = $this->planningDomain->generateFilters($form, $organization);
 
         return $this->render('organization/forecast/forecast.html.twig', [
             'filters' => $filters,
diff --git a/src/Controller/Organization/IndexController.php b/src/Controller/Organization/IndexController.php
deleted file mode 100644
index 36a5a05a..00000000
--- a/src/Controller/Organization/IndexController.php
+++ /dev/null
@@ -1,19 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Controller\Organization;
-
-use Symfony\Component\HttpFoundation\Response;
-use Symfony\Component\Routing\Annotation\Route;
-
-/**
- * @Route(name="app_organization_index", methods={"GET"})
- */
-final class IndexController extends AbstractOrganizationController
-{
-    public function __invoke(): Response
-    {
-        return $this->redirectToRoute('app_organization_dashboard');
-    }
-}
diff --git a/src/Controller/Organization/Mission/AddUserAjaxController.php b/src/Controller/Organization/Mission/AddUserAjaxController.php
index fb1d314c..78cc03b1 100644
--- a/src/Controller/Organization/Mission/AddUserAjaxController.php
+++ b/src/Controller/Organization/Mission/AddUserAjaxController.php
@@ -6,6 +6,7 @@
 
 use App\Entity\Mission;
 use App\Entity\User;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Response;
@@ -13,6 +14,7 @@
 
 /**
  * @Route("/{mission<\d+>}/users/add/{userToAdd<\d+>}", name="app_organization_mission_add_user", methods={"POST"})
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', mission.organization)")
  */
 class AddUserAjaxController extends AbstractController
 {
diff --git a/src/Controller/Organization/Mission/MissionController.php b/src/Controller/Organization/Mission/MissionController.php
index cbad0e11..1924e2f2 100644
--- a/src/Controller/Organization/Mission/MissionController.php
+++ b/src/Controller/Organization/Mission/MissionController.php
@@ -21,7 +21,6 @@
 
 /**
  * @Route("/")
- * @Security("is_granted('ROLE_PARENT_ORGANIZATION')")
  */
 class MissionController extends AbstractOrganizationController
 {
@@ -36,10 +35,11 @@ public function __construct(MissionRepository $missionRepository, PlanningDomain
 
     /**
      * @Route(name="app_organization_mission_index", methods={"GET"})
+     * @Security("is_granted('ROLE_PARENT_ORGANIZATION', organization)")
      */
-    public function index(): Response
+    public function index(Organization $organization): Response
     {
-        $form = $this->planningDomain->generateForm(MissionsSearchType::class);
+        $form = $this->planningDomain->generateForm($organization, MissionsSearchType::class);
         $filters = $form->getData();
 
         return $this->render('organization/mission/index.html.twig', [
@@ -51,10 +51,11 @@ public function index(): Response
 
     /**
      * @Route("/full", name="app_organization_mission_full_list", methods={"GET"})
+     * @Security("is_granted('ROLE_PARENT_ORGANIZATION', organization)")
      */
-    public function fullList(): Response
+    public function fullList(Organization $organization): Response
     {
-        $form = $this->planningDomain->generateForm(MissionsSearchType::class);
+        $form = $this->planningDomain->generateForm($organization, MissionsSearchType::class);
         $filters = $form->getData();
 
         return $this->render('organization/mission/list_full.html.twig', [
@@ -66,10 +67,11 @@ public function fullList(): Response
 
     /**
      * @Route("/full/export", name="app_organization_mission_full_list_export", methods={"GET"})
+     * @Security("is_granted('ROLE_PARENT_ORGANIZATION', organization)")
      */
-    public function fullListExport(MissionDomain $missionDomain): Response
+    public function fullListExport(Organization $organization, MissionDomain $missionDomain): Response
     {
-        $form = $this->planningDomain->generateForm(MissionsSearchType::class);
+        $form = $this->planningDomain->generateForm($organization, MissionsSearchType::class);
         $filters = $form->getData();
         $query = $this->missionRepository->findByFiltersQb($filters)->getQuery();
         $em = $this->getDoctrine()->getManager();
@@ -109,12 +111,10 @@ public function fullListExport(MissionDomain $missionDomain): Response
 
     /**
      * @Route("/new", name="app_organization_mission_new", methods={"GET","POST"})
+     * @Security("is_granted('ROLE_PARENT_ORGANIZATION', organization)")
      */
-    public function new(Request $request): Response
+    public function new(Request $request, Organization $organization): Response
     {
-        /** @var Organization $organization */
-        $organization = $this->getUser();
-
         $mission = new Mission();
         $mission->organization = $organization;
         $form = $this->createForm(MissionType::class, $mission);
@@ -136,7 +136,7 @@ public function new(Request $request): Response
 
     /**
      * @Route("/{id<\d+>}", name="app_organization_mission_show", methods={"GET"})
-     * @Security("mission.organization == user")
+     * @Security("is_granted('ROLE_PARENT_ORGANIZATION', mission.organization)")
      */
     public function show(Mission $mission): Response
     {
@@ -147,7 +147,7 @@ public function show(Mission $mission): Response
 
     /**
      * @Route("/{id<\d+>}/edit", name="app_organization_mission_edit", methods={"GET","POST"})
-     * @Security("mission.organization == user")
+     * @Security("is_granted('ROLE_PARENT_ORGANIZATION', mission.organization)")
      */
     public function edit(Request $request, Mission $mission): Response
     {
@@ -168,7 +168,7 @@ public function edit(Request $request, Mission $mission): Response
 
     /**
      * @Route("/{id<\d+>}/delete", name="app_organization_mission_delete", methods={"GET"})
-     * @Security("mission.organization == user")
+     * @Security("is_granted('ROLE_PARENT_ORGANIZATION', mission.organization)")
      */
     public function delete(Mission $mission): RedirectResponse
     {
diff --git a/src/Controller/Organization/Mission/MissionModalController.php b/src/Controller/Organization/Mission/MissionModalController.php
index 335810fc..057db7a1 100644
--- a/src/Controller/Organization/Mission/MissionModalController.php
+++ b/src/Controller/Organization/Mission/MissionModalController.php
@@ -5,19 +5,23 @@
 namespace App\Controller\Organization\Mission;
 
 use App\Entity\Mission;
+use App\Entity\Organization;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
 
 /**
- * @Route("/{id<\d+>}/modal", name="app_organization_mission_modal", methods={"GET"}, options={"expose"=true})
+ * @Route("/{mission<\d+>}/modal", name="app_organization_mission_modal", methods={"GET"}, options={"expose"=true})
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', organization)")
  */
 class MissionModalController extends AbstractController
 {
-    public function __invoke(Mission $mission): Response
+    public function __invoke(Organization $organization, Mission $mission): Response
     {
         return $this->render('organization/mission/show-modal-content.html.twig', [
             'mission' => $mission,
+            'organization' => $organization,
         ]);
     }
 }
diff --git a/src/Controller/Organization/Mission/MissionsFindByFiltersController.php b/src/Controller/Organization/Mission/MissionsFindByFiltersController.php
index 6eb57c05..2a3547b0 100644
--- a/src/Controller/Organization/Mission/MissionsFindByFiltersController.php
+++ b/src/Controller/Organization/Mission/MissionsFindByFiltersController.php
@@ -5,13 +5,16 @@
 namespace App\Controller\Organization\Mission;
 
 use App\Domain\PlanningDomain;
+use App\Entity\Organization;
 use App\Repository\MissionRepository;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\Routing\Annotation\Route;
 use Symfony\Component\Serializer\SerializerInterface;
 
 /**
  * @Route("/find", name="app_organization_mission_find_by_filters", methods={"GET"}, options={"expose"=true})
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', organization)")
  */
 class MissionsFindByFiltersController
 {
@@ -26,10 +29,10 @@ public function __construct(PlanningDomain $planningDomain, MissionRepository $m
         $this->serializer = $serializer;
     }
 
-    public function __invoke(): JsonResponse
+    public function __invoke(Organization $organization): JsonResponse
     {
-        $form = $this->planningDomain->generateForm();
-        $filters = $this->planningDomain->generateFilters($form);
+        $form = $this->planningDomain->generateForm($organization);
+        $filters = $this->planningDomain->generateFilters($form, $organization);
 
         $data = $this->missionRepository->findByPlanningFilters($filters, $this->planningDomain->getAvailableResources($filters, true));
 
diff --git a/src/Controller/Organization/MissionType/MissionTypeController.php b/src/Controller/Organization/MissionType/MissionTypeController.php
index d35b1944..da140152 100644
--- a/src/Controller/Organization/MissionType/MissionTypeController.php
+++ b/src/Controller/Organization/MissionType/MissionTypeController.php
@@ -16,7 +16,6 @@
 
 /**
  * @Route("/")
- * @Security("is_granted('ROLE_PARENT_ORGANIZATION')")
  */
 class MissionTypeController extends AbstractOrganizationController
 {
@@ -29,11 +28,10 @@ public function __construct(MissionTypeRepository $missionTypeRepository)
 
     /**
      * @Route(name="app_organization_mission_type_index", methods={"GET"})
+     * @Security("is_granted('ROLE_PARENT_ORGANIZATION', organization)")
      */
-    public function index(): Response
+    public function index(Organization $organization): Response
     {
-        /** @var Organization $organization */
-        $organization = $this->getUser();
         $missionTypes = $this->missionTypeRepository->findByOrganization($organization);
 
         return $this->render('organization/mission_type/index.html.twig', [
@@ -43,12 +41,10 @@ public function index(): Response
 
     /**
      * @Route("/new", name="app_organization_mission_type_new", methods={"GET","POST"})
+     * @Security("is_granted('ROLE_PARENT_ORGANIZATION', organization)")
      */
-    public function new(Request $request): Response
+    public function new(Request $request, Organization $organization): Response
     {
-        /** @var Organization $organization */
-        $organization = $this->getUser();
-
         $missionType = new MissionType();
         $missionType->organization = $organization;
         $form = $this->createForm(MissionTypeType::class, $missionType);
@@ -70,7 +66,7 @@ public function new(Request $request): Response
 
     /**
      * @Route("/{id}/edit", name="app_organization_mission_type_edit", methods={"GET","POST"})
-     * @Security("missionType.organization == user")
+     * @Security("is_granted('ROLE_PARENT_ORGANIZATION', missionType.organization)")
      */
     public function edit(Request $request, MissionType $missionType): Response
     {
diff --git a/src/Controller/Organization/MissionType/MissionTypeDeleteController.php b/src/Controller/Organization/MissionType/MissionTypeDeleteController.php
index 9648ee0a..4c389200 100644
--- a/src/Controller/Organization/MissionType/MissionTypeDeleteController.php
+++ b/src/Controller/Organization/MissionType/MissionTypeDeleteController.php
@@ -14,7 +14,7 @@
 
 /**
  * @Route("/{id}/delete", name="app_organization_mission_type_delete", methods={"GET"})
- * @Security("missionType.organization == user")
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', missionType.organization)")
  */
 class MissionTypeDeleteController extends AbstractOrganizationController
 {
diff --git a/src/Controller/Organization/Planning/PlanningCheckLastUpdateController.php b/src/Controller/Organization/Planning/PlanningCheckLastUpdateController.php
index ba9e82e8..eb9e2789 100644
--- a/src/Controller/Organization/Planning/PlanningCheckLastUpdateController.php
+++ b/src/Controller/Organization/Planning/PlanningCheckLastUpdateController.php
@@ -5,12 +5,15 @@
 namespace App\Controller\Organization\Planning;
 
 use App\Domain\PlanningDomain;
+use App\Entity\Organization;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Routing\Annotation\Route;
 
 /**
  * @Route("/last-update", name="app_organization_planning_last_update", methods={"GET"})
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', organization)")
  */
 class PlanningCheckLastUpdateController
 {
@@ -21,10 +24,10 @@ public function __construct(PlanningDomain $planningDomain)
         $this->planningDomain = $planningDomain;
     }
 
-    public function __invoke(Request $request): JsonResponse
+    public function __invoke(Request $request, Organization $currentOrganization): JsonResponse
     {
-        $form = $this->planningDomain->generateForm();
-        $filters = $this->planningDomain->generateFilters($form);
+        $form = $this->planningDomain->generateForm($currentOrganization);
+        $filters = $this->planningDomain->generateFilters($form, $currentOrganization);
 
         return new JsonResponse($this->planningDomain->generateLastUpdateAndCount($filters));
     }
diff --git a/src/Controller/Organization/Planning/PlanningController.php b/src/Controller/Organization/Planning/PlanningController.php
index d6d6b208..419817e1 100644
--- a/src/Controller/Organization/Planning/PlanningController.php
+++ b/src/Controller/Organization/Planning/PlanningController.php
@@ -10,6 +10,7 @@
 use App\Entity\Organization;
 use App\Repository\AssetTypeRepository;
 use Psr\Cache\CacheItemPoolInterface;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\Cache\CacheItem;
 use Symfony\Component\HttpFoundation\Request;
@@ -19,6 +20,7 @@
 
 /**
  * @Route(name="app_organization_planning", methods={"GET"})
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', organization)")
  */
 class PlanningController extends AbstractController
 {
@@ -42,13 +44,10 @@ public function __construct(
         $this->cacheTwig = $cacheTwig;
     }
 
-    public function __invoke(Request $request, string $slotInterval): Response
+    public function __invoke(Request $request, Organization $organization, string $slotInterval): Response
     {
-        /** @var Organization $organization */
-        $organization = $this->getUser();
-
-        $form = $this->planningDomain->generateForm();
-        $filters = $this->planningDomain->generateFilters($form);
+        $form = $this->planningDomain->generateForm($organization);
+        $filters = $this->planningDomain->generateFilters($form, $organization);
 
         if (!isset($filters['from'], $filters['to'])) {
             // This may happen if the passed date is invalid. TODO check it before, the format must be 2020-03-30T00:00:00
@@ -77,6 +76,7 @@ public function __invoke(Request $request, string $slotInterval): Response
 
         return $this->render('organization/planning/planning.html.twig', [
             'filters' => $filters,
+            'organization' => $organization,
             'form' => $form->createView(),
             'periodCalculator' => $periodCalculator,
             'assetsTypes' => $assetTypes,
diff --git a/src/Controller/Organization/Planning/PlanningUpdateController.php b/src/Controller/Organization/Planning/PlanningUpdateController.php
index 0a94b945..c685e894 100644
--- a/src/Controller/Organization/Planning/PlanningUpdateController.php
+++ b/src/Controller/Organization/Planning/PlanningUpdateController.php
@@ -10,15 +10,16 @@
 use App\Repository\CommissionableAssetRepository;
 use App\Repository\UserAvailabilityRepository;
 use App\Repository\UserRepository;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Routing\Annotation\Route;
-use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 /**
  * @Route("/update/{action}", name="app_organization_planning_update", methods={"POST"})
+ * @Security("organization.isParent()")
  */
 class PlanningUpdateController extends AbstractController
 {
@@ -35,13 +36,8 @@ public function __construct(UserRepository $userRepository, CommissionableAssetR
         $this->assetAvailabilityRepository = $assetAvailabilityRepository;
     }
 
-    public function __invoke(Request $request, string $action): JsonResponse
+    public function __invoke(Request $request, Organization $organization, string $action): JsonResponse
     {
-        $organization = $this->getUser();
-        if (!($organization instanceof Organization) || !empty($organization->parent)) {
-            throw new AccessDeniedException('Organization is required and must not have a parent');
-        }
-
         try {
             $json = json_decode($request->getContent(), true, 512, \JSON_THROW_ON_ERROR);
         } catch (\Exception $e) {
diff --git a/src/Controller/Organization/SearchController.php b/src/Controller/Organization/SearchController.php
index c90c597d..c5e80ddf 100644
--- a/src/Controller/Organization/SearchController.php
+++ b/src/Controller/Organization/SearchController.php
@@ -8,22 +8,19 @@
 use App\Repository\CommissionableAssetRepository;
 use App\Repository\OrganizationRepository;
 use App\Repository\UserRepository;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
 
 /**
- * {organization} parameter is useless for the moment, but will be useful in ticket https://github.com/crf-devs/resop/issues/338
- *
  * @Route("/{organization<\d+>}/search", name="app_organization_search", methods={"GET"}, requirements={"id"="\d+"})
+ * @Security("is_granted('ROLE_ORGANIZATION', organization)")
  */
 final class SearchController extends AbstractOrganizationController
 {
-    public function __invoke(Request $request, UserRepository $userRepository, CommissionableAssetRepository $commissionableAssetRepository, OrganizationRepository $organizationRepository): Response
+    public function __invoke(Request $request, Organization $organization, UserRepository $userRepository, CommissionableAssetRepository $commissionableAssetRepository, OrganizationRepository $organizationRepository): Response
     {
-        /** @var Organization $organization */
-        $organization = $this->getUser();
-
         /** @var string $query */
         $query = preg_replace('/\s+/', ' ', trim((string) $request->query->get('query')));
         if (empty($query)) {
@@ -31,6 +28,7 @@ public function __invoke(Request $request, UserRepository $userRepository, Commi
         }
 
         return $this->render('organization/search.html.twig', [
+            'organization' => $organization,
             'query' => $query,
             'users' => $userRepository->search($organization, $query),
             'assets' => $commissionableAssetRepository->search($organization, $query),
diff --git a/src/Controller/Organization/Security/LoginController.php b/src/Controller/Organization/Security/LoginController.php
deleted file mode 100644
index 17777955..00000000
--- a/src/Controller/Organization/Security/LoginController.php
+++ /dev/null
@@ -1,47 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Controller\Organization\Security;
-
-use App\Controller\Organization\AbstractOrganizationController;
-use App\Entity\Organization;
-use App\Entity\User;
-use App\Repository\OrganizationRepository;
-use Symfony\Component\HttpFoundation\Response;
-use Symfony\Component\Routing\Annotation\Route;
-use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;
-
-/**
- * @Route("/login", name="app_organization_login")
- */
-final class LoginController extends AbstractOrganizationController
-{
-    private AuthenticationUtils $authenticationUtils;
-    private OrganizationRepository $organizationRepository;
-
-    public function __construct(AuthenticationUtils $authenticationUtils, OrganizationRepository $organizationRepository)
-    {
-        $this->authenticationUtils = $authenticationUtils;
-        $this->organizationRepository = $organizationRepository;
-    }
-
-    public function __invoke(): Response
-    {
-        /** @var Organization|User|null $user */
-        $user = $this->getUser();
-        if (\is_object($user)) {
-            if ($user instanceof User) {
-                return $this->redirectToRoute('app_user_home');
-            }
-
-            return $this->redirectToRoute('app_organization_dashboard', ['organization' => $user->getId()]);
-        }
-
-        return $this->render('organization/login.html.twig', [
-            'organizations' => $this->organizationRepository->loadActiveOrganizations(),
-            'last_username' => $this->authenticationUtils->getLastUsername(),
-            'error' => $this->authenticationUtils->getLastAuthenticationError(),
-        ]);
-    }
-}
diff --git a/src/Controller/Organization/Security/LogoutController.php b/src/Controller/Organization/Security/LogoutController.php
deleted file mode 100644
index 77b6be24..00000000
--- a/src/Controller/Organization/Security/LogoutController.php
+++ /dev/null
@@ -1,20 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Controller\Organization\Security;
-
-use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
-use Symfony\Component\HttpFoundation\Response;
-use Symfony\Component\Routing\Annotation\Route;
-
-/**
- * @Route("/logout", name="app_organization_logout")
- */
-final class LogoutController extends AbstractController
-{
-    public function __invoke(): Response
-    {
-        throw new \LogicException('This method can be blank - it will be intercepted by the logout key on your firewall.');
-    }
-}
diff --git a/src/Controller/Organization/User/AddToMissionModalController.php b/src/Controller/Organization/User/AddToMissionModalController.php
index 0a6bda1a..fad1be62 100644
--- a/src/Controller/Organization/User/AddToMissionModalController.php
+++ b/src/Controller/Organization/User/AddToMissionModalController.php
@@ -5,15 +5,18 @@
 namespace App\Controller\Organization\User;
 
 use App\Domain\PlanningDomain;
+use App\Entity\Organization;
 use App\Entity\User;
 use App\Form\Type\MissionsSearchType;
 use App\Repository\MissionRepository;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
 
 /**
- * @Route("/{userToAdd<\d+>}/missions/add/modal", name="app_organization_user_add_to_mission_modal", methods={"GET"})
+ * @Route("/{item<\d+>}/missions/add/modal", name="app_organization_user_add_to_mission_modal", methods={"GET"})
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', item.organization)")
  */
 class AddToMissionModalController extends AbstractController
 {
@@ -26,13 +29,13 @@ public function __construct(PlanningDomain $planningDomain, MissionRepository $m
         $this->missionRepository = $missionRepository;
     }
 
-    public function __invoke(User $userToAdd): Response
+    public function __invoke(User $item, Organization $organization): Response
     {
-        $form = $this->planningDomain->generateForm(MissionsSearchType::class);
+        $form = $this->planningDomain->generateForm($organization, MissionsSearchType::class);
         $filters = $form->getData();
 
         return $this->render('organization/mission/add-to-mission-modal-content.html.twig', [
-            'userToAdd' => $userToAdd,
+            'userToAdd' => $item,
             'filters' => $filters,
             'form' => $form->createView(),
             'missions' => $this->missionRepository->findByFilters($filters),
diff --git a/src/Controller/Organization/User/PromoteRevokeController.php b/src/Controller/Organization/User/PromoteRevokeController.php
new file mode 100644
index 00000000..a98fc0a5
--- /dev/null
+++ b/src/Controller/Organization/User/PromoteRevokeController.php
@@ -0,0 +1,39 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\Organization\User;
+
+use App\Controller\Organization\AbstractOrganizationController;
+use App\Entity\Organization;
+use App\Entity\User;
+use Doctrine\ORM\EntityManager;
+use Doctrine\ORM\EntityManagerInterface;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\Annotation\Route;
+
+/**
+ * @Route("/{item<\d+>}/promote", name="app_organization_user_promote", methods={"GET"}, defaults={"promote"=true})
+ * @Route("/{item<\d+>}/revoke", name="app_organization_user_revoke", methods={"GET"}, defaults={"promote"=false})
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', item.organization) and user !== item")
+ */
+class PromoteRevokeController extends AbstractOrganizationController
+{
+    /**
+     * @param EntityManager $entityManager
+     */
+    public function __invoke(EntityManagerInterface $entityManager, Organization $organization, User $item, bool $promote): Response
+    {
+        if ($promote) {
+            $item->addManagedOrganization($organization);
+            $this->addFlash('success', sprintf('L\'utilisateur "%s" a été promu administrateur de "%s" avec succès.', $item->getFullName(), $organization->getName()));
+        } else {
+            $item->removeManagedOrganization($organization);
+            $this->addFlash('success', sprintf('Le privilège d\'administrateur pour la structure "%s" de "%s" a été révoquée avec succès.', $organization->getName(), $item->getFullName()));
+        }
+        $entityManager->flush();
+
+        return $this->redirectToRoute('app_organization_user_list', ['organization' => $item->getNotNullOrganization()->id]);
+    }
+}
diff --git a/src/Controller/Organization/User/UserDeleteController.php b/src/Controller/Organization/User/UserDeleteController.php
index 1cf2f643..c6aaafaa 100644
--- a/src/Controller/Organization/User/UserDeleteController.php
+++ b/src/Controller/Organization/User/UserDeleteController.php
@@ -7,15 +7,14 @@
 use App\Controller\Organization\AbstractOrganizationController;
 use App\Entity\User;
 use App\Repository\UserAvailabilityRepository;
-use App\Security\Voter\UserVoter;
 use Doctrine\ORM\EntityManagerInterface;
-use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\Routing\Annotation\Route;
 
 /**
- * @Route("/{userToDelete<\d+>}/delete", name="app_organization_user_delete", methods={"GET"})
- * @IsGranted(UserVoter::CAN_EDIT, subject="userToDelete")
+ * @Route("/{item<\d+>}/delete", name="app_organization_user_delete", methods={"GET"})
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', item.organization)")
  */
 class UserDeleteController extends AbstractOrganizationController
 {
@@ -26,16 +25,16 @@ public function __construct(UserAvailabilityRepository $userAvailabilityReposito
         $this->userAvailabilityRepository = $userAvailabilityRepository;
     }
 
-    public function __invoke(EntityManagerInterface $entityManager, User $userToDelete): RedirectResponse
+    public function __invoke(EntityManagerInterface $entityManager, User $item): RedirectResponse
     {
         $entityManager->beginTransaction();
-        $this->userAvailabilityRepository->deleteByOwner($userToDelete);
-        $entityManager->remove($userToDelete);
+        $this->userAvailabilityRepository->deleteByOwner($item);
+        $entityManager->remove($item);
         $entityManager->flush();
         $entityManager->commit();
 
         $this->addFlash('success', 'Le bénévole a été supprimé avec succès.');
 
-        return $this->redirectToRoute('app_organization_user_list', ['organization' => $userToDelete->getNotNullOrganization()->id]);
+        return $this->redirectToRoute('app_organization_user_list', ['organization' => $item->getNotNullOrganization()->id]);
     }
 }
diff --git a/src/Controller/Organization/User/UserEditController.php b/src/Controller/Organization/User/UserEditController.php
index 1a41fb02..6597887c 100644
--- a/src/Controller/Organization/User/UserEditController.php
+++ b/src/Controller/Organization/User/UserEditController.php
@@ -7,36 +7,35 @@
 use App\Controller\Organization\AbstractOrganizationController;
 use App\Entity\User;
 use App\Form\Type\UserType;
-use App\Security\Voter\UserVoter;
-use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
 
 /**
- * @Route("/{userToEdit<\d+>}/edit", name="app_organization_user_edit", methods={"GET", "POST"})
- * @IsGranted(UserVoter::CAN_EDIT, subject="userToEdit")
+ * @Route("/{item<\d+>}/edit", name="app_organization_user_edit", methods={"GET", "POST"})
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', item.organization)")
  */
 class UserEditController extends AbstractOrganizationController
 {
-    public function __invoke(Request $request, User $userToEdit): Response
+    public function __invoke(Request $request, User $item): Response
     {
         $form = $this
-            ->createForm(UserType::class, $userToEdit, ['display_type' => UserType::DISPLAY_ORGANIZATION])
+            ->createForm(UserType::class, $item, ['display_type' => UserType::DISPLAY_ORGANIZATION])
             ->handleRequest($request);
 
         if ($form->isSubmitted() && $form->isValid()) {
             $entityManager = $this->getDoctrine()->getManager();
-            $entityManager->persist($userToEdit);
+            $entityManager->persist($item);
             $entityManager->flush();
 
             $this->addFlash('success', 'Les informations ont été mises à jour avec succès.');
 
-            return $this->redirectToRoute('app_organization_user_list', ['organization' => $userToEdit->getNotNullOrganization()->id]);
+            return $this->redirectToRoute('app_organization_user_list', ['organization' => $item->getNotNullOrganization()->id]);
         }
 
         return $this->render('organization/user/edit.html.twig', [
-            'user' => $userToEdit,
+            'user' => $item,
             'form' => $form->createView(),
         ])->setStatusCode($form->isSubmitted() ? Response::HTTP_BAD_REQUEST : Response::HTTP_OK);
     }
diff --git a/src/Controller/Organization/User/UserListController.php b/src/Controller/Organization/User/UserListController.php
index ee3057d2..ada3e4b8 100644
--- a/src/Controller/Organization/User/UserListController.php
+++ b/src/Controller/Organization/User/UserListController.php
@@ -8,8 +8,7 @@
 use App\Form\Factory\OrganizationSelectorFormFactory;
 use App\Repository\OrganizationRepository;
 use App\Repository\UserRepository;
-use App\Security\Voter\OrganizationVoter;
-use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -17,7 +16,7 @@
 
 /**
  * @Route(name="app_organization_user_list", methods={"GET"})
- * @IsGranted(OrganizationVoter::CAN_MANAGE, subject="organization")
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', organization)")
  */
 class UserListController extends AbstractController
 {
@@ -32,11 +31,8 @@ public function __construct(OrganizationRepository $organizationRepository, User
         $this->organizationSelectorFormFactory = $organizationSelectorFormFactory;
     }
 
-    public function __invoke(Request $request, Organization $organization): Response
+    public function __invoke(Request $request, Organization $organization, Organization $currentOrganization): Response
     {
-        /** @var Organization $currentOrganization */
-        $currentOrganization = $this->getUser();
-
         return $this->render(
             'organization/user/list.html.twig',
             [
diff --git a/src/Controller/Organization/User/UserMissionsListController.php b/src/Controller/Organization/User/UserMissionsListController.php
index 65cb41f8..924e2084 100644
--- a/src/Controller/Organization/User/UserMissionsListController.php
+++ b/src/Controller/Organization/User/UserMissionsListController.php
@@ -5,12 +5,14 @@
 namespace App\Controller\Organization\User;
 
 use App\Entity\User;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
 
 /**
  * @Route("/{item<\d+>}/missions", name="app_organization_user_missions_list", methods={"GET"})
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', user.organization)")
  */
 class UserMissionsListController extends AbstractController
 {
diff --git a/src/Controller/Organization/User/UserShowModalController.php b/src/Controller/Organization/User/UserShowModalController.php
index 69414a0b..fc5635d6 100644
--- a/src/Controller/Organization/User/UserShowModalController.php
+++ b/src/Controller/Organization/User/UserShowModalController.php
@@ -5,19 +5,21 @@
 namespace App\Controller\Organization\User;
 
 use App\Entity\User;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
 
 /**
- * @Route("/{userToShow<\d+>}/modal", name="app_organization_user_show_modal", methods={"GET"})
+ * @Route("/{item<\d+>}/modal", name="app_organization_user_show_modal", methods={"GET"})
+ * @Security("is_granted('ROLE_PARENT_ORGANIZATION', item.organization)")
  */
 class UserShowModalController extends AbstractController
 {
-    public function __invoke(User $userToShow): Response
+    public function __invoke(User $item): Response
     {
         return $this->render('organization/user/show-modal-content.html.twig', [
-            'user' => $userToShow,
+            'user' => $item,
         ]);
     }
 }
diff --git a/src/Controller/User/Account/CreateAccountController.php b/src/Controller/User/Account/CreateAccountController.php
index a2b4520c..eea7fc8a 100644
--- a/src/Controller/User/Account/CreateAccountController.php
+++ b/src/Controller/User/Account/CreateAccountController.php
@@ -6,6 +6,7 @@
 
 use App\Entity\User;
 use App\Form\Type\UserType;
+use App\Repository\UserRepository;
 use App\Security\UserAutomaticLoginHandler;
 use App\Security\UserLoginFormAuthenticator;
 use Doctrine\ORM\EntityManagerInterface;
@@ -23,15 +24,18 @@ final class CreateAccountController extends AbstractController
     private AuthenticationUtils $authenticationUtils;
     private EntityManagerInterface $entityManager;
     private UserAutomaticLoginHandler $automaticLoginHandler;
+    private UserRepository $userRepository;
 
     public function __construct(
         AuthenticationUtils $authenticationUtils,
         EntityManagerInterface $entityManager,
-        UserAutomaticLoginHandler $automaticLoginHandler
+        UserAutomaticLoginHandler $automaticLoginHandler,
+        UserRepository $userRepository
     ) {
         $this->authenticationUtils = $authenticationUtils;
         $this->entityManager = $entityManager;
         $this->automaticLoginHandler = $automaticLoginHandler;
+        $this->userRepository = $userRepository;
     }
 
     public function __invoke(Request $request): Response
@@ -46,12 +50,13 @@ public function __invoke(Request $request): Response
         $bdate = $request->getSession()->get(UserLoginFormAuthenticator::SECURITY_LAST_BIRTHDAY);
         if (!empty($bdate)) {
             $request->getSession()->remove(UserLoginFormAuthenticator::SECURITY_LAST_BIRTHDAY);
-            $user->setBirthday($bdate);
+            $user->birthday = $bdate;
         }
 
         $form = $this->createForm(UserType::class, $user)->handleRequest($request);
 
         if ($form->isSubmitted() && $form->isValid()) {
+            $this->userRepository->addUserRoles($user);
             $this->entityManager->persist($user);
             $this->entityManager->flush();
 
diff --git a/src/Controller/User/Account/EditAccountController.php b/src/Controller/User/Account/EditAccountController.php
index 720468de..3fb7aa22 100644
--- a/src/Controller/User/Account/EditAccountController.php
+++ b/src/Controller/User/Account/EditAccountController.php
@@ -26,12 +26,9 @@ public function __construct(EntityManagerInterface $entityManager)
 
     public function __invoke(Request $request): Response
     {
+        /** @var User $user */
         $user = $this->getUser();
 
-        if (!$user instanceof User) {
-            throw $this->createAccessDeniedException();
-        }
-
         $form = $this->createForm(UserType::class, $user)->handleRequest($request);
 
         if ($form->isSubmitted() && $form->isValid()) {
diff --git a/src/Controller/User/Account/PasswordController.php b/src/Controller/User/Account/PasswordController.php
new file mode 100644
index 00000000..b56aa8fe
--- /dev/null
+++ b/src/Controller/User/Account/PasswordController.php
@@ -0,0 +1,55 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\User\Account;
+
+use App\Entity\User;
+use App\Form\Type\UserPasswordType;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\Annotation\Route;
+use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
+
+/**
+ * @Route("/user/password", name="app_user_password", methods={"GET", "POST"})
+ */
+final class PasswordController extends AbstractController
+{
+    private EntityManagerInterface $entityManager;
+    private UserPasswordEncoderInterface $encoder;
+
+    public function __construct(EntityManagerInterface $entityManager, UserPasswordEncoderInterface $encoder)
+    {
+        $this->entityManager = $entityManager;
+        $this->encoder = $encoder;
+    }
+
+    public function __invoke(Request $request): Response
+    {
+        /** @var User $user */
+        $user = $this->getUser();
+
+        $form = $this->createForm(UserPasswordType::class, $user)->handleRequest($request);
+
+        if ($form->isSubmitted() && $form->isValid()) {
+            /** @var string $plainPassword */
+            $plainPassword = $user->plainPassword;
+            $user->setPassword($this->encoder->encodePassword($user, $plainPassword));
+            $user->eraseCredentials();
+
+            $this->entityManager->persist($user);
+            $this->entityManager->flush();
+
+            $this->addFlash('success', 'Votre mot de passe a été mis à jour avec succès.');
+
+            return $this->redirectToRoute('app_user_home');
+        }
+
+        return $this->render('user/password-form.html.twig', [
+            'form' => $form->createView(),
+        ])->setStatusCode($form->isSubmitted() ? Response::HTTP_BAD_REQUEST : Response::HTTP_OK);
+    }
+}
diff --git a/src/Controller/User/Availability/ManageAvailabilityController.php b/src/Controller/User/Availability/ManageAvailabilityController.php
index 3b45cdf3..fb408f7a 100644
--- a/src/Controller/User/Availability/ManageAvailabilityController.php
+++ b/src/Controller/User/Availability/ManageAvailabilityController.php
@@ -35,12 +35,8 @@ public function __construct(
 
     public function __invoke(Request $request, string $slotInterval): Response
     {
+        /** @var User $user */
         $user = $this->getUser();
-
-        if (!$user instanceof User) {
-            throw $this->createAccessDeniedException();
-        }
-
         [$start, $end] = $this->getDatesByWeek($request->attributes->get('week'));
 
         $blockedSlotsInterval = new \DateInterval('PT12H');
diff --git a/src/Controller/User/Availability/MissionModalController.php b/src/Controller/User/Availability/MissionModalController.php
index a7219941..d05c8ef6 100644
--- a/src/Controller/User/Availability/MissionModalController.php
+++ b/src/Controller/User/Availability/MissionModalController.php
@@ -11,7 +11,7 @@
 use Symfony\Component\Routing\Annotation\Route;
 
 /**
- * @Route("/user/availability/missions/{id<\d+>}/modal", name="app_user_availability_mission_modal", methods={"GET"}, options={"expose"=true})
+ * @Route("/user/availability/missions/{mission<\d+>}/modal", name="app_user_availability_mission_modal", methods={"GET"}, options={"expose"=true})
  * @Security("mission.users.contains(user)")
  */
 class MissionModalController extends AbstractController
diff --git a/src/Controller/User/Availability/MissionsFindController.php b/src/Controller/User/Availability/MissionsFindController.php
index 7e713071..2857125a 100644
--- a/src/Controller/User/Availability/MissionsFindController.php
+++ b/src/Controller/User/Availability/MissionsFindController.php
@@ -31,11 +31,8 @@ public function __construct(MissionRepository $missionRepository, SerializerInte
 
     public function __invoke(Request $request): JsonResponse
     {
+        /** @var User $user */
         $user = $this->getUser();
-        if (!$user instanceof User) {
-            throw $this->createAccessDeniedException();
-        }
-
         [$start, $end] = $this->getDatesByWeek($request->attributes->get('week'));
 
         $data = $this->missionRepository->findByPlanningFilters(['from' => $start, 'to' => $end], [[(int) $user->getId()], []]);
diff --git a/src/Controller/User/Security/LoginController.php b/src/Controller/User/Security/LoginController.php
index b63d6314..a8a025cd 100644
--- a/src/Controller/User/Security/LoginController.php
+++ b/src/Controller/User/Security/LoginController.php
@@ -4,7 +4,6 @@
 
 namespace App\Controller\User\Security;
 
-use App\Entity\Organization;
 use App\Entity\User;
 use App\Form\Type\UserLoginType;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
@@ -27,14 +26,10 @@ public function __construct(AuthenticationUtils $authenticationUtils)
 
     public function __invoke(Session $session): Response
     {
-        /** @var Organization|User|null $user */
+        /** @var User|null $user */
         $user = $this->getUser();
         if (\is_object($user)) {
-            if ($user instanceof User) {
-                return $this->redirectToRoute('app_user_home');
-            }
-
-            return $this->redirectToRoute('app_organization_dashboard', ['organization' => $user->getId()]);
+            return $this->redirectToRoute('app_user_home');
         }
 
         $loginForm = $this->createForm(UserLoginType::class, [
diff --git a/src/Controller/User/Security/ResetPasswordController.php b/src/Controller/User/Security/ResetPasswordController.php
new file mode 100644
index 00000000..eb2194ac
--- /dev/null
+++ b/src/Controller/User/Security/ResetPasswordController.php
@@ -0,0 +1,201 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller\User\Security;
+
+use App\Entity\User;
+use App\Form\Type\ChangePasswordFormType;
+use App\Form\Type\ResetPasswordRequestFormType;
+use Symfony\Bridge\Twig\Mime\TemplatedEmail;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Mailer\MailerInterface;
+use Symfony\Component\Mime\Address;
+use Symfony\Component\Routing\Annotation\Route;
+use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
+use Symfony\Contracts\Translation\TranslatorInterface;
+use SymfonyCasts\Bundle\ResetPassword\Controller\ResetPasswordControllerTrait;
+use SymfonyCasts\Bundle\ResetPassword\Exception\ExpiredResetPasswordTokenException;
+use SymfonyCasts\Bundle\ResetPassword\Exception\InvalidResetPasswordTokenException;
+use SymfonyCasts\Bundle\ResetPassword\Exception\ResetPasswordExceptionInterface;
+use SymfonyCasts\Bundle\ResetPassword\Exception\TooManyPasswordRequestsException;
+use SymfonyCasts\Bundle\ResetPassword\ResetPasswordHelperInterface;
+
+/**
+ * @Route("/reset-password")
+ */
+final class ResetPasswordController extends AbstractController
+{
+    use ResetPasswordControllerTrait;
+
+    private ResetPasswordHelperInterface $resetPasswordHelper;
+    private TranslatorInterface $translator;
+
+    public function __construct(ResetPasswordHelperInterface $resetPasswordHelper, TranslatorInterface $translator)
+    {
+        $this->resetPasswordHelper = $resetPasswordHelper;
+        $this->translator = $translator;
+    }
+
+    /**
+     * Display & process form to request a password reset.
+     *
+     * @Route("", name="app_forgot_password_request")
+     */
+    public function request(Request $request, MailerInterface $mailer): Response
+    {
+        if ($this->getUser() instanceof User) {
+            return $this->redirectToRoute('app_user_home');
+        }
+
+        $form = $this->createForm(ResetPasswordRequestFormType::class);
+        $form->handleRequest($request);
+
+        if ($form->isSubmitted() && $form->isValid()) {
+            return $this->processSendingPasswordResetEmail(
+                $form->get('emailAddress')->getData(),
+                $mailer
+            );
+        }
+
+        return $this->render('reset_password/request.html.twig', [
+            'form' => $form->createView(),
+        ]);
+    }
+
+    /**
+     * Confirmation page after a user has requested a password reset.
+     *
+     * @Route("/check-email", name="app_check_email")
+     */
+    public function checkEmail(): Response
+    {
+        if ($this->getUser() instanceof User) {
+            return $this->redirectToRoute('app_user_home');
+        }
+
+        // We prevent users from directly accessing this page
+        if (!$this->canCheckEmail()) {
+            return $this->redirectToRoute('app_forgot_password_request');
+        }
+
+        return $this->render('reset_password/check_email.html.twig', [
+            'tokenLifetime' => $this->resetPasswordHelper->getTokenLifetime(),
+        ]);
+    }
+
+    /**
+     * Validates and process the reset URL that the user clicked in their email.
+     *
+     * @Route("/reset/{token}", name="app_reset_password")
+     */
+    public function reset(Request $request, UserPasswordEncoderInterface $passwordEncoder, string $token = null): Response
+    {
+        if ($this->getUser() instanceof User) {
+            return $this->redirectToRoute('app_user_home');
+        }
+
+        if ($token) {
+            // We store the token in session and remove it from the URL, to avoid the URL being
+            // loaded in a browser and potentially leaking the token to 3rd party JavaScript.
+            $this->storeTokenInSession($token);
+
+            return $this->redirectToRoute('app_reset_password');
+        }
+
+        $token = $this->getTokenFromSession();
+        if (null === $token) {
+            throw $this->createNotFoundException('No reset password token found in the URL or in the session.');
+        }
+
+        try {
+            /** @var User $user */
+            $user = $this->resetPasswordHelper->validateTokenAndFetchUser($token);
+        } catch (ExpiredResetPasswordTokenException $e) {
+            $this->addFlash('error', $this->translator->trans('user.resetPassword.expired'));
+
+            return $this->redirectToRoute('app_forgot_password_request');
+        } catch (InvalidResetPasswordTokenException $e) {
+            $this->addFlash('error', $this->translator->trans('user.resetPassword.expired'));
+
+            return $this->redirectToRoute('app_forgot_password_request');
+        } catch (ResetPasswordExceptionInterface $e) {
+            $this->addFlash('error', $e->getReason());
+
+            return $this->redirectToRoute('app_forgot_password_request');
+        }
+
+        // The token is valid; allow the user to change their password.
+        $form = $this->createForm(ChangePasswordFormType::class);
+        $form->handleRequest($request);
+
+        if ($form->isSubmitted() && $form->isValid()) {
+            // A password reset token should be used only once, remove it.
+            $this->resetPasswordHelper->removeResetRequest($token);
+
+            // Encode the plain password, and set it.
+            $encodedPassword = $passwordEncoder->encodePassword(
+                $user,
+                $form->get('plainPassword')->getData()
+            );
+
+            $user->setPassword($encodedPassword);
+            $this->getDoctrine()->getManager()->flush();
+
+            // The session is cleaned up after the password has been changed.
+            $this->cleanSessionAfterReset();
+            $this->addFlash('success', $this->translator->trans('user.resetPassword.sucess'));
+
+            return $this->redirectToRoute('app_login');
+        }
+
+        return $this->render('reset_password/reset.html.twig', [
+            'resetForm' => $form->createView(),
+        ]);
+    }
+
+    private function processSendingPasswordResetEmail(string $emailFormData, MailerInterface $mailer): RedirectResponse
+    {
+        $user = $this->getDoctrine()->getRepository(User::class)->findOneBy([
+            'emailAddress' => $emailFormData,
+        ]);
+
+        // Marks that you are allowed to see the app_check_email page.
+        $this->setCanCheckEmailInSession();
+
+        // Do not reveal whether a user account was found or not.
+        if (!$user) {
+            return $this->redirectToRoute('app_check_email');
+        }
+
+        try {
+            $resetToken = $this->resetPasswordHelper->generateResetToken($user);
+        } catch (TooManyPasswordRequestsException $e) {
+            $this->addFlash('error', $this->translator->trans('user.resetPassword.tooMany'));
+
+            return $this->redirectToRoute('app_forgot_password_request');
+        } catch (ResetPasswordExceptionInterface $e) {
+            $this->addFlash('error', $e->getReason());
+
+            return $this->redirectToRoute('app_forgot_password_request');
+        }
+
+        $email = (new TemplatedEmail())
+            ->from(new Address($this->translator->trans('project.emailSender'), $this->translator->trans('project.name')))
+            ->to($user->getEmailAddress())
+            ->subject($this->translator->trans('user.passwordForgotten.title'))
+            ->htmlTemplate('reset_password/email.html.twig')
+            ->context([
+                'resetToken' => $resetToken,
+                'tokenLifetime' => $this->resetPasswordHelper->getTokenLifetime(),
+            ])
+        ;
+
+        $mailer->send($email);
+
+        return $this->redirectToRoute('app_check_email');
+    }
+}
diff --git a/src/DataFixtures/ApplicationFixtures.php b/src/DataFixtures/ApplicationFixtures.php
index c6a3ceb7..40970732 100644
--- a/src/DataFixtures/ApplicationFixtures.php
+++ b/src/DataFixtures/ApplicationFixtures.php
@@ -20,7 +20,6 @@
 use Doctrine\ORM\EntityManagerInterface;
 use Doctrine\Persistence\ObjectManager;
 use libphonenumber\PhoneNumberUtil;
-use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
 use Symfony\Component\Validator\Validator\ValidatorInterface;
 
 final class ApplicationFixtures extends Fixture
@@ -36,6 +35,10 @@ final class ApplicationFixtures extends Fixture
     private const PERCENT_ASSET_AVAILABLE = 0.30;
     private const PERCENT_ASSET_PARTIALLY_AVAILABLE = 0.30;
 
+    private const USER_TYPE = 'user';
+    private const ADMIN_TYPE = 'admin';
+    private const SUPER_ADMIN_TYPE = 'super_admin';
+
     private const ORGANIZATIONS = [
         'DT75' => [
             'UL 01-02',
@@ -82,8 +85,6 @@ final class ApplicationFixtures extends Fixture
 
     private ValidatorInterface $validator;
 
-    private EncoderFactoryInterface $encoders;
-
     /** @var Organization[] */
     private array $organizations = [];
 
@@ -111,17 +112,15 @@ final class ApplicationFixtures extends Fixture
     private PhoneNumberUtil $phoneNumberUtil;
 
     public function __construct(
-        EncoderFactoryInterface $encoders,
         ValidatorInterface $validator,
         SkillSetDomain $skillSetDomain,
         SlotBookingGuesser $slotBookingGuesser,
         SlotAvailabilityGuesser $slotAvailabilityGuesser,
         PhoneNumberUtil $phoneNumberUtil,
         string $slotInterval,
-        int $nbUsers = null,
-        int $nbAvailabilities = null
+        int $nbUsers = 15,
+        ?int $nbAvailabilities = null
     ) {
-        $this->encoders = $encoders;
         $this->validator = $validator;
         $this->skillSetDomain = $skillSetDomain;
         $this->nbUsers = $nbUsers ?: random_int(10, 20);
@@ -246,16 +245,11 @@ private function loadMissionTypes(ObjectManager $manager): void
 
     private function loadOrganizations(ObjectManager $manager): void
     {
-        // Yield same password for all organizations.
-        // Password generation can be expensive and time consuming.
-        $encoder = $this->encoders->getEncoder(Organization::class);
-        $password = $encoder->encodePassword('covid19', null);
-
         foreach (self::ORGANIZATIONS as $parentName => $organizations) {
-            $this->addOrganization($this->makeOrganization($parentName, $password));
+            $this->addOrganization($this->makeOrganization($parentName));
 
             foreach ($organizations as $name) {
-                $this->addOrganization($this->makeOrganization($name, $password, $this->organizations[$parentName]));
+                $this->addOrganization($this->makeOrganization($name, $this->organizations[$parentName]));
             }
         }
 
@@ -306,41 +300,62 @@ private function loadCommissionableAssets(ObjectManager $manager): void
         $manager->flush();
     }
 
-    private function loadUsers(ObjectManager $manager): void
+    private function createUser(int $organizationUserNumber, Organization $organization = null, string $type = self::USER_TYPE): User
     {
-        $startIdNumber = 990000;
+        $organizationId = $organization ? $organization->getId() : 0;
         $firstNames = ['Audrey', 'Arnaud', 'Bastien', 'Beatrice', 'Benoit', 'Camille', 'Claire', 'Hugo', 'Fabien', 'Florian', 'Francis', 'Lilia', 'Lisa', 'Marie', 'Marine', 'Mathias', 'Mathieu', 'Michel', 'Nassim', 'Nathalie', 'Olivier', 'Pierre', 'Philippe', 'Sybille', 'Thomas', 'Tristan'];
         $lastNames = ['Bryant', 'Butler', 'Curry', 'Davis', 'Doncic', 'Durant', 'Embiid', 'Fournier', 'Grant', 'Gobert', 'Harden', 'Irving', 'James', 'Johnson', 'Jordan', 'Lilliard', 'Morant', 'Noah', 'Oneal', 'Parker', 'Pippen', 'Skywalker', 'Thompson', 'Westbrook'];
-        $occupations = ['Pharmacien', 'Pompier', 'Ambulancier.e', 'Logisticien', 'Infirmier.e'];
-
-        $x = 1;
+        $occupations = [null, 'Pharmacien', 'Pompier', 'Ambulancier.e', 'Logisticien', 'Infirmier.e'];
+        $organizationOcccupations = [null, 'Secouriste', 'DLUS', 'DLAS'];
         $availableSkillSet = $this->skillSetDomain->getSkillSet();
+
+        $user = new User();
+        $user->id = $organizationId * 100 + $organizationUserNumber;
+        $user->firstName = $firstNames[array_rand($firstNames)];
+        $user->lastName = $lastNames[array_rand($lastNames)];
+        $user->organization = $organization;
+
+        // e.g. 990001A
+        $user->setIdentificationNumber($user->id.'A');
+        $user->setEmailAddress($type.$user->id.'@resop.com');
+        $user->phoneNumber = $this->phoneNumberUtil->parse('0102030405', 'FR');
+        $user->birthday = '1990-01-01';
+        $user->properties = [
+            'organizationOccupation' => $organizationOcccupations[array_rand($organizationOcccupations)],
+            'fullyEquipped' => (bool) random_int(0, 1),
+            'drivingLicence' => (bool) random_int(0, 1),
+            'vulnerable' => (bool) random_int(0, 1),
+            'occupation' => $occupations[array_rand($occupations)],
+        ];
+        $user->skillSet = (array) array_rand($availableSkillSet, random_int(1, 3));
+
+        if (self::ADMIN_TYPE === $type || self::SUPER_ADMIN_TYPE === $type) {
+            // Set encoded password directly for performances on fixtures loading
+            // Plain password is: covid19
+            $user->password = '$argon2id$v=19$m=65536,t=4,p=1$cEjk39WnLC+QRVJfNI5nmw$eM0J3UZ75hwFJRGQmph2OiBGRzJU6/NGVWcj0j+WVYw';
+
+            if (null !== $organization) {
+                $user->addManagedOrganization($organization);
+            }
+        }
+
+        return $user;
+    }
+
+    private function loadUsers(ObjectManager $manager): void
+    {
+        $user = $this->createUser(1, null, self::SUPER_ADMIN_TYPE);
+        $user->roles[] = 'ROLE_SUPER_ADMIN';
+        $this->validateAndPersist($manager, $user);
+
         foreach ($this->organizations as $organization) {
-            for ($i = 0; $i < $this->nbUsers; ++$i) {
-                $user = new User();
-                $user->id = $i + 1;
-                $user->firstName = $firstNames[array_rand($firstNames)];
-                $user->lastName = $lastNames[array_rand($lastNames)];
-                $user->organization = $organization;
-
-                // e.g. 990001A
-                $user->setIdentificationNumber(str_pad(''.++$startIdNumber.'', 10, '0', \STR_PAD_LEFT).'A');
-                $user->setEmailAddress('user'.$x.'@resop.com');
-                $user->phoneNumber = $this->phoneNumberUtil->parse('0102030405', 'FR');
-                $user->birthday = '1990-01-01';
-                $user->properties = [
-                    'organizationOccupation' => 'Secouriste',
-                    'fullyEquipped' => (bool) random_int(0, 1),
-                    'drivingLicence' => (bool) random_int(0, 1),
-                    'vulnerable' => (bool) random_int(0, 1),
-                    'occupation' => $occupations[array_rand($occupations)],
-                ];
-                $user->skillSet = (array) array_rand($availableSkillSet, random_int(1, 3));
+            $user = $this->createUser(1, $organization, self::ADMIN_TYPE);
+            $this->validateAndPersist($manager, $user);
 
+            for ($i = 0; $i < $this->nbUsers; ++$i) {
+                $user = $this->createUser($i + 2, $organization);
                 $this->users[$organization->getParentOrganization()->id][] = $user;
-
                 $this->validateAndPersist($manager, $user);
-                ++$x;
             }
         }
 
@@ -538,16 +553,12 @@ private function closeInterval(\DateTimeImmutable $dateTime): \DateTimeInterface
         return $dateTime->add(\DateInterval::createFromDateString($this->slotInterval));
     }
 
-    private function makeOrganization(string $name, string $password = null, Organization $parent = null): Organization
+    private function makeOrganization(string $name, Organization $parent = null): Organization
     {
         $organization = new Organization();
         $organization->name = $name;
         $organization->parent = $parent;
 
-        if ($password) {
-            $organization->password = $password;
-        }
-
         return $organization;
     }
 
diff --git a/src/DataFixtures/Faker/Provider/DateTimeProvider.php b/src/DataFixtures/Faker/Provider/DateTimeProvider.php
new file mode 100644
index 00000000..82c9cda4
--- /dev/null
+++ b/src/DataFixtures/Faker/Provider/DateTimeProvider.php
@@ -0,0 +1,13 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\DataFixtures\Faker\Provider;
+
+class DateTimeProvider
+{
+    public function dateTimeImmutable(string $time): \DateTimeImmutable
+    {
+        return new \DateTimeImmutable($time);
+    }
+}
diff --git a/src/Domain/PlanningDomain.php b/src/Domain/PlanningDomain.php
index dbcf6b83..69b62374 100644
--- a/src/Domain/PlanningDomain.php
+++ b/src/Domain/PlanningDomain.php
@@ -18,6 +18,7 @@
 use App\Repository\UserRepository;
 use Symfony\Component\Form\FormFactoryInterface;
 use Symfony\Component\Form\FormInterface;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
 use Symfony\Component\Security\Core\Security;
 
@@ -58,28 +59,18 @@ public function __construct(
         $this->missionTypeRepository = $missionTypeRepository;
     }
 
-    public function generateForm(string $formType = PlanningSearchType::class): FormInterface
+    public function generateForm(Organization $organization, string $formType = PlanningSearchType::class): FormInterface
     {
-        $organization = $this->security->getUser();
+        /** @var Request $request */
         $request = $this->requestStack->getCurrentRequest();
-
-        if (!$organization instanceof Organization) {
-            throw new \LogicException();
-        }
-
         $form = $this->formFactory->createNamed('', $formType, ['organization' => $organization], ['method' => 'GET', 'attr' => ['autocomplete' => 'off']]);
         $form->handleRequest($request);
 
         return $form;
     }
 
-    public function generateFilters(FormInterface $form): array
+    public function generateFilters(FormInterface $form, Organization $organization): array
     {
-        $organization = $this->security->getUser();
-        if (!$organization instanceof Organization) {
-            throw new \LogicException('Bad user type');
-        }
-
         $filters = $form->getData();
 
         // $filters['organizations'] is an ArrayCollection
diff --git a/src/Entity/Organization.php b/src/Entity/Organization.php
index 8b7f6287..b924376b 100644
--- a/src/Entity/Organization.php
+++ b/src/Entity/Organization.php
@@ -4,7 +4,6 @@
 
 namespace App\Entity;
 
-use App\EntityListener\UserPasswordEntityListener;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection;
 use Doctrine\ORM\Mapping as ORM;
@@ -18,9 +17,8 @@
  *   }
  * )
  * @ORM\Entity(repositoryClass="App\Repository\OrganizationRepository")
- * @ORM\EntityListeners({UserPasswordEntityListener::class})
  */
-class Organization implements UserPasswordInterface, UserSerializableInterface
+class Organization
 {
     /**
      * @ORM\Id
@@ -36,16 +34,6 @@ class Organization implements UserPasswordInterface, UserSerializableInterface
      */
     public string $name = '';
 
-    /**
-     * @ORM\Column(nullable=true)
-     */
-    public ?string $password = null;
-
-    /**
-     * Not persisted in database, used to encode password.
-     */
-    public ?string $plainPassword = null;
-
     /**
      * @ORM\ManyToOne(targetEntity="App\Entity\Organization", inversedBy="children")
      */
@@ -53,12 +41,19 @@ class Organization implements UserPasswordInterface, UserSerializableInterface
 
     /**
      * @ORM\OneToMany(targetEntity="App\Entity\Organization", mappedBy="parent", fetch="EXTRA_LAZY")
+     * @ORM\OrderBy({"name"="ASC"})
      */
     public Collection $children;
 
+    /**
+     * @ORM\ManyToMany(targetEntity="App\Entity\User", mappedBy="managedOrganizations")
+     */
+    public Collection $admins;
+
     public function __construct()
     {
         $this->children = new ArrayCollection();
+        $this->admins = new ArrayCollection();
     }
 
     public function __toString(): string
@@ -70,14 +65,6 @@ public function __toString(): string
         return $this->name;
     }
 
-    public function userSerialize(): array
-    {
-        return [
-            'id' => $this->id,
-            'name' => $this->__toString(),
-        ];
-    }
-
     public function getId(): int
     {
         if (null === $this->id) {
@@ -87,41 +74,6 @@ public function getId(): int
         return $this->id;
     }
 
-    public function getRoles(): array
-    {
-        $roles = ['ROLE_ORGANIZATION'];
-
-        if ($this->isParent()) {
-            $roles[] = 'ROLE_PARENT_ORGANIZATION';
-        }
-
-        return $roles;
-    }
-
-    public function getPlainPassword(): ?string
-    {
-        return $this->plainPassword;
-    }
-
-    public function getPassword(): ?string
-    {
-        return $this->password;
-    }
-
-    public function getSalt(): ?string
-    {
-        return null;
-    }
-
-    public function getUsername(): string
-    {
-        return $this->name;
-    }
-
-    public function eraseCredentials(): void
-    {
-    }
-
     public function getName(): string
     {
         return $this->name;
@@ -173,8 +125,24 @@ public function removeChild(self $organization): void
         $this->children->removeElement($organization);
     }
 
-    public function setPassword(?string $password): void
+    /**
+     * @return Collection|User[]
+     */
+    public function getAdmins(): Collection
+    {
+        return $this->admins;
+    }
+
+    public function addAdmin(User $admin): void
+    {
+        if (!$this->admins->contains($admin)) {
+            $this->admins[] = $admin;
+            $admin->addManagedOrganization($this);
+        }
+    }
+
+    public function removeAdmin(User $admin): void
     {
-        $this->password = $password;
+        $this->admins->removeElement($admin);
     }
 }
diff --git a/src/Entity/ResetPasswordRequest.php b/src/Entity/ResetPasswordRequest.php
new file mode 100644
index 00000000..2a34e687
--- /dev/null
+++ b/src/Entity/ResetPasswordRequest.php
@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Entity;
+
+use Doctrine\ORM\Mapping as ORM;
+use SymfonyCasts\Bundle\ResetPassword\Model\ResetPasswordRequestInterface;
+use SymfonyCasts\Bundle\ResetPassword\Model\ResetPasswordRequestTrait;
+
+/**
+ * @ORM\Entity(repositoryClass="App\Repository\ResetPasswordRequestRepository")
+ */
+class ResetPasswordRequest implements ResetPasswordRequestInterface
+{
+    use ResetPasswordRequestTrait;
+
+    /**
+     * @ORM\Id
+     * @ORM\GeneratedValue
+     * @ORM\Column(type="integer")
+     */
+    private ?int $id = null;
+
+    /**
+     * @ORM\ManyToOne(targetEntity="App\Entity\User", inversedBy="resetPasswordRequests")
+     */
+    private User $user;
+
+    public function __construct(User $user, \DateTimeInterface $expiresAt, string $selector, string $hashedToken)
+    {
+        $this->user = $user;
+        $this->initialize($expiresAt, $selector, $hashedToken);
+    }
+
+    public function getUser(): object
+    {
+        return $this->user;
+    }
+}
diff --git a/src/Entity/User.php b/src/Entity/User.php
index 8572badd..9d112773 100644
--- a/src/Entity/User.php
+++ b/src/Entity/User.php
@@ -5,11 +5,14 @@
 namespace App\Entity;
 
 use App\EntityListener\AddDependantSkillsEntityListener;
+use App\EntityListener\UserPasswordEntityListener;
+use App\Validator\Constraints\CurrentPassword;
+use Doctrine\Common\Collections\ArrayCollection;
+use Doctrine\Common\Collections\Collection;
 use Doctrine\ORM\Mapping as ORM;
 use libphonenumber\PhoneNumber;
 use Misd\PhoneNumberBundle\Validator\Constraints\PhoneNumber as AssertPhoneNumber;
 use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity;
-use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Serializer\Annotation\Groups;
 use function Symfony\Component\String\u;
 use Symfony\Component\Validator\Constraints as Assert;
@@ -26,9 +29,10 @@
  * @ORM\Entity(repositoryClass="App\Repository\UserRepository")
  * @UniqueEntity("emailAddress")
  * @UniqueEntity("identificationNumber")
- * @ORM\EntityListeners({AddDependantSkillsEntityListener::class})
+ * @CurrentPassword(groups={"Default", "user:password"})
+ * @ORM\EntityListeners({AddDependantSkillsEntityListener::class, UserPasswordEntityListener::class})
  */
-class User implements UserInterface, AvailabilitableInterface, UserSerializableInterface, \Serializable
+class User implements UserPasswordInterface, AvailabilitableInterface, UserSerializableInterface /*, \Serializable*/
 {
     public const NIVOL_FORMAT = '#^\d+[A-Z]$#';
 
@@ -41,7 +45,7 @@ class User implements UserInterface, AvailabilitableInterface, UserSerializableI
     public ?int $id = null;
 
     /**
-     * @ORM\Column
+     * @ORM\Column(unique=true)
      * @Assert\NotBlank
      * @Assert\Regex(
      *     pattern=User::NIVOL_FORMAT,
@@ -51,7 +55,7 @@ class User implements UserInterface, AvailabilitableInterface, UserSerializableI
     private string $identificationNumber = '';
 
     /**
-     * @ORM\Column
+     * @ORM\Column(unique=true)
      * @Assert\NotBlank
      * @Assert\Email
      */
@@ -86,10 +90,18 @@ class User implements UserInterface, AvailabilitableInterface, UserSerializableI
 
     /**
      * @ORM\ManyToOne(targetEntity="App\Entity\Organization", fetch="EAGER")
-     * @Assert\NotNull()
+     * @Assert\Expression("'ROLE_SUPER_ADMIN' in this.roles or value != null")
      */
     public ?Organization $organization = null;
 
+    /**
+     * Organizations whose user is admin.
+     *
+     * @ORM\ManyToMany(targetEntity="App\Entity\Organization", inversedBy="admins")
+     * @ORM\OrderBy({"name"="ASC"})
+     */
+    public Collection $managedOrganizations;
+
     /**
      * @ORM\Column(type="text[]", nullable=true)
      * @Assert\NotBlank
@@ -105,6 +117,11 @@ class User implements UserInterface, AvailabilitableInterface, UserSerializableI
      */
     private iterable $availabilities = [];
 
+    /**
+     * @ORM\OneToMany(targetEntity="App\Entity\ResetPasswordRequest", mappedBy="user", cascade={"remove"})
+     */
+    private iterable $resetPasswordRequests = []; // Used for cascade
+
     /**
      * @ORM\ManyToMany(targetEntity="App\Entity\Mission", mappedBy="users")
      */
@@ -115,6 +132,28 @@ class User implements UserInterface, AvailabilitableInterface, UserSerializableI
      */
     public array $properties = [];
 
+    /**
+     * @ORM\Column(nullable=true)
+     */
+    public ?string $password = null;
+
+    /**
+     * Not persisted in database, used to encode password.
+     *
+     * @Assert\NotBlank(groups={"user:password"})
+     */
+    public ?string $plainPassword = null;
+
+    /**
+     * Not persisted in database, used to update password.
+     */
+    public ?string $currentPassword = null;
+
+    /**
+     * @ORM\Column(type="array")
+     */
+    public array $roles = ['ROLE_USER'];
+
     public static function bootstrap(string $identifier = null): self
     {
         $user = new self();
@@ -145,6 +184,11 @@ public static function normalizeEmailAddress(string $emailAddress): string
         return u($emailAddress)->trim()->lower()->toString();
     }
 
+    public function __construct()
+    {
+        $this->managedOrganizations = new ArrayCollection();
+    }
+
     public function __toString(): string
     {
         if (null === $this->organization) {
@@ -181,6 +225,7 @@ public function serialize(): string
             $this->identificationNumber,
             $this->emailAddress,
             $this->birthday,
+            $this->password,
         ]);
     }
 
@@ -189,11 +234,13 @@ public function serialize(): string
      */
     public function unserialize($serialized): void
     {
-        list(
+        [
             $this->id,
             $this->identificationNumber,
             $this->emailAddress,
-            $this->birthday) = unserialize($serialized);
+            $this->birthday,
+            $this->password,
+        ] = unserialize($serialized, ['allowed_classes' => [__CLASS__]]);
     }
 
     public function getId(): ?int
@@ -233,12 +280,22 @@ public function getShortFullName(): string
 
     public function getRoles(): array
     {
-        return ['ROLE_USER'];
+        return $this->roles;
+    }
+
+    public function getPlainPassword(): ?string
+    {
+        return $this->plainPassword;
+    }
+
+    public function getPassword(): ?string
+    {
+        return $this->password;
     }
 
-    public function getPassword(): string
+    public function setPassword(string $password): void
     {
-        return '';
+        $this->password = $password;
     }
 
     public function getSalt(): ?string
@@ -255,18 +312,29 @@ public function eraseCredentials(): void
     {
     }
 
-    public function getBirthday(): string
+    public function getAvailabilities(): iterable
     {
-        return $this->birthday;
+        return $this->availabilities;
     }
 
-    public function setBirthday(string $birthday): void
+    /**
+     * @return Collection|Organization[]
+     */
+    public function getManagedOrganizations(): Collection
     {
-        $this->birthday = $birthday;
+        return $this->managedOrganizations;
     }
 
-    public function getAvailabilities(): iterable
+    public function addManagedOrganization(Organization $organization): void
     {
-        return $this->availabilities;
+        if (!$this->managedOrganizations->contains($organization)) {
+            $this->managedOrganizations[] = $organization;
+            $organization->addAdmin($this);
+        }
+    }
+
+    public function removeManagedOrganization(Organization $organization): void
+    {
+        $this->managedOrganizations->removeElement($organization);
     }
 }
diff --git a/src/EventListener/OrganizationListener.php b/src/EventListener/OrganizationListener.php
new file mode 100644
index 00000000..3e9be575
--- /dev/null
+++ b/src/EventListener/OrganizationListener.php
@@ -0,0 +1,67 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\EventListener;
+
+use App\Repository\OrganizationRepository;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\HttpKernel\KernelEvents;
+use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+final class OrganizationListener implements EventSubscriberInterface
+{
+    private OrganizationRepository $organizationRepository;
+    private AuthorizationCheckerInterface $authorizationChecker;
+
+    public function __construct(OrganizationRepository $organizationRepository, AuthorizationCheckerInterface $authorizationChecker)
+    {
+        $this->organizationRepository = $organizationRepository;
+        $this->authorizationChecker = $authorizationChecker;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public static function getSubscribedEvents(): array
+    {
+        return [
+            KernelEvents::REQUEST => ['onKernelRequest'],
+        ];
+    }
+
+    public function onKernelRequest(RequestEvent $event): void
+    {
+        $request = $event->getRequest();
+        if (!($route = $request->attributes->get('_route')) || !preg_match('/^app_organization_.*$/', $route)) {
+            return;
+        }
+
+        $id = $request->attributes->getInt('organization');
+        $organization = $this->organizationRepository->find($id);
+        if (!$organization) {
+            throw new NotFoundHttpException(sprintf('Organization with id "%d" not found.', $id));
+        }
+
+        if (!$this->authorizationChecker->isGranted('ROLE_ORGANIZATION', $organization)) {
+            throw new AccessDeniedException('Access denied.');
+        }
+
+        $request->attributes->set('currentOrganization', $organization);
+        $request->attributes->set('organization', $organization);
+
+        if (null === ($organizationId = $request->query->get('organizationId'))) {
+            return;
+        }
+
+        $organization = $this->organizationRepository->find($organizationId);
+        if (!$organization) {
+            throw new NotFoundHttpException(sprintf('Organization with id "%d" not found.', $organizationId));
+        }
+
+        $request->attributes->set('organization', $organization);
+    }
+}
diff --git a/src/Form/Factory/OrganizationSelectorFormFactory.php b/src/Form/Factory/OrganizationSelectorFormFactory.php
index 93eb928f..5b827a6d 100644
--- a/src/Form/Factory/OrganizationSelectorFormFactory.php
+++ b/src/Form/Factory/OrganizationSelectorFormFactory.php
@@ -18,12 +18,12 @@ public function __construct(FormFactoryInterface $formFactory)
         $this->formFactory = $formFactory;
     }
 
-    public function createForm(Organization $organization, Organization $loggedOrganization): FormInterface
+    public function createForm(Organization $organization, Organization $currentOrganization): FormInterface
     {
         return $this->formFactory->create(
             OrganizationSelectorType::class,
             ['organization' => $organization],
-            ['currentOrganization' => $loggedOrganization]
+            ['currentOrganization' => $currentOrganization]
         );
     }
 }
diff --git a/src/Form/Type/ChangePasswordFormType.php b/src/Form/Type/ChangePasswordFormType.php
new file mode 100644
index 00000000..734cd4d4
--- /dev/null
+++ b/src/Form/Type/ChangePasswordFormType.php
@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Form\Type;
+
+use Symfony\Component\Form\AbstractType;
+use Symfony\Component\Form\Extension\Core\Type\PasswordType;
+use Symfony\Component\Form\Extension\Core\Type\RepeatedType;
+use Symfony\Component\Form\FormBuilderInterface;
+use Symfony\Component\OptionsResolver\OptionsResolver;
+use Symfony\Component\Validator\Constraints\Length;
+use Symfony\Component\Validator\Constraints\NotBlank;
+
+class ChangePasswordFormType extends AbstractType
+{
+    public function buildForm(FormBuilderInterface $builder, array $options): void
+    {
+        $builder
+            ->add('plainPassword', RepeatedType::class, [
+                'type' => PasswordType::class,
+                'first_options' => [
+                    'constraints' => [
+                        new NotBlank(),
+                        new Length([
+                            // max length allowed by Symfony for security reasons
+                            'max' => 4096,
+                        ]),
+                    ],
+                    'label' => 'user.newPassword',
+                ],
+                'second_options' => [
+                    'label' => 'user.confirmNewPassword',
+                ],
+                // Instead of being set onto the object directly,
+                // this is read and encoded in the controller
+                'mapped' => false,
+            ])
+        ;
+    }
+
+    public function configureOptions(OptionsResolver $resolver): void
+    {
+        $resolver->setDefaults([]);
+    }
+}
diff --git a/src/Form/Type/MissionTypeAssetTypesType.php b/src/Form/Type/MissionTypeAssetTypesType.php
index 2d76f0ad..4cf408fc 100644
--- a/src/Form/Type/MissionTypeAssetTypesType.php
+++ b/src/Form/Type/MissionTypeAssetTypesType.php
@@ -4,28 +4,24 @@
 
 namespace App\Form\Type;
 
-use App\Entity\Organization;
 use App\Repository\AssetTypeRepository;
 use Symfony\Component\Form\AbstractType;
 use Symfony\Component\Form\Extension\Core\Type\ChoiceType;
 use Symfony\Component\Form\Extension\Core\Type\IntegerType;
 use Symfony\Component\Form\FormBuilderInterface;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
 use Symfony\Component\OptionsResolver\OptionsResolver;
-use Symfony\Component\Security\Core\Security;
 
 class MissionTypeAssetTypesType extends AbstractType
 {
-    protected array $assetTypes;
+    private RequestStack $requestStack;
+    private AssetTypeRepository $assetTypeRepository;
 
-    public function __construct(Security $security, AssetTypeRepository $assetTypeRepository)
+    public function __construct(RequestStack $requestStack, AssetTypeRepository $assetTypeRepository)
     {
-        /** @var Organization $organization */
-        $organization = $security->getUser();
-
-        $assetTypes = $assetTypeRepository->findByOrganization($organization->getParentOrganization());
-        foreach ($assetTypes as $assetType) {
-            $this->assetTypes[$assetType->id] = $assetType->name;
-        }
+        $this->requestStack = $requestStack;
+        $this->assetTypeRepository = $assetTypeRepository;
     }
 
     public function buildForm(FormBuilderInterface $builder, array $options): void
@@ -34,7 +30,7 @@ public function buildForm(FormBuilderInterface $builder, array $options): void
         $builder
             ->add('type', ChoiceType::class, [
                 'label' => 'organization.missionType.assetTypes.type',
-                'choices' => array_flip($this->assetTypes),
+                'choices' => array_flip($this->getAssetTypes()),
                 'placeholder' => '',
                 'row_attr' => ['class' => 'row'],
                 'label_attr' => ['class' => 'col-sm-2'],
@@ -58,4 +54,18 @@ public function configureOptions(OptionsResolver $resolver): void
             ],
         ]);
     }
+
+    private function getAssetTypes(): array
+    {
+        /** @var Request $request */
+        $request = $this->requestStack->getCurrentRequest();
+        $organization = $request->attributes->get('organization');
+        $assetTypes = $this->assetTypeRepository->findByOrganization($organization->getParentOrganization());
+        $data = [];
+        foreach ($assetTypes as $assetType) {
+            $data[$assetType->id] = $assetType->name;
+        }
+
+        return $data;
+    }
 }
diff --git a/src/Form/Type/ResetPasswordRequestFormType.php b/src/Form/Type/ResetPasswordRequestFormType.php
new file mode 100644
index 00000000..a19eb36e
--- /dev/null
+++ b/src/Form/Type/ResetPasswordRequestFormType.php
@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Form\Type;
+
+use Symfony\Component\Form\AbstractType;
+use Symfony\Component\Form\Extension\Core\Type\EmailType;
+use Symfony\Component\Form\FormBuilderInterface;
+use Symfony\Component\Validator\Constraints\NotBlank;
+
+class ResetPasswordRequestFormType extends AbstractType
+{
+    public function buildForm(FormBuilderInterface $builder, array $options): void
+    {
+        $builder
+            ->add('emailAddress', EmailType::class, [
+                'label' => 'user.email',
+                'constraints' => [
+                    new NotBlank(),
+                ],
+            ])
+        ;
+    }
+}
diff --git a/src/Form/Type/UserLoginType.php b/src/Form/Type/UserLoginType.php
index 0cfcf792..8e50cb73 100644
--- a/src/Form/Type/UserLoginType.php
+++ b/src/Form/Type/UserLoginType.php
@@ -6,6 +6,7 @@
 
 use Symfony\Component\Form\AbstractType;
 use Symfony\Component\Form\Extension\Core\Type\BirthdayType;
+use Symfony\Component\Form\Extension\Core\Type\PasswordType;
 use Symfony\Component\Form\Extension\Core\Type\TextType;
 use Symfony\Component\Form\FormBuilderInterface;
 use Symfony\Component\OptionsResolver\OptionsResolver;
@@ -22,6 +23,11 @@ public function buildForm(FormBuilderInterface $builder, array $options): void
                 'format' => 'dd MMMM yyyy',
                 'input' => 'string',
                 'label' => 'user.dob',
+                'required' => false,
+            ])
+            ->add('password', PasswordType::class, [
+                'label' => 'user.password',
+                'required' => false,
             ]);
     }
 
diff --git a/src/Form/Type/UserPasswordType.php b/src/Form/Type/UserPasswordType.php
new file mode 100644
index 00000000..6e59bf6b
--- /dev/null
+++ b/src/Form/Type/UserPasswordType.php
@@ -0,0 +1,50 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Form\Type;
+
+use App\Entity\User;
+use Symfony\Component\Form\AbstractType;
+use Symfony\Component\Form\Extension\Core\Type\PasswordType;
+use Symfony\Component\Form\Extension\Core\Type\RepeatedType;
+use Symfony\Component\Form\FormBuilderInterface;
+use Symfony\Component\Form\FormEvent;
+use Symfony\Component\Form\FormEvents;
+use Symfony\Component\OptionsResolver\OptionsResolver;
+
+class UserPasswordType extends AbstractType
+{
+    public function buildForm(FormBuilderInterface $builder, array $options): void
+    {
+        $builder->add('plainPassword', RepeatedType::class, [
+            'type' => PasswordType::class,
+            'required' => true,
+            'first_options' => [
+                'label' => 'user.newPassword',
+            ],
+            'second_options' => [
+                'label' => 'user.confirmNewPassword',
+            ],
+        ]);
+
+        $builder->addEventListener(FormEvents::PRE_SET_DATA, function (FormEvent $event): void {
+            /** @var User $user */
+            $user = $event->getData();
+            if (!empty($user->getPassword())) {
+                $event->getForm()->add('currentPassword', PasswordType::class, [
+                    'required' => true,
+                    'label' => 'user.currentPassword',
+                ]);
+            }
+        });
+    }
+
+    public function configureOptions(OptionsResolver $resolver): void
+    {
+        $resolver->setDefaults([
+            'data_class' => User::class,
+            'validation_groups' => ['user:password'],
+        ]);
+    }
+}
diff --git a/src/Form/Type/UserType.php b/src/Form/Type/UserType.php
index 8067e6fe..763fe904 100644
--- a/src/Form/Type/UserType.php
+++ b/src/Form/Type/UserType.php
@@ -36,8 +36,9 @@ public function __construct(SkillSetDomain $skillSetDomain, array $userPropertie
 
     public function buildForm(FormBuilderInterface $builder, array $options): void
     {
-        /** @var Organization|null $organization */
-        $organization = $builder->getData()->organization;
+        /** @var User|null $data */
+        $data = $builder->getData();
+        $organization = $data->organization ?? null;
 
         $builder
             ->add('organization', OrganizationEntityType::class, [
@@ -49,7 +50,7 @@ public function buildForm(FormBuilderInterface $builder, array $options): void
                         ->addOrderBy('o.name', 'ASC');
 
                     if ($organization instanceof Organization) {
-                        $qb = $repository->findByIdOrParentIdQueryBuilder($organization->getId(), $qb);
+                        $qb = $repository->findByIdOrParentIdQueryBuilder($organization->getParentOrganization()->getId(), $qb);
                     }
 
                     return $qb;
diff --git a/src/Migrations/Version20200516150857.php b/src/Migrations/Version20200516150857.php
new file mode 100644
index 00000000..8a202b67
--- /dev/null
+++ b/src/Migrations/Version20200516150857.php
@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+final class Version20200516150857 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Remove Organization.password, add User.password and User.roles, and add Organizations.admins relation.';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->abortIf('postgresql' !== $this->connection->getDatabasePlatform()->getName(), 'Migration can only be executed safely on \'postgresql\'.');
+
+        $this->addSql('CREATE TABLE user_organization (user_id INT NOT NULL, organization_id INT NOT NULL, PRIMARY KEY(user_id, organization_id))');
+        $this->addSql('CREATE INDEX IDX_41221F7EA76ED395 ON user_organization (user_id)');
+        $this->addSql('CREATE INDEX IDX_41221F7E32C8A3DE ON user_organization (organization_id)');
+        $this->addSql('ALTER TABLE user_organization ADD CONSTRAINT FK_41221F7EA76ED395 FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE');
+        $this->addSql('ALTER TABLE user_organization ADD CONSTRAINT FK_41221F7E32C8A3DE FOREIGN KEY (organization_id) REFERENCES organization (id) ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE');
+        $this->addSql('ALTER TABLE users ADD password VARCHAR(255) DEFAULT NULL');
+        $this->addSql('ALTER TABLE users ADD roles TEXT NOT NULL DEFAULT \'a:1:{i:0;s:9:"ROLE_USER";}\'');
+        $this->addSql('ALTER TABLE users ALTER roles DROP DEFAULT');
+        $this->addSql('COMMENT ON COLUMN users.roles IS \'(DC2Type:array)\'');
+        $this->addSql('ALTER TABLE organization DROP password');
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->abortIf('postgresql' !== $this->connection->getDatabasePlatform()->getName(), 'Migration can only be executed safely on \'postgresql\'.');
+
+        $this->addSql('DROP TABLE user_organization');
+        $this->addSql('ALTER TABLE users DROP password');
+        $this->addSql('ALTER TABLE users DROP roles');
+        $this->addSql('ALTER TABLE organization ADD password VARCHAR(255) DEFAULT NULL');
+    }
+}
diff --git a/src/Migrations/Version20200519114430.php b/src/Migrations/Version20200519114430.php
new file mode 100644
index 00000000..f6749711
--- /dev/null
+++ b/src/Migrations/Version20200519114430.php
@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+final class Version20200519114430 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Add user reset password request table';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->abortIf('postgresql' !== $this->connection->getDatabasePlatform()->getName(), 'Migration can only be executed safely on \'postgresql\'.');
+
+        $this->addSql('CREATE SEQUENCE reset_password_request_id_seq INCREMENT BY 1 MINVALUE 1 START 1');
+        $this->addSql('CREATE TABLE reset_password_request (id INT NOT NULL, user_id INT DEFAULT NULL, selector VARCHAR(20) NOT NULL, hashed_token VARCHAR(100) NOT NULL, requested_at TIMESTAMP(0) WITHOUT TIME ZONE NOT NULL, expires_at TIMESTAMP(0) WITHOUT TIME ZONE NOT NULL, PRIMARY KEY(id))');
+        $this->addSql('CREATE INDEX IDX_7CE748AA76ED395 ON reset_password_request (user_id)');
+        $this->addSql('COMMENT ON COLUMN reset_password_request.requested_at IS \'(DC2Type:datetime_immutable)\'');
+        $this->addSql('COMMENT ON COLUMN reset_password_request.expires_at IS \'(DC2Type:datetime_immutable)\'');
+        $this->addSql('ALTER TABLE reset_password_request ADD CONSTRAINT FK_7CE748AA76ED395 FOREIGN KEY (user_id) REFERENCES users (id) NOT DEFERRABLE INITIALLY IMMEDIATE');
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->abortIf('postgresql' !== $this->connection->getDatabasePlatform()->getName(), 'Migration can only be executed safely on \'postgresql\'.');
+
+        $this->addSql('DROP SEQUENCE reset_password_request_id_seq CASCADE');
+        $this->addSql('DROP TABLE reset_password_request');
+    }
+}
diff --git a/src/ParamConverter/AssetParamConverter.php b/src/ParamConverter/AssetParamConverter.php
index d3a93de5..f9d2f596 100644
--- a/src/ParamConverter/AssetParamConverter.php
+++ b/src/ParamConverter/AssetParamConverter.php
@@ -15,12 +15,10 @@
 class AssetParamConverter implements ParamConverterInterface
 {
     private CommissionableAssetRepository $assetRepository;
-    private OrganizationParamConverter $organizationParamConverter;
 
-    public function __construct(CommissionableAssetRepository $assetRepository, OrganizationParamConverter $organizationParamConverter)
+    public function __construct(CommissionableAssetRepository $assetRepository)
     {
         $this->assetRepository = $assetRepository;
-        $this->organizationParamConverter = $organizationParamConverter;
     }
 
     /**
@@ -30,15 +28,8 @@ public function apply(Request $request, ParamConverter $configuration): bool
     {
         $name = $configuration->getName();
 
-        /** @var Organization|int|null $organization */
+        /** @var Organization $organization */
         $organization = $request->attributes->get('organization');
-
-        // Force OrganizationParamConverter to retrieve the organization
-        if (!\is_object($organization)) {
-            $this->organizationParamConverter->apply($request, new ParamConverter(['name' => 'organization']));
-            $organization = $request->attributes->get('organization');
-        }
-
         $id = $request->attributes->getInt($name);
         $asset = $this->assetRepository->findOneByIdAndOrganization($id, $organization);
 
diff --git a/src/ParamConverter/OrganizationParamConverter.php b/src/ParamConverter/OrganizationParamConverter.php
deleted file mode 100644
index a2b381d1..00000000
--- a/src/ParamConverter/OrganizationParamConverter.php
+++ /dev/null
@@ -1,54 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\ParamConverter;
-
-use App\Entity\Organization;
-use App\Repository\OrganizationRepository;
-use Sensio\Bundle\FrameworkExtraBundle\Configuration\ParamConverter;
-use Sensio\Bundle\FrameworkExtraBundle\Request\ParamConverter\ParamConverterInterface;
-use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
-
-class OrganizationParamConverter implements ParamConverterInterface
-{
-    private OrganizationRepository $organizationRepository;
-
-    public function __construct(OrganizationRepository $organizationRepository)
-    {
-        $this->organizationRepository = $organizationRepository;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function apply(Request $request, ParamConverter $configuration): bool
-    {
-        $name = $configuration->getName();
-        $id = $request->attributes->getInt($name);
-
-        if (!empty($organizationId = $request->query->getInt('organizationId'))
-        ) {
-            $id = $organizationId;
-        }
-
-        $organization = $this->organizationRepository->find($id);
-
-        if (null === $organization) {
-            throw new NotFoundHttpException(sprintf('Organization with id "%d" does not exist.', $id));
-        }
-
-        $request->attributes->set($name, $organization);
-
-        return true;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function supports(ParamConverter $configuration): bool
-    {
-        return Organization::class === $configuration->getClass();
-    }
-}
diff --git a/src/ParamConverter/UserParamConverter.php b/src/ParamConverter/UserParamConverter.php
index 9f7a9441..db3485af 100644
--- a/src/ParamConverter/UserParamConverter.php
+++ b/src/ParamConverter/UserParamConverter.php
@@ -15,12 +15,10 @@
 class UserParamConverter implements ParamConverterInterface
 {
     private UserRepository $userRepository;
-    private OrganizationParamConverter $organizationParamConverter;
 
-    public function __construct(UserRepository $userRepository, OrganizationParamConverter $organizationParamConverter)
+    public function __construct(UserRepository $userRepository)
     {
         $this->userRepository = $userRepository;
-        $this->organizationParamConverter = $organizationParamConverter;
     }
 
     /**
@@ -31,15 +29,9 @@ public function apply(Request $request, ParamConverter $configuration): bool
         $name = $configuration->getName();
         $id = $request->attributes->getInt($name);
 
-        /** @var Organization|int|null $organization */
+        /** @var Organization|null $organization */
         $organization = $request->attributes->get('organization');
         if (null !== $organization) {
-            // Force OrganizationParamConverter to retrieve the organization
-            if (!\is_object($organization)) {
-                $this->organizationParamConverter->apply($request, new ParamConverter(['name' => 'organization']));
-                $organization = $request->attributes->get('organization');
-            }
-
             $user = $this->userRepository->findOneByIdAndOrganization($id, $organization);
         } else {
             $user = $this->userRepository->find($id);
diff --git a/src/Repository/OrganizationRepository.php b/src/Repository/OrganizationRepository.php
index dfe791d5..62ae253d 100644
--- a/src/Repository/OrganizationRepository.php
+++ b/src/Repository/OrganizationRepository.php
@@ -8,7 +8,6 @@
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Common\Persistence\ManagerRegistry;
 use Doctrine\ORM\QueryBuilder;
-use Symfony\Bridge\Doctrine\Security\User\UserLoaderInterface;
 
 /**
  * @method Organization|null find($id, $lockMode = null, $lockVersion = null)
@@ -16,25 +15,13 @@
  * @method Organization[]    findAll()
  * @method Organization[]    findBy(array $criteria, array $orderBy = null, $limit = null, $offset = null)
  */
-class OrganizationRepository extends ServiceEntityRepository implements UserLoaderInterface
+class OrganizationRepository extends ServiceEntityRepository
 {
     public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, Organization::class);
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function loadUserByUsername(string $username): ?Organization
-    {
-        return $this->createQueryBuilder('o')
-            ->where('o.name = :value')
-            ->setParameter('value', $username)
-            ->getQuery()
-            ->getOneOrNullResult();
-    }
-
     /**
      * @return Organization[][]
      */
diff --git a/src/Repository/ResetPasswordRequestRepository.php b/src/Repository/ResetPasswordRequestRepository.php
new file mode 100644
index 00000000..53e5de12
--- /dev/null
+++ b/src/Repository/ResetPasswordRequestRepository.php
@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Repository;
+
+use App\Entity\ResetPasswordRequest;
+use App\Entity\User;
+use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
+use Doctrine\Common\Persistence\ManagerRegistry;
+use SymfonyCasts\Bundle\ResetPassword\Model\ResetPasswordRequestInterface;
+use SymfonyCasts\Bundle\ResetPassword\Persistence\Repository\ResetPasswordRequestRepositoryTrait;
+use SymfonyCasts\Bundle\ResetPassword\Persistence\ResetPasswordRequestRepositoryInterface;
+
+/**
+ * @method ResetPasswordRequest|null find($id, $lockMode = null, $lockVersion = null)
+ * @method ResetPasswordRequest|null findOneBy(array $criteria, array $orderBy = null)
+ * @method ResetPasswordRequest[]    findAll()
+ * @method ResetPasswordRequest[]    findBy(array $criteria, array $orderBy = null, $limit = null, $offset = null)
+ */
+class ResetPasswordRequestRepository extends ServiceEntityRepository implements ResetPasswordRequestRepositoryInterface
+{
+    use ResetPasswordRequestRepositoryTrait;
+
+    public function __construct(ManagerRegistry $registry)
+    {
+        parent::__construct($registry, ResetPasswordRequest::class);
+    }
+
+    /**
+     * @param User $user
+     */
+    public function createResetPasswordRequest(
+        object $user,
+        \DateTimeInterface $expiresAt,
+        string $selector,
+        string $hashedToken
+    ): ResetPasswordRequestInterface {
+        return new ResetPasswordRequest(
+            $user,
+            $expiresAt,
+            $selector,
+            $hashedToken
+        );
+    }
+}
diff --git a/src/Repository/UserRepository.php b/src/Repository/UserRepository.php
index 33c5b8be..8ec1b4c0 100644
--- a/src/Repository/UserRepository.php
+++ b/src/Repository/UserRepository.php
@@ -29,7 +29,7 @@ public function __construct(ManagerRegistry $registry, string $slotInterval)
     {
         parent::__construct($registry, User::class);
 
-        $this->slotInterval = $slotInterval;
+        $this->slotInterval = $slotInterval; // Used in AvailabilityQueryTrait methods
     }
 
     public function findOneByIdAndOrganization(int $id, Organization $organization): ?User
@@ -181,4 +181,21 @@ public function findByOrganizationAndChildrenQb(Organization $organization, bool
 
         return $qb;
     }
+
+    public function usersCount(): int
+    {
+        return$this->createQueryBuilder('u')
+            ->select('COUNT(u) as total_count')
+            ->setMaxResults(1)
+            ->getQuery()
+            ->getOneOrNullResult()['total_count'] ?? 0;
+    }
+
+    public function addUserRoles(User $user): void
+    {
+        // The first user is the super admin
+        if (0 === $this->usersCount()) {
+            $user->roles[] = 'ROLE_SUPER_ADMIN';
+        }
+    }
 }
diff --git a/src/Security/OrganizationLoginFormAuthenticator.php b/src/Security/OrganizationLoginFormAuthenticator.php
deleted file mode 100644
index fdc1a876..00000000
--- a/src/Security/OrganizationLoginFormAuthenticator.php
+++ /dev/null
@@ -1,115 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Security;
-
-use App\Entity\Organization;
-use App\Repository\OrganizationRepository;
-use Symfony\Component\HttpFoundation\RedirectResponse;
-use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\HttpFoundation\Response;
-use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
-use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
-use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
-use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
-use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
-use Symfony\Component\Security\Core\Security;
-use Symfony\Component\Security\Core\User\UserInterface;
-use Symfony\Component\Security\Core\User\UserProviderInterface;
-use Symfony\Component\Security\Csrf\CsrfToken;
-use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
-use Symfony\Component\Security\Guard\Authenticator\AbstractFormLoginAuthenticator;
-use Symfony\Component\Security\Guard\PasswordAuthenticatedInterface;
-use Symfony\Component\Security\Http\Util\TargetPathTrait;
-
-final class OrganizationLoginFormAuthenticator extends AbstractFormLoginAuthenticator implements PasswordAuthenticatedInterface
-{
-    use TargetPathTrait;
-
-    private $organizationRepository;
-    private $urlGenerator;
-    private $csrfTokenManager;
-    private $passwordChecker;
-
-    public function __construct(
-        OrganizationRepository $organizationRepository,
-        UrlGeneratorInterface $urlGenerator,
-        CsrfTokenManagerInterface $csrfTokenManager,
-        UserPasswordEncoderInterface $passwordChecker
-    ) {
-        $this->organizationRepository = $organizationRepository;
-        $this->urlGenerator = $urlGenerator;
-        $this->csrfTokenManager = $csrfTokenManager;
-        $this->passwordChecker = $passwordChecker;
-    }
-
-    public function supports(Request $request)
-    {
-        return 'app_organization_login' === $request->attributes->get('_route')
-            && $request->isMethod('POST');
-    }
-
-    public function getCredentials(Request $request)
-    {
-        $credentials = [
-            'identifier' => $request->request->get('identifier', ''),
-            'password' => $request->request->get('password'),
-            'csrf_token' => $request->request->get('_csrf_token'),
-        ];
-
-        $request->getSession()->set(Security::LAST_USERNAME, $credentials['identifier']);
-
-        return $credentials;
-    }
-
-    public function getUser($credentials, UserProviderInterface $userProvider)
-    {
-        $token = new CsrfToken('authenticate', $credentials['csrf_token']);
-
-        if (!$this->csrfTokenManager->isTokenValid($token)) {
-            throw new InvalidCsrfTokenException();
-        }
-
-        if (!$user = $this->organizationRepository->find($credentials['identifier'])) {
-            throw new CustomUserMessageAuthenticationException('Organization could not be found.');
-        }
-
-        return $user;
-    }
-
-    public function checkCredentials($credentials, UserInterface $user)
-    {
-        return $this->passwordChecker->isPasswordValid($user, $credentials['password']);
-    }
-
-    /**
-     * @param array $credentials The submitted credentials
-     */
-    public function getPassword($credentials): ?string
-    {
-        return $credentials['password'];
-    }
-
-    /**
-     * @param string $providerKey
-     *
-     * @return Response|null
-     */
-    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
-    {
-        if ($targetPath = $this->getTargetPath($request->getSession(), $providerKey)) {
-            return new RedirectResponse($targetPath);
-        }
-
-        /** @var Organization $user */
-        $user = $token->getUser();
-
-        return new RedirectResponse($this->urlGenerator->generate('app_organization_dashboard', ['organization' => $user->getId()]));
-    }
-
-    protected function getLoginUrl(): string
-    {
-        return $this->urlGenerator->generate('app_organization_login');
-    }
-}
diff --git a/src/Security/UserAutomaticLoginHandler.php b/src/Security/UserAutomaticLoginHandler.php
index 87413abb..773c0d57 100644
--- a/src/Security/UserAutomaticLoginHandler.php
+++ b/src/Security/UserAutomaticLoginHandler.php
@@ -15,10 +15,8 @@ final class UserAutomaticLoginHandler
     private GuardAuthenticatorHandler $guardHandler;
     private UserLoginFormAuthenticator $formAuthenticator;
 
-    public function __construct(
-        GuardAuthenticatorHandler $guardHandler,
-        UserLoginFormAuthenticator $formAuthenticator
-    ) {
+    public function __construct(GuardAuthenticatorHandler $guardHandler, UserLoginFormAuthenticator $formAuthenticator)
+    {
         $this->guardHandler = $guardHandler;
         $this->formAuthenticator = $formAuthenticator;
     }
@@ -28,10 +26,6 @@ public function __construct(
      */
     public function handleAuthentication(Request $request, UserInterface $user): Response
     {
-        if (!$user instanceof User) {
-            throw new \InvalidArgumentException(sprintf('Method %s only accepts a %s instance as its second argument.', __METHOD__, User::class));
-        }
-
         $response = $this->guardHandler->authenticateUserAndHandleSuccess(
             $user,
             $request,
diff --git a/src/Security/UserLoginFormAuthenticator.php b/src/Security/UserLoginFormAuthenticator.php
index a9b9b024..cb358735 100644
--- a/src/Security/UserLoginFormAuthenticator.php
+++ b/src/Security/UserLoginFormAuthenticator.php
@@ -10,6 +10,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Routing\RouterInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
@@ -31,13 +32,15 @@ final class UserLoginFormAuthenticator extends AbstractFormLoginAuthenticator
     private RouterInterface $router;
     private CsrfTokenManagerInterface $csrfTokenManager;
     private ValidatorInterface $validator;
+    private UserPasswordEncoderInterface $userPasswordEncoder;
 
-    public function __construct(UserRepository $userRepository, RouterInterface $router, CsrfTokenManagerInterface $csrfTokenManager, ValidatorInterface $validator)
+    public function __construct(UserRepository $userRepository, RouterInterface $router, CsrfTokenManagerInterface $csrfTokenManager, ValidatorInterface $validator, UserPasswordEncoderInterface $userPasswordEncoder)
     {
         $this->userRepository = $userRepository;
         $this->router = $router;
         $this->csrfTokenManager = $csrfTokenManager;
         $this->validator = $validator;
+        $this->userPasswordEncoder = $userPasswordEncoder;
     }
 
     public function supports(Request $request)
@@ -52,6 +55,7 @@ public function getCredentials(Request $request)
         $credentials = [
             'identifier' => $loginCredentials['identifier'] ?? null,
             'birthday' => $loginCredentials['birthday'] ?? false ? $this->formatBirthday($loginCredentials['birthday']) : null,
+            'password' => $loginCredentials['password'] ?? null,
             'csrf_token' => $loginCredentials['_token'] ?? null,
         ];
 
@@ -78,13 +82,18 @@ public function getUser($credentials, UserProviderInterface $userProvider)
         return $this->userRepository->loadUserByUsername($credentials['identifier']);
     }
 
-    public function checkCredentials($credentials, UserInterface $user)
+    /**
+     * @param array              $credentials
+     * @param UserInterface|User $user
+     */
+    public function checkCredentials($credentials, UserInterface $user): bool
     {
-        if (!$user instanceof User) {
-            throw new \RuntimeException('Bad user type');
+        /** @var User $user */
+        if (null === $user->getPassword()) {
+            return $credentials['birthday'] === $user->birthday;
         }
 
-        return $credentials['birthday'] === $user->getBirthday();
+        return !empty($credentials['password']) && $this->userPasswordEncoder->isPasswordValid($user, $credentials['password']);
     }
 
     public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $providerKey)
diff --git a/src/Security/Voter/CommissionableAssetVoter.php b/src/Security/Voter/CommissionableAssetVoter.php
deleted file mode 100644
index 362ac4d6..00000000
--- a/src/Security/Voter/CommissionableAssetVoter.php
+++ /dev/null
@@ -1,36 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Security\Voter;
-
-use App\Entity\CommissionableAsset;
-use App\Entity\Organization;
-use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
-use Symfony\Component\Security\Core\Authorization\Voter\Voter;
-
-class CommissionableAssetVoter extends Voter
-{
-    public const CAN_EDIT = 'CAN_EDIT_ASSET';
-
-    protected function supports($attribute, $subject): bool
-    {
-        return self::CAN_EDIT === $attribute
-            && $subject instanceof CommissionableAsset;
-    }
-
-    /**
-     * @param string              $attribute
-     * @param CommissionableAsset $subject
-     */
-    protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
-    {
-        $loggedOrganization = $token->getUser();
-
-        if (!$loggedOrganization instanceof Organization) {
-            return false;
-        }
-
-        return $subject->organization === $loggedOrganization || $subject->organization->parent === $loggedOrganization;
-    }
-}
diff --git a/src/Security/Voter/OrganizationVoter.php b/src/Security/Voter/OrganizationVoter.php
index 75895538..d1145a13 100644
--- a/src/Security/Voter/OrganizationVoter.php
+++ b/src/Security/Voter/OrganizationVoter.php
@@ -5,41 +5,56 @@
 namespace App\Security\Voter;
 
 use App\Entity\Organization;
+use App\Entity\User;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
 use Symfony\Component\Security\Core\Authorization\Voter\Voter;
 
-class OrganizationVoter extends Voter
+final class OrganizationVoter extends Voter
 {
-    public const CAN_MANAGE = 'CAN_MANAGE_ORGANIZATION';
-    public const CAN_CREATE = 'CAN_CREATE_ORGANIZATION';
+    public const ROLE_ORGANIZATION = 'ROLE_ORGANIZATION';
+    public const ROLE_PARENT_ORGANIZATION = 'ROLE_PARENT_ORGANIZATION';
+
+    private AccessDecisionManagerInterface $decisionManager;
+
+    public function __construct(AccessDecisionManagerInterface $decisionManager)
+    {
+        $this->decisionManager = $decisionManager;
+    }
 
     protected function supports($attribute, $subject): bool
     {
-        return (self::CAN_MANAGE === $attribute && $subject instanceof Organization)
-            || (self::CAN_CREATE === $attribute && null === $subject);
+        return \in_array($attribute, [
+            self::ROLE_ORGANIZATION,
+            self::ROLE_PARENT_ORGANIZATION,
+        ], true);
     }
 
     /**
-     * @param string       $attribute
-     * @param Organization $subject
+     * @param string            $attribute
+     * @param Organization|null $subject
      */
     protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
     {
-        $loggedOrganization = $token->getUser();
+        /** @var User|null $user */
+        $user = $token->getUser();
 
-        if (!$loggedOrganization instanceof Organization) {
+        if (!$user instanceof User || null === $user->getPassword()) {
             return false;
         }
 
-        if (self::CAN_CREATE === $attribute) {
-            return $loggedOrganization->isParent();
+        if (!$subject instanceof Organization) {
+            return !$user->getManagedOrganizations()->isEmpty();
         }
 
-        return $this->canManageOrganization($loggedOrganization, $subject);
-    }
+        if ($this->decisionManager->decide($token, ['ROLE_SUPER_ADMIN'])) {
+            return true;
+        }
 
-    private function canManageOrganization(Organization $loggedOrganization, Organization $organization): bool
-    {
-        return $loggedOrganization === $organization || $loggedOrganization === $organization->parent;
+        if (self::ROLE_PARENT_ORGANIZATION === $attribute) {
+            return $subject->getAdmins()->contains($user) || $subject->getParentOrganization()->getAdmins()->contains($user);
+        }
+
+        return $subject->getAdmins()->contains($user);
     }
 }
diff --git a/src/Security/Voter/UserVoter.php b/src/Security/Voter/UserVoter.php
deleted file mode 100644
index 02c785d8..00000000
--- a/src/Security/Voter/UserVoter.php
+++ /dev/null
@@ -1,35 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Security\Voter;
-
-use App\Entity\Organization;
-use App\Entity\User;
-use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
-use Symfony\Component\Security\Core\Authorization\Voter\Voter;
-
-class UserVoter extends Voter
-{
-    public const CAN_EDIT = 'CAN_EDIT_USER';
-
-    protected function supports($attribute, $subject): bool
-    {
-        return self::CAN_EDIT === $attribute && $subject instanceof User;
-    }
-
-    /**
-     * @param string $attribute
-     * @param User   $subject
-     */
-    protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
-    {
-        $loggedOrganization = $token->getUser();
-
-        if (!$loggedOrganization instanceof Organization || null === $subject->organization) {
-            return false;
-        }
-
-        return $subject->organization === $loggedOrganization || $subject->getNotNullOrganization()->parent === $loggedOrganization;
-    }
-}
diff --git a/src/Twig/Extension/OrganizationExtension.php b/src/Twig/Extension/OrganizationExtension.php
index 48b59e75..06dcf20c 100644
--- a/src/Twig/Extension/OrganizationExtension.php
+++ b/src/Twig/Extension/OrganizationExtension.php
@@ -5,20 +5,19 @@
 namespace App\Twig\Extension;
 
 use App\Entity\Organization;
-use App\Entity\User;
 use Symfony\Bridge\Twig\Extension\RoutingExtension;
-use Symfony\Component\Security\Core\Security;
+use Symfony\Component\HttpFoundation\RequestStack;
 use Twig\Extension\AbstractExtension;
 use Twig\TwigFunction;
 
 final class OrganizationExtension extends AbstractExtension
 {
-    private Security $security;
+    private RequestStack $requestStack;
     private RoutingExtension $routingExtension;
 
-    public function __construct(Security $security, RoutingExtension $routingExtension)
+    public function __construct(RequestStack $requestStack, RoutingExtension $routingExtension)
     {
-        $this->security = $security;
+        $this->requestStack = $requestStack;
         $this->routingExtension = $routingExtension;
     }
 
@@ -43,18 +42,25 @@ public function getOrganizationUrl(string $name, array $parameters = [], bool $s
         return $this->routingExtension->getUrl($name, $this->buildParameters($name, $parameters), $schemeRelative);
     }
 
-    private function buildParameters(string $name, array $parameters): array
+    private function buildParameters(string $routeName, array $parameters): array
     {
-        /** @var Organization|User|null $user */
-        $user = $this->security->getUser();
-        if (!$user instanceof Organization || !preg_match('/^app_organization_.*$/', $name)) {
+        $request = $this->requestStack->getCurrentRequest();
+        if (0 !== strpos($routeName, 'app_organization_')
+            || !$request
+            || !($currentOrganization = $request->attributes->get('currentOrganization'))
+            || !$currentOrganization instanceof Organization
+        ) {
             return $parameters;
         }
 
-        $organization = $parameters['organization'] ?? null;
-        $parameters = array_merge($parameters, ['organization' => $user->getId()]);
-        if (null !== $organization && $parameters['organization'] !== $organization) {
-            $parameters['organizationId'] = $organization;
+        $organizationParameter = $parameters['organization'] ?? null;
+        $parameters = array_merge($parameters, ['organization' => $currentOrganization->getId()]);
+        if (null !== $organizationParameter && $parameters['organization'] !== $organizationParameter) {
+            if ('app_organization_dashboard' === $routeName) {
+                $parameters['organization'] = $organizationParameter;
+            } else {
+                $parameters['organizationId'] = $organizationParameter;
+            }
         }
 
         return $parameters;
diff --git a/src/Validator/Constraints/CurrentPassword.php b/src/Validator/Constraints/CurrentPassword.php
new file mode 100644
index 00000000..0ed87354
--- /dev/null
+++ b/src/Validator/Constraints/CurrentPassword.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Validator\Constraints;
+
+use Symfony\Component\Validator\Constraint;
+
+/**
+ * @Annotation
+ */
+final class CurrentPassword extends Constraint
+{
+    public function getMessage(): string
+    {
+        return 'Cette valeur n\'est pas valide.';
+    }
+
+    public function getTargets()
+    {
+        return self::CLASS_CONSTRAINT;
+    }
+}
diff --git a/src/Validator/Constraints/CurrentPasswordValidator.php b/src/Validator/Constraints/CurrentPasswordValidator.php
new file mode 100644
index 00000000..3f2eabe6
--- /dev/null
+++ b/src/Validator/Constraints/CurrentPasswordValidator.php
@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Validator\Constraints;
+
+use App\Entity\User;
+use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
+use Symfony\Component\Validator\Constraint;
+use Symfony\Component\Validator\ConstraintValidator;
+use Symfony\Component\Validator\Exception\UnexpectedTypeException;
+
+final class CurrentPasswordValidator extends ConstraintValidator
+{
+    private $userPasswordEncoder;
+
+    public function __construct(UserPasswordEncoderInterface $userPasswordEncoder)
+    {
+        $this->userPasswordEncoder = $userPasswordEncoder;
+    }
+
+    /**
+     * @param User                       $user
+     * @param Constraint|CurrentPassword $constraint
+     */
+    public function validate($user, Constraint $constraint): void
+    {
+        if (!$constraint instanceof CurrentPassword) {
+            throw new UnexpectedTypeException($constraint, CurrentPassword::class);
+        }
+
+        if (!empty($user->getPassword()) && !empty($user->plainPassword) && (null === $user->currentPassword || !$this->userPasswordEncoder->isPasswordValid($user, $user->currentPassword))) {
+            $this->context->buildViolation($constraint->getMessage())
+                ->atPath('currentPassword')
+                ->addViolation();
+        }
+    }
+}
diff --git a/templates/_navbar.html.twig b/templates/_navbar.html.twig
index 14d295ab..c4f607ac 100644
--- a/templates/_navbar.html.twig
+++ b/templates/_navbar.html.twig
@@ -16,16 +16,36 @@
             </ul>
             <div class="navbar-nav">
                 {% if not app.user %}
-                    <a class="nav-link" href="{{ path('app_organization_login') }}">{{ 'nav.section.organization' | trans }}</a>
                     <a class="btn btn-outline-primary" href="{{ path('app_user_create') }}">{{ 'user.createMyAccount' | trans }}</a>
                 {% else %}
                     <a class="nav-link active" href="{{ path('app_user_edit') }}">{{ 'nav.profile' | trans }}</a>
                     <a class="nav-link active" href="{{ path('user_availability') }}">{{ 'nav.availability' | trans }}</a>
-                    <a class="nav-link" href="{{ logout_path() }}">{{ 'action.logout' | trans }}</a>
+
                     <span class="navbar-text navbar-separator mt-1 ml-3 mr-4 d-none d-lg-block"></span>
-                    <span class="navbar-text active text-dark font-weight-bold">
-                        {{ app.user }}
-                    </span>
+
+                    <li class="nav-item dropdown">
+                        <a class="nav-link dropdown-toggle text-dark font-weight-bold" href="#" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
+                            {{ app.user.fullName }}
+                        </a>
+                        <div class="dropdown-menu" aria-labelledby="navbarDropdown">
+                            {% if is_granted('ROLE_PREVIOUS_ADMIN') %}
+                                <a class="dropdown-item text-danger" href="{{ path('app_organization_user_list', {'organization': app.user.organization.id, '_switch_user': '_exit'}) }}">{{ 'nav.section.exitImpersonation' | trans }}</a>
+                                <hr>
+                            {% endif %}
+
+                            {% if is_granted('ROLE_SUPER_ADMIN') %}
+                                <a class="dropdown-item" href="{{ path('app_admin_organizations') }}">{{ 'nav.section.admin' | trans }}</a>
+                            {% endif %}
+
+                            {% for organization in app.user.managedOrganizations %}
+                                <a class="dropdown-item" href="{{
+                                    app.user.password is empty ? path('app_user_password') : path('app_organization_dashboard', {organization: organization.id})
+                                }}">{{ organization.name }}</a>
+                            {% endfor %}
+
+                            <a class="dropdown-item text-danger" href="{{ logout_path() }}">{{ 'action.logout' | trans }}</a>
+                        </div>
+                    </li>
                 {% endif %}
             </div>
         </div>
diff --git a/templates/admin/organizations.html.twig b/templates/admin/organizations.html.twig
new file mode 100644
index 00000000..d8a89574
--- /dev/null
+++ b/templates/admin/organizations.html.twig
@@ -0,0 +1,26 @@
+{% extends 'base.html.twig' %}
+
+{% block title %}{{ 'nav.section.adminArganization' | trans }}{% endblock %}
+
+{% block body %}
+    <h1>{{ 'nav.section.admin' | trans }}</h1>
+
+    <table class="table table-striped">
+        <thead class="thead-light">
+        <tr>
+            <th>{{ 'common.name' | trans }}</th>
+            <th class="actions">{{ 'common.actions' | trans }}</th>
+        </tr>
+        </thead>
+        <tbody>
+        {% for organization in organizations | sort %}
+            <tr>
+                <td>{{ organization }}</td>
+                <td>
+                    <a href="{{ path('app_organization_dashboard', { organization: organization.id }) }}" class="btn btn-outline-secondary">{{ 'action.edit' | trans }}</a>
+                </td>
+            </tr>
+        {% endfor %}
+        </tbody>
+    </table>
+{% endblock %}
diff --git a/templates/mailer/_macro.html.twig b/templates/mailer/_macro.html.twig
new file mode 100644
index 00000000..91872c7d
--- /dev/null
+++ b/templates/mailer/_macro.html.twig
@@ -0,0 +1,17 @@
+{% macro button(link, text, linkId) %}
+    <table role="presentation" border="0" cellpadding="0" cellspacing="0" class="btn btn-primary">
+        <tbody>
+        <tr>
+            <td align="center">
+                <table role="presentation" border="0" cellpadding="0" cellspacing="0">
+                    <tbody>
+                    <tr>
+                        <td><a href="{{ link }}" target="_blank" {% if linkId %}id="{{ linkId }}"{% endif %}>{{ text }}</a></td>
+                    </tr>
+                    </tbody>
+                </table>
+            </td>
+        </tr>
+        </tbody>
+    </table>
+{% endmacro %}
diff --git a/templates/mailer/_template.html.twig b/templates/mailer/_template.html.twig
new file mode 100644
index 00000000..9b0a7b94
--- /dev/null
+++ b/templates/mailer/_template.html.twig
@@ -0,0 +1,411 @@
+{# This email template comes from https://github.com/leemunroe/responsive-html-email-template #}
+{# For an API service you need to inline the CSS before sending. See https://symfony.com/doc/current/mailer.html#inlining-css-styles or https://github.com/leemunroe/responsive-html-email-template#sending-emails-directly-from-your-codebase-or-using-a-developer-service #}
+
+<!doctype html>
+<html>
+<head>
+    <meta name="viewport" content="width=device-width"/>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
+    <title>{{ 'project.name'|trans }}</title>
+    <style>
+        /* -------------------------------------
+            GLOBAL RESETS
+        ------------------------------------- */
+
+        /*All the styling goes here*/
+
+        img {
+            border: none;
+            -ms-interpolation-mode: bicubic;
+            max-width: 100%;
+        }
+
+        body {
+            background-color: #f6f6f6;
+            font-family: Arial, sans-serif;
+            -webkit-font-smoothing: antialiased;
+            font-size: 14px;
+            line-height: 1.4;
+            margin: 0;
+            padding: 0;
+            -ms-text-size-adjust: 100%;
+            -webkit-text-size-adjust: 100%;
+        }
+
+        table {
+            border-collapse: separate;
+            mso-table-lspace: 0pt;
+            mso-table-rspace: 0pt;
+            width: 100%;
+        }
+
+        table td {
+            font-family: sans-serif;
+            font-size: 14px;
+            vertical-align: top;
+        }
+
+        /* -------------------------------------
+            BODY & CONTAINER
+        ------------------------------------- */
+
+        .body {
+            background-color: #f6f6f6;
+            width: 100%;
+        }
+
+        /* Set a max-width, and make it display as block so it will automatically stretch to that width, but will also shrink down on a phone or something */
+        .container {
+            display: block;
+            margin: 0 auto !important;
+            /* makes it centered */
+            max-width: 800px;
+            padding: 50px 10px;
+            width: 800px;
+        }
+
+        /* This should also be a block element, so that it will fill 100% of the .container */
+        .content {
+            box-sizing: border-box;
+            display: block;
+            margin: 0 auto;
+            max-width: 800px;
+            padding: 10px;
+        }
+
+        /* -------------------------------------
+            HEADER, FOOTER, MAIN
+        ------------------------------------- */
+        .main {
+            background: #ffffff;
+            border-radius: 3px;
+            width: 100%;
+            margin-top: 20px;
+        }
+
+        .wrapper {
+            box-sizing: border-box;
+            padding: 40px;
+        }
+
+        .content-block {
+            padding-bottom: 10px;
+            padding-top: 10px;
+        }
+
+        .prefooter p {
+            color: #9b9b9b;
+        }
+
+        .footer {
+            clear: both;
+            margin-top: 10px;
+            text-align: center;
+            width: 100%;
+        }
+
+        .footer td,
+        .footer p,
+        .footer span,
+        .footer a {
+            color: #999999;
+            font-size: 12px;
+            text-align: center;
+        }
+
+        /* -------------------------------------
+            TYPOGRAPHY
+        ------------------------------------- */
+        h1,
+        h2,
+        h3,
+        h4 {
+            color: #000000;
+            font-family: sans-serif;
+            font-weight: 400;
+            line-height: 1.4;
+            margin: 0;
+            margin-bottom: 30px;
+        }
+
+        h1 {
+            font-size: 35px;
+            font-weight: 300;
+            text-align: center;
+            text-transform: capitalize;
+        }
+
+        p,
+        ul,
+        ol {
+            color: #4a4a4a;
+            font-family: Arial, sans-serif;
+            font-size: 17px;
+            font-weight: normal;
+            line-height: 28px;
+            margin: 0;
+            margin-bottom: 15px;
+        }
+
+        p.small {
+            font-size: 15px;
+        }
+
+        p li,
+        ul li,
+        ol li {
+            list-style-position: inside;
+            margin-left: 5px;
+        }
+
+        a {
+            color: #007bff;
+            text-decoration: none;
+        }
+
+        /* -------------------------------------
+            BUTTONS
+        ------------------------------------- */
+        .btn {
+            margin-top: 40px;
+            box-sizing: border-box;
+            width: 100%;
+        }
+
+        .btn > tbody > tr > td {
+            padding-bottom: 15px;
+        }
+
+        .btn table {
+            width: auto;
+        }
+
+        .btn table td {
+            background-color: #ffffff;
+            border-radius: 35px;
+            text-align: center;
+        }
+
+        .btn a {
+            background-color: #ffffff;
+            border: solid 1px;
+            border-radius: 35px;
+            box-sizing: border-box;
+            cursor: pointer;
+            display: inline-block;
+            font-size: 18px;
+            font-weight: bold;
+            margin: 0;
+            padding: 15px 80px;
+            text-decoration: none;
+        }
+
+        .btn-primary a {
+            color: #ffffff;
+        }
+
+        .btn a, .btn-primary table td, .btn-primary a {
+            background-color: #007bff;
+            border-color: #007bff;
+        }
+
+        /* -------------------------------------
+            OTHER STYLES THAT MIGHT BE USEFUL
+        ------------------------------------- */
+        .last {
+            margin-bottom: 0;
+        }
+
+        .first {
+            margin-top: 0;
+        }
+
+        .align-center {
+            text-align: center;
+        }
+
+        .align-right {
+            text-align: right;
+        }
+
+        .align-left {
+            text-align: left;
+        }
+
+        .clear {
+            clear: both;
+        }
+
+        .mt0 {
+            margin-top: 0;
+        }
+
+        .mb0 {
+            margin-bottom: 0;
+        }
+
+        .preheader {
+            color: transparent;
+            display: none;
+            height: 0;
+            max-height: 0;
+            max-width: 0;
+            opacity: 0;
+            overflow: hidden;
+            mso-hide: all;
+            visibility: hidden;
+            width: 0;
+        }
+
+        .powered-by a {
+            text-decoration: none;
+        }
+
+        .title-container {
+            max-width: 50%;
+            margin-bottom: 40px;
+        }
+
+        hr {
+            border: 0;
+            border-bottom: 1px solid #d8d8d8;
+            margin: 20px 0 10px;
+        }
+
+        /* -------------------------------------
+            RESPONSIVE AND MOBILE FRIENDLY STYLES
+        ------------------------------------- */
+        @media only screen and (max-width: 620px) {
+            table[class=body] h1 {
+                font-size: 28px !important;
+                margin-bottom: 10px !important;
+            }
+
+            table[class=body] p,
+            table[class=body] ul,
+            table[class=body] ol,
+            table[class=body] td,
+            table[class=body] span,
+            table[class=body] a {
+                font-size: 16px !important;
+            }
+
+            table[class=body] .wrapper,
+            table[class=body] .article {
+                padding: 10px !important;
+            }
+
+            table[class=body] .content {
+                padding: 0 !important;
+            }
+
+            table[class=body] .container {
+                padding: 0 !important;
+                width: 100% !important;
+            }
+
+            table[class=body] .main {
+                border-left-width: 0 !important;
+                border-radius: 0 !important;
+                border-right-width: 0 !important;
+            }
+
+            table[class=body] .btn table {
+                width: 100% !important;
+            }
+
+            table[class=body] .btn a {
+                width: 100% !important;
+                /*padding: 15px 20px;*/
+            }
+
+            table[class=body] .img-responsive {
+                height: auto !important;
+                max-width: 100% !important;
+                width: auto !important;
+            }
+        }
+
+        /* -------------------------------------
+            PRESERVE THESE STYLES IN THE HEAD
+        ------------------------------------- */
+        @media all {
+            .ExternalClass {
+                width: 100%;
+            }
+
+            .ExternalClass,
+            .ExternalClass p,
+            .ExternalClass span,
+            .ExternalClass font,
+            .ExternalClass td,
+            .ExternalClass div {
+                line-height: 100%;
+            }
+
+            .btn-primary table td:hover {
+                background-color: #34495e !important;
+            }
+
+            .btn-primary a:hover {
+                background-color: #34495e !important;
+                border-color: #34495e !important;
+            }
+        }
+
+    </style>
+</head>
+<body class="">
+<span class="preheader">{{ 'project.name'|trans }}</span>
+<table role="presentation" border="0" cellpadding="0" cellspacing="0" class="body">
+    <tr>
+        <td>&nbsp;</td>
+        <td class="container">
+            <div class="content">
+
+                <!-- START CENTERED WHITE CONTAINER -->
+                <table role="presentation" class="main">
+
+                    <!-- START MAIN CONTENT AREA -->
+                    <tr>
+                        <td class="wrapper">
+                            <table role="presentation" border="0" cellpadding="0" cellspacing="0">
+                                <tr>
+                                    <td>
+                                        <p class="title-container">
+                                            {% block header_content %}
+                                                <a href="{{ url('app_user_home') }}" target="_blank">{{ 'project.name'|trans }}</a>
+                                            {% endblock %}
+                                        </p>
+
+                                        {% block content "" %}
+                                    </td>
+                                </tr>
+                            </table>
+                        </td>
+                    </tr>
+                    <!-- END MAIN CONTENT AREA -->
+                </table>
+                <!-- END CENTERED WHITE CONTAINER -->
+
+                <!-- START FOOTER -->
+                <div class="footer">
+                    <table role="presentation" border="0" cellpadding="0" cellspacing="0">
+                        <tr>
+                            <td class="content-block powered-by">
+                                {% block contacts %}
+                                    <a href="{{ url('app_user_home') }}">{{ 'project.name'|trans }}</a>
+                                {% endblock %}
+                            </td>
+                        </tr>
+                    </table>
+                </div>
+                <!-- END FOOTER -->
+
+            </div>
+        </td>
+        <td>&nbsp;</td>
+    </tr>
+</table>
+</body>
+</html>
diff --git a/templates/misc/flash-messages.html.twig b/templates/misc/flash-messages.html.twig
index a69a5b66..4e7dce76 100644
--- a/templates/misc/flash-messages.html.twig
+++ b/templates/misc/flash-messages.html.twig
@@ -1,10 +1,10 @@
 {% for message in app.flashes('success') %}
-    <div class="alert alert-success" role="alert">
+    <div class="alert alert-success {{ class|default('') }}" role="alert">
         {{ message | trans }}
     </div>
 {% endfor %}
 {% for message in app.flashes('error') %}
-    <div class="alert alert-danger" role="alert">
+    <div class="alert alert-danger {{ class|default('') }}" role="alert">
         {{ message }}
     </div>
 {% endfor %}
diff --git a/templates/organization/assetType/edit.html.twig b/templates/organization/assetType/edit.html.twig
index afb60b25..f5d59202 100644
--- a/templates/organization/assetType/edit.html.twig
+++ b/templates/organization/assetType/edit.html.twig
@@ -11,9 +11,9 @@
     <a href="{{ path('app_organization_assetType_list') }}">{{ 'common.backToList' | trans }}</a>
     <h1>
         {% if app.request.get('_route') == 'app_organization_assetType_new' %}
-            {{ 'organization.asset_type.add_new' | trans }} - {{ app.user }}
+            {{ 'organization.asset_type.add_new' | trans }} - {{ organization }}
         {% else %}
-            {{ 'organization.asset_type.edit_form_title' | trans }} - {{ app.user }}
+            {{ 'organization.asset_type.edit_form_title' | trans }} - {{ organization }}
         {% endif %}
     </h1>
 
diff --git a/templates/organization/assetType/list.html.twig b/templates/organization/assetType/list.html.twig
index a408ab8b..7b015307 100644
--- a/templates/organization/assetType/list.html.twig
+++ b/templates/organization/assetType/list.html.twig
@@ -7,7 +7,7 @@
 {% endblock %}
 
 {% block body %}
-    <h1>{{ 'organization.asset_type.main_title' | trans }} - {{ app.user }}</h1>
+    <h1>{{ 'organization.asset_type.main_title' | trans }} - {{ organization }}</h1>
 
     <div class="row">
         <div class="col-12 text-right mb-2">
@@ -28,7 +28,7 @@
                 <tr>
                     <td>{{ assetType.name }}</td>
                     <td>
-                        <a href="{{ path('app_organization_assetType_edit', { id: assetType.id }) }}" class="btn btn-outline-secondary">{{ 'action.edit' | trans }}</a>
+                        <a href="{{ path('app_organization_assetType_edit', { assetType: assetType.id }) }}" class="btn btn-outline-secondary">{{ 'action.edit' | trans }}</a>
                     </td>
                 </tr>
             {% endfor %}
diff --git a/templates/organization/base.html.twig b/templates/organization/base.html.twig
index 3122b8ba..bdd3afd8 100644
--- a/templates/organization/base.html.twig
+++ b/templates/organization/base.html.twig
@@ -13,7 +13,7 @@
     <body>
         <nav class="navbar navbar-expand-lg navbar-light">
             <div class="container-xl">
-                <a class="navbar-brand" href="{{ path('app_organization_index')}}">{{ 'project.name' | trans }}</a>
+                <a class="navbar-brand" href="{{ path('app_organization_dashboard')}}">{{ 'project.name' | trans }}</a>
 
                 <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarContent" aria-controls="navbarContent" aria-expanded="false" aria-label="Toggle navigation">
                     <span class="navbar-toggler-icon"></span>
@@ -24,36 +24,55 @@
                 <div class="collapse navbar-collapse" id="navbarContent">
                     <ul class="navbar-nav mr-auto">
                         <li class="nav-item">
-                            <a class="nav-link" href="{{ path('app_organization_index')}}">{{ 'nav.section.organization' | trans }}</a>
+                            <a class="nav-link" href="{{ path('app_organization_dashboard')}}" title="{{ app.request.attributes.get('currentOrganization') }}">
+                                {{ 'nav.section.organization' | trans }} -
+                                {{ app.request.attributes.get('currentOrganization') }}
+                            </a>
                         </li>
                     </ul>
                     <div class="navbar-nav">
-                        {% if not app.user %}
-                            <a class="nav-link" href="{{ path('app_login')}}">{{ 'nav.section.volunteer' | trans }}</a>
-                        {% else %}
-                            <form action="{{ path('app_organization_search') }}" method="get" class="mr-3">
-                                <div class="input-group input-group-search">
-                                    <div class="input-group-prepend">
-                                        <span class="input-group-text"><span class="fa fa-search"></span></span>
-                                    </div>
-                                    <input type="search" class="form-control" value="{{ query | default('') }}" required name="query" placeholder="{{ 'organization.search.submit'|trans }}" />
-                                    <div class="input-group-append">
-                                        <button type="submit" class="btn btn-outline-secondary" title="{{ 'organization.search.submit'|trans }}">
-                                            <i class="fa fa-long-arrow-right"></i>
-                                        </button>
-                                    </div>
+                        <form action="{{ path('app_organization_search') }}" method="get" class="mr-3">
+                            <div class="input-group input-group-search">
+                                <div class="input-group-prepend">
+                                    <span class="input-group-text"><span class="fa fa-search"></span></span>
                                 </div>
-                            </form>
+                                <input type="search" class="form-control" value="{{ query | default('') }}" required name="query" placeholder="{{ 'organization.search.submit'|trans }}" />
+                                <div class="input-group-append">
+                                    <button type="submit" class="btn btn-outline-secondary" title="{{ 'organization.search.submit'|trans }}">
+                                        <i class="fa fa-long-arrow-right"></i>
+                                    </button>
+                                </div>
+                            </div>
+                        </form>
+
+                        {% include 'organization/_help.html.twig' %}
+
+                        <span class="navbar-text navbar-separator mt-1 ml-3 mr-4 d-none d-lg-block"></span>
 
-                            {% include 'organization/_help.html.twig' %}
+                        <li class="nav-item dropdown">
+                            <a class="nav-link dropdown-toggle text-dark font-weight-bold" href="#" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
+                                {{ app.user.fullName }}
+                            </a>
+                            <div class="dropdown-menu" aria-labelledby="navbarDropdown">
+                                {% if is_granted('ROLE_PREVIOUS_ADMIN') %}
+                                    <a class="dropdown-item text-danger" href="{{ path('app_organization_user_list', {'organization': app.user.organization.id, '_switch_user': '_exit'}) }}">{{ 'nav.section.exitImpersonation' | trans }}</a>
+                                    <hr>
+                                {% endif %}
 
-                            <a class="nav-link" href="{{ logout_path() }}">{{ 'action.logout' | trans }}</a>
+                                {% if is_granted('ROLE_SUPER_ADMIN') %}
+                                    <a class="dropdown-item" href="{{ path('app_admin_organizations') }}">{{ 'nav.section.admin' | trans }}</a>
+                                {% endif %}
 
-                            <span class="navbar-text navbar-separator mt-1 ml-3 mr-4 d-none d-lg-block"></span>
-                            <span class="navbar-text active text-dark font-weight-bold">
-                                {{  app.user }}
-                            </span>
-                        {% endif %}
+                                <a class="dropdown-item" href="{{ path('app_user_home')}}">{{ 'nav.section.volunteer' | trans }}</a>
+
+                                {% for organization in app.user.managedOrganizations %}
+                                    <a class="dropdown-item" href="{{ path('app_organization_dashboard', {organization: organization.id}) }}">{{ organization.name }}</a>
+                                {% endfor %}
+
+                                <hr>
+                                <a class="dropdown-item text-danger" href="{{ logout_path() }}">{{ 'action.logout' | trans }}</a>
+                            </div>
+                        </li>
                     </div>
                 </div>
             </div>
diff --git a/templates/organization/commissionable_asset/_list.html.twig b/templates/organization/commissionable_asset/_list.html.twig
index 9d8cee29..a4d36b07 100644
--- a/templates/organization/commissionable_asset/_list.html.twig
+++ b/templates/organization/commissionable_asset/_list.html.twig
@@ -32,7 +32,7 @@
 
                 {% if showLinks is not defined or showLinks %}
                     <td>
-                        <button class="btn btn-outline-primary text-nowrap" data-toggle="ajax-modal" data-href="{{ path('app_organization_asset_show_modal', { 'asset': asset.id }) }}" title="{{ 'action.show' | trans }}">
+                        <button class="btn btn-outline-primary text-nowrap" data-toggle="ajax-modal" data-href="{{ path('app_organization_asset_show_modal', { asset: asset.id }) }}" title="{{ 'action.show' | trans }}">
                             <span class="fa fa-copy"></span> {{ 'action.show' | trans }}
                         </button>
                     </td>
diff --git a/templates/organization/commissionable_asset/_show.html.twig b/templates/organization/commissionable_asset/_show.html.twig
index 9e228fc4..fbdf6127 100644
--- a/templates/organization/commissionable_asset/_show.html.twig
+++ b/templates/organization/commissionable_asset/_show.html.twig
@@ -1,5 +1,5 @@
-{% if app.user == asset.organization or app.user == asset.organization.parent %}
-    <a class="btn btn-primary float-right" href="{{ path('app_organization_asset_edit', {asset: asset.id, organization: asset.organization.id}) }}">{{ 'action.edit' | trans }}</a>
+{% if is_granted('ROLE_PARENT_ORGANIZATION', asset.organization) %}
+    <a class="btn btn-primary float-right" href="{{ path('app_organization_asset_edit', {asset: asset.id}) }}">{{ 'action.edit' | trans }}</a>
 {% endif %}
 
 <h1 class="mb-4">{{ asset }}</h1>
diff --git a/templates/organization/commissionable_asset/availability.html.twig b/templates/organization/commissionable_asset/availability.html.twig
index 17958fae..162f3f75 100644
--- a/templates/organization/commissionable_asset/availability.html.twig
+++ b/templates/organization/commissionable_asset/availability.html.twig
@@ -9,6 +9,8 @@
 {% endblock %}
 
 {% block body %}
+    <a href="{{ path('app_organization_assets') }}">{{ 'common.backToList' | trans }}</a>
+
     <h1>{{ 'organization.asset.availabilities' | trans ({ '%asset%' : asset }) }}</h1>
 
     {% include 'availability/_table.html.twig' with { availabilityType: 'assets', availabilityId: asset.id } %}
diff --git a/templates/organization/commissionable_asset/form.html.twig b/templates/organization/commissionable_asset/form.html.twig
index 8f07516d..4d5bd9c6 100644
--- a/templates/organization/commissionable_asset/form.html.twig
+++ b/templates/organization/commissionable_asset/form.html.twig
@@ -6,12 +6,14 @@
 
 {% block body %}
 
+    <a href="{{ path('app_organization_assets') }}">{{ 'common.backToList' | trans }}</a>
+
     {% if asset.id %}
         <a
             class="btn btn-outline-danger trigger-delete float-right"
             data-message="{{ 'message.deleteAssetWarning' | trans }}"
             data-display-name="{{ asset }}"
-            data-href="{{ path('app_organization_asset_delete', { asset: asset.id, organization: asset.organization.id }) }}"
+            data-href="{{ path('app_organization_asset_delete', { asset: asset.id }) }}"
             href="#"
         >{{ 'action.delete' | trans }}</a>
     {% endif %}
diff --git a/templates/organization/commissionable_asset/list.html.twig b/templates/organization/commissionable_asset/list.html.twig
index 0a0c863b..ba9ff830 100644
--- a/templates/organization/commissionable_asset/list.html.twig
+++ b/templates/organization/commissionable_asset/list.html.twig
@@ -14,7 +14,7 @@
 
     <div class="row">
         <div class="col-12 text-right mb-2">
-            <a class="btn btn-success" href="{{ path('app_organization_commissionable_pre_add_asset', {organization: organization.id | default(app.user.id)}) }}" role="button">
+            <a class="btn btn-success" href="{{ path('app_organization_commissionable_pre_add_asset', {organization: organization.id}) }}" role="button">
                 {{ 'organization.asset.add' | trans }}
             </a>
         </div>
diff --git a/templates/organization/commissionable_asset/preAdd.html.twig b/templates/organization/commissionable_asset/preAdd.html.twig
index 4ec23805..5b431a92 100644
--- a/templates/organization/commissionable_asset/preAdd.html.twig
+++ b/templates/organization/commissionable_asset/preAdd.html.twig
@@ -1,7 +1,7 @@
 {% extends 'organization/base.html.twig' %}
 
 {% block body %}
-    {{ form_start(form, { method: 'GET', action: path('app_organization_asset_add', {organization: organization.id | default(app.user.id)})}) }}
+    {{ form_start(form, { method: 'GET', action: path('app_organization_asset_add')}) }}
     {{ form_rest(form) }}
     {{ form_end(form) }}
 {% endblock %}
diff --git a/templates/organization/edit.html.twig b/templates/organization/edit.html.twig
index 5b2f8c10..79b21b85 100644
--- a/templates/organization/edit.html.twig
+++ b/templates/organization/edit.html.twig
@@ -4,7 +4,7 @@
     {% set formAction = path('app_organization_new') %}
     {% set formTitle = 'organization.add' | trans %}
 {% else %}
-    {% set formAction = path('app_organization_edit', { object: organization.id }) %}
+    {% set formAction = path('app_organization_edit', { organizationToEdit: organization.id }) %}
     {% set formTitle = 'organization.edit' | trans %}
 {% endif %}
 
diff --git a/templates/organization/home.html.twig b/templates/organization/home.html.twig
index a934fa53..3edd8896 100644
--- a/templates/organization/home.html.twig
+++ b/templates/organization/home.html.twig
@@ -5,27 +5,27 @@
 {% block body %}
     {{ include('misc/flash-messages.html.twig') }}
 
-    <h1>{{ app.user }}</h1>
+    <h1>{{ organization }}</h1>
 
     <p>{{ 'calendar.week.current' | trans }} : {{ 'calendar.period' | trans ({ '%from%' : 'this week' | date('d/m/Y'), '%to%' : 'sunday this week' | date('d/m/Y') }) }}</p>
     <p>
-        <a class="btn btn-outline-primary" role="button" href="{{ path('app_organization_planning', {'organizations[]': app.user.id, 'from': 'monday this week' | date('Y-m-d\\T00:00:00'), 'to': 'sunday this week' | date('Y-m-d\\T00:00:00')}) }}">
+        <a class="btn btn-outline-primary" role="button" href="{{ path('app_organization_planning', {'organizations[]': organization.id, 'from': 'monday this week' | date('Y-m-d\\T00:00:00'), 'to': 'sunday this week' | date('Y-m-d\\T00:00:00')}) }}">
             {{ 'organization.userAvailabilityCurrentWeek' | trans }}
         </a>
     </p>
 
     <p>{{ 'calendar.week.next' | trans }} : {{ 'calendar.period' | trans ({ '%from%' : 'next week' | date('d/m/Y'), '%to%' : 'sunday next week' | date('d/m/Y') }) }}</p>
     <p>
-        <a class="btn btn-outline-primary" role="button" href="{{ path('app_organization_planning', {'organizations[]': app.user.id, 'from': 'monday next week' | date('Y-m-d\\T00:00:00'), 'to': 'sunday next week' | date('Y-m-d\\T00:00:00')}) }}">
+        <a class="btn btn-outline-primary" role="button" href="{{ path('app_organization_planning', {'organizations[]': organization.id, 'from': 'monday next week' | date('Y-m-d\\T00:00:00'), 'to': 'sunday next week' | date('Y-m-d\\T00:00:00')}) }}">
             {{ 'organization.userAvailabilityNextWeek' | trans }}
         </a>
     </p>
 
     <hr>
-    <p><a class="btn btn-secondary" role="button" href="{{ path('app_organization_user_list', {'organization': app.user.id}) }}">{{ 'organization.showUserList' | trans }}</a></p>
-    <p><a class="btn btn-secondary" href="{{ path('app_organization_assets', {'organization': app.user.id}) }}" role="button">{{ 'organization.showCommissionableAssets' | trans }}</a></p>
+    <p><a class="btn btn-secondary" role="button" href="{{ path('app_organization_user_list') }}">{{ 'organization.showUserList' | trans }}</a></p>
+    <p><a class="btn btn-secondary" href="{{ path('app_organization_assets') }}" role="button">{{ 'organization.showCommissionableAssets' | trans }}</a></p>
 
-    {% if app.user.isParent() %}
+    {% if organization.isParent() %}
         <hr>
         <p><a class="btn btn-danger" href="{{ path('app_organization_planning', {minimumAvailableHours: 1, hideAssets: 1, 'userPropertyFilters[vulnerable]': 0}) }}" role="button">{{ 'organization.showAllUsersAvailability' | trans }}</a></p>
         <p><a class="btn btn-info" href="{{ path('app_organization_forecast') }}" role="button">{{ 'organization.forecast.title' | trans }}</a></p>
diff --git a/templates/organization/list.html.twig b/templates/organization/list.html.twig
index d81c5084..d8a11b4a 100644
--- a/templates/organization/list.html.twig
+++ b/templates/organization/list.html.twig
@@ -3,7 +3,7 @@
 {% block title %}{{ 'organization.list' | trans }}{% endblock %}
 
 {% block body %}
-    <h1>{{ app.user }}</h1>
+    <h1>{{ organization }}</h1>
 
     <div class="row">
         <div class="col-12 text-right mb-2">
@@ -19,14 +19,14 @@
             </tr>
             </thead>
             <tbody>
-            {% for organization in organizations %}
+            {% for child in organization.children %}
                 <tr>
-                    <td>{{ organization.name }}</td>
+                    <td>{{ child.name }}</td>
                     <td>
-                        <a href="{{ path('app_organization_edit', { object: organization.id }) }}" class="btn btn-outline-secondary">{{ 'action.edit' | trans }}</a>
-                        <a class="btn btn-outline-primary" role="button" href="{{ path('app_organization_user_list', {'organization': organization.id}) }}">{{ 'organization.userList' | trans }}</a>
-                        <a class="btn btn-outline-primary" role="button" href="{{ path('app_organization_assets', {'organization': organization.id}) }}">{{ 'organization.assetsList' | trans }}</a>
-                        <a class="btn btn-outline-primary" role="button" href="{{ path('app_organization_planning', {'organizations[]': organization.id, 'from': 'monday this week' | date('Y-m-d\\T00:00:00'), 'to': 'sunday this week' | date('Y-m-d\\T00:00:00')}) }}">{{ 'organization.userAvailabilities' | trans }}</a>
+                        <a href="{{ path('app_organization_edit', { organizationToEdit: child.id }) }}" class="btn btn-outline-secondary">{{ 'action.edit' | trans }}</a>
+                        <a class="btn btn-outline-primary" role="button" href="{{ path('app_organization_user_list', {organization: child.id}) }}">{{ 'organization.userList' | trans }}</a>
+                        <a class="btn btn-outline-primary" role="button" href="{{ path('app_organization_assets', {organization: child.id}) }}">{{ 'organization.assetsList' | trans }}</a>
+                        <a class="btn btn-outline-primary" role="button" href="{{ path('app_organization_planning', {'organizations[]': child.id, 'from': 'monday this week' | date('Y-m-d\\T00:00:00'), 'to': 'sunday this week' | date('Y-m-d\\T00:00:00')}) }}">{{ 'organization.userAvailabilities' | trans }}</a>
                     </td>
                 </tr>
             {% endfor %}
diff --git a/templates/organization/login.html.twig b/templates/organization/login.html.twig
deleted file mode 100644
index d814e45e..00000000
--- a/templates/organization/login.html.twig
+++ /dev/null
@@ -1,55 +0,0 @@
-{% extends 'organization/base.html.twig' %}
-
-{% block title %}{{ 'action.login' | trans }}{% endblock %}
-
-{% block body %}
-    <div class="row">
-        <div class="col-12 col-md-6 offset-md-3">
-            <form method="post">
-                {% if error %}
-                    <div class="alert alert-danger">
-                        {{ error.messageKey|trans(error.messageData, 'security_organization') }}
-                    </div>
-                {% endif %}
-
-                <h1 class="h3 mb-3 font-weight-normal">{{ 'action.login' | trans }}</h1>
-
-                <div class="form-row mb-4">
-                    <label for="inputIdentifier">{{ 'organization.label' | trans }}</label>
-                    <select name="identifier" id="inputIdentifier" class="form-control selectpicker show-tick" required data-live-search="true">
-                        {% for parentName, children in organizations %}
-                            <optgroup label="{{ parentName }}">
-                                {% for organization in children -%}
-                                    <option
-                                        value="{{ organization.id }}" {{ last_username == organization.id ? 'selected' : '' }}
-                                        title="{{ (organization.isParent ? '' : parentName~' - ')~ organization.name}}"
-                                    >
-                                        {{ (organization.isParent ? ' - ' : '') ~organization.name }}
-                                    </option>
-                                {%- endfor %}
-                            </optgroup>
-                        {% endfor %}
-                    </select>
-                </div>
-
-                <div class="form-row mb-4">
-                    <label for="inputPassword">Mot de passe</label>
-                    <input type="password" name="password" id="inputPassword" class="form-control" required>
-                </div>
-
-                <div class="mt-4 mb-2 d-flex">
-                    <label>
-                        <input type="checkbox" name="_remember_me"> {{ 'action.rememberMe' | trans }}
-                    </label>
-                </div>
-
-                <input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}">
-
-                <button class="btn btn-lg btn-primary w-100" type="submit">
-                    {{ 'action.loginSubmit' | trans }}
-                </button>
-            </form>
-        </div>
-    </div>
-
-{% endblock %}
diff --git a/templates/organization/mission/_list.html.twig b/templates/organization/mission/_list.html.twig
index c8219ca7..785040d3 100644
--- a/templates/organization/mission/_list.html.twig
+++ b/templates/organization/mission/_list.html.twig
@@ -58,7 +58,7 @@
                     {% endif %}
 
                     {% if modalLinks is not defined or modalLinks %}
-                        <button type="button" class="btn btn-outline-primary text-nowrap" data-toggle="ajax-modal" data-href="{{ path('app_organization_mission_modal', {id: mission.id}) }}">
+                        <button type="button" class="btn btn-outline-primary text-nowrap" data-toggle="ajax-modal" data-href="{{ path('app_organization_mission_modal', {mission: mission.id}) }}">
                             <span class="fa fa-copy"></span> {{ 'action.show' | trans }}
                         </button>
                     {% endif %}
diff --git a/templates/organization/mission/_list_full.html.twig b/templates/organization/mission/_list_full.html.twig
index 0d2cbb83..d7a90aa0 100644
--- a/templates/organization/mission/_list_full.html.twig
+++ b/templates/organization/mission/_list_full.html.twig
@@ -23,7 +23,7 @@
                 <td>
                     <span class="badge badge-secondary">{{ mission.type.name | default('') }}</span>
 
-                    <button type="button" class="btn btn-link p-0 text-nowrap" data-toggle="ajax-modal" data-href="{{ path('app_organization_mission_modal', {id: mission.id}) }}">
+                    <button type="button" class="btn btn-link p-0 text-nowrap" data-toggle="ajax-modal" data-href="{{ path('app_organization_mission_modal', {mission: mission.id}) }}">
                         <span class="fa fa-copy"></span> {{ mission.name }}
                     </button>
                 </td>
@@ -45,7 +45,7 @@
                     <td colspan="3"></td>
                     <td>{{ user.organization.name }}</td>
                     <td>
-                        <button type="button" class="btn btn-link p-0 text-nowrap" data-toggle="ajax-modal" data-href="{{ path('app_organization_user_show_modal', {userToShow: user.id, organization: user.organization.id}) }}">
+                        <button type="button" class="btn btn-link p-0 text-nowrap" data-toggle="ajax-modal" data-href="{{ path('app_organization_user_show_modal', {item: user.id}) }}">
                             <span class="fa fa-copy"></span> {{ user.fullName }}
                         </button>
                     </td>
@@ -66,7 +66,7 @@
                     <td colspan="3"></td>
                     <td>{{ asset.organization.name }}</td>
                     <td>
-                        <button type="button" class="btn btn-link p-0 text-nowrap" data-toggle="ajax-modal" data-href="{{ path('app_organization_asset_show_modal', {asset: asset.id, organization: asset.organization.id}) }}">
+                        <button type="button" class="btn btn-link p-0 text-nowrap" data-toggle="ajax-modal" data-href="{{ path('app_organization_asset_show_modal', {asset: asset.id}) }}">
                             <span class="fa fa-copy"></span> {{ asset }}
                         </button>
                     </td>
diff --git a/templates/organization/mission/_show.html.twig b/templates/organization/mission/_show.html.twig
index d6510371..d99b2cdd 100644
--- a/templates/organization/mission/_show.html.twig
+++ b/templates/organization/mission/_show.html.twig
@@ -1,4 +1,4 @@
-{% if app.user == mission.organization %}
+{% if organization == mission.organization %}
     <a class="btn btn-primary float-right" href="{{ path('app_organization_mission_edit', {'id': mission.id}) }}">{{ 'action.edit' | trans }}</a>
 {% endif %}
 
diff --git a/templates/organization/planning/_availabilities_assets.html.twig b/templates/organization/planning/_availabilities_assets.html.twig
index b233ccd2..8d7e5b85 100644
--- a/templates/organization/planning/_availabilities_assets.html.twig
+++ b/templates/organization/planning/_availabilities_assets.html.twig
@@ -11,7 +11,7 @@
 {% endblock itemDataHeader %}
 
 {% block itemDataRowHeader %}
-    <button type="button" class="btn btn-link p-0" data-toggle="ajax-modal" data-href="{{ path('app_organization_asset_show_modal', {asset: item.entity.id, organization: item.entity.organization.id}) }}">
+    <button type="button" class="btn btn-link p-0" data-toggle="ajax-modal" data-href="{{ path('app_organization_asset_show_modal', {asset: item.entity.id}) }}">
         {{ item.entity }}
     </button>
 {% endblock itemDataRowHeader %}
diff --git a/templates/organization/planning/_availabilities_users.html.twig b/templates/organization/planning/_availabilities_users.html.twig
index 82c3dc72..a69e058f 100644
--- a/templates/organization/planning/_availabilities_users.html.twig
+++ b/templates/organization/planning/_availabilities_users.html.twig
@@ -14,7 +14,7 @@
 {% endblock itemDataHeader %}
 
 {% block itemDataRowHeader %}
-    <button type="button" class="btn btn-link p-0" data-toggle="ajax-modal" data-href="{{ path('app_organization_user_show_modal', {userToShow: item.entity.id, organization: item.entity.organization.id}) }}">
+    <button type="button" class="btn btn-link p-0" data-toggle="ajax-modal" data-href="{{ path('app_organization_user_show_modal', {item: item.entity.id}) }}">
         {{ item.entity }}
     </button>
 
@@ -41,7 +41,7 @@
                     from: periodCalculator.from | date('Y-m-d\\T00:00:00'),
                     to: periodCalculator.to | date_modify('- 1 minute') | date('Y-m-d\\T00:00:00'),
                     organization: item.entity.organization.id,
-                    userToAdd: item.entity.id
+                    item: item.entity.id
                 }) }}"
                 title="{{ 'organization.asset.engage' | trans }}"
             ><span class="fa fa-plus"></span> {{ 'organization.mission.title' | trans }}</button>
diff --git a/templates/organization/planning/_results.html.twig b/templates/organization/planning/_results.html.twig
index 68dd456d..fff30a5a 100644
--- a/templates/organization/planning/_results.html.twig
+++ b/templates/organization/planning/_results.html.twig
@@ -1,4 +1,4 @@
-{% set displayActions = app.user.parent is empty %}
+{% set displayActions = organization.parent is empty %}
 <div class="container planning-actions-container">
     <div class="row">
         <div class="col-md">
diff --git a/templates/organization/search.html.twig b/templates/organization/search.html.twig
index 87cd27aa..e7c9e885 100644
--- a/templates/organization/search.html.twig
+++ b/templates/organization/search.html.twig
@@ -15,11 +15,11 @@
     <hr/>
     <h3>Bénévoles</h3>
     {% if users|length %}
-        {% include 'organization/user/_list.html.twig' with {organization: app.user} %}
+        {% include 'organization/user/_list.html.twig' %}
     {% else %}
         <p>{{ 'organization.search.noUsers' | trans }}</p>
     {% endif %}
-    <p><a class="btn btn-secondary" role="button" href="{{ path('app_organization_user_list', {'organization': app.user.id}) }}">Afficher la liste de mes bénévoles inscrits</a></p>
+    <p><a class="btn btn-secondary" role="button" href="{{ path('app_organization_user_list') }}">Afficher la liste de mes bénévoles inscrits</a></p>
 
     <hr/>
     <h3>Véhicules</h3>
@@ -28,5 +28,5 @@
     {% else %}
         <p>{{ 'organization.search.noAssets' | trans }}</p>
     {% endif %}
-    <p><a class="btn btn-secondary" href="{{ path('app_organization_assets', {'organization': app.user.id}) }}" role="button">Afficher la liste de mes véhicules</a></p>
+    <p><a class="btn btn-secondary" href="{{ path('app_organization_assets') }}" role="button">Afficher la liste de mes véhicules</a></p>
 {% endblock %}
diff --git a/templates/organization/user/_list.html.twig b/templates/organization/user/_list.html.twig
index 385439b0..39916590 100644
--- a/templates/organization/user/_list.html.twig
+++ b/templates/organization/user/_list.html.twig
@@ -38,9 +38,14 @@
                 </td>
                 {% if showLinks is not defined or showLinks %}
                     <td>
-                        <button class="btn btn-outline-primary text-nowrap" data-toggle="ajax-modal" data-href="{{ path('app_organization_user_show_modal', { 'userToShow': user.id }) }}">
+                        <button class="btn btn-outline-primary text-nowrap" data-toggle="ajax-modal" data-href="{{ path('app_organization_user_show_modal', { item: user.id }) }}" title="{{ 'action.showUser'|trans({'%user%': user.fullName}) }}">
                             <span class="fa fa-copy"></span> {{ 'action.show' | trans }}
                         </button>
+                        {% if is_granted('ROLE_ALLOWED_TO_SWITCH') %}
+                            <a class="btn btn-outline-danger text-nowrap" href="{{ path('app_user_home', { _switch_user: user.username }) }}" role="button">
+                                {{ 'action.impersonate' | trans }}
+                            </a>
+                        {% endif %}
                     </td>
                 {% endif %}
             </tr>
diff --git a/templates/organization/user/_show.html.twig b/templates/organization/user/_show.html.twig
index 9f14a4e1..27e4c44f 100644
--- a/templates/organization/user/_show.html.twig
+++ b/templates/organization/user/_show.html.twig
@@ -1,5 +1,15 @@
-{% if app.user == user.organization or app.user == user.organization.parent %}
-    <a class="btn btn-primary float-right" href="{{ path('app_organization_user_edit', {userToEdit: user.id}) }}">{{ 'action.edit' | trans }}</a>
+{% if is_granted('ROLE_PARENT_ORGANIZATION', user.organization) %}
+    <a class="btn btn-primary float-right" href="{{ path('app_organization_user_edit', {item: user.id}) }}">{{ 'action.edit' | trans }}</a>
+{% endif %}
+
+{% if is_granted('ROLE_ALLOWED_TO_SWITCH') %}
+    <a class="btn btn-outline-danger float-right mr-1 text-nowrap" href="{{ path('app_user_home', { _switch_user: user.username }) }}" role="button">{{ 'action.impersonate' | trans }}</a>
+{% endif %}
+
+{% if is_granted('ROLE_PARENT_ORGANIZATION', user.organization) and not user.organization.admins.contains(user) %}
+    <a class="btn btn-outline-danger float-right mr-1" href="{{ path('app_organization_user_promote', { item: user.id, organization: user.organization.id }) }}" role="button">
+        {{ 'action.promote' | trans({ '%organization%': user.organization.name, '%user%': user.fullName }) }}
+    </a>
 {% endif %}
 
 <h1 class="mb-4">{{ user }}</h1>
@@ -26,5 +36,33 @@
     {% endfor %}
 </dl>
 
+{% if is_granted('ROLE_PARENT_ORGANIZATION', user.organization) and user.managedOrganizations|length %}
+    <h6 class="mt-4">{{ 'organization.isAdminOf'|trans }}</h6>
+    <div class="table-responsive mb-4">
+        <table class="table text-nowrap">
+            <thead class="thead-light">
+            <tr>
+                <th>{{ 'common.name' | trans }}</th>
+                <th></th>
+            </tr>
+            </thead>
+            <tbody>
+            {% for managedOrganization in user.managedOrganizations %}
+                <tr>
+                    <td>{{ managedOrganization }}</td>
+                    <td>
+                        {% if app.user != user %}
+                            <a class="btn btn-outline-danger" href="{{ path('app_organization_user_revoke', { item: user.id, organization: managedOrganization.id }) }}" role="button">
+                                {{ 'action.revoke' | trans({ '%organization%': managedOrganization.name, '%user%': user.fullName }) }}
+                            </a>
+                        {% endif %}
+                    </td>
+                </tr>
+            {% endfor %}
+            </tbody>
+        </table>
+    </div>
+{% endif %}
+
 <h5>{{ 'organization.mission.listTitle'|trans }}</h5>
 {% include 'organization/mission/_list.html.twig' with {missions: user.missions, modalLinks: true} %}
diff --git a/templates/organization/user/edit.html.twig b/templates/organization/user/edit.html.twig
index d9212767..094bfff7 100644
--- a/templates/organization/user/edit.html.twig
+++ b/templates/organization/user/edit.html.twig
@@ -6,15 +6,20 @@
 {% endblock %}
 
 {% block body %}
+    <a href="{{ path('app_organization_user_list') }}">{{ 'common.backToList' | trans }}</a>
+
     <h1>{{ 'organization.editUserProfile' | trans }}</h1>
 
-    <a
-        class="btn btn-outline-danger trigger-delete float-right"
-        data-message="{{ 'message.deleteUserWarning' | trans }}"
-        data-display-name="{{ user.firstName }} {{ user.lastName }} ( {{ user.identificationNumber }} )"
-        data-href="{{ path('app_organization_user_delete', { 'userToDelete': user.id }) }}"
-        href="#"
-    >{{ 'action.delete' | trans }}</a>
+    <div class="float-right">
+        <a
+            class="btn btn-outline-danger trigger-delete"
+            data-message="{{ 'message.deleteUserWarning' | trans }}"
+            data-display-name="{{ user.firstName }} {{ user.lastName }} ( {{ user.identificationNumber }} )"
+            data-href="{{ path('app_organization_user_delete', { item: user.id }) }}"
+            href="#"
+        >{{ 'action.delete' | trans }}</a>
+    </div>
+    <div class="clearfix"></div>
 
     {% include '/user/_user_form.html.twig' %}
 {% endblock %}
diff --git a/templates/organization/user/list.html.twig b/templates/organization/user/list.html.twig
index cf6013de..95ef5b16 100644
--- a/templates/organization/user/list.html.twig
+++ b/templates/organization/user/list.html.twig
@@ -12,5 +12,45 @@
 
     {{ form(organization_selector_form) }}
 
+    <div class="table-responsive">
+        <table class="table table-striped text-nowrap mt-3 mb-0">
+            <thead  class="thead-light">
+            <tr>
+                <th>{{ 'user.admin' | trans }}</th>
+                <th></th>
+            </tr>
+            </thead>
+            <tbody>
+            {% for user in organization.admins %}
+                <tr>
+                    <td>{{ user }}</td>
+                    <td>
+                        <button class="btn btn-outline-primary text-nowrap" data-toggle="ajax-modal" data-href="{{ path('app_organization_user_show_modal', { item: user.id }) }}">
+                            <span class="fa fa-copy"></span> {{ 'action.show' | trans }}
+                        </button>
+                        {% if is_granted('ROLE_ALLOWED_TO_SWITCH') %}
+                            <a class="btn btn-outline-danger text-nowrap" href="{{ path('app_user_home', { _switch_user: user.username }) }}" role="button">{{ 'action.impersonate' | trans }}</a>
+                        {% endif %}
+                        {% if is_granted('ROLE_PARENT_ORGANIZATION', organization) and app.user != user %}
+                            <a class="btn btn-outline-danger" href="{{ path('app_organization_user_revoke', { item: user.id, organization: organization.id }) }}" role="button">
+                                {{ 'action.revoke' | trans({ '%organization%': organization.name, '%user%': user.fullName }) }}
+                            </a>
+                        {% endif %}
+                    </td>
+                </tr>
+            {% else %}
+                <tr>
+                    <td colspan="2">{{ 'message.noAvailableData' | trans }}</td>
+                </tr>
+            {% endfor %}
+            </tbody>
+        </table>
+    </div>
+
+    <p class="font-italic text-right small mb-5">
+        {{ 'organization.addAdmin' | trans }}<br>
+        {{ 'organization.addAdminOtherOrganization' | trans }}
+    </p>
+
     {{ include('organization/user/_list.html.twig') }}
 {% endblock %}
diff --git a/templates/reset_password/check_email.html.twig b/templates/reset_password/check_email.html.twig
new file mode 100644
index 00000000..2f444222
--- /dev/null
+++ b/templates/reset_password/check_email.html.twig
@@ -0,0 +1,14 @@
+{% extends 'base.html.twig' %}
+
+{% block title %}{{ 'user.passwordForgotten.title' | trans }}{% endblock %}
+
+{% block body %}
+
+    <h1>{{ 'user.passwordForgotten.title' | trans }}</h1>
+
+    <p class="alert alert-info mt-5">
+        {{ 'user.passwordForgotten.emailCheck' | trans({'%hours%': tokenLifetime|date('g')}) }}
+        <br><br>
+        {{ 'user.passwordForgotten.emailCheckAgain' | trans({'%link%': path('app_forgot_password_request')}) | raw }}
+    </p>
+{% endblock %}
diff --git a/templates/reset_password/email.html.twig b/templates/reset_password/email.html.twig
new file mode 100644
index 00000000..35645016
--- /dev/null
+++ b/templates/reset_password/email.html.twig
@@ -0,0 +1,11 @@
+{% extends 'mailer/_template.html.twig' %}
+
+{% block content %}
+    {% import 'mailer/_macro.html.twig' as template %}
+
+    <p>
+        {{ 'user.resetPassword.emailText'|trans({'%hours%': tokenLifetime|date('g')}) }}
+    </p>
+
+    {{ template.button(url('app_reset_password', {token: resetToken.token}), 'user.resetPassword.button'|trans, 'reset-password') }}
+{% endblock %}
diff --git a/templates/reset_password/request.html.twig b/templates/reset_password/request.html.twig
new file mode 100644
index 00000000..a5f79894
--- /dev/null
+++ b/templates/reset_password/request.html.twig
@@ -0,0 +1,21 @@
+{% extends 'base.html.twig' %}
+
+{% block title %}{{ 'user.passwordForgotten.title' | trans }}{% endblock %}
+
+{% block body %}
+
+    <h1>{{ 'user.passwordForgotten.title' | trans }}</h1>
+
+    <p>{{ 'user.passwordForgotten.request' | trans }}</p>
+
+    {{ form_start(form) }}
+
+        {% for error in app.flashes('error') %}
+            <div class="alert alert-danger" role="alert">{{ error }}</div>
+        {% endfor %}
+
+        {{ form_row(form.emailAddress) }}
+
+        <button type="submit" class="btn btn-primary">{{ 'action.submit' | trans }}</button>
+    {{ form_end(form) }}
+{% endblock %}
diff --git a/templates/reset_password/reset.html.twig b/templates/reset_password/reset.html.twig
new file mode 100644
index 00000000..bf447028
--- /dev/null
+++ b/templates/reset_password/reset.html.twig
@@ -0,0 +1,14 @@
+{% extends 'base.html.twig' %}
+
+{% block title %}{{ 'user.passwordForgotten.title' | trans }}{% endblock %}
+
+{% block body %}
+
+    <h1>{{ 'user.passwordForgotten.title' | trans }}</h1>
+
+    {{ form_start(resetForm) }}
+        {{ form_row(resetForm.plainPassword) }}
+
+        <button class="btn btn-primary">{{ 'user.resetPassword.button' | trans }}</button>
+    {{ form_end(resetForm) }}
+{% endblock %}
diff --git a/templates/user/account-form.html.twig b/templates/user/account-form.html.twig
index aa03b3dd..711c46c2 100644
--- a/templates/user/account-form.html.twig
+++ b/templates/user/account-form.html.twig
@@ -1,6 +1,6 @@
 {% extends 'base.html.twig' %}
 
-{%  set actionName = (user is defined and user.id is not null) ? 'Modification' : 'Création' %}
+{% set actionName = (user is defined and user.id is not null) ? 'Modification' : 'Création' %}
 {% block title %}{{ 'user.accountAction' | trans({ '%action%' : actionName }) }}{% endblock %}
 
 {% block javascripts %}
@@ -9,6 +9,10 @@
 {% endblock %}
 
 {% block body %}
+    {% if user is defined%}
+        <a href="{{ path('app_user_password') }}" class="btn btn-secondary float-right mt-2">{{ 'user.editMyPassword'|trans }}</a>
+    {% endif %}
+
     <h1>{{ 'user.accountAction' | trans({ '%action%' : actionName }) }}</h1>
 
     {% if user is not defined or user.id is not defined or user.id is null %}
diff --git a/templates/user/index.html.twig b/templates/user/index.html.twig
index 5d23637d..8b016f8c 100644
--- a/templates/user/index.html.twig
+++ b/templates/user/index.html.twig
@@ -10,8 +10,6 @@
 {% block body %}
     <div class="user-homepage pt-4">
         <div class="container-xl text-light">
-            {{ include('misc/flash-messages.html.twig') }}
-
             <h1 class="mt-3 mb-3 font-weight-bold">{{ 'user.welcome'|trans }} <span class="d-block d-sm-inline font-weight-normal">{{ app.user.fullName }}</span></h1>
             <h4 class="mt-1 d-md-inline-block">{{ app.user.organization }}</h4>
             <h5 class="mt-1 d-md-inline-block">
@@ -24,6 +22,14 @@
                     <span class="fa fa-angle-right"></span>
                 </a>
             </p>
+
+            {% if app.user.managedOrganizations|length and app.user.password is empty %}
+                <p class="alert alert-danger">
+                    <a href="{{ path('app_user_password') }}" class="text-danger">{{ 'user.passwordRequired'|trans }}</a>
+                </p>
+            {% endif %}
+
+            {{ include('misc/flash-messages.html.twig') }}
         </div>
 
         <div class="container-xl pt-xl-3">
diff --git a/templates/user/login.html.twig b/templates/user/login.html.twig
index e35247ce..67dd73a6 100644
--- a/templates/user/login.html.twig
+++ b/templates/user/login.html.twig
@@ -16,13 +16,47 @@
                         <form method="post">
                             <h1 class="h1 mb-3">{{ 'action.login' | trans }}</h1>
 
+                            {{ include('misc/flash-messages.html.twig', {class: 'small'}) }}
+
                             {% if error %}
                                 <div class="alert alert-danger small">{{ error.messageKey|trans(error.messageData, 'security') }}</div>
                             {% endif %}
 
                             {{ form_start(loginForm) }}
                             {{ form_row(loginForm.identifier) }}
-                            {{ form_row(loginForm.birthday) }}
+
+                            <div id="accordion">
+                                <div class="card">
+                                    <div class="card-header" id="login-birthday">
+                                        <button type="button" class="btn btn-link text-dark p-1" data-toggle="collapse" data-target="#login-birthday-body" aria-expanded="true" aria-controls="login-birthday-body">
+                                            {{ 'user.loginWithBirthday' | trans }}
+                                        </button>
+                                    </div>
+                                    <div id="login-birthday-body" class="collapse show" aria-labelledby="login-birthday" data-parent="#accordion">
+                                        <div class="card-body">
+                                            {{ form_errors(loginForm.birthday) }}
+                                            {{ form_widget(loginForm.birthday) }}
+                                        </div>
+                                    </div>
+                                </div>
+                                <div class="card">
+                                    <div class="card-header" id="login-password">
+                                        <button type="button" class="btn btn-link text-dark p-1 collapsed" data-toggle="collapse" data-target="#login-password-body" aria-expanded="false" aria-controls="login-password-body">
+                                            {{ 'user.loginWithPassword' | trans }}
+                                        </button>
+                                    </div>
+                                    <div id="login-password-body" class="collapse" aria-labelledby="login-password" data-parent="#accordion">
+                                        <div class="card-body">
+                                            {{ form_errors(loginForm.password) }}
+                                            {{ form_widget(loginForm.password) }}
+
+                                            <a href="{{ path('app_forgot_password_request') }}">
+                                                <small class="form-text text-muted">{{ 'user.passwordForgotten.title' | trans }}</small>
+                                            </a>
+                                        </div>
+                                    </div>
+                                </div>
+                            </div>
 
                             <div class="custom-control custom-checkbox mt-4 mb-5">
                                 <input type="checkbox" class="custom-control-input" name="_remember_me" id="_remember_me">
diff --git a/templates/user/password-form.html.twig b/templates/user/password-form.html.twig
new file mode 100644
index 00000000..8fde091d
--- /dev/null
+++ b/templates/user/password-form.html.twig
@@ -0,0 +1,27 @@
+{% extends 'base.html.twig' %}
+
+{% block title %}{{ 'user.passwordAction' | trans }}{% endblock %}
+
+{% block body %}
+    <h1>{{ 'user.passwordAction' | trans }}</h1>
+
+    {{ form_start(form) }}
+    {{ form_errors(form) }}
+
+    <div class="row">
+        {% if form.currentPassword is defined %}
+            <div class="col-12 col-md-6">
+                {{ form_row(form.currentPassword) }}
+            </div>
+        {% endif %}
+        <div class="col-12 col-md-6">
+            {{ form_row(form.plainPassword) }}
+        </div>
+    </div>
+
+    <div class="form-group">
+        <button type="submit" id="user_submit" class="btn-primary btn">{{ 'user.editMyPassword'|trans }}</button>
+    </div>
+
+    {{ form_end(form) }}
+{% endblock %}
diff --git a/tests/Behat/MailsContext.php b/tests/Behat/MailsContext.php
new file mode 100644
index 00000000..e5111616
--- /dev/null
+++ b/tests/Behat/MailsContext.php
@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Behat;
+
+use Alex\MailCatcher\Behat\MailCatcherContext;
+use Alex\MailCatcher\Message;
+use Symfony\Component\DomCrawler\Crawler;
+
+class MailsContext extends MailCatcherContext
+{
+    use MinkContextTrait;
+
+    /**
+     * @Then /^I click on the "([^"]+)" link in mail$/
+     */
+    public function clickOnLinkInMail(string $selector): void
+    {
+        $crawler = $this->getCrawler($this->getCurrentMessage());
+        $link = $crawler->filter($selector);
+
+        if (!$link->count()) {
+            throw new \RuntimeException("Unable to find the $selector link in mail");
+        }
+
+        if (empty($link->attr('href'))) {
+            throw new \RuntimeException("The $selector link does not have any href");
+        }
+
+        $this->getMinkContext()->visitPath((string) $link->attr('href'));
+    }
+
+    private function getCrawler(Message $message): Crawler
+    {
+        if (!$message->isMultipart() || !$message->hasPart('text/html')) {
+            throw new \RuntimeException(sprintf('The current message has no html part.'));
+        }
+
+        return new Crawler($message->getPart('text/html')->getContent());
+    }
+
+    private function getCurrentMessage(): Message
+    {
+        if (null === $this->currentMessage) {
+            throw new \RuntimeException('No message selected');
+        }
+
+        return $this->currentMessage;
+    }
+}
diff --git a/tests/Behat/MinkContextTrait.php b/tests/Behat/MinkContextTrait.php
new file mode 100644
index 00000000..a7f556c2
--- /dev/null
+++ b/tests/Behat/MinkContextTrait.php
@@ -0,0 +1,39 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Behat;
+
+use Behat\Behat\Context\Environment\InitializedContextEnvironment;
+use Behat\Behat\Hook\Scope\BeforeScenarioScope;
+use Behat\MinkExtension\Context\MinkContext;
+
+trait MinkContextTrait
+{
+    private ?MinkContext $minkContext = null;
+
+    /**
+     * @BeforeScenario
+     */
+    public function gatherContexts(BeforeScenarioScope $scope): void
+    {
+        /** @var InitializedContextEnvironment $environment */
+        $environment = $scope->getEnvironment();
+        $minkContext = $environment->getContext(MinkContext::class);
+
+        if (!$minkContext instanceof MinkContext) {
+            throw new \RuntimeException('Invalid mink context');
+        }
+
+        $this->minkContext = $minkContext;
+    }
+
+    private function getMinkContext(): MinkContext
+    {
+        if (null === $this->minkContext) {
+            throw new \RuntimeException('Invalid mink context value');
+        }
+
+        return $this->minkContext;
+    }
+}
diff --git a/tests/Behat/ResetPasswordContext.php b/tests/Behat/ResetPasswordContext.php
new file mode 100644
index 00000000..c0e19cff
--- /dev/null
+++ b/tests/Behat/ResetPasswordContext.php
@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Behat;
+
+use Behat\MinkExtension\Context\RawMinkContext;
+use Symfony\Component\Routing\RouterInterface;
+use Symfony\Component\Security\Core\User\UserProviderInterface;
+use SymfonyCasts\Bundle\ResetPassword\ResetPasswordHelperInterface;
+
+final class ResetPasswordContext extends RawMinkContext
+{
+    private RouterInterface $router;
+    private UserProviderInterface $userProvider;
+    private ResetPasswordHelperInterface $resetPasswordHelper;
+
+    public function __construct(RouterInterface $router, UserProviderInterface $userProvider, ResetPasswordHelperInterface $resetPasswordHelper)
+    {
+        $this->router = $router;
+        $this->userProvider = $userProvider;
+        $this->resetPasswordHelper = $resetPasswordHelper;
+    }
+
+    /**
+     * @When I go to the reset password page of :username
+     */
+    public function generateToken(string $username): void
+    {
+        $this->visitPath(
+            $this->router->generate('app_reset_password', [
+                'token' => $this->resetPasswordHelper->generateResetToken(
+                    $this->userProvider->loadUserByUsername($username)
+                )->getToken(),
+            ])
+        );
+    }
+}
diff --git a/tests/Behat/SecurityContext.php b/tests/Behat/SecurityContext.php
index bc7cf07e..496c6ef3 100644
--- a/tests/Behat/SecurityContext.php
+++ b/tests/Behat/SecurityContext.php
@@ -4,18 +4,11 @@
 
 namespace App\Tests\Behat;
 
-use App\Entity\Organization;
-use App\Entity\User;
-use App\Repository\OrganizationRepository;
 use App\Repository\UserRepository;
-use Behat\Behat\Context\Environment\InitializedContextEnvironment;
-use Behat\Behat\Hook\Scope\BeforeScenarioScope;
 use Behat\Mink\Driver\BrowserKitDriver;
 use Behat\Mink\Exception\ExpectationException;
-use Behat\MinkExtension\Context\MinkContext;
 use Behat\MinkExtension\Context\RawMinkContext;
 use PantherExtension\Driver\PantherDriver;
-use Symfony\Bridge\Doctrine\Security\User\UserLoaderInterface;
 use Symfony\Component\BrowserKit\Cookie;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
@@ -24,43 +17,25 @@
 
 final class SecurityContext extends RawMinkContext
 {
+    use MinkContextTrait;
+
     private UserRepository $userRepository;
-    private OrganizationRepository $organizationRepository;
     private SessionInterface $session;
-    private MinkContext $minkContext;
 
-    public function __construct(UserRepository $userRepository, OrganizationRepository $organizationRepository, SessionInterface $session)
+    public function __construct(UserRepository $userRepository, SessionInterface $session)
     {
         $this->userRepository = $userRepository;
-        $this->organizationRepository = $organizationRepository;
         $this->session = $session;
     }
 
-    /**
-     * @BeforeScenario
-     */
-    public function gatherContext(BeforeScenarioScope $scope): void
-    {
-        /** @var InitializedContextEnvironment $environment */
-        $environment = $scope->getEnvironment();
-        /** @var MinkContext $minkContext */
-        $minkContext = $environment->getContext(MinkContext::class);
-        $this->minkContext = $minkContext;
-    }
-
     /**
      * @Given I am authenticated as :username
      */
-    public function login(string $username, UserLoaderInterface $repository = null): void
+    public function login(string $username): void
     {
-        if ($repository) {
-            $user = $repository->loadUserByUsername($username);
-        } elseif (!$user = $this->userRepository->loadUserByUsername($username)) {
-            $user = $this->organizationRepository->loadUserByUsername($username);
-        }
-
+        $user = $this->userRepository->loadUserByUsername($username);
         if (!$user) {
-            throw new UsernameNotFoundException(\sprintf('%s is not a valid User or Organization.', $username));
+            throw new UsernameNotFoundException(\sprintf('%s is not a valid User.', $username));
         }
 
         /** @var BrowserKitDriver|PantherDriver $driver */
@@ -72,10 +47,9 @@ public function login(string $username, UserLoaderInterface $repository = null):
             return;
         }
 
-        $firewall = $user instanceof Organization ? 'organizations' : 'main';
         $this->session->set(
-            "_security_$firewall",
-            serialize(new UsernamePasswordToken($user, null, $firewall, $user->getRoles()))
+            '_security_main',
+            serialize(new UsernamePasswordToken($user, null, 'main', $user->getRoles()))
         );
         $this->session->save();
 
@@ -87,33 +61,15 @@ public function login(string $username, UserLoaderInterface $repository = null):
      */
     private function loginForPanther(UserInterface $user): void
     {
+        $minkContext = $this->getMinkContext();
         try {
-            if ($user instanceof User) {
-                $this->loginUserForPantherDriver($user);
-            }
-
-            if ($user instanceof Organization) {
-                $this->loginOrganizationForPantherDriver($user);
-            }
+            $minkContext->visit('/login');
+            $minkContext->fillField('user_login[identifier]', $user->getUsername());
+            $minkContext->fillField('user_login[password]', 'covid19');
+            $minkContext->pressButton('Je me connecte');
+            $minkContext->assertPageAddress('/');
         } catch (\Exception $exception) {
             throw new ExpectationException(sprintf('Impossible to connect user: %s', $exception->getMessage()), $this->getSession(), $exception);
         }
     }
-
-    private function loginUserForPantherDriver(User $user): void
-    {
-        $this->minkContext->visit('/login');
-        $this->minkContext->fillField('user_login[identifier]', $user->getIdentificationNumber());
-        $this->minkContext->pressButton('Je me connecte');
-        $this->minkContext->assertPageAddress('/');
-    }
-
-    private function loginOrganizationForPantherDriver(Organization $user): void
-    {
-        $this->minkContext->visit('/organizations/login');
-        $this->minkContext->selectOption('identifier', $user->getUsername());
-        $this->minkContext->fillField('password', 'covid19');
-        $this->minkContext->pressButton('Je me connecte');
-        $this->minkContext->assertPageAddress('/organizations/'.$user->getId());
-    }
 }
diff --git a/tests/Behat/UserPlanningContext.php b/tests/Behat/UserPlanningContext.php
index 12b03441..094f4413 100644
--- a/tests/Behat/UserPlanningContext.php
+++ b/tests/Behat/UserPlanningContext.php
@@ -4,12 +4,20 @@
 
 namespace App\Tests\Behat;
 
+use App\Domain\DatePeriodCalculator;
 use Behat\Mink\Exception\ElementNotFoundException;
 use Behat\Mink\Exception\ExpectationException;
 use Behat\MinkExtension\Context\RawMinkContext;
 
 final class UserPlanningContext extends RawMinkContext
 {
+    private string $slotInterval;
+
+    public function __construct(string $slotInterval)
+    {
+        $this->slotInterval = $slotInterval;
+    }
+
     /**
      * @When /^I (?P<action>(?:check|uncheck)) "(?P<time>[^"]+)" availability checkbox$/
      */
@@ -20,12 +28,7 @@ public function checkColumn(string $action, string $time): void
             throw new \InvalidArgumentException("Time \"$time\" is not valid.");
         }
 
-        $dateTime = new \DateTime($time);
-        $dateTime->setTime((int) $dateTime->format('H'), 0, 0, 0);
-        if (1 === (int) $dateTime->format('H') % 2) {
-            $dateTime->setTime((int) $dateTime->format('H') - 1, 0, 0, 0);
-        }
-
+        $dateTime = DatePeriodCalculator::roundToDailyInterval(new \DateTimeImmutable($time), \DateInterval::createFromDateString($this->slotInterval));
         $elements = $page->findAll('css', sprintf('table.availability-form-table tbody td[data-from="%d"] input[type="checkbox"]:not(:disabled)', $dateTime->format('U')));
         if (0 === \count($elements)) {
             throw new ElementNotFoundException($this->getSession()->getDriver(), 'form field', 'css', sprintf('%s (%s) (%s)', $time, $dateTime->format('Y-m-d H:i:s'), $dateTime->format('U')));
@@ -82,8 +85,15 @@ public function verifyColumn(string $time, string $state): void
         // Reverse the state to ensure no element is checked/unchecked
         $locator .= 'checked' === $state ? ':not(:checked)' : ':checked';
         $count = \count($page->findAll('css', $locator));
-        if (0 < $count) {
-            throw new ExpectationException(sprintf('%d checkboxes of column "%s" are not %s.', (int) $count, $time, $state), $this->getSession()->getDriver());
+        if (0 === $count) {
+            return;
         }
+
+        $message = sprintf('%d checkboxes of column "%s" are not %s.', (int) $count, $time, (string) $state);
+        if (1 === $count) {
+            $message = sprintf('the checkbox of column "%s" is not %s.', $time, (string) $state);
+        }
+
+        throw new ExpectationException($message, $this->getSession()->getDriver());
     }
 }
diff --git a/tests/Security/Voter/CommissionableAssetVoterTest.php b/tests/Security/Voter/CommissionableAssetVoterTest.php
deleted file mode 100644
index b009cd38..00000000
--- a/tests/Security/Voter/CommissionableAssetVoterTest.php
+++ /dev/null
@@ -1,80 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Tests\Security\Voter;
-
-use App\Entity\CommissionableAsset;
-use App\Entity\Organization;
-use App\Entity\User;
-use App\Security\Voter\CommissionableAssetVoter;
-use PHPUnit\Framework\TestCase;
-use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
-use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
-use Symfony\Component\Security\Core\User\UserInterface;
-
-class CommissionableAssetVoterTest extends TestCase
-{
-    /** @dataProvider voteProvider */
-    public function testVote(string $attribute, CommissionableAsset $subject, int $expectedResult, ?UserInterface $user): void
-    {
-        $voter = new CommissionableAssetVoter();
-        $token = $this->createMock(TokenInterface::class);
-
-        $token->expects(self::exactly($expectedResult ? 1 : 0))->method('getUser')->willReturn($user);
-
-        self::assertSame($expectedResult, $voter->vote($token, $subject, [$attribute]));
-    }
-
-    public function voteProvider(): array
-    {
-        $parentOrganization = new Organization();
-        $childOrganization = new Organization();
-        $childOrganization->parent = $parentOrganization;
-
-        $parentAsset = new CommissionableAsset();
-        $parentAsset->organization = $parentOrganization;
-
-        $childAsset = new CommissionableAsset();
-        $childAsset->organization = $childOrganization;
-
-        return [
-            'wrong attribute abstains' => [
-                'attribute' => 'foo',
-                'subject' => $parentAsset,
-                'expectedResult' => VoterInterface::ACCESS_ABSTAIN,
-                'loggedOrganization' => null,
-            ],
-            'denies access for plain user' => [
-                'attribute' => CommissionableAssetVoter::CAN_EDIT,
-                'subject' => $parentAsset,
-                'expectedResult' => VoterInterface::ACCESS_DENIED,
-                'loggedOrganization' => new User(),
-            ],
-            'denies access for different organization' => [
-                'attribute' => CommissionableAssetVoter::CAN_EDIT,
-                'subject' => $parentAsset,
-                'expectedResult' => VoterInterface::ACCESS_DENIED,
-                'loggedOrganization' => new Organization(),
-            ],
-            'grants access for same organization' => [
-                'attribute' => CommissionableAssetVoter::CAN_EDIT,
-                'subject' => $parentAsset,
-                'expectedResult' => VoterInterface::ACCESS_GRANTED,
-                'loggedOrganization' => $parentOrganization,
-            ],
-            'denies access for child organization' => [
-                'attribute' => CommissionableAssetVoter::CAN_EDIT,
-                'subject' => $parentAsset,
-                'expectedResult' => VoterInterface::ACCESS_DENIED,
-                'loggedOrganization' => $childOrganization,
-            ],
-            'grants access for parent organization' => [
-                'attribute' => CommissionableAssetVoter::CAN_EDIT,
-                'subject' => $childAsset,
-                'expectedResult' => VoterInterface::ACCESS_GRANTED,
-                'loggedOrganization' => $parentOrganization,
-            ],
-        ];
-    }
-}
diff --git a/tests/Security/Voter/OrganizationVoterTest.php b/tests/Security/Voter/OrganizationVoterTest.php
deleted file mode 100644
index a43bcce4..00000000
--- a/tests/Security/Voter/OrganizationVoterTest.php
+++ /dev/null
@@ -1,73 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Tests\Security\Voter;
-
-use App\Entity\Organization;
-use App\Entity\User;
-use App\Security\Voter\OrganizationVoter;
-use PHPUnit\Framework\TestCase;
-use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
-use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
-use Symfony\Component\Security\Core\User\UserInterface;
-
-class OrganizationVoterTest extends TestCase
-{
-    /** @dataProvider voteProvider */
-    public function testVote(string $attribute, Organization $subject, int $expectedResult, ?UserInterface $user): void
-    {
-        $voter = new OrganizationVoter();
-        $token = $this->createMock(TokenInterface::class);
-
-        $token->expects(self::exactly($expectedResult ? 1 : 0))->method('getUser')->willReturn($user);
-
-        self::assertSame($expectedResult, $voter->vote($token, $subject, [$attribute]));
-    }
-
-    public function voteProvider(): array
-    {
-        $organization = new Organization();
-        $child = new Organization();
-        $child->parent = $organization;
-
-        return [
-            'wrong attribute abstains' => [
-                'attribute' => 'foo',
-                'subject' => $organization,
-                'expectedResult' => VoterInterface::ACCESS_ABSTAIN,
-                'loggedOrganization' => null,
-            ],
-            'denies access for plain user' => [
-                'attribute' => OrganizationVoter::CAN_MANAGE,
-                'subject' => $organization,
-                'expectedResult' => VoterInterface::ACCESS_DENIED,
-                'loggedOrganization' => new User(),
-            ],
-            'denies access for different organization' => [
-                'attribute' => OrganizationVoter::CAN_MANAGE,
-                'subject' => $organization,
-                'expectedResult' => VoterInterface::ACCESS_DENIED,
-                'loggedOrganization' => new Organization(),
-            ],
-            'grants access for same organization' => [
-                'attribute' => OrganizationVoter::CAN_MANAGE,
-                'subject' => $organization,
-                'expectedResult' => VoterInterface::ACCESS_GRANTED,
-                'loggedOrganization' => $organization,
-            ],
-            'denies access for child organization' => [
-                'attribute' => OrganizationVoter::CAN_MANAGE,
-                'subject' => $organization,
-                'expectedResult' => VoterInterface::ACCESS_DENIED,
-                'loggedOrganization' => $child,
-            ],
-            'grants access for parent organization' => [
-                'attribute' => OrganizationVoter::CAN_MANAGE,
-                'subject' => $child,
-                'expectedResult' => VoterInterface::ACCESS_GRANTED,
-                'loggedOrganization' => $organization,
-            ],
-        ];
-    }
-}
diff --git a/translations/messages.fr.yaml b/translations/messages.fr.yaml
index 08cbd87d..bae9b3b0 100644
--- a/translations/messages.fr.yaml
+++ b/translations/messages.fr.yaml
@@ -6,6 +6,10 @@ action:
   edit: Modifier
   loading: Chargement...
   login: Connexion
+  promote: Promouvoir en tant qu'admin de %organization%
+  revoke: Révoquer les droits d'admin sur %organization%
+  showUser: Afficher la fiche de %user%
+  impersonate: Usurper l'identité
   search: Rechercher
   searchQuery: Rechercher "%query%"
   loginSubmit: Je me connecte
@@ -70,6 +74,8 @@ nav:
   section:
     volunteer: Espace bénévole
     organization: Espace structure
+    admin: Admin
+    exitImpersonation: Retour à l'admin
   welcome: Bienvenue
 organization:
   add: Ajouter une structure
@@ -177,6 +183,9 @@ organization:
     skillset: Compétences Croix-Rouge
   userTitle: Bénévole
   users: Bénévoles
+  addAdmin: Pour ajouter un admin, utiliser le bouton "Promouvoir en tant qu'admin" dans la fiche d'un bénévole.
+  addAdminOtherOrganization: Pour promouvoir un bénévole d'une autre structure, vous devez le changer de structure, le promouvoir, puis changer à nouveau.
+  isAdminOf: Ce bénévole est administrateur des structures (et de leurs sous-structures) 
   asset_type:
     main_title: Types de véhicule
     add_new: Ajouter un nouveau type de véhicule
@@ -211,8 +220,11 @@ project:
   description: Réserve opérationnelle - Croix-Rouge Française à Paris
   name: ResOP
   version: Version %tag%
+  emailSender: noreply@resop.com
 user:
+  admin: Admin
   accountAction: "%action% de compte"
+  passwordAction: Mon mot de passe
   availabilities: Vos disponibilités
   availabilityCurrentWeek: Mes disponibilités pour la semaine courante
   availabilityNextWeek: Mes disponibilités pour la semaine prochaine
@@ -231,11 +243,21 @@ user:
   dob: Date de naissance
   info: Informations
   editMyInfo: Modifier mes informations
+  editMyPassword: Modifier mon mot de passe
+  createMyPassword: Renseigner mon mot de passe
+  passwordRequired: Vous devez renseigner votre mot de passe afin d'administrer votre structure
   email: E-mail
   firstName: Prénom
   identificationNumber: NIVOL
   lastName: Nom
   login: Numéro NIVOL ou Adresse e-mail
+  loginWithBirthday: Je me connecte avec ma date de naissance
+  loginWithPassword: Je me connecte avec mon mot de passe
+  currentPassword: Mot de passe actuel
+  password: Mot de passe
+  confirmPassword: Confirmation du mot de passe
+  newPassword: Nouveau mot de passe
+  confirmNewPassword: Confirmation du nouveau mot de passe
   mobile: Numéro de téléphone portable
   occupationTitle: Profession
   occupation:
@@ -255,10 +277,26 @@ user:
   skill: Compétence
   skills: Compétences
   organizationOccupation: Cadre
-  welcome: Bienvenue, 
+  welcome: Bienvenue,
+  passwordForgotten:
+    title: J'ai oublié mon mot de passe
+    request: Veuillez saisir votre adresse email afin d'obtenir un lien de réinitialisation de votre mot de passe.
+    emailCheck: |
+      Si votre adresse mail est valide, un email vous a été envoyé contenant un lien vous permettant de réinitialiser mon mot de passe.
+      Ce lien expirera dans %hours% heure(s).
+    emailCheckAgain: Si vous ne recevez pas cet email, veuillez vérifier vos spams ou <a href="%link%">réessayez</a>.
+  resetPassword:
+    button: Réinitialiser mon mot de passe
+    tooMany: Vous avez déjà demandé la réinitialisation de votre mot de passe. Attendez une minute avant de recommencer si vous n'avez rien reçu.
+    expired: Le lien de réinitialisation est invalide ou a expiré. Réessayez à nouveau de réinitialiser votre mot de passe.
+    emailText: |
+      Afin de réinitialiser votre mot de passe, cliquez sur le bouton ci-dessous.
+      Attention: le lien expirera dans %hours% heure(s).
+    sucess: Votre mot de passe a été mis à jour avec succès.
 
 # Symfony default translations
 Submit: Enregistrer
+Current password: Votre mot de passe actuel
 
 register:
   introduction: |