diff --git a/user/schema/mutation.py b/user/schema/mutation.py
index 782dd09ece5722decfd9bdd0ba6c31021aaf7a63..5636e58b208096b2bb7d17fdaa667c9e6ba47548 100644
--- a/user/schema/mutation.py
+++ b/user/schema/mutation.py
@@ -2,6 +2,7 @@ from typing import List
 
 import graphene
 from django.contrib.auth.models import Group
+from rest_framework.exceptions import PermissionDenied
 
 from aai.models import Perms
 from aai.utils import protected, extra_protected, Check
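Review bot: `PermissionDenied` is imported from `rest_framework.exceptions`, but this file is a graphene schema, and DRF maps that exception to a 403 response only inside DRF views. If the mutation is served by graphene's own view, the exception will presumably surface as an ordinary entry in the GraphQL `errors` list. Consider `from django.core.exceptions import PermissionDenied`, or whichever error type the other mutations in this module already raise, so clients see denials reported consistently.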
@@ -230,8 +231,23 @@ class ChangeUserDataMutation(graphene.Mutation):
     ) -> graphene.Mutation:
         user = get_model(User, id=change_user_input.user_id)
         if change_user_input.group is not None:
+            if (
+                change_user_input.group == "admin"
+                and not info.context.user.is_superuser
+            ):
+                raise PermissionDenied(
+                    "Permission denied - Only admin can change user to admin group"
+                )
             user.group = Group.objects.get(name=change_user_input.group)
-
+            if change_user_input.group == "admin":
+                user.is_superuser = True
+                user.is_staff = True
+            elif change_user_input.group == "instructor":
+                user.is_staff = True
+                user.is_superuser = False
+            elif change_user_input.group == "trainee":
+                user.is_staff = False
+                user.is_superuser = False
         if (
             change_user_input.active is not None and not user.is_imported
         ):  # can not change is_active of imported user (should be always False)
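Review bot: The new guard only fires when the requested group is `admin`, so a caller who is not a superuser can still re-group a target who already is one, and the `trainee` and `instructor` branches then clear `is_superuser` on that account. Checking the target as well would close this, e.g. `if (change_user_input.group == "admin" or user.is_superuser) and not info.context.user.is_superuser:`. The `if`/`elif` chain also has no fallback, so any other group name keeps the previous `is_staff`/`is_superuser` values after the group changes; an `else:` that clears both flags or rejects the name would avoid stale privileges. The `instructor` branch grants `is_staff` with no comparable check, which should be confirmed against what the mutation's decorators enforce, since the signature, decorators and save call lie outside this hunk.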