diff --git a/pkg/identityserver/organization_registry_test.go b/pkg/identityserver/organization_registry_test.go
index 4627683210..5b8c6ee17c 100644
--- a/pkg/identityserver/organization_registry_test.go
+++ b/pkg/identityserver/organization_registry_test.go
@@ -213,6 +213,56 @@ func TestOrganizationsCRUD(t *testing.T) {
 a.So(updated.Name, should.Equal, "Updated Name")
 }
 
+ t.Run("Contact Info Restrictions", func(t *testing.T) { // nolint:paralleltest
+ a, ctx := test.New(t)
+
+ oldSetOtherAsContacts := is.config.CollaboratorRights.SetOthersAsContacts
+ t.Cleanup(func() { is.config.CollaboratorRights.SetOthersAsContacts = oldSetOtherAsContacts })
+ is.config.CollaboratorRights.SetOthersAsContacts = false
+
+ // Set usr-2 as collaborator to client.
+ oac := ttnpb.NewOrganizationAccessClient(cc)
+ oac.SetCollaborator(ctx, &ttnpb.SetOrganizationCollaboratorRequest{
+ OrganizationIds: created.GetIds(),
+ Collaborator: &ttnpb.Collaborator{
+ Ids: usr2.GetOrganizationOrUserIdentifiers(),
+ Rights: []ttnpb.Right{ttnpb.Right_RIGHT_ALL},
+ },
+ }, creds)
+
+ // Attempt to set another collaborator as administrative contact.
+ _, err := reg.Update(ctx, &ttnpb.UpdateOrganizationRequest{
+ Organization: &ttnpb.Organization{
+ Ids: created.GetIds(),
+ AdministrativeContact: usr2.GetOrganizationOrUserIdentifiers(),
+ },
+ FieldMask: ttnpb.FieldMask("administrative_contact"),
+ }, creds)
+ a.So(errors.IsPermissionDenied(err), should.BeTrue)
+
+ // Admin can bypass contact info restrictions.
+ _, err = reg.Update(ctx, &ttnpb.UpdateOrganizationRequest{
+ Organization: &ttnpb.Organization{
+ Ids: created.GetIds(),
+ AdministrativeContact: usr1.GetOrganizationOrUserIdentifiers(),
+ },
+ FieldMask: ttnpb.FieldMask("administrative_contact"),
+ }, adminCreds)
+ a.So(err, should.BeNil)
+
+ is.config.CollaboratorRights.SetOthersAsContacts = true
+
+ // Now usr-1 can set usr-2 as technical contact.
+ _, err = reg.Update(ctx, &ttnpb.UpdateOrganizationRequest{
+ Organization: &ttnpb.Organization{
+ Ids: created.GetIds(),
+ TechnicalContact: usr2.GetOrganizationOrUserIdentifiers(),
+ },
+ FieldMask: ttnpb.FieldMask("technical_contact"),
+ }, creds)
+ a.So(err, should.BeNil)
+ })
+
 for _, collaborator := range []*ttnpb.OrganizationOrUserIdentifiers{nil, usr1.GetOrganizationOrUserIdentifiers()} {
 list, err := reg.List(ctx, &ttnpb.ListOrganizationsRequest{
 FieldMask: ttnpb.FieldMask("name"),
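Review bot: The result of `oac.SetCollaborator(...)` in the new "Contact Info Restrictions" subtest is discarded, so a failed collaborator setup would go unnoticed and the later contact-update assertions could pass or fail for a reason unrelated to `SetOthersAsContacts`. Capture and assert it with `_, err := oac.SetCollaborator(ctx, &ttnpb.SetOrganizationCollaboratorRequest{...}, creds)` followed by `a.So(err, should.BeNil)`, and change the next `_, err := reg.Update(` to `_, err = reg.Update(`. The denied case also covers only `administrative_contact`; while the flag is off, a matching `technical_contact` update asserting `errors.IsPermissionDenied` would exercise both restricted fields instead of leaving one authorization path untested. The setup comment says "collaborator to client" although the call targets an organization, which looks like a copy-paste leftover. The enclosing TestOrganizationsCRUD starts and ends outside this hunk.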