There are some industry-wide “best practices” to this. One should not be able to change the password, but only reset it unless you are logged in as that user. This is particularly important so that the user cannot just login to another users account, even though you are the admin. Obviously with database access, you can change salts + hash and then do this… but then it means a deeper breach. I know we don’t implement this meaningfully in OpenMRS now… But we should think about this, not just for REST. But thinking about it now (and a ticket in core after we agree about this is good) that we are doing in REST is my recommendation.
I’ve seen a case where an admin user changed the user password, logged in as that user, made a change with the user not knowing it at all. There is no way for non-repudiation principle in the way its currently implemented in OpenMRS.