diff --git a/lib/rbac/filterer.rb b/lib/rbac/filterer.rb
index f778e781725..64c7f1a0652 100644
--- a/lib/rbac/filterer.rb
+++ b/lib/rbac/filterer.rb
@@ -61,7 +61,7 @@ class Filterer
 # value:
 # array - disallowed roles for the user's role
 DISALLOWED_ROLES_FOR_USER_ROLE = {
- 'EvmRole-tenant_administrator' => %w(EvmRole-super_administrator)
+ 'EvmRole-tenant_administrator' => %w(EvmRole-super_administrator EvmRole-administrator)
 }.freeze
 # key: descendant::klass
diff --git a/spec/lib/rbac/filterer_spec.rb b/spec/lib/rbac/filterer_spec.rb
index 73703ec6743..6906b389e4e 100644
--- a/spec/lib/rbac/filterer_spec.rb
+++ b/spec/lib/rbac/filterer_spec.rb
@@ -341,6 +341,10 @@ def get_rbac_results_for_and_expect_objects(klass, expected_objects)
 FactoryGirl.create(:miq_user_role, :name => MiqUserRole::SUPER_ADMIN_ROLE_NAME)
 end
+ let!(:administrator_user_role) do
+ FactoryGirl.create(:miq_user_role, :name => MiqUserRole::ADMIN_ROLE_NAME)
+ end
+
 let(:group) do
 FactoryGirl.create(:miq_group, :tenant => default_tenant, :miq_user_role => tenant_administrator_user_role)
 end
@@ -348,12 +352,12 @@ def get_rbac_results_for_and_expect_objects(klass, expected_objects)
 let!(:user) { FactoryGirl.create(:user, :miq_groups => [group]) }
 it 'can see all roles expect to EvmRole-super_administrator' do
- expect(MiqUserRole.count).to eq(2)
+ expect(MiqUserRole.count).to eq(3)
 get_rbac_results_for_and_expect_objects(MiqUserRole, [tenant_administrator_user_role])
 end
 it 'can see all groups expect to group with role EvmRole-super_administrator' do
- expect(MiqUserRole.count).to eq(2)
+ expect(MiqUserRole.count).to eq(3)
 get_rbac_results_for_and_expect_objects(MiqGroup, [group])
 end
 end
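Review bot: In lib/rbac/filterer.rb, `DISALLOWED_ROLES_FOR_USER_ROLE` remains a denylist of literal role names, so a tenant administrator is kept away only from the two roles spelled out here; a copied or custom role that carries the same privileges under another name would, as far as this hunk shows, still pass the filter. The spec in this commit already refers to these roles as `MiqUserRole::SUPER_ADMIN_ROLE_NAME` and `MiqUserRole::ADMIN_ROLE_NAME`, and building the list from those constants instead of `%w(...)` would keep the filter from drifting away from the seeded names (assuming the constants hold these strings and are loadable where this class body is evaluated). The comment above the constant should also say why the entry exists, for example `# roles more privileged than the key role; hidden from users holding the key role`. The rest of the class is outside the hunk, so whether any non-search path applies the same list cannot be confirmed from here.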
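Review bot: In spec/lib/rbac/filterer_spec.rb, the MiqGroup example does not exercise the new denylist entry: the visible setup creates `administrator_user_role` but no group that carries it, so the expectation of `[group]` would hold with or without the change unless such a group is defined outside the hunk. Adding `let!(:administrator_group) { FactoryGirl.create(:miq_group, :tenant => default_tenant, :miq_user_role => administrator_user_role) }` would make that example fail if EvmRole-administrator were ever dropped from the list. Both example descriptions still name only EvmRole-super_administrator and say 'expect to' where 'except' is meant, so they no longer describe what is asserted. The enclosing context block starts and ends outside the hunks.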