diff --git a/devfront/src/components/common/ForbiddenMessage.test.tsx b/devfront/src/components/common/ForbiddenMessage.test.tsx
index 99a5c653..bbad6610 100644
--- a/devfront/src/components/common/ForbiddenMessage.test.tsx
+++ b/devfront/src/components/common/ForbiddenMessage.test.tsx
@@ -65,14 +65,17 @@ describe("ForbiddenMessage", () => {
     expect(clients.textContent).toContain("target application");
   });
 
-  it("renders standard user guidance for legacy admin roles", async () => {
-    // legacy roles are now normalized to 'user' and show user guidance
+  it("renders specific guidance for privileged admin roles", async () => {
     authState.user.profile.role = "rp_admin";
     const rpAdmin = await renderMessage("clients");
-    expect(rpAdmin.textContent).toContain("Standard user accounts");
+    expect(rpAdmin.textContent).toContain(
+      "RP administrators can only access resources for their assigned applications.",
+    );
 
     authState.user.profile.role = "tenant_admin";
     const tenantAdmin = await renderMessage("clients");
-    expect(tenantAdmin.textContent).toContain("Standard user accounts");
+    expect(tenantAdmin.textContent).toContain(
+      "Tenant administrator permissions are not configured correctly or have expired.",
+    );
   });
 });
diff --git a/devfront/src/lib/role.test.ts b/devfront/src/lib/role.test.ts
index fa87ecf3..6ad7bb98 100644
--- a/devfront/src/lib/role.test.ts
+++ b/devfront/src/lib/role.test.ts
@@ -6,8 +6,8 @@ describe("normalizeRole", () => {
     expect(normalizeRole("tenant_member")).toBe("user");
     expect(normalizeRole("admin")).toBe("user");
     expect(normalizeRole("superadmin")).toBe("super_admin");
-    expect(normalizeRole("tenantadmin")).toBe("user");
-    expect(normalizeRole("rpadmin")).toBe("user");
+    expect(normalizeRole("tenantadmin")).toBe("tenant_admin");
+    expect(normalizeRole("rpadmin")).toBe("rp_admin");
   });
 
   it("returns 'user' for unknown string values and empty string for non-strings", () => {