diff --git a/devfront/src/components/common/ForbiddenMessage.test.tsx b/devfront/src/components/common/ForbiddenMessage.test.tsx
index 4189d754..99a5c653 100644
--- a/devfront/src/components/common/ForbiddenMessage.test.tsx
+++ b/devfront/src/components/common/ForbiddenMessage.test.tsx
@@ -58,20 +58,21 @@ describe("ForbiddenMessage", () => {
 
     const consents = await renderMessage("consents");
     expect(consents.textContent).toContain("User Consent Grants");
-    expect(consents.textContent).toContain("consent read");
+    expect(consents.textContent).toContain("operational relationship");
 
     const clients = await renderMessage("clients");
     expect(clients.textContent).toContain("Connected Applications");
-    expect(clients.textContent).toContain("target RP");
+    expect(clients.textContent).toContain("target application");
   });
 
-  it("renders role-specific administrator guidance", async () => {
+  it("renders standard user guidance for legacy admin roles", async () => {
+    // legacy roles are now normalized to 'user' and show user guidance
     authState.user.profile.role = "rp_admin";
     const rpAdmin = await renderMessage("clients");
-    expect(rpAdmin.textContent).toContain("RP administrators");
+    expect(rpAdmin.textContent).toContain("Standard user accounts");
 
     authState.user.profile.role = "tenant_admin";
     const tenantAdmin = await renderMessage("clients");
-    expect(tenantAdmin.textContent).toContain("tenant administrator");
+    expect(tenantAdmin.textContent).toContain("Standard user accounts");
   });
 });
diff --git a/devfront/src/lib/role.test.ts b/devfront/src/lib/role.test.ts
index f91d910d..fa87ecf3 100644
--- a/devfront/src/lib/role.test.ts
+++ b/devfront/src/lib/role.test.ts
@@ -4,14 +4,14 @@ import { normalizeRole, resolveProfileRole } from "./role";
 describe("normalizeRole", () => {
   it("normalizes known role aliases", () => {
     expect(normalizeRole("tenant_member")).toBe("user");
-    expect(normalizeRole("admin")).toBe("tenant_admin");
+    expect(normalizeRole("admin")).toBe("user");
     expect(normalizeRole("superadmin")).toBe("super_admin");
-    expect(normalizeRole("tenantadmin")).toBe("tenant_admin");
-    expect(normalizeRole("rpadmin")).toBe("rp_admin");
+    expect(normalizeRole("tenantadmin")).toBe("user");
+    expect(normalizeRole("rpadmin")).toBe("user");
   });
 
-  it("returns a trimmed lowercase role for unknown values", () => {
-    expect(normalizeRole("  custom_role  ")).toBe("custom_role");
+  it("returns 'user' for unknown string values and empty string for non-strings", () => {
+    expect(normalizeRole("  custom_role  ")).toBe("user");
     expect(normalizeRole(123)).toBe("");
   });
 });