From 19ef1e357712823daadfda1620d733e5b11b5125 Mon Sep 17 00:00:00 2001
From: VIacheslavKlimov <viacheslavklimov11@gmail.com>
Date: Fri, 3 Oct 2025 11:18:56 +0300
Subject: [PATCH] Fix tenant admins filter for enforced 2FA

---
 .../java/org/thingsboard/server/dao/user/UserServiceImpl.java  | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/dao/src/main/java/org/thingsboard/server/dao/user/UserServiceImpl.java b/dao/src/main/java/org/thingsboard/server/dao/user/UserServiceImpl.java
index 7b5e4da6a0..4a83c71d66 100644
--- a/dao/src/main/java/org/thingsboard/server/dao/user/UserServiceImpl.java
+++ b/dao/src/main/java/org/thingsboard/server/dao/user/UserServiceImpl.java
@@ -556,6 +556,9 @@ public class UserServiceImpl extends AbstractCachedEntityService<UserCacheKey, U
     public boolean matchesFilter(TenantId tenantId, SystemLevelUsersFilter filter, User user) {
         switch (filter.getType()) {
             case TENANT_ADMINISTRATORS -> {
+                if (user.isSystemAdmin() || user.isCustomerUser()) {
+                    return false;
+                }
                 TenantAdministratorsFilter tenantAdministratorsFilter = (TenantAdministratorsFilter) filter;
                 if (isNotEmpty(tenantAdministratorsFilter.getTenantsIds())) {
                     return tenantAdministratorsFilter.getTenantsIds().contains(user.getTenantId().getId());