diff --git a/cmd/defaults.yaml b/cmd/defaults.yaml
index d5ccfec7f5..55263bbe2c 100644
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -635,6 +635,8 @@ SystemAPIUsers:
 # - "SYSTEM_OWNER"
 # - "SYSTEM_OWNER_VIEWER"
 # # Actually, we don't recommend adding IAM_OWNER and ORG_OWNER to the System membership, as this basically enables god mode for the system user
+# - MemberType IAM and Organization let you restrict access to a specific instance or organization by specifying the AggregateID
+# Roles:
 # - "IAM_OWNER"
 # - "IAM_OWNER_VIEWER"
 # - "IAM_ORG_MANAGER"
@@ -642,9 +644,6 @@ SystemAPIUsers:
 # - "IAM_ADMIN_IMPERSONATOR"
 # - "IAM_END_USER_IMPERSONATOR"
 # - "IAM_LOGIN_CLIENT"
-# # MemberType IAM and Organization let you restrict access to a specific instance or organization by specifying the AggregateID
-# - MemberType: IAM
-# Roles: "IAM_OWNER"
 # AggregateID: "123456789012345678"
 # - MemberType: Organization
 # Roles: "ORG_OWNER"
diff --git a/internal/api/grpc/user/v2/integration_test/query_test.go b/internal/api/grpc/user/v2/integration_test/query_test.go
index 1f0d2bd7b8..f38991e9a9 100644
--- a/internal/api/grpc/user/v2/integration_test/query_test.go
+++ b/internal/api/grpc/user/v2/integration_test/query_test.go
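Review bot: The added line in the first hunk, `# - MemberType IAM and Organization let you restrict access to a specific instance or organization by specifying the AggregateID`, turns the explanatory sentence into the list item itself, while the second hunk deletes the `# - MemberType: IAM` entry it replaces; as the hunks read, the `# Roles:` block and the `# AggregateID: "123456789012345678"` line that follow no longer hang off a `MemberType` key, so the commented example cannot be uncommented as-is. Because this example is how an operator learns to scope a system user to a single instance or organization instead of granting it instance-wide roles, it is worth keeping it valid: put the explanation on its own comment line and restore the key, i.e. `# # MemberType IAM and Organization let you restrict access to a specific instance or organization by specifying the AggregateID` followed by `# - MemberType: IAM` directly above `# Roles:`. The original indentation is not recoverable from this collapsed hunk, so this reading is inferred from line order alone.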
@@ -1199,16 +1199,27 @@ func TestServer_SystemUsers_ListUsers(t *testing.T) {
 tests := []struct {
 name string
 ctx context.Context
+req *user.ListUsersRequest
 expectedFoundUsernames []string
 }{
 {
 name: "list users with neccessary permissions",
 ctx: SystemCTX,
+req: &user.ListUsersRequest{},
 expectedFoundUsernames: []string{"Test_SystemUsers_ListUser1@zitadel.com", "Test_SystemUsers_ListUser2@zitadel.com", "Test_SystemUsers_ListUser3@zitadel.com"},
 },
 {
 name: "list users without neccessary permissions",
 ctx: SystemUserWithNoPermissionsCTX,
+req: &user.ListUsersRequest{},
+},
+{
+name: "list users without neccessary permissions specifying org",
+req: &user.ListUsersRequest{
+Queries: []*user.SearchQuery{OrganizationIdQuery(org2.OrganizationId)},
+},
+ctx: SystemCTX,
+expectedFoundUsernames: []string{"Test_SystemUsers_ListUser2@zitadel.com"},
 },
 }
@@ -1220,7 +1231,7 @@ func TestServer_SystemUsers_ListUsers(t *testing.T) {
 retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.ctx, 1*time.Minute)
 require.EventuallyWithT(t, func(ttt *assert.CollectT) {
-got, err := Client.ListUsers(tt.ctx, &user.ListUsersRequest{})
+got, err := Client.ListUsers(tt.ctx, tt.req)
 require.NoError(ttt, err)
 if tt.expectedFoundUsernames == nil {
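Review bot: The new case `name: "list users without neccessary permissions specifying org"` runs with `ctx: SystemCTX`, the same fully privileged context as the first case, so what it checks is that the `OrganizationIdQuery` filter narrows the result to org2's user, not that a system user lacking instance-wide permissions is confined to one organization as the name states. If the intent is to cover a system user whose membership is scoped to a single organization, the case needs a context for such a user (none is visible in this hunk); otherwise rename it, e.g. `name: "list users with neccessary permissions specifying org",` (the spelling `neccessary` is carried over from the existing names). The new case also lists `req` before `ctx`, whereas the other two put `ctx` first; keep the field order consistent across the table. The `tests` table is complete here, but the enclosing `TestServer_SystemUsers_ListUsers` continues past the hunk.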