diff --git a/service/internal/auth/casbin_test.go b/service/internal/auth/casbin_test.go
index 7c6f04f0f..c4d480a17 100644
--- a/service/internal/auth/casbin_test.go
+++ b/service/internal/auth/casbin_test.go
@@ -460,27 +460,32 @@ func (s *AuthnCasbinSuite) Test_ExtendDefaultPolicies_MalformedErrors() {
 func (s *AuthnCasbinSuite) Test_SetPolicy() {
 enforcer, err := NewCasbinEnforcer(CasbinConfig{}, logger.CreateTestLogger())
 s.Require().NoError(err)
- tok := s.newTokWithDefaultClaim(true, false, false)
 // Org-admin role
 err = enforcer.SetPolicy(strings.Join([]string{
- "p, role:org-admin, new.service.*, *, allow",
 "p, role:admin, new.hello.*, *, allow",
 "p, role:standard, new.hello.*, read, allow",
 "p, role:standard, new.hello.*, write, deny",
 }, "\n"))
 s.Require().NoError(err)
- // allowed role for new policy is allowed
- allowed, err := enforcer.Enforce(tok, "new.service.DoSomething", "read")
- s.Require().NoError(err)
- s.True(allowed)
+ // unauthorized role
+ tok := s.newTokWithDefaultClaim(false, false)
+ allowed, err := enforcer.Enforce(tok, "new.hello.World", "read")
+ s.Require().Error(err)
+ s.False(allowed)
+ allowed, err = enforcer.Enforce(tok, "new.hello.World", "write")
+ s.Require().Error(err)
+ s.False(allowed)
+ allowed, err = enforcer.Enforce(tok, "new.service.DoSomething", "read")
+ s.Require().Error(err)
+ s.False(allowed)
 allowed, err = enforcer.Enforce(tok, "new.service.DoSomething", "write")
- s.Require().NoError(err)
- s.True(allowed)
+ s.Require().Error(err)
+ s.False(allowed)
 // other roles denied new policy: admin
- tok = s.newTokWithDefaultClaim(false, true, false)
+ tok = s.newTokWithDefaultClaim(true, false)
 allowed, err = enforcer.Enforce(tok, "new.hello.World", "read")
 s.Require().NoError(err)
 s.True(allowed)
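Review bot: The `// Org-admin role` comment kept above `enforcer.SetPolicy` is now stale, because the `role:org-admin, new.service.*` rule it described is removed and the remaining policy only defines admin and standard rules; replace it with `// Policies for the admin and standard roles only; new.service.* is deliberately left uncovered` or drop it. The new unauthorized-role checks accept any error through `s.Require().Error(err)`, so a token-parsing or policy-loading failure would also satisfy the assertion for the wrong reason; if the enforcer exposes a distinguishable error, `s.Require().ErrorIs(err, <unauthorized sentinel error>)` (or `s.Require().ErrorContains(err, <expected message fragment>)`) would pin the behaviour actually under test. Since no rule matches `new.service.*` any more, the two `new.service.DoSomething` checks exercise an unmatched resource rather than the role, which presumably fails for every role; the `new.hello.World` checks already cover the covered-resource case, so consider either removing the service checks or commenting why an unmatched resource is asserted here. Test_SetPolicy continues past the end of this hunk.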
@@ -495,7 +500,7 @@ func (s *AuthnCasbinSuite) Test_SetPolicy() {
 s.False(allowed)
 // other roles denied new policy: standard
- tok = s.newTokWithDefaultClaim(false, false, true)
+ tok = s.newTokWithDefaultClaim(false, true)
 allowed, err = enforcer.Enforce(tok, "new.hello.World", "read")
 s.Require().NoError(err)
 s.True(allowed)