diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index 04d596429aa..80a2227b983 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -757,6 +757,8 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
         // first search distinct vm id by using query criteria and pagination
         SearchBuilder<UserVmJoinVO> sb = _userVmJoinDao.createSearchBuilder();
         sb.select(null, Func.DISTINCT, sb.entity().getId()); // select distinct ids
+
+        // build acl search builder condition
         _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
                 listProjectResourcesCriteria, grantedIds, revokedIds);
 
@@ -824,10 +826,12 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
             sb.and("affinityGroupId", sb.entity().getAffinityGroupId(), SearchCriteria.Op.EQ);
         }
 
+
+
         // populate the search criteria with the values passed in
         SearchCriteria<UserVmJoinVO> sc = sb.create();
 
-        // building ACL condition
+        // building ACL search criteria
         _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
                 listProjectResourcesCriteria);
 
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index db21b3dfc88..03b51f4cbaa 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -2368,7 +2368,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
                 if (rolePerm.getScope() == PermissionScope.ACCOUNT || !listAll) {
                     // only resource owner can see it, only match account
                     permittedAccounts.add(caller.getId());
-                } else {
+                } else if (rolePerm.getScope() == PermissionScope.DOMAIN) {
                     // match domain tree based on cmd.isRecursive flag or not
                     domainIdRecursiveListProject.first(caller.getDomainId());
                 }
@@ -2403,29 +2403,52 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
     @Override
     public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
             ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds, List<Long> revokedIds) {
-        sb.and().op("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
-        sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
 
-        if (((permittedAccounts.isEmpty()) && (domainId != null) && isRecursive)) {
-            // if accountId isn't specified, we can do a domain match for the
-            // admin case if isRecursive is true
-            sb.and("domainPath", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
+        if (!revokedIds.isEmpty()) {
+            sb.and("idNIN", sb.entity().getId(), SearchCriteria.Op.NIN);
         }
+        if (permittedAccounts.isEmpty() && domainId == null && listProjectResourcesCriteria == null) {
+            // caller role authorize him to access everything matching query criteria
+            return;
+
+        }
+        boolean hasOp = true;
+        if (!permittedAccounts.isEmpty()) {
+            sb.and().op("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
+        } else if (domainId != null) {
+            if (isRecursive) {
+                // if accountId isn't specified, we can do a domain match for the
+                // admin case if isRecursive is true
+                sb.and().op("domainPath", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
+            } else {
+                sb.and().op("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
+            }
+        } else {
+            hasOp = false;
+        }
+
 
         if (listProjectResourcesCriteria != null) {
-            if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
-                sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
-            } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
-                sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ);
+            if (hasOp) {
+                if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
+                    sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
+                } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
+                    sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ);
+                }
+            } else {
+                if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
+                    sb.and().op("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
+                } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
+                    sb.and().op("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ);
+                }
             }
         }
+
         if (!grantedIds.isEmpty()) {
             sb.or("idIN", sb.entity().getId(), SearchCriteria.Op.IN);
         }
         sb.cp();
-        if (!revokedIds.isEmpty()) {
-            sb.and("idNIN", sb.entity().getId(), SearchCriteria.Op.NIN);
-        }
+
 
     }