diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index bed708ff2..16e286d21 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -13,11 +13,14 @@ class UserPolicy < ApplicationPolicy
 end
 def update?
+ # full access for admins
 return true if user.permissions?('admin.user')
 # forbid non-agents to change users
 return false if !user.permissions?('ticket.agent')
- # allow agents to change customers
+ # allow agents to change customers only
+ return false if record.permissions?(['admin.user', 'ticket.agent'])
+
 record.permissions?('ticket.customer')
 end
diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb
index 1212bfbcb..339fb47ef 100644
--- a/spec/policies/user_policy_spec.rb
+++ b/spec/policies/user_policy_spec.rb
@@ -126,6 +126,21 @@ describe UserPolicy do
 it { is_expected.to permit_action(:show) }
 it { is_expected.to forbid_actions(%i[update destroy]) }
 end
+
+ context 'when record is both admin and customer' do
+ let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Admin').id)) }
+
+ it { is_expected.to permit_action(:show) }
+ it { is_expected.to forbid_actions(%i[update destroy]) }
+ end
+
+ context 'when record is both agent and customer' do
+ let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Agent').id)) }
+
+ it { is_expected.to permit_action(:show) }
+ it { is_expected.to forbid_actions(%i[update destroy]) }
+ end
+
 end
 context 'when user is a customer' do
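Review bot: The new guard `return false if record.permissions?(['admin.user', 'ticket.agent'])` also denies an agent updating their own record, because that record necessarily holds `ticket.agent`; unless self-edits are authorized before `update?` is reached (nothing in the hunk shows that), this is a behaviour change the new specs do not cover, and it wants either `return true if user.id == record.id` placed ahead of the guard or a spec case documenting that self-updates are deliberately refused here. The guard relies on the array form of `permissions?` meaning "any of these"; the two new spec contexts pin that, but stating it in the comment, e.g. `# agents may not touch records holding any elevated permission (any-of check)`, keeps a future reader from assuming all-of semantics. The list is also narrow: a record whose elevated access comes from a different `admin.*` key (if such roles exist in this deployment) remains editable by an agent, so consider matching the `admin` parent key if `permissions?` supports prefix matching. `update?` is fully visible in the hunk.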
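Review bot: `Role.signup_role_ids.push(Role.find_by(name: 'Admin').id)` in the two new `let(:record)` blocks mutates the array that `Role.signup_role_ids` returns; if that method ever returns a memoized or class-level array, the Admin or Agent id leaks into every later caller in the process and silently changes other examples' fixtures. Building a fresh array with `role_ids: Role.signup_role_ids + [Role.find_by(name: 'Admin').id]` removes the dependency on how `signup_role_ids` is implemented. `Role.find_by(name: 'Admin')` may also return `nil` in a trimmed fixture set, turning the failure into a `NoMethodError` on `.id`; `Role.find_by!(name: 'Admin')` would report the real cause. The enclosing context starts before this hunk.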
@@ -169,5 +184,18 @@ describe UserPolicy do
 it { is_expected.to permit_action(:show) }
 it { is_expected.to forbid_actions(%i[update destroy]) }
 end
+
+ context 'when record is both admin and customer' do
+ let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Admin').id)) }
+
+ it { is_expected.to forbid_actions(%i[show update destroy]) }
+ end
+
+ context 'when record is both agent and customer' do
+ let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Agent').id)) }
+
+ it { is_expected.to forbid_actions(%i[show update destroy]) }
+ end
+
 end
 end
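Review bot: The two `let(:record)` definitions added here are character-for-character copies of the ones added in the earlier context, so the role-id construction now appears four times in the spec; a single helper near the top of the file, e.g. `def customer_with_role(name)` returning `create(:customer, role_ids: Role.signup_role_ids + [Role.find_by!(name: name).id])`, would let each context read `let(:record) { customer_with_role('Admin') }` and keep any later change to how elevated customers are built in one place. The `forbid_actions(%i[show update destroy])` expectation is right for a customer actor, but a one-line comment such as `# customers never see other users, regardless of the target's roles` would explain why `show` is forbidden here while it is permitted in the agent contexts. The enclosing `context 'when user is a customer'` starts before this hunk.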