diff --git a/app/database/crud/rbac.py b/app/database/crud/rbac.py
index d3a215ac..5204d535 100644
--- a/app/database/crud/rbac.py
+++ b/app/database/crud/rbac.py
@@ -467,7 +467,7 @@ class AuditLogCRUD:
 if user_id is not None:
 filters.append(AdminAuditLog.user_id == user_id)
 if action is not None:
- filters.append(AdminAuditLog.action == action)
+ filters.append(AdminAuditLog.action.ilike(f'%{action}%'))
 if resource_type is not None:
 filters.append(AdminAuditLog.resource_type == resource_type)
 if status is not None:
diff --git a/app/services/permission_service.py b/app/services/permission_service.py
index 26f1affc..13b0a34f 100644
--- a/app/services/permission_service.py
+++ b/app/services/permission_service.py
@@ -300,10 +300,11 @@ class PermissionService:
 permissions, role_names, max_level = await UserRoleCRUD.get_user_permissions(db, user_id)
 # Legacy config-based admins get full superadmin permissions
+ # Level is SUPERADMIN_LEVEL + 1 so they can manage all roles including level-999
 if user is not None and not permissions and _is_legacy_admin(user):
 permissions = ['*:*']
 role_names = ['superadmin']
- max_level = SUPERADMIN_LEVEL
+ max_level = SUPERADMIN_LEVEL + 1
 return {
 'permissions': permissions,
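Review bot: The new `ilike(f'%{action}%')` filter puts the caller's `action` value into the pattern unescaped, so a `%` or `_` in it acts as a wildcard and the audit-log query returns more rows than the caller asked for. The value is still sent as a bound parameter, so this is a matching-accuracy problem rather than injection, but audit queries should return a predictable result set. Escaping the wildcards keeps the substring behaviour, for example `filters.append(AdminAuditLog.action.icontains(action, autoescape=True))` if the project is on SQLAlchemy 2.0 or later. A pattern with a leading wildcard generally cannot use an ordinary index on `action`, which matters on a table that only grows, and the neighbouring `resource_type` filter still uses exact equality. The enclosing method starts and ends outside the hunk.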
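Review bot: `max_level = SUPERADMIN_LEVEL + 1` places the config-based legacy admin above every role stored in the database, and that ceiling exists only as inline arithmetic in this branch. Any check elsewhere that compares against `SUPERADMIN_LEVEL` or validates a level range would not know about the extra value, and presumably no database role can then manage or restrict such an account. A named constant next to `SUPERADMIN_LEVEL`, e.g. `LEGACY_ADMIN_LEVEL = SUPERADMIN_LEVEL + 1`, used here as `max_level = LEGACY_ADMIN_LEVEL`, would make the privilege easy to find in review. The added comment hard-codes `level-999` while the code uses the constant, so it should name the constant instead. The function starts outside the hunk and its return statement continues past it.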