diff --git a/apps/assets/models/asset/common.py b/apps/assets/models/asset/common.py
index 6d845f05b..a22e552e9 100644
--- a/apps/assets/models/asset/common.py
+++ b/apps/assets/models/asset/common.py
@@ -131,8 +131,16 @@ class JSONFilterMixin:
             value = [value]
         if name == 'nodes':
             nodes = Node.objects.filter(id__in=value)
-            children = Node.get_nodes_all_children(nodes, with_self=True).values_list('id', flat=True)
-            return Q(nodes__in=children)
+            if match == 'm2m_all':
+                assets = Asset.objects.all()
+                for n in nodes:
+                    children_pattern = Node.get_node_all_children_key_pattern(n.key)
+                    assets = assets.filter(nodes__key__regex=children_pattern)
+                q = Q(id__in=assets.values_list('id', flat=True))
+                return q
+            else:
+                children = Node.get_nodes_all_children(nodes, with_self=True).values_list('id', flat=True)
+                return Q(nodes__in=children)
         elif name == 'category':
             return Q(platform__category__in=value)
         elif name == 'type':
diff --git a/apps/users/models/user.py b/apps/users/models/user.py
index 15054aa4f..b8dd467c6 100644
--- a/apps/users/models/user.py
+++ b/apps/users/models/user.py
@@ -12,6 +12,7 @@ from django.contrib.auth.hashers import check_password
 from django.contrib.auth.models import AbstractUser
 from django.core.cache import cache
 from django.db import models
+from django.db.models import Count
 from django.shortcuts import reverse
 from django.utils import timezone
 from django.utils.module_loading import import_string
@@ -708,29 +709,29 @@ class MFAMixin:
 
 
 class JSONFilterMixin:
-    """
-    users = JSONManyToManyField('users.User', blank=True, null=True)
-    """
-
     @staticmethod
     def get_json_filter_attr_q(name, value, match):
         from rbac.models import RoleBinding
         from orgs.utils import current_org
 
+        kwargs = {}
         if name == 'system_roles':
-            user_id = RoleBinding.objects \
-                .filter(role__in=value, scope='system') \
-                .values_list('user_id', flat=True)
-            return models.Q(id__in=user_id)
+            kwargs['scope'] = 'system'
         elif name == 'org_roles':
-            kwargs = dict(role__in=value, scope='org')
+            kwargs['scope'] = 'org'
             if not current_org.is_root():
                 kwargs['org_id'] = current_org.id
+        else:
+            return None
 
-            user_id = RoleBinding.objects.filter(**kwargs) \
-                .values_list('user_id', flat=True)
-            return models.Q(id__in=user_id)
-        return None
+        bindings = RoleBinding.objects.filter(**kwargs, role__in=value)
+        if match == 'm2m_all':
+            user_id = bindings.values('user_id').annotate(count=Count('user_id')) \
+                .filter(count=len(value)).values_list('user_id', flat=True)
+        else:
+            user_id = bindings.values_list('user_id', flat=True)
+
+        return models.Q(id__in=user_id)
 
 
 class User(AuthMixin, TokenMixin, RoleMixin, MFAMixin, JSONFilterMixin, AbstractUser):