diff --git a/keystone/tests/unit/test_v3_assignment.py b/keystone/tests/unit/test_v3_assignment.py
index 2b4c22404e..96c08308ab 100644
--- a/keystone/tests/unit/test_v3_assignment.py
+++ b/keystone/tests/unit/test_v3_assignment.py
@@ -24,6 +24,7 @@ import keystone.conf
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit import test_v3
+from keystone.tests.unit import utils as test_utils
 
 
 CONF = keystone.conf.CONF
@@ -3591,6 +3592,29 @@ class UserSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
         ) % {'project_id': self.project_id}
         self.get(path, expected_status=http_client.BAD_REQUEST)
 
+    @test_utils.wip("Waiting on fix for bug #1748970")
+    def test_query_for_role_id_does_not_return_system_user_roles(self):
+        system_role_id = self._create_new_role()
+
+        # assign the user a role on the system
+        member_url = '/system/users/%(user_id)s/roles/%(role_id)s' % {
+            'user_id': self.user['id'],
+            'role_id': system_role_id
+        }
+        self.put(member_url)
+
+        # The user has a role on the system and on a project, but self.role_id
+        # is only given to the user on the project. If we ask for role
+        # assignments matching that role for that specific user, we should only
+        # get one back. Instead, we get two back because the role assignment
+        # API isn't filtering out system role assignments when queried for a
+        # specific role.
+        path = (
+            '/role_assignments?role.id=%(role_id)s&user.id=%(user_id)s'
+        ) % {'role_id': self.role_id, 'user_id': self.user['id']}
+        response = self.get(path)
+        self.assertValidRoleAssignmentListResponse(response, expected_length=1)
+
 
 # FIXME(lbragstad): These tests contain system-level API calls, which means
 # they will log a warning message if they are called with a project-scoped
@@ -3860,3 +3884,36 @@ class GroupSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
             }
         )
         self.assertValidRoleAssignmentListResponse(response, expected_length=0)
+
+    @test_utils.wip("Waiting on fix for bug #1748970")
+    def test_query_for_role_id_does_not_return_system_group_roles(self):
+        system_role_id = self._create_new_role()
+        group = self._create_group()
+
+        # assign the group a role on the system
+        member_url = '/system/groups/%(group_id)s/roles/%(role_id)s' % {
+            'group_id': group['id'],
+            'role_id': system_role_id
+        }
+        self.put(member_url)
+
+        # assign the group a role on the system
+        member_url = (
+            '/projects/%(project_id)s/groups/%(group_id)s/roles/%(role_id)s' %
+            {'project_id': self.project_id,
+             'group_id': group['id'],
+             'role_id': self.role_id}
+        )
+        self.put(member_url)
+
+        # The group has a role on the system and on a project, but self.role_id
+        # is only given to the group on the project. If we ask for role
+        # assignments matching that role for that specific group, we should
+        # only get one back. Instead, we get two back because the role
+        # assignment API isn't filtering out system role assignments when
+        # queried for a specific role.
+        path = (
+            '/role_assignments?role.id=%(role_id)s&group.id=%(group_id)s'
+        ) % {'role_id': self.role_id, 'group_id': group['id']}
+        response = self.get(path)
+        self.assertValidRoleAssignmentListResponse(response, expected_length=1)