diff --git a/backend/src/main/java/org/raddatz/familienarchiv/config/DataInitializer.java b/backend/src/main/java/org/raddatz/familienarchiv/config/DataInitializer.java
index 18571eb3..c4164a66 100644
--- a/backend/src/main/java/org/raddatz/familienarchiv/config/DataInitializer.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/config/DataInitializer.java
@@ -81,7 +81,8 @@ public class DataInitializer {
     @Profile("e2e")
     public CommandLineRunner initE2EData(PersonRepository personRepo,
             DocumentRepository docRepo,
-            TagRepository tagRepo) {
+            TagRepository tagRepo,
+            PasswordEncoder passwordEncoder) {
         return args -> {
             if (personRepo.count() > 0) {
                 log.info("E2E seed: Daten bereits vorhanden, überspringe.");
@@ -165,8 +166,21 @@ public class DataInitializer {
                     .receivers(Set.of(otto))
                     .build());
 
-            log.info("E2E seed: {} Personen, {} Tags, {} Dokumente erstellt.",
-                    personRepo.count(), tagRepo.count(), docRepo.count());
+            // ── Read-only user (for permissions E2E tests) ───────────────────
+            // Username: reader / Password: reader123
+            // Has only READ_ALL — used to assert write controls are absent.
+            UserGroup leserGroup = groupRepository.save(UserGroup.builder()
+                    .name("Leser")
+                    .permissions(Set.of("READ_ALL"))
+                    .build());
+            userRepository.save(AppUser.builder()
+                    .username("reader")
+                    .password(passwordEncoder.encode("reader123"))
+                    .groups(Set.of(leserGroup))
+                    .build());
+
+            log.info("E2E seed: {} Personen, {} Tags, {} Dokumente, {} Benutzer erstellt.",
+                    personRepo.count(), tagRepo.count(), docRepo.count(), userRepository.count());
         };
     }
 }