diff --git a/backend/src/test/java/org/raddatz/familienarchiv/controller/UserControllerTest.java b/backend/src/test/java/org/raddatz/familienarchiv/controller/UserControllerTest.java
index 2b330a83..a0fca09c 100644
--- a/backend/src/test/java/org/raddatz/familienarchiv/controller/UserControllerTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/controller/UserControllerTest.java
@@ -18,8 +18,10 @@ import java.util.UUID;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -104,4 +106,31 @@ class UserControllerTest {
 .content("{\"email\":\"\",\"initialPassword\":\"secret123\"}"))
 .andExpect(status().isBadRequest());
 }
+
+ // ─── permission enforcement ───────────────────────────────────────────────
+
+ @Test
+ @WithMockUser(username = "reader@example.com")
+ void createUser_returns403_whenCallerLacksAdminUserPermission() throws Exception {
+ mockMvc.perform(post("/api/users")
+ .contentType(org.springframework.http.MediaType.APPLICATION_JSON)
+ .content("{\"email\":\"x@x.com\",\"initialPassword\":\"secret123\"}"))
+ .andExpect(status().isForbidden());
+ }
+
+ @Test
+ @WithMockUser(username = "reader@example.com")
+ void adminUpdateUser_returns403_whenCallerLacksAdminUserPermission() throws Exception {
+ mockMvc.perform(put("/api/users/" + UUID.randomUUID())
+ .contentType(org.springframework.http.MediaType.APPLICATION_JSON)
+ .content("{}"))
+ .andExpect(status().isForbidden());
+ }
+
+ @Test
+ @WithMockUser(username = "reader@example.com")
+ void deleteUser_returns403_whenCallerLacksAdminUserPermission() throws Exception {
+ mockMvc.perform(delete("/api/users/" + UUID.randomUUID()))
+ .andExpect(status().isForbidden());
+ }
 }
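Review bot: The three new 403 tests only cover the deny side of the permission check, so they would also pass if the endpoints rejected every authenticated caller; a companion test with a mock user that carries the admin-user authority, e.g. `@WithMockUser(username = "admin@example.com", authorities = "<ADMIN_USER_AUTHORITY_PLACEHOLDER>")` expecting a non-403 status, is what ties the check to the permission rather than to authentication alone. In `adminUpdateUser_returns403_whenCallerLacksAdminUserPermission` the `{}` body would presumably draw a 400 if request validation ran before authorization, so the 403 assertion silently pins that ordering; a comment such as `// authorization is expected to run before body validation, otherwise this would be 400` makes that intent explicit for the next maintainer. `org.springframework.http.MediaType.APPLICATION_JSON` is spelled fully qualified three times; importing `MediaType` in the import hunk above keeps the chains readable. `@WithMockUser` is not among the imports this commit adds, so it is presumably already imported by the existing tests.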