diff --git a/backend/src/main/java/com/example/erp/common/constants/UsrErrorCode.java b/backend/src/main/java/com/example/erp/common/constants/UsrErrorCode.java
index c0bc742..91c769e 100644
--- a/backend/src/main/java/com/example/erp/common/constants/UsrErrorCode.java
+++ b/backend/src/main/java/com/example/erp/common/constants/UsrErrorCode.java
@@ -5,6 +5,7 @@ public final class UsrErrorCode {
     public static final int PERMISSION_DENIED = 40300;
     public static final int USERNAME_EXISTS = 40901;
     public static final int USER_CODE_EXISTS = 40902;
+    public static final int EMPLOYEE_NOT_FOUND = 40401;
 
     private UsrErrorCode() {}
 }
diff --git a/backend/src/main/java/com/example/erp/module/usr/service/impl/UserServiceImpl.java b/backend/src/main/java/com/example/erp/module/usr/service/impl/UserServiceImpl.java
index f5345a1..9a526b9 100644
--- a/backend/src/main/java/com/example/erp/module/usr/service/impl/UserServiceImpl.java
+++ b/backend/src/main/java/com/example/erp/module/usr/service/impl/UserServiceImpl.java
@@ -60,7 +60,7 @@ public class UserServiceImpl implements UserService {
                     .eq(StaffEntity::getSId, req.getEmployeeId())
                     .eq(StaffEntity::getSBrandsId, principal.brandId()));
             if (staff == null) {
-                throw new BizException(40001, "员工不存在");
+                throw new BizException(UsrErrorCode.EMPLOYEE_NOT_FOUND, "员工不存在");
             }
         }
 
@@ -81,15 +81,18 @@ public class UserServiceImpl implements UserService {
         userMapper.insert(user);
 
         if (req.getPermGroupIds() != null && !req.getPermGroupIds().isEmpty()) {
-            for (String groupId : req.getPermGroupIds()) {
-                UserPermissionEntity perm = new UserPermissionEntity();
-                perm.setSId(UUID.randomUUID().toString());
-                perm.setSBrandsId(principal.brandId());
-                perm.setTCreateDate(LocalDateTime.now());
-                perm.setSUserId(user.getSId());
-                perm.setSPermGroupId(groupId);
-                userPermissionMapper.insert(perm);
-            }
+            List<UserPermissionEntity> perms = req.getPermGroupIds().stream()
+                    .map(groupId -> {
+                        UserPermissionEntity perm = new UserPermissionEntity();
+                        perm.setSId(UUID.randomUUID().toString());
+                        perm.setSBrandsId(principal.brandId());
+                        perm.setTCreateDate(LocalDateTime.now());
+                        perm.setSUserId(user.getSId());
+                        perm.setSPermGroupId(groupId);
+                        return perm;
+                    })
+                    .collect(Collectors.toList());
+            userPermissionMapper.insert(perms);
         }
 
         UserCreateRespVO vo = new UserCreateRespVO();
@@ -116,7 +119,8 @@ public class UserServiceImpl implements UserService {
     @Override
     @Transactional(readOnly = true)
     public List<PermissionGroupVO> getPermissionGroups(String brandId) {
-        List<PermissionGroupEntity> groups = permGroupMapper.selectList(null);
+        List<PermissionGroupEntity> groups = permGroupMapper.selectList(new LambdaQueryWrapper<PermissionGroupEntity>()
+                .eq(PermissionGroupEntity::getSBrandsId, brandId));
         return groups.stream().map(g -> {
             PermissionGroupVO vo = new PermissionGroupVO();
             vo.setSId(g.getSId());
diff --git a/backend/src/test/java/com/example/erp/module/usr/UserServiceTest.java b/backend/src/test/java/com/example/erp/module/usr/UserServiceTest.java
index 34eb6af..e08b6b0 100644
--- a/backend/src/test/java/com/example/erp/module/usr/UserServiceTest.java
+++ b/backend/src/test/java/com/example/erp/module/usr/UserServiceTest.java
@@ -8,6 +8,7 @@ import com.example.erp.module.usr.entity.UsrUserEntity;
 import com.example.erp.module.usr.entity.UserPermissionEntity;
 import com.example.erp.module.usr.mapper.PermissionGroupMapper;
 import com.example.erp.module.usr.mapper.StaffMapper;
+import com.example.erp.common.constants.UsrErrorCode;
 import com.example.erp.module.usr.mapper.UserPermissionMapper;
 import com.example.erp.module.usr.mapper.UsrUserMapper;
 import com.example.erp.module.usr.service.impl.UserServiceImpl;
@@ -94,16 +95,16 @@ class UserServiceTest {
     }
 
     @Test
+    @SuppressWarnings("unchecked")
     void createUser_withPermGroups_insertsPermissions() {
         req.setPermGroupIds(List.of("g1", "g2"));
         when(userMapper.selectCount(any())).thenReturn(0L);
         when(passwordEncoder.encode(anyString())).thenReturn("$2a$10$hashed");
         when(userMapper.insert(any(UsrUserEntity.class))).thenReturn(1);
-        when(userPermissionMapper.insert(any(UserPermissionEntity.class))).thenReturn(1);
 
         userService.createUser(req, superAdmin);
 
-        verify(userPermissionMapper, times(2)).insert(any(UserPermissionEntity.class));
+        verify(userPermissionMapper).insert(argThat((java.util.Collection<UserPermissionEntity> c) -> c.size() == 2));
     }
 
     @Test
@@ -114,6 +115,6 @@ class UserServiceTest {
 
         BizException ex = assertThrows(BizException.class,
                 () -> userService.createUser(req, superAdmin));
-        assertEquals(40001, ex.getCode());
+        assertEquals(UsrErrorCode.EMPLOYEE_NOT_FOUND, ex.getCode());
     }
 }