diff --git a/backend/src/main/java/com/xly/test4/module/usr/controller/UserController.java b/backend/src/main/java/com/xly/test4/module/usr/controller/UserController.java
new file mode 100644
index 0000000..c81f37f
--- /dev/null
+++ b/backend/src/main/java/com/xly/test4/module/usr/controller/UserController.java
@@ -0,0 +1,30 @@
+package com.xly.test4.module.usr.controller;
+
+import com.xly.test4.common.response.Result;
+import com.xly.test4.module.usr.dto.UserCreateDTO;
+import com.xly.test4.module.usr.service.UserService;
+import com.xly.test4.module.usr.vo.UserCreateVO;
+import jakarta.validation.Valid;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping("/api/usr/user")
+public class UserController {
+
+    private final UserService userService;
+
+    public UserController(UserService userService) {
+        this.userService = userService;
+    }
+
+    // REQ-USR-001: 增加用户
+    @PostMapping
+    @PreAuthorize("hasAuthority('usr:user:create')")
+    public Result<UserCreateVO> createUser(@Valid @RequestBody UserCreateDTO dto) {
+        return Result.success(userService.createUser(dto));
+    }
+}
diff --git a/backend/src/test/java/com/xly/test4/module/usr/controller/UserControllerIT.java b/backend/src/test/java/com/xly/test4/module/usr/controller/UserControllerIT.java
new file mode 100644
index 0000000..ef867ad
--- /dev/null
+++ b/backend/src/test/java/com/xly/test4/module/usr/controller/UserControllerIT.java
@@ -0,0 +1,83 @@
+package com.xly.test4.module.usr.controller;
+
+import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.xly.test4.common.security.JwtTokenProvider;
+import com.xly.test4.module.usr.dto.UserCreateDTO;
+import com.xly.test4.module.usr.entity.User;
+import com.xly.test4.module.usr.mapper.UserMapper;
+import com.xly.test4.module.usr.mapper.UserPermissionMapper;
+import com.xly.test4.support.TestJwtFactory;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
+import org.springframework.test.web.servlet.MockMvc;
+
+import java.util.List;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@SpringBootTest
+@AutoConfigureMockMvc
+class UserControllerIT {
+
+    @Autowired
+    private MockMvc mockMvc;
+
+    @Autowired
+    private ObjectMapper objectMapper;
+
+    @Autowired
+    private JwtTokenProvider tokenProvider;
+
+    @Autowired
+    private UserMapper userMapper;
+
+    @Autowired
+    private UserPermissionMapper userPermissionMapper;
+
+    private String adminBearer() {
+        // 取 DB 中种子 admin 的 iIncrement 一并放进 token,便于审计字段(若需要)
+        User admin = userMapper.selectOne(new LambdaQueryWrapper<User>()
+                .eq(User::getSUserName, "admin"));
+        return "Bearer " + TestJwtFactory.adminToken(tokenProvider, admin.getIIncrement());
+    }
+
+    @Test
+    void createUser_validRequestWithAdminToken_returns200WithUserIdAndUserCode() throws Exception {
+        UserCreateDTO dto = new UserCreateDTO();
+        dto.setUserCode("U-IT-001");
+        dto.setUserName("it-user-001");
+        dto.setEmployeeId(null);
+        dto.setUserType("NORMAL");
+        dto.setLanguage("zh-CN");
+        dto.setCanEditDoc(false);
+        dto.setPassword("Pass1234");
+        dto.setPermissionIds(List.of());
+
+        mockMvc.perform(post("/api/usr/user")
+                        .header(HttpHeaders.AUTHORIZATION, adminBearer())
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content(objectMapper.writeValueAsString(dto)))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.code").value(200))
+                .andExpect(jsonPath("$.data.userId").isNumber())
+                .andExpect(jsonPath("$.data.userCode").value("U-IT-001"));
+
+        User created = userMapper.selectOne(new LambdaQueryWrapper<User>()
+                .eq(User::getSUserName, "it-user-001"));
+        assertThat(created).isNotNull();
+        assertThat(created.getSCreatedBy()).isEqualTo("admin");
+        assertThat(created.getSBrandsId()).isEqualTo("BR-DEFAULT");
+        assertThat(created.getSSubsidiaryId()).isEqualTo("SUB-DEFAULT");
+        assertThat(created.getIIsDisabled()).isZero();
+        assertThat(created.getSPasswordHash()).startsWith("$2").hasSize(60);
+        assertThat(created.getSPasswordHash()).isNotEqualTo("Pass1234");
+    }
+}