diff --git a/application/User/UserController.php b/application/User/UserController.php index 06c1ba42e..eb9f27e23 100644 --- a/application/User/UserController.php +++ b/application/User/UserController.php @@ -12,6 +12,9 @@ class UserController extends mfBaseController { private $me; + // User IDs allowed to manage (add/edit/delete) users + private const ALLOWED_USER_MANAGER_IDS = [2, 5, 9, 6, 89, 145, 24]; + protected function init($request = null) { $this->needlogin = true; @@ -24,6 +27,11 @@ class UserController extends mfBaseController if ($_SERVER['REQUEST_METHOD'] === 'POST') $this->postData = json_decode(file_get_contents('php://input'), true); } + private function canManageUsers(): bool + { + return in_array($this->me->id, self::ALLOWED_USER_MANAGER_IDS); + } + protected function indexAction($request) { if (!$this->isAdmin()) { @@ -32,6 +40,7 @@ class UserController extends mfBaseController Helper::renderVue($this, "User", "Benutzer", [ "IS_ADMIN" => $this->me->isAdmin(), + "CAN_MANAGE_USERS" => $this->canManageUsers(), "USERS" => array_map(fn($user) => [ "username" => $user->username, "name" => $user->name, @@ -53,6 +62,7 @@ class UserController extends mfBaseController protected function formAction() { if (!$this->isAdmin()) $this->redirect("Dashboard"); + if (!$this->canManageUsers()) $this->redirect("User"); $id = $this->request->id; $user = ($id && is_numeric($id) && $id > 0) ? new User($id) : new User(); @@ -178,6 +188,7 @@ class UserController extends mfBaseController protected function generateApikeyAction($request) { if (!$this->isAdmin()) $this->redirect("Dashboard"); + if (!$this->canManageUsers()) $this->redirect("User"); $id = $request['id']; if (!is_numeric($id) || $id < 1) { 
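Review bot: The authorization allowlist introduced in the first hunk hard-codes database user IDs in source (`ALLOWED_USER_MANAGER_IDS`), so granting or revoking the user-management right needs a code change and deploy, leaves no audit trail, and breaks silently on any environment where those IDs map to different accounts; a role or permission flag on the user record (or at least a configuration value) is the usual place for this. In `canManageUsers()` the membership test is non-strict, `in_array($this->me->id, ...)`, and the method does not require admin status itself, so any caller that uses it as the sole check grants the capability purely by ID; `return $this->me->isAdmin() && in_array((int) $this->me->id, self::ALLOWED_USER_MANAGER_IDS, true);` closes both gaps. The guards added to `formAction` and `generateApikeyAction` follow the existing `$this->redirect("Dashboard")` pattern, so they only stop the request if `redirect()` terminates the script, as the pre-existing `isAdmin()` checks already assume. Both of those methods continue past the hunk.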
@@ -207,6 +218,11 @@ class UserController extends mfBaseController unset($r->address_id); } + // Only allowed users can create/edit other users + if ($this->isAdmin() && !$this->canManageUsers()) { + self::redirect('User'); + } + if (!$id && !$r->username) self::redirect('User'); $user = new User($id); @@ -569,7 +585,7 @@ class UserController extends mfBaseController } protected function impersonateAction() { - if(!$this->me->isAdmin() || $this->me->address_id != 1) { + if(!$this->me->isAdmin() || $this->me->address_id != 1 || !$this->canManageUsers()) { header("HTTP/1.1 403 Forbidden"); exit; } @@ -590,6 +606,10 @@ class UserController extends mfBaseController protected function sendLoginEmailAction() { + if (!$this->canManageUsers()) { + self::sendError("Keine Berechtigung."); + } + $id = $this->request->id; if (!$id || !is_numeric($id)) { self::sendError("Benutzer-ID fehlt oder ist ungültig."); diff --git a/public/js/pages/User/User.js b/public/js/pages/User/User.js index b39a9b265..6cb411b16 100644 --- a/public/js/pages/User/User.js +++ b/public/js/pages/User/User.js @@ -3,14 +3,14 @@ Vue.component("User", {
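Review bot: The check added in the first hunk here, `if ($this->isAdmin() && !$this->canManageUsers())`, is conditioned on admin status, so a non-admin reaching this point is not subject to it, and it runs only after the posted record has already been processed (the `unset($r->address_id)` just above); the enclosing action starts outside the hunk, so whether an earlier guard covers non-admins cannot be seen here. An authorization check belongs before any handling of the request body, and the comment should state the intended scope rather than the generic "Only allowed users", e.g. `// NOTE(review): only restricts admins — confirm non-admins cannot reach this action`. In `sendLoginEmailAction` the new `canManageUsers()` test is the only guard and relies on `self::sendError()` not returning, which the existing ID-validation branch below it also assumes; if `sendError` does return, execution continues into the rest of the action. `impersonateAction` now stacks three conditions in one `if`, and the pre-existing `address_id != 1` comparison is loose; a strict `!== 1` (or `(int) ... !== 1`) would make that branch unambiguous.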