diff --git a/internal/dms/biz/user.go b/internal/dms/biz/user.go
index 5f8d4248..838bf8f0 100644
--- a/internal/dms/biz/user.go
+++ b/internal/dms/biz/user.go
@@ -98,7 +98,7 @@ type User struct {
 	LastLoginAt time.Time
 	// 用户是否被删除
 	Deleted bool
-	// 业务写权开关，默认 true；为 false 时系统管理员/admin 不通过全局身份放行业务写操作
+	// 业务写权开关，为 false 时系统管理员/admin 不通过全局身份放行业务写操作
 	BusinessWritePermission bool
 }
 
@@ -506,7 +506,7 @@ type CreateUserArgs struct {
 	OpPermissionUIDs        []string
 	UserAuthenticationType  UserAuthenticationType
 	System                  UserSystem
-	BusinessWritePermission *bool // nil means use default (true)
+	BusinessWritePermission *bool
 }
 
 func (d *UserUsecase) AddUser(ctx context.Context, currentUserUid string, args *CreateUserArgs) (uid string, err error) {
@@ -885,8 +885,8 @@ func (d *UserUsecase) UpdateUser(ctx context.Context, currentUserUid string, arg
 				user.BusinessWritePermission = *args.BusinessWritePermission
 			}
 		} else {
-			// User is not system administrator: always reset BWP to true
-			user.BusinessWritePermission = true
+			// User is not system administrator: always reset BWP to flase
+			user.BusinessWritePermission = false
 		}
 	}
 
diff --git a/internal/dms/service/user.go b/internal/dms/service/user.go
index 75252d7b..d8d82c7b 100644
--- a/internal/dms/service/user.go
+++ b/internal/dms/service/user.go
@@ -96,6 +96,17 @@ func (d *DMSService) AddUser(ctx context.Context, currentUserUid string, req *dm
 	defer func() {
 		d.log.Infof("AddUsers.req=%v;reply=%v;error=%v", req, reply, err)
 	}()
+	// 如果 BusinessWritePermission 为 nil，如果为系统管理员权限，默认有业务写权限
+	businessWritePermission := req.User.BusinessWritePermission
+	if businessWritePermission == nil {
+		for _, uid := range req.User.OpPermissionUids {
+			if uid == pkgConst.UIDOfOpPermissionGlobalManagement {
+				t := true
+				businessWritePermission = &t
+				break
+			}
+		}
+	}
 
 	args := &biz.CreateUserArgs{
 		UID:                     req.User.UID,
@@ -111,7 +122,7 @@ func (d *DMSService) AddUser(ctx context.Context, currentUserUid string, req *dm
 		ThirdPartyUserID:        req.User.ThirdPartyUserID,
 		ThirdPartyUserInfo:      req.User.ThirdPartyUserInfo,
 		UserAuthenticationType:  biz.UserAuthenticationType(req.User.UserAuthenticationType),
-		BusinessWritePermission: req.User.BusinessWritePermission,
+		BusinessWritePermission: businessWritePermission,
 	}
 
 	uid, err := d.UserUsecase.AddUser(ctx, currentUserUid, args)