diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4ea4c6ea9..0a355cf73 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,8 @@
 ### Changed
 ### Fixed
+* Prevent to showing both adding user and importing user/group pages by ordinary user.
+ Contributed by @userlocalhost, @hinashi
 ## v3.88.0
diff --git a/group/tests/test_view.py b/group/tests/test_view.py
index 5bbe35be8..5e4ceca02 100644
--- a/group/tests/test_view.py
+++ b/group/tests/test_view.py
@@ -434,7 +434,16 @@ def test_post_edit_by_guest(self):
 self.assertEqual(resp.status_code, 400)
- def test_import_user_and_group(self):
+ def test_import_user_and_group_by_ordinary_user(self):
+ self.guest_login()
+
+ resp = self.client.get(reverse("group:import_user_and_group"))
+ self.assertEqual(resp.status_code, 400)
+ self.assertEqual(
+ resp.content.decode("utf-8"), "This page needs administrative permission to access"
+ )
+
+ def test_import_user_and_group_by_admin_user(self):
 self.admin_login()
 fp = self.open_fixture_file("import_user_and_group.yaml")
diff --git a/group/views.py b/group/views.py
index 19ce068e8..3ffde8bc4 100644
--- a/group/views.py
+++ b/group/views.py
@@ -251,6 +251,7 @@ def export(request):
 @http_get
+@check_superuser
 def import_user_and_group(request):
 return render(request, "import_user_and_group.html", {})
diff --git a/user/tests/test_view.py b/user/tests/test_view.py
index 85c0fbaa0..df89fe000 100644
--- a/user/tests/test_view.py
+++ b/user/tests/test_view.py
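Review bot: `test_import_user_and_group_by_ordinary_user` in group/tests/test_view.py pins the denial to status 400, and `test_create_get_with_login_by_normal_user` in user/tests/test_view.py does the same, so an authorization failure cannot be told apart from a malformed request in access logs or alerting. The status comes from `check_superuser`, which is outside this diff, so changing it may affect other views; if that decorator can answer 403 instead, both assertions would become `self.assertEqual(resp.status_code, 403)`. If 400 is deliberate, a comment above the assertion such as `# check_superuser answers 400, not 403, for non-admin users` would record that.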
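Review bot: In group/views.py the new `@check_superuser` sits only on `import_user_and_group`, the GET view that renders the form, and the same holds for `create` in user/views.py; the views that accept the submitted import file and the new-user form are not part of this diff. If those handlers do not already carry `@check_superuser`, an ordinary user can bypass the page and submit the request directly, so the change would hide the form without closing the operation. Please confirm they are decorated, and add ordinary-user tests against those endpoints next to the two GET tests added in this commit.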
@@ -72,7 +72,16 @@ def test_create_get_without_login(self):
 resp = self.client.get(reverse("user:create"))
 self.assertEqual(resp.status_code, 303)
- def test_create_get_with_login(self):
+ def test_create_get_with_login_by_normal_user(self):
+ self._guest_login()
+
+ resp = self.client.get(reverse("user:create"))
+ self.assertEqual(resp.status_code, 400)
+ self.assertEqual(
+ resp.content.decode("utf-8"), "This page needs administrative permission to access"
+ )
+
+ def test_create_get_with_login_by_admin_user(self):
 self._admin_login()
 resp = self.client.get(reverse("user:create"))
diff --git a/user/views.py b/user/views.py
index 9faca9c35..f2021549b 100644
--- a/user/views.py
+++ b/user/views.py
@@ -29,6 +29,7 @@ def index(request):
 @http_get
+@check_superuser
 def create(request):
 return render(request, "create_user.html")
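Review bot: `test_create_get_with_login_by_normal_user` in user/tests/test_view.py introduces a third name for one role: the matching test in group/tests/test_view.py says `ordinary_user`, the CHANGELOG entry says "ordinary user", and the helper called here is `_guest_login()`. Renaming it to `test_create_get_with_login_by_ordinary_user` keeps the two permission tests searchable together. A one-line docstring noting that the guest helper presumably logs in an authenticated non-superuser would explain why the expected result is the permission message and not the 303 redirect asserted in `test_create_get_without_login`.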