diff --git a/src/Backend/SolutionErp.Api/Controllers/UsersController.cs b/src/Backend/SolutionErp.Api/Controllers/UsersController.cs
index 363e5b1..a2e9910 100644
--- a/src/Backend/SolutionErp.Api/Controllers/UsersController.cs
+++ b/src/Backend/SolutionErp.Api/Controllers/UsersController.cs
@@ -72,8 +72,21 @@ public class UsersController(IMediator mediator) : ControllerBase
         await mediator.Send(new SetUserBypassReviewCommand(id, body.CanBypassReview), ct);
         return NoContent();
     }
+
+    // N-stage workflow inner step (Mig 18): admin set cấp chức danh user
+    // (1=NV, 2=PP, 3=TP, null=admin/external). Body PositionLevel int? — null
+    // sẽ clear PositionLevel của user.
+    [HttpPatch("{id:guid}/position-level")]
+    [Authorize(Policy = "Users.Update")]
+    public async Task<IActionResult> SetPositionLevel(
+        Guid id, [FromBody] SetPositionLevelBody body, CancellationToken ct)
+    {
+        await mediator.Send(new SetUserPositionLevelCommand(id, body.PositionLevel), ct);
+        return NoContent();
+    }
 }
 
 public record AssignRolesBody(List<string> Roles);
 public record ResetPasswordBody(string NewPassword);
 public record SetBypassReviewBody(bool CanBypassReview);
+public record SetPositionLevelBody(int? PositionLevel);