diff --git a/kanidmd/src/lib/constants.rs b/kanidmd/src/lib/constants.rs
index 5186bc21a..b67365038 100644
--- a/kanidmd/src/lib/constants.rs
+++ b/kanidmd/src/lib/constants.rs
@@ -332,7 +332,7 @@ pub static JSON_IDM_SELF_ACP_READ_V1: &'static str = r#"{
 "description": ["Builtin IDM Control for self read - required for whoami and many other functions."],
 "acp_enable": ["true"],
 "acp_receiver": [
- "\"Self\""
+ "{\"And\": [\"Self\", {\"AndNot\": {\"Or\": [{\"Eq\": [\"class\", \"tombstone\"]}, {\"Eq\": [\"class\", \"recycled\"]}]}}]}"
 ],
 "acp_targetscope": [
 "\"Self\""
@@ -349,6 +349,29 @@ pub static JSON_IDM_SELF_ACP_READ_V1: &'static str = r#"{
 }
 }"#;
 
+pub static _UUID_IDM_SELF_ACP_WRITE_V1: &'static str = "00000000-0000-0000-0000-ffffff000021";
+pub static JSON_IDM_SELF_ACP_WRITE_V1: &'static str = r#"{
+ "attrs": {
+ "class": ["object", "access_control_profile", "access_control_modify"],
+ "name": ["idm_self_acp_write"],
+ "uuid": ["00000000-0000-0000-0000-ffffff000021"],
+ "description": ["Builtin IDM Control for self write - required for people to update their own identities in line with best practices."],
+ "acp_enable": ["true"],
+ "acp_receiver": [
+ "{\"And\": [\"Self\", {\"AndNot\": {\"Or\": [{\"Eq\": [\"class\", \"tombstone\"]}, {\"Eq\": [\"class\", \"recycled\"]}, {\"Eq\": [\"uuid\", \"00000000-0000-0000-0000-ffffffffffff\"]}]}}]}"
+ ],
+ "acp_targetscope": [
+ "\"Self\""
+ ],
+ "acp_modify_removedattr": [
+ "name", "displayname", "legalname"
+ ],
+ "acp_modify_presentattr": [
+ "name", "displayname", "legalname"
+ ]
+ }
+}"#;
+
 /*
 pub static _UUID_IDM_ADMINS_ACP_MANAGE_V1: &'static str = "00000000-0000-0000-0000-ffffff000005";
 pub static JSON_IDM_ADMINS_ACP_MANAGE_V1: &'static str = r#"{
diff --git a/kanidmd/src/lib/server.rs b/kanidmd/src/lib/server.rs
index 15f62ff6f..a0c533b13 100644
--- a/kanidmd/src/lib/server.rs
+++ b/kanidmd/src/lib/server.rs
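Review bot: The new `acp_receiver` filter on the `+` line is a JSON document escaped inside a Rust raw string, and nothing in this commit checks that it deserialises, so a mistake in the escaping would only surface when the builtin ACP is loaded rather than at compile time. A unit test that parses `JSON_IDM_SELF_ACP_READ_V1` (and the new `JSON_IDM_SELF_ACP_WRITE_V1` in the next hunk) and asserts the receiver filter is accepted would pin this down. The intent of the exclusion is also undocumented; a comment above the static such as `// Receiver is Self, but never a tombstoned or recycled entry, so a deleted identity cannot match this ACP.` would explain why plain `"Self"` was not enough. The enclosing `r#"..."#` static begins before and ends after this hunk.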
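Review bot: `acp_modify_presentattr` and `acp_modify_removedattr` let a person change their own `name` as well as `displayname` and `legalname`; if `name` is the account's login identifier (inferred from the `"name": ["idm_self_acp_write"]` convention, not shown here), self-service rename is a broader grant than the description's "update their own identities" conveys and complicates audit correlation, so it should either be dropped from both lists or justified in the description. The receiver filter additionally excludes `uuid` `00000000-0000-0000-0000-ffffffffffff` without saying which builtin entry that is; a comment like `// Exclude tombstoned/recycled entries and the builtin account with uuid ...ffffffffffff (TODO: name it) from self-write.` would make the intent reviewable. The read ACP in the previous hunk does not carry the same uuid exclusion; confirm that asymmetry is intentional.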
@@ -1601,6 +1601,7 @@ impl<'a> QueryServerWriteTransaction<'a> {
 // JSON_IDM_ADMINS_ACP_MANAGE_V1,
 JSON_IDM_ALL_ACP_READ_V1,
 JSON_IDM_SELF_ACP_READ_V1,
+ JSON_IDM_SELF_ACP_WRITE_V1,
 JSON_IDM_ACP_PEOPLE_READ_PRIV_V1,
 JSON_IDM_ACP_PEOPLE_WRITE_PRIV_V1,
 JSON_IDM_ACP_GROUP_WRITE_PRIV_V1,