diff --git a/kanidmd/lib/src/constants/acp.rs b/kanidmd/lib/src/constants/acp.rs
index 04dd4ecbe..8a0eb29a3 100644
--- a/kanidmd/lib/src/constants/acp.rs
+++ b/kanidmd/lib/src/constants/acp.rs
@@ -1,3 +1,9 @@
+use crate::constants::uuids::*;
+///! Constant Entries for the IDM
+use crate::constants::values::*;
+use crate::entry::{Entry, EntryInit, EntryInitNew, EntryNew};
+use crate::value::Value;
+
 /*
 // Template acp
 pub const _UUID_IDM_ACP_XX_V1: &str = "00000000-0000-0000-0000-ffffff0000XX";
@@ -326,6 +332,37 @@ pub const JSON_IDM_ACP_HP_PEOPLE_READ_PRIV_V1: &str = r#"{
 }
 }"#;
 
+lazy_static! {
+    pub static ref E_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1: EntryInitNew = entry_init!(
+        ("class", CLASS_OBJECT.clone()),
+        ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()),
+        ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()),
+        (
+            "name",
+            Value::new_iname("idm_acp_account_mail_read_priv")
+        ),
+        (
+            "uuid",
+            Value::new_uuid(UUID_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1)
+        ),
+        (
+            "description",
+            Value::new_utf8s(
+                "Builtin IDM Control for reading account mail attributes."
+            )
+        ),
+        (
+            "acp_receiver_group",
+            Value::Refer(UUID_IDM_ACCOUNT_MAIL_READ_PRIV)
+        ),
+        (
+            "acp_targetscope",
+            Value::new_json_filter_s("{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}").expect("filter")
+        ),
+        ("acp_search_attr", Value::new_iutf8("mail"))
+    );
+}
+
 pub const JSON_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1: &str = r#"{
     "attrs": {
         "class": [
diff --git a/kanidmd/lib/src/constants/entries.rs b/kanidmd/lib/src/constants/entries.rs
index b8e6b2a08..13804bf47 100644
--- a/kanidmd/lib/src/constants/entries.rs
+++ b/kanidmd/lib/src/constants/entries.rs
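Review bot: The `///!` line in the import hunk is not a module doc comment: `///!` parses as an outer `///` doc comment whose text starts with `!`, attached to the `use crate::constants::values::*;` line below it, so it documents an import rather than the file and rustc may report it as an unused doc comment. Use the inner form on the first line of the file, `//! Constant Entries for the IDM`, and keep the `use` lines together beneath it. The `Entry`, `EntryInit` and `EntryNew` names are not referenced by any code visible in this diff; if the `entry_init!` macro does not expand to them, they will surface as unused-import warnings.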
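Review bot: The `acp_targetscope` filter of the new `E_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1` entry is written as a backslash-escaped string while every sibling constant in this file spells its JSON as a raw `r#"…"#` string, which makes a grant that exposes `mail` on every entry of class `account` harder to audit. Write it as `Value::new_json_filter_s(r#"{"and": [{"eq": ["class","account"]}, {"andnot": {"or": [{"eq": ["class", "tombstone"]}, {"eq": ["class", "recycled"]}]}}]}"#).expect("filter")`. Because the scope is `class = account`, service accounts are in scope as well as persons; a `///` doc comment on the static saying so, e.g. `/// Search-only ACP: members of idm_account_mail_read_priv may read mail on all live accounts (persons and service accounts).`, keeps that decision visible to whoever later extends `acp_search_attr`. The `.expect("filter")` runs on first dereference of the lazy static, so a malformed filter would surface at server initialisation rather than at compile time; presumably the existing init tests exercise that path.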
@@ -498,6 +498,25 @@ lazy_static! {
         ),
         ("grant_ui_hint", Value::UiHint(UiHint::ExperimentalFeatures))
     );
+
+    pub static ref E_IDM_ACCOUNT_MAIL_READ_PRIV: EntryInitNew = entry_init!(
+        ("class", CLASS_OBJECT.clone()),
+        ("class", CLASS_GROUP.clone()),
+        (
+            "name",
+            Value::new_iname("idm_account_mail_read_priv")
+        ),
+        (
+            "uuid",
+            Value::new_uuid(UUID_IDM_ACCOUNT_MAIL_READ_PRIV)
+        ),
+        (
+            "description",
+            Value::new_utf8s(
+                "Members of this group will have access to read the mail attribute of all persons and service accounts."
+            )
+        )
+    );
 }
 
 /// This must be the last group to init to include the UUID of the other high priv groups.
diff --git a/kanidmd/lib/src/constants/uuids.rs b/kanidmd/lib/src/constants/uuids.rs
index 0a1122928..476733a58 100644
--- a/kanidmd/lib/src/constants/uuids.rs
+++ b/kanidmd/lib/src/constants/uuids.rs
@@ -57,6 +57,7 @@ pub const _UUID_IDM_HP_SYNC_ACCOUNT_MANAGE_PRIV: Uuid =
 
 pub const UUID_IDM_UI_ENABLE_EXPERIMENTAL_FEATURES: Uuid =
     uuid!("00000000-0000-0000-0000-000000000038");
+pub const UUID_IDM_ACCOUNT_MAIL_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000039");
 // pub const _UUID_IDM_HIGH_PRIVILEGE: Uuid = uuid!("00000000-0000-0000-0000-000000001000");
@@ -291,6 +292,8 @@ pub const _UUID_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1: Uuid =
 pub const _UUID_IDM_ACP_OAUTH2_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000043");
 pub const _UUID_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1: Uuid =
     uuid!("00000000-0000-0000-0000-ffffff000044");
+pub const UUID_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1: Uuid =
+    uuid!("00000000-0000-0000-0000-ffffff000045");
 
 // End of system ranges
 pub const UUID_DOES_NOT_EXIST: Uuid = uuid!("00000000-0000-0000-0000-fffffffffffe");
diff --git a/kanidmd/lib/src/constants/values.rs b/kanidmd/lib/src/constants/values.rs
index 86a758fcc..1eaf777a9 100644
--- a/kanidmd/lib/src/constants/values.rs
+++ b/kanidmd/lib/src/constants/values.rs
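Review bot: The new `E_IDM_ACCOUNT_MAIL_READ_PRIV` group carries no `member` attribute, so as created it grants the mail read privilege to nobody, and nothing in the hunk records whether that is intended or how membership is meant to be delegated. Add a `///` doc comment above the static, e.g. `/// Receiver group for idm_acp_account_mail_read_priv. Created empty; membership must be granted explicitly.` Since this group can read the `mail` attribute of every account, consider whether it belongs with the high-privilege (`hp`) groups so that the aggregate group which, per the context line below, is initialised last from the other high priv groups also protects its membership; I cannot tell from this hunk which groups that aggregate includes.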
@@ -36,6 +36,8 @@ lazy_static! {
     pub static ref PVCLASS_SYSTEM_CONFIG: PartialValue = PartialValue::new_class("system_config");
     pub static ref PVCLASS_TOMBSTONE: PartialValue = PartialValue::new_class("tombstone");
     pub static ref PVUUID_DOMAIN_INFO: PartialValue = PartialValue::new_uuid(UUID_DOMAIN_INFO);
+    pub static ref CLASS_ACCESS_CONTROL_PROFILE: Value = Value::new_class("access_control_profile");
+    pub static ref CLASS_ACCESS_CONTROL_SEARCH: Value = Value::new_class("access_control_search");
     pub static ref CLASS_ACCOUNT: Value = Value::new_class("account");
     pub static ref CLASS_DOMAIN_INFO: Value = Value::new_class("domain_info");
     pub static ref CLASS_DYNGROUP: Value = Value::new_class("dyngroup");
diff --git a/kanidmd/lib/src/server.rs b/kanidmd/lib/src/server.rs
index e9eb46564..cc8e5eab3 100644
--- a/kanidmd/lib/src/server.rs
+++ b/kanidmd/lib/src/server.rs
@@ -2859,7 +2859,11 @@ impl<'a> QueryServerWriteTransaction<'a> {
         debug_assert!(res.is_ok());
         res?;
 
-        let idm_entries = [E_IDM_UI_ENABLE_EXPERIMENTAL_FEATURES.clone()];
+        let idm_entries = [
+            E_IDM_UI_ENABLE_EXPERIMENTAL_FEATURES.clone(),
+            E_IDM_ACCOUNT_MAIL_READ_PRIV.clone(),
+            E_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1.clone(),
+        ];
 
         let res: Result<(), _> = idm_entries
             .into_iter()
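Review bot: The order of `idm_entries` now matters: `E_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1` refers to `UUID_IDM_ACCOUNT_MAIL_READ_PRIV` through its `acp_receiver_group`, so the group entry must be created before the ACP, and the array encodes that only implicitly. Add a comment above the array, `// Order matters: the receiver group must exist before the ACP that refers to it.`, so a later reordering or alphabetical sort does not break initialisation; if referential integrity is enforced on `Refer` values, as I would expect in this server, the failure would otherwise appear only at init time. The enclosing function begins and ends outside this hunk, so I cannot see how the result of the loop over `idm_entries` is handled.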