diff --git a/ansible-inventory.yml b/ansible-inventory.yml
index 77a51a24249bec39759000d48dd3f3acc9a2fce3..51a6a930012117b4e46b406602f0124f4b6a6ed9 100644
--- a/ansible-inventory.yml
+++ b/ansible-inventory.yml
@@ -34,20 +34,37 @@ all:
         description: "Adminrechte im uffd Selfservice"
       acls:
       - >-
-        {0}to *
+        {0}to attrs=userPassword
+        by dn="cn=uffd,ou=system,dc=example,dc=com" =xw
+        by group="cn=uffd_admin,ou=groups,dc=example,dc=com" =xw
+        by self =xw
+        by anonymous auth
+      - >-
+        {1}to attrs=shadowLastChange
+        by dn="cn=uffd,ou=system,dc=example,dc=com" write
+        by group="cn=uffd_admin,ou=groups,dc=example,dc=com" write
+        by self write
+      - >-
+        {2}to dn.subtree="ou=users,dc=example,dc=com"
         by dn="cn=uffd,ou=system,dc=example,dc=com" write
-        by * break
+        by group="cn=uffd_admin,ou=groups,dc=example,dc=com" write
+        by self write
+        by * read
       - >-
-        {1}to dn.children="ou=groups,dc=example,dc=com"
+        {3}to dn.children="ou=groups,dc=example,dc=com"
         by dn="cn=uffd,ou=system,dc=example,dc=com" write
-        by * break
+        by group="cn=uffd_admin,ou=groups,dc=example,dc=com" write
+        by * read
       - >-
-        {2}to dn.children="ou=postfix,dc=example,dc=com"
+        {4}to dn.children="ou=postfix,dc=example,dc=com"
         by dn="cn=uffd,ou=system,dc=example,dc=com" write
-        by * break
-      - '{3}to attrs=userPassword by self write by anonymous auth by * none'
-      - '{4}to attrs=shadowLastChange by self write by * read'
-      - '{5}to * by * read'
+        by group="cn=uffd_admin,ou=groups,dc=example,dc=com" write
+        by * read
+#      - >-
+#        {5}to *
+#        by dn="cn=uffd,ou=system,dc=example,dc=com" write
+#        by dn="uid=testadmin,ou=users,dc=example,dc=com" write
+#        by * read
     certificates:
       disable_letsencrypt_account_registration: True
       certs:
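Review bot: The new `{2}to dn.subtree="ou=users,dc=example,dc=com"` rule adds `by self write`, which gives every user write access to all attributes of their own entry not already matched by `{0}`/`{1}` (uid, mail, objectClass and so on), where the old rules gave self only read via `by * break` and `{5}to * by * read`. If self-service changes are meant to go through the `cn=uffd` bind, drop the `by self write` line so self falls through to `by * read`, or narrow the rule with an explicit `attrs=` list of the attributes users may change themselves. The `by group="cn=uffd_admin,..."` clauses in `{0}`–`{4}` only match the default groupOfNames/member form; if the entries under ou=groups use another group class, the `by group/<objectClass>/<memberAttr>="..."` form is needed or the admin grants silently never apply. The commented-out `{5}` block at the end still carries a `uid=testadmin` DN and, if ever uncommented, becomes a catch-all granting anonymous read on everything including ou=system; dead ACL text should be removed rather than kept as comments.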