diff --git a/modules/account/back/models/mail-alias-acl.js b/modules/account/back/models/mail-alias-acl.js
new file mode 100644
index 000000000..4a74472fe
--- /dev/null
+++ b/modules/account/back/models/mail-alias-acl.js
@@ -0,0 +1,70 @@
+const UserError = require('vn-loopback/util/user-error');
+
+module.exports = Self => {
+ require('../methods/notification/getList')(Self);
+
+ Self.observe('before save', async function(ctx) {
+ await checkModifyPermission(ctx);
+ });
+
+ Self.observe('before delete', async function(ctx) {
+ await checkModifyPermission(ctx);
+ });
+
+ async function checkModifyPermission(ctx) {
+ const models = Self.app.models;
+ const instance = ctx.instance;
+ const userId = ctx.options.accessToken.userId;
+
+ let mailAliasFk;
+ let roleFk;
+
+ if (instance) {
+ mailAliasFk = instance.mailAliasFk;
+ roleFk = instance.roleFk;
+ } else {
+ const mailAliasAcl = await models.MailAlias.findById(ctx.where.id);
+ mailAliasFk = mailAliasAcl.id;
+ roleFk = mailAliasAcl.roleFk;
+ }
+
+ const role = await models.VnUser.findById(roleFk, {fields: ['id', 'role']});
+ const available = await Self.getAvailable(roleFk);
+ const hasAcl = available.has(mailAliasFk);
+
+ if (!hasAcl || (userId.role != role))
+ throw new UserError('The alias cant be modified');
+ }
+
+ Self.getAvailable = async function(userId, options) {
+ const availableMailAliasMap = new Map();
+ const models = Self.app.models;
+
+ const myOptions = {};
+
+ if (typeof options == 'object')
+ Object.assign(myOptions, options);
+
+ const roles = await models.RoleMapping.find({
+ fields: ['roleId'],
+ where: {principalId: userId}
+ }, myOptions);
+
+ const availableMailAlias = await models.MailAliasAcl.find({
+ fields: ['mailAliasFk', 'roleFk'],
+ include: {relation: 'roleFk'},
+ where: {
+ roleFk: {
+ inq: roles.map(role => role.roleId),
+ },
+ }
+ }, myOptions);
+
+ for (available of availableMailAlias) {
+ availableMailAliasMap.set(available.mailAliasFk, {
+ mailAliasFk: available.mailAliasFk,
+ });
+ }
+ return availableMailAliasMap;
+ };
+};
diff --git a/modules/account/back/models/mail-alias-acl.json b/modules/account/back/models/mail-alias-acl.json
new file mode 100644
index 000000000..2e44f38eb
--- /dev/null
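Review bot: The authorization check in checkModifyPermission cannot work as written: `userId` is the numeric `ctx.options.accessToken.userId`, so `userId.role` is always undefined and `userId.role != role` is true whenever the VnUser lookup returns a row, which makes every save and delete throw; and the lookup passes `roleFk` (a role id) both to `VnUser.findById` and to `Self.getAvailable`, whose parameter is a user id matched against `RoleMapping.principalId`. The delete branch also calls `models.MailAlias.findById(ctx.where.id)` and then takes `.id` as the alias id, although the record being deleted is a MailAliasAcl row (`Self.findById`) whose `mailAliasFk` is what the `available.has(...)` check needs. A rewrite that resolves the caller's own user, loads the ACL row via `Self`, and compares the caller's `role` with the ACL's `roleFk` is sketched below; the hunk does not state the intended role rule, so confirm that comparison before merging. In getAvailable, `for (available of availableMailAlias)` assigns an undeclared name, which in a non-strict CommonJS file becomes a process-wide global shared between concurrent requests — write `for (const available of availableMailAlias)`; and `include: {relation: 'roleFk'}` names a relation that the accompanying mail-alias-acl.json declares as `role`.
```javascript
async function checkModifyPermission(ctx) {
    const models = Self.app.models;
    const userId = ctx.options.accessToken.userId;
    // … unchanged: declarations and the `if (instance)` branch …
    } else {
        // The row being deleted is an ACL row of this model, not a MailAlias.
        const mailAliasAcl = await Self.findById(ctx.where.id);
        mailAliasFk = mailAliasAcl.mailAliasFk;
        roleFk = mailAliasAcl.roleFk;
    }

    // Resolve the caller, not the role, and list the aliases the caller can reach.
    const user = await models.VnUser.findById(userId, {fields: ['id', 'role']});
    const available = await Self.getAvailable(userId);
    const hasAcl = available.has(mailAliasFk);

    // Fail closed: the alias must be reachable and the caller must hold the granted role.
    if (!hasAcl || user.role != roleFk)
        throw new UserError('The alias cant be modified');
}
```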
+++ b/modules/account/back/models/mail-alias-acl.json
@@ -0,0 +1,29 @@
+{
+ "name": "mailAliasACL",
+ "base": "VnModel",
+ "options": {
+ "mysql": {
+ "table": "account.mailAliasACL"
+ }
+ },
+ "properties": {
+ "mailAliasFk": {
+ "type": "number"
+ },
+ "roleFk": {
+ "type": "number"
+ }
+ },
+ "relations": {
+ "mailAlias": {
+ "type": "belongsTo",
+ "model": "VnUser",
+ "foreignKey": "mailAliasFk"
+ },
+ "role": {
+ "type": "belongsTo",
+ "model": "VnUser",
+ "foreignKey": "roleFk"
+ }
+ }
+}
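Review bot: The `mailAlias` relation is declared as belongsTo `VnUser` with foreignKey `mailAliasFk`, so the alias side of this ACL resolves to a user row rather than to an alias; the JS file in the same commit queries `models.MailAlias`, which suggests `"model"` under `mailAlias` should name that model instead of `VnUser`. The `role` relation likewise targets `VnUser` even though `roleFk` is matched against `RoleMapping.roleId` in mail-alias-acl.js; if roles live in a separate role model in this project, point the relation there. Also note the model is named `mailAliasACL` here while getAvailable resolves it as `models.MailAliasAcl` — confirm that the registry exposes that spelling, otherwise the lookup yields undefined.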