diff --git a/db/changes/231601/00-aclAccount.sql b/db/changes/231601/00-aclAccount.sql
new file mode 100644
index 000000000..42579a65b
--- /dev/null
+++ b/db/changes/231601/00-aclAccount.sql
@@ -0,0 +1,6 @@
+DELETE
+ FROM `salix`.`ACL`
+ WHERE model='Account' AND property='*' AND accessType='*';
+
+INSERT INTO `salix`.`ACL` (model, property, accessType, permission, principalType, principalId)
+ VALUES('Account', '*', 'WRITE', 'ALLOW', 'ROLE', 'sysadmin');
diff --git a/modules/account/front/aliases/index.html b/modules/account/front/aliases/index.html
index 9f4ba857f..87f3c92de 100644
--- a/modules/account/front/aliases/index.html
+++ b/modules/account/front/aliases/index.html
@@ -15,7 +15,9 @@
@@ -32,7 +34,7 @@ ng-click="$ctrl.onAddClick()" fixed-bottom-right> -
@@ -49,7 +51,7 @@ - this.isSubordinate = res.data); } refresh() {
diff --git a/modules/account/front/descriptor/index.html b/modules/account/front/descriptor/index.html
index 7a7ba43f3..625c50ba2 100644
--- a/modules/account/front/descriptor/index.html
+++ b/modules/account/front/descriptor/index.html
@@ -6,7 +6,7 @@ Delete
@@ -15,7 +15,7 @@
 ng-if="::$root.user.id == $ctrl.id"
 ng-click="$ctrl.onChangePassClick(true)"
 name="changePassword"
- vn-acl="hr"
+ vn-acl="sysadmin"
 vn-acl-action="remove"
 translate>
 Change password
@@ -23,7 +23,7 @@ Set password
@@ -32,7 +32,7 @@
 ng-if="!$ctrl.hasAccount"
 ng-click="enableAccount.show()"
 name="enableAccount"
- vn-acl="it"
+ vn-acl="sysadmin"
 vn-acl-action="remove"
 translate>
 Enable account
@@ -41,7 +41,7 @@
 ng-if="$ctrl.hasAccount"
 ng-click="disableAccount.show()"
 name="disableAccount"
- vn-acl="it"
+ vn-acl="sysadmin"
 vn-acl-action="remove"
 translate>
 Disable account
@@ -50,8 +50,7 @@
 ng-if="!$ctrl.user.active"
 ng-click="activateUser.show()"
 name="activateUser"
- vn-acl="hr"
- vn-acl-action="remove"
+ vn-acl="sysadmin"
 translate>
 Activate user
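Review bot: The DELETE in the first three lines of the `00-aclAccount.sql` hunk filters on model, property and accessType only, so it removes the `Account`/`*`/`*` row for every principal, not just the one this change replaces; if more than one role held that grant they all lose it silently. Scoping it to the principal being replaced avoids that, e.g. `WHERE model='Account' AND property='*' AND accessType='*' AND principalType='ROLE' AND principalId='<previous-role>';` with the real value filled in. The replacement grant is `WRITE` rather than `*`, so READ on `Account` is no longer covered by this row; confirm a READ rule exists elsewhere or that the model's default denies, otherwise read access now rests on the framework's fallback instead of an explicit ACL. The INSERT has no guard against re-running the change file, so applying it twice leaves duplicate sysadmin rows.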
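Review bot: The `@@ -50,8 +50,7 @@` hunk in `descriptor/index.html` drops `vn-acl-action="remove"` from the activateUser item while switching it to `vn-acl="sysadmin"`, and the `@@ -59,8 +58,7 @@` hunk does the same for deactivateUser, whereas changePassword, enableAccount and disableAccount in the same file keep `vn-acl-action="remove"`; those two items therefore fall back to whatever the directive's default action is instead of being removed for other roles. If that is intentional a short comment next to the item would save the next reader the question, otherwise keep `vn-acl-action="remove"` on both. Either way the attribute only controls what the UI shows; the server-side ACL rows in this commit are what actually restrict the operation.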
@@ -59,8 +58,7 @@
 ng-if="$ctrl.user.active"
 ng-click="deactivateUser.show()"
 name="deactivateUser"
- vn-acl="hr"
- vn-acl-action="remove"
+ vn-acl="sysadmin"
 translate>
 Deactivate user
diff --git a/modules/account/front/mail-forwarding/index.html b/modules/account/front/mail-forwarding/index.html
index 6c688f504..1e0504c23 100644
--- a/modules/account/front/mail-forwarding/index.html
+++ b/modules/account/front/mail-forwarding/index.html
@@ -9,17 +9,17 @@
{
+ this.isAuthorized = res.data;
+
+ if (!this.isAuthorized) throw new UserError(`You don't have enough privileges`);
+ this.$.watcher.submit();
+ });
+ }
+}
 ngModule.component('vnUserMailForwarding', {
 template: require('./index.html'),
diff --git a/modules/worker/back/methods/worker/authorizeSelfOrSuperior.js b/modules/worker/back/methods/worker/authorizeSelfOrSuperior.js
new file mode 100644
index 000000000..30dfd17c1
--- /dev/null
+++ b/modules/worker/back/methods/worker/authorizeSelfOrSuperior.js
@@ -0,0 +1,44 @@
+module.exports = Self => {
+ Self.remoteMethod('authorizeSelfOrSuperior', {
+ description: 'Return true if is himself or a superior',
+ accessType: 'READ',
+ accepts: [{
+ arg: 'ctx',
+ type: 'Object',
+ http: {source: 'context'}
+ }, {
+ arg: 'id',
+ type: 'number',
+ required: true,
+ description: 'The worker id',
+ http: {source: 'path'}
+ }],
+ returns: {
+ type: 'boolean',
+ root: true
+ },
+ http: {
+ path: `/:id/authorizeSelfOrSuperior`,
+ verb: 'GET'
+ }
+ });
+
+ Self.authorizeSelfOrSuperior = async(ctx, id, options) => {
+ const models = Self.app.models;
+ const currentUserId = ctx.req.accessToken.userId;
+ const isHimself = currentUserId == id;
+
+ const myOptions = {};
+
+ if (typeof options == 'object')
+ Object.assign(myOptions, options);
+
+ const isSubordinate = await models.Worker.isSubordinate(ctx, id, myOptions);
+ const isTeamBoss = await models.VnUser.hasRole(currentUserId, 'teamBoss', myOptions);
+
+ if (!isSubordinate || (isSubordinate && !isHimself && !isTeamBoss))
+ return false;
+
+ return true;
+ };
+};
diff --git a/modules/worker/back/models/worker.js b/modules/worker/back/models/worker.js
index fa17640a8..ffcb688ee 100644
--- a/modules/worker/back/models/worker.js
+++ b/modules/worker/back/models/worker.js
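Review bot: In `Self.authorizeSelfOrSuperior` the final condition returns false for the caller's own id unless `isSubordinate` also came back true, and requires the `teamBoss` role for every non-self caller, which is stricter than the description 'Return true if is himself or a superior' states; unless `Worker.isSubordinate` is known to return true for the caller's own id (not visible in this diff), a worker checking their own record gets false, so either the description should read 'Returns true if the requester is the worker or a superior with the teamBoss role' or the self case should short-circuit before the subordinate lookup. The `if (!isSubordinate || (isSubordinate && !isHimself && !isTeamBoss)) return false; return true;` pair reads more clearly as `return isSubordinate && (isHimself || isTeamBoss);`, and `currentUserId == id` should become a strict comparison once `id` is coerced to a number. `ctx.req.accessToken.userId` is dereferenced unguarded, so if the model's ACLs ever let an unauthenticated request reach this READ endpoint it fails with a TypeError rather than a clean false; an explicit null check on `accessToken` before the lookups is cheap. Because the front end (the `vnUserMailForwarding` controller earlier in this commit) uses the result only to decide whether to submit, the server-side write it gates must enforce the same rule, since a client can skip this call.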
@@ -16,6 +16,7 @@ module.exports = Self => { require('../methods/worker/new')(Self); require('../methods/worker/deallocatePDA')(Self); require('../methods/worker/allocatePDA')(Self); + require('../methods/worker/authorizeSelfOrSuperior')(Self); Self.validatesUniquenessOf('locker', { message: 'This locker has already been assigned'