diff --git a/roles/ipa/server/files/configure-ipa.sh b/roles/ipa/server/files/configure-ipa.sh
index 33515910eb..0b62940a97 100644
--- a/roles/ipa/server/files/configure-ipa.sh
+++ b/roles/ipa/server/files/configure-ipa.sh
@@ -15,3 +15,8 @@ do
 echo "Removing $line"
 ipa selfservice-del "$line"
 done
+
+# Disable default permissions so we don't break our privacy policy
+ipa permission-mod "System: Read User Addressbook Attributes" --bindtype=permission
+
+# TODO: Add custom permissions to grant specific access to user attributes
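Review bot: The added `ipa permission-mod` call is the privacy control, but nothing in the hunk confirms it took effect, so a failure (no valid ticket, or a permission name that differs on this IPA version) would leave the addressbook attributes readable under the default bind rule with no signal. The exit status alone is not a reliable check either, because IPA normally reports an error when a re-run finds nothing to modify; whether the script runs under `set -e` is not visible from this hunk. I would verify the resulting state after the call, for example `ipa permission-show "System: Read User Addressbook Attributes" | grep -q 'Bind rule type: permission' || { echo "addressbook permission not restricted" >&2; exit 1; }` (assuming the usual `Bind rule type:` output label). The comment says "default permissions" in the plural while only one permission is changed, so it should name which attributes this covers. It should also note that until the TODO is done, only accounts granted this permission through a privilege can read them.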