Permissions

Permissions in Stalwart determine the specific actions and resources that a user, group, or entity is allowed to access. Permissions allow administrators to control fine-grained access to various operations within the mail server, providing a clear distinction between what actions an entity can or cannot perform. Permissions can be assigned directly to individuals, groups, roles, or even entire tenants, giving administrators comprehensive control over access policies.

To simplify the management of permissions, multiple permissions can be grouped together into roles. Assigning roles to users or groups allows administrators to more easily manage access by bundling related permissions rather than having to assign them individually.

Effective Permissions

Each principal type in Stalwart (such as individuals, groups, or roles) has two important fields related to permissions: enabledPermissions and disabledPermissions. The effective permissions for an individual are calculated using a combination of permissions from various levels:

  • Enabled Permissions:
    • Start with the enabledPermissions assigned directly to the individual.
    • Combine these with the enabledPermissions of any roles that are assigned to the individual.
    • Finally, intersect these with the enabledPermissions of the tenant to which the individual belongs.
  • Disabled Permissions:
    • Any permissions explicitly listed in the disabledPermissions field of the individual, roles, or tenant are subtracted from the total. This ensures that even if a permission is enabled at one level, it will be disabled if explicitly restricted at another.

This mechanism allows for a flexible yet precise approach to access control, ensuring that permissions are layered and can be modified at various levels to suit the needs of the organization.
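The three-step calculation above, worked through in Python as an added example (this is not Stalwart's own code; the Principal model and the sample principals are constructed for illustration):

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Any principal type (individual, role, tenant) carries both fields."""
    name: str
    enabled_permissions: frozenset = frozenset()
    disabled_permissions: frozenset = frozenset()


def effective_permissions(individual, roles, tenant=None):
    """Effective permission set of an individual, following the three steps above."""
    # Step 1: the individual's own enabledPermissions, plus those of every
    # role assigned to it.
    enabled = set(individual.enabled_permissions)
    for role in roles:
        enabled |= role.enabled_permissions
    # Step 2: intersect with the tenant's enabledPermissions, so a member
    # can never hold a permission the tenant itself does not have.
    if tenant is not None:
        enabled &= tenant.enabled_permissions
    # Step 3: subtract every disabledPermissions entry from any level; an
    # explicit disable at one level overrides an enable at another.
    disabled = set(individual.disabled_permissions)
    for role in roles:
        disabled |= role.disabled_permissions
    if tenant is not None:
        disabled |= tenant.disabled_permissions
    return frozenset(enabled - disabled)


# Constructed sample principals (assumed data, not real Stalwart records).
TENANT = Principal("example-tenant",
    enabled_permissions=frozenset({"email-send", "email-receive",
                                   "imap-authenticate", "jmap-email-get", "logs-view"}),
    disabled_permissions=frozenset({"logs-view"}))   # disabled at tenant level
MAIL_USER_ROLE = Principal("mail-user",
    enabled_permissions=frozenset({"email-send", "email-receive",
                                   "imap-authenticate", "jmap-email-get", "impersonate"}))
ALICE = Principal("alice",
    enabled_permissions=frozenset({"logs-view", "settings-list"}),
    disabled_permissions=frozenset({"email-send"}))   # disabled on the individual


def alice_permissions():
    """Returns {'email-receive', 'imap-authenticate', 'jmap-email-get'}."""
    return effective_permissions(ALICE, [MAIL_USER_ROLE], TENANT)


if __name__ == "__main__":
    print(sorted(alice_permissions()))
```

Note that impersonate and settings-list vanish at the tenant intersection, while logs-view and email-send survive the intersection but are removed by an explicit disable at the tenant and individual level respectively.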

Permissions vs. ACLs

It's important to note that permissions in Stalwart are distinct from Access Control Lists (ACLs).

  • Permissions: Defined by the administrator, permissions control access to specific resources and actions within the mail server itself. These determine what a user or entity is allowed to do globally within the system, such as managing settings, accessing logs, or sending emails.
  • Access Control Lists (ACLs): Managed by users and are used to grant other users or groups access to their emails, folders, or other specific data. ACLs, typically controlled via the IMAP ACL extension or JMAP, regulate how one user's data is shared with others and are applied on a per-folder or per-resource basis.

In summary, permissions are centrally controlled by administrators to define what actions and resources can be accessed by whom, while ACLs give users control over how their own data is shared and accessed by others. Together, they offer robust and flexible security and access control within the Stalwart environment.

Available Permissions

Stalwart provides a wide range of permissions that can be assigned to users, groups, roles, or tenants. These permissions cover various aspects of the mail server, including managing users, domains, settings, and more. The following table lists the available permissions as well as the built-in roles that include them:

Permission                           Description
ai-model-interact                    Interact with AI models
api-key-create                       Create new API keys
api-key-delete                       Remove API keys
api-key-get                          Retrieve specific API keys
api-key-list                         View API keys
api-key-update                       Modify API keys
authenticate                         Authenticate
authenticate-oauth                   Authenticate via OAuth
blob-fetch                           Retrieve arbitrary blobs
dav-cal-acl                          Manage access control lists for calendar entries
dav-cal-copy                         Copy calendar entries to new locations
dav-cal-delete                       Remove calendar entries or collections
dav-cal-free-busy-query              Query free/busy time information for scheduling
dav-cal-get                          Download calendar entries
dav-cal-lock                         Lock calendar entries to prevent concurrent modifications
dav-cal-mk-col                       Create new calendar collections
dav-cal-move                         Move calendar entries to new locations
dav-cal-multi-get                    Retrieve multiple calendar entries in a single request
dav-cal-prop-find                    Retrieve properties of calendar entries
dav-cal-prop-patch                   Modify properties of calendar entries
dav-cal-put                          Upload or modify calendar entries
dav-cal-query                        Search for calendar entries matching criteria
dav-card-acl                         Manage access control lists for address book entries
dav-card-copy                        Copy address book entries to new locations
dav-card-delete                      Remove address book entries or collections
dav-card-get                         Download address book entries
dav-card-lock                        Lock address book entries to prevent concurrent modifications
dav-card-mk-col                      Create new address book collections
dav-card-move                        Move address book entries to new locations
dav-card-multi-get                   Retrieve multiple address book entries in a single request
dav-card-prop-find                   Retrieve properties of address book entries
dav-card-prop-patch                  Modify properties of address book entries
dav-card-put                         Upload or modify address book entries
dav-card-query                       Search for address book entries matching criteria
dav-expand-property                  Expand properties that reference other resources
dav-file-acl                         Manage access control lists for file resources
dav-file-copy                        Copy file resources to new locations
dav-file-delete                      Remove file resources
dav-file-get                         Download file resources
dav-file-lock                        Lock file resources to prevent concurrent modifications
dav-file-mk-col                      Create new file collections or directories
dav-file-move                        Move file resources to new locations
dav-file-prop-find                   Retrieve properties of file resources
dav-file-prop-patch                  Modify properties of file resources
dav-file-put                         Upload or modify file resources
dav-principal-acl                    Set principal properties for access control
dav-principal-list                   List available principals in the system
dav-principal-match                  Match principals based on specified criteria
dav-principal-search                 Search for principals by property values
dav-principal-search-prop-set        Define property sets for principal searches
dav-sync-collection                  Synchronize collection changes with client
delete-system-folders                Delete system folders
dkim-signature-create                Create DKIM signatures for email authentication
dkim-signature-get                   Retrieve DKIM signature information
domain-create                        Add new email domains
domain-delete                        Remove email domains
domain-get                           Retrieve specific domain information
domain-list                          View list of email domains
domain-update                        Modify domain information
email-receive                        Receive emails
email-send                           Send emails
fts-reindex                          Rebuild the full-text search index
group-create                         Add new user groups
group-delete                         Remove user groups
group-get                            Retrieve specific group information
group-list                           View list of user groups
group-update                         Modify group information
imap-acl-get                         Retrieve ACLs via IMAP
imap-acl-set                         Set ACLs via IMAP
imap-append                          Append messages via IMAP
imap-authenticate                    Authenticate via IMAP
imap-capability                      Retrieve server capabilities via IMAP
imap-copy                            Copy messages via IMAP
imap-create                          Create mailboxes via IMAP
imap-delete                          Delete mailboxes or messages via IMAP
imap-enable                          Enable IMAP extensions
imap-examine                         Examine mailboxes via IMAP
imap-expunge                         Expunge deleted messages via IMAP
imap-fetch                           Fetch messages or metadata via IMAP
imap-id                              Retrieve server ID via IMAP
imap-idle                            Use IMAP IDLE command
imap-list                            List mailboxes via IMAP
imap-list-rights                     List rights via IMAP
imap-lsub                            List subscribed mailboxes via IMAP
imap-move                            Move messages via IMAP
imap-my-rights                       Retrieve own rights via IMAP
imap-namespace                       Retrieve namespaces via IMAP
imap-rename                          Rename mailboxes via IMAP
imap-search                          Search messages via IMAP
imap-select                          Select mailboxes via IMAP
imap-sort                            Sort messages via IMAP
imap-status                          Retrieve mailbox status via IMAP
imap-store                           Modify message flags via IMAP
imap-subscribe                       Subscribe to mailboxes via IMAP
imap-thread                          Thread messages via IMAP
impersonate                          Act on behalf of another user
incoming-report-delete               Remove incoming DMARC, TLS and ARF reports
incoming-report-get                  Retrieve specific incoming DMARC, TLS and ARF reports
incoming-report-list                 View incoming DMARC, TLS and ARF reports
individual-create                    Add new user accounts
individual-delete                    Remove user accounts
individual-get                       Retrieve specific account information
individual-list                      View list of user accounts
individual-update                    Modify user account information
jmap-blob-copy                       Copy blobs via JMAP
jmap-blob-get                        Retrieve blobs via JMAP
jmap-blob-lookup                     Look up blobs via JMAP
jmap-blob-upload                     Upload blobs via JMAP
jmap-echo                            Perform JMAP echo requests
jmap-email-changes                   Track email changes via JMAP
jmap-email-copy                      Copy emails via JMAP
jmap-email-get                       Retrieve emails via JMAP
jmap-email-import                    Import emails via JMAP
jmap-email-parse                     Parse emails via JMAP
jmap-email-query                     Perform email queries via JMAP
jmap-email-query-changes             Track email query changes via JMAP
jmap-email-set                       Modify emails via JMAP
jmap-email-submission-changes        Track email submission changes via JMAP
jmap-email-submission-get            Retrieve email submission info via JMAP
jmap-email-submission-query          Perform email submission queries via JMAP
jmap-email-submission-query-changes  Track email submission query changes via JMAP
jmap-email-submission-set            Modify email submission settings via JMAP
jmap-identity-changes                Track identity changes via JMAP
jmap-identity-get                    Retrieve user identities via JMAP
jmap-identity-set                    Modify user identities via JMAP
jmap-mailbox-changes                 Track mailbox changes via JMAP
jmap-mailbox-get                     Retrieve mailboxes via JMAP
jmap-mailbox-query                   Perform mailbox queries via JMAP
jmap-mailbox-query-changes           Track mailbox query changes via JMAP
jmap-mailbox-set                     Modify mailboxes via JMAP
jmap-principal-get                   Retrieve principal information via JMAP
jmap-principal-query                 Perform principal queries via JMAP
jmap-principal-query-changes         Track principal query changes via JMAP
jmap-push-subscription-get           Retrieve push subscriptions via JMAP
jmap-push-subscription-set           Modify push subscriptions via JMAP
jmap-quota-changes                   Track quota changes via JMAP
jmap-quota-get                       Retrieve quota information via JMAP
jmap-quota-query                     Perform quota queries via JMAP
jmap-quota-query-changes             Track quota query changes via JMAP
jmap-search-snippet                  Retrieve search snippets via JMAP
jmap-sieve-script-get                Retrieve Sieve scripts via JMAP
jmap-sieve-script-query              Perform Sieve script queries via JMAP
jmap-sieve-script-query-changes      Track Sieve script query changes via JMAP
jmap-sieve-script-set                Modify Sieve scripts via JMAP
jmap-sieve-script-validate           Validate Sieve scripts via JMAP
jmap-thread-changes                  Track thread changes via JMAP
jmap-thread-get                      Retrieve email threads via JMAP
jmap-vacation-response-get           Retrieve vacation responses via JMAP
jmap-vacation-response-set           Modify vacation responses via JMAP
logs-view                            Access system logs
mailing-list-create                  Create new mailing lists
mailing-list-delete                  Remove mailing lists
mailing-list-get                     Retrieve specific mailing list information
mailing-list-list                    View list of mailing lists
mailing-list-update                  Modify mailing list information
manage-encryption                    Manage encryption-at-rest settings
manage-passwords                     Manage account passwords
message-queue-delete                 Remove messages from the queue
message-queue-get                    Retrieve specific messages from the queue
message-queue-list                   View message queue
message-queue-update                 Modify queued messages
metrics-list                         View stored metrics
metrics-live                         View real-time metrics
oauth-client-create                  Create new OAuth clients
oauth-client-delete                  Remove OAuth clients
oauth-client-get                     Retrieve specific OAuth clients
oauth-client-list                    View OAuth clients
oauth-client-override                Override OAuth client settings
oauth-client-registration            Register OAuth clients
oauth-client-update                  Modify OAuth clients
outgoing-report-delete               Remove outgoing DMARC and TLS reports
outgoing-report-get                  Retrieve specific outgoing DMARC and TLS reports
outgoing-report-list                 View outgoing DMARC and TLS reports
pop3-authenticate                    Authenticate via POP3
pop3-dele                            Mark messages for deletion via POP3
pop3-list                            List messages via POP3
pop3-retr                            Retrieve messages via POP3
pop3-stat                            Retrieve mailbox statistics via POP3
pop3-uidl                            Retrieve unique IDs via POP3
principal-create                     Create new principals
principal-delete                     Remove principals
principal-get                        Retrieve specific principal information
principal-list                       View list of principals
principal-update                     Modify principal information
purge-account                        Purge user accounts
purge-blob-store                     Purge the blob storage
purge-data-store                     Purge the data storage
purge-in-memory-store                Purge the in-memory storage
restart                              Restart the email server
role-create                          Create new roles
role-delete                          Remove roles
role-get                             Retrieve specific role information
role-list                            View list of roles
role-update                          Modify role information
settings-delete                      Remove system settings
settings-list                        View system settings
settings-reload                      Refresh system settings
settings-update                      Modify system settings
sieve-authenticate                   Authenticate for Sieve script management
sieve-check-script                   Validate Sieve scripts
sieve-delete-script                  Delete Sieve scripts
sieve-get-script                     Retrieve Sieve scripts
sieve-have-space                     Check available space for Sieve scripts
sieve-list-scripts                   List Sieve scripts
sieve-put-script                     Upload Sieve scripts
sieve-rename-script                  Rename Sieve scripts
sieve-set-active                     Set the active Sieve script
spam-filter-classify                 Classify emails with the spam filter
spam-filter-train                    Train the spam filter
spam-filter-update                   Modify spam filter settings
tenant-create                        Add new tenants
tenant-delete                        Remove tenants
tenant-get                           Retrieve specific tenant information
tenant-list                          View list of tenants
tenant-update                        Modify tenant information
tracing-get                          Retrieve specific trace information
tracing-list                         View stored traces
tracing-live                         Perform real-time tracing
troubleshoot                         Perform troubleshooting
undelete                             Restore deleted items
unlimited-requests                   Perform unlimited requests
unlimited-uploads                    Upload unlimited data
webadmin-update                      Modify web admin interface settings