Permissions

Permissions in Stalwart Mail Server determine the specific actions and resources that a user, group, or entity is allowed to access. Permissions allow administrators to control fine-grained access to various operations within the mail server, providing a clear distinction between what actions an entity can or cannot perform. Permissions can be assigned directly to individuals, groups, roles, or even entire tenants, giving administrators comprehensive control over access policies.

To simplify the management of permissions, multiple permissions can be grouped together into roles. Assigning roles to users or groups allows administrators to more easily manage access by bundling related permissions rather than having to assign them individually.

Effective Permissions

Each principal type in Stalwart Mail Server (such as individuals, groups, or roles) has two important fields related to permissions: enabledPermissions and disabledPermissions. The effective permissions for an individual are calculated using a combination of permissions from various levels:

  • Enabled Permissions:
    • Start with the enabledPermissions assigned directly to the individual.
    • Combine these with the enabledPermissions of any roles that are assigned to the individual.
    • Finally, intersect these with the enabledPermissions of the tenant to which the individual belongs.
  • Disabled Permissions:
    • Any permission explicitly listed in the disabledPermissions field of the individual, of any of its roles, or of its tenant is subtracted from the result. A permission enabled at one level is therefore still denied if it is explicitly disabled at any other level.

This mechanism allows for a flexible yet precise approach to access control, ensuring that permissions are layered and can be modified at various levels to suit the needs of the organization.
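The calculation above, written out as an added example (constructed for this page, not code from Stalwart itself): the three permission sets are modelled as plain string sets, and the scenario in `example` assumes a tenant that does not enable settings-list and an individual whose disabledPermissions overrides a permission granted by one of its roles.

```rust
use std::collections::HashSet;

/// enabledPermissions / disabledPermissions of one principal
/// (an individual, a role or a tenant).
struct Principal {
    enabled: HashSet<&'static str>,
    disabled: HashSet<&'static str>,
}

impl Principal {
    fn new(enabled: &[&'static str], disabled: &[&'static str]) -> Self {
        Principal {
            enabled: enabled.iter().copied().collect(),
            disabled: disabled.iter().copied().collect(),
        }
    }
}

/// Effective permissions of an individual:
/// 1. union of the individual's enabledPermissions with those of its roles,
/// 2. intersected with the tenant's enabledPermissions,
/// 3. minus every disabledPermissions entry of individual, roles and tenant.
fn effective_permissions(
    individual: &Principal,
    roles: &[&Principal],
    tenant: &Principal,
) -> HashSet<&'static str> {
    let mut enabled = individual.enabled.clone();
    for role in roles {
        enabled.extend(role.enabled.iter().copied());
    }
    let mut effective: HashSet<&'static str> =
        enabled.intersection(&tenant.enabled).copied().collect();
    let denied = individual.disabled.iter()
        .chain(roles.iter().flat_map(|r| r.disabled.iter()))
        .chain(tenant.disabled.iter());
    for p in denied {
        effective.remove(p);
    }
    effective
}

/// Constructed scenario using permission names from the table on this page.
fn example() -> HashSet<&'static str> {
    // The tenant never enables settings-list, so no role can grant it.
    let tenant = Principal::new(
        &["authenticate", "email-send", "email-receive",
          "message-queue-list", "message-queue-delete"], &[]);
    // A hypothetical helpdesk role that manages the queue.
    let helpdesk = Principal::new(
        &["message-queue-list", "message-queue-delete", "settings-list"], &[]);
    // The individual is explicitly denied queue deletion despite the role.
    let alice = Principal::new(
        &["authenticate", "email-send"], &["message-queue-delete"]);
    effective_permissions(&alice, &[&helpdesk], &tenant)
}
```

`example` yields exactly authenticate, email-send and message-queue-list: settings-list is dropped by the tenant intersection and message-queue-delete by the individual's disabledPermissions.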

Permissions vs. ACLs

It's important to note that permissions in Stalwart Mail Server are distinct from Access Control Lists (ACLs).

  • Permissions: Defined by the administrator, permissions control access to specific resources and actions within the mail server itself. These determine what a user or entity is allowed to do globally within the system, such as managing settings, accessing logs, or sending emails.
  • Access Control Lists (ACLs): Managed by users, ACLs are used to grant other users or groups access to their emails, folders, or other specific data. ACLs, typically controlled via the IMAP ACL extension or JMAP, regulate how one user's data is shared with others and are applied on a per-folder or per-resource basis.

In summary, permissions are centrally controlled by administrators to define what actions and resources can be accessed by whom, while ACLs give users control over how their own data is shared and accessed by others. Together, they offer robust and flexible security and access control within the Stalwart Mail Server environment.

Available Permissions

Stalwart Mail Server provides a wide range of permissions that can be assigned to users, groups, roles, or tenants. These permissions cover various aspects of the mail server, including managing users, domains, settings, and more. The following table lists the available permissions as well as the built-in roles that include them:

| Permission | Description | Admin role | Tenant admin role | User role |
|---|---|---|---|---|
| impersonate | Act on behalf of another user | | | |
| unlimited-requests | Perform unlimited requests | | | |
| unlimited-uploads | Upload unlimited data | | | |
| delete-system-folders | Delete system folders | | | |
| message-queue-list | View message queue | | | |
| message-queue-get | Retrieve specific messages from the queue | | | |
| message-queue-update | Modify queued messages | | | |
| message-queue-delete | Remove messages from the queue | | | |
| outgoing-report-list | View outgoing DMARC and TLS reports | | | |
| outgoing-report-get | Retrieve specific outgoing DMARC and TLS reports | | | |
| outgoing-report-delete | Remove outgoing DMARC and TLS reports | | | |
| incoming-report-list | View incoming DMARC, TLS and ARF reports | | | |
| incoming-report-get | Retrieve specific incoming DMARC, TLS and ARF reports | | | |
| incoming-report-delete | Remove incoming DMARC, TLS and ARF reports | | | |
| settings-list | View system settings | | | |
| settings-update | Modify system settings | | | |
| settings-delete | Remove system settings | | | |
| settings-reload | Refresh system settings | | | |
| individual-list | View list of user accounts | | | |
| individual-get | Retrieve specific account information | | | |
| individual-update | Modify user account information | | | |
| individual-delete | Remove user accounts | | | |
| individual-create | Add new user accounts | | | |
| group-list | View list of user groups | | | |
| group-get | Retrieve specific group information | | | |
| group-update | Modify group information | | | |
| group-delete | Remove user groups | | | |
| group-create | Add new user groups | | | |
| domain-list | View list of email domains | | | |
| domain-get | Retrieve specific domain information | | | |
| domain-create | Add new email domains | | | |
| domain-update | Modify domain information | | | |
| domain-delete | Remove email domains | | | |
| tenant-list | View list of tenants | | | |
| tenant-get | Retrieve specific tenant information | | | |
| tenant-create | Add new tenants | | | |
| tenant-update | Modify tenant information | | | |
| tenant-delete | Remove tenants | | | |
| mailing-list-list | View list of mailing lists | | | |
| mailing-list-get | Retrieve specific mailing list information | | | |
| mailing-list-create | Create new mailing lists | | | |
| mailing-list-update | Modify mailing list information | | | |
| mailing-list-delete | Remove mailing lists | | | |
| role-list | View list of roles | | | |
| role-get | Retrieve specific role information | | | |
| role-create | Create new roles | | | |
| role-update | Modify role information | | | |
| role-delete | Remove roles | | | |
| principal-list | View list of principals | | | |
| principal-get | Retrieve specific principal information | | | |
| principal-create | Create new principals | | | |
| principal-update | Modify principal information | | | |
| principal-delete | Remove principals | | | |
| blob-fetch | Retrieve arbitrary blobs | | | |
| purge-blob-store | Purge the blob storage | | | |
| purge-data-store | Purge the data storage | | | |
| purge-lookup-store | Purge the lookup storage | | | |
| purge-account | Purge user accounts | | | |
| fts-reindex | Rebuild the full-text search index | | | |
| undelete | Restore deleted items | | | |
| dkim-signature-create | Create DKIM signatures for email authentication | | | |
| dkim-signature-get | Retrieve DKIM signature information | | | |
| update-spam-filter | Modify spam filter settings | | | |
| update-webadmin | Modify web admin interface settings | | | |
| logs-view | Access system logs | | | |
| sieve-run | Execute Sieve scripts from the REST API | | | |
| restart | Restart the email server | | | |
| tracing-list | View stored traces | | | |
| tracing-get | Retrieve specific trace information | | | |
| tracing-live | Perform real-time tracing | | | |
| metrics-list | View stored metrics | | | |
| metrics-live | View real-time metrics | | | |
| authenticate | Authenticate | | | |
| authenticate-oauth | Authenticate via OAuth | | | |
| email-send | Send emails | | | |
| email-receive | Receive emails | | | |
| manage-encryption | Manage encryption-at-rest settings | | | |
| manage-passwords | Manage account passwords | | | |
| jmap-email-get | Retrieve emails via JMAP | | | |
| jmap-mailbox-get | Retrieve mailboxes via JMAP | | | |
| jmap-thread-get | Retrieve email threads via JMAP | | | |
| jmap-identity-get | Retrieve user identities via JMAP | | | |
| jmap-email-submission-get | Retrieve email submission info via JMAP | | | |
| jmap-push-subscription-get | Retrieve push subscriptions via JMAP | | | |
| jmap-sieve-script-get | Retrieve Sieve scripts via JMAP | | | |
| jmap-vacation-response-get | Retrieve vacation responses via JMAP | | | |
| jmap-principal-get | Retrieve principal information via JMAP | | | |
| jmap-quota-get | Retrieve quota information via JMAP | | | |
| jmap-blob-get | Retrieve blobs via JMAP | | | |
| jmap-email-set | Modify emails via JMAP | | | |
| jmap-mailbox-set | Modify mailboxes via JMAP | | | |
| jmap-identity-set | Modify user identities via JMAP | | | |
| jmap-email-submission-set | Modify email submission settings via JMAP | | | |
| jmap-push-subscription-set | Modify push subscriptions via JMAP | | | |
| jmap-sieve-script-set | Modify Sieve scripts via JMAP | | | |
| jmap-vacation-response-set | Modify vacation responses via JMAP | | | |
| jmap-email-changes | Track email changes via JMAP | | | |
| jmap-mailbox-changes | Track mailbox changes via JMAP | | | |
| jmap-thread-changes | Track thread changes via JMAP | | | |
| jmap-identity-changes | Track identity changes via JMAP | | | |
| jmap-email-submission-changes | Track email submission changes via JMAP | | | |
| jmap-quota-changes | Track quota changes via JMAP | | | |
| jmap-email-copy | Copy emails via JMAP | | | |
| jmap-blob-copy | Copy blobs via JMAP | | | |
| jmap-email-import | Import emails via JMAP | | | |
| jmap-email-parse | Parse emails via JMAP | | | |
| jmap-email-query-changes | Track email query changes via JMAP | | | |
| jmap-mailbox-query-changes | Track mailbox query changes via JMAP | | | |
| jmap-email-submission-query-changes | Track email submission query changes via JMAP | | | |
| jmap-sieve-script-query-changes | Track Sieve script query changes via JMAP | | | |
| jmap-principal-query-changes | Track principal query changes via JMAP | | | |
| jmap-quota-query-changes | Track quota query changes via JMAP | | | |
| jmap-email-query | Perform email queries via JMAP | | | |
| jmap-mailbox-query | Perform mailbox queries via JMAP | | | |
| jmap-email-submission-query | Perform email submission queries via JMAP | | | |
| jmap-sieve-script-query | Perform Sieve script queries via JMAP | | | |
| jmap-principal-query | Perform principal queries via JMAP | | | |
| jmap-quota-query | Perform quota queries via JMAP | | | |
| jmap-search-snippet | Retrieve search snippets via JMAP | | | |
| jmap-sieve-script-validate | Validate Sieve scripts via JMAP | | | |
| jmap-blob-lookup | Look up blobs via JMAP | | | |
| jmap-blob-upload | Upload blobs via JMAP | | | |
| jmap-echo | Perform JMAP echo requests | | | |
| imap-authenticate | Authenticate via IMAP | | | |
| imap-acl-get | Retrieve ACLs via IMAP | | | |
| imap-acl-set | Set ACLs via IMAP | | | |
| imap-my-rights | Retrieve own rights via IMAP | | | |
| imap-list-rights | List rights via IMAP | | | |
| imap-append | Append messages via IMAP | | | |
| imap-capability | Retrieve server capabilities via IMAP | | | |
| imap-id | Retrieve server ID via IMAP | | | |
| imap-copy | Copy messages via IMAP | | | |
| imap-move | Move messages via IMAP | | | |
| imap-create | Create mailboxes via IMAP | | | |
| imap-delete | Delete mailboxes or messages via IMAP | | | |
| imap-enable | Enable IMAP extensions | | | |
| imap-expunge | Expunge deleted messages via IMAP | | | |
| imap-fetch | Fetch messages or metadata via IMAP | | | |
| imap-idle | Use IMAP IDLE command | | | |
| imap-list | List mailboxes via IMAP | | | |
| imap-lsub | List subscribed mailboxes via IMAP | | | |
| imap-namespace | Retrieve namespaces via IMAP | | | |
| imap-rename | Rename mailboxes via IMAP | | | |
| imap-search | Search messages via IMAP | | | |
| imap-sort | Sort messages via IMAP | | | |
| imap-select | Select mailboxes via IMAP | | | |
| imap-examine | Examine mailboxes via IMAP | | | |
| imap-status | Retrieve mailbox status via IMAP | | | |
| imap-store | Modify message flags via IMAP | | | |
| imap-subscribe | Subscribe to mailboxes via IMAP | | | |
| imap-thread | Thread messages via IMAP | | | |
| pop3-authenticate | Authenticate via POP3 | | | |
| pop3-list | List messages via POP3 | | | |
| pop3-uidl | Retrieve unique IDs via POP3 | | | |
| pop3-stat | Retrieve mailbox statistics via POP3 | | | |
| pop3-retr | Retrieve messages via POP3 | | | |
| pop3-dele | Mark messages for deletion via POP3 | | | |
| sieve-authenticate | Authenticate for Sieve script management | | | |
| sieve-list-scripts | List Sieve scripts | | | |
| sieve-set-active | Set active Sieve script | | | |
| sieve-get-script | Retrieve Sieve scripts | | | |
| sieve-put-script | Upload Sieve scripts | | | |
| sieve-delete-script | Delete Sieve scripts | | | |
| sieve-rename-script | Rename Sieve scripts | | | |
| sieve-check-script | Validate Sieve scripts | | | |
| sieve-have-space | Check available space for Sieve scripts | | | |
| api-key-list | View API keys | | | |
| api-key-get | Retrieve specific API keys | | | |
| api-key-create | Create new API keys | | | |
| api-key-update | Modify API keys | | | |
| api-key-delete | Remove API keys | | | |
| oauth-client-list | View OAuth clients | | | |
| oauth-client-get | Retrieve specific OAuth clients | | | |
| oauth-client-create | Create new OAuth clients | | | |
| oauth-client-update | Modify OAuth clients | | | |
| oauth-client-delete | Remove OAuth clients | | | |
| oauth-client-registration | Register OAuth clients | | | |
| oauth-client-override | Override OAuth client settings | | | |
| ai-model-interact | Interact with AI models | | | |