Permissions
Permissions in Stalwart determine the specific actions and resources that a user, group, or entity is allowed to access. Permissions allow administrators to control fine-grained access to various operations within the mail server, providing a clear distinction between what actions an entity can or cannot perform. Permissions can be assigned directly to individuals, groups, roles, or even entire tenants, giving administrators comprehensive control over access policies.
To simplify the management of permissions, multiple permissions can be grouped together into roles. Assigning roles to users or groups allows administrators to more easily manage access by bundling related permissions rather than having to assign them individually.
Effective Permissions
Each principal type in Stalwart (such as individuals, groups, or roles) has two important fields related to permissions: `enabledPermissions` and `disabledPermissions`. The effective permissions for an individual are calculated by combining permissions from several levels:
- Enabled Permissions:
  - Start with the `enabledPermissions` assigned directly to the individual.
  - Combine these with the `enabledPermissions` of any roles that are assigned to the individual.
  - Finally, intersect these with the `enabledPermissions` of the tenant to which the individual belongs. Because this step is an intersection, a role can never grant a tenant's user a permission that the tenant itself has not been granted.
- Disabled Permissions:
  - Any permissions explicitly listed in the `disabledPermissions` field of the individual, roles, or tenant are subtracted from the total. This ensures that even if a permission is enabled at one level, it will be disabled if explicitly restricted at another.
This mechanism allows for a flexible yet precise approach to access control, ensuring that permissions are layered and can be modified at various levels to suit the needs of the organization.
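The following Rust program is an added illustration of the calculation described above; it is not Stalwart's own code, and the principal names, the `Principal` struct and the helper functions are hypothetical. It models the three levels (individual, roles, tenant) as sets and applies the rules in order: union the enabled sets of the individual and its roles, intersect with the tenant's enabled set, then subtract every disabled set. Treating an individual with no tenant as skipping the intersection step is an assumption, since the page only describes the tenant case.

```rust
use std::collections::BTreeSet;

/// A set of permission names such as "email-send" or "impersonate".
pub type Perms = BTreeSet<String>;

/// The two permission fields every principal carries (hypothetical struct,
/// mirroring the `enabledPermissions` / `disabledPermissions` fields).
pub struct Principal {
    pub enabled_permissions: Perms,
    pub disabled_permissions: Perms,
}

/// Build a permission set from string literals.
pub fn perms(names: &[&str]) -> Perms {
    names.iter().map(|s| s.to_string()).collect()
}

/// Effective permissions of an individual:
///   enabled   = (individual.enabled ∪ roles.enabled) ∩ tenant.enabled
///   effective = enabled − (individual.disabled ∪ roles.disabled ∪ tenant.disabled)
/// `tenant == None` means the individual belongs to no tenant; skipping the
/// intersection in that case is an assumption of this example.
pub fn effective_permissions(
    individual: &Principal,
    roles: &[&Principal],
    tenant: Option<&Principal>,
) -> Perms {
    // 1. Directly assigned permissions, plus those of every assigned role.
    let mut enabled: Perms = individual.enabled_permissions.clone();
    for role in roles {
        enabled.extend(role.enabled_permissions.iter().cloned());
    }
    // 2. Intersect with what the tenant is allowed to hand out at all.
    if let Some(t) = tenant {
        enabled = enabled.intersection(&t.enabled_permissions).cloned().collect();
    }
    // 3. Anything disabled at any level wins over an enable elsewhere.
    let mut disabled: Perms = individual.disabled_permissions.clone();
    for role in roles {
        disabled.extend(role.disabled_permissions.iter().cloned());
    }
    if let Some(t) = tenant {
        disabled.extend(t.disabled_permissions.iter().cloned());
    }
    enabled.difference(&disabled).cloned().collect()
}

/// Worked scenario with constructed principals (not real accounts):
/// - "alice" is granted mail plus `impersonate` and `logs-view` directly;
/// - the "helpdesk" role adds account lookup and password management but
///   explicitly disables `impersonate`;
/// - the "acme" tenant never enables `logs-view` and disables `manage-passwords`.
pub fn worked_example() -> Perms {
    let alice = Principal {
        enabled_permissions: perms(&["email-send", "email-receive", "impersonate", "logs-view"]),
        disabled_permissions: perms(&[]),
    };
    let helpdesk = Principal {
        enabled_permissions: perms(&["individual-list", "individual-get", "manage-passwords"]),
        disabled_permissions: perms(&["impersonate"]),
    };
    let acme = Principal {
        enabled_permissions: perms(&[
            "email-send", "email-receive", "impersonate",
            "individual-list", "individual-get", "manage-passwords", "settings-update",
        ]),
        disabled_permissions: perms(&["manage-passwords"]),
    };
    effective_permissions(&alice, &[&helpdesk], Some(&acme))
}

fn main() {
    // Expected: email-receive, email-send, individual-get, individual-list.
    // `impersonate` is removed by the role's disable list, `manage-passwords`
    // by the tenant's, and `logs-view` never survives the tenant intersection.
    for p in worked_example() {
        println!("{p}");
    }
}
```

The scenario shows the two ways a grant can be lost: `logs-view` is enabled on the individual but dropped by the tenant intersection, while `impersonate` and `manage-passwords` are enabled at one level and removed by a `disabledPermissions` entry at another.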
Permissions vs. ACLs
It's important to note that permissions in Stalwart are distinct from Access Control Lists (ACLs).
- Permissions: Defined by the administrator, permissions control access to specific resources and actions within the mail server itself. These determine what a user or entity is allowed to do globally within the system, such as managing settings, accessing logs, or sending emails.
- Access Control Lists (ACLs): Managed by users, ACLs grant other users or groups access to their emails, folders, or other specific data. ACLs, typically controlled via the IMAP ACL extension or JMAP, regulate how one user's data is shared with others and are applied on a per-folder or per-resource basis.
In summary, permissions are centrally controlled by administrators to define what actions and resources can be accessed by whom, while ACLs give users control over how their own data is shared and accessed by others. Together, they offer robust and flexible security and access control within the Stalwart environment.
Available Permissions
Stalwart provides a wide range of permissions that can be assigned to users, groups, roles, or tenants. These permissions cover various aspects of the mail server, including managing users, domains, settings, and more. The following table lists the available permissions as well as the built-in roles that include them:
Permission | Description | Admin role | Tenant admin role | User role |
---|---|---|---|---|
ai-model-interact | Interact with AI models | ✅ | ||
api-key-create | Create new API keys | ✅ | ✅ | |
api-key-delete | Remove API keys | ✅ | ✅ | |
api-key-get | Retrieve specific API keys | ✅ | ✅ | |
api-key-list | View API keys | ✅ | ✅ | |
api-key-update | Modify API keys | ✅ | ✅ | |
authenticate | Authenticate | ✅ | ✅ | ✅ |
authenticate-oauth | Authenticate via OAuth | ✅ | ✅ | ✅ |
blob-fetch | Retrieve arbitrary blobs | ✅ | ||
dav-cal-acl | Manage access control lists for calendar entries | ✅ | ✅ | ✅ |
dav-cal-copy | Copy calendar entries to new locations | ✅ | ✅ | ✅ |
dav-cal-delete | Remove calendar entries or collections | ✅ | ✅ | ✅ |
dav-cal-free-busy-query | Query free/busy time information for scheduling | ✅ | ✅ | ✅ |
dav-cal-get | Download calendar entries | ✅ | ✅ | ✅ |
dav-cal-lock | Lock calendar entries to prevent concurrent modifications | ✅ | ✅ | ✅ |
dav-cal-mk-col | Create new calendar collections | ✅ | ✅ | ✅ |
dav-cal-move | Move calendar entries to new locations | ✅ | ✅ | ✅ |
dav-cal-multi-get | Retrieve multiple calendar entries in a single request | ✅ | ✅ | ✅ |
dav-cal-prop-find | Retrieve properties of calendar entries | ✅ | ✅ | ✅ |
dav-cal-prop-patch | Modify properties of calendar entries | ✅ | ✅ | ✅ |
dav-cal-put | Upload or modify calendar entries | ✅ | ✅ | ✅ |
dav-cal-query | Search for calendar entries matching criteria | ✅ | ✅ | ✅ |
dav-card-acl | Manage access control lists for address book entries | ✅ | ✅ | ✅ |
dav-card-copy | Copy address book entries to new locations | ✅ | ✅ | ✅ |
dav-card-delete | Remove address book entries or collections | ✅ | ✅ | ✅ |
dav-card-get | Download address book entries | ✅ | ✅ | ✅ |
dav-card-lock | Lock address book entries to prevent concurrent modifications | ✅ | ✅ | ✅ |
dav-card-mk-col | Create new address book collections | ✅ | ✅ | ✅ |
dav-card-move | Move address book entries to new locations | ✅ | ✅ | ✅ |
dav-card-multi-get | Retrieve multiple address book entries in a single request | ✅ | ✅ | ✅ |
dav-card-prop-find | Retrieve properties of address book entries | ✅ | ✅ | ✅ |
dav-card-prop-patch | Modify properties of address book entries | ✅ | ✅ | ✅ |
dav-card-put | Upload or modify address book entries | ✅ | ✅ | ✅ |
dav-card-query | Search for address book entries matching criteria | ✅ | ✅ | ✅ |
dav-expand-property | Expand properties that reference other resources | ✅ | ✅ | ✅ |
dav-file-acl | Manage access control lists for file resources | ✅ | ✅ | ✅ |
dav-file-copy | Copy file resources to new locations | ✅ | ✅ | ✅ |
dav-file-delete | Remove file resources | ✅ | ✅ | ✅ |
dav-file-get | Download file resources | ✅ | ✅ | ✅ |
dav-file-lock | Lock file resources to prevent concurrent modifications | ✅ | ✅ | ✅ |
dav-file-mk-col | Create new file collections or directories | ✅ | ✅ | ✅ |
dav-file-move | Move file resources to new locations | ✅ | ✅ | ✅ |
dav-file-prop-find | Retrieve properties of file resources | ✅ | ✅ | ✅ |
dav-file-prop-patch | Modify properties of file resources | ✅ | ✅ | ✅ |
dav-file-put | Upload or modify file resources | ✅ | ✅ | ✅ |
dav-principal-acl | Set principal properties for access control | ✅ | ✅ | ✅ |
dav-principal-list | List available principals in the system | ✅ | ||
dav-principal-match | Match principals based on specified criteria | ✅ | ✅ | ✅ |
dav-principal-search | Search for principals by property values | ✅ | ||
dav-principal-search-prop-set | Define property sets for principal searches | ✅ | ✅ | ✅ |
dav-sync-collection | Synchronize collection changes with client | ✅ | ✅ | ✅ |
delete-system-folders | Delete system folders | ✅ | ||
dkim-signature-create | Create DKIM signatures for email authentication | ✅ | ✅ | |
dkim-signature-get | Retrieve DKIM signature information | ✅ | ✅ | |
domain-create | Add new email domains | ✅ | ✅ | |
domain-delete | Remove email domains | ✅ | ✅ | |
domain-get | Retrieve specific domain information | ✅ | ✅ | |
domain-list | View list of email domains | ✅ | ✅ | |
domain-update | Modify domain information | ✅ | ✅ | |
email-receive | Receive emails | ✅ | ✅ | ✅ |
email-send | Send emails | ✅ | ✅ | ✅ |
fts-reindex | Rebuild the full-text search index | ✅ | ||
group-create | Add new user groups | ✅ | ✅ | |
group-delete | Remove user groups | ✅ | ✅ | |
group-get | Retrieve specific group information | ✅ | ✅ | |
group-list | View list of user groups | ✅ | ✅ | |
group-update | Modify group information | ✅ | ✅ | |
imap-acl-get | Retrieve ACLs via IMAP | ✅ | ✅ | ✅ |
imap-acl-set | Set ACLs via IMAP | ✅ | ✅ | ✅ |
imap-append | Append messages via IMAP | ✅ | ✅ | ✅ |
imap-authenticate | Authenticate via IMAP | ✅ | ✅ | ✅ |
imap-capability | Retrieve server capabilities via IMAP | ✅ | ✅ | ✅ |
imap-copy | Copy messages via IMAP | ✅ | ✅ | ✅ |
imap-create | Create mailboxes via IMAP | ✅ | ✅ | ✅ |
imap-delete | Delete mailboxes or messages via IMAP | ✅ | ✅ | ✅ |
imap-enable | Enable IMAP extensions | ✅ | ✅ | ✅ |
imap-examine | Examine mailboxes via IMAP | ✅ | ✅ | ✅ |
imap-expunge | Expunge deleted messages via IMAP | ✅ | ✅ | ✅ |
imap-fetch | Fetch messages or metadata via IMAP | ✅ | ✅ | ✅ |
imap-id | Retrieve server ID via IMAP | ✅ | ✅ | ✅ |
imap-idle | Use IMAP IDLE command | ✅ | ✅ | ✅ |
imap-list | List mailboxes via IMAP | ✅ | ✅ | ✅ |
imap-list-rights | List rights via IMAP | ✅ | ✅ | ✅ |
imap-lsub | List subscribed mailboxes via IMAP | ✅ | ✅ | ✅ |
imap-move | Move messages via IMAP | ✅ | ✅ | ✅ |
imap-my-rights | Retrieve own rights via IMAP | ✅ | ✅ | ✅ |
imap-namespace | Retrieve namespaces via IMAP | ✅ | ✅ | ✅ |
imap-rename | Rename mailboxes via IMAP | ✅ | ✅ | ✅ |
imap-search | Search messages via IMAP | ✅ | ✅ | ✅ |
imap-select | Select mailboxes via IMAP | ✅ | ✅ | ✅ |
imap-sort | Sort messages via IMAP | ✅ | ✅ | ✅ |
imap-status | Retrieve mailbox status via IMAP | ✅ | ✅ | ✅ |
imap-store | Modify message flags via IMAP | ✅ | ✅ | ✅ |
imap-subscribe | Subscribe to mailboxes via IMAP | ✅ | ✅ | ✅ |
imap-thread | Thread messages via IMAP | ✅ | ✅ | ✅ |
impersonate | Act on behalf of another user | ✅ | ||
incoming-report-delete | Remove incoming DMARC, TLS and ARF reports | ✅ | ✅ | |
incoming-report-get | Retrieve specific incoming DMARC, TLS and ARF reports | ✅ | ✅ | |
incoming-report-list | View incoming DMARC, TLS and ARF reports | ✅ | ✅ | |
individual-create | Add new user accounts | ✅ | ✅ | |
individual-delete | Remove user accounts | ✅ | ✅ | |
individual-get | Retrieve specific account information | ✅ | ✅ | |
individual-list | View list of user accounts | ✅ | ✅ | |
individual-update | Modify user account information | ✅ | ✅ | |
jmap-blob-copy | Copy blobs via JMAP | ✅ | ✅ | ✅ |
jmap-blob-get | Retrieve blobs via JMAP | ✅ | ✅ | ✅ |
jmap-blob-lookup | Look up blobs via JMAP | ✅ | ✅ | ✅ |
jmap-blob-upload | Upload blobs via JMAP | ✅ | ✅ | ✅ |
jmap-echo | Perform JMAP echo requests | ✅ | ✅ | ✅ |
jmap-email-changes | Track email changes via JMAP | ✅ | ✅ | ✅ |
jmap-email-copy | Copy emails via JMAP | ✅ | ✅ | ✅ |
jmap-email-get | Retrieve emails via JMAP | ✅ | ✅ | ✅ |
jmap-email-import | Import emails via JMAP | ✅ | ✅ | ✅ |
jmap-email-parse | Parse emails via JMAP | ✅ | ✅ | ✅ |
jmap-email-query | Perform email queries via JMAP | ✅ | ✅ | ✅ |
jmap-email-query-changes | Track email query changes via JMAP | ✅ | ✅ | ✅ |
jmap-email-set | Modify emails via JMAP | ✅ | ✅ | ✅ |
jmap-email-submission-changes | Track email submission changes via JMAP | ✅ | ✅ | ✅ |
jmap-email-submission-get | Retrieve email submission info via JMAP | ✅ | ✅ | ✅ |
jmap-email-submission-query | Perform email submission queries via JMAP | ✅ | ✅ | ✅ |
jmap-email-submission-query-changes | Track email submission query changes via JMAP | ✅ | ✅ | ✅ |
jmap-email-submission-set | Modify email submission settings via JMAP | ✅ | ✅ | ✅ |
jmap-identity-changes | Track identity changes via JMAP | ✅ | ✅ | ✅ |
jmap-identity-get | Retrieve user identities via JMAP | ✅ | ✅ | ✅ |
jmap-identity-set | Modify user identities via JMAP | ✅ | ✅ | ✅ |
jmap-mailbox-changes | Track mailbox changes via JMAP | ✅ | ✅ | ✅ |
jmap-mailbox-get | Retrieve mailboxes via JMAP | ✅ | ✅ | ✅ |
jmap-mailbox-query | Perform mailbox queries via JMAP | ✅ | ✅ | ✅ |
jmap-mailbox-query-changes | Track mailbox query changes via JMAP | ✅ | ✅ | ✅ |
jmap-mailbox-set | Modify mailboxes via JMAP | ✅ | ✅ | ✅ |
jmap-principal-get | Retrieve principal information via JMAP | ✅ | ✅ | |
jmap-principal-query | Perform principal queries via JMAP | ✅ | ✅ | |
jmap-principal-query-changes | Track principal query changes via JMAP | ✅ | ✅ | |
jmap-push-subscription-get | Retrieve push subscriptions via JMAP | ✅ | ✅ | ✅ |
jmap-push-subscription-set | Modify push subscriptions via JMAP | ✅ | ✅ | ✅ |
jmap-quota-changes | Track quota changes via JMAP | ✅ | ✅ | ✅ |
jmap-quota-get | Retrieve quota information via JMAP | ✅ | ✅ | ✅ |
jmap-quota-query | Perform quota queries via JMAP | ✅ | ✅ | ✅ |
jmap-quota-query-changes | Track quota query changes via JMAP | ✅ | ✅ | ✅ |
jmap-search-snippet | Retrieve search snippets via JMAP | ✅ | ✅ | ✅ |
jmap-sieve-script-get | Retrieve Sieve scripts via JMAP | ✅ | ✅ | ✅ |
jmap-sieve-script-query | Perform Sieve script queries via JMAP | ✅ | ✅ | ✅ |
jmap-sieve-script-query-changes | Track Sieve script query changes via JMAP | ✅ | ✅ | ✅ |
jmap-sieve-script-set | Modify Sieve scripts via JMAP | ✅ | ✅ | ✅ |
jmap-sieve-script-validate | Validate Sieve scripts via JMAP | ✅ | ✅ | ✅ |
jmap-thread-changes | Track thread changes via JMAP | ✅ | ✅ | ✅ |
jmap-thread-get | Retrieve email threads via JMAP | ✅ | ✅ | ✅ |
jmap-vacation-response-get | Retrieve vacation responses via JMAP | ✅ | ✅ | ✅ |
jmap-vacation-response-set | Modify vacation responses via JMAP | ✅ | ✅ | ✅ |
logs-view | Access system logs | ✅ | ||
mailing-list-create | Create new mailing lists | ✅ | ✅ | |
mailing-list-delete | Remove mailing lists | ✅ | ✅ | |
mailing-list-get | Retrieve specific mailing list information | ✅ | ✅ | |
mailing-list-list | View list of mailing lists | ✅ | ✅ | |
mailing-list-update | Modify mailing list information | ✅ | ✅ | |
manage-encryption | Manage encryption-at-rest settings | ✅ | ✅ | ✅ |
manage-passwords | Manage account passwords | ✅ | ✅ | ✅ |
message-queue-delete | Remove messages from the queue | ✅ | ✅ | |
message-queue-get | Retrieve specific messages from the queue | ✅ | ✅ | |
message-queue-list | View message queue | ✅ | ✅ | |
message-queue-update | Modify queued messages | ✅ | ✅ | |
metrics-list | View stored metrics | ✅ | ||
metrics-live | View real-time metrics | ✅ | ||
oauth-client-create | Create new OAuth clients | ✅ | ||
oauth-client-delete | Remove OAuth clients | ✅ | ||
oauth-client-get | Retrieve specific OAuth clients | ✅ | ||
oauth-client-list | View OAuth clients | ✅ | ||
oauth-client-override | Override OAuth client settings | ✅ | ||
oauth-client-registration | Register OAuth clients | ✅ | ||
oauth-client-update | Modify OAuth clients | ✅ | ||
outgoing-report-delete | Remove outgoing DMARC and TLS reports | ✅ | ✅ | |
outgoing-report-get | Retrieve specific outgoing DMARC and TLS reports | ✅ | ✅ | |
outgoing-report-list | View outgoing DMARC and TLS reports | ✅ | ✅ | |
pop3-authenticate | Authenticate via POP3 | ✅ | ✅ | ✅ |
pop3-dele | Mark messages for deletion via POP3 | ✅ | ✅ | ✅ |
pop3-list | List messages via POP3 | ✅ | ✅ | ✅ |
pop3-retr | Retrieve messages via POP3 | ✅ | ✅ | ✅ |
pop3-stat | Retrieve mailbox statistics via POP3 | ✅ | ✅ | ✅ |
pop3-uidl | Retrieve unique IDs via POP3 | ✅ | ✅ | ✅ |
principal-create | Create new principals | ✅ | ✅ | |
principal-delete | Remove principals | ✅ | ✅ | |
principal-get | Retrieve specific principal information | ✅ | ✅ | |
principal-list | View list of principals | ✅ | ✅ | |
principal-update | Modify principal information | ✅ | ✅ | |
purge-account | Purge user accounts | ✅ | ||
purge-blob-store | Purge the blob storage | ✅ | ||
purge-data-store | Purge the data storage | ✅ | ||
purge-in-memory-store | Purge the in-memory storage | ✅ | ||
restart | Restart the email server | ✅ | ||
role-create | Create new roles | ✅ | ✅ | |
role-delete | Remove roles | ✅ | ✅ | |
role-get | Retrieve specific role information | ✅ | ✅ | |
role-list | View list of roles | ✅ | ✅ | |
role-update | Modify role information | ✅ | ✅ | |
settings-delete | Remove system settings | ✅ | ||
settings-list | View system settings | ✅ | ||
settings-reload | Refresh system settings | ✅ | ||
settings-update | Modify system settings | ✅ | ||
sieve-authenticate | Authenticate for Sieve script management | ✅ | ✅ | ✅ |
sieve-check-script | Validate Sieve scripts | ✅ | ✅ | ✅ |
sieve-delete-script | Delete Sieve scripts | ✅ | ✅ | ✅ |
sieve-get-script | Retrieve Sieve scripts | ✅ | ✅ | ✅ |
sieve-have-space | Check available space for Sieve scripts | ✅ | ✅ | ✅ |
sieve-list-scripts | List Sieve scripts | ✅ | ✅ | ✅ |
sieve-put-script | Upload Sieve scripts | ✅ | ✅ | ✅ |
sieve-rename-script | Rename Sieve scripts | ✅ | ✅ | ✅ |
sieve-set-active | Set active Sieve script | ✅ | ✅ | ✅ |
spam-filter-classify | Classify emails with the spam filter | ✅ | ✅ | ✅ |
spam-filter-train | Train the spam filter | ✅ | ✅ | ✅ |
spam-filter-update | Modify spam filter settings | ✅ | ||
tenant-create | Add new tenants | ✅ | ||
tenant-delete | Remove tenants | ✅ | ||
tenant-get | Retrieve specific tenant information | ✅ | ||
tenant-list | View list of tenants | ✅ | ||
tenant-update | Modify tenant information | ✅ | ||
tracing-get | Retrieve specific trace information | ✅ | ||
tracing-list | View stored traces | ✅ | ||
tracing-live | Perform real-time tracing | ✅ | ||
troubleshoot | Perform troubleshooting | ✅ | ||
undelete | Restore deleted items | ✅ | ✅ | |
unlimited-requests | Perform unlimited requests | ✅ | ||
unlimited-uploads | Upload unlimited data | ✅ | ||
webadmin-update | Modify web admin interface settings | ✅ | ||