Permissions
Permissions in Stalwart Mail Server determine which actions and resources a user, group, or other entity is allowed to access. They give administrators fine-grained control over the operations the mail server exposes, drawing a clear line between what an entity can and cannot do. Permissions can be assigned directly to individuals, groups, roles, or entire tenants, which lets administrators express access policy at whichever level fits the organization.
To simplify the management of permissions, multiple permissions can be grouped together into roles. Assigning roles to users or groups allows administrators to more easily manage access by bundling related permissions rather than having to assign them individually.
Effective Permissions
Each principal type in Stalwart Mail Server (such as individuals, groups, roles, or tenants) has two fields related to permissions: `enabledPermissions` and `disabledPermissions`. The effective permissions of an individual are calculated by combining the permissions defined at several levels:

- Enabled permissions:
  - Start with the `enabledPermissions` assigned directly to the individual.
  - Add to these (set union) the `enabledPermissions` of every role assigned to the individual.
  - Finally, intersect the result with the `enabledPermissions` of the tenant to which the individual belongs. The tenant therefore acts as a ceiling: a permission the tenant does not enable can never be granted to one of its members, whatever roles they hold.
- Disabled permissions:
  - Any permissions explicitly listed in the `disabledPermissions` field of the individual, of any of its roles, or of its tenant are subtracted from the total. This ensures that even if a permission is enabled at one level, it is disabled if explicitly restricted at another: a deny at any level wins over a grant at any other level.
This mechanism allows for a flexible yet precise approach to access control, ensuring that permissions are layered and can be modified at various levels to suit the needs of the organization.
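The rule above is easiest to verify on concrete principals. The following is an added example, not Stalwart's own code: it models the computation with plain Python sets over a constructed directory (the tenant `acme`, the roles `helpdesk`, `mailbox` and `send-freeze`, and the users `alice` and `bob` are all invented for illustration), and adds a small audit that flags administrator-grade permissions surviving into a user's effective set.

```python
"""Illustrative model of effective-permission calculation (added example, not
Stalwart code). Follows the documented rule: individual enabledPermissions,
union roles' enabledPermissions, intersect tenant enabledPermissions, then
subtract disabledPermissions collected from individual, roles and tenant."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    enabled: FrozenSet[str] = frozenset()   # enabledPermissions
    disabled: FrozenSet[str] = frozenset()  # disabledPermissions
    roles: Tuple[str, ...] = ()             # names of assigned roles
    tenant: Optional[str] = None            # name of the owning tenant, if any


def effective_permissions(user: Principal, directory: Dict[str, Principal]) -> FrozenSet[str]:
    """Return the permissions the user ends up with after all three levels."""
    roles = [directory[r] for r in user.roles]
    tenant = directory[user.tenant] if user.tenant else None

    # 1. Union of the individual's own grants and those of its roles.
    enabled = set(user.enabled)
    for role in roles:
        enabled |= role.enabled

    # 2. The tenant is a ceiling: keep only what the tenant itself enables.
    if tenant is not None:
        enabled &= tenant.enabled

    # 3. A deny at any level (individual, role or tenant) removes the permission.
    disabled = set(user.disabled)
    for role in roles:
        disabled |= role.disabled
    if tenant is not None:
        disabled |= tenant.disabled

    return frozenset(enabled - disabled)


# Permissions from this page that grant cross-account or system-wide power;
# a non-administrator holding any of them deserves a second look.
SENSITIVE = frozenset({
    "impersonate", "blob-fetch", "settings-update", "settings-delete",
    "purge-data-store", "purge-blob-store", "purge-account", "sieve-run",
})


def over_privileged(user: Principal, directory: Dict[str, Principal]) -> FrozenSet[str]:
    """Sensitive permissions that remain in the user's effective set."""
    return effective_permissions(user, directory) & SENSITIVE


# Constructed directory for the example (all names are hypothetical).
DIRECTORY: Dict[str, Principal] = {
    # Tenant enables a mailbox baseline plus a few account-management rights.
    "acme": Principal("acme", enabled=frozenset({
        "email-send", "email-receive", "imap-authenticate", "imap-fetch",
        "individual-list", "individual-update", "manage-passwords", "impersonate",
    })),
    # Roles: one for support staff, one for ordinary mailbox use, and one that
    # only carries a deny (a role may list disabledPermissions alone).
    "helpdesk": Principal("helpdesk", enabled=frozenset({
        "individual-list", "individual-update", "impersonate", "manage-passwords",
    })),
    "mailbox": Principal("mailbox", enabled=frozenset({
        "email-send", "email-receive", "imap-authenticate", "imap-fetch", "tracing-live",
    })),
    "send-freeze": Principal("send-freeze", disabled=frozenset({"email-send"})),
    # alice: tenant member; impersonate denied on the individual itself.
    "alice": Principal("alice", disabled=frozenset({"impersonate"}),
                       roles=("helpdesk", "mailbox", "send-freeze"), tenant="acme"),
    # bob: no tenant ceiling and no deny, so the helpdesk grant stands.
    "bob": Principal("bob", roles=("helpdesk",)),
}


if __name__ == "__main__":
    for name in ("alice", "bob"):
        user = DIRECTORY[name]
        print(name, sorted(effective_permissions(user, DIRECTORY)),
              "flagged:", sorted(over_privileged(user, DIRECTORY)))
```

For `alice`, `tracing-live` disappears through the tenant intersection even though the `mailbox` role grants it, `email-send` is removed by the deny carried on the `send-freeze` role, and `impersonate` is removed by the deny on the individual although both the role and the tenant enable it. For `bob`, who has no tenant and no deny, `impersonate` survives and the audit flags it.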
Permissions vs. ACLs
It's important to note that permissions in Stalwart Mail Server are distinct from Access Control Lists (ACLs).
- Permissions: Defined by the administrator, permissions control access to specific resources and actions within the mail server itself. They determine what a user or entity is allowed to do globally within the system, such as managing settings, accessing logs, or sending email.
- Access Control Lists (ACLs): Managed by users, ACLs grant other users or groups access to the owner's emails, folders, or other specific data. ACLs are typically controlled through the IMAP ACL extension or JMAP, regulate how one user's data is shared with others, and are applied on a per-folder or per-resource basis.
In summary, permissions are centrally controlled by administrators to define which actions and resources can be accessed by whom, while ACLs give users control over how their own data is shared with and accessed by others. The two layers are applied together: a user must hold the relevant permission (for example `imap-acl-set`) before they can manage ACLs at all, and an ACL granted by another user does not bypass the permissions the administrator has withheld.
Available Permissions
Stalwart Mail Server provides a wide range of permissions that can be assigned to users, groups, roles, or tenants. These permissions cover various aspects of the mail server, including managing users, domains, settings, and more. The following table lists the available permissions as well as the built-in roles that include them:
Permission | Description | Admin role | Tenant admin role | User role |
---|---|---|---|---|
impersonate | Act on behalf of another user | ✅ | ||
unlimited-requests | Perform unlimited requests | ✅ | ||
unlimited-uploads | Upload unlimited data | ✅ | ||
delete-system-folders | Delete system folders | ✅ | ||
message-queue-list | View message queue | ✅ | ✅ | |
message-queue-get | Retrieve specific messages from the queue | ✅ | ✅ | |
message-queue-update | Modify queued messages | ✅ | ✅ | |
message-queue-delete | Remove messages from the queue | ✅ | ✅ | |
outgoing-report-list | View outgoing DMARC and TLS reports | ✅ | ✅ | |
outgoing-report-get | Retrieve specific outgoing DMARC and TLS reports | ✅ | ✅ | |
outgoing-report-delete | Remove outgoing DMARC and TLS reports | ✅ | ✅ | |
incoming-report-list | View incoming DMARC, TLS and ARF reports | ✅ | ✅ | |
incoming-report-get | Retrieve specific incoming DMARC, TLS and ARF reports | ✅ | ✅ | |
incoming-report-delete | Remove incoming DMARC, TLS and ARF reports | ✅ | ✅ | |
settings-list | View system settings | ✅ | ||
settings-update | Modify system settings | ✅ | ||
settings-delete | Remove system settings | ✅ | ||
settings-reload | Refresh system settings | ✅ | ||
individual-list | View list of user accounts | ✅ | ✅ | |
individual-get | Retrieve specific account information | ✅ | ✅ | |
individual-update | Modify user account information | ✅ | ✅ | |
individual-delete | Remove user accounts | ✅ | ✅ | |
individual-create | Add new user accounts | ✅ | ✅ | |
group-list | View list of user groups | ✅ | ✅ | |
group-get | Retrieve specific group information | ✅ | ✅ | |
group-update | Modify group information | ✅ | ✅ | |
group-delete | Remove user groups | ✅ | ✅ | |
group-create | Add new user groups | ✅ | ✅ | |
domain-list | View list of email domains | ✅ | ✅ | |
domain-get | Retrieve specific domain information | ✅ | ✅ | |
domain-create | Add new email domains | ✅ | ✅ | |
domain-update | Modify domain information | ✅ | ✅ | |
domain-delete | Remove email domains | ✅ | ✅ | |
tenant-list | View list of tenants | ✅ | ||
tenant-get | Retrieve specific tenant information | ✅ | ||
tenant-create | Add new tenants | ✅ | ||
tenant-update | Modify tenant information | ✅ | ||
tenant-delete | Remove tenants | ✅ | ||
mailing-list-list | View list of mailing lists | ✅ | ✅ | |
mailing-list-get | Retrieve specific mailing list information | ✅ | ✅ | |
mailing-list-create | Create new mailing lists | ✅ | ✅ | |
mailing-list-update | Modify mailing list information | ✅ | ✅ | |
mailing-list-delete | Remove mailing lists | ✅ | ✅ | |
role-list | View list of roles | ✅ | ✅ | |
role-get | Retrieve specific role information | ✅ | ✅ | |
role-create | Create new roles | ✅ | ✅ | |
role-update | Modify role information | ✅ | ✅ | |
role-delete | Remove roles | ✅ | ✅ | |
principal-list | View list of principals | ✅ | ✅ | |
principal-get | Retrieve specific principal information | ✅ | ✅ | |
principal-create | Create new principals | ✅ | ✅ | |
principal-update | Modify principal information | ✅ | ✅ | |
principal-delete | Remove principals | ✅ | ✅ | |
blob-fetch | Retrieve arbitrary blobs | ✅ | ||
purge-blob-store | Purge the blob storage | ✅ | ||
purge-data-store | Purge the data storage | ✅ | ||
purge-lookup-store | Purge the lookup storage | ✅ | ||
purge-account | Purge user accounts | ✅ | ||
fts-reindex | Rebuild the full-text search index | ✅ | ||
undelete | Restore deleted items | ✅ | ✅ | |
dkim-signature-create | Create DKIM signatures for email authentication | ✅ | ✅ | |
dkim-signature-get | Retrieve DKIM signature information | ✅ | ✅ | |
update-spam-filter | Modify spam filter settings | ✅ | ||
update-webadmin | Modify web admin interface settings | ✅ | ||
logs-view | Access system logs | ✅ | ||
sieve-run | Execute Sieve scripts from the REST API | ✅ | ||
restart | Restart the email server | ✅ | ||
tracing-list | View stored traces | ✅ | ||
tracing-get | Retrieve specific trace information | ✅ | ||
tracing-live | Perform real-time tracing | ✅ | ||
metrics-list | View stored metrics | ✅ | ||
metrics-live | View real-time metrics | ✅ | ||
authenticate | Authenticate | ✅ | ✅ | ✅ |
authenticate-oauth | Authenticate via OAuth | ✅ | ✅ | ✅ |
email-send | Send emails | ✅ | ✅ | ✅ |
email-receive | Receive emails | ✅ | ✅ | ✅ |
manage-encryption | Manage encryption-at-rest settings | ✅ | ✅ | ✅ |
manage-passwords | Manage account passwords | ✅ | ✅ | ✅ |
jmap-email-get | Retrieve emails via JMAP | ✅ | ✅ | ✅ |
jmap-mailbox-get | Retrieve mailboxes via JMAP | ✅ | ✅ | ✅ |
jmap-thread-get | Retrieve email threads via JMAP | ✅ | ✅ | ✅ |
jmap-identity-get | Retrieve user identities via JMAP | ✅ | ✅ | ✅ |
jmap-email-submission-get | Retrieve email submission info via JMAP | ✅ | ✅ | ✅ |
jmap-push-subscription-get | Retrieve push subscriptions via JMAP | ✅ | ✅ | ✅ |
jmap-sieve-script-get | Retrieve Sieve scripts via JMAP | ✅ | ✅ | ✅ |
jmap-vacation-response-get | Retrieve vacation responses via JMAP | ✅ | ✅ | ✅ |
jmap-principal-get | Retrieve principal information via JMAP | ✅ | ✅ | |
jmap-quota-get | Retrieve quota information via JMAP | ✅ | ✅ | ✅ |
jmap-blob-get | Retrieve blobs via JMAP | ✅ | ✅ | ✅ |
jmap-email-set | Modify emails via JMAP | ✅ | ✅ | ✅ |
jmap-mailbox-set | Modify mailboxes via JMAP | ✅ | ✅ | ✅ |
jmap-identity-set | Modify user identities via JMAP | ✅ | ✅ | ✅ |
jmap-email-submission-set | Modify email submission settings via JMAP | ✅ | ✅ | ✅ |
jmap-push-subscription-set | Modify push subscriptions via JMAP | ✅ | ✅ | ✅ |
jmap-sieve-script-set | Modify Sieve scripts via JMAP | ✅ | ✅ | ✅ |
jmap-vacation-response-set | Modify vacation responses via JMAP | ✅ | ✅ | ✅ |
jmap-email-changes | Track email changes via JMAP | ✅ | ✅ | ✅ |
jmap-mailbox-changes | Track mailbox changes via JMAP | ✅ | ✅ | ✅ |
jmap-thread-changes | Track thread changes via JMAP | ✅ | ✅ | ✅ |
jmap-identity-changes | Track identity changes via JMAP | ✅ | ✅ | ✅ |
jmap-email-submission-changes | Track email submission changes via JMAP | ✅ | ✅ | ✅ |
jmap-quota-changes | Track quota changes via JMAP | ✅ | ✅ | ✅ |
jmap-email-copy | Copy emails via JMAP | ✅ | ✅ | ✅ |
jmap-blob-copy | Copy blobs via JMAP | ✅ | ✅ | ✅ |
jmap-email-import | Import emails via JMAP | ✅ | ✅ | ✅ |
jmap-email-parse | Parse emails via JMAP | ✅ | ✅ | ✅ |
jmap-email-query-changes | Track email query changes via JMAP | ✅ | ✅ | ✅ |
jmap-mailbox-query-changes | Track mailbox query changes via JMAP | ✅ | ✅ | ✅ |
jmap-email-submission-query-changes | Track email submission query changes via JMAP | ✅ | ✅ | ✅ |
jmap-sieve-script-query-changes | Track Sieve script query changes via JMAP | ✅ | ✅ | ✅ |
jmap-principal-query-changes | Track principal query changes via JMAP | ✅ | ✅ | |
jmap-quota-query-changes | Track quota query changes via JMAP | ✅ | ✅ | ✅ |
jmap-email-query | Perform email queries via JMAP | ✅ | ✅ | ✅ |
jmap-mailbox-query | Perform mailbox queries via JMAP | ✅ | ✅ | ✅ |
jmap-email-submission-query | Perform email submission queries via JMAP | ✅ | ✅ | ✅ |
jmap-sieve-script-query | Perform Sieve script queries via JMAP | ✅ | ✅ | ✅ |
jmap-principal-query | Perform principal queries via JMAP | ✅ | ✅ | |
jmap-quota-query | Perform quota queries via JMAP | ✅ | ✅ | ✅ |
jmap-search-snippet | Retrieve search snippets via JMAP | ✅ | ✅ | ✅ |
jmap-sieve-script-validate | Validate Sieve scripts via JMAP | ✅ | ✅ | ✅ |
jmap-blob-lookup | Look up blobs via JMAP | ✅ | ✅ | ✅ |
jmap-blob-upload | Upload blobs via JMAP | ✅ | ✅ | ✅ |
jmap-echo | Perform JMAP echo requests | ✅ | ✅ | ✅ |
imap-authenticate | Authenticate via IMAP | ✅ | ✅ | ✅ |
imap-acl-get | Retrieve ACLs via IMAP | ✅ | ✅ | ✅ |
imap-acl-set | Set ACLs via IMAP | ✅ | ✅ | ✅ |
imap-my-rights | Retrieve own rights via IMAP | ✅ | ✅ | ✅ |
imap-list-rights | List rights via IMAP | ✅ | ✅ | ✅ |
imap-append | Append messages via IMAP | ✅ | ✅ | ✅ |
imap-capability | Retrieve server capabilities via IMAP | ✅ | ✅ | ✅ |
imap-id | Retrieve server ID via IMAP | ✅ | ✅ | ✅ |
imap-copy | Copy messages via IMAP | ✅ | ✅ | ✅ |
imap-move | Move messages via IMAP | ✅ | ✅ | ✅ |
imap-create | Create mailboxes via IMAP | ✅ | ✅ | ✅ |
imap-delete | Delete mailboxes or messages via IMAP | ✅ | ✅ | ✅ |
imap-enable | Enable IMAP extensions | ✅ | ✅ | ✅ |
imap-expunge | Expunge deleted messages via IMAP | ✅ | ✅ | ✅ |
imap-fetch | Fetch messages or metadata via IMAP | ✅ | ✅ | ✅ |
imap-idle | Use IMAP IDLE command | ✅ | ✅ | ✅ |
imap-list | List mailboxes via IMAP | ✅ | ✅ | ✅ |
imap-lsub | List subscribed mailboxes via IMAP | ✅ | ✅ | ✅ |
imap-namespace | Retrieve namespaces via IMAP | ✅ | ✅ | ✅ |
imap-rename | Rename mailboxes via IMAP | ✅ | ✅ | ✅ |
imap-search | Search messages via IMAP | ✅ | ✅ | ✅ |
imap-sort | Sort messages via IMAP | ✅ | ✅ | ✅ |
imap-select | Select mailboxes via IMAP | ✅ | ✅ | ✅ |
imap-examine | Examine mailboxes via IMAP | ✅ | ✅ | ✅ |
imap-status | Retrieve mailbox status via IMAP | ✅ | ✅ | ✅ |
imap-store | Modify message flags via IMAP | ✅ | ✅ | ✅ |
imap-subscribe | Subscribe to mailboxes via IMAP | ✅ | ✅ | ✅ |
imap-thread | Thread messages via IMAP | ✅ | ✅ | ✅ |
pop3-authenticate | Authenticate via POP3 | ✅ | ✅ | ✅ |
pop3-list | List messages via POP3 | ✅ | ✅ | ✅ |
pop3-uidl | Retrieve unique IDs via POP3 | ✅ | ✅ | ✅ |
pop3-stat | Retrieve mailbox statistics via POP3 | ✅ | ✅ | ✅ |
pop3-retr | Retrieve messages via POP3 | ✅ | ✅ | ✅ |
pop3-dele | Mark messages for deletion via POP3 | ✅ | ✅ | ✅ |
sieve-authenticate | Authenticate for Sieve script management | ✅ | ✅ | ✅ |
sieve-list-scripts | List Sieve scripts | ✅ | ✅ | ✅ |
sieve-set-active | Set active Sieve script | ✅ | ✅ | ✅ |
sieve-get-script | Retrieve Sieve scripts | ✅ | ✅ | ✅ |
sieve-put-script | Upload Sieve scripts | ✅ | ✅ | ✅ |
sieve-delete-script | Delete Sieve scripts | ✅ | ✅ | ✅ |
sieve-rename-script | Rename Sieve scripts | ✅ | ✅ | ✅ |
sieve-check-script | Validate Sieve scripts | ✅ | ✅ | ✅ |
sieve-have-space | Check available space for Sieve scripts | ✅ | ✅ | ✅ |
api-key-list | View API keys | ✅ | ✅ | |
api-key-get | Retrieve specific API keys | ✅ | ✅ | |
api-key-create | Create new API keys | ✅ | ✅ | |
api-key-update | Modify API keys | ✅ | ✅ | |
api-key-delete | Remove API keys | ✅ | ✅ | |
oauth-client-list | View OAuth clients | ✅ | ||
oauth-client-get | Retrieve specific OAuth clients | ✅ | ||
oauth-client-create | Create new OAuth clients | ✅ | ||
oauth-client-update | Modify OAuth clients | ✅ | ||
oauth-client-delete | Remove OAuth clients | ✅ | ||
oauth-client-registration | Register OAuth clients | ✅ | ||
oauth-client-override | Override OAuth client settings | ✅ | ||
ai-model-interact | Interact with AI models | ✅ | | |