Role
Defines a named set of permissions that can be assigned to accounts, groups, or tenants.
This object can be configured from the WebUI under Management › Directory › Roles.
Fields
description
Type: String · required
Description of the role
memberTenantId
Type: Id<Tenant>?
Identifier for the tenant this role belongs to
roleIds
Type: Id<Role>[]
List of roles this role extends
enabledPermissions
Type: Permission[]
List of permissions that are explicitly enabled.
disabledPermissions
Type: Permission[]
List of permissions that are explicitly disabled, even if they would be inherited through other roles or groups. This takes precedence over enabled permissions.
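The inheritance and precedence rules of roleIds, enabledPermissions and disabledPermissions, as an added Python example for auditing exported roles offline (not Stalwart's own code). The role ids and the ROLES data are constructed, the helper names are hypothetical, and it assumes that a disable found anywhere in the inheritance chain overrides every enable.

```python
# Constructed sample data shaped like the Role fields documented above.
# Role ids are made up; permission names are the ones this page mentions.
ROLES = {
    "r-read": {"description": "Role viewer", "roleIds": [],
               "enabledPermissions": ["sysRoleGet", "sysRoleQuery"],
               "disabledPermissions": []},
    "r-admin": {"description": "Role admin", "roleIds": ["r-read"],
                "enabledPermissions": ["sysRoleCreate", "sysRoleUpdate", "sysRoleDestroy"],
                "disabledPermissions": []},
    # Extends r-admin but explicitly removes two of its permissions.
    "r-helpdesk": {"description": "Helpdesk", "roleIds": ["r-admin"],
                   "enabledPermissions": ["sysRoleUpdate"],
                   "disabledPermissions": ["sysRoleDestroy", "sysRoleUpdate"]},
    # Misconfiguration: two roles that extend each other.
    "r-loop-a": {"description": "Loop A", "roleIds": ["r-loop-b"],
                 "enabledPermissions": ["sysRoleGet"], "disabledPermissions": []},
    "r-loop-b": {"description": "Loop B", "roleIds": ["r-loop-a"],
                 "enabledPermissions": ["sysRoleQuery"], "disabledPermissions": []},
}

def _members(value):
    """Accept a JSON list, or an object whose keys are the set members."""
    return set(value or ())

def collect(role_id, roles, seen=None):
    """Return (enabled, disabled) gathered from role_id and every role it extends."""
    seen = set() if seen is None else seen
    if role_id in seen or role_id not in roles:  # cycle or dangling reference
        return set(), set()
    seen.add(role_id)
    role = roles[role_id]
    enabled = _members(role.get("enabledPermissions"))
    disabled = _members(role.get("disabledPermissions"))
    for parent in _members(role.get("roleIds")):
        p_enabled, p_disabled = collect(parent, roles, seen)
        enabled |= p_enabled
        disabled |= p_disabled  # assumption: disables accumulate across the chain
    return enabled, disabled

def effective_permissions(role_id, roles=ROLES):
    """Disabled entries take precedence over enabled ones, inherited or not."""
    enabled, disabled = collect(role_id, roles)
    return enabled - disabled

def roles_granting(permission, roles=ROLES):
    """Audit helper: ids of roles whose effective set contains `permission`."""
    return sorted(r for r in roles if permission in effective_permissions(r, roles))
```

Running `roles_granting("sysRoleUpdate")` over an export of all roles shows which of them can still modify role definitions once inheritance and disables are resolved.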
JMAP API
The Role object is available via the urn:stalwart:jmap capability.
x:Role/get
This is a standard Foo/get method as defined in RFC 8620, Section 5.1.
This method requires the sysRoleGet permission.
```bash
# Double quotes so the shell expands $TOKEN
curl -X POST https://mail.example.com/api \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "methodCalls": [
      ["x:Role/get", { "ids": ["id1"] }, "c1"]
    ],
    "using": ["urn:ietf:params:jmap:core", "urn:stalwart:jmap"]
  }'
```
x:Role/set
This is a standard Foo/set method as defined in RFC 8620, Section 5.3.
Supports create, update, and destroy operations in a single call.
Create
This operation requires the sysRoleCreate permission.
```bash
# Double quotes so the shell expands $TOKEN
curl -X POST https://mail.example.com/api \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "methodCalls": [
      ["x:Role/set", {
        "create": {
          "new1": {
            "description": "Example",
            "disabledPermissions": {},
            "enabledPermissions": {},
            "roleIds": {}
          }
        }
      }, "c1"]
    ],
    "using": ["urn:ietf:params:jmap:core", "urn:stalwart:jmap"]
  }'
```
Update
This operation requires the sysRoleUpdate permission.
```bash
# Double quotes so the shell expands $TOKEN
curl -X POST https://mail.example.com/api \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "methodCalls": [
      ["x:Role/set", {
        "update": { "id1": { "description": "updated value" } }
      }, "c1"]
    ],
    "using": ["urn:ietf:params:jmap:core", "urn:stalwart:jmap"]
  }'
```
Destroy
This operation requires the sysRoleDestroy permission.
```bash
# Double quotes so the shell expands $TOKEN
curl -X POST https://mail.example.com/api \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "methodCalls": [
      ["x:Role/set", { "destroy": ["id1"] }, "c1"]
    ],
    "using": ["urn:ietf:params:jmap:core", "urn:stalwart:jmap"]
  }'
```
x:Role/query
This is a standard Foo/query method as defined in RFC 8620, Section 5.5.
This method requires the sysRoleQuery permission.
```bash
# Double quotes so the shell expands $TOKEN
curl -X POST https://mail.example.com/api \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "methodCalls": [
      ["x:Role/query", { "filter": { "description": "example" } }, "c1"]
    ],
    "using": ["urn:ietf:params:jmap:core", "urn:stalwart:jmap"]
  }'
```
The x:Role/query filter argument accepts the following conditions (combinable with AnyOf / AllOf / Not per RFC 8620):
| Condition | Kind |
|---|---|
| description | text |
| memberTenantId | id of Tenant |
stalwart-cli wraps the same JMAP calls. See the CLI reference for installation, authentication, and general usage.
```bash
stalwart-cli get Role id1
```
Create
```bash
stalwart-cli create Role \
  --field description=Example \
  --field 'roleIds={}' \
  --field 'enabledPermissions={}' \
  --field 'disabledPermissions={}'
```
```bash
stalwart-cli query Role
stalwart-cli query Role --where description=example
```
Update
```bash
stalwart-cli update Role id1 --field description='updated value'
```
Delete
```bash
stalwart-cli delete Role --ids id1
```