Version: 0.16

Permissions

Permissions in Stalwart determine which actions and resources a principal is allowed to access. They can be assigned directly to individuals or groups, through roles, or on a tenant as a whole.

To simplify management, multiple permissions can be grouped into a Role object (found in the WebUI under Management › Directory › Roles) and assigned through a single reference on the principal.

Effective Permissions

Each principal carries two permission-related fields: enabledPermissions and disabledPermissions. On Account and Group objects these are wrapped by a Permissions mode that can be Inherit, Merge, or Replace, selecting how the listed permissions combine with those inherited from roles and the containing tenant. The effective permissions of a principal are computed as follows:

Start from the enabled permissions of any assigned roles.
Apply the principal's own enabledPermissions according to the configured mode (inherit, merge with, or replace the role-derived set).
Intersect with the tenant's enabled permissions, in multi-tenant deployments.
Subtract every permission listed in disabledPermissions at any level. Disabled permissions always take precedence.

The result is a layered model in which permissions can be added or removed at the role, principal, or tenant level.

Permissions vs. ACLs

Permissions in Stalwart are distinct from Access Control Lists (ACLs).

Permissions are defined by administrators and control which server-wide actions a principal may perform, such as managing settings, viewing logs, or sending email.
Access Control Lists are managed by users and grant other principals access to specific mailboxes, folders, or other per-resource data. ACLs are controlled through the IMAP ACL extension or JMAP and apply per resource.

Permissions are an administrative policy; ACLs are a user-level sharing mechanism.

Available Permissions

The following table lists the permissions recognised by the server and the built-in roles that include them:

Permission	Description	Admin role	Tenant admin role	User role
`ai-model-interact`	Interact with AI models	✅
`api-key-create`	Create new API keys	✅	✅
`api-key-delete`	Remove API keys	✅	✅
`api-key-get`	Retrieve specific API keys	✅	✅
`api-key-list`	View API keys	✅	✅
`api-key-update`	Modify API keys	✅	✅
`authenticate`	Authenticate	✅	✅	✅
`authenticate-oauth`	Authenticate via OAuth	✅	✅	✅
`blob-fetch`	Retrieve arbitrary blobs	✅
`calendar-alarms`	Receive calendar alarms via e-mail	✅	✅	✅
`calendar-scheduling-receive`	Receive calendar scheduling requests via e-mail	✅	✅	✅
`calendar-scheduling-send`	Send calendar scheduling requests via e-mail	✅	✅	✅
`dav-cal-acl`	Manage access control lists for calendar entries	✅	✅	✅
`dav-cal-copy`	Copy calendar entries to new locations	✅	✅	✅
`dav-cal-delete`	Remove calendar entries or collections	✅	✅	✅
`dav-cal-free-busy-query`	Query free/busy time information for scheduling	✅	✅	✅
`dav-cal-get`	Download calendar entries	✅	✅	✅
`dav-cal-lock`	Lock calendar entries to prevent concurrent modifications	✅	✅	✅
`dav-cal-mk-col`	Create new calendar collections	✅	✅	✅
`dav-cal-move`	Move calendar entries to new locations	✅	✅	✅
`dav-cal-multi-get`	Retrieve multiple calendar entries in a single request	✅	✅	✅
`dav-cal-prop-find`	Retrieve properties of calendar entries	✅	✅	✅
`dav-cal-prop-patch`	Modify properties of calendar entries	✅	✅	✅
`dav-cal-put`	Upload or modify calendar entries	✅	✅	✅
`dav-cal-query`	Search for calendar entries matching criteria	✅	✅	✅
`dav-card-acl`	Manage access control lists for address book entries	✅	✅	✅
`dav-card-copy`	Copy address book entries to new locations	✅	✅	✅
`dav-card-delete`	Remove address book entries or collections	✅	✅	✅
`dav-card-get`	Download address book entries	✅	✅	✅
`dav-card-lock`	Lock address book entries to prevent concurrent modifications	✅	✅	✅
`dav-card-mk-col`	Create new address book collections	✅	✅	✅
`dav-card-move`	Move address book entries to new locations	✅	✅	✅
`dav-card-multi-get`	Retrieve multiple address book entries in a single request	✅	✅	✅
`dav-card-prop-find`	Retrieve properties of address book entries	✅	✅	✅
`dav-card-prop-patch`	Modify properties of address book entries	✅	✅	✅
`dav-card-put`	Upload or modify address book entries	✅	✅	✅
`dav-card-query`	Search for address book entries matching criteria	✅	✅	✅
`dav-expand-property`	Expand properties that reference other resources	✅	✅	✅
`dav-file-acl`	Manage access control lists for file resources	✅	✅	✅
`dav-file-copy`	Copy file resources to new locations	✅	✅	✅
`dav-file-delete`	Remove file resources	✅	✅	✅
`dav-file-get`	Download file resources	✅	✅	✅
`dav-file-lock`	Lock file resources to prevent concurrent modifications	✅	✅	✅
`dav-file-mk-col`	Create new file collections or directories	✅	✅	✅
`dav-file-move`	Move file resources to new locations	✅	✅	✅
`dav-file-prop-find`	Retrieve properties of file resources	✅	✅	✅
`dav-file-prop-patch`	Modify properties of file resources	✅	✅	✅
`dav-file-put`	Upload or modify file resources	✅	✅	✅
`dav-principal-acl`	Set principal properties for access control	✅	✅	✅
`dav-principal-list`	List available principals in the system	✅	✅	✅
`dav-principal-match`	Match principals based on specified criteria	✅	✅	✅
`dav-principal-search`	Search for principals by property values	✅	✅	✅
`dav-principal-search-prop-set`	Define property sets for principal searches	✅	✅	✅
`dav-sync-collection`	Synchronize collection changes with client	✅	✅	✅
`dkim-signature-create`	Create DKIM signatures for email authentication	✅	✅
`dkim-signature-get`	Retrieve DKIM signature information	✅	✅
`domain-create`	Add new email domains	✅	✅
`domain-delete`	Remove email domains	✅	✅
`domain-get`	Retrieve specific domain information	✅	✅
`domain-list`	View list of email domains	✅	✅
`domain-update`	Modify domain information	✅	✅
`email-receive`	Receive emails	✅	✅	✅
`email-send`	Send emails	✅	✅	✅
`fts-reindex`	Rebuild the full-text search index	✅
`group-create`	Add new user groups	✅	✅
`group-delete`	Remove user groups	✅	✅
`group-get`	Retrieve specific group information	✅	✅
`group-list`	View list of user groups	✅	✅
`group-update`	Modify group information	✅	✅
`imap-acl-get`	Retrieve ACLs via IMAP	✅	✅	✅
`imap-acl-set`	Set ACLs via IMAP	✅	✅	✅
`imap-append`	Append messages via IMAP	✅	✅	✅
`imap-authenticate`	Authenticate via IMAP	✅	✅	✅
`imap-capability`	Retrieve server capabilities via IMAP	✅	✅	✅
`imap-copy`	Copy messages via IMAP	✅	✅	✅
`imap-create`	Create mailboxes via IMAP	✅	✅	✅
`imap-delete`	Delete mailboxes or messages via IMAP	✅	✅	✅
`imap-enable`	Enable IMAP extensions	✅	✅	✅
`imap-examine`	Examine mailboxes via IMAP	✅	✅	✅
`imap-expunge`	Expunge deleted messages via IMAP	✅	✅	✅
`imap-fetch`	Fetch messages or metadata via IMAP	✅	✅	✅
`imap-id`	Retrieve server ID via IMAP	✅	✅	✅
`imap-idle`	Use IMAP IDLE command	✅	✅	✅
`imap-list`	List mailboxes via IMAP	✅	✅	✅
`imap-list-rights`	List rights via IMAP	✅	✅	✅
`imap-lsub`	List subscribed mailboxes via IMAP	✅	✅	✅
`imap-move`	Move messages via IMAP	✅	✅	✅
`imap-my-rights`	Retrieve own rights via IMAP	✅	✅	✅
`imap-namespace`	Retrieve namespaces via IMAP	✅	✅	✅
`imap-rename`	Rename mailboxes via IMAP	✅	✅	✅
`imap-search`	Search messages via IMAP	✅	✅	✅
`imap-select`	Select mailboxes via IMAP	✅	✅	✅
`imap-sort`	Sort messages via IMAP	✅	✅	✅
`imap-status`	Retrieve mailbox status via IMAP	✅	✅	✅
`imap-store`	Modify message flags via IMAP	✅	✅	✅
`imap-subscribe`	Subscribe to mailboxes via IMAP	✅	✅	✅
`imap-thread`	Thread messages via IMAP	✅	✅	✅
`impersonate`	Act on behalf of another user	✅
`incoming-report-delete`	Remove incoming DMARC, TLS and ARF reports	✅	✅
`incoming-report-get`	Retrieve specific incoming DMARC, TLS and ARF reports	✅	✅
`incoming-report-list`	View incoming DMARC, TLS and ARF reports	✅	✅
`individual-create`	Add new user accounts	✅	✅
`individual-delete`	Remove user accounts	✅	✅
`individual-get`	Retrieve specific account information	✅	✅
`individual-list`	View list of user accounts	✅	✅
`individual-update`	Modify user account information	✅	✅
`jmap-address-book-changes`	Track address book changes via JMAP	✅	✅	✅
`jmap-address-book-get`	Retrieve address books via JMAP	✅	✅	✅
`jmap-address-book-set`	Create or update address books via JMAP	✅	✅	✅
`jmap-blob-copy`	Copy blobs via JMAP	✅	✅	✅
`jmap-blob-get`	Retrieve blobs via JMAP	✅	✅	✅
`jmap-blob-lookup`	Look up blobs via JMAP	✅	✅	✅
`jmap-blob-upload`	Upload blobs via JMAP	✅	✅	✅
`jmap-calendar-changes`	Track calendar changes via JMAP	✅	✅	✅
`jmap-calendar-event-changes`	Track calendar event changes via JMAP	✅	✅	✅
`jmap-calendar-event-copy`	Copy calendar events to new locations via JMAP	✅	✅	✅
`jmap-calendar-event-get`	Retrieve calendar events via JMAP	✅	✅	✅
`jmap-calendar-event-notification-changes`	Track calendar event notification changes via JMAP	✅	✅	✅
`jmap-calendar-event-notification-get`	Retrieve calendar event notifications via JMAP	✅	✅	✅
`jmap-calendar-event-notification-query`	Search for calendar event notifications matching criteria via JMAP	✅	✅	✅
`jmap-calendar-event-notification-query-changes`	Track calendar event notification query changes via JMAP	✅	✅	✅
`jmap-calendar-event-notification-set`	Create or update calendar event notifications via JMAP	✅	✅	✅
`jmap-calendar-event-parse`	Parse calendar events via JMAP	✅	✅	✅
`jmap-calendar-event-query`	Search for calendar events matching criteria via JMAP	✅	✅	✅
`jmap-calendar-event-query-changes`	Track calendar event query changes via JMAP	✅	✅	✅
`jmap-calendar-event-set`	Create or update calendar events via JMAP	✅	✅	✅
`jmap-calendar-get`	Retrieve calendars via JMAP	✅	✅	✅
`jmap-calendar-set`	Create or update calendars via JMAP	✅	✅	✅
`jmap-contact-card-changes`	Track contact card changes via JMAP	✅	✅	✅
`jmap-contact-card-copy`	Copy contact cards to new locations via JMAP	✅	✅	✅
`jmap-contact-card-get`	Retrieve contact cards via JMAP	✅	✅	✅
`jmap-contact-card-parse`	Parse contact cards via JMAP	✅	✅	✅
`jmap-contact-card-query`	Search for contact cards matching criteria via JMAP	✅	✅	✅
`jmap-contact-card-query-changes`	Track contact card query changes via JMAP	✅	✅	✅
`jmap-contact-card-set`	Create or update contact cards via JMAP	✅	✅	✅
`jmap-echo`	Perform JMAP echo requests	✅	✅	✅
`jmap-email-changes`	Track email changes via JMAP	✅	✅	✅
`jmap-email-copy`	Copy emails via JMAP	✅	✅	✅
`jmap-email-get`	Retrieve emails via JMAP	✅	✅	✅
`jmap-email-import`	Import emails via JMAP	✅	✅	✅
`jmap-email-parse`	Parse emails via JMAP	✅	✅	✅
`jmap-email-query`	Perform email queries via JMAP	✅	✅	✅
`jmap-email-query-changes`	Track email query changes via JMAP	✅	✅	✅
`jmap-email-set`	Modify emails via JMAP	✅	✅	✅
`jmap-email-submission-changes`	Track email submission changes via JMAP	✅	✅	✅
`jmap-email-submission-get`	Retrieve email submission info via JMAP	✅	✅	✅
`jmap-email-submission-query`	Perform email submission queries via JMAP	✅	✅	✅
`jmap-email-submission-query-changes`	Track email submission query changes via JMAP	✅	✅	✅
`jmap-email-submission-set`	Modify email submission settings via JMAP	✅	✅	✅
`jmap-file-node-changes`	Track file node changes via JMAP	✅	✅	✅
`jmap-file-node-get`	Retrieve file nodes via JMAP	✅	✅	✅
`jmap-file-node-query`	Search for file nodes matching criteria via JMAP	✅	✅	✅
`jmap-file-node-query-changes`	Track file node query changes via JMAP	✅	✅	✅
`jmap-file-node-set`	Create or update file nodes via JMAP	✅	✅	✅
`jmap-identity-changes`	Track identity changes via JMAP	✅	✅	✅
`jmap-identity-get`	Retrieve user identities via JMAP	✅	✅	✅
`jmap-identity-set`	Modify user identities via JMAP	✅	✅	✅
`jmap-mailbox-changes`	Track mailbox changes via JMAP	✅	✅	✅
`jmap-mailbox-get`	Retrieve mailboxes via JMAP	✅	✅	✅
`jmap-mailbox-query`	Perform mailbox queries via JMAP	✅	✅	✅
`jmap-mailbox-query-changes`	Track mailbox query changes via JMAP	✅	✅	✅
`jmap-mailbox-set`	Modify mailboxes via JMAP	✅	✅	✅
`jmap-participant-identity-changes`	Track participant identity changes via JMAP	✅	✅	✅
`jmap-participant-identity-get`	Retrieve participant identity information via JMAP	✅	✅	✅
`jmap-participant-identity-set`	Create or update participant identities via JMAP	✅	✅	✅
`jmap-principal-changes`	Track principal changes via JMAP	✅	✅	✅
`jmap-principal-get`	Retrieve principal information via JMAP	✅	✅	✅
`jmap-principal-get-availability`	Retrieve availability information via JMAP	✅	✅	✅
`jmap-principal-query`	Perform principal queries via JMAP	✅	✅	✅
`jmap-principal-query-changes`	Track principal query changes via JMAP	✅	✅	✅
`jmap-push-subscription-get`	Retrieve push subscriptions via JMAP	✅	✅	✅
`jmap-push-subscription-set`	Modify push subscriptions via JMAP	✅	✅	✅
`jmap-quota-changes`	Track quota changes via JMAP	✅	✅	✅
`jmap-quota-get`	Retrieve quota information via JMAP	✅	✅	✅
`jmap-quota-query`	Perform quota queries via JMAP	✅	✅	✅
`jmap-quota-query-changes`	Track quota query changes via JMAP	✅	✅	✅
`jmap-search-snippet`	Retrieve search snippets via JMAP	✅	✅	✅
`jmap-share-notification-changes`	Track share notification changes via JMAP	✅	✅	✅
`jmap-share-notification-get`	Retrieve share notifications via JMAP	✅	✅	✅
`jmap-share-notification-query`	Search for share notifications matching criteria via JMAP	✅	✅	✅
`jmap-share-notification-query-changes`	Track share notification query changes via JMAP	✅	✅	✅
`jmap-share-notification-set`	Create or update share notifications via JMAP	✅	✅	✅
`jmap-sieve-script-get`	Retrieve Sieve scripts via JMAP	✅	✅	✅
`jmap-sieve-script-query`	Perform Sieve script queries via JMAP	✅	✅	✅
`jmap-sieve-script-query-changes`	Track Sieve script query changes via JMAP	✅	✅	✅
`jmap-sieve-script-set`	Modify Sieve scripts via JMAP	✅	✅	✅
`jmap-sieve-script-validate`	Validate Sieve scripts via JMAP	✅	✅	✅
`jmap-thread-changes`	Track thread changes via JMAP	✅	✅	✅
`jmap-thread-get`	Retrieve email threads via JMAP	✅	✅	✅
`jmap-vacation-response-get`	Retrieve vacation responses via JMAP	✅	✅	✅
`jmap-vacation-response-set`	Modify vacation responses via JMAP	✅	✅	✅
`logs-view`	Access system logs	✅
`mailing-list-create`	Create new mailing lists	✅	✅
`mailing-list-delete`	Remove mailing lists	✅	✅
`mailing-list-get`	Retrieve specific mailing list information	✅	✅
`mailing-list-list`	View list of mailing lists	✅	✅
`mailing-list-update`	Modify mailing list information	✅	✅
`manage-encryption`	Manage encryption-at-rest settings	✅	✅	✅
`manage-passwords`	Manage account passwords	✅	✅	✅
`message-queue-delete`	Remove messages from the queue	✅	✅
`message-queue-get`	Retrieve specific messages from the queue	✅	✅
`message-queue-list`	View message queue	✅	✅
`message-queue-update`	Modify queued messages	✅	✅
`metrics-list`	View stored metrics	✅
`metrics-live`	View real-time metrics	✅
`oauth-client-create`	Create new OAuth clients	✅
`oauth-client-delete`	Remove OAuth clients	✅
`oauth-client-get`	Retrieve specific OAuth clients	✅
`oauth-client-list`	View OAuth clients	✅
`oauth-client-override`	Override OAuth client settings	✅
`oauth-client-registration`	Register OAuth clients	✅
`oauth-client-update`	Modify OAuth clients	✅
`outgoing-report-delete`	Remove outgoing DMARC and TLS reports	✅	✅
`outgoing-report-get`	Retrieve specific outgoing DMARC and TLS reports	✅	✅
`outgoing-report-list`	View outgoing DMARC and TLS reports	✅	✅
`pop3-authenticate`	Authenticate via POP3	✅	✅	✅
`pop3-dele`	Mark messages for deletion via POP3	✅	✅	✅
`pop3-list`	List messages via POP3	✅	✅	✅
`pop3-retr`	Retrieve messages via POP3	✅	✅	✅
`pop3-stat`	Retrieve mailbox statistics via POP3	✅	✅	✅
`pop3-uidl`	Retrieve unique IDs via POP3	✅	✅	✅
`principal-create`	Create new principals	✅	✅
`principal-delete`	Remove principals	✅	✅
`principal-get`	Retrieve specific principal information	✅	✅
`principal-list`	View list of principals	✅	✅
`principal-update`	Modify principal information	✅	✅
`purge-account`	Purge user accounts	✅
`purge-blob-store`	Purge the blob storage	✅
`purge-data-store`	Purge the data storage	✅
`purge-in-memory-store`	Purge the in-memory storage	✅
`restart`	Restart the email server	✅
`role-create`	Create new roles	✅	✅
`role-delete`	Remove roles	✅	✅
`role-get`	Retrieve specific role information	✅	✅
`role-list`	View list of roles	✅	✅
`role-update`	Modify role information	✅	✅
`settings-delete`	Remove system settings	✅
`settings-list`	View system settings	✅
`settings-reload`	Refresh system settings	✅
`settings-update`	Modify system settings	✅
`sieve-authenticate`	Authenticate for Sieve script management	✅	✅	✅
`sieve-check-script`	Validate Sieve scripts	✅	✅	✅
`sieve-delete-script`	Delete Sieve scripts	✅	✅	✅
`sieve-get-script`	Retrieve Sieve scripts	✅	✅	✅
`sieve-have-space`	Check available space for Sieve scripts	✅	✅	✅
`sieve-list-scripts`	List Sieve scripts	✅	✅	✅
`sieve-put-script`	Upload Sieve scripts	✅	✅	✅
`sieve-rename-script`	Rename Sieve scripts	✅	✅	✅
`sieve-set-active`	Set active Sieve script	✅	✅	✅
`spam-filter-test`	Test the spam filter	✅	✅
`spam-filter-train`	Train the spam filter	✅	✅
`spam-filter-update`	Modify spam filter settings	✅
`tenant-create`	Add new tenants	✅
`tenant-delete`	Remove tenants	✅
`tenant-get`	Retrieve specific tenant information	✅
`tenant-list`	View list of tenants	✅
`tenant-update`	Modify tenant information	✅
`tracing-get`	Retrieve specific trace information	✅
`tracing-list`	View stored traces	✅
`tracing-live`	Perform real-time tracing	✅
`troubleshoot`	Perform troubleshooting	✅
`undelete`	Restore deleted items	✅	✅
`unlimited-requests`	Perform unlimited requests	✅
`unlimited-uploads`	Upload unlimited data	✅
`webadmin-update`	Modify web admin interface settings	✅

Effective Permissions​

Permissions vs. ACLs​

Available Permissions​

Effective Permissions

Permissions vs. ACLs

Available Permissions