Overview
Authorization determines what actions an authenticated user or entity may perform within the server. Where authentication establishes identity, authorization controls what that identity is allowed to do once verified.
Permissions
Permissions in Stalwart determine which actions and resources a principal is allowed to access. They can be assigned directly to individuals or groups, through roles, or on a tenant as a whole.
Roles
Roles group permissions so that access can be managed across individuals, groups, and tenants without assigning every permission individually. Each role is represented by a Role object (found in the WebUI under Management › Directory › Roles) and can reference other roles, producing a hierarchical model in which a parent role inherits the permissions of its subroles.
Administrators
Stalwart has no dedicated "administrator account" type in the directory. Administrative capabilities are granted by assigning specific permissions to regular individual accounts. This avoids handing out blanket administrative privileges and allows each administrator to hold only the permissions required for the tasks they perform.
Tenants
Multi-tenancy allows several independent organisations, referred to as tenants, to share the same Stalwart deployment while keeping their data and resources isolated from one another. A tenant is a logical division within the server: it has its own accounts, groups, mailing lists, and domains, and principals that belong to one tenant cannot reach resources that belong to another.
Quotas
Quotas regulate resource consumption on the server, ensuring fair allocation of storage and object capacity across accounts and tenants. They define limits on the amount of data an account may hold, as well as the number of objects of a given kind it may create. Quotas can be enforced per account or, in multi-tenant deployments, per tenant.