Roles and Permissions
MyEmailVault uses role-based access control (RBAC) with custom roles. Each role contains a set of policy statements that define exactly what a user with that role can do.
How It Works
Each role consists of one or more CASL policy statements. A policy statement is a pair of:
- Action -- What the user is allowed to do.
- Subject -- What resource the action applies to.
A user's effective permissions are the union of all policy statements in their assigned role.
Available Actions
| Action | Description |
|---|---|
| read | View a resource |
| create | Create a new resource |
| update | Modify an existing resource |
| delete | Remove a resource |
| sync | Trigger a synchronization operation |
| search | Search within a resource |
| manage | Full access (includes all actions) |
Available Subjects
| Subject | Description |
|---|---|
| archive | Archived emails |
| ingestion | Email ingestion sources |
| users | User accounts |
| roles | Role definitions |
| audit-log | Audit log entries |
| dashboard | Dashboard and analytics |
| settings | System settings |
| all | All resources (wildcard) |
Special Values
- The manage action grants every possible action on the specified subject.
- The all subject applies the action to every resource in the system.
- Combining manage + all grants unrestricted access to the entire platform.
Creating a Custom Role
1. Go to Settings > Roles.
2. Click Create Role.
3. Enter a name for the role.
4. Add one or more policy statements by selecting an action and a subject for each.
5. Save the role.
Assigning Roles to Users
Roles are assigned when creating or editing a user account in Settings > Users. Each user has exactly one role.
Example Roles
Super Admin
| Action | Subject |
|---|---|
| manage | all |
Full, unrestricted access to every feature and resource.
Auditor
| Action | Subject |
|---|---|
| read | archive |
| read | audit-log |
| search | archive |
Read-only access to the archive and audit log, with the ability to search archived emails. No access to settings, user management, or ingestion.
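
The action/subject matching described on this page, written out as an added example (not MyEmailVault's or CASL's own code). The pair representation and the function names can, effectivePermissions and reviewRole are assumptions made for illustration; the role contents are the Super Admin and Auditor examples above.

```javascript
// Added illustration of the action/subject model on this page.
// Not MyEmailVault's or CASL's code; names and data shapes are assumptions.
const ACTIONS = ['read', 'create', 'update', 'delete', 'sync', 'search'];
const SUBJECTS = ['archive', 'ingestion', 'users', 'roles',
                  'audit-log', 'dashboard', 'settings'];

// The page's example roles as [action, subject] pairs (constructed representation).
const superAdmin = [['manage', 'all']];
const auditor = [['read', 'archive'], ['read', 'audit-log'], ['search', 'archive']];

// A request is allowed if any statement matches it: 'manage' matches every
// action, 'all' matches every subject. Anything unmatched is denied.
function can(statements, action, subject) {
  return statements.some(([a, s]) =>
    (a === 'manage' || a === action) && (s === 'all' || s === subject));
}

// Expand a role into the concrete action:subject pairs it permits.
function effectivePermissions(statements) {
  const allowed = [];
  for (const subject of SUBJECTS) {
    for (const action of ACTIONS) {
      if (can(statements, action, subject)) allowed.push(`${action}:${subject}`);
    }
  }
  return allowed;
}

// Role review: report wildcard statements and names not in the tables above
// (in this evaluator a misspelled action or subject silently matches nothing).
function reviewRole(statements) {
  const findings = [];
  for (const [a, s] of statements) {
    if (a !== 'manage' && !ACTIONS.includes(a)) findings.push(`unknown action: ${a}`);
    if (s !== 'all' && !SUBJECTS.includes(s)) findings.push(`unknown subject: ${s}`);
    if (a === 'manage' && s === 'all') findings.push('unrestricted: manage + all');
    else if (a === 'manage') findings.push(`every action on ${s}`);
    else if (s === 'all') findings.push(`${a} on every subject`);
  }
  return findings;
}

console.log(effectivePermissions(auditor));
console.log(reviewRole(superAdmin));
```

Expanding each role before assigning it shows the concrete permissions a wildcard statement stands for, which makes over-broad roles easy to spot in review.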