.. _imap-admin-access-control-defaults: Access Control Defaults ======================= Administrators -------------- Regardless of the ACL on a mailbox, users who are listed in the ``admins`` configuration option in :cyrusman:`imapd.conf(5)` implicitly have the ``l`` and ``a`` rights on all mailboxes. Administrators can also see across domains which normal users cannot. .. warning:: An admin user should not be a normal email account. Mailbox owners -------------- The user who owns a mailbox folder has additional rights which are set regardless of any additional ACLs. These are: * **l** - :ref:`lookup ` * **k** - :ref:`create subfolders ` * **x** - :ref:`delete this folder ` * **a** - :ref:`administer ` These are set in ``implicit_owner_rights`` of :cyrusman:`imapd.conf(5)`. Default ------- For all other mailboxes not owned by a user, any user accessing these mailboxes have the following default privileges: * **l** - :ref:`lookup ` * **r** - :ref:`read contents ` * **s** - :ref:`seen ` These are set in ``defaultacl`` of :cyrusman:`imapd.conf(5)`. Initial ACLs for Newly Created Mailboxes ---------------------------------------- When a mailbox is created, its ACL starts off with a copy of the ACL of its closest parent mailbox. When a user is created, the ACL on the user's ``INBOX`` starts off with a single entry granting all rights to the user. When a non-user mailbox is created and does not have a parent, its ACL is initialized to the value of the ``defaultacl`` option in :cyrusman:`imapd.conf(5)`. Other Implicit Rights --------------------- Note that some rights are available implicitly, for example 'anonymous' always has 'p' on user INBOXes, and users always have ``la`` rights on mailboxes within their INBOX hierarchy.