Roles and permissions
Note: This documentation applies to Prosody 13.0 and higher, where the new roles and permissions framework was introduced.
Overview
Prosody has a flexible roles and permissions system, which allows you to customize who may perform which actions.
Role scope
As with most things in Prosody, roles are scoped to a specific “host”
(i.e. a VirtualHost or a Component defined in
the config file). This means that if you set the role
prosody:admin for the account user@example.com
they will have this role only in the context of
example.com. If the same Prosody server also hosts
jabber.example, they won’t have any
prosody:admin permissions on that host.
Components
In Prosody, Components are top-level entities and they do not
inherently “belong” to any VirtualHost. For convenience, however,
Prosody does copy over certain configuration (such as
certificates) if a component is a direct subdomain of
VirtualHost (e.g. share.example.com is a direct subdomain
of example.com, but share.foo.example.com is
not).
Components do not directly have access to the role information of
users in Prosody. Granting someone prosody:admin on
example.com does not give them this role
on share.example.com. All users on a “parent host” will
have the prosody:registered role by default on a component.
You can change which host is considered the parent host using the
parent_host option under the component.
If you need to change any of this behaviour, there are two main approaches to customize user roles within components:
- Use the built-in configuration options
host_user_role,server_user_roleandpublic_user_rolefrom mod_authz_internal to control which roles the component assigns to users by default. - Use the community module mod_authz_delegate to configure a component to pull role information from another host (which must be on the same Prosody instance).
Built-in roles
Prosody has a number of built-in roles, which should be all you need in most cases:
| Role | Description |
|---|---|
| prosody:operator | Highest privileges, allows actions affecting the entire Prosody instance. |
| prosody:admin | Administrative control over a particular domain (i.e. VirtualHost/Component). |
| prosody:member | A normal member of the domain. |
| prosody:registered | Default role for accounts created via in-band registration. |
| prosody:guest | Anonymous, guest or remote users |
Automatic role assignment
Most deployments do not need to worry about managing roles manually. Prosody will automatically assign sensible roles by default:
- prosody:operator
- This role is applied to accounts which are listed in the ‘admins’ list in the global section of the configuration.
- prosody:admin
- Similarly, applied to accounts which are listed as admins under a specific VirtualHost or Component only.
- prosody:member
- The default role for accounts created by the admin or via an invitation link.
- prosody:registered
- If the server has open in-band registration, new accounts will be assigned this role by default.
- prosody:guest
- This role is used in most other circumstances, e.g. for anonymous logins or remote JIDs.
Note: If a JID is listed in the ‘admins’ option in the configuration file, this will override anything else (e.g. using the ‘user:set_role’ shell command will have no observable effect).
Manual role assignment
It is possible to change the role of an account, e.g. using prosodyctl shell:
prosodyctl shell user set_role user@example.com prosody:memberYou can view the current role with:
prosodyctl shell user role user@example.comPermissions
Each permission in Prosody is identified by a string, for example ‘mod_muc:list-rooms’. By default each permission is already assigned to built-in roles in order to provide sensible defaults without any additional configuration.
In some cases you may wish to override the default permissions belonging to a role. See the mod_authz_internal documentation for details.
Developers
Plugin developers can easily hook into the roles and permissions system. See our developer docs on permissions for more information.