Add ACL, add models

docs/model-acl.md

@@ -0,0 +1,21 @@
+Editing a domain administrator or a mailbox user allows to set restrictions to that account.
+
+**Important**: For overlapping modules like sync jobs, which both domain administrators and mailbox users can be granted access to, the domain administrators permissions are inherited, when logging in as mailbox user.
+
+Some examples:
+
+1.
+
+- A domain administror has **not** access to sync jobs but can login as mailbox user
+- When logging in as mailbox user, he does not gain access to sync jobs, even if the given mailbox user _has_ access when logging in directly
+
+2.
+
+- A domain administror **has** access to sync jobs and can login as mailbox user
+- The mailbox user he tries to login as has **not** access to sync jobs
+- The domain administrator, now logged in as mailbox user, inherits its permission to the mailbox user and can access sync jobs
+
+3.
+
+- A domain administrator logs in as mailbox user
+- Every permission, that does **not** exist in a domain administrators ACL, is automatically granted (example: time-limited alias, TLS policy etc.)

mkdocs.yml

@@ -16,7 +16,7 @@ markdown_extensions:
   - pymdownx.tilde
   - pymdownx.extra
   - footnotes
-pages:
+nav:
 - 'Information & Support': 'index.md'
 - 'Prerequisites':
   - 'Prepare Your System': 'prerequisite-system.md'
@@ -33,7 +33,9 @@ pages:
   - 'Setup a relayhost': 'firststeps-relayhost.md'
   - 'Logging': 'firststeps-logging.md'
   - 'Local MTA on Docker host': 'firststeps-local_mta.md'
-  - 'Sender and receiver model': 'firststeps-sender_rcv.md'
+- 'Models':
+  - 'Sender and receiver model': 'model-sender_rcv.md'
+  - 'ACL': 'model-acl.md'
 - 'Debugging & Troubleshooting':
     - 'Introduction': debug.md
     - 'Logs': 'debug-logs.md'