diff database/schema/users.sql @ 55:40f64a96481f

Adjust database user arrangements and grant schema privs.
author David A. Holland
date Sun, 10 Apr 2022 19:36:29 -0400
parents 12a4c9f88510
children
--- a/database/schema/users.sql	Sun Apr 10 17:41:24 2022 -0400
+++ b/database/schema/users.sql	Sun Apr 10 19:36:29 2022 -0400
@@ -1,6 +1,8 @@
 --
 -- Users.
 --
+-- (That is, Swallowtail-level users.)
+--
 -- Rather than trying to have different kinds of users (as in the last
 -- rev of this stuff) I think we will just have user permissions.
 -- Otherwise we end up in various kinds of trouble if users change
@@ -73,3 +75,20 @@
 -- (oldresponsible OR responsible OR editpr OR admin)
 -- implies username not null.
 
+-- Admins need to be able to adjust user data freely.
+GRANT SELECT, INSERT, UPDATE, DELETE ON users TO swallowtail_admin;
+GRANT SELECT, INSERT, UPDATE, DELETE ON mailaddresses TO swallowtail_admin;
+GRANT SELECT ON usermail TO swallowtail_admin;
+
+-- Writers need to see the permission bits.
+GRANT SELECT ON users TO swallowtail_writer;
+
+-- Readers only need to be able to print.
+-- XXX: deny public access to emails?
+GRANT SELECT ON usermail TO swallowtail_reader;
+GRANT SELECT ON usermail TO swallowtail_public;
+
+-- The user operations interface needs to manage email addresses.
+GRANT SELECT ON users TO swallowtail_uops;
+GRANT UPDATE (realname) ON users TO swallowtail_uops;
+GRANT SELECT, INSERT, UPDATE, DELETE on mailaddresses to swallowtail_uops;
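Review bot: The grant on line 36, `GRANT SELECT ON usermail TO swallowtail_public;`, gives the public role read access to email data while the `XXX: deny public access to emails?` comment directly above it leaves that decision open, so the commit ships the permissive answer without deciding it. If usermail is, as its name suggests, a view joining users to mailaddresses (its definition is outside this hunk), every address becomes readable by the least-trusted role; I would either drop the public grant until the question is settled or point swallowtail_public at a view that omits the address columns, and replace the XXX with a comment stating which was chosen and why. Separately, line 41 uses lowercase `on`/`to` while every other grant in the hunk uses uppercase; make it `GRANT SELECT, INSERT, UPDATE, DELETE ON mailaddresses TO swallowtail_uops;` for consistency. The column-limited `UPDATE (realname)` on line 40 is a good least-privilege pattern and is worth a one-line comment noting that uops must not be able to touch the permission bits.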