--- a/.luacheckrc	Wed Jun 15 11:47:39 2022 +0100
+++ b/.luacheckrc	Wed Jun 15 12:15:01 2022 +0100
@@ -62,6 +62,8 @@
 		"module.broadcast",
 		"module.context",
 		"module.depends",
+		"module.default_permission",
+		"module.default_permissions",
 		"module.fire_event",
 		"module.get_directory",
 		"module.get_host",
@@ -86,6 +88,7 @@
 		"module.load_resource",
 		"module.log",
 		"module.log_status",
+		"module.may",
 		"module.measure",
 		"module.metric",
 		"module.open_store",

--- a/core/moduleapi.lua	Wed Jun 15 11:47:39 2022 +0100
+++ b/core/moduleapi.lua	Wed Jun 15 12:15:01 2022 +0100
@@ -19,6 +19,7 @@
 local time_now = require "util.time".now;
 local format = require "util.format".format;
 local jid_node = require "util.jid".node;
+local jid_split = require "util.jid".split;
 local jid_resource = require "util.jid".resource;
 
 local t_insert, t_remove, t_concat = table.insert, table.remove, table.concat;
@@ -601,4 +602,66 @@
 	return self.status_type, self.status_message, self.status_time;
 end
 
+function api:default_permission(role_name, permission)
+	permission = permission:gsub("^:", self.name..":");
+	hosts[self.host].authz.add_default_permission(role_name, permission);
+end
+
+function api:default_permissions(role_name, permissions)
+	for _, permission in ipairs(permissions) do
+		permission = permission:gsub("^:", self.name..":");
+		self:default_permission(role_name, permission);
+	end
+end
+
+function api:may(action, context)
+	if type(context) == "string" then -- check JID permissions
+		local role;
+		local node, host = jid_split(context);
+		if host == self.host then
+			role = hosts[host].authz.get_user_role(node);
+		else
+			role = hosts[self.host].authz.get_jid_role(context);
+		end
+		if not role then
+			self:log("debug", "Access denied: JID <%s> may not %s (no role found)", context, action);
+			return false;
+		end
+		local permit = role:may(action);
+		if not permit then
+			self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", context, action, role.name);
+		end
+		return permit;
+	end
+
+	local session = context.origin or context.session;
+	if not session then
+		error("Unable to identify actor session from context");
+	end
+	if action:byte(1) == 58 then -- action begins with ':'
+		action = self.name..action; -- prepend module name
+	end
+	if session.type == "s2sin" or (session.type == "c2s" and session.host ~= self.host) then
+		local actor_jid = context.stanza.attr.from;
+		local role = hosts[self.host].authz.get_jid_role(actor_jid);
+		if not role then
+			self:log("debug", "Access denied: JID <%s> may not %s (no role found)", actor_jid, action);
+			return false;
+		end
+		local permit = role:may(action, context);
+		if not permit then
+			self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", actor_jid, action, role.name);
+		end
+		return permit;
+	elseif session.role then
+		local permit = session.role:may(action, context);
+		if not permit then
+			self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
+				session.id, session.full_jid, action, session.role.name
+			);
+		end
+		return permit;
+	end
+end
+
 return api;

--- a/core/sessionmanager.lua	Wed Jun 15 11:47:39 2022 +0100
+++ b/core/sessionmanager.lua	Wed Jun 15 12:15:01 2022 +0100
@@ -123,15 +123,24 @@
 	retire_session(session);
 end
 
-local function make_authenticated(session, username, scope)
+local function make_authenticated(session, username, role_name)
 	username = nodeprep(username);
 	if not username or #username == 0 then return nil, "Invalid username"; end
 	session.username = username;
 	if session.type == "c2s_unauthed" then
 		session.type = "c2s_unbound";
 	end
-	session.auth_scope = scope;
-	session.log("info", "Authenticated as %s@%s", username, session.host or "(unknown)");
+
+	local role;
+	if role_name then
+		role = hosts[session.host].authz.get_role_info(role_name);
+	else
+		role = hosts[session.host].authz.get_user_default_role(username);
+	end
+	if role then
+		sessionlib.set_role(session, role);
+	end
+	session.log("info", "Authenticated as %s@%s [%s]", username, session.host or "(unknown)", role and role.name or "no role");
 	return true;
 end
 

--- a/core/usermanager.lua	Wed Jun 15 11:47:39 2022 +0100
+++ b/core/usermanager.lua	Wed Jun 15 12:15:01 2022 +0100
@@ -188,11 +188,6 @@
 	end
 end
 
-local function is_admin(jid, host)
-	local roles = get_roles(jid, host);
-	return roles and roles["prosody:admin"];
-end
-
 local function get_users_with_role(role, host)
 	if not hosts[host] then return false; end
 	if type(role) ~= "string" then return false; end
@@ -224,7 +219,6 @@
 	get_provider = get_provider;
 	get_roles = get_roles;
 	set_roles = set_roles;
-	is_admin = is_admin;
 	get_users_with_role = get_users_with_role;
 	get_jids_with_role = get_jids_with_role;
 };

--- a/plugins/adhoc/adhoc.lib.lua	Wed Jun 15 11:47:39 2022 +0100
+++ b/plugins/adhoc/adhoc.lib.lua	Wed Jun 15 12:15:01 2022 +0100
@@ -23,9 +23,15 @@
 function _M.new(name, node, handler, permission)
 	if not permission then
 		error "adhoc.new() expects a permission argument, none given"
+	elseif permission == "user" then
+		error "the permission mode 'user' has been renamed 'any', please update your code"
 	end
-	if permission == "user" then
-		error "the permission mode 'user' has been renamed 'any', please update your code"
+	if permission == "admin" then
+		module:default_permission("prosody:admin", "mod_adhoc:"..node);
+		permission = "check";
+	elseif permission == "global_admin" then
+		module:default_permission("prosody:operator", "mod_adhoc:"..node);
+		permission = "check";
 	end
 	return { name = name, node = node, handler = handler, cmdtag = _cmdtag, permission = permission };
 end

--- a/plugins/adhoc/mod_adhoc.lua	Wed Jun 15 11:47:39 2022 +0100
+++ b/plugins/adhoc/mod_adhoc.lua	Wed Jun 15 12:15:01 2022 +0100
@@ -7,7 +7,6 @@
 
 local it = require "util.iterators";
 local st = require "util.stanza";
-local is_admin = require "core.usermanager".is_admin;
 local jid_host = require "util.jid".host;
 local adhoc_handle_cmd = module:require "adhoc".handle_cmd;
 local xmlns_cmd = "http://jabber.org/protocol/commands";
@@ -15,18 +14,17 @@
 
 module:add_feature(xmlns_cmd);
 
+local function check_permissions(event, node, command)
+	return (command.permission == "check" and module:may("mod_adhoc:"..node, event))
+	    or (command.permission == "local_user" and jid_host(event.stanza.attr.from) == module.host)
+	    or (command.permission == "any");
+end
+
 module:hook("host-disco-info-node", function (event)
 	local stanza, origin, reply, node = event.stanza, event.origin, event.reply, event.node;
 	if commands[node] then
-		local from = stanza.attr.from;
-		local privileged = is_admin(from, stanza.attr.to);
-		local global_admin = is_admin(from);
-		local hostname = jid_host(from);
 		local command = commands[node];
-		if (command.permission == "admin" and privileged)
-		    or (command.permission == "global_admin" and global_admin)
-		    or (command.permission == "local_user" and hostname == module.host)
-		    or (command.permission == "any") then
+		if check_permissions(event, node, command) then
 			reply:tag("identity", { name = command.name,
 			    category = "automation", type = "command-node" }):up();
 			reply:tag("feature", { var = xmlns_cmd }):up();
@@ -44,20 +42,13 @@
 end);
 
 module:hook("host-disco-items-node", function (event)
-	local stanza, reply, disco_node = event.stanza, event.reply, event.node;
+	local reply, disco_node = event.reply, event.node;
 	if disco_node ~= xmlns_cmd then
 		return;
 	end
 
-	local from = stanza.attr.from;
-	local admin = is_admin(from, stanza.attr.to);
-	local global_admin = is_admin(from);
-	local hostname = jid_host(from);
 	for node, command in it.sorted_pairs(commands) do
-		if (command.permission == "admin" and admin)
-		    or (command.permission == "global_admin" and global_admin)
-		    or (command.permission == "local_user" and hostname == module.host)
-		    or (command.permission == "any") then
+		if check_permissions(event, node, command) then
 			reply:tag("item", { name = command.name,
 			    node = node, jid = module:get_host() });
 			reply:up();
@@ -71,15 +62,9 @@
 	local node = stanza.tags[1].attr.node
 	local command = commands[node];
 	if command then
-		local from = stanza.attr.from;
-		local admin = is_admin(from, stanza.attr.to);
-		local global_admin = is_admin(from);
-		local hostname = jid_host(from);
-		if (command.permission == "admin" and not admin)
-		    or (command.permission == "global_admin" and not global_admin)
-		    or (command.permission == "local_user" and hostname ~= module.host) then
+		if not check_permissions(event, node, command) then
 			origin.send(st.error_reply(stanza, "auth", "forbidden", "You don't have permission to execute this command"):up()
-			    :add_child(command:cmdtag("canceled")
+				:add_child(command:cmdtag("canceled")
 				:tag("note", {type="error"}):text("You don't have permission to execute this command")));
 			return true
 		end

--- a/plugins/mod_announce.lua	Wed Jun 15 11:47:39 2022 +0100
+++ b/plugins/mod_announce.lua	Wed Jun 15 12:15:01 2022 +0100
@@ -9,7 +9,6 @@
 local st, jid = require "util.stanza", require "util.jid";
 
 local hosts = prosody.hosts;
-local is_admin = require "core.usermanager".is_admin;
 
 function send_to_online(message, host)
 	local sessions;
@@ -34,6 +33,7 @@
 	return c;
 end
 
+module:default_permission("prosody:admin", ":send-announcement");
 
 -- Old <message>-based jabberd-style announcement sending
 function handle_announcement(event)
@@ -45,8 +45,8 @@
 		return; -- Not an announcement
 	end
 
-	if not is_admin(stanza.attr.from, host) then
-		-- Not an admin? Not allowed!
+	if not module:may(":send-announcement", event) then
+		-- Not allowed!
 		module:log("warn", "Non-admin '%s' tried to send server announcement", stanza.attr.from);
 		return;
 	end

--- a/plugins/mod_auth_ldap.lua	Wed Jun 15 11:47:39 2022 +0100
+++ b/plugins/mod_auth_ldap.lua	Wed Jun 15 12:15:01 2022 +0100
@@ -1,6 +1,5 @@
 -- mod_auth_ldap
 
-local jid_split = require "util.jid".split;
 local new_sasl = require "util.sasl".new;
 local lualdap = require "lualdap";
 
@@ -21,6 +20,13 @@
 	module:get_option_string("ldap_admins")); -- COMPAT with mistake in documentation
 local host = ldap_filter_escape(module:get_option_string("realm", module.host));
 
+if ldap_admins then
+	module:log("error", "The 'ldap_admin_filter' option has been deprecated, "..
+	           "and will be ignored. Equivalent functionality may be added in "..
+	           "the future if there is demand."
+	);
+end
+
 -- Initiate connection
 local ld = nil;
 module.unload = function() if ld then pcall(ld, ld.close); end end
@@ -133,22 +139,4 @@
 	module:log("error", "Unsupported ldap_mode %s", tostring(ldap_mode));
 end
 
-if ldap_admins then
-	function provider.is_admin(jid)
-		local username, user_host = jid_split(jid);
-		if user_host ~= module.host then
-			return false;
-		end
-		return ldap_do("search", 2, {
-			base = ldap_base;
-			scope = ldap_scope;
-			sizelimit = 1;
-			filter = ldap_admins:gsub("%$(%a+)", {
-				user = ldap_filter_escape(username);
-				host = host;
-			});
-		});
-	end
-end
-
 module:provides("auth", provider);

--- a/plugins/mod_authz_internal.lua	Wed Jun 15 11:47:39 2022 +0100
+++ b/plugins/mod_authz_internal.lua	Wed Jun 15 12:15:01 2022 +0100
@@ -1,20 +1,89 @@
 local array = require "util.array";
 local it = require "util.iterators";
 local set = require "util.set";
-local jid_split = require "util.jid".split;
+local jid_split, jid_bare = require "util.jid".split, require "util.jid".bare;
 local normalize = require "util.jid".prep;
+local config_global_admin_jids = module:context("*"):get_option_set("admins", {}) / normalize;
 local config_admin_jids = module:get_option_inherited_set("admins", {}) / normalize;
 local host = module.host;
 local role_store = module:open_store("roles");
 local role_map_store = module:open_store("roles", "map");
 
-local admin_role = { ["prosody:admin"] = true };
+local role_methods = {};
+local role_mt = { __index = role_methods };
+
+local role_registry = {
+	["prosody:operator"] = {
+		default = true;
+		priority = 75;
+		includes = { "prosody:admin" };
+	};
+	["prosody:admin"] = {
+		default = true;
+		priority = 50;
+		includes = { "prosody:user" };
+	};
+	["prosody:user"] = {
+		default = true;
+		priority = 25;
+		includes = { "prosody:restricted" };
+	};
+	["prosody:restricted"] = {
+		default = true;
+		priority = 15;
+	};
+};
+
+-- Some processing on the role registry
+for role_name, role_info in pairs(role_registry) do
+	role_info.name = role_name;
+	role_info.includes = set.new(role_info.includes) / function (included_role_name)
+		return role_registry[included_role_name];
+	end;
+	if not role_info.permissions then
+		role_info.permissions = {};
+	end
+	setmetatable(role_info, role_mt);
+end
+
+function role_methods:may(action, context)
+	local policy = self.permissions[action];
+	if policy ~= nil then
+		return policy;
+	end
+	for inherited_role in self.includes do
+		module:log("debug", "Checking included role '%s' for %s", inherited_role.name, action);
+		policy = inherited_role:may(action, context);
+		if policy ~= nil then
+			return policy;
+		end
+	end
+	return false;
+end
+
+-- Public API
+
+local config_operator_role_set = {
+	["prosody:operator"] = role_registry["prosody:operator"];
+};
+local config_admin_role_set = {
+	["prosody:admin"] = role_registry["prosody:admin"];
+};
 
 function get_user_roles(user)
-	if config_admin_jids:contains(user.."@"..host) then
-		return admin_role;
+	local bare_jid = user.."@"..host;
+	if config_global_admin_jids:contains(bare_jid) then
+		return config_operator_role_set;
+	elseif config_admin_jids:contains(bare_jid) then
+		return config_admin_role_set;
 	end
-	return role_store:get(user);
+	local role_names = role_store:get(user);
+	if not role_names then return {}; end
+	local roles = {};
+	for role_name in pairs(role_names) do
+		roles[role_name] = role_registry[role_name];
+	end
+	return roles;
 end
 
 function set_user_roles(user, roles)
@@ -22,10 +91,29 @@
 	return true;
 end
 
-function get_users_with_role(role)
-	local storage_role_users = it.to_array(it.keys(role_map_store:get_all(role) or {}));
-	if role == "prosody:admin" then
-		local config_admin_users = config_admin_jids / function (admin_jid)
+function get_user_default_role(user)
+	local roles = get_user_roles(user);
+	if not roles then return nil; end
+	local default_role;
+	for role_name, role_info in pairs(roles) do --luacheck: ignore 213/role_name
+		if role_info.default and (not default_role or role_info.priority > default_role.priority) then
+			default_role = role_info;
+		end
+	end
+	if not default_role then return nil; end
+	return default_role;
+end
+
+function get_users_with_role(role_name)
+	local storage_role_users = it.to_array(it.keys(role_map_store:get_all(role_name) or {}));
+	local config_set;
+	if role_name == "prosody:admin" then
+		config_set = config_admin_jids;
+	elseif role_name == "prosody:operator" then
+		config_set = config_global_admin_jids;
+	end
+	if config_set then
+		local config_admin_users = config_set / function (admin_jid)
 			local j_node, j_host = jid_split(admin_jid);
 			if j_host == host then
 				return j_node;
@@ -36,24 +124,49 @@
 	return storage_role_users;
 end
 
-function get_jid_roles(jid)
-	if config_admin_jids:contains(jid) then
-		return admin_role;
+function get_jid_role(jid)
+	local bare_jid = jid_bare(jid);
+	if config_global_admin_jids:contains(bare_jid) then
+		return role_registry["prosody:operator"];
+	elseif config_admin_jids:contains(bare_jid) then
+		return role_registry["prosody:admin"];
 	end
 	return nil;
 end
 
-function set_jid_roles(jid) -- luacheck: ignore 212
+function set_jid_role(jid) -- luacheck: ignore 212
 	return false;
 end
 
-function get_jids_with_role(role)
+function get_jids_with_role(role_name)
 	-- Fetch role users from storage
-	local storage_role_jids = array.map(get_users_with_role(role), function (username)
+	local storage_role_jids = array.map(get_users_with_role(role_name), function (username)
 		return username.."@"..host;
 	end);
-	if role == "prosody:admin" then
+	if role_name == "prosody:admin" then
 		return it.to_array(config_admin_jids + set.new(storage_role_jids));
+	elseif role_name == "prosody:operator" then
+		return it.to_array(config_global_admin_jids + set.new(storage_role_jids));
 	end
 	return storage_role_jids;
 end
+
+function add_default_permission(role_name, action, policy)
+	local role = role_registry[role_name];
+	if not role then
+		module:log("warn", "Attempt to add default permission for unknown role: %s", role_name);
+		return nil, "no-such-role";
+	end
+	if role.permissions[action] == nil then
+		if policy == nil then
+			policy = true;
+		end
+		module:log("debug", "Adding permission, role '%s' may '%s': %s", role_name, action, policy and "allow" or "deny");
+		role.permissions[action] = policy;
+	end
+	return true;
+end
+
+function get_role_info(role_name)
+	return role_registry[role_name];
+end

--- a/plugins/mod_disco.lua	Wed Jun 15 11:47:39 2022 +0100
+++ b/plugins/mod_disco.lua	Wed Jun 15 12:15:01 2022 +0100
@@ -8,7 +8,6 @@
 
 local get_children = require "core.hostmanager".get_children;
 local is_contact_subscribed = require "core.rostermanager".is_contact_subscribed;
-local um_is_admin = require "core.usermanager".is_admin;
 local jid_split = require "util.jid".split;
 local jid_bare = require "util.jid".bare;
 local st = require "util.stanza"
@@ -162,14 +161,16 @@
 	end
 end);
 
+module:default_permission("prosody:admin", ":be-discovered-admin");
+
 -- Handle disco requests to user accounts
 if module:get_host_type() ~= "local" then	return end -- skip for components
 module:hook("iq-get/bare/http://jabber.org/protocol/disco#info:query", function(event)
 	local origin, stanza = event.origin, event.stanza;
 	local node = stanza.tags[1].attr.node;
 	local username = jid_split(stanza.attr.to) or origin.username;
-	local is_admin = um_is_admin(stanza.attr.to or origin.full_jid, module.host)
-	if not stanza.attr.to or (expose_admins and is_admin) or is_contact_subscribed(username, module.host, jid_bare(stanza.attr.from)) then
+	local target_is_admin = module:may(":be-discovered-admin", stanza.attr.to or origin.full_jid);
+	if not stanza.attr.to or (expose_admins and target_is_admin) or is_contact_subscribed(username, module.host, jid_bare(stanza.attr.from)) then
 		if node and node ~= "" then
 			local reply = st.reply(stanza):tag('query', {xmlns='http://jabber.org/protocol/disco#info', node=node});
 			if not reply.attr.from then reply.attr.from = origin.username.."@"..origin.host; end -- COMPAT To satisfy Psi when querying own account
@@ -185,7 +186,7 @@
 		end
 		local reply = st.reply(stanza):tag('query', {xmlns='http://jabber.org/protocol/disco#info'});
 		if not reply.attr.from then reply.attr.from = origin.username.."@"..origin.host; end -- COMPAT To satisfy Psi when querying own account
-		if is_admin then
+		if target_is_admin then
 			reply:tag('identity', {category='account', type='admin'}):up();
 		elseif prosody.hosts[module.host].users.name == "anonymous" then
 			reply:tag('identity', {category='account', type='anonymous'}):up();

--- a/plugins/mod_invites_adhoc.lua	Wed Jun 15 11:47:39 2022 +0100
+++ b/plugins/mod_invites_adhoc.lua	Wed Jun 15 12:15:01 2022 +0100
@@ -2,7 +2,6 @@
 local dataforms = require "util.dataforms";
 local datetime = require "util.datetime";
 local split_jid = require "util.jid".split;
-local usermanager = require "core.usermanager";
 
 local new_adhoc = module:require("adhoc").new;
 
@@ -13,8 +12,7 @@
 -- on the server, use the option above instead.
 local allow_contact_invites = module:get_option_boolean("allow_contact_invites", true);
 
-local allow_user_invite_roles = module:get_option_set("allow_user_invites_by_roles");
-local deny_user_invite_roles = module:get_option_set("deny_user_invites_by_roles");
+module:default_permission(allow_user_invites and "prosody:user" or "prosody:admin", ":invite-users");
 
 local invites;
 if prosody.shutdown then -- COMPAT hack to detect prosodyctl
@@ -42,36 +40,8 @@
 
 -- This is for checking if the specified JID may create invites
 -- that allow people to register accounts on this host.
-local function may_invite_new_users(jid)
-	if usermanager.get_roles then
-		local user_roles = usermanager.get_roles(jid, module.host);
-		if not user_roles then
-			-- User has no roles we can check, just return default
-			return allow_user_invites;
-		end
-
-		if user_roles["prosody:admin"] then
-			return true;
-		end
-		if allow_user_invite_roles then
-			for allowed_role in allow_user_invite_roles do
-				if user_roles[allowed_role] then
-					return true;
-				end
-			end
-		end
-		if deny_user_invite_roles then
-			for denied_role in deny_user_invite_roles do
-				if user_roles[denied_role] then
-					return false;
-				end
-			end
-		end
-	elseif usermanager.is_admin(jid, module.host) then -- COMPAT w/0.11
-		return true; -- Admins may always create invitations
-	end
-	-- No role matches, so whatever the default is
-	return allow_user_invites;
+local function may_invite_new_users(context)
+	return module:may(":invite-users", context);
 end
 
 module:depends("adhoc");
@@ -91,7 +61,7 @@
 					};
 				};
 			end
-			local invite = invites.create_contact(username, may_invite_new_users(data.from), {
+			local invite = invites.create_contact(username, may_invite_new_users(data), {
 				source = data.from
 			});
 			--TODO: check errors

--- a/plugins/mod_pubsub/mod_pubsub.lua	Wed Jun 15 11:47:39 2022 +0100
+++ b/plugins/mod_pubsub/mod_pubsub.lua	Wed Jun 15 12:15:01 2022 +0100
@@ -1,7 +1,6 @@
 local pubsub = require "util.pubsub";
 local st = require "util.stanza";
 local jid_bare = require "util.jid".bare;
-local usermanager = require "core.usermanager";
 local new_id = require "util.id".medium;
 local storagemanager = require "core.storagemanager";
 local xtemplate = require "util.xtemplate";
@@ -177,9 +176,10 @@
 end);
 
 local admin_aff = module:get_option_string("default_admin_affiliation", "owner");
+module:default_permission("prosody:admin", ":service-admin");
 local function get_affiliation(jid)
 	local bare_jid = jid_bare(jid);
-	if bare_jid == module.host or usermanager.is_admin(bare_jid, module.host) then
+	if bare_jid == module.host or module:may(":service-admin", bare_jid) then
 		return admin_aff;
 	end
 end

--- a/plugins/muc/hidden.lib.lua	Wed Jun 15 11:47:39 2022 +0100
+++ b/plugins/muc/hidden.lib.lua	Wed Jun 15 12:15:01 2022 +0100
@@ -8,7 +8,7 @@
 --
 
 local restrict_public = not module:get_option_boolean("muc_room_allow_public", true);
-local um_is_admin = require "core.usermanager".is_admin;
+module:default_permission(restrict_public and "prosody:admin" or "prosody:user", ":create-public-room");
 
 local function get_hidden(room)
 	return room._data.hidden;
@@ -22,8 +22,8 @@
 end
 
 module:hook("muc-config-form", function(event)
-	if restrict_public and not um_is_admin(event.actor, module.host) then
-		-- Don't show option if public rooms are restricted and user is not admin of this host
+	if not module:may(":create-public-room", event.actor) then
+		-- Hide config option if this user is not allowed to create public rooms
 		return;
 	end
 	table.insert(event.form, {
@@ -36,7 +36,7 @@
 end, 100-9);
 
 module:hook("muc-config-submitted/muc#roomconfig_publicroom", function(event)
-	if restrict_public and not um_is_admin(event.actor, module.host) then
+	if not module:may(":create-public-room", event.actor) then
 		return; -- Not allowed
 	end
 	if set_hidden(event.room, not event.value) then

--- a/plugins/muc/mod_muc.lua	Wed Jun 15 11:47:39 2022 +0100
+++ b/plugins/muc/mod_muc.lua	Wed Jun 15 12:15:01 2022 +0100
@@ -100,7 +100,6 @@
 local jid_bare = require "util.jid".bare;
 local st = require "util.stanza";
 local cache = require "util.cache";
-local um_is_admin = require "core.usermanager".is_admin;
 
 module:require "muc/config_form_sections";
 
@@ -111,21 +110,23 @@
 module:require "muc/hats";
 module:require "muc/lock";
 
-local function is_admin(jid)
-	return um_is_admin(jid, module.host);
-end
+module:default_permissions("prosody:admin", {
+	":automatic-ownership";
+	":create-room";
+	":recreate-destroyed-room";
+});
 
 if module:get_option_boolean("component_admins_as_room_owners", true) then
 	-- Monkey patch to make server admins room owners
 	local _get_affiliation = room_mt.get_affiliation;
 	function room_mt:get_affiliation(jid)
-		if is_admin(jid) then return "owner"; end
+		if module:may(":automatic-ownership", jid) then return "owner"; end
 		return _get_affiliation(self, jid);
 	end
 
 	local _set_affiliation = room_mt.set_affiliation;
 	function room_mt:set_affiliation(actor, jid, affiliation, reason, data)
-		if affiliation ~= "owner" and is_admin(jid) then return nil, "modify", "not-acceptable"; end
+		if affiliation ~= "owner" and module:may(":automatic-ownership", jid) then return nil, "modify", "not-acceptable"; end
 		return _set_affiliation(self, actor, jid, affiliation, reason, data);
 	end
 end
@@ -412,6 +413,8 @@
 	end, -10);
 end
 
+module:default_permission("prosody:admin", ":create-room");
+
 do
 	local restrict_room_creation = module:get_option("restrict_room_creation");
 	if restrict_room_creation == true then
@@ -422,7 +425,7 @@
 		module:hook("muc-room-pre-create", function(event)
 			local origin, stanza = event.origin, event.stanza;
 			local user_jid = stanza.attr.from;
-			if not is_admin(user_jid) and not (
+			if not module:may(":create-room", event) and not (
 				restrict_room_creation == "local" and
 				select(2, jid_split(user_jid)) == host_suffix
 			) then
@@ -465,7 +468,7 @@
 
 		if room and room._data.destroyed then
 			if room._data.locked < os.time()
-			or (is_admin(stanza.attr.from) and stanza.name == "presence" and stanza.attr.type == nil) then
+			or (module:may(":recreate-destroyed-room", event) and stanza.name == "presence" and stanza.attr.type == nil) then
 				-- Allow the room to be recreated by admin or after time has passed
 				delete_room(room);
 				room = nil;

--- a/plugins/muc/persistent.lib.lua	Wed Jun 15 11:47:39 2022 +0100
+++ b/plugins/muc/persistent.lib.lua	Wed Jun 15 12:15:01 2022 +0100
@@ -8,7 +8,10 @@
 --
 
 local restrict_persistent = not module:get_option_boolean("muc_room_allow_persistent", true);
-local um_is_admin = require "core.usermanager".is_admin;
+module:default_permission(
+	restrict_persistent and "prosody:admin" or "prosody:user",
+	":create-persistent-room"
+);
 
 local function get_persistent(room)
 	return room._data.persistent;
@@ -22,8 +25,8 @@
 end
 
 module:hook("muc-config-form", function(event)
-	if restrict_persistent and not um_is_admin(event.actor, module.host) then
-		-- Don't show option if hidden rooms are restricted and user is not admin of this host
+	if not module:may(":create-persistent-room", event.actor) then
+		-- Hide config option if this user is not allowed to create persistent rooms
 		return;
 	end
 	table.insert(event.form, {
@@ -36,7 +39,7 @@
 end, 100-5);
 
 module:hook("muc-config-submitted/muc#roomconfig_persistentroom", function(event)
-	if restrict_persistent and not um_is_admin(event.actor, module.host) then
+	if not module:may(":create-persistent-room", event.actor) then
 		return; -- Not allowed
 	end
 	if set_persistent(event.room, event.value) then