OK, we have different options:
- By default the extension sets the permission to create newsletters to a specific user group: 'newsletter-create'. In practice, this means that administrators should give this right on a case by case basis.
MassMessage_senders would be the next sensible option. This user groups is only available in Meta. This is fine for the initial deployment of the Newsletter extension (which targets Meta only).(the first wiki will be mediawiki.org, where this user right is not available)
- Autopatrollers would be a next logical step, using a standard MediaWiki user group.
- Confirmed users would be probably the most open and still sensible option. We are trusting confirmed users for many actions, and Newsletters are ultimately no different than wiki pages.
Whatever works for the Security review and the mediawiki.org admins will work for us Newsletter maintainers too.
(I'm not sure Wikimedia-Site-requests applies here, feel free to remove it if not.)