Sun Java System Message Queue 3.7 UR1 Administration Guide

Access Control for Physical Destinations

The destination access control section of the access control properties file contains physical destination-based access control rules. These rules determine who (users/groups) may do what (operations) where (physical destinations). The types of access that are regulated by these rules include sending messages to a queue, publishing messages to a topic, receiving messages from a queue, subscribing to a topic, and browsing messages in a queue.

By default, any user or group can have all types of access to any physical destination. You can add more specific destination access rules or edit the default rules. The rest of this section explains the syntax of physical destination access rules, which you must understand to write your own rules.

The syntax of destination rules is as follows:

resourceType.resourceVariant.operation.access.principalType=principals

Table 7–4 describes these elements:

Table 7–4 Elements of Physical Destination Access Control Rules

| Component | Description |
|---|---|
| resourceType | Can be queue or topic. |
| resourceVariant | A physical destination name or all physical destinations (*), meaning all queues or all topics. |
| operation | Can be produce, consume, or browse. |
| access | Can be allow or deny. |
| principalType | Can be user or group. |

Access can be given to one or more users and/or one or more groups.
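A checker for the rule syntax and Table 7–4 values described above, as an added example that is not part of the original guide or of Message Queue itself. It parses each rule, rejects values outside the table, and flags two patterns worth reviewing. The comma-separated principal list, the `*` principal, `#` comment lines, dots inside destination names, and the sample rules are assumptions not stated in this section.

```python
ALLOWED = {"resourceType": {"queue", "topic"},
           "operation": {"produce", "consume", "browse"},
           "access": {"allow", "deny"},
           "principalType": {"user", "group"}}

def parse_rule(line):
    """Parse one rule line into a dict; raise ValueError if it is malformed."""
    key, sep, value = line.strip().partition("=")
    parts = key.strip().split(".")
    if not sep or len(parts) < 5:
        raise ValueError("expected five dot-separated components, then '='")
    # Assumption: a destination name may contain dots, so fixed fields come from both ends.
    variant = ".".join(parts[1:-3])
    fields = dict(zip(ALLOWED, [parts[0], *parts[-3:]]))
    for name, val in fields.items():
        if val not in ALLOWED[name]:
            raise ValueError(f"{name} must be one of {sorted(ALLOWED[name])}, got {val!r}")
    # Assumption: several principals are written as a comma-separated list.
    principals = [p.strip() for p in value.split(",") if p.strip()]
    if not variant or not principals:
        raise ValueError("empty destination name or principal list")
    return {**fields, "resourceVariant": variant, "principals": principals}

def lint(text):
    """Return (line number, message) findings for a block of rules."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment (assumed '#' comment syntax)
        try:
            r = parse_rule(raw)
        except ValueError as e:
            findings.append((n, f"invalid: {e}"))
            continue
        if (r["resourceType"], r["operation"]) == ("topic", "browse"):
            findings.append((n, "browse is described for queues only"))
        # Assumption: a principal of * stands for every user or group.
        if r["access"] == "allow" and r["resourceVariant"] == "*" and "*" in r["principals"]:
            findings.append((n, "every principal allowed on all destinations"))
    return findings

SAMPLE = """# constructed sample rules, not from the guide
queue.*.produce.allow.user=*
queue.orders.consume.allow.group=billing
topic.prices.browse.allow.user=alice
queue.orders.consume.permit.user=bob
topic.*.consume.deny.user=guest,temp
"""
for finding in lint(SAMPLE):
    print(finding)
```
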

The following examples illustrate different kinds of physical destination access control rules: