When there are multiple access rules in the file, permissions are computed as follows:
Specific access rules override general access rules. After applying the following two rules, all users can send to all queues, but Bob cannot send to tq1.
queue.*.produce.allow.user=*
queue.tq1.produce.deny.user=Bob
Access given to an explicit principal overrides access given to a * principal. The following rules deny Bob the right to produce messages to tq1, but allow everyone else to do it.
queue.tq1.produce.allow.user=*
queue.tq1.produce.deny.user=Bob
The * principal rule for users overrides the corresponding * principal rule for groups. For example, the following two rules allow all authenticated users to send messages to tq1.
queue.tq1.produce.allow.user=*
queue.tq1.produce.deny.group=*
Access granted to a user overrides access granted to the user’s group. In the following example, even if Bob is a member of User, he cannot produce messages to tq1. All other members of User will be able to do so.
queue.tq1.produce.allow.group=User
queue.tq1.produce.deny.user=Bob
Any access permission not explicitly granted through an access rule is implicitly denied. For example, if the ACL file contains no access rules, all users are denied all operations.
Deny and allow permissions for the same user or group cancel each other out. For example, the following two rules cause Bob to be unable to browse q1:
queue.q1.browse.allow.user=Bob
queue.q1.browse.deny.user=Bob
The following two rules prevent the group User from consuming messages at q5.
queue.q5.consume.allow.group=User
queue.q5.consume.deny.group=User
When multiple rules with the same left-hand side exist, only the last entry takes effect.
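
The precedence rules above can be checked mechanically when auditing an ACL file. The following is an added example, not the product's own code: parse_rules and is_allowed are hypothetical names, and the sample rules and the users Alice and Carol are constructed. It assumes one principal per rule, that destination specificity is evaluated before principal specificity, and that an allow and a deny cancelling out at one level ends evaluation with a denial.

```python
# Added illustration: a model of the precedence rules listed above, not the broker's code.
SAMPLE = """\
# constructed sample combining the kinds of rules quoted above
queue.*.produce.allow.user=*
queue.tq1.produce.allow.group=User
queue.tq1.produce.deny.user=Bob
queue.q1.browse.allow.user=Bob
queue.q1.browse.deny.user=Bob
queue.q5.consume.allow.user=Bob
queue.q5.consume.allow.user=Alice
"""

def parse_rules(text):
    """Map (type, name, op, access, principal_type) -> principal; later duplicates overwrite."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, principal = line.partition("=")
        rtype, rest = key.strip().split(".", 1)
        name, op, access, ptype = rest.rsplit(".", 3)
        # Same left-hand side seen again: only the last entry takes effect.
        rules[(rtype, name, op, access, ptype)] = principal.strip()
    return rules

def is_allowed(rules, user, groups, name, op, rtype="queue"):
    """Return True only if the highest-precedence matching rule is an allow."""
    # Explicit user, then the user's groups, then user *, then group *.
    levels = [("user", {user}), ("group", set(groups)),
              ("user", {"*"}), ("group", {"*"})]
    for res in (name, "*"):          # assumption: specific destination checked first
        for ptype, who in levels:
            allow = rules.get((rtype, res, op, "allow", ptype)) in who
            deny = rules.get((rtype, res, op, "deny", ptype)) in who
            if deny:                 # deny alone, or allow and deny cancelling out
                return False
            if allow:
                return True
    return False                     # nothing granted: implicitly denied
```
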