How Permissions are Computed
When there are multiple access rules in the file, permissions are computed as follows:
-
Specific access rules override general access rules. After applying the following two rules, all users can send to all queues, but Bob cannot send to tq1.
queue.*.produce.allow.user=* queue.tq1.produce.deny.user=Bob
-
Access given to an explicit principal overrides access given to a * principal. The following rules deny Bob the right to produce messages to tq1, but allow everyone else to do it.
queue.tq1.produce.allow.user=* queue.tq1.produce.deny.user=Bob
-
The * principal rule for users overrides the corresponding * principal for groups. For example, the following two rules allow all authenticated users to send messages to tq1.
queue.tq1.produce.allow.user=* queue.tq1.produce.deny.group=*
-
Access granted a user overrides access granted to the user’s group. In the following example, even if Bob is a member of User, he cannot produce messages to tq1. All other members of User will be able to do so.
queue.tq1.produce.allow.group=User queue.tq1.produce.deny.user=Bob
-
Any access permission not explicitly granted through an access rule is implicitly denied. For example, if the ACL file contains no access rules, all users are denied all operations.
-
Deny and allow permissions for the same user or group cancel themselves out. For example, the following two rules cause Bob to be unable to browse q1:
queue.q1.browse.allow.user=Bob queue.q1.browse.deny.user=Bob
The following two rules prevent the group User from consuming messages at q5.
queue.q5.consume.allow.group=User queue.q5.consume.deny.group=User
-
When multiple same left-hand rules exist, only the last entry takes effect.
- © 2010, Oracle Corporation and/or its affiliates