The destination access control section of the access control properties file contains physical destination-based access control rules. These rules determine who (users/groups) may do what (operations) where (physical destinations). The types of access that are regulated by these rules include sending messages to a queue, publishing messages to a topic, receiving messages from a queue, subscribing to a topic, and browsing messages in a queue.
By default, any user or group can have all types of access to any physical destination. You can add more specific destination access rules or edit the default rules. The rest of this section explains the syntax of physical destination access rules, which you must understand to write your own rules.
The syntax of destination rules is as follows:
resourceType.resourceVariant.operation.access.principalType=principals
Table 7–4 describes these elements:
Table 7–4 Elements of Physical Destination Access Control Rules
| Component | Description |
|---|---|
| resourceType | Can be queue or topic. |
| resourceVariant | A physical destination name or all physical destinations (*), meaning all queues or all topics. |
| operation | Can be produce, consume, or browse. |
| access | Can be allow or deny. |
| principalType | Can be user or group. |
Access can be given to one or more users and/or one or more groups.
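The following Python script is an added example, not part of the Message Queue documentation or product. It parses rules of the documented form resourceType.resourceVariant.operation.access.principalType=principals, rejects any element outside the allowed values from Table 7–4, and reports the rules that grant every user access to every destination of a type (the permissive default described above), which is what an auditor of an access control properties file usually wants to find first. The destination and group names in the embedded sample are constructed; precedence between overlapping rules is not modelled because this page does not define it.

```python
"""Syntax checker and audit helper for physical destination access control rules.

Added example; not part of the Message Queue documentation or product.
Rules follow the documented syntax:

    resourceType.resourceVariant.operation.access.principalType=principals

Precedence between overlapping rules is not modelled here.
"""
from dataclasses import dataclass

RESOURCE_TYPES = {"queue", "topic"}
OPERATIONS = {"produce", "consume", "browse"}
ACCESS = {"allow", "deny"}
PRINCIPAL_TYPES = {"user", "group"}

# Constructed sample rules section; destination and group names are made up.
SAMPLE_RULES = """\
# permissive defaults: every user may do everything on every queue
queue.*.produce.allow.user=*
queue.*.consume.allow.user=*
queue.*.browse.allow.user=*
# tighten one queue: only members of group 'billing' may send to it
queue.invoices.produce.deny.user=*
queue.invoices.produce.allow.group=billing
topic.alerts.consume.allow.user=ops1, ops2
"""


@dataclass(frozen=True)
class Rule:
    resource_type: str
    resource_variant: str   # destination name, or '*' for all destinations of the type
    operation: str
    access: str
    principal_type: str
    principals: tuple       # principal names, or ('*',) for all principals of the type


def parse_line(line: str) -> Rule:
    """Parse one rule; raise ValueError naming the first invalid element."""
    key, sep, value = line.partition("=")
    if not sep:
        raise ValueError("missing '='")
    # Split from the right so a destination name containing '.' is kept whole.
    parts = key.strip().rsplit(".", 3)
    if len(parts) != 4:
        raise ValueError("expected resourceType.resourceVariant.operation.access.principalType")
    head, operation, access, principal_type = parts
    resource_type, sep2, resource_variant = head.partition(".")
    if not sep2 or not resource_variant:
        raise ValueError("missing resourceVariant")
    if resource_type not in RESOURCE_TYPES:
        raise ValueError(f"unknown resourceType '{resource_type}'")
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation '{operation}'")
    if access not in ACCESS:
        raise ValueError(f"unknown access '{access}'")
    if principal_type not in PRINCIPAL_TYPES:
        raise ValueError(f"unknown principalType '{principal_type}'")
    principals = tuple(p.strip() for p in value.split(",") if p.strip())
    if not principals:
        raise ValueError("no principals listed")
    return Rule(resource_type, resource_variant, operation, access, principal_type, principals)


def _rule_lines(text: str):
    """Yield (line number, stripped line) for non-blank, non-comment lines."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, line


def check_file(text: str) -> list:
    """Return 'line N: problem' strings; empty when every rule is well-formed."""
    problems = []
    for n, line in _rule_lines(text):
        try:
            parse_line(line)
        except ValueError as e:
            problems.append(f"line {n}: {e}")
    return problems


def parse_rules(text: str) -> list:
    """Parse every rule in the text, in file order."""
    return [parse_line(line) for _, line in _rule_lines(text)]


def broad_grants(rules) -> list:
    """Rules that allow every principal of their type on every destination of a type."""
    return [r for r in rules
            if r.access == "allow" and r.resource_variant == "*" and "*" in r.principals]


def rules_for(rules, resource_type: str, name: str, operation: str) -> list:
    """Every rule that can apply to one destination and operation (exact name or '*')."""
    return [r for r in rules
            if r.resource_type == resource_type and r.operation == operation
            and r.resource_variant in ("*", name)]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for rule in broad_grants(parsed):
        print("broad grant:", rule)
    for rule in rules_for(parsed, "queue", "invoices", "produce"):
        print("applies to queue 'invoices' / produce:", rule)
```

Run it against your own file by replacing SAMPLE_RULES with the file's contents; check_file tells you which lines the broker would not accept, and broad_grants lists the rules you would most want to review before tightening access.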
The following examples illustrate different kinds of physical destination access control rules: