Copyright © TIBCO Software Inc. All Rights Reserved
When granting user permissions, you specify the user or group to whom you wish to grant the permission, the name of the destination, and the permission(s) to grant. Granting permissions is independent of both the authorization server parameter and the secure property of the relevant destinations. The currently granted permissions are stored in the access control file; however, the server enforces them only if authorization is enabled, and only for secure destinations.
User permissions can only be granted by an administrator with the appropriate permissions described in Administrator Permissions.

You assign permissions either by specifying them in the acl.conf file, using the tibemsadmin tool, or by using the administration APIs. When setting user permissions, you can specify either explicit destination names or wildcard destination names. See Inheritance of User Permissions for more information on wildcard destination names and permissions.

The permissions that can be granted to users to access queues are listed in Table 47; the permissions to access topics are listed in Table 48.
Table 47 Queue Permission
Table 48 Topic Permission

permission to use an existing durable subscriber on the topic, but not to create, delete, or modify the durable subscriber

This set of permissions means that bob can subscribe to topic foo and publish messages to it, but bob cannot create durable subscribers to foo.

If both the user bob and the group engineering have entries in the acl.conf file, then bob has permissions that are a union of all permissions set for bob directly and the permissions of the group engineering.

For example, you can grant user Bob the browse permission on queue foo.*. The user Bob receives the browse permission on the foo.bar queue, and you can also grant Bob the send permission on the foo.bar queue. However, you cannot take away the inherited browse permission from Bob on the foo.bar queue.

Administrators can revoke permissions for users to create consumers on a destination. Without permission, the user cannot create new consumers for a destination; however, existing consumers of the destination continue to receive messages.

You can only revoke a permission that is granted directly. That is, you cannot revoke a permission from a user that the user receives from a group. Also, you cannot revoke a permission that is inherited from a parent topic. The revoke command in tibemsadmin can only remove items from specific entries in the acl.conf file. The revoke command cannot remove items that are inherited from other entries.
• Remove or edit entries in the acl.conf file.
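
The following Python sketch is an added illustration, not TIBCO code or part of the original documentation. It models the rules above (union of user and group grants, wildcard inheritance, revoke limited to one specific entry, enforcement gated on authorization and the secure property) so that an audit can show which entry supplies each effective permission. The `Acl` class, its method names, the `receive` grant, and the single-element treatment of `*` are assumptions made for the example.

```python
# Added illustration: a simplified model of the rules described above, not TIBCO code.
from dataclasses import dataclass, field

@dataclass
class Acl:
    # (principal kind, principal name, destination pattern) -> set of permissions
    entries: dict = field(default_factory=dict)
    groups: dict = field(default_factory=dict)   # group name -> set of member users

    def grant(self, kind, name, dest, *perms):
        self.entries.setdefault((kind, name, dest), set()).update(perms)

    def revoke(self, kind, name, dest, *perms):
        """Remove perms from one specific entry only; return perms that entry did not hold."""
        entry = self.entries.get((kind, name, dest), set())
        missing = set(perms) - entry
        entry.difference_update(perms)
        return missing

    def effective(self, user, dest):
        """Map each permission the user holds on dest to the entries that supply it."""
        sources = {}
        for (kind, name, pattern), perms in self.entries.items():
            applies = (kind == "USER" and name == user) or (
                kind == "GROUP" and user in self.groups.get(name, set()))
            if applies and matches(pattern, dest):
                for p in perms:
                    sources.setdefault(p, []).append((kind, name, pattern))
        return sources

def matches(pattern, dest):
    # Assumption: "*" stands for exactly one dot-separated element (foo.* covers foo.bar).
    p, d = pattern.split("."), dest.split(".")
    return len(p) == len(d) and all(a in ("*", b) for a, b in zip(p, d))

def enforced(authorization_enabled, destination_secure):
    # Stored grants are enforced only with authorization enabled and a secure destination.
    return authorization_enabled and destination_secure

def demo():
    # Constructed sample grants mirroring the Bob / engineering example in the text.
    acl = Acl(groups={"engineering": {"bob"}})
    acl.grant("USER", "bob", "foo.*", "browse")
    acl.grant("USER", "bob", "foo.bar", "send")
    acl.grant("GROUP", "engineering", "foo.bar", "receive")
    acl.revoke("USER", "bob", "foo.bar", "send", "browse")  # browse is not in this entry
    return acl.effective("bob", "foo.bar")
```

After the revoke in `demo()`, bob no longer has send on foo.bar, but still holds browse through the foo.* entry and receive through the engineering group; removing those requires editing the entries that supply them.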