Users and Groups

User permissions apply to the activities a user can perform on each destination (topic or queue). With permissions, you control which users can send, receive, or browse messages on queues. You can also control who can publish or subscribe to topics, and who can create durable subscriptions to topics. Permissions are stored in the access control list for the server.

Groups allow you to create classes of users and control permissions on a more global level. Rather than granting and revoking permissions on destinations to individual users, you can control destination access at the group level. Users inherit any permissions from each of the groups they belong to, in addition to any permissions that are granted to them directly.
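The inheritance rule above, as an added example (not part of the product documentation and not EMS configuration syntax): a simplified in-memory model that reports which grant, direct or group, gives a user each permission, and shows that revoking a direct grant leaves a group-inherited one in place. The users, groups, destinations and function names are hypothetical, and the permission labels are shorthand for the activities named on this page.

```python
# Added illustration: a simplified in-memory model, not EMS configuration syntax.
from collections import defaultdict

# Constructed sample data (all names hypothetical).
GROUPS = {"traders": {"alice", "bob"}, "auditors": {"bob", "carol"}}
# ACL entries: (destination type, destination, principal type, principal, permissions)
ACL = [
    ("queue", "orders", "group", "traders", {"send", "receive"}),
    ("queue", "orders", "group", "auditors", {"browse"}),
    ("queue", "orders", "user", "bob", {"browse"}),
    ("topic", "prices", "user", "carol", {"subscribe", "durable"}),
]


def grant_paths(user, acl=ACL, groups=GROUPS):
    """Map (dest_type, dest, permission) -> set of sources that grant it."""
    paths = defaultdict(set)
    for dtype, dest, ptype, principal, perms in acl:
        if ptype == "user" and principal == user:
            source = "direct"
        elif ptype == "group" and user in groups.get(principal, ()):
            source = f"group:{principal}"
        else:
            continue
        for perm in perms:
            paths[(dtype, dest, perm)].add(source)
    return dict(paths)


def effective(user, acl=ACL, groups=GROUPS):
    """Effective permissions: union of direct grants and every group's grants."""
    return set(grant_paths(user, acl, groups))


def revoke_direct(acl, user, dtype, dest, perm):
    """Return a new ACL with one direct user grant removed; group grants untouched."""
    out = []
    for e_dtype, e_dest, ptype, principal, perms in acl:
        if (e_dtype, e_dest, ptype, principal) == (dtype, dest, "user", user):
            perms = perms - {perm}
        if perms:
            out.append((e_dtype, e_dest, ptype, principal, perms))
    return out


if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        for key, sources in sorted(grant_paths(u).items()):
            print(u, *key, "via", ", ".join(sorted(sources)))
```

In an access review, the per-permission source list is what tells you whether removing a user's direct grant actually removes the access or whether a group membership still provides it.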

The following figure illustrates the relationships between users, groups and permissions.

Externally configured users and groups are defined and managed using the external directory. Locally configured users and groups, as well as the access control list, are configured using any of the administration interfaces (editing configuration files, using the administration tool, or using the administration APIs).

Note: Access control and Transport Layer Security (TLS) have some similar characteristics. TLS allows for servers to require user authentication by way of the user’s digital certificate. TLS does not, however, specify any access control at the destination level. TLS and the access control features described in this chapter can be used together or separately to ensure secure access to your system. See TLS Protocol for more information about TLS.

The following sections describe users and groups in EMS.