Global Administrator Permissions
Certain permissions allow administrators to perform global actions, such as creating users or viewing all queues.
The following table describes the global administrator permissions.
Permission | Allows Administrator To... |
---|---|
all | Perform all administrative commands. |
view-all | View any item that can be administered (for example, users, groups, topics, and so on). |
change-acl | Grant and revoke user-level permissions. |
change-admin-acl | Grant and revoke administrative permissions. |
change-bridge | Create and delete destination bridges. |
change-connection | Delete connections. |
create-destination | Create any destination. |
modify-destination | Modify any destination. |
delete-destination | Delete any destination. |
change-durable | Delete durable subscribers. |
change-factory | Create, delete, and modify factories. |
change-group | Create, delete, and modify groups. |
change-message | Delete messages stored in the server. |
change-route | Create, delete, and modify routes. |
change-server | Modify server parameters. |
change-user | Create, delete, and modify users. |
purge-destination | Purge destinations. |
purge-durable | Purge durable subscribers. |
shutdown | Shut down the server. |
view-acl | View user-level permissions. |
view-admin-acl | View administrative permissions. |
view-connection | View connections, producers and consumers. |
view-bridge | View destination bridges. |
view-destination | View destination properties and information. |
view-durable | View durable subscribers. To view a durable subscriber, you must also have view-destination permission, because information about a durable subscriber includes information about the destination to which it subscribes. |
view-factory | View factories. |
view-group | View all groups. Granting this permission implicitly grants view-user as well. |
view-message | View messages stored in the server. |
view-route | View routes. |
view-server | View server configuration and information. |
view-user | View any user. |
Granting the view permissions is useful when you want specific users to only be able to view items. It is not necessary to grant the view permission if a user already has a permission that allows the user to modify the item.
Global permissions are stored in the acl.conf file, along with all other permissions. Global permissions in this file have the following syntax:
ADMIN USER=<username> PERM=<permission>
or
ADMIN GROUP=<groupname> PERM=<permission>
For example, if a user named BOB is granted the view-user global administration permission and the group sys-admins is granted the change-acl permission, the following entries are added to the acl.conf file:
ADMIN USER=BOB PERM=view-user
ADMIN GROUP=sys-admins PERM=change-acl
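The following audit sketch is an added example, not part of the product or its documentation. It parses ADMIN entries in the syntax shown above and reports principals that hold permissions able to change who has access, plus view-durable grants that lack the view-destination permission the table says is also required. The sample entries other than BOB and sys-admins, the ESCALATION set, and the acceptance of a comma-separated PERM list are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the ADMIN syntax shown above; carol, dave and ops are made up.
SAMPLE_ACL = """\
ADMIN USER=BOB PERM=view-user
ADMIN GROUP=sys-admins PERM=change-acl
ADMIN USER=carol PERM=view-durable
ADMIN GROUP=ops PERM=view-durable
ADMIN GROUP=ops PERM=view-destination
ADMIN USER=dave PERM=all
"""

# Assumption of this example: permissions whose table description lets the
# holder change who holds permissions (ACLs, users, groups) or do everything.
ESCALATION = {"all", "change-acl", "change-admin-acl", "change-user", "change-group"}

ADMIN_LINE = re.compile(r"^ADMIN\s+(USER|GROUP)=(\S+)\s+PERM=(\S+)$")

def parse_admin_grants(text):
    """Map (kind, name) to the set of global permissions granted to it."""
    grants = defaultdict(set)
    for line in text.splitlines():
        m = ADMIN_LINE.match(line.strip())
        if m:  # other lines in acl.conf (non-ADMIN permissions) are skipped
            kind, name, perms = m.groups()
            # Assumption: PERM may carry a comma-separated list.
            grants[(kind, name)].update(p for p in perms.split(",") if p)
    return dict(grants)

def audit(grants):
    """Return (kind, name, finding) tuples for entries worth a manual review."""
    findings = []
    for (kind, name), perms in sorted(grants.items()):
        for p in sorted(perms & ESCALATION):
            findings.append((kind, name, f"can alter access control via {p}"))
        # Conservative check: group membership is not resolved here, so a user
        # may still receive view-destination through a group.
        if "view-durable" in perms and not perms & {"view-destination", "all"}:
            findings.append((kind, name, "view-durable without view-destination"))
    return findings

if __name__ == "__main__":
    for kind, name, finding in audit(parse_admin_grants(SAMPLE_ACL)):
        print(f"{kind} {name}: {finding}")
```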