Destination-Level Permissions
Administrators can be granted permissions on each destination. Destination-level permissions control the administration functions a user can perform on a specific destination. Global permissions granted to a user override any destination-level permissions.
The typical use of destination-level administration permissions is to specify permissions on wildcard destinations for different groups of users. This allows you to specify particular destinations over which a group of users has administrative control. For example, you may allow one group to control all ACCOUNTING.* topics, and another group to control all PAYROLL.* queues.
The following table describes the destination-level administration permissions.
Permission | Allows Administrator To... |
---|---|
view | View information for this destination. |
create | Create the specified destination. This permission is useful when used with wildcard destination names. This allows the user to create any destination that matches the specified parent. |
delete | Delete this destination. |
modify | Change the properties for this destination. |
purge | Either purge this queue, if the destination is a queue, or purge the durable subscribers, if the destination is a topic with durable subscriptions. |
Granting the view permission is useful when you want specific users to be able only to view items. It is not necessary to grant the view permission if a user already has a permission that allows the user to modify the item.
Administration permissions for a destination are stored alongside all other permissions for the destination in the acl.conf file. For example, if user BOB has publish and subscribe permissions on topic foo, and then BOB is granted view permission, the ACL listing would look like the following:
TOPIC=foo USER=BOB PERM=publish,subscribe,view
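The following is an added example, not part of the original documentation or the product's own tooling: a small review script that reads entries in the acl.conf format shown above and reports which principals hold create, delete, modify or purge on wildcard destinations. The QUEUE= and GROUP= keys are assumed to follow the same pattern as the TOPIC= and USER= keys in the example line, the sample entries are constructed, and global permissions (which override destination-level ones) are not considered.

```python
import re

# Destination-level administration permissions from the table above.
ADMIN_PERMS = {"view", "create", "delete", "modify", "purge"}
# Wildcard characters in destination names: "*" as in ACCOUNTING.*, and ">".
WILDCARDS = ("*", ">")

# Entry shape taken from the page's example line; QUEUE= and GROUP= are
# assumed to follow the same pattern as TOPIC= and USER=.
ENTRY_RE = re.compile(r"^(TOPIC|QUEUE)=(\S+)\s+(USER|GROUP)=(\S+)\s+PERM=(.+)$")

# Constructed sample, not a real acl.conf.
SAMPLE_ACL = """\
TOPIC=foo USER=BOB PERM=publish,subscribe,view
TOPIC=ACCOUNTING.* GROUP=acct-admins PERM=view,create,delete,modify
QUEUE=PAYROLL.* GROUP=payroll-admins PERM=view,purge
QUEUE=PAYROLL.reports USER=ALICE PERM=receive,view
"""

def parse_acl(text):
    """Return destination entries; lines of any other shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, dest, ptype, name, perms = m.groups()
        perm_set = {p.strip().lower() for p in perms.split(",") if p.strip()}
        entries.append({"kind": kind, "dest": dest,
                        "principal": f"{ptype}={name}", "perms": perm_set})
    return entries

def wildcard_admin_grants(text):
    """List grants of create/delete/modify/purge on wildcard destinations."""
    findings = []
    for e in parse_acl(text):
        changing = sorted((e["perms"] & ADMIN_PERMS) - {"view"})
        if changing and any(w in e["dest"] for w in WILDCARDS):
            findings.append((e["kind"], e["dest"], e["principal"], changing))
    return findings

if __name__ == "__main__":
    for kind, dest, principal, perms in wildcard_admin_grants(SAMPLE_ACL):
        print(f"{kind} {dest}: {principal} may {', '.join(perms)}")
```

Entries that grant only view, or that name a single destination, are not reported, so the output is the list of broad administrative grants to review against the groups that are meant to control each wildcard.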