ACL
When routing a secure topic or queue, servers consult the ACL specification before forwarding each message. The servers must grant one another appropriate permissions to send, receive, publish or subscribe.
For example, in above image, you don’t need an ACL for messages to flow from A (where a producer is sending to) to B (where a consumer is consuming from) because B has authorization turned off and messages are being sent to and consumed from queues. However, if messages were to flow from B to A (producer connects to B and consumer connects to A), then server A's ACL should grant user B send permission on the queue Q2.
If we were to use topics in this example, then for messages to flow from A to B, you would need A to grant B the subscribe and durable permission on the topic (global on both servers). And for messages to flow from B to A, you would have to grant topic B publish permission on the topic.
Also see Authentication and Permissions.