Destination-Level Permissions
Administrators can be granted permissions on each destination. Destination-level permissions control the administration functions a user can perform on a specific destination. Global permissions granted to a user override any destination-level permissions.
The typical use of destination-level administration permissions is to specify permissions on wildcard destinations for different groups of users. This allows you to specify particular destinations over which a group of users has administrative control. For example, you may allow one group to control all `ACCOUNTING.*` topics, and another group to control all `PAYROLL.*` queues.
The following table describes the destination-level administration permissions.
Permission | Allows Administrator To... |
---|---|
view | View information for this destination. |
create | Create the specified destination. This permission is useful when used with wildcard destination names. This allows the user to create any destination that matches the specified parent. |
delete | Delete this destination. |
modify | Change the properties for this destination. |
purge | Either purge this queue, if the destination is a queue, or purge the durable subscribers, if the destination is a topic with durable subscriptions. |
Granting the view permission is useful when you want specific users to only be able to view items. It is not necessary to grant the view permission if a user already has a permission that allows the user to modify the item.
Administration permissions for a destination are stored alongside all other permissions for the destination in the `acl.conf` file. For example, if user `BOB` has publish and subscribe permissions on topic `foo`, and then `BOB` is granted view permission, the acl listing would look like the following:
TOPIC=foo USER=BOB PERM=publish,subscribe,view
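
Because administration permissions share a line with messaging permissions in `acl.conf`, reviewing who holds them means separating the two sets. The following is an added example, not part of the product or its documentation: it parses listings in the format shown above and reports every administration grant, flagging wildcard destinations and the delete and purge permissions. The `QUEUE=` and `GROUP=` keys, the principal names and the function names are assumptions made for illustration.

```python
# Destination-level administration permissions from the table above.
ADMIN_PERMS = {"view", "create", "delete", "modify", "purge"}

# Constructed sample. Only the first line is the page's own listing; the
# QUEUE= and GROUP= keys and the principal names are assumptions.
SAMPLE_ACL = """\
TOPIC=foo USER=BOB PERM=publish,subscribe,view
TOPIC=ACCOUNTING.* GROUP=acct-admins PERM=view,create,delete,modify,purge
QUEUE=PAYROLL.* GROUP=payroll-admins PERM=receive,view,purge
QUEUE=PAYROLL.run USER=ALICE PERM=send,receive
"""


def parse_acl(text):
    """Return one dict per destination entry; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        kind = next((k for k in ("TOPIC", "QUEUE") if k in fields), None)
        who = next((k for k in ("USER", "GROUP") if k in fields), None)
        if not (kind and who and "PERM" in fields):
            continue
        perms = {p.strip().lower() for p in fields["PERM"].split(",") if p.strip()}
        entries.append({
            "kind": kind, "dest": fields[kind],
            "principal": f"{who}={fields[who]}",
            "admin": sorted(perms & ADMIN_PERMS),
            "messaging": sorted(perms - ADMIN_PERMS),
        })
    return entries


def audit_admin_grants(text):
    """List entries that carry administration permissions, with review flags."""
    findings = []
    for e in parse_acl(text):
        if not e["admin"]:
            continue  # messaging-only entry, nothing to review here
        flags = []
        if "*" in e["dest"]:
            flags.append("wildcard")      # grant covers every matching destination
        if {"delete", "purge"} & set(e["admin"]):
            flags.append("destructive")   # can delete destinations or purge them
        findings.append((e["principal"], e["kind"], e["dest"], e["admin"], flags))
    return findings


if __name__ == "__main__":
    for finding in audit_admin_grants(SAMPLE_ACL):
        print(finding)
```

Global permissions are outside this check and, as stated above, override anything it reports at the destination level.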