Within each profile, you can configure exactly two subject rules—one subscribe rule and one publish rule. Each rule consists of a default action and a set of exceptions.
For example, suppose profile P1 has a subscribe rule that allows all subjects, and an exception disallowing foo.>. Then client connections that map to profile P1 can subscribe to any subject except those that either match foo.> directly (for example, foo.bar, foo.*.baz) or overlap foo.> (for example, *.bar, *.*, >). (For a description of analogous behavior in rvrd, see Subject Filtering with Wildcards, in TIBCO Rendezvous Administration.)
Conversely, suppose profile P2 has a subscribe rule that disallows all subjects, and an exception allowing Free.Chat.>. Then client connections that map to profile P2 can subscribe to any subject that matches Free.Chat.> directly (for example, Free.Chat.Cats.> and Free.Chat.*.Feeding).
Notice that overlapping subjects (such as Free.*.*) are not allowed. As a general rule, overlapping is sufficient to disallow, but not to allow.
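
The asymmetry between matching and overlapping can be checked mechanically. The following is an added example, not TIBCO code: the function names covers, overlaps and may_subscribe are hypothetical, and it assumes that * matches exactly one subject element and that > appears only as the last element and matches one or more trailing elements.

```python
# Added illustration; not TIBCO code. Assumes '*' matches exactly one element
# and '>' (final element only) matches one or more trailing elements.

def covers(pattern, subject):
    """True if every name that `subject` can match is also matched by `pattern`."""
    p, s = pattern.split("."), subject.split(".")
    for i, pe in enumerate(p):
        if pe == ">":
            return len(s) > i          # subject has at least one element here
        if i >= len(s) or s[i] == ">":
            return False               # subject is shorter, or open-ended where pattern is not
        if pe != "*" and pe != s[i]:
            return False               # literal vs. different literal or vs. '*'
    return len(s) == len(p)

def overlaps(a, b):
    """True if at least one concrete name is matched by both `a` and `b`."""
    x, y = a.split("."), b.split(".")
    for i in range(max(len(x), len(y))):
        if i >= len(x) or i >= len(y):
            return False               # one side ended without a '>' to absorb the rest
        if ">" in (x[i], y[i]):
            return True                # prefixes agree and both have an element here
        if "*" not in (x[i], y[i]) and x[i] != y[i]:
            return False
    return True

def may_subscribe(default_allow, exceptions, subject):
    """Evaluate one subscribe rule: default action plus its exception list."""
    if default_allow:                  # exceptions disallow: overlap is enough
        return not any(overlaps(e, subject) for e in exceptions)
    return any(covers(e, subject) for e in exceptions)  # exceptions allow: must match directly

# Constructed requests, taken from the examples in the text above.
P1 = (True, ["foo.>"])
P2 = (False, ["Free.Chat.>"])

if __name__ == "__main__":
    for name, rule, subjects in [
        ("P1", P1, ["foo.bar", "foo.*.baz", "*.bar", "*.*", ">", "bar.baz"]),
        ("P2", P2, ["Free.Chat.Cats.>", "Free.Chat.*.Feeding", "Free.*.*"]),
    ]:
        for subj in subjects:
            verdict = "allowed" if may_subscribe(*rule, subj) else "denied"
            print(f"{name}: {subj:22} {verdict}")
```
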
When you first enable the ACL feature, a profile named default is factory configured. This profile has a subscribe rule that allows all subjects, and a publish rule that allows all subjects. All client connections (that is, any combination of username and service) map to this default profile (specificity 4).
You may change the subject rules of the default profile, but you cannot delete it.