Lotus Expeditor Toolkit, Version 6.2
Operating systems: Linux on x86, Windows


Micro broker ACL example

This section contains a complete example of a simple micro broker ACL file:

 1.    <?xml version="1.0" encoding="UTF-8"?>
 2.    <micro-acl policy-combination="permit-overrides"
 3.        xmlns='http://com.ibm.micro/micro-acl'
 4.        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 5.        xsi:schemaLocation="http://com.ibm.micro/micro-acl micro-acl.xsd">
 6.        <policy rule-combination="permit-overrides">
 7.            <resource type="broker" />
 8.            <rule effect="deny"/>
 9.            <rule effect="permit">
10.                <subject name="Alice" />
11.                <subject name="Bob" />
12.            </rule>
13.        </policy>
14.        <policy rule-combination="permit-overrides">
15.            <resource type="topic" />
16.            <rule effect="deny" />
17.            <rule effect="permit">
18.                <subject name="Bob" />
19.                <resource type="topic" name="stocks/US/IBM" />
20.                <resource type="topic" name="records/Bob" />
21.                <action value="subscribe" />
22.            </rule>
23.            <rule effect="permit">
24.                <subject name="Alice" />
25.                <resource type="topic" name="stocks/US/IBM" />
26.                <resource type="topic" name="records/Alice/notify" />
27.                <action value="subscribe" />
28.                <action value="publish" />
29.                <environment network="10.1.0.0/16" />
30.            </rule>
31.        </policy>
32.    </micro-acl>

Line 2 defines the root element and sets the policy-combination algorithm for the ACL file to permit-overrides.

The file contains two policies.
Lines 6-13
  • Defines a policy that governs access to the broker
  • Access to the broker is granted for Alice and Bob and explicitly denied for everybody else
Lines 14-31
  • Defines a policy controlling access to the topic space
  • Line 15 specifies that the policy applies to topics
  • Line 16 sets the default access to deny
  • Lines 18-22 define a rule that gives user Bob permission to subscribe to the topics stocks/US/IBM and records/Bob.
  • Lines 23-29 define a second rule that allows Alice to both publish and subscribe to the topics stocks/US/IBM and records/Alice/notify, but only when she connects from a client that has an IP address that falls into the range specified by 10.1.0.0/16.
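The decisions described above can be checked with a small model of the file. This is an added example, not IBM code and not the micro broker's own evaluation algorithm. The names `rule_matches` and `decide` are hypothetical, and the sketch assumes that an element type absent from a rule matches anything, that topic names match exactly, and that a request matched by no rule is denied.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"a": "http://com.ibm.micro/micro-acl"}
# The ACL from the listing above, with the listing's line numbers stripped.
ACL = """<micro-acl policy-combination="permit-overrides" xmlns="http://com.ibm.micro/micro-acl">
  <policy rule-combination="permit-overrides">
    <resource type="broker" />
    <rule effect="deny" />
    <rule effect="permit"><subject name="Alice" /><subject name="Bob" /></rule>
  </policy>
  <policy rule-combination="permit-overrides">
    <resource type="topic" />
    <rule effect="deny" />
    <rule effect="permit">
      <subject name="Bob" />
      <resource type="topic" name="stocks/US/IBM" />
      <resource type="topic" name="records/Bob" />
      <action value="subscribe" />
    </rule>
    <rule effect="permit">
      <subject name="Alice" />
      <resource type="topic" name="stocks/US/IBM" />
      <resource type="topic" name="records/Alice/notify" />
      <action value="subscribe" />
      <action value="publish" />
      <environment network="10.1.0.0/16" />
    </rule>
  </policy>
</micro-acl>"""

def rule_matches(rule, subject, name, action, ip):
    """Assumed semantics: an absent element type is a wildcard; names match exactly."""
    def listed(tag, attr, value):
        allowed = [e.get(attr) for e in rule.findall(f"a:{tag}", NS)]
        return not allowed or value in allowed
    nets = [e.get("network") for e in rule.findall("a:environment", NS)]
    in_net = not nets or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)
    return listed("subject", "name", subject) and listed("resource", "name", name) \
        and listed("action", "value", action) and in_net

def decide(subject, rtype, name, action, ip):
    """permit-overrides: one matching permit rule outweighs any matching deny rule."""
    effects = set()
    for policy in ET.fromstring(ACL).findall("a:policy", NS):
        if policy.find("a:resource", NS).get("type") != rtype:
            continue  # this policy governs a different resource type
        for rule in policy.findall("a:rule", NS):
            if rule_matches(rule, subject, name, action, ip):
                effects.add(rule.get("effect"))
    return "permit" if "permit" in effects else "deny"
```

Running a table of expected decisions through a model like this before deploying an edited ACL makes it easy to spot a rule that grants more than intended, for example a permit rule that lost its `<environment>` restriction.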



Last updated: October 21, 2008
© Copyright IBM Corporation 2006, 2008. All Rights Reserved.