Configuring ACL Profiles
ACL profiles control which clients can connect to a Message VPN and which topics connected clients are allowed to publish and subscribe to. They provide a powerful and scalable way to control what clients can and cannot access on an event broker.
After a client authenticates successfully with an event broker, the event broker checks the ACL profile assigned to the client based on the client username or the LDAP authorization group that the client belongs to.
For more information about ACL profiles, see Controlling Client Access with ACL Profiles.
You can perform the following tasks to configure and manage ACL profiles:
- Creating ACL Profiles
- Updating ACL Profiles
- Associating an ACL Profile with a Client Username
- Associating an ACL Profile with an Authorization Group
Creating ACL Profiles
You can create ACL profiles to assign to clients. If you don't assign an ACL profile to a client, the default ACL profile (named default) is automatically assigned, so review that profile's settings as carefully as any you create. A new profile starts with a Default Action of Disallow for each ACL type, so its exception lists act as allow lists.
To create an ACL profile, perform these steps:
- Open Broker Manager. For instructions, see PubSub+ Broker Manager.
- Select a Message VPN.
- On the left navigation bar, select Access Control.
- Select the ACL Profiles tab.
- Click + ACL Profile.
- Enter a name for the ACL profile and click Create.
- To set client connect exceptions, perform the following steps:
  - Select the Client Connect tab.
  - (Optional) To change the Client Connect Default Action to Allow, click Edit, select Allow from the drop-down list, and click Apply.
  - To add a client to the Exceptions list, click + Exception, enter the client address in CIDR format (nnn.nnn.nnn.nnn/nn), and click Create.
  - Repeat the previous step for every exception you want to add.
- To set publish topic exceptions, perform the following steps:
  - Select the Publish Topic tab.
  - (Optional) To change the Publish Default Action to Allow, click Edit, select Allow from the drop-down list, and click Apply.
  - To add a topic to the Exceptions list, click + Exception, enter the topic, select the topic format, and click Create.
  - Repeat the previous step for every exception you want to add.
- To set subscribe topic exceptions, perform the following steps:
  - Select the Subscribe Topic tab.
  - (Optional) To change the Subscribe Default Action to Allow, click Edit, select Allow from the drop-down list, and click Apply.
  - To add a topic to the Exceptions list, click + Exception, enter the topic, select the topic format, and click Create.
  - Repeat the previous step for every exception you want to add.
- To set subscribe share name exceptions, perform the following steps:
  - Select the Subscribe Share Name tab.
  - (Optional) To change the Subscribe Share Name Default Action to Allow, click Edit, select Allow from the drop-down list, and click Apply.
  - To add a share name to the Exceptions list, click + Exception, enter the shared subscription identifier, select the topic format, and click Create.
  - Repeat the previous step for every exception you want to add.
Updating ACL Profiles
You can update existing ACL profiles used by clients. You can also create new ACL profiles by cloning and updating an existing profile.
You can change default actions when you update an ACL profile, but keep in mind that changing the default reverses the meaning of the exceptions list: the exceptions always mean the opposite of the default. For example, if the default publish action is Disallow and you list topic exceptions that clients can publish to, changing the default publish action to Allow means that clients are now blocked from publishing to exactly those topics on the exceptions list and permitted to publish everywhere else.
When you update an ACL profile by changing the default client connect action or removing clients from the exceptions list, clients with established connections are not disconnected; they keep their sessions until they disconnect on their own. If a tightened profile must take effect immediately, disconnect the affected clients.
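The following is an added example, not code from this page or from Solace, that models how the four ACL types above are evaluated: each has a default action plus an exception list that means the opposite of that default. It shows the creation procedure's default-deny posture and the update caveat that flipping a default inverts the meaning of the existing exception list. The matching rules (SMF subscription wildcards for topic and share name exceptions, CIDR for client connect exceptions) are this editor's reading of broker behaviour; MQTT-syntax exceptions are not modelled, and the sample profile, topics and addresses are constructed.

```python
"""Model of a PubSub+ ACL profile: each ACL type has a default action plus an
exception list that means the OPPOSITE of that default.

Added example, not code from the page or from Solace. The matching rules
(SMF subscription wildcards for topic and share-name exceptions, CIDR for
client connect exceptions) are this editor's reading of broker behaviour;
MQTT-syntax exceptions are not modelled.
"""
import ipaddress
from dataclasses import dataclass, field


def smf_matches(pattern: str, value: str) -> bool:
    """SMF subscription matching on '/'-separated levels: '*' matches one
    whole level, 'pre*' matches a level that starts with 'pre', and a
    trailing '>' matches one or more remaining levels."""
    pat, lvls = pattern.split("/"), value.split("/")
    for i, p in enumerate(pat):
        if p == ">" and i == len(pat) - 1:
            return len(lvls) > i        # '>' needs at least one more level
        if i >= len(lvls):
            return False
        if p.endswith("*"):
            if not lvls[i].startswith(p[:-1]):
                return False
        elif p != lvls[i]:
            return False
    return len(lvls) == len(pat)


def decide(default: str, matched_exception: bool) -> bool:
    """Exceptions invert the default: disallow+match -> permitted,
    allow+match -> blocked. Returns True when the action is permitted."""
    if default not in ("allow", "disallow"):
        raise ValueError(f"unknown default action {default!r}")
    permitted = default == "allow"
    return not permitted if matched_exception else permitted


@dataclass
class AclProfile:
    name: str
    client_connect_default: str = "disallow"
    client_connect_exceptions: list = field(default_factory=list)  # CIDRs
    publish_default: str = "disallow"
    publish_exceptions: list = field(default_factory=list)         # SMF patterns
    subscribe_default: str = "disallow"
    subscribe_exceptions: list = field(default_factory=list)
    share_name_default: str = "disallow"
    share_name_exceptions: list = field(default_factory=list)

    def can_connect(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        hit = any(ip in ipaddress.ip_network(c, strict=False)
                  for c in self.client_connect_exceptions)
        return decide(self.client_connect_default, hit)

    def can_publish(self, topic: str) -> bool:
        hit = any(smf_matches(p, topic) for p in self.publish_exceptions)
        return decide(self.publish_default, hit)

    def can_subscribe(self, topic: str) -> bool:
        hit = any(smf_matches(p, topic) for p in self.subscribe_exceptions)
        return decide(self.subscribe_default, hit)

    def can_use_share_name(self, share_name: str) -> bool:
        hit = any(smf_matches(p, share_name) for p in self.share_name_exceptions)
        return decide(self.share_name_default, hit)


# Constructed sample profile: default-deny everywhere, with narrow exceptions.
ORDER_PRODUCERS = AclProfile(
    "order-producers",
    client_connect_exceptions=["10.20.0.0/16"],
    publish_exceptions=["orders/>"],
    subscribe_exceptions=["orders/*/ack"],
    share_name_exceptions=["orders-*"],
)


def flip_publish_default(profile: AclProfile, topic: str) -> tuple:
    """The update caveat: flipping a default action inverts what the
    unchanged exception list means for the same topic."""
    before = profile.can_publish(topic)
    profile.publish_default = "allow"
    after = profile.can_publish(topic)
    profile.publish_default = "disallow"   # restore the default-deny posture
    return before, after


if __name__ == "__main__":
    print(ORDER_PRODUCERS.can_connect("10.20.3.4"))             # True
    print(ORDER_PRODUCERS.can_publish("orders/eu/1"))           # True
    print(ORDER_PRODUCERS.can_publish("orders"))                # False: '>' needs a level
    print(flip_publish_default(ORDER_PRODUCERS, "orders/eu/1"))  # (True, False)
```

Note that "orders/>" does not match the bare topic "orders": a trailing ">" requires at least one further level, so a producer that publishes to the parent topic needs its own exception.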
To update an ACL profile, perform these steps:
- Open Broker Manager. For instructions, see PubSub+ Broker Manager.
- Select a Message VPN.
- On the left navigation bar, select Access Control.
- Select the ACL Profiles tab.
- (Optional) To create a new profile by cloning and updating an existing one, perform these steps:
  - Select the check box next to the profile you want to clone.
  - Click Action, and select Clone.
  - Enter a name for the new ACL profile.
  - Select the exception lists you want to clone.
  - Click Apply.
- Click the name of the ACL profile you want to update.
- To update an exception list, perform the following steps:
  - Select the tab for the ACL type.
  - To add an item to the Exceptions list, click + Exception, enter the client address, topic, or share name you want to add, and click Create.
  - To remove an item from the Exceptions list, select the check box next to the item you want to remove, click Action, and select Delete.
Associating an ACL Profile with a Client Username
When clients connect to an event broker using a client username, each client uses the ACL profile associated with its client username. For more information, see Creating Client Usernames.
To assign an ACL profile to a client username perform these steps:
- Open Broker Manager. For instructions, see PubSub+ Broker Manager.
- Select a Message VPN.
- On the left navigation bar, select Access Control.
- Select the Client Usernames tab.
- Click the client username you want to update.
- Click Edit.
- In the ACL Profile list, select the name of the ACL profile you want to associate with the client username.
- Click Apply.
Associating an ACL Profile with an Authorization Group
If you are using LDAP client authorization, you can associate an ACL profile with an authorization group, so that every client whose LDAP group maps to that authorization group is governed by the same profile.
To assign an ACL profile to an authorization group, perform these steps:
- Open Broker Manager. For instructions, see PubSub+ Broker Manager.
- Select a Message VPN.
- On the left navigation bar, select Access Control.
- On the Client Authentication tab, select the Authorization Groups tab.
- Click the authorization group you want to update.
- Click Edit.
- In the ACL Profile list, select the name of the ACL profile you want to associate with the authorization group.
- Click Apply.
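The Broker Manager procedures above can also be driven programmatically over SEMP v2, the broker's HTTP management API. The following is an added example, not code from this page or from Solace, that builds the same configuration as the Creating, Associating with a Client Username and Associating with an Authorization Group procedures: a default-deny profile, its four exception lists, and the PATCH requests that bind it to a client username and an authorization group. The endpoint paths and JSON field names are this editor's understanding of SEMP v2 and should be checked against the SEMP reference for your broker version; the host, Message VPN, profile, user and group names are constructed.

```python
"""Provision and bind an ACL profile over SEMP v2, the HTTP management API
that Broker Manager itself drives.

Added example, not code from the page or from Solace. The endpoint paths and
JSON field names are this editor's understanding of SEMP v2 and should be
checked against the SEMP reference for your broker version; host, VPN,
profile, user and group names below are constructed.
"""
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import quote

SEMP_BASE = "/SEMP/v2/config"


def _q(name: str) -> str:
    # Object names go in the URL path, so '/', '=' and ',' must be escaped.
    return quote(name, safe="")


def acl_profile_plan(vpn, profile, connect_cidrs=(), publish=(), subscribe=(),
                     share_names=(), syntax="smf"):
    """Ordered (method, path, body) requests that create a default-deny
    profile and then add each exception list (exceptions can only be
    attached to a profile that already exists)."""
    base = f"{SEMP_BASE}/msgVpns/{_q(vpn)}/aclProfiles"
    plan = [("POST", base, {
        "aclProfileName": profile,
        "clientConnectDefaultAction": "disallow",
        "publishTopicDefaultAction": "disallow",
        "subscribeTopicDefaultAction": "disallow",
        "subscribeShareNameDefaultAction": "disallow",
    })]
    prof = f"{base}/{_q(profile)}"
    for cidr in connect_cidrs:
        plan.append(("POST", f"{prof}/clientConnectExceptions",
                     {"clientConnectExceptionAddress": cidr}))
    for t in publish:
        plan.append(("POST", f"{prof}/publishTopicExceptions",
                     {"publishTopicExceptionSyntax": syntax,
                      "publishTopicException": t}))
    for t in subscribe:
        plan.append(("POST", f"{prof}/subscribeTopicExceptions",
                     {"subscribeTopicExceptionSyntax": syntax,
                      "subscribeTopicException": t}))
    for s in share_names:
        plan.append(("POST", f"{prof}/subscribeShareNameExceptions",
                     {"subscribeShareNameExceptionSyntax": syntax,
                      "subscribeShareNameException": s}))
    return plan


def bind_plan(vpn, profile, client_usernames=(), authorization_groups=()):
    """PATCH requests that point client usernames and LDAP authorization
    groups at the profile (the two association procedures above)."""
    v = f"{SEMP_BASE}/msgVpns/{_q(vpn)}"
    reqs = [("PATCH", f"{v}/clientUsernames/{_q(u)}", {"aclProfileName": profile})
            for u in client_usernames]
    reqs += [("PATCH", f"{v}/authorizationGroups/{_q(g)}", {"aclProfileName": profile})
             for g in authorization_groups]
    return reqs


def apply_plan(plan, host, user, password, dry_run=True):
    """Send the requests in order with HTTP basic auth. With dry_run=True the
    plan is returned unsent so it can be reviewed before it touches a broker."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    out = []
    for method, path, body in plan:
        if dry_run:
            out.append((method, path, body))
            continue
        req = urllib.request.Request(
            host + path, data=json.dumps(body).encode(), method=method,
            headers={"Content-Type": "application/json",
                     "Authorization": "Basic " + token})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                out.append((method, path, resp.status))
        except urllib.error.HTTPError as e:
            # SEMP returns a JSON "meta.error" object; keep it for the caller.
            out.append((method, path, e.code, e.read().decode()))
    return out


if __name__ == "__main__":
    plan = acl_profile_plan("finance", "order-producers",
                            connect_cidrs=["10.20.0.0/16"],
                            publish=["orders/>"], subscribe=["orders/*/ack"],
                            share_names=["orders-*"])
    plan += bind_plan("finance", "order-producers",
                      client_usernames=["svc-orders"],
                      authorization_groups=["cn=orders,ou=apps,dc=example,dc=com"])
    for step in apply_plan(plan, "https://broker.example.com:943", "admin", "changeme"):
        print(*step)
```

Run it with dry_run=True first and keep the printed plan with your change record; only then send it with dry_run=False over TLS to the management port. Because the binding PATCHes come last, a failure while adding exceptions leaves no username or group pointing at a half-built profile.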