Customizing the ACL Profile for an Application

ACL profiles on an event broker control which clients can connect to a Message VPN, which topics a connected client is allowed to publish to, and which topics clients are allowed to subscribe to.

When you use runtime configuration to configure event brokers, Event Portal automatically creates an ACL profile associated with the client username or LDAP authorization group. The generated ACL profile allows the client application to:

  • connect to the Message VPN
  • publish only the topics for the events that the Event Portal application publishes
  • subscribe only to the topics that consumers in the Event Portal application subscribe to

For more information about ACL profiles, see Managing Client Access with ACL Profiles.

Customizing the Client Connection Default Action and Exceptions

ACL profiles include a client connection ACL that determines whether clients are allowed to connect to a Message VPN on an event broker.

You can configure ACLs to either allow or disallow all connections by default and take the opposite action for clients included on the exception list. After you set the default client connection action, you can specify a list of client IP addresses that are exceptions to the default action.

For example, if the client connection ACL uses a default action of Allow, but 10.1.1.0/24 and 2001:cdba::/64 are listed as exceptions, clients with an address in the range of 10.1.1.0/24 or 2001:cdba::/64 are denied access. Similarly, if the default client connection action is Disallow and a client with an address included on the exceptions list attempts to connect, that client is allowed to connect with no restrictions.

To set the default action and exceptions, when you add runtime configuration to a standard application, perform these steps:

  1. In the Configure Application dialog, in the Define Access Control step, after you enter the client credentials, click the Show Advanced Options toggle to display the Access Control List (ACL) Profile options.
  2. Set the Client Connection Default Action and any Client IP Address Exceptions:

    • If you want to block specific applications from connecting to the event broker, set the Client Connection Default Action to Allow and add the IPv4 or IPv6 addresses in CIDR format for the applications you want to block to the Client IP Address Exceptions field.
    • If you want to allow only specific applications to connect to the event broker, set the Client Connection Default Action to Disallow and add the allowed IPv4 or IPv6 addresses in CIDR format to the Client IP Address Exceptions field.
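As an added example (not Event Portal's or the event broker's own code), the following Python reproduces the client connection ACL decision described above: the default action applies unless the client address falls inside an exception range, which flips it. The exception ranges are the two CIDR blocks quoted in the text; the client addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample policy using the two CIDR ranges quoted in the text above.
SAMPLE_EXCEPTIONS = ["10.1.1.0/24", "2001:cdba::/64"]


def parse_exceptions(cidrs):
    """Parse the Client IP Address Exceptions into network objects.

    strict=True rejects entries with host bits set (e.g. 10.1.1.5/24) instead
    of silently rounding them to a network, so a typo in the exception list
    fails loudly rather than quietly changing which clients are affected.
    """
    return [ipaddress.ip_network(cidr, strict=True) for cidr in cidrs]


def connection_allowed(client_ip, default_action, exceptions):
    """Decide a connection the way the client connection ACL does.

    default_action is "allow" (exceptions form a blocklist) or "disallow"
    (exceptions form an allowlist). An address inside any exception range
    gets the opposite of the default; everything else gets the default.
    IPv4 entries never match IPv6 clients and vice versa.
    """
    if default_action not in ("allow", "disallow"):
        raise ValueError(f"unknown default action: {default_action!r}")
    addr = ipaddress.ip_address(client_ip)
    in_exception = any(addr in net for net in exceptions)
    default_allows = default_action == "allow"
    return default_allows != in_exception   # an exception flips the default


if __name__ == "__main__":
    nets = parse_exceptions(SAMPLE_EXCEPTIONS)
    for ip in ("10.1.1.42", "10.1.2.42", "2001:cdba::1", "2001:cdbb::1"):
        for action in ("allow", "disallow"):
            verdict = "allowed" if connection_allowed(ip, action, nets) else "denied"
            print(f"default={action:<8} client={ip:<14} -> {verdict}")
```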

Customizing Allowed Publish Topics

Customizing the list of allowed publish topics in Event Portal is a Controlled Availability (CA) feature. Please contact Solace to find out if this feature is supported for your use case.

ACL profiles include topic ACLs that specify which topics clients can publish to and subscribe to. When Event Portal creates an ACL profile for an application, the ACL disallows the application from publishing messages to any topic except those that Event Portal adds to a publish topic exception list. Event Portal uses the topic addresses for topics published by the application to create the exception list.

If necessary, you can refine the list of allowed publish topics. For instance, when an application publishes an event that includes a variable in the topic address, the variable is represented as a wildcard in the publish topic exception list, which allows the application to publish topics with any value in place of the wildcard. You may want to update the allowed publish topics for the application to restrict the values. For example, if the variable is a location, you may want to allow the application to only publish events for a specific location.

Be aware of these considerations for customizing the allowed publish topics:

  • If you customize ACL profiles, Event Portal does not validate whether the customization creates security issues. For example, the allowed publish topics could be customized to allow an application to publish to many more topics than necessary.

  • If you customize the list of allowed publish topics and the list includes a topic for an event that is defined in Event Portal but not declared as published by the application, the application displays a warning before promotion. If the allowed event requires approval, you must get approval before publishing the application.
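As an added example (not Event Portal's own code), the following Python mirrors the generated publish topic ACL (deny by default, allow only exception-list matches) and adds the check Event Portal does not perform: whether a customized list admits topics the generated list would not. It assumes a simplified subset of Solace topic wildcard syntax ("/"-separated levels, "*" matching exactly one whole level, a final ">" matching one or more levels); the topic addresses are constructed for illustration.

```python
# Assumed, simplified Solace topic wildcard rules for this example: levels are
# separated by "/", a level of "*" matches exactly one level of any value, and
# a final level of ">" matches one or more remaining levels.

# Constructed sample: an event whose topic address carries a location variable
# is generated into the exception list with a wildcard in that position.
GENERATED = ["shipping/location/*/dispatched"]
NARROWED = ["shipping/location/toronto/dispatched"]   # tightens to one location
WIDENED = ["shipping/>"]                              # loosens far beyond need


def topic_matches(pattern, topic):
    """True if `topic` is covered by the exception-list entry `pattern`."""
    p, t = pattern.split("/"), topic.split("/")
    for i, level in enumerate(p):
        if level == ">" and i == len(p) - 1:
            return len(t) > i                  # needs at least one more level
        if i >= len(t) or (level != "*" and level != t[i]):
            return False
    return len(t) == len(p)


def publish_allowed(topic, exception_list):
    """Publish topic ACL as generated: deny by default, allow only topics
    matching some entry on the publish topic exception list."""
    return any(topic_matches(entry, topic) for entry in exception_list)


def widens(generated, override):
    """True if `override` admits some topic that `generated` would reject."""
    g, o = generated.split("/"), override.split("/")
    for i, gl in enumerate(g):
        if gl == ">" and i == len(g) - 1:
            return len(o) <= i                 # generated already covers any tail
        if i >= len(o) or o[i] == ">":
            return True                        # override shorter or unbounded
        if gl != "*" and gl != o[i]:
            return True                        # override "*" or a different literal
    return len(o) != len(g)                    # override has extra levels


def review_override(generated_list, override_list):
    """Entries in the override that no generated entry covers. Event Portal
    does not perform this check, so it belongs in your own change review."""
    return [o for o in override_list
            if all(widens(g, o) for g in generated_list)]


if __name__ == "__main__":
    for topic in ("shipping/location/london/dispatched", "shipping/audit/x"):
        print(topic, publish_allowed(topic, GENERATED), publish_allowed(topic, NARROWED))
    print("widening entries:", review_override(GENERATED, WIDENED))
```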

To customize the allowed publish topics, perform these steps:

  1. Follow the instructions in Creating a Standard Solace Application or Updating Standard Solace Applications in the Component View to configure event flows for the application version, including at least one event that the application publishes.
  2. In the component view for the application, select the version you want to change the allowed publish topics for and then select Design Details.
  3. In the Events section, select the Advanced Topic Setup tab.
  4. Expand the Allowed Publish Topics section to display the list of topics that the application is allowed to publish.
  5. Click Override Publish Topics. If you have already added an override, you can update the list by clicking next to a topic to remove it from the list or by clicking Add Publish Topics to add more topics.
  6. In the Add Publish Topics dialog, perform any of these actions:
    • Edit a topic.
    • Click Duplicate next to a topic to duplicate the entry, then modify it.
    • Click Delete next to a topic to remove it from the list.
    • Click Add to add a field to enter another topic.
  7. Click Add Publish Topics.
  8. If you have customized the allowed publish topics and want to delete a topic from the list, on the Advanced Topic Setup tab, click Remove for the topic.

    If you delete all allowed publish topics, the ACL publish topic exception list reverts to the publish topics generated by Event Portal.

Customizing an ACL Profile Name

Customizing ACL profile names in Event Portal is a Controlled Availability (CA) feature. Please contact Solace to find out if this feature is supported for your use case.

By default, ACL profiles created in Event Portal are assigned to only one client username or LDAP authorization group on an event broker. If you want to configure more than one application to use the same ACL profile, the applications must have the same client username or LDAP authorization group and you must independently track which applications use the same profile.

You can set the ACL profile name when you configure runtime configuration. For more information, see Adding Runtime Configuration to a Standard Application.

To set the ACL profile name when you add runtime configuration to a standard application, perform these steps:

  1. In the Configure Application dialog, in the Define Access Control step, after you enter the client credentials, click the Show Advanced Options toggle to display the ACL Profile Name field.
  2. Click Customize Profile Name to change the name from the generated default ACL profile name.
  3. Enter an ACL Profile Name. The name is case sensitive and can be a maximum of 32 characters. Only alphanumeric characters and underscores (_) are permitted. ACL profile names must be unique on the event broker service or Message VPN.

    If you later want to revert to the generated default name, click Use Default Profile Name.

  4. Click Next: Review and review the configuration in the Review step.
  5. Perform one of these steps:
    1. If you're ready to promote the application to an environment, click Start Promotion.
    2. If you're not ready to promote the application, click Save & Promote Later. You can start promotion later from the Guidance panel or the component view.

    When you're ready, complete the promotion according to the steps for Promoting a Standard Application to an Environment.