Customizing the ACL Profile for an Application

ACL profile customization in Event Portal is a Controlled Availability (CA) feature. Please contact Solace to find out if this feature is supported for your use case.

ACL profiles on an event broker control which clients can connect to a Message VPN, which topics a connected client is allowed to publish to, and which topics clients that receive Direct messages are allowed to subscribe to.

When using runtime configuration to configure event brokers, Event Portal automatically creates an ACL profile associated with the client username or LDAP authorization group. The generated ACL profile allows the client application to connect to the Message VPN, to publish only to the topics of the events that the application publishes in Event Portal, and to subscribe only to the topics that the consumer in the application subscribes to. For more information about ACL profiles, see Controlling Client Access with ACL Profiles.

ACL profiles are assigned to only one client username or LDAP authorization group on an event broker. If you want to configure more than one application to use the same ACL profile, the applications must also have the same client username or LDAP authorization group and you must independently track which applications are using the same profile.

Customizing Allowed Publish Topics

ACL profiles include topic ACLs that specify which topics clients can publish to and subscribe to. When Event Portal creates an ACL profile for an application, the ACL disallows the application from publishing messages to any topic except those that Event Portal adds to a publish topic exception list. Event Portal uses the topic addresses for topics published by the application to create the exception list.

If necessary, you can refine the list of allowed publish topics. For instance, when an application publishes an event that includes a variable in the topic address, the variable is represented as a wildcard in the publish topic exception list, which allows the application to publish to topics with any value in place of the wildcard. You may want to update the allowed publish topics for the application to restrict the values. For example, if the variable is a location, you may want to allow the application to only publish events for a specific location.

Be aware of these considerations for customizing the allowed publish topics:

  • If you customize ACL profiles, Event Portal does not validate whether the customization creates security issues. For example, the allowed publish topics could be customized to allow an application to publish to many more topics than necessary.

  • If you customize the list of allowed publish topics and the list includes a topic for an event that is defined in Event Portal but not declared as published by the application, the application displays a warning before promotion. If the allowed event requires approval, you must get approval before publishing the application.
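Because Event Portal does not check whether an override widens the ACL, the following added example (not Event Portal or Solace code) reviews a customized publish topic list against the generated one and flags any entry that is not covered by a generated topic. It assumes Solace SMF wildcard rules (`*` at the end of a level matches one level with that prefix, `>` as the final level matches one or more trailing levels) and uses constructed sample topics in which Event Portal turned a `{region}` variable into `*`.

```python
"""Flag override publish topics that widen the Event Portal-generated ACL.

Added example, not Event Portal or Solace code. Assumed SMF wildcard rules:
  '*' at the end of a level matches one level beginning with that prefix
  '>'  as the final level matches one or more trailing levels
"""


def _levels(topic: str) -> list[str]:
    levels = topic.split("/")
    if ">" in levels[:-1] or any("*" in lv[:-1] for lv in levels):
        raise ValueError(f"invalid Solace topic syntax: {topic!r}")
    return levels


def subsumes(general: str, specific: str) -> bool:
    """True if every topic matched by `specific` is also matched by `general`."""
    g_lv, s_lv = _levels(general), _levels(specific)
    for i, g in enumerate(g_lv):
        if g == ">":  # covers any one-or-more remaining levels of `specific`
            return len(s_lv) > i
        if i >= len(s_lv):  # `general` needs more levels than `specific` has
            return False
        s = s_lv[i]
        if s == ">":  # multi-level wildcard is wider than any single level
            return False
        if g.endswith("*"):
            prefix = g[:-1]
            s_prefix = s[:-1] if s.endswith("*") else s
            if not s_prefix.startswith(prefix):
                return False
        elif g != s:
            return False
    return len(s_lv) == len(g_lv)  # extra trailing levels would widen scope


def widening_overrides(generated: list[str], override: list[str]) -> list[str]:
    """Return override topics not covered by any generated publish topic."""
    return [t for t in override if not any(subsumes(g, t) for g in generated)]


# Constructed sample: the `{region}` variable became `*` in the generated list.
GENERATED = ["shipping/order/*/created", "shipping/order/*/status/>"]
OVERRIDE = [
    "shipping/order/EMEA/created",   # narrows the region: fine
    "shipping/order/EMEA/status/>",  # narrows the region: fine
    "shipping/>",                    # widens to the whole tree: flagged
]

if __name__ == "__main__":
    for topic in widening_overrides(GENERATED, OVERRIDE):
        print(f"override widens the generated ACL: {topic}")
```

Run the check before promoting an application version whose Allowed Publish Topics were overridden; any flagged topic needs a reviewer to confirm the wider scope is intended.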

To customize the allowed publish topics, perform these steps:

  1. Follow the instructions in Creating a Standard Solace Application or Updating Standard Solace Applications in the Component View to configure event flows for the application version, including at least one event that the application publishes.
  2. In the component view for the application, select the version you want to change the allowed publish topics for and then select Design Details.
  3. In the Events section, select the Advanced Topic Setup tab.
  4. Expand the Allowed Publish Topics section to display the list of topics that the application is allowed to publish.
  5. Click Override Publish Topics. If you have already added an override, you can update the list by clicking next to a topic to remove it from the list or by clicking Add Publish Topics to add more topics.
  6. In the Add Publish Topics dialog, perform any of these actions:
    • Edit a topic.
    • Click Duplicate next to a topic to duplicate the entry, then modify it.
    • Click Delete next to a topic to remove it from the list.
    • Click Add to add a field to enter another topic.
  7. Click Add Publish Topics.
  8. If you have customized the allowed publish topics and want to delete a topic from the list, on the Advanced Topic Setup tab, click Remove for the topic.

    If you delete all allowed publish topics, the ACL publish topic exception list reverts to the publish topics generated by Event Portal.

Customizing an ACL Profile Name

You can set the ACL profile name when you configure runtime configuration. For more information, see Adding Runtime Configuration to a Standard Application.

To set the ACL profile name when you add runtime configuration to a standard application, perform these steps:

  1. In the Configure Application dialog, in the Define Access Control step, after you enter the client credentials, click the Show Advanced Options toggle to display the ACL Profile Name field.
  2. Click Customize Profile Name to change the name from the generated default ACL profile name.
  3. Enter an ACL Profile Name. The name is case sensitive and can be a maximum of 32 characters. Only alphanumeric characters and underscores (_) are permitted. ACL profile names must be unique on the event broker service or Message VPN.

    If you later want to revert to the generated default name, click Use Default Profile Name.

  4. Click Next: Review and review the configuration in the Review step.
  5. Perform one of these steps:
    • If you're ready to promote the application to an environment, click Start Promotion.
    • If you're not ready to promote the application, click Save & Promote Later. You can start promotion later from the Guidance panel or the component view.

    When you're ready, complete the promotion according to the steps for Promoting a Standard Application to an Environment.