In WebSphere MQ Publish/Subscribe, all publish and subscribe authority checks are performed against the stream queue. Publishing applications need authority to put messages to the stream queue. The WebSphere MQ Publish/Subscribe broker also checks the authority of subscribing applications, which require browse authority on the stream queue. A subscribing application also needs put authority for the queue that it nominates to receive its publications.
A similar check is made by WebSphere Event Broker brokers, but there is no checking for subscribe, or browse, authority. Instead, WebSphere Event Broker uses Access Control Lists (ACLs), which you can create using the workbench, to provide the required authorities for individual topics. For more information about ACLs, see Authorization to access runtime resources.
However, stream publications can be processed by WebSphere Event Broker on any input queue, because publishers no longer need to put to a queue with the same name as the stream. Therefore, set up equivalent ACLs for all streams using their corresponding topic level qualifiers.
Stream authorities
The figure shows the stream authorities that are required. This example assumes that you have updated the default ACL on the topic root for principal PublicGroup with authority for publish, subscribe, and persistent delivery all set to deny.
These settings ensure that publishers and subscribers on the default stream are unable to publish on, or subscribe to, other streams without an explicit ACL that overrides the relevant setting.
These settings override any setting on parent topics and limit publish and subscribe activity to users within these specific groups.
If you want to set up exceptions to this situation, you can do so by introducing an ACL at the appropriate point. For example, if you want to grant publishers on the default stream, PDefault, authority to publish on StreamX, you must create an explicit ACL at point (3) to grant that authority; this overrides the denial of authority at point (2). In this scenario, users in PDefault would still be unable to publish on StreamY.
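The following sketch is an added example, not IBM code or a product API. It models the deny-by-default layout and the PDefault exception described above, and lists streams that have no ACL on their topic level qualifier. It assumes a simplified resolution rule (the nearest explicit entry on the path to the topic root decides); the groups PX, SX, PY and SY, the stream StreamZ and the subtopic names are hypothetical.

```python
# Simplified model (assumption, not the broker's algorithm): ACLs sit on topic
# nodes, the nearest explicit entry between the topic and the root decides, and
# a named-group entry is consulted before PublicGroup at the same node.
ROOT = ""

def path_to_root(topic):
    """'StreamX/a/b' -> ['StreamX/a/b', 'StreamX/a', 'StreamX', '']"""
    parts = topic.split("/") if topic else []
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)] + [ROOT]

def is_allowed(acls, groups, topic, action):
    """acls: {topic: {principal: {action: 'allow' | 'deny'}}}"""
    for node in path_to_root(topic):
        entries = acls.get(node, {})
        named = [entries[g][action] for g in groups
                 if g in entries and action in entries[g]]
        if named:
            return "allow" in named
        public = entries.get("PublicGroup", {}).get(action)
        if public:
            return public == "allow"
    return False  # assumption for this sketch: no entry anywhere means deny

def streams_without_acl(acls, streams):
    """Streams whose topic level qualifier carries no explicit ACL."""
    return [s for s in streams if not acls.get(s)]

def build_acls(with_exception=False):
    """Constructed sample data: root denies PublicGroup, streams allow groups."""
    deny_all = {"publish": "deny", "subscribe": "deny", "persistent": "deny"}
    acls = {
        ROOT: {"PublicGroup": dict(deny_all)},
        "StreamX": {"PX": {"publish": "allow"}, "SX": {"subscribe": "allow"}},
        "StreamY": {"PY": {"publish": "allow"}, "SY": {"subscribe": "allow"}},
    }
    if with_exception:
        # The explicit ACL that lets PDefault publish on StreamX only.
        acls["StreamX"]["PDefault"] = {"publish": "allow"}
    return acls

if __name__ == "__main__":
    for exc in (False, True):
        acls = build_acls(with_exception=exc)
        for topic in ("StreamX/prices", "StreamY/prices"):
            print(exc, topic, is_allowed(acls, ["PDefault"], topic, "publish"))
    print(streams_without_acl(build_acls(), ["StreamX", "StreamY", "StreamZ"]))
```
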