Nirvana Enterprise Manager - Queue Entitlements

Queue ACLs

Once clients have established a session with a Nirvana Realm server, and they have successfully been authenticated and the subject has the correct user entitlements, in order to perform operations on queue objects, the correct entitlements must be granted to the subject on the required queue. Each queue has an associated ACL that contains a list of subjects and a set of privileges the subject is given for operations on the queue.

Using the Enterprise Manager, one can add to, remove or modify entries within the queue ACL.

To view a queue ACL, click on a queue node within the namespace of the Enterprise Manager, and select the 'ACL' tab. This will display the queue ACL and the list of subjects and their associated permissions for the queue. The following image displays and example of a queue acl.

As you can see above, the queue ACL has a number of subject entries and operations that each subject is able to perform on the queue. The operations that can be performed on a queue are described below in the order in which they appear in the acl panel above:

  • List – Allows the subject to get a list of ACL entries
  • Modify – Allows the subject to add/remove ACL entries
  • Full Privileges – Has complete access to the secured object
  • Purge – Can delete events on this queue
  • Peek– Can peek the events on this queue
  • Push– Can push events to this queue
  • Pop – Can pop events from the queue

The green circles show that a subject is permitted to perform the operation. For example, the subject *@* is shown as having only peek permissions for this queue. This means that any client who has successfully established a session and has obtained a reference to this queue within their application code can only subscribe to the queue and read events.

In order to modify the permissions for a subject, you simply need to click on the cell in the ACL table for the subject and the operation you wish to modify permissions for. For example, if I wanted remove the peek permission for the *@* subject I would simply click on the *@* row at the column labelled 'peek'. This would turn the cell from blank to a green circle. This would also ensure that only those subjects listed in the ACL and with sufficient privileges, would be able to perform any operations on the queue.

After making any changes, you then need to click on the 'Apply' button which will notify the Realm Server of the ACL change for that queue.

Any ACL changes that are made by other Enterprise Manager users, or from any programs using the Nirvana Admin API to modify ACLs will be received by all other Enterprise Managers. This is because ACL changes are automatically sent to all Nirvana Admin API clients, the Enterprise Manager being one of those clients.

Any changes made to a channel ACL where the queue is a cluster queue will be replicated to all other instances of the cluster queue in all other cluster realms.