This is archived documentation for an older version of Nirvana (v3.1). Please refer to documentation for the latest version if required.

Nirvana Access Control Lists (ACLs)

Nirvana’s Access Control List (ACL) controls clients’ connection requests and subsequent Nirvana operations. By default, access control checks are performed within a realm.

A Nirvana realm’s Access Control List can be controlled programmatically through the Nirvana Administration API or by using the Nirvana Enterprise Manager GUI. Any third-party security service can be passed a subject and a request and return a result that directly controls the individual user-level ACLs within a Nirvana realm. The Nirvana Admin API exposes the complete security model of the Nirvana Realm Server remotely, allowing customer-specific security models to be created.

For more information on Nirvana security please see the Nirvana security white paper.

General ACL permissions

The following flags apply to every ACL.

• Modify – Allows the subject to add/remove ACL entries
• List – Allows the subject to get a list of ACL entries
• Full Privileges – Has complete access to the secured object

Nirvana Realm Server ACL permissions


The Realm Access Control Entry has the following controllable flags:

• Use Admin API – Can use the nAdminAPI package
• Manage Realm – Can add / remove realms from this realm
• Manage Joins – Can add/delete channel joins
• Manage P2P Services – Can create/destroy P2P services
• Manage Channels – Can add/delete channels on this realm
• Access The Realm – Can actually connect to this realm
• Override Connection Count – Can bypass the connection count on the realm
• Configure Realm – Can set run time parameters on the realm
• Cluster Management – Can create / delete / manage clusters

Channel ACL permissions

The Channel Access Control Entry has the following controllable flags:

• Write – Can publish events to this channel
• Read – Can subscribe for events on this channel
• Purge – Can delete events on this channel
• Get Last EID – Can get the last event Id on this channel
• Named Subscriber – Can use a named subscriber on this channel

Queue ACL permissions

The Queue Access Control Entry has the following controllable flags:

• Write – Can push events to this queue
• Read – Can peek the events on this queue
• Purge – Can delete events on this queue
• Pop – Can pop events from the queue

P2P Service permissions

The Service Access Control Entry has the following controllable flags:

• Connect – Can access this service

Wildcard Support

As well as specifying an access control entry for a specific subject, you can use wildcards in the subject itself. In this way you can specify access control based on hostname or on username.

For example:

ACL Entry            Description
*@*                  Represents all users from all nodes
*@client1.com        Represents all users from the node client1.com
username@nodename    Represents the user "username" on the node "nodename"
username@*           Represents the user "username" on all nodes
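
The subject patterns in the table above can be reviewed offline with a small matcher. The following is an added example, not Nirvana code and not part of the original documentation: it lists which entries cover a connecting subject and flags wildcard entries that carry high-impact flags. It assumes "*" replaces a whole user or host component (as in the four examples), does not model how the realm server combines overlapping entries, and uses a constructed sample ACL and the example's own choice of high-impact flags.

```python
# Added example: models the user@host subject patterns from the table above.
# Assumption: "*" replaces a whole user or host component, as in the page's
# four examples; partial globs (e.g. "*.client1.com") are not modelled.

# The example's own choice of flags that deserve review on wildcard entries.
HIGH_IMPACT = {"Full Privileges", "Modify", "Use Admin API", "Configure Realm"}

# Constructed sample realm ACL: (subject pattern, flags granted).
SAMPLE_ACL = [
    ("*@*", {"Access The Realm"}),
    ("*@client1.com", {"Access The Realm", "Manage Channels"}),
    ("admin@*", {"Full Privileges", "Use Admin API"}),
    ("ops@mgmt01", {"Configure Realm", "List"}),
]


def split_subject(subject):
    """Split 'user@host' into (user, host); reject malformed subjects."""
    user, sep, host = subject.partition("@")
    if not sep or not user or not host or "@" in host:
        raise ValueError(f"not a user@host subject: {subject!r}")
    return user, host


def pattern_matches(pattern, subject):
    """True if an ACL entry's subject pattern covers the concrete subject."""
    p_user, p_host = split_subject(pattern)
    user, host = split_subject(subject)
    return p_user in ("*", user) and p_host in ("*", host)


def entries_for(acl, subject):
    """Return the patterns of every entry that applies to the subject."""
    return [pat for pat, _ in acl if pattern_matches(pat, subject)]


def risky_wildcards(acl):
    """Return (pattern, sorted flags) for wildcard entries with high-impact flags."""
    findings = []
    for pat, flags in acl:
        hits = sorted(flags & HIGH_IMPACT)
        if "*" in split_subject(pat) and hits:
            findings.append((pat, hits))
    return findings


if __name__ == "__main__":
    print(entries_for(SAMPLE_ACL, "admin@client1.com"))
    print(risky_wildcards(SAMPLE_ACL))
```

In the sample, `admin@*` is reported because it grants Full Privileges and Use Admin API to the user name "admin" from any node.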