Permissions
The actions a client session can take in Diffusion™ Cloud are controlled by a set of permissions. These permissions are assigned to roles.
- Topic: Permissions at topic scope apply to actions on a topic. Topic-scoped permissions are defined against topic branches. The permissions that apply to a topic are the set of permissions defined at the most specific branch of the topic tree.
- Global: Permissions at global scope apply to actions on Diffusion Cloud.
Topic permissions
The topic-scoped permissions are listed in the following table:
| Name | Description |
|---|---|
| | Use a topic selector that selects the topic path. A session must have this permission for the path prefix of any topic selector used to subscribe or fetch. |
| | Grant read access to the topics. If a session does not have this permission for a topic, that topic does not match subscriptions and is excluded from fetch requests. The topic's details also cannot be retrieved. |
| | Update topics at or below a topic branch. |
| | Create or modify topics at or below a topic branch. |
| | Send a topic message to the server for a topic at or below a topic branch. |
| | Send a message to a client session for a topic at or below a topic branch. |
Understanding topic-scoped permissions
Topic-scoped permissions are assigned to roles for specific topic paths. The permission assignment applies to all descendant topics, unless there is a more specific assignment.
To evaluate whether a client session has access to a permission for a topic, Diffusion Cloud starts at that topic and searches up the tree to find the nearest permission assignment. The first assignment is the only one considered, even if the client has roles involved in assignments further up the topic tree.
Default topic-scope assignments can also be defined. These are used if no path assignment matches.
The topic-scoped permissions included in the set of roles that are predefined in Diffusion Cloud are all scoped to the whole path hierarchy.
- A: A permission set is defined for the topic path A. These permissions give client sessions with the ALPHA role a set of permissions on the topic A.
- A/B: No permission set is defined for the topic path A/B. In this case, the permissions at the most specific scope are those defined for the topic path A. These permissions give client sessions with the ALPHA role the same set of permissions on the topic B.
- A/C: A permission set is defined for the topic path A/C. These permissions do not include any permissions for the ALPHA role. Client sessions with the ALPHA role have no permissions on the topic C. Permissions are defined for the ALPHA role at a less specific scope. However, these permissions are not referred to or inherited if any permissions are defined at a more specific scope. Only the most specific set of permissions is used. In this case, those permissions are only for the BETA role and not the ALPHA role.
- A/C/D: A permission set is defined for the topic path A/C/D. These permissions give client sessions with the ALPHA role a set of permissions on the topic D. The role ALPHA has only these permissions even though at A/C the role has no permissions defined and at A the role has additional permissions. Only the most specific set of permissions is used. The BETA role also has permissions defined at this scope. These permissions do not affect the permissions that the ALPHA role has at this scope.
Understanding the selector and read permissions
The default configuration grants the selector and read permissions to all sessions, then protects the topic tree below the Diffusion topic using the OPERATOR role. You can alter this configuration to protect sensitive topics.
A session that does not have the selector permission for a particular topic path cannot subscribe directly to topics at that path. However, the session can be independently subscribed to that topic by a control session that has the global permission to alter client sessions in addition to the selector permission for that topic path. The subscribed session requires the read permission for that topic for the subscription to the topic to occur. The control session cannot subscribe a session to a topic if that session does not have the read permission for the topic. When this occurs, the topic is filtered out of the subscription.
Use the selector permission with some care because topic selectors can use wildcard expressions. For example, with the default configuration, the OPERATOR role is required to use topic selector expressions such as "Diffusion" or ?Diffusion//, but the CLIENT role is sufficient to use the topic selector expression ?//, which selects all of the topics in the topic tree. In the default configuration, this does not cause a problem, as sessions that do not have the OPERATOR role also do not have the read permission for topics below "Diffusion". Any matching topics are filtered from subscription and fetch results for those sessions.
Managing all subscriptions from a separate control session
You can prevent client sessions from subscribing themselves to topics and control all subscriptions from a separate control client session that uses SubscriptionControl feature to subscribe clients to topics.
To restrict subscription capability to control sessions, configure the following permissions:
- Grant the control session the global permission to alter client sessions.
- Grant the control session the selector permission. This can either be granted for the default topic scope or more selectively, to restrict the topic selectors the control session can use.
- Grant the session the read permission for the appropriate topics.
- Deny the session the selector permission by default. Do not assign the session a role that has the selector permission for the default topic scope. This prevents the session from subscribing to all topics using a wildcard selector.
- Optionally, grant the session the selector permission for specific branches of the topic tree to which it can subscribe freely.
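The following Python model is an added example, not code from this page or from Diffusion Cloud. It implements the rules described above: the walk up the topic tree to the most specific assignment (the A, A/B, A/C, A/C/D walkthrough), the selector-then-read check that filters unreadable topics from a wildcard fetch (the default configuration with the "Diffusion" branch), and the managed-subscription pattern in which only the control session holds the selector permission. The role names, the permission labels (SELECT, READ, MODIFY_SESSION, "update"), the topic paths and the `TopicPolicy`/`fetch`/`subscribe_via_control` functions are all constructed for this example and are not Diffusion's own names or API.

```python
# Added model of the topic-permission rules described on this page. Role names,
# permission labels and topic paths are constructed; not Diffusion Cloud's API.
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

SELECT = "select"                  # may use a selector whose path prefix is this path
READ = "read"                      # topic is visible to subscriptions and fetches
MODIFY_SESSION = "modify_session"  # global permission: alter another client session

Assignment = Dict[str, FrozenSet[str]]  # role -> permissions, at one topic path


class TopicPolicy:
    """Topic-scoped permission assignments plus the default assignment."""

    def __init__(self, default: Optional[Assignment] = None) -> None:
        self.by_path: Dict[str, Assignment] = {}
        self.default: Assignment = default or {}

    def assign(self, path: str, role: str, perms: Iterable[str]) -> None:
        self.by_path.setdefault(path, {})[role] = frozenset(perms)

    def nearest_assignment(self, path: str) -> Assignment:
        # Start at the topic and walk up the tree. The first assignment found is
        # the only one considered; nothing is inherited from less specific paths.
        # The default assignment applies only when no path assignment matches.
        parts = path.split("/") if path else []
        while parts:
            candidate = "/".join(parts)
            if candidate in self.by_path:
                return self.by_path[candidate]
            parts.pop()
        return self.default

    def permissions(self, roles: Iterable[str], path: str) -> FrozenSet[str]:
        assignment = self.nearest_assignment(path)
        granted: FrozenSet[str] = frozenset()
        for role in roles:
            granted |= assignment.get(role, frozenset())
        return granted

    def has(self, roles: Iterable[str], path: str, perm: str) -> bool:
        return perm in self.permissions(roles, path)


def _matches(prefix: str, topic: str) -> bool:
    # "" stands for the root selector, which matches every topic in the tree.
    return prefix == "" or topic == prefix or topic.startswith(prefix + "/")


def fetch(policy: TopicPolicy, roles: List[str], prefix: str, topics: List[str]) -> List[str]:
    """Direct subscribe/fetch: SELECT is checked once at the selector's path
    prefix; READ is checked per topic, and unreadable topics are filtered out."""
    if not policy.has(roles, prefix, SELECT):
        raise PermissionError(f"no {SELECT} permission for selector prefix {prefix!r}")
    return [t for t in topics if _matches(prefix, t) and policy.has(roles, t, READ)]


def subscribe_via_control(policy: TopicPolicy, control_global: FrozenSet[str],
                          control_roles: List[str], session_roles: List[str],
                          prefix: str, topics: List[str]) -> List[str]:
    """A control session subscribes another session: the control session needs
    MODIFY_SESSION globally and SELECT at the prefix; the target session needs
    only READ per topic, so topics it cannot read are filtered out."""
    if MODIFY_SESSION not in control_global:
        raise PermissionError(f"control session lacks {MODIFY_SESSION}")
    if not policy.has(control_roles, prefix, SELECT):
        raise PermissionError(f"control session lacks {SELECT} at {prefix!r}")
    return [t for t in topics if _matches(prefix, t) and policy.has(session_roles, t, READ)]


def page_example() -> Dict[str, FrozenSet[str]]:
    """The A, A/B, A/C, A/C/D walkthrough, with constructed permission sets."""
    policy = TopicPolicy()
    policy.assign("A", "ALPHA", {SELECT, READ, "update"})
    policy.assign("A/C", "BETA", {READ})             # nothing for ALPHA here
    policy.assign("A/C/D", "ALPHA", {SELECT, READ})
    policy.assign("A/C/D", "BETA", {READ, "update"})
    return {p: policy.permissions(["ALPHA"], p) for p in ("A", "A/B", "A/C", "A/C/D")}


def default_config_demo() -> Tuple[List[str], List[str]]:
    """Default-style configuration: everyone may select and read, except that
    the tree below "Diffusion" is assigned to OPERATOR only. A CLIENT may still
    use the root selector; the "Diffusion" topics are simply filtered out."""
    everyone = frozenset({SELECT, READ})
    policy = TopicPolicy(default={"CLIENT": everyone, "OPERATOR": everyone})
    policy.assign("Diffusion", "OPERATOR", everyone)
    topics = ["Diffusion/Metrics", "Prices/FX"]
    return fetch(policy, ["CLIENT"], "", topics), fetch(policy, ["OPERATOR"], "", topics)


def managed_subscription_demo() -> Tuple[str, List[str]]:
    """Subscriptions managed by a control session: RESTRICTED has no SELECT at
    the default scope and READ only below "Prices"; CONTROL does the selecting."""
    policy = TopicPolicy(default={"CONTROL": frozenset({SELECT})})
    policy.assign("Prices", "RESTRICTED", {READ})
    topics = ["Diffusion/Metrics", "Prices/FX"]
    try:
        fetch(policy, ["RESTRICTED"], "", topics)
        direct = "allowed"
    except PermissionError:
        direct = "denied"
    managed = subscribe_via_control(policy, frozenset({MODIFY_SESSION}),
                                    ["CONTROL"], ["RESTRICTED"], "", topics)
    return direct, managed
```

One consequence of the "most specific assignment wins" rule is visible in `managed_subscription_demo`: the assignment at "Prices" names only RESTRICTED, so CONTROL's default-scope SELECT grant does not reach a selector whose prefix is "Prices" (the walk stops at "Prices" and finds no SELECT for CONTROL). A control session that should use that branch as a selector prefix needs its selector grant repeated in the branch's assignment, which is the situation the "more selectively" wording in the procedure above describes.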
Global permissions
The global permissions are listed in the following table:
| Name | Description |
|---|---|
| | List or listen to client sessions. |
| | Alter a client session. This covers a range of actions. |
| | Register any handler with Diffusion Cloud. |
| | Register an authentication handler. The permission to register handlers is also required to perform this action. |
| | Shut down Diffusion Cloud. Note: This action can be taken only from the dashboard. Client sessions cannot shut down Diffusion Cloud. |
| | View the security policy. |
| | Change the security policy. |
This page last modified: 2017/06/05