Universal Messaging 10.3 | Administration Guide | Universal Messaging Enterprise Manager | Administration Using Enterprise Manager | Using ACLs for role-based Security | Channel Entitlements
 
Channel Entitlements
Channel ACLs
After a client has established a session with a Universal Messaging Realm server, has been successfully authenticated, and its subject has the correct user entitlements, the subject must also be granted the correct entitlements on the required channels before it can perform operations on channel objects. Each channel has an associated ACL that contains a list of subjects and the set of privileges each subject is given for operations on the channel.
Using the Enterprise Manager, one can add to, remove or modify entries within the channel ACL.
To view a channel ACL, click on a channel node within the namespace of the Enterprise Manager, and select the 'ACL' tab. This will display the channel ACL and the list of subjects and their associated permissions for the channel. The following image displays an example of a channel ACL.
As you can see above, the channel ACL has a number of subject entries and operations that each subject is able to perform on the channel. The operations that can be performed on a channel are described below in the order in which they appear in the ACL panel above:
* Manage ACL - Allows the subject to get and manage the list of ACL entries.
  Note:
  This permission is a combination of two permissions at the Administration API level. The boolean setModify() API function allows/denies permission to change an ACL value, and the boolean setList() API function allows/denies permission to access the current list of ACLs. If both of these functions return the value true, Manage ACL is allowed, otherwise Manage ACL is not allowed.
  If the green check icon is displayed in the Manage ACL field, the corresponding two API functions for this field are set to true. If you remove the green check icon, this sets the corresponding two API functions for this field to false.
* Full - Has complete access to the secured object
* Purge - Can delete events on this channel
* Subscribe - Can subscribe for events on this channel
* Publish - Can publish events to this channel
* Named - Can connect using a named (durable) subscriber
The green check icon shows that a subject is permitted to perform the operation. For example, if there is a subject *@* with only subscribe permissions for this channel, this means that any client who has successfully established a session and has obtained a reference to this channel within their application code can only subscribe to the channel and read events.
To modify the permissions for a subject, click the cell in the ACL table for the subject and the operation you wish to change. For example, to remove the subscribe permission for the *@* subject, click the *@* row in the column labelled 'subscribe'. This turns the cell from a green check icon to blank. It also ensures that only those subjects listed in the ACL with sufficient privileges are able to perform any operations on the channel.
After making any changes, you then need to click on the 'Apply' button which will notify the Realm Server of the ACL change for that channel.
Any ACL changes made by other Enterprise Manager users, or by any program that uses the Universal Messaging Admin API to modify ACLs, will be received by all other Enterprise Managers. This is because ACL changes are automatically sent to all Universal Messaging Admin API clients, the Enterprise Manager being one of those clients.
Any changes made to a channel ACL where the channel is a cluster channel will be replicated to all other instances of the cluster channel in all other cluster realms.
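The following Python script is an added example, not part of the original guide or of the product's own code. It audits a channel ACL for wildcard subjects that hold more than read access and for entries where only one of the two API flags behind Manage ACL is set. The CSV layout, the sample rows, the user@host reading of subjects and the choice of which privileges count as sensitive are all assumptions made for illustration.

```python
import csv
import io

# Constructed sample in a hypothetical CSV layout (not a real export format).
# "modify" and "list" are the two API flags the panel shows as "Manage ACL".
SAMPLE_ACL_CSV = """subject,modify,list,full,purge,subscribe,publish,named
admin@10.0.0.5,1,1,1,1,1,1,1
*@*,0,0,0,0,1,1,0
feed@*,1,0,0,1,0,1,0
reader@app01,0,0,0,0,1,0,1
"""

# Assumed policy: privileges that change channel state or its ACL.
SENSITIVE = ("manage_acl", "full", "purge", "publish")


def parse_acl(text):
    """Return one dict per ACL entry with boolean flags and derived manage_acl."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        entry = {k: (v == "1") for k, v in row.items() if k != "subject"}
        entry["subject"] = row["subject"]
        # Manage ACL is allowed only when both API flags are true.
        entry["manage_acl"] = entry["modify"] and entry["list"]
        entries.append(entry)
    return entries


def is_wildcard(subject):
    """True when the user or host part of user@host is the '*' wildcard."""
    user, _, host = subject.partition("@")
    return user == "*" or host == "*"


def audit(entries):
    """Return (subject, finding) tuples for entries that deserve review."""
    findings = []
    for e in entries:
        granted = [p for p in SENSITIVE if e[p]]
        if is_wildcard(e["subject"]) and granted:
            findings.append((e["subject"], "wildcard subject holds: " + ", ".join(granted)))
        # One flag without the other: no check icon shown, yet one flag is still true.
        if e["modify"] != e["list"]:
            findings.append((e["subject"], "partial Manage ACL: modify=%s list=%s" % (e["modify"], e["list"])))
    return findings


if __name__ == "__main__":
    print(*audit(parse_acl(SAMPLE_ACL_CSV)), sep="\n")
```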