About Queue ACL Permissions
After a client has established a session to a Universal Messaging realm and is successfully authenticated, and the subject has the correct user entitlements, in order to perform operations on a queue, the subject must have the appropriate ACL permissions for the queue. Each queue has an associated ACL that contains a list of subjects and a set of permissions the subject is given for operations on the queue.
You can add, remove, and modify ACL entries, and view ACL permissions on the ACL tab for a queue in the Enterprise Manager. A green check icon indicates the permissions given to each subject.
A subject in the ACL list can have the following permissions to perform operations on the queue:
Manage ACL - Can get and manage the list of ACL entries.
Note: This permission is a combination of two permissions at the Administration API level. The boolean setModify() API function allows or denies permission to change an ACL value, and the boolean setList() API function allows or denies permission to access the current list of ACLs. If both of these functions return the value true, Manage ACL is allowed, otherwise Manage ACL is not allowed. If the green check icon is displayed in the Manage ACL field, the corresponding two API functions for this field are set to true. If you remove the green check icon, this sets the corresponding two API functions for this field to false.
Full - Has complete access to the secured object.
Purge - Can delete events on the queue.
Peek - Can snoop on the queue (non-destructive read).
Push - Can publish events to the queue.
Pop - Can consume events on the queue (destructive read).
The green check icon shows that a subject is permitted to perform the operation. For example, if the subject *@* has only Peek permissions for a queue, this means that any client that has successfully established a session and has obtained a reference to this queue within its application code can only snoop on the queue and read events.