An ACL rule with an identity topic filter needs a complementary ACL rule with a wildcarded topic filter. In the wildcarded topic filter, the + wildcard replaces the topic level that matches a device or user identifier. This replacement lets specific authorization groups access topics that would otherwise be accessible only to the device or user whose identifier matches that topic level. When creating this pair of ACL rules, follow these guidelines:

  1. In the first ACL rule, specify an identity topic filter where %c or %u replaces a topic level that matches a client or user identifier.

  2. For the topic filter's publishers or subscribers, either:

    • Specify at least one authorization group. Note: Within this group, the only devices or users that can access this topic have identifiers that match the topic level represented by %c or %u in the topic filter.

    • Use * to authorize any devices or users with identifiers that match the topic level represented by %c or %u in the topic filter.

  3. In the second ACL rule, specify a wildcarded topic filter where + replaces a topic level that matches a client or user identifier.

  4. For the topic filter's publishers or subscribers, either:

    • Specify at least one publisher authorization group if the first ACL rule authorizes a subscriber authorization group.

    • Specify at least one subscriber authorization group if the first ACL rule authorizes a publisher authorization group.

Warning: Overlapping authorization groups for a pair of identity and + topic filters may result in unintended groups of devices or users being authorized to access the topic. You should always specify publisher and subscriber authorization groups for such a pair of topic filters in two separate ACL rules.

Example

Here you can see how to configure an identity topic rule for car owners and a complementary topic rule for car administrators. The first rule allows each car owner belonging to the car-owners authorization group to read diagnostic messages from their personal topics. The second rule allows car administrators belonging to the car-administrators authorization group to publish diagnostic messages to all vehicles.
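
The owner/administrator pair above, modelled as an added Python example (not the product's own code or configuration format) to check what a rule pair actually authorizes, including the overlap case from the warning. The topic layout `cars/<username>/diagnostics`, the client names, and the simplified evaluator (concrete topic names only, no `#` wildcard) are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    topic_filter: str                    # may contain %c, %u or +
    publishers: frozenset = frozenset()  # authorization groups; "*" = any
    subscribers: frozenset = frozenset()

@dataclass(frozen=True)
class Client:
    client_id: str
    username: str
    groups: frozenset

def filter_matches(topic_filter, topic, client):
    """%c/%u match only the caller's own identifier; + matches any one level."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    if len(f_levels) != len(t_levels):
        return False
    own = {"%c": client.client_id, "%u": client.username}
    for f, t in zip(f_levels, t_levels):
        if f in own:
            if t != own[f]:
                return False
        elif f != "+" and f != t:
            return False
    return True

def allowed(rules, client, action, topic):
    """True if any rule grants `action` ("publish"/"subscribe") on `topic`."""
    for rule in rules:
        groups = rule.publishers if action == "publish" else rule.subscribers
        in_group = "*" in groups or bool(groups & client.groups)
        if in_group and filter_matches(rule.topic_filter, topic, client):
            return True
    return False

# Constructed sample data: topic layout and client names are assumptions.
OWNERS, ADMINS = frozenset({"car-owners"}), frozenset({"car-administrators"})
PAIR = [
    Rule("cars/%u/diagnostics", subscribers=OWNERS),  # identity rule
    Rule("cars/+/diagnostics", publishers=ADMINS),    # complementary rule
]
# Overlap the page warns about: owners also listed on the + rule.
OVERLAPPING = [PAIR[0], Rule("cars/+/diagnostics", publishers=ADMINS, subscribers=OWNERS)]
alice = Client("dev-1", "alice", OWNERS)
admin = Client("dev-9", "ops", ADMINS)

if __name__ == "__main__":
    for name, rules in (("separate", PAIR), ("overlapping", OVERLAPPING)):
        print(name, allowed(rules, alice, "subscribe", "cars/bob/diagnostics"))
```

With the separate pair, an owner can read only their own topic; once `car-owners` also appears on the + rule, the same owner can read every vehicle's diagnostics.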