Access Control Using Roles



All connections to TIBCO Cloud Messaging are secured with token-based authentication over TLS.

Role-based access control is a feature of TIBCO Cloud Messaging which allows administrators to use the roles REST API or user interface to secure application access to services and functionality provided by TIBCO Cloud Messaging.

To use roles, administrators simply create a role with the desired access controls and then distribute a configuration file generated for that role to client applications.

TIBCO Cloud Messaging subscriptions have a default administrative role.


A role consists of a unique name, a set of claims, and a description; the claims and the description are optional. Use roles to organize applications by access rights.

A role without claims is an administrative role. An administrative role allows access to all services and supported functionality. A role with claims is a restricted role. A restricted role grants access to only those services and functionality indicated by the role’s claims.

Administrators cannot modify a role after creating it, but they can delete it. Applications using a deleted role cannot connect to TIBCO Cloud Messaging.

Client configuration

The client configuration file contains all the information client applications need to securely connect to TIBCO Cloud Messaging. Generate the client configuration file using the roles REST API or user interface.

Role Name and Description

A unique name is a required property of a role. The maximum length of a role name is 60 characters. A role name can contain only letters (a-z, A-Z), numbers (0-9), periods (.), hyphens (-), and underscores (_).

A role description is optional. The maximum length of a role description is 500 characters.


Claims describe the services and functionality a role has access to. There are three claim types: services, entitlements, and channels.


The services claim indicates which messaging products an application using the role has access to. The available services are ems, eftl, ftl, pulsar, and kafka. An empty services claim means applications using this role can access any messaging product enabled on the subscription.


The entitlements claim indicates the messaging product functionality an application using the role has access to. An empty entitlements claim means applications using this role can access any functionality supported by the subscription. Currently, there are two entitlements, pub and sub, which grant access to the publish and subscribe functionality of the various messaging products.


A channel represents a separate data partition with distinct connection properties. Channels have names that follow the pattern channel[N], for example, channel1 and channel7. When generating a configuration, the channel name plays a significant part in determining the value of a number of configuration fields.

The channel claim can be any combination of channels enabled on the subscription, for example, channel1, channel2, and channel5. An empty channel claim means applications using this role can access any channel supported by the subscription.

Default TIBCO Cloud Messaging subscriptions have a single channel named channel. The channel claim only applies to subscriptions updated to support multiple channels.

Claims Support Matrix

This table indicates whether a messaging product supports a particular claim type. TIBCO Cloud Messaging access control ignores unsupported claims (unless otherwise noted).

| Product | Name | Service | Entitlements | Channel | Note |
|---|---|---|---|---|---|
| TIBCO Enterprise Message Service | ems | Yes | Yes | No | None |
| TIBCO eFTL | eftl | Yes | Yes | Yes | None |
| TIBCO FTL® | ftl | Yes | No* | Yes | If the service claim includes ftl, the entitlements must be empty or include both pub and sub. |
| Apache Pulsar | pulsar | Yes | Yes | No | None |
| Apache Kafka® | kafka | Yes | No | No | None |
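
Because a role cannot be modified after creation and unsupported claims are not enforced, it helps to check a role definition against the rules and matrix above before creating it. The following Python check is an added example, not TIBCO code: the dict layout of a role and the name `audit_role` are assumptions, while the limits, claim values and support matrix are taken from this page.

```python
import re

# Limits and claim values come from the page; the dict layout of a role is an
# assumption for this example, not the schema of the roles REST API.
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,60}")
CHANNEL_RE = re.compile(r"channel\d+")  # assumes N in channel[N] is a number
ENTITLEMENTS = {"pub", "sub"}
# service -> (entitlements claim supported, channel claim supported)
MATRIX = {"ems": (True, False), "eftl": (True, True), "ftl": (False, True),
          "pulsar": (True, False), "kafka": (False, False)}
SERVICES = set(MATRIX)


def audit_role(role):
    """Return (errors, warnings) for a role definition before it is created."""
    errors, warnings = [], []
    services = set(role.get("services", []))
    ents = set(role.get("entitlements", []))
    channels = set(role.get("channels", []))

    if not NAME_RE.fullmatch(role.get("name", "")):
        errors.append("name: 1-60 chars from a-z A-Z 0-9 . - _")
    if len(role.get("description", "")) > 500:
        errors.append("description: longer than 500 characters")
    errors += [f"services: unknown service {s!r}" for s in sorted(services - SERVICES)]
    errors += [f"entitlements: unknown entitlement {e!r}" for e in sorted(ents - ENTITLEMENTS)]
    errors += [f"channels: {c!r} does not match channel[N]"
               for c in sorted(channels) if not CHANNEL_RE.fullmatch(c)]
    # FTL note in the matrix: entitlements must be empty or contain both values.
    if "ftl" in services and ents and not ENTITLEMENTS <= ents:
        errors.append("ftl: entitlements must be empty or include both pub and sub")
    if not (services or ents or channels):
        warnings.append("no claims: this is an administrative role")
    # An empty services claim reaches every product enabled on the subscription.
    for s in sorted((services or SERVICES) & SERVICES):
        ent_ok, chan_ok = MATRIX[s]
        if ents and not ent_ok and not (s == "ftl" and s in services):
            warnings.append(f"{s}: entitlements claim not supported")
        if channels and not chan_ok:
            warnings.append(f"{s}: channel claim not supported")
    return errors, warnings


if __name__ == "__main__":
    # Constructed role: meant to be subscribe-only on channel1.
    print(audit_role({"name": "orders-reader", "services": ["kafka", "eftl"],
                      "entitlements": ["sub"], "channels": ["channel1"]}))
```

A warning marks a product for which the role's restriction is not applied, so the role may be broader for that product than its claims suggest.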