Access Control Using Roles
Contents
Introduction
All connections to TIBCO Cloud™ Messaging use token-based authentication over TLS to secure them.
Role-based access control is a feature of TIBCO Cloud Messaging which allows administrators to use the roles REST API or user interface to secure application access to services and functionality provided by TIBCO Cloud Messaging.
To use roles, administrators simply create a role with the desired access controls and then distribute a configuration file generated for that role to client applications.
TIBCO Cloud Messaging subscriptions have a default administrative role.
Role
A role is a unique name, a set of claims, and a description (with the latter two inputs being optional). Use roles to organize applications by access rights.
A role without claims is an administrative role. An administrative role allows access to all services and supported functionality. A role with claims is a restricted role. A restricted role grants access to only those services and functionality indicated by the role’s claims.
Administrators cannot modify a role after creating it, but they can delete it. Applications using a deleted role cannot connect to TIBCO Cloud Messaging.
Client configuration
The client configuration file contains all the information client applications need to securely connect to TIBCO Cloud Messaging. Generate the client configuration file using the roles REST API or user interface.
Role Name and Description
A unique name is a required property of a role. The maximum length of a role name is 60 characters. The characters in a role name can only be letters a-z, A-Z, numbers 0-9, periods ., hyphens -, and underscores _.
A role description is optional. The maximum length of a role description is 500 characters.
Claims
Claims describe the services and functionality a role has access to. There are three claim types: services, entitlements, and channels.
Services
The services claim indicates which messaging products an application using the role has access to. The available services are ems, eftl, ftl, pulsar, and kafka. An empty services claim means applications using this role can access any messaging product enabled on the subscription.
Entitlements
The entitlements claim indicates the messaging product functionality an application using the role has access to. An empty entitlement claim means applications using this role can access any functionality supported by the subscription. Currently, there are two entitlements, pub and sub, which grant access to the publish and subscribe functionality of the various messaging products.
Channels
A channel represents a separate data partition with distinct connection properties. Channels have names that follow the pattern channel[N], for example, channel1 and channel7. When generating a configuration, the channel name plays a significant part in determining the value of a number of configuration fields.
The channel claim can be any combination of channels enabled on the subscription, for example, channel1, channel2, and channel5. An empty channel claim means applications using this role can access any channel supported by the subscription.
Default TIBCO Cloud Messaging subscriptions have a single channel named channel. The channel claim only applies to subscriptions updated to support multiple channels.
Claims Support Matrix
This table indicates whether a messaging product supports a particular claim type. TIBCO Cloud Messaging access control ignores unsupported claims (unless otherwise noted).
| Product | Name | Service | Entitlements | Channel | Note |
|---|---|---|---|---|---|
| TIBCO Enterprise Message Service™ | ems | Yes | Yes | No | None |
| TIBCO eFTL™ | eftl | Yes | Yes | Yes | None |
| TIBCO FTL® | ftl | Yes | No* | Yes | If the service claim includes ftl, the entitlements must be empty or include both pub and sub. |
| Apache Pulsar™ | pulsar | Yes | Yes | Yes | None |
| Apache Kafka® | kafka | Yes | No | Yes | None |