View Source

Prerequisites

Knowledge of Ignition and Module installation process: Cirrus Link Module Installation
Have Ignition 8.0.16 or greater installed
Have MQTT Distributor 4.0.10 or later installed

Abstract

Access Control Lists (ACLs) control what topics a given username/password pair is allowed to publish and subscribe on. ACLs should be designed with a 'principal of least privilege' model while also considering device management and maintenance. For example gateways and devices in the field should be limited to publishing and subscribing only on the topics for which they should be expected to. The same should be true of 'consumer' applications that will be either sending commands to devices in the field or consuming data coming from those devices. It is also important to note that a username is not limited to a single MQTT client.

If you are new to MQTT topics, the Eclipse Foundation's Paho project provides good information here on the basics of wildcards.

Definition

ACLs are defined by the following format: [R|W|RW] topic where:

R = Read or 'subscribe' privileges

W = Write or 'publish' privileges

RW = Read and Write (subscribe and publish) privileges

topic = The topic or wildcard topic representing the scope of the privilege

Examples

RW #

This allows clients connecting using this username/password to publish and subscribe on any topic

R #

This allows clients connecting using this username/password to subscribe on any topic but not publish on any topics

W #

This allows clients connecting using this username/password to publish on any topic but not subscribe on any topics

Examples for MQTT Transmission ACLs

W spBv1.0/GroupID/+/EdgeNodeID/#

This allows clients connecting using this username/password to publish on spBv1.0/GroupID/+/EdgeNodeID/# topic

R STATE/PrimaryHostID, R spBv1.0/GroupID/+/EdgeNodeID/#

This allows clients connecting using this username/password to subscribe on both TATE/PrimaryHostID and spBv1.0/GroupID/+/EdgeNodeID/# topics.

W device_one/temp/#,R state/#

This allows clients connecting using this username/password to publish on device_one/temp/# and subscribe on state/# topics

Additional Resources

Inductive Automation's Ignition download with free trial
- Current Ignition Release
Cirrus Link Solutions Modules for Ignition
- Ignition Strategic Partner Modules
Questions about this tutorial?
- Check out the Cirrus Link Forum: https://forum.cirrus-link.com/
- Contact support: support@cirrus-link.com
Sales questions
- Email: sales@cirrus-link.com
- Phone: +1 (844) 924-7787
About Cirrus Link
- https://www.cirrus-link.com/about-us/