ALLOW / DENY Functional Keywords

| Feature | Since Version | Notes |
|---------|---------------|-------|
| ALLOW | >v1.4.4 | Grants permission in Rules |
| DENY | >v1.4.4 | Revokes permission in Rules |

Overview

  • Description: These keywords are used exclusively within the THEN or ELSE block of a DEFINE RULE statement. They specify the outcome of the permission check: ALLOW grants the permission for the operation defined in the rule's scope, while DENY revokes it.

Signature

  • Syntax:
    ALLOW
    
    DENY
    

Parameters

  • These keywords do not take parameters themselves but act as the consequence within an IF statement inside a DEFINE RULE.

Usage Examples

Used within DEFINE RULE blocks.

Basic Example

Allow a specific user to publish to any topic.

DEFINE RULE AllowAdminPublish WITH PRIORITY 1 FOR Publish
    IF USER IS "admin" THEN
        ALLOW
    ELSE
        DENY // Deny for everyone else by default in this rule
    ENDIF

Intermediate Example

Allow users with a specific role to subscribe to system topics.

DEFINE RULE AllowMonitorSubscribeSystem WITH PRIORITY 5 FOR Subscribe TO TOPIC "$SYS/#"
    IF USER HAS MonitorRole THEN
        ALLOW
    ELSE
        DENY
    ENDIF

Advanced Example (Default Deny)

Rules often work with a default deny policy. This rule explicitly denies publishing to config topics unless the user is an admin.

DEFINE RULE DenyConfigPublishForNonAdmins WITH PRIORITY 10 FOR Publish TO TOPIC "config/#"
    IF USER IS "admin" THEN
        ALLOW // Explicitly allow admin
    ELSE
        DENY  // Explicitly deny others
    ENDIF

Notes & Additional Information

  • ALLOW and DENY are the terminal actions within a DEFINE RULE's IF block.
  • The final permission depends on the evaluation of all matching rules based on their PRIORITY.
  • A common pattern is to have a low-priority rule that denies an operation by default, and higher-priority rules that grant ALLOW based on specific conditions.
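
To audit a rule set against the default-deny pattern described in the notes above, the following added example (not part of the product documentation or tooling) parses DEFINE RULE blocks in the syntax shown on this page and lists the rules whose ELSE branch does not end in DENY. The sample rules, the GuestRole name and the function names are constructed for illustration, and the parser assumes only the constructs that appear in this page's examples.

```python
import re

# Constructed sample rules, written in the syntax shown on this page.
SAMPLE = '''
DEFINE RULE AllowAdminPublish WITH PRIORITY 1 FOR Publish
    IF USER IS "admin" THEN
        ALLOW
    ELSE
        DENY // Deny for everyone else
    ENDIF

DEFINE RULE GuestTelemetrySubscribe WITH PRIORITY 5 FOR Subscribe TO TOPIC "telemetry/#"
    IF USER HAS GuestRole THEN
        DENY
    ELSE
        ALLOW
    ENDIF
'''

HEADER = re.compile(
    r'DEFINE RULE (\w+) WITH PRIORITY (\d+) FOR (\w+)(?: TO TOPIC "([^"]*)")?')

def parse_rules(text):
    """Return one dict per DEFINE RULE block: header fields plus branch outcomes."""
    rules, current, branch = [], None, None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()      # drop trailing // comments
        m = HEADER.match(line)
        if m:
            current = {"name": m[1], "priority": int(m[2]), "operation": m[3],
                       "topic": m[4], "then": None, "else": None}
            rules.append(current)
            branch = None
        elif current is None:
            continue                               # text before the first rule
        elif line.startswith("IF ") and line.endswith(" THEN"):
            branch = "then"
        elif line == "ELSE":
            branch = "else"
        elif line == "ENDIF":
            branch = None
        elif line in ("ALLOW", "DENY") and branch:
            current[branch] = line                 # record the branch outcome
    return rules

def review(rules):
    """Names of rules whose fallback (ELSE) branch is not an explicit DENY."""
    return [r["name"] for r in sorted(rules, key=lambda r: r["priority"])
            if r["else"] != "DENY"]
```

Running `review(parse_rules(SAMPLE))` reports GuestTelemetrySubscribe, whose ELSE branch grants access to every user the condition does not match; a rule with no ELSE branch at all is reported the same way so it can be checked by hand.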