# Rules Overview

> Define access control, permissions, and governance rules for your MQTT infrastructure

## Securing Your Broker

Rules define **who can do what** in your Coreflux broker. They control access to system operations, topic publishing/subscribing, and administrative functions—ensuring only authorized users can perform sensitive actions.

<Tip>
  **Think of Rules like a security guard at a building entrance.** The guard checks your badge (permissions) and decides if you're allowed through the door (the operation). Rules do the same for every broker operation.
</Tip>

***

## When to Use Rules

Rules are essential when you need to:

| Scenario                                    | Rule Type                  |
| ------------------------------------------- | -------------------------- |
| Restrict who can create/delete users        | User Management Rules      |
| Control who deploys Actions, Models, Routes | Entity Management Rules    |
| Limit access to system configuration        | System Configuration Rules |
| Secure MQTT topic access                    | Publish/Subscribe Rules    |
| Protect administrative \$SYS topics         | System Topic Rules         |

***

## In This Section

* [Rules Syntax](/lot-language/rules/syntax) — Complete reference for conditions, scopes, and patterns

***

## How to Deploy a Rule

Rules can be deployed in two ways: through a **LoT Notebook** (recommended) or via **MQTT commands**.

<Tabs>
  <Tab title="LoT Notebook">
    The easiest way to manage rules is through a LoT Notebook. Just write your rule definition in a code cell and run it—the extension automatically detects `DEFINE RULE` and sends the proper command to the broker.

    ```lot
    DEFINE RULE AllowActionCreation WITH PRIORITY 1 FOR ActionManagementCreation
        IF USER IS "root" OR USER IS "admin" THEN
            ALLOW
        ELSE
            DENY
    ```

    <Check>
      Click the **Run** button. The notebook recognizes the LoT code and deploys it instantly.
    </Check>

    This approach is ideal for:

    * Developing and testing rules interactively
    * Documenting your security configuration alongside the code
    * Sharing rule sets with your team as `.lotnb` files
  </Tab>

  <Tab title="MQTT Command">
    Deploy rules by publishing to the broker's command topic using any MQTT client.

    **Topic:** `$SYS/Coreflux/Command`

    **Payload:**

    ```bash
    -addRule DEFINE RULE AllowActionCreation WITH PRIORITY 1 FOR ActionManagementCreation
        IF USER IS "root" OR USER IS "admin" THEN
            ALLOW
        ELSE
            DENY
    ```

    Subscribe to `$SYS/Coreflux/Command/Output` to receive the response confirming deployment.
  </Tab>
</Tabs>

***

## Removing Rules

Remove a rule by name using the `-removeRule` command. Publish to `$SYS/Coreflux/Command`:

```bash
-removeRule AllowActionCreation
```

<Note>
  You can also use the **Coreflux Entities** panel in VS Code to view and remove deployed rules.
</Note>

***

## Updating Rules

To update an existing rule, deploy a new rule with the **same name**. The new definition replaces the existing one.

```lot
-- Original rule (priority 1)
DEFINE RULE AllowActionCreation WITH PRIORITY 1 FOR ActionManagementCreation
    IF USER IS "root" THEN
        ALLOW
    ELSE
        DENY

-- Updated rule (same name, now includes admin)
DEFINE RULE AllowActionCreation WITH PRIORITY 1 FOR ActionManagementCreation
    IF USER IS "root" OR USER IS "admin" THEN
        ALLOW
    ELSE
        DENY
```
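
Because a same-name deploy replaces the existing rule without any further prompt, it helps to check a rule file for name collisions before sending it. The following Python sketch is an added example, not Coreflux code: it splits a LoT file into rule definitions, warns about every replacement, and builds the `-addRule` payloads for the command topic. The header pattern is inferred from the examples on this page, and `split_rules`, `plan_deploy` and the caller-supplied `deployed_names` set are hypothetical names.

```python
import re

COMMAND_TOPIC = "$SYS/Coreflux/Command"  # command topic named on this page
# Header shape inferred from this page's examples (assumption, not the full LoT grammar).
HEADER = re.compile(r"^DEFINE RULE (\w+) WITH PRIORITY (\d+) FOR (\w+)$")

# Constructed input: the two definitions from the snippet above in one file.
SAMPLE = '''\
-- Original rule (priority 1)
DEFINE RULE AllowActionCreation WITH PRIORITY 1 FOR ActionManagementCreation
    IF USER IS "root" THEN
        ALLOW
    ELSE
        DENY

-- Updated rule (same name, now includes admin)
DEFINE RULE AllowActionCreation WITH PRIORITY 1 FOR ActionManagementCreation
    IF USER IS "root" OR USER IS "admin" THEN
        ALLOW
    ELSE
        DENY
'''

def split_rules(lot_text):
    """Return [(name, definition_text)] in file order, skipping '--' comments."""
    rules = []
    for raw in lot_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith("--"):
            continue
        match = HEADER.match(line.strip())
        if match:
            rules.append((match.group(1), [line.strip()]))
        elif rules:
            rules[-1][1].append(line)  # body line, indentation kept
    return [(name, "\n".join(body)) for name, body in rules]

def plan_deploy(lot_text, deployed_names):
    """Return ([(topic, payload)], warnings) for a rule file about to be deployed."""
    effective, warnings = {}, []
    for name, text in split_rules(lot_text):
        if name in effective:
            warnings.append(f"{name}: defined twice in this file, the later definition wins")
        elif name in deployed_names:
            warnings.append(f"{name}: replaces a rule already deployed on the broker")
        effective[name] = "-addRule " + text
    return [(COMMAND_TOPIC, p) for p in effective.values()], warnings
```

Review the warnings before publishing each payload to its topic; an unexpected replacement of an access rule deserves the same scrutiny as a new one.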

***

## Viewing Active Rules

To see all deployed rules, subscribe to the rules system topic:

```lot
SUBSCRIBE "$SYS/Coreflux/Rules/#"
```

Or use the **Coreflux Entities** panel in VS Code if you have the LoT Notebooks extension installed.

***

## Default Rules Reference

Coreflux includes default rules that provide a secure starting configuration:

| Default Behavior           | Description                                               |
| -------------------------- | --------------------------------------------------------- |
| **Root access**            | The `root` user has full access to all operations         |
| **Management permissions** | Management operations require appropriate permission tags |
| **Open topics**            | Standard topic publish/subscribe is open for all users    |
| **Protected \$SYS**        | System topics are restricted to authorized users          |

<Note>
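  Default rules establish a baseline security posture. Add custom rules to extend or override this behavior for your specific requirements. In particular, standard topic publish/subscribe is open for all users by default, so add Publish/Subscribe Rules if topic access must be restricted.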
</Note>

***

## Next Steps

<CardGroup cols={2}>
  <Card title="Rules Syntax" icon="code" href="/lot-language/rules/syntax">
    Learn conditions, scopes, and complete rule patterns.
  </Card>

  <Card title="LoT Notebooks" icon="book" href="/quick-start/vscode">
    Use notebooks for interactive rule development.
  </Card>
</CardGroup>
