Skip to main content
Deploying rules: In a LoT Notebook, just write the rule and run the cell—the extension handles the rest. For MQTT clients, use the -addRule broker command.

Rule Structure

Every rule follows this structure: 
DEFINE RULE <RuleName> WITH PRIORITY <number> FOR <Scope> [TO TOPIC "<pattern>"]
    IF <condition> THEN
        ALLOW
    ELSE
        DENY
ComponentDescription
RuleNameUnique identifier for the rule
PRIORITYEvaluation order (lower numbers = higher priority)
ScopeThe operation type this rule controls
TO TOPICOptional topic pattern for Publish/Subscribe rules
conditionLogic that determines access (user checks, permissions)

Conditions

Rules evaluate conditions to decide whether to ALLOW or DENY an operation.

User Identity Checks

Check if the current user matches a specific username: 
USER IS "root"
USER IS "admin"

Permission Checks

Check if the user has a specific permission tag: 
USER HAS AllowedUserManagement
USER HAS AllowedSystemConfiguration
USER HAS AllowedAssetManipulation

Combining Conditions

Use OR and AND to create complex conditions: 
IF USER HAS AllowedUserManagement OR USER IS "root" THEN
    ALLOW

IF USER HAS AllowedSystemConfiguration AND USER IS "admin" THEN
    ALLOW

Operation Scopes

Rules control different categories of operations. Each scope targets specific broker functionality.

User Management

Control who can manage broker users:
ScopeControls
UserManagementCreationCreating new users
UserManagementRemoveDeleting users
UserManagementUpdateModifying user parameters
UserManagementPasswordChangeChanging user passwords
This example allows users with the AllowedUserManagement permission or the root user to create new accounts: 
DEFINE RULE AllowUserCreation WITH PRIORITY 1 FOR UserManagementCreation
    IF USER HAS AllowedUserManagement OR USER IS "root" THEN
        ALLOW
    ELSE
        DENY

Entity Management

Control who can create and manage LoT entities:
ScopeControls
ActionManagementCreationCreating Actions
ActionManagementRemoveDeleting Actions
ActionManagementRunManually running Actions
ModelManagementCreationCreating Models
ModelManagementRemoveDeleting Models
RouteManagementCreationCreating Routes
RouteManagementRemoveDeleting Routes
RuleManagementCreationCreating Rules
RuleManagementRemoveDeleting Rules
This example restricts Action creation to administrators and the root user: 
DEFINE RULE AllowActionAdd WITH PRIORITY 1 FOR ActionManagementCreation
    IF USER HAS AllowedSystemConfiguration OR USER IS "root" OR USER IS "admin" THEN
        ALLOW
    ELSE
        DENY

Asset Management

Control who can manage installed assets (plugins, extensions):
ScopeControls
AssetManagementCreationInstalling assets
AssetManagementRemoveUninstalling assets
AssetManagementStartStarting assets
AssetManagementStopStopping assets
AssetManagementPolicySetSetting asset policies
This example allows asset installation only for users with the appropriate permission: 
DEFINE RULE AllowAssetInstall WITH PRIORITY 1 FOR AssetManagementCreation
    IF USER HAS AllowedAssetManipulation OR USER IS "root" THEN
        ALLOW
    ELSE
        DENY

System Operations

Control access to system-level operations:
ScopeControls
SystemConfigurationChanging broker configuration
ShellCommandExecuting shell commands
CommandCallCalling broker commands
This example restricts configuration changes to authorized administrators: 
DEFINE RULE AllowConfigurationChange WITH PRIORITY 1 FOR SystemConfiguration
    IF USER HAS AllowedSystemConfiguration OR USER IS "root" THEN
        ALLOW
    ELSE
        DENY

Log Management

Control who can manage log traces:
ScopeControls
LogManagementCreationCreating log traces
LogManagementRemoveDeleting log traces
LogManagementUpdateModifying log traces
This example allows log trace management for users with logging permissions: 
DEFINE RULE AllowLogTraceCreation WITH PRIORITY 1 FOR LogManagementCreation
    IF USER HAS AllowedLogManagement OR USER IS "root" THEN
        ALLOW
    ELSE
        DENY

Topic Access Rules

Control who can publish to or subscribe from specific MQTT topics.

Standard Topics

Use Publish and Subscribe with TO TOPIC to control access: 
DEFINE RULE AllowPublishTopic WITH PRIORITY 1 FOR Publish TO TOPIC "#"
    ALLOW

DEFINE RULE AllowSubscribeTopic WITH PRIORITY 1 FOR Subscribe TO TOPIC "#"
    ALLOW

System Topics ($SYS)

Use PublishSys and SubscribeSys for system topic access: 
DEFINE RULE AllowSubscribeSysClient WITH PRIORITY 1 FOR SubscribeSys TO TOPIC "$SYS/#"
    IF USER IS "root" THEN
        ALLOW
    ELSE
        DENY

DEFINE RULE AllowPublishSysCommand WITH PRIORITY 1 FOR PublishSys TO TOPIC "$SYS/Coreflux/Command"
    IF USER HAS AllowedAssetManipulation OR USER HAS AllowedSystemConfiguration THEN
        ALLOW
    ELSE
        DENY
System topics ($SYS/#) contain sensitive broker information and command interfaces. Restrict access to administrative users only.

Permission Tags

Permission tags are assigned to users and checked with USER HAS. These are the standard permission tags:
Permission TagGrants Access To
AllowedUserManagementUser creation, removal, updates
AllowedSystemConfigurationSystem config, rules, shell commands
AllowedAssetManipulationAsset install, start, stop, policies
AllowedLogManagementLog trace creation, removal, updates
AllowedModelManagementModel creation and removal
You can define custom permission tags for your organization. Assign them to users through the broker’s user management system.

Priority and Evaluation

Rules are evaluated in priority order (lower number = higher priority). The first matching rule determines the outcome. 
// This rule is evaluated first (priority 1)
DEFINE RULE DenyGuestUsers WITH PRIORITY 1 FOR ActionManagementCreation
    IF USER IS "guest" THEN
        DENY

// This rule is evaluated second (priority 2)
DEFINE RULE AllowAdminUsers WITH PRIORITY 2 FOR ActionManagementCreation
    IF USER IS "admin" THEN
        ALLOW
Use lower priority numbers for more specific rules (like denying specific users) and higher numbers for general allow/deny rules.

Complete Examples

A typical production setup with role-based access control:
// Only root can manage users
DEFINE RULE RestrictUserManagement WITH PRIORITY 1 FOR UserManagementCreation
    IF USER IS "root" THEN
        ALLOW
    ELSE
        DENY

// Admins and root can deploy Actions
DEFINE RULE AllowActionDeployment WITH PRIORITY 1 FOR ActionManagementCreation
    IF USER IS "root" OR USER IS "admin" THEN
        ALLOW
    ELSE
        DENY

// Users with permission can manage models
DEFINE RULE AllowModelManagement WITH PRIORITY 1 FOR ModelManagementCreation
    IF USER HAS AllowedModelManagement OR USER IS "admin" THEN
        ALLOW
    ELSE
        DENY

// Everyone can publish to non-system topics
DEFINE RULE OpenPublish WITH PRIORITY 1 FOR Publish TO TOPIC "#"
    ALLOW

// Restrict $SYS subscriptions to root
DEFINE RULE ProtectSysTopics WITH PRIORITY 1 FOR SubscribeSys TO TOPIC "$SYS/#"
    IF USER IS "root" THEN
        ALLOW
    ELSE
        DENY

Best Practices

Create restrictive rules first, then add specific allow rules for authorized users. This prevents accidental access.
Check USER HAS <permission> rather than USER IS "<name>" when possible. This makes it easier to manage access as users change.
Always restrict access to $SYS/# topics. These contain broker commands and sensitive system information.
Use clear, descriptive rule names that explain their purpose. AllowAdminActionCreation is better than Rule1.

Next Steps

Actions Guide

Build event-driven automation with Actions.

Models Guide

Structure your MQTT data with Models.