Hi Andreas,

The problem is that in qpidd you never publish directly to a queue or read directly from an exchange. You always publish to an exchange and read from a queue. In reality, what you see as publishing directly to a queue is sending the message to an exchange named "" (as in empty string) with a routing key which should be the name of your queue. The same applies when you try to read directly from an exchange: the client actually creates a queue and a binding to the exchange for you. That is why ACL rules such as "publish queue" or "consume exchange" do not exist.

In your case ... if your group wants to publish to queue name QU1, you should add a rule which looks something like this:

acl allow group1 publish exchange name=amq.default routingkey=QU1

where the exchange name "amq.default" will be substituted for the exchange without name (as per https://issues.apache.org/jira/browse/QPID-4727)

To read directly from an exchange you need several ACL rights:

- to create a queue
  acl allow group1 create queue name=*
- to delete a queue when you are closing the connection
  acl allow group1 delete queue name=*
- to consume from the queue
  acl allow group1 consume queue name=*
- to bind the exchange
  acl allow group1 bind exchange name=EX1

Depending on your client you might be able to specify the queue name in more detail. For example the qpid-receive client (using the old Qpid C++ API) would create the queue named similar to "EX1_8f4ea08f-d211-41c0-97cf-652cd5ef9a11". But different clients might do it differently.

Hope this helps.

Jakub

On Fri, Nov 10, 2017 at 3:46 PM, andi welchlin <andi.welch...@gmail.com> wrote:

> Hello everyone,
>
> I looked into ACL documentation of Qpid C++ broker (1.36.0) and tested it a
> bit.
>
>
> I would like to allow for one usergroup to write to a queue with a specific
> name, but deny it for all other users.
>
> But I saw that I can not do the following:
>
> acl allow group1 publish queue name=QU1
>
>
> I understood that the publish keyword can only be used for exchanges.
>
>
> I also would like to restrict reading from an exchange with a specific name
> and allow it only for one usergroup.
>
> But the following seems also not to be allowed:
>
> acl allow group1 consume exchange name=EX1
>
>
> "consume" is only allowed for queues.
>
>
> How can I reach these two requirements?
>
>
> Kind Regards,
> Andreas
>
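The rules from the reply assembled into one qpidd ACL file, as an added example that is not part of the original thread. The group members (alice@QPID, bob@QPID) are constructed, and the closing deny rule is an addition that covers the "deny it for all other users" requirement from the question.

```conf
# Constructed group membership; replace with the real user@realm names.
group group1 alice@QPID bob@QPID

# "Publish to queue QU1" is really a publish to the nameless exchange with
# routing key QU1. In ACL rules the nameless exchange is written amq.default
# (QPID-4727).
acl allow group1 publish exchange name=amq.default routingkey=QU1

# "Read from exchange EX1" is really: create a queue, bind it to EX1,
# consume from it, and delete it when the connection closes.
# name=* is the form given in the reply; how far it can be narrowed depends
# on the queue names the client generates.
acl allow group1 create queue name=*
acl allow group1 bind exchange name=EX1
acl allow group1 consume queue name=*
acl allow group1 delete queue name=*

# Rules are evaluated top to bottom and the first match decides, so this
# catch-all must stay last: everything not allowed above is refused.
acl deny all all
```

This file contains only the rights named in the reply; a particular client may need further rules before it can connect and operate.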