Role-Based Access Control

Role-based access control (RBAC) is an access management pattern that assigns permissions to roles, then assigns those roles to clients or groups of clients.

RBAC simplifies access management in deployments with many devices. Instead of individual per-client permission definitions, define a role once and apply it to all clients of the same type.

How RBAC Works

  1. Define a role with one or more Permissions that specify the allowed topics.

  2. Assign the role to one or more MQTT clients or client groups.

  3. When a client connects, the broker applies the permissions from its assigned role.

Example

A factory deployment has three device types: sensors, controllers, and monitors.

  • The sensor role grants publish permission for factory/+/telemetry.

  • The controller role grants publish and subscribe permission for factory/+/commands.

  • The monitor role grants subscribe permission for factory/#.

Each device connects with its own credentials, and the broker enforces the permissions of the role assigned to that device automatically.
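The three steps and the factory example above, carried through as an added example in Python (this is illustration code written for this page, not HiveMQ Platform code or configuration). It keeps roles, permissions and client assignments in memory and evaluates publish and subscribe requests with MQTT topic-filter semantics, where `+` matches one level and `#` matches the remaining levels; the class and function names (`Permission`, `Role`, `AccessPolicy`, `authorize`) and the client IDs are assumptions chosen for the example.

```python
"""Minimal RBAC evaluator for MQTT topic permissions (added example, not HiveMQ code).

Models the pattern described on the page: permissions are grouped into
roles, roles are assigned to clients, and the broker checks each publish
or subscribe request against the client's role. Decisions are deny-by-default.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Permission:
    """A topic filter plus the actions it allows on matching topics."""
    topic_filter: str
    publish: bool = False
    subscribe: bool = False


@dataclass
class Role:
    name: str
    permissions: List[Permission] = field(default_factory=list)


def _levels(topic_filter: str) -> List[str]:
    """Split a filter into levels and reject '#' anywhere but the last level."""
    levels = topic_filter.split("/")
    if "#" in levels[:-1]:
        raise ValueError(f"'#' must be the last level: {topic_filter!r}")
    return levels


def filter_covers(permitted: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `permitted`.

    `requested` is a concrete topic for publishes or a filter for subscriptions,
    so a subscription to a broader filter than the permission is denied.
    """
    return _covers(_levels(permitted), _levels(requested))


def _covers(p: List[str], r: List[str]) -> bool:
    if not p:
        return not r                      # both exhausted -> match
    if p[0] == "#":
        return True                       # '#' covers the rest, including nothing
    if not r or r[0] == "#":
        return False                      # requested is longer or broader than permitted
    if p[0] == "+" or p[0] == r[0]:
        return _covers(p[1:], r[1:])      # '+' covers one level; literals must be equal
    return False                          # literal mismatch, or requested '+' vs permitted literal


class AccessPolicy:
    """Role definitions and client-to-role assignments (assumed in-memory store)."""

    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}
        self.assignments: Dict[str, str] = {}   # client_id -> role name

    def define_role(self, role: Role) -> None:          # step 1
        self.roles[role.name] = role

    def assign(self, client_id: str, role_name: str) -> None:   # step 2
        if role_name not in self.roles:
            raise KeyError(f"unknown role {role_name!r}")
        self.assignments[client_id] = role_name

    def authorize(self, client_id: str, action: str, topic: str) -> bool:   # step 3
        """Return True only if the client's role grants `action` on `topic`."""
        if action not in ("publish", "subscribe"):
            raise ValueError(f"unknown action {action!r}")
        if action == "publish" and ("+" in topic or "#" in topic):
            return False                  # wildcards are not valid in a publish topic
        role_name = self.assignments.get(client_id)
        if role_name is None:
            return False                  # unassigned clients have no permissions
        for perm in self.roles[role_name].permissions:
            allowed = perm.publish if action == "publish" else perm.subscribe
            if allowed and filter_covers(perm.topic_filter, topic):
                return True
        return False


def factory_policy() -> AccessPolicy:
    """The factory example from the page; client IDs are constructed for illustration."""
    policy = AccessPolicy()
    policy.define_role(Role("sensor", [Permission("factory/+/telemetry", publish=True)]))
    policy.define_role(Role("controller", [Permission("factory/+/commands", publish=True, subscribe=True)]))
    policy.define_role(Role("monitor", [Permission("factory/#", subscribe=True)]))
    policy.assign("sensor-01", "sensor")
    policy.assign("plc-line1", "controller")
    policy.assign("dashboard", "monitor")
    return policy


if __name__ == "__main__":
    policy = factory_policy()
    for client, action, topic in [
        ("sensor-01", "publish", "factory/line1/telemetry"),
        ("sensor-01", "publish", "factory/line1/commands"),
        ("plc-line1", "subscribe", "factory/#"),
        ("dashboard", "subscribe", "factory/#"),
    ]:
        print(f"{client:10} {action:9} {topic:26} -> {'allow' if policy.authorize(client, action, topic) else 'deny'}")
```

The subscribe check compares filters against filters rather than topics, which is what makes a request like the controller subscribing to `factory/#` fail: its permission only covers `factory/+/commands`, so a broader subscription would leak telemetry it was never granted.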

RBAC in the HiveMQ Platform

The HiveMQ Platform uses RBAC at two levels:

  • MQTT client access: Roles define what MQTT clients can publish to or subscribe to on each broker. Configure these roles in the access management settings for the broker.

  • Platform user access: Roles define what team members can do in the HiveMQ Platform interface. For more information, see Organization.