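%%--------------------------------------------------------------------
%% EMQX ACL configuration
%%
%% Rules are evaluated top to bottom; the FIRST matching rule decides,
%% so order matters. Anything that matches no rule falls through to the
%% final {deny, all}.
%%
%% NOTE(review): this file cannot tell authenticated from anonymous
%% clients by itself. Whether anonymous connections exist at all is
%% decided by the authentication configuration (e.g. allow_anonymous),
%% not by these rules.
%%
%% NOTE(review): the ${clientid} namespacing below is only as strong as
%% the binding between a credential and its client ID. If the auth
%% backend does not pin the client ID to the "device" credential, any
%% device can impersonate another by connecting with its client ID.
%% Also confirm that client IDs containing '/', '+' or '#' are rejected
%% at authentication, otherwise a crafted ID could widen the pattern
%% once substituted into the topic filter -- TODO verify.
%%--------------------------------------------------------------------

%% =========================
%% Device user permissions
%% =========================

%% Devices can publish ONLY to their own namespace
{allow, {user, "device"}, publish, ["device/${clientid}/meta/#"]}.
{allow, {user, "device"}, publish, ["device/${clientid}/property/#"]}.
{allow, {user, "device"}, publish, ["device/${clientid}/command/#"]}.

%% Devices can receive commands
{allow, {user, "device"}, subscribe, ["device/${clientid}/command/#"]}.

%% Fence the device account out of the rest of the device/ tree.
%% Without these, the broad rules further down would let a single
%% compromised device read every other device's data and publish
%% commands to every other device. The device's own allows above win
%% because they come first; publishing to client/+/responses/# is
%% unaffected because these denies only cover device/#.
{deny, {user, "device"}, publish, ["device/#"]}.
{deny, {user, "device"}, subscribe, ["device/#"]}.

%% =========================
%% Authenticated users
%% =========================

%% bob gets the whole device tree, including sub-topics and levels the
%% generic rules below do not cover.
{allow, {user, "bob"}, subscribe, ["device/#"]}.

%% NOTE(review): {user, all} is not one of the documented "who" forms
%% (all, {user, Name}, {client, Id}, {ipaddr, CIDR}, {ipaddrs, [...]},
%% {'and'/'or', [...]}). Verify against the deployed EMQX version that it
%% matches every authenticated client and not only a client whose
%% username is literally "all" -- if it does not, every rule in this
%% section and the next is dead and those clients fall through to the
%% default deny (fail-closed, but not the intended policy).

%% Any authenticated user can read all device topics
{allow, {user, all}, subscribe, ["device/+/meta/#"]}.
{allow, {user, all}, subscribe, ["device/+/property/#"]}.
{allow, {user, all}, subscribe, ["device/+/command/#"]}.

%% Any authenticated user can publish commands to any device
%% (single topic level below command/, matching what devices subscribe to)
{allow, {user, all}, publish, ["device/+/command/+"]}.

%% =========================
%% Response topic mechanism
%% =========================

%% Clients can SUBSCRIBE to their own response inbox
{allow, {user, all}, subscribe, ["client/${clientid}/responses/#"]}.

%% Authenticated users can PUBLISH to any client response inbox.
%% NOTE(review): because the inbox is writable by every authenticated
%% client, a response cannot be trusted on the basis of its topic alone;
%% consumers must not assume it came from the device they commanded.
{allow, {user, all}, publish, ["client/+/responses/#"]}.

%% (No subscribe permission for others -> enforced by default deny)

%% =========================
%% Unauthenticated / all clients
%% =========================

%% Every client, whatever its credentials or address, may read ONLY the
%% meta topics. This used to be keyed on {ipaddr, "0.0.0.0/0"}, which
%% already matched every IPv4 client but silently excluded clients
%% connecting over IPv6; `all` expresses the intent and covers both.
{allow, all, subscribe, ["device/+/meta/#"]}.

%% =========================
%% Default deny
%% =========================
{deny, all}.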