Configuring Access Control

XMPP PubSub supports a variety of access control mechanisms for event nodes, which are described in the XEP-0060 specification. In Mortar.io, the most commonly used access control functions configure the access model of event nodes and then manage affiliations for those nodes.

Both command line tools and the website provide ways to manage the access control lists of a user.

Configuring a Node's Access Model

Using command line tools
Each event node in XMPP supports the following access models:

  • Open
    • Any entity may subscribe to the node (i.e., without the necessity for subscription approval) and any entity may retrieve items from the node (i.e., without being subscribed)
  • Authorize
    • The node owner must approve all subscription requests, and only subscribers may retrieve items from the node.
  • Whitelist
    • An entity may subscribe or retrieve items only if on a whitelist managed by the node owner.
  • Roster
    • Any entity in the specified roster group(s) may subscribe to the node and retrieve items from the node. This can be used to create groups.

Blacklist functionality can be achieved by marking a particular JID as an Outcast on the Whitelist or Roster.


"./mio_acl_node_configure" Command line utility to configure the access_model control list of an event node
Usage: ./mio_acl_node_configure <-event event_node> [-title node_title] [-access_model access_model_model] <-u username> <-p password> [-verbose]
    -event event_node = name of event node to create
    -title node_title = title of event node
    -access access_model = access model of the node, either "open", "whitelist", "presence" or "roster" 
    -u username = JID (give the full JID, i.e. user@domain)
    -p password = JID user password
    -help = print this usage and exit
    -verbose = print info

Node Affiliations

Each node has affiliations with the corresponding privileges as shown in table 1.

Affiliations and Privileges

The ways in which an entity changes its affiliation with a node are well-defined. Typically, action by an owner is required to make an affiliation state transition. Affiliation changes and their triggering actions are specified in the following table.

Affiliations and State Chart

You can query affiliations with the following command line tool:


"./mio_acl_affiliations_query" Command line utility to list all current affiliations of a JID or event node. If no node is specified, the user's affiliations will be listed.
Usage: ./mio_acl_affiliations_query [-event event_node] <-u username> <-p password> [-verbose] [-stanza]
    -event event_node = name of node to query
    -u username = JID (give the full JID, i.e. user@domain)
    -p password = JID user password
    -help = print this usage and exit
    -verbose = print info
    -stanza = only print the affiliations stanza

Adding another JID as a publisher

For a JID to be able to publish data to an event node, it needs publish access. This can be granted with the following command line tool.


./mio_acl_publisher_add <-event event_node> <-publisher publisher_JID> <-u username> <-p password> [-verbose]

Publish access can be removed as follows:


./mio_acl_publisher_remove <-event event_node> <-publisher publisher_JID> <-u username> <-p password> [-verbose]
    -publisher publisher_JID = Full JID of publisher to remove
    -event event_node = name of node to add publisher to
    -u username = JID (give the full JID, i.e. user@domain)
    -p password = JID user password
    -help = print this usage and exit
    -verbose = print info


Making another JID an owner

For a JID to have permission to modify an event node's access model or affiliations list, that JID needs to be an owner. An owner JID (the creator of the event node by default) can make other JIDs owners with the following tool.


./mio_acl_owner_add <-event event_node> <-publisher publisher_JID> <-u username> <-p password> [-verbose]
    -publisher publisher_JID = Full JID of owner to add
    -event event_node = name of node to add publisher to
    -u username = JID (give the full JID, i.e. user@domain)
    -p password = JID user password
    -help = print this usage and exit
    -verbose = print info


To remove ownership and/or publish permissions, simply use:


./mio_acl_affiliation_remove <-event event_node> <-publisher publisher_JID> <-u username> <-p password> [-verbose]
    -publisher publisher_JID = Full JID of affiliation to remove
    -event event_node = name of node to add publisher to
    -u username = JID (give the full JID, i.e. user@domain)
    -p password = JID user password
    -help = print this usage and exit
    -verbose = print info
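
After granting or revoking affiliations, the output of ./mio_acl_affiliations_query with -stanza can be checked against the intended access list. The following is an added example, not part of Mortar.io or the original page: it assumes the tool prints a XEP-0060 owner affiliations stanza, and the sample stanza, JIDs, policy and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://jabber.org/protocol/pubsub#owner}"
# Affiliations that allow publishing to or reconfiguring a node (XEP-0060).
PRIVILEGED = {"owner", "publisher", "publish-only"}

# Constructed sample of an owner affiliations result; all JIDs are made up.
SAMPLE_STANZA = """
<iq type='result' from='pubsub.example.org' to='admin@example.org/cli' id='aff1'>
  <pubsub xmlns='http://jabber.org/protocol/pubsub#owner'>
    <affiliations node='sensor_node_1'>
      <affiliation jid='admin@example.org' affiliation='owner'/>
      <affiliation jid='gateway@example.org' affiliation='publisher'/>
      <affiliation jid='intern@example.org' affiliation='owner'/>
      <affiliation jid='old-device@example.org' affiliation='outcast'/>
    </affiliations>
  </pubsub>
</iq>
"""

# Constructed policy: the affiliations this node is supposed to have.
EXPECTED = {"admin@example.org": "owner", "gateway@example.org": "publisher",
            "old-device@example.org": "outcast", "revoked@example.org": "outcast"}

def parse_affiliations(stanza_xml):
    """Return (node_name, {bare_jid: affiliation}) from the stanza text."""
    root = ET.fromstring(stanza_xml)
    node = next(root.iter(NS + "affiliations"), None)  # root itself or nested
    if node is None:
        raise ValueError("no pubsub#owner <affiliations/> element found")
    found = {}
    for item in node.findall(NS + "affiliation"):
        bare = item.get("jid", "").split("/")[0].lower()  # drop any resource
        found[bare] = item.get("affiliation", "none")
    return node.get("node"), found

def audit(stanza_xml, expected):
    """List (jid, problem) pairs where the node differs from the policy."""
    _, actual = parse_affiliations(stanza_xml)
    findings = []
    for jid, aff in sorted(actual.items()):
        want = expected.get(jid, "none")
        if aff in PRIVILEGED and aff != want:  # privilege the policy lacks
            findings.append((jid, f"unexpected '{aff}' (policy: '{want}')"))
    for jid, want in sorted(expected.items()):
        if want == "outcast" and actual.get(jid) != "outcast":  # lost block
            findings.append((jid, "policy requires 'outcast' but it is not set"))
    return findings
```

On the sample, audit(SAMPLE_STANZA, EXPECTED) reports the extra owner and the blacklist entry that is missing from the node.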


Using the website

affiliations_and_privs.png - Affiliations and Privileges (86.6 KB) Anthony Rowe, 06/26/2015 03:03 PM

affiliation_state_chart.png - Affiliations and State Chart (153 KB) Anthony Rowe, 06/26/2015 03:03 PM