When messaging security is switched on, users must be authorized to access topics.
Topics are contained in a topic space, which is one of the types of destination. Within the topic space, topics are organized into hierarchies based on the topic names. There can be more than one topic hierarchy within a topic space, and they are all joined to a "virtual root" which is created when the topic space is created. Once the topic space has been created, topics can be created within it simply by publishing on them.
When a connection accesses a topic, an access check is performed to ensure that the user associated with the connection has permission to access the topic space that contains the topic. If topic-level authorization is enabled, a second check is performed to ensure the user also has permission to access the topic itself. This allows finer-grained control of access to topics, as illustrated in the following diagram, which shows topic space tspace1, containing two hierarchies, one under sports and one under cars.
To make authorization permissions easier to manage when there are many topics, a role (see Role-based authorization) defined on a topic contains permissions for the topic itself and also, by default, for any topics that descend from it in the hierarchy. In other words, a topic inherits roles from its parent topic. It follows that a role defined on the virtual root contains, by default, permissions for all of the topics in the topic space. In the above example, these permissions are contained in the Sender and Receiver roles defined on the virtual root of tspace1.
If required, you can define new roles or disallow role inheritance for any topic in the hierarchy.
For example, in the diagram above:
A topic does not need to exist when you define roles for it; you can define the roles before the topic itself is created at run time. If you do define roles for a topic, it still inherits roles from its parent unless you explicitly block the inheritance.
There can be more than one topic space within a bus. Each topic space is completely separate from any others, and topics in different topic spaces are not related even if they have the same name. So, for example, if topic space tspace1 and topic space tspace2 both contained a cars topic, but you subscribed only to the topic in tspace1, you would receive only messages published to the cars topic in tspace1, and not those published to the cars topic in tspace2.
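The two access checks and the role inheritance described above can be traced with a small model. This is an added example, not the product's code or API: the TopicSpace class, the user names, the sub-topics under sports and cars, and the use of "/" as the level separator are all assumptions made for illustration.

```python
# Added illustration: simplified model; users and sub-topics are constructed.
ROOT = ""  # stands for the virtual root of a topic space


class TopicSpace:
    def __init__(self, name, space_roles, topic_auth=True):
        self.name = name
        self.space_roles = space_roles  # role -> users allowed on the topic space
        self.topic_auth = topic_auth    # is topic-level authorization enabled?
        self.topic_roles = {}           # topic -> {role: users}
        self.blocked = set()            # topics that do not inherit from their parent

    def define_role(self, topic, role, users, inherit=True):
        # The topic does not have to exist yet; roles are keyed by name only.
        self.topic_roles.setdefault(topic, {}).setdefault(role, set()).update(users)
        if not inherit:
            self.blocked.add(topic)

    def effective_users(self, topic, role):
        # Walk from the topic towards the virtual root, collecting role members,
        # and stop at the first topic where inheritance is blocked.
        users, node = set(), topic
        while True:
            users |= self.topic_roles.get(node, {}).get(role, set())
            if node == ROOT or node in self.blocked:
                return users
            node = node.rpartition("/")[0]  # parent topic; "" is the virtual root

    def is_authorized(self, user, topic, role):
        # Check 1: the topic space itself.
        if user not in self.space_roles.get(role, set()):
            return False
        # Check 2: the topic, only when topic-level authorization is enabled.
        return not self.topic_auth or user in self.effective_users(topic, role)


def build_tspace1():
    everyone = {"alice", "bob", "carol"}
    ts = TopicSpace("tspace1", {"Sender": everyone, "Receiver": everyone})
    ts.define_role(ROOT, "Sender", {"alice"})
    ts.define_role(ROOT, "Receiver", {"alice", "bob"})
    ts.define_role("sports/football", "Sender", {"bob"})  # adds to inherited roles
    ts.define_role("cars/prototypes", "Receiver", {"carol"}, inherit=False)
    return ts


if __name__ == "__main__":
    ts = build_tspace1()
    print(ts.is_authorized("alice", "cars/prototypes/2025", "Receiver"))  # False
```

In this model, blocking inheritance on cars/prototypes removes the Receiver permission that alice would otherwise inherit from the virtual root, which is the case to review when auditing who can read a restricted branch of the hierarchy.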