

# Set up authorization rules for AWS IoT SiteWise Edge in EMQX
<a name="authorization-rules-emqx-broker"></a>

EMQX supports adding authorization rules based on identifiers such as username, IP address, or client ID. This is useful if you want to restrict which external applications can connect to the broker and which operations and topics they can use.

**Topics**
+ [Configure authorization using the built-in database with Linux](add-auth-rules-database-emqx-broker-linux.md)
+ [Configure authorization using the built-in database with Windows](add-auth-rules-database-emqx-broker-windows.md)
+ [Update the EMQX deployment configuration for authorization](update-emqx-broker-authorization.md)
+ [Add authorization rules through the EMQX Dashboard for users](add-rules-emqx-broker.md)

# Configure authorization using the built-in database with Linux
<a name="add-auth-rules-database-emqx-broker-linux"></a>

When you configure authorization rules, there are two configuration choices that depend on your deployment setup.
+ **Docker** – If you're running a standard Docker installation without Litmus Edge, use the **Docker bridge gateway** configuration. This is typically the case when you've only deployed AWS IoT SiteWise components.
+ **Litmus Edge** – If you have Litmus Edge installed on your gateway, use the **Litmus Edge network subnet** configuration.

**Note**  
If you initially configure the Docker bridge gateway and later install Litmus Edge, reconfigure the authorization rules using the Litmus Edge network subnet option to ensure proper communication between all components.

**To add basic authorization rules**

1. Verify that the EMQX broker is deployed and running.

1. Start a shell session on your gateway host.

------
#### [ Docker without Litmus Edge ]

   For standard Docker installation without Litmus Edge, run:

   ```
   /greengrass/v2/bin/swe-emqx-cli acl init
   ```

------
#### [ Litmus Edge network subnet ]

   If you're using Litmus Edge, determine the Litmus Edge network subnet IP:

   ```
   docker network inspect LitmusNetwork | grep IPAM -A9
   ```

   Note the Subnet value from the output and run the following command. Replace `litmus_subnet_ip` with the Subnet value from the previous step.

   ```
   /greengrass/v2/bin/swe-emqx-cli acl init litmus_subnet_ip
   ```

------

   The tool automatically creates and applies authorization rules that allow connections to the broker from the Docker bridge gateway address or from the Litmus Edge subnet you provided. It allows access to all topics. This includes the IoT SiteWise OPC UA collector and IoT SiteWise publisher.

1. Proceed to [Update the EMQX deployment configuration for authorization](update-emqx-broker-authorization.md).

# Configure authorization using the built-in database with Windows
<a name="add-auth-rules-database-emqx-broker-windows"></a>

This section covers configuring authorization rules using the built-in database for Windows deployments.

**To add basic authorization rules**

1. Verify that the EMQX broker is deployed and running.

1. Run the AWS IoT SiteWise EMQX CLI tool: 

   ```
   C:\greengrass\v2\bin\swe-emqx-cli.ps1 acl init
   ```

   The tool automatically creates and applies ACL rules allowing connections from localhost (127.0.0.1) to the broker. It allows access to all topics. This includes the IoT SiteWise OPC UA collector and IoT SiteWise publisher.

1. Proceed to [Update the EMQX deployment configuration for authorization](update-emqx-broker-authorization.md).

# Update the EMQX deployment configuration for authorization
<a name="update-emqx-broker-authorization"></a>

**To update the EMQX deployment configuration for authorization**

1. <a name="sitewise-open-console"></a>Navigate to the [AWS IoT SiteWise console](https://console.aws.amazon.com/iotsitewise/).

1. In the left navigation, choose **Edge gateways** in the **Edge** section.

1. Choose the gateway to configure.

1. In the **Edge gateway configuration** section, copy your **Greengrass core device** value. Save it for later use.

1. Open the [AWS IoT console](https://console.aws.amazon.com/iot/).

1. On the left navigation, under the **Manage** section, choose **Greengrass devices**, then **Deployments**.

1. Find the core device value you saved earlier and choose that link to open the deployment.

1. Choose the **Actions** dropdown button, then **Revise**.

1. Read the message that appears and then choose **Revise deployment**. The **Specify target** page appears.

1. Choose **Next** until you reach the **Configure components** step.

1. Select the `aws.greengrass.clientdevices.mqtt.EMQX` radio button.

1. Choose the **Configure component** button. A configuration page appears for the component.

1. Under **Configuration update**, choose **Reset to default configuration for component version: 2.x.x** (where *2.x.x* is the component version shown for your deployment).

1. Paste the following content in the **Configuration to merge** section based on your OS.

------
#### [ Linux ]

   ```
   {
       "emqxConfig": {
           "authorization": {
               "no_match": "deny",
               "sources": [
                   {
                       "type": "built_in_database"
                   },
                   {
                       "type": "file",
                       "path": "data/authz/acl.conf"
                   }
               ]
           },
           "listeners": {
               "tcp": {
                   "default": {
                       "enabled": true,
                       "enable_authn": false
                   }
               },
               "ssl": {
                   "default": {
                       "enabled": true,
                       "enable_authn": true,
                       "ssl_options": {
                           "verify": "verify_none",
                           "fail_if_no_peer_cert": false
                       }
                   }
               }
           },
           "authentication": {
               "enable": true,
               "backend": "built_in_database",
               "mechanism": "password_based",
               "password_hash_algorithm": {
                   "iterations": 210000,
                   "mac_fun": "sha512",
                   "name": "pbkdf2"
               },
               "user_id_type": "username"
           },
           "dashboard": {
               "listeners": {
                   "http": {
                       "bind": 18083
                   }
               }
           }
       },
       "authMode": "bypass",
       "dockerOptions": "-p 8883:8883 -p 127.0.0.1:1883:1883 -p 127.0.0.1:18083:18083 -v emqx-data:/opt/emqx/data -e EMQX_NODE__NAME=emqx@local",
       "requiresPrivilege": "true"
   }
   ```

------
#### [ Windows ]

   ```
   {
       "emqxConfig": {
           "authorization": {
               "no_match": "deny",
               "sources": [
                   {
                       "type": "built_in_database"
                   },
                   {
                       "type": "file",
                       "path": "C:\\greengrass\\v2\\work\\aws.greengrass.clientdevices.mqtt.EMQX\\v2\\data\\authz\\acl.conf"
                   }
               ]
           },
           "listeners": {
               "tcp": {
                   "default": {
                       "enabled": true,
                       "enable_authn": false
                   }
               },
               "ssl": {
                   "default": {
                       "enabled": true,
                       "enable_authn": true,
                       "ssl_options": {
                           "verify": "verify_none",
                           "fail_if_no_peer_cert": false
                       }
                   }
               }
           },
           "authentication": {
               "enable": true,
               "backend": "built_in_database",
               "mechanism": "password_based",
               "password_hash_algorithm": {
                   "iterations": 210000,
                   "mac_fun": "sha512",
                   "name": "pbkdf2"
               },
               "user_id_type": "username"
           },
           "dashboard": {
               "listeners": {
                   "http": {
                       "bind": 18083
                   }
               }
           }
       },
       "authMode": "bypass",
       "requiresPrivilege": "true"
   }
   ```

------

1. Choose **Confirm**.

1. Choose **Next** until you reach the **Review** step.

1. Choose **Deploy**.

**Note**  
From this point onward, you can't edit the ACL file to update the authorization rules. Instead, after a successful deployment, proceed to [Add authorization rules through the EMQX Dashboard for users](add-rules-emqx-broker.md) to add or change rules.

# Add authorization rules through the EMQX Dashboard for users
<a name="add-rules-emqx-broker"></a>

You can add or update authorization rules using the EMQX Dashboard or the AWS IoT SiteWise EMQX CLI tool. The AWS IoT SiteWise EMQX CLI tool manages authorization using EMQX's built-in database.

**Note**  
Adding authorization rules is an advanced configuration step that requires understanding of MQTT topic patterns and access control. For more information about creating authorization rules using EMQX's built-in database, see [Use Built-in Database](https://docs.emqx.com/en/emqx/latest/access-control/authz/mnesia.html) in the *EMQX Docs*.

**Note**  
The EMQX-related instructions provided are for reference only. As EMQX documentation and features may change over time, and we do not maintain their documentation, we recommend consulting [EMQX's official documentation](https://docs.emqx.com/en/emqx/latest/) for the most current information.

------
#### [ EMQX dashboard ]

This procedure shows how you can add authorization rules on the EMQX dashboard.

The EMQX dashboard is only accessible from within the gateway host. If you try to connect from outside of the gateway host, you can't access the dashboard.

**To add authorization rules using the EMQX Dashboard**

1. Ensure that you are within the gateway host.

1. Open a browser window and visit [http://localhost:18083/](http://localhost:18083/).

1. Log in to the EMQX dashboard. This procedure assumes that you've changed your default login credentials to something of your choosing. For more information on initial setup, see [Enable username and password authentication](configure-emqx-broker.md#emqx-broker-username-password-auth).

1. Choose the shield icon, then **Authorization** from the dropdown menu.

1. Choose the **Permissions** button on the **Built-in Database** row. 

1. In the Built-in Database authorization section, add or update the user authorization rules for your business needs. For more guidance on creating rules, see the [Use Built-in Database](https://docs.emqx.com/en/emqx/latest/access-control/authz/mnesia.html) section in the *EMQX Docs*.

------
#### [ AWS IoT SiteWise CLI tool using Linux ]

**To manage authorization rules using the AWS IoT SiteWise EMQX CLI tool in Linux:**
+ Add authorization rules for a user using the following format. Each rule is an action (`publish`, `subscribe`, or `all`), a permission (`allow` or `deny`), and a topic filter; you can append further action, permission, and topic groups to the same command, as in the example that follows:

  ```
  /greengrass/v2/bin/swe-emqx-cli auth add your-username your-action your-permission your-topic [your-action-permission-topic]
  ```

**Example: Add authorization rules for a user**  
This example shows how to add rules for a user named `system1`:  

```
/greengrass/v2/bin/swe-emqx-cli auth add system1 \
    publish allow "sensors/#" \
    subscribe allow "control/#" \
    all deny "#"
```

**Example: View authorization rules for a user**  
To view authorization rules for the `system1` user, run the following command:  

```
/greengrass/v2/bin/swe-emqx-cli auth list system1
```

**Example: View all existing authorization rules**  
To view all of the authorization rules you currently have, run the following command:  

```
/greengrass/v2/bin/swe-emqx-cli auth list
```

**Example: Delete all authorization rules for a user**  
To delete all of the authorization rules applied to a particular user, run the following command:  

```
/greengrass/v2/bin/swe-emqx-cli auth delete system1
```
You are prompted to confirm the deletion.

------
#### [ AWS IoT SiteWise CLI tool using Windows ]

**To manage authorization rules using the AWS IoT SiteWise EMQX CLI tool in Windows PowerShell:**
+ Add authorization rules for a user using the following format. Each rule is an action (`publish`, `subscribe`, or `all`), a permission (`allow` or `deny`), and a topic filter; you can append further action, permission, and topic groups to the same command, as in the example that follows:

  ```
  C:\greengrass\v2\bin\swe-emqx-cli.ps1 auth add your-username your-action your-permission your-topic [your-action-permission-topic]
  ```

**Example: Add authorization rules for a user**  
This example shows how to add rules for a user named `system1`:  

```
C:\greengrass\v2\bin\swe-emqx-cli.ps1 auth add system1 `
    publish allow "sensors/#" `
    subscribe allow "control/#" `
    all deny "#"
```

**Example: View authorization rules for a user**  
To view authorization rules for the `system1` user, run the following command:  

```
C:\greengrass\v2\bin\swe-emqx-cli.ps1 auth list system1
```

**Example: View all existing authorization rules**  
To view all of the authorization rules you currently have, run the following command:  

```
C:\greengrass\v2\bin\swe-emqx-cli.ps1 auth list
```

**Example: Delete all authorization rules for a user**  
To delete all of the authorization rules applied to a particular user, run the following command:  

```
C:\greengrass\v2\bin\swe-emqx-cli.ps1 auth delete system1
```
You are prompted to confirm the deletion.

------
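The following Python model, added here as an illustration and not code from the AWS IoT SiteWise EMQX CLI or from EMQX, shows how the `system1` rules from the examples above are evaluated: rules are checked in the order they were added, the first rule whose action and topic filter match decides, and a request matching no rule falls through to the `"no_match": "deny"` setting in the merged deployment configuration. The topic filter and rule-order semantics are standard MQTT/EMQX behaviour; the function names and sample topics are this example's own.

```python
NO_MATCH = "deny"  # mirrors "no_match": "deny" in the deployment configuration above


def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches exactly one level and
    '#' (only valid as the last level) matches zero or more remaining levels."""
    f_levels = filter_.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return True  # remainder of the topic, including an empty remainder
        if i >= len(t_levels):
            return False  # filter has more levels than the topic
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def authorize(rules, action: str, topic: str) -> str:
    """Evaluate (action, permission, topic-filter) rules in order.
    The first rule whose action ('all' covers publish and subscribe) and
    topic filter match decides; otherwise the no_match policy applies."""
    for rule_action, permission, filter_ in rules:
        if rule_action in (action, "all") and topic_matches(filter_, topic):
            return permission
    return NO_MATCH


# Rules for user system1, constructed from the CLI example on this page.
SYSTEM1_RULES = [
    ("publish", "allow", "sensors/#"),
    ("subscribe", "allow", "control/#"),
    ("all", "deny", "#"),
]

# Same rules with the catch-all deny first: order changes the outcome.
DENY_FIRST_RULES = [SYSTEM1_RULES[2], SYSTEM1_RULES[0], SYSTEM1_RULES[1]]


def audit(rules, checks):
    """Return (action, topic, decision) for each (action, topic) check."""
    return [(a, t, authorize(rules, a, t)) for a, t in checks]


if __name__ == "__main__":
    checks = [("publish", "sensors/plant1/temp"), ("subscribe", "sensors/plant1/temp"),
              ("subscribe", "control/plant1/valve"), ("publish", "control/plant1/valve")]
    for action, topic, decision in audit(SYSTEM1_RULES, checks):
        print(f"{action:9} {topic:22} -> {decision}")
```

Running it shows that `system1` can publish under `sensors/` and subscribe under `control/` but nothing else, and that putting the `all deny "#"` rule first would deny every request.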