Products | Versions |
---|---|
TIBCO Enterprise Message Service | - |
Not Applicable | - |
If an EMS administrator executes the following TIBCO EMS admin tool command,
grant queue > user=test browse
where
'>' is the queue on which the permission is granted, and this queue DOES NOT exist in the queues.conf file (i.e., it is not a static queue)
'test' is the user name
'browse' is administrative permission.
then the EMS server will create a dynamic destination called ">". This leads to a situation where the EMS server allows creation of dynamic destinations, and any destination requested by a client will be created dynamically. This is expected behavior by the EMS server. Here is the clarification:
EMS administrators can define permissions on wildcard destinations in acl.conf ONLY IF the corresponding queues.conf or topics.conf has a match for those entries.
Suppose the EMS server's acl.conf contains the line
“QUEUE=MY.QUEUE.> GROUP=mygroup PERM=receive,send,browse”.
The EMS server will take this line into consideration only when there is already a defined static queue which is a superset of “MY.QUEUE.>” or at least one queue that matches “MY.QUEUE.>”, e.g., “MY.QUEUE.1”. Here the EMS server will automatically create a dynamic queue “MY.QUEUE.>”, so the connecting client application will be able to create dynamic destinations that match the queue “MY.QUEUE.>”, e.g., “MY.QUEUE.2”, though it is not statically defined in the server's configuration file.
The reason is that when an admin grants permission on a wildcard that is “larger” than what is in queues.conf (or topics.conf), the admin is implicitly granting full permission to create dynamic destinations. Therefore this is not considered to be a defect.
In EMS 5.0, a new feature was added whereby EMS administrators can supply their own access control plug-in, so that if they want behavior different from the default, they can implement it in their own plug-in. Otherwise, with the current versions of EMS, the workaround is to match the ACL to the queues.conf entry instead of matching by wildcard.
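One way to find grants that are “larger” than the static configuration before they reach the server is shown below. It is an added example, not TIBCO code. It assumes acl.conf lines use the KEY=value form shown above, that queues.conf and topics.conf carry the destination name as the first token of each line, and that `#` starts a comment. The function names are hypothetical, and the coverage check is a simplified model of the server's matching.

```python
import re

def covers(wide, narrow):
    """True if every destination name matched by `narrow` is also matched by `wide`."""
    w, n = wide.split("."), narrow.split(".")
    for i, tok in enumerate(w):
        if tok == ">":                      # '>' matches one or more trailing elements
            return len(n) > i
        if i >= len(n) or n[i] == ">":      # narrow is shorter, or open-ended where wide is not
            return False
        if tok != "*" and tok != n[i]:      # '*' matches exactly one element
            return False
    return len(w) == len(n)

def static_names(conf_text):
    """Destination names from queues.conf/topics.conf text (first token per line)."""
    lines = (l.split("#", 1)[0].split() for l in conf_text.splitlines())
    return [tokens[0] for tokens in lines if tokens]

def audit(acl_text, queues_text, topics_text=""):
    """Return (kind, pattern, principal) for wildcard grants no static entry covers."""
    static = {"QUEUE": static_names(queues_text), "TOPIC": static_names(topics_text)}
    findings = []
    for line in acl_text.splitlines():
        fields = dict(re.findall(r"(\w+)=(\S+)", line.split("#", 1)[0]))
        for kind, names in static.items():
            pattern = fields.get(kind, "")
            if re.search(r"[*>]", pattern) and not any(covers(s, pattern) for s in names):
                findings.append((kind, pattern, fields.get("USER") or fields.get("GROUP")))
    return findings

# Constructed sample files, not taken from a real server.
QUEUES_CONF = """\
MY.QUEUE.1
ORDERS.> secure
"""
ACL_CONF = """\
QUEUE=MY.QUEUE.> GROUP=mygroup PERM=receive,send,browse
QUEUE=ORDERS.EU.* USER=test PERM=browse
QUEUE=> USER=test PERM=browse
QUEUE=MY.QUEUE.1 USER=test PERM=receive
"""

if __name__ == "__main__":
    for kind, pattern, who in audit(ACL_CONF, QUEUES_CONF):
        print(f"{kind} grant on '{pattern}' to {who} is wider than any static entry")
```

Each reported grant is one where the server would create the wildcard as a dynamic destination; narrowing the ACL entry to the static name clears the finding.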