Group Rules

Group rules assign clients to groups automatically based on matching conditions. The rules are edited inline on this page, with each rule as a row. Use New rule to add a row and the Save button in the page header to stage your changes, which take effect after you deploy. Each row has these columns:

  • Match By
  • Value
  • Groups
  • a remove control

The footer shows how many rules are configured.

What are group rules?

Group rules connect clients to the groups that grant their permissions. Each rule matches a connecting client by a condition and assigns it to one or more groups. A matched client inherits the ACL permissions of every group the rule assigns.

Match By

Each rule matches on one of three conditions, set in the Match By column. The Value field changes to suit the choice:

Certificate Fingerprint

Match a client by the fingerprint of its certificate. The Value is the fingerprint text, for example SHA256:....

MQTT Client ID

Match a client by the MQTT client identifier it sends during connection. The Value is the identifier to match. Use this for clients that connect with their own identifiers.

Client

Match a named client created on the Clients page. The Value becomes a picker where you select the client by name.

Groups

The Groups column is a multi-select. Pick one or more groups, shown as chips, for the matched client to join.

How group rules work

When a device connects to the MQTT broker:

  1. Identification: the broker identifies the client by its certificate fingerprint, its MQTT client ID, or its named client.
  2. Rule evaluation: the broker checks the group rules to find which groups the client should join.
  3. Permissions: the client inherits the ACL permissions of the assigned groups.
  4. Access control: the client can only access topics and run operations that the assigned groups allow.
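The four steps above, modelled as an added example; this is not the product's own code or export format. The rule layout, exact-match comparison, union of groups across matching rules, and every sample value are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample rules. Keys mirror the page's columns (Match By, Value,
# Groups); the dict layout and every value here are assumptions.
RULES = [
    {"match_by": "fingerprint", "value": "SHA256:EXAMPLE-AAAA", "groups": ["sensors"]},
    {"match_by": "client_id", "value": "pump-07", "groups": ["actuators"]},
    {"match_by": "client", "value": "gateway-1", "groups": ["sensors", "admins"]},
]
# Hypothetical group ACLs as (operation, topic filter) pairs.
ACLS = {
    "sensors": {("publish", "plant/sensors/#")},
    "actuators": {("subscribe", "plant/cmd/#")},
    "admins": {("subscribe", "#")},
}

@dataclass(frozen=True)
class Connection:
    fingerprint: Optional[str] = None   # from the client certificate
    client_id: Optional[str] = None     # sent by the client during connection
    named_client: Optional[str] = None  # name resolved from the Clients page

def groups_for(conn, rules):
    """Steps 1-2: union the groups of every rule the connection matches."""
    identity = {"fingerprint": conn.fingerprint, "client_id": conn.client_id,
                "client": conn.named_client}
    groups = set()
    for rule in rules:
        presented = identity.get(rule["match_by"])
        if presented is not None and presented == rule["value"]:  # exact match (assumed)
            groups.update(rule["groups"])
    return groups

def permissions_for(conn, rules, acls):
    """Steps 3-4: the client holds only what its assigned groups allow."""
    return set().union(*(acls[g] for g in groups_for(conn, rules)))

def review(rules):
    """Flag rules worth a second look during a periodic review."""
    findings, seen = [], {}
    for i, rule in enumerate(rules):
        key = (rule["match_by"], rule["value"])
        if rule["match_by"] == "client_id":
            findings.append((i, "keyed on a client-sent identifier"))
        if key in seen:
            findings.append((i, f"same match as rule {seen[key]}; groups accumulate"))
        seen.setdefault(key, i)
    return findings
```

In this model a connection that matches both a fingerprint rule and a client ID rule receives the groups of both, which is why `review` lists client ID rules and repeated match values for inspection.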

Managing group rules

Unlike most sections in the MQTT service, group rules are edited directly on the page, with no dialog or row menu.

Creating a group rule

Click New rule to add a row, then:

  • Choose the Match By condition (Certificate Fingerprint, MQTT Client ID, or Client)
  • Enter or pick the Value to match
  • Select the Groups to assign

Editing a group rule

Change the Match By, Value, or Groups directly on the row.

Deleting a group rule

Use the remove control on the row to drop the rule, which revokes those group assignments. For both edits and deletions, use Save to stage the change.

When changes apply

Changes to group rules do not affect devices that are already connected. The change applies the next time a device disconnects and reconnects.

Best practices

  • Group devices by what they do or what they need to reach.
  • Keep MQTT Client ID matches specific so a rule does not grant access you did not intend.
  • Review your rules periodically against your current devices and security needs.
  • Test rule changes in a controlled environment before you apply them to production devices.