PAM uses a grant-only (whitelist) permission scheme, where the first grant in the hierarchy wins.
Permissions are evaluated separately for publish and subscribe based on the following hierarchy:
- Subscribe-key level: Access for all users on all channels
- Channel level: Access for all users on a specified channel
- Auth-key level: Access for specified user(s) on a given channel