ACL Examples and Use Cases

This page provides practical examples and use cases for implementing ACLs in Confluent Cloud.

ACL examples

The following examples demonstrate common ACL patterns for different use cases in Confluent Cloud:

Producer access to specific topics

Grant a service account permission to produce messages to specific topics:

confluent kafka acl create --allow --service-account sa-1234 \
  --operations write --topic my-topic

Consumer access to topics and consumer groups

Grant a service account permission to consume from topics and use consumer groups:

# Grant read access to the topic
confluent kafka acl create --allow --service-account sa-1234 \
  --operations read --topic my-topic

# Grant read access to the consumer group
confluent kafka acl create --allow --service-account sa-1234 \
  --operations read --consumer-group my-consumer-group

Topic creation permissions

Grant a service account permission to create topics:

confluent kafka acl create --allow --service-account sa-1234 \
  --operations create --topic "*"

Prefix-based access control

Grant access to all topics with a specific prefix:

confluent kafka acl create --allow --service-account sa-1234 \
  --operations read,write --topic "prod-" --prefix

DENY ACL for security

Explicitly deny access to sensitive topics. A matching DENY ACL takes precedence over any matching ALLOW ACL, so it blocks access even where a broader wildcard or prefix ALLOW would otherwise grant it:

confluent kafka acl create --deny --service-account sa-1234 \
  --operations read,write --topic sensitive-data
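To see how the prefix ALLOW from the section above and the DENY from this one combine at authorization time, here is an added Python model (not Confluent's code) of the evaluation rules Apache Kafka's AclAuthorizer applies, which Confluent Cloud is assumed to follow here: a matching DENY wins over every ALLOW, a prefix ACL matches any resource name starting with the prefix, and with no matching ALLOW the request is denied. The constructed sample also shows a subtlety worth checking in a review: denying READ and WRITE on a topic does not remove the DESCRIBE that the prefix ALLOWs imply.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Acl:
    """One ACL entry; the fields mirror the CLI flags used on this page."""
    principal: str             # "User:sa-1234"        (--service-account)
    permission: str            # "ALLOW" or "DENY"     (--allow / --deny)
    operation: str             # "READ", "WRITE", "DESCRIBE", "ALL", ...
    resource_type: str         # "TOPIC", "GROUP" or "CLUSTER"
    resource_name: str         # literal name, "*" wildcard, or a prefix
    pattern: str = "LITERAL"   # "PREFIXED" when created with --prefix

# Kafka AclAuthorizer rule: an ALLOW on any of these implicitly grants DESCRIBE.
IMPLIES_DESCRIBE = {"READ", "WRITE", "DELETE", "ALTER"}

def _resource_matches(acl, resource_type, name):
    if acl.resource_type != resource_type:
        return False
    if acl.pattern == "PREFIXED":
        return name.startswith(acl.resource_name)
    return acl.resource_name in ("*", name)

def _operation_matches(acl, operation):
    if acl.operation in ("ALL", operation):
        return True
    # Implied DESCRIBE applies to ALLOW entries only; a DENY must name the operation.
    return (acl.permission == "ALLOW" and operation == "DESCRIBE"
            and acl.operation in IMPLIES_DESCRIBE)

def matching_acls(acls, principal, operation, resource_type, name):
    """Every ACL that applies to this principal / operation / resource."""
    return [a for a in acls if a.principal == principal
            and _resource_matches(a, resource_type, name)
            and _operation_matches(a, operation)]

def is_authorized(acls, principal, operation, resource_type, name):
    """Any matching DENY wins; with no matching ALLOW the default is deny."""
    hits = matching_acls(acls, principal, operation, resource_type, name)
    if any(a.permission == "DENY" for a in hits):
        return False
    return any(a.permission == "ALLOW" for a in hits)

# Constructed sample: the page's prefix ALLOW on "prod-" plus a DENY on one sensitive topic under it.
SAMPLE_ACLS = [
    Acl("User:sa-1234", "ALLOW", "READ", "TOPIC", "prod-", "PREFIXED"),
    Acl("User:sa-1234", "ALLOW", "WRITE", "TOPIC", "prod-", "PREFIXED"),
    Acl("User:sa-1234", "DENY", "READ", "TOPIC", "prod-sensitive-data"),
    Acl("User:sa-1234", "DENY", "WRITE", "TOPIC", "prod-sensitive-data"),
    Acl("User:sa-1234", "ALLOW", "READ", "GROUP", "my-consumer-group"),
]
```

Running `is_authorized(SAMPLE_ACLS, "User:sa-1234", "READ", "TOPIC", "prod-sensitive-data")` returns False because the literal DENY beats the prefix ALLOW, while the same call with "DESCRIBE" still returns True.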

Cluster-level permissions

Grant cluster management permissions:

confluent kafka acl create --allow --service-account sa-1234 \
  --operations describe --cluster-scope

Host-restricted ACLs

Restrict access to specific IP addresses:

# Allow access only from a specific IP address
confluent kafka acl create --allow --service-account sa-1234 \
  --operations read,write --topic my-topic --host "192.168.1.100"

# Allow access from an IP range, using a wildcard host pattern
confluent kafka acl create --allow --service-account sa-1234 \
  --operations read,write --topic my-topic --host "192.168.1.*"

ACL use cases

Multi-tenant environments

Use ACLs to isolate different teams or applications within the same cluster. For more information about multi-tenancy and client quotas, see Multi-Tenancy and Client Quotas on Confluent Cloud.

# Team A access
confluent kafka acl create --allow --service-account team-a \
  --operations read,write --topic "team-a-" --prefix

# Team B access
confluent kafka acl create --allow --service-account team-b \
  --operations read,write --topic "team-b-" --prefix

Data pipeline security

Secure data pipelines by granting specific permissions to each component:

# Source connector permissions
confluent kafka acl create --allow --service-account source-connector \
  --operations write --topic "raw-data"

# Processing application permissions
confluent kafka acl create --allow --service-account processor \
  --operations read --topic "raw-data"
confluent kafka acl create --allow --service-account processor \
  --operations write --topic "processed-data"

# Sink connector permissions
confluent kafka acl create --allow --service-account sink-connector \
  --operations read --topic "processed-data"

Compliance and audit requirements

Implement strict access controls for compliance:

# Grant minimal required permissions
confluent kafka acl create --allow --service-account compliance-app \
  --operations read --topic "audit-logs"

# Deny access to sensitive topics
confluent kafka acl create --deny --service-account compliance-app \
  --operations read,write --topic "pii-data"