> ## Documentation Index > Fetch the complete documentation index at: https://docs.streamnative.io/llms.txt > Use this file to discover all available pages before exploring further. # Grant permissions In Apache Pulsar, authorization is a critical security feature that controls what users can do within the system. By granting permissions, you can ensure that users only have access to the resources and actions they need, enhancing the security and integrity of your messaging infrastructure. ## Key Concepts **Role**: A role is an identifier that represents a user or an application. Permissions are granted to roles, not individual users directly. **Actions**: Actions are the operations that a role is permitted to perform. Common actions include producing and consuming messages. ## Permission Levels Pulsar allows you to grant permissions at two main levels: * **Namespace Level**: When you grant permissions at the namespace level, the role receives those permissions for all topics within that namespace. This is useful for granting broad access to a set of related topics. * **Topic Level**: For more granular control, you can grant permissions directly on a specific topic. This restricts the role's access to only that individual topic. ## Available Actions The following actions can be granted to roles: * `produce`: Allows the role to publish messages to a topic. * `consume`: Allows the role to subscribe to and consume messages from a topic. * `sources`: Allows the role to interact with Pulsar IO sources. * `sinks`: Allows the role to interact with Pulsar IO sinks. * `functions`: Allows the role to manage Pulsar Functions. * `packages`: Allows the role to manage packages. ## Grant Permissions with pulsar-admin You can use the `pulsar-admin` command-line tool to manage permissions. ### Grant Namespace Permissions To grant permissions on all topics within a namespace, use the `pulsar-admin namespaces grant-permission` command. **Command Syntax:** ```bash theme={null} ./bin/pulsar-admin namespaces grant-permission \ --role \ --actions \ / ``` **Parameters:** * `--role `: The role to which you are granting permissions. * `--actions `: A comma-separated list of actions to grant (e.g., `produce,consume`). * `/`: The target namespace. **Example:** To grant the role `my-app` permission to produce and consume messages on all topics in the `my-namespace` namespace under the `my-tenant` tenant, run the following command: ```bash theme={null} ./bin/pulsar-admin namespaces grant-permission \ --role my-app \ --actions produce,consume \ my-tenant/my-namespace ``` ### Grant Topic Permissions To grant permissions on a single topic, use the `pulsar-admin topics grant-permission` command. **Command Syntax:** ```bash theme={null} ./bin/pulsar-admin topics grant-permission \ -r \ -a \ ``` **Parameters:** * `-r, --role `: The role to which you are granting permissions. * `-a, --actions `: A comma-separated list of actions to grant. * ``: The full name of the topic, in the format `persistent:////`. **Example:** To grant the role `my-specific-app` permission to only produce messages to the topic `my-topic` in the `my-namespace` namespace and `my-tenant` tenant, use this command: ```bash theme={null} ./bin/pulsar-admin topics grant-permission \ -r my-specific-app \ -a produce \ persistent://my-tenant/my-namespace/my-topic ``` For more information about authorization and access control in Pulsar, see the [Apache Pulsar documentation](https://pulsar.apache.org/docs/en/security-authorization/).