Help to secure Vernemq Broker for client to publish and subscribe

Hi All
We like to secure VerneMQ using authentication and authorization to control client to publish and subscribe

Here is our requirement

  1. 2000 unique Clients (1900 client run on Edge devices and 100 client on Premise) register to publish and subscribe to VerneMQ Broker Cluster Docker containers running on Premise

  2. Unique Client Id has the following format
    where service_type = trafficcontrol, cav, adaptive, sensor, cornerstone,tco, basicconsumer,
    for example trafficcontrol219517053241900

  3. Service_type publish and subscribe access Roles
    service_type = trafficcontrol can publish sp/prod/bc/tcu/rt-veh/# and subscribe sp/prod/#
    service_type = cav can publish sp/prod/req/tcu/cav/# and subscribe sp/prod/#
    service_type = adaptive can publish sp/prod/req/tcu/adaptive/# and subscribe sp/prod/#
    service_type = sensor can publish sp/prod/bc/sdd/rt-veh/#
    service_type = adaptive can publish sp/prod/req/tcu/adaptive/# and subscribe sp/prod/#
    service_type = cornerstone can publish sp/prod/rep/cts/# and subscribe sp/prod/#
    service_type = tco can publish sp/prod/req/tco/# and subscribe sp/prod/rep/tco/#
    service_type = basicconsumer can subscribe sp/prod/bc/sdd/rt-veh/#
    service_type = advancecomsumer can subscribe sp/prod/#

    where req = Request action, rep = Reply/Response/ action, bc = broadcast or notification actions

  4. We more then 100 customers world wide

Can you please advise best practice to setup secure VerneMQ Broker cluster using authentication and authorization with ACL either by Database or file base on our requirement.

I looked at links Auth using files - VerneMQ and Auth using a database - VerneMQ

but I do not understand how to configre authorization with ACL using database or file
For authentication, I was think to generate Client Certificates using openssl with Certificate Authority (CA)

Thank you for your help and support

Regards, Bao