创建和删除Azure服务总线主题的最低权限？

Question

I am creating an app which needs to create and delete subscriptions to an already created topic in azure service bus.

does my share access token need manage permissions on the topic to create and delete subscriptions? I've does some preliminary googling, and none of the articles I can find shows the correlation of the three roles (manage, send, listen) to the subscription entity.

Thanks!

update I have created a Shared Access Policy directly on the topic, then I have the following code written to reach out to the Topic, create subscriptions, then cancel/dispose of them via an IDisposable interface:

public class SubscriptionHandler : IDisposable
{
    protected NamespaceManager SubManager { get; set; }
    protected SubscriptionDescription SubDetails { get; set; }
    public SubscriptionClient Client { get; }

    public SubscriptionHandler(AuthDetails details)
    {
        try
        {
            var connectionString = ConfigurationManager.AppSettings["Microsoft.ServiceBus.ConnectionString"];
            SubManager = NamespaceManager.CreateFromConnectionString(connectionString);
            SubDetails = new SubscriptionDescription("topic", $"record{details.ID}.Other{details.OtherID}");
            if (!SubManager.SubscriptionExists(SubDetails.TopicPath, SubDetails.Name))
            {   //setting subscription to receive all bookings that are for the given businessID
                SubManager.CreateSubscription(SubDetails, new SqlFilter($"ID = {details.ID}"));
            }

            Client = SubscriptionClient.CreateFromConnectionString(connectionString, SubDetails.TopicPath, SubDetails.Name);
        }catch (Exception ex)
        {
            throw;
        }
    }

    public void Dispose()
    {
        if(Client != null)
        {
            Client.Close(); // telling subscription we are no longer going to recieve messages
        }

        if (SubManager != null && SubManager.SubscriptionExists(SubDetails.TopicPath, SubDetails.Name))
        {
            SubManager.DeleteSubscription(SubDetails.TopicPath, SubDetails.Name);
        }
    }

however, I am still getting unauthorized exception thrown on the

SubManager.CreateSubscription(SubDetails, new SqlFilter($"ID = {details.ID}")); call. I copied the connection string from the SharedAccessPolicy connection strings, then removed the EntityPath name value pair.... What am I doing wrong?

Answer 1

does my share access token need manage permissions on the topic to create and delete subscriptions?

As the official document mentioned about Rights required for Service Bus operations , the Create a subscription and Delete subscription operations need Manage permission on the topic.

Without the Manage permission, you would get the 401 response as follows when you deal with the Create/Delete subscription operation: