Eventstore users groups

  1. What is the difference between Operations and Administrator group?
  2. We need to support the following:

Case 1: Write events (from a service) - uses TCP

Case 2: Create subscription groups, receive events, replay (from another service) - uses TCP and HTTP (only for replay)

What group should we use? And do you have any security guidance?


I think I found a defect as well. I am using EventStore 4.0 and the 3.9.5 version of the client.

  1. The default admin user created a stream and subscription group

  2. I created a new admin user

  3. The new admin user can connect to the subscription group

  4. I deleted the subscription group and tried to create it again as the new admin user. Got an access denied exception.

According to the documentation, “Members of $admins always have access to everything, this permission cannot be removed.” So it looks like this may be a defect.

Hi Anand,

With regards to your question about the different roles:

Admin users can read, write and subscribe to any stream, can manage other users and can perform any activity on the Event Store database (such as scavenges etc.). Admins can also read system streams - a system stream is any stream beginning with “$”.

Ops users are able to perform activities such as scavenge and shutdown on Event Store, but behave like a standard user when it comes to reading and writing.

Standard users belonging to other groups are able to read, write and subscribe to any stream that they have access to. By default, any user can read from any stream that isn’t a system stream. Access to streams can be changed by setting the stream’s ACL.

For your use case, you might want to create your own groups for users that can write and subscribe to the streams you are interested in, and set the ACL on those streams when they are created.

You should not need to create an admin user to do this.

With regards to your admin user creating a subscription:

  1. Can your new admin user read from the stream without a problem? What about other users?

  2. Did you set any custom ACLs on the stream you are subscribing to?
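
As an added example (not part of the original thread, and not Event Store's own code): the stream ACL metadata the reply above suggests for the two services in the question, with a simplified local model of the access rules the reply describes. The group names `order-writers` and `order-readers` and the user names are hypothetical; `$r`, `$w`, `$d`, `$mr`, `$mw` are Event Store's stream ACL keys. Permissions on persistent subscription groups are not modelled.

```python
import json

# Stream ACL keys: read, write, delete, metadata read, metadata write.
ACTIONS = ("$r", "$w", "$d", "$mr", "$mw")

# Hypothetical custom groups, one per service role from the question.
ORDER_WRITERS = "order-writers"   # Case 1: service that appends events
ORDER_READERS = "order-readers"   # Case 2: service that subscribes/replays

def build_stream_metadata(readers, writers):
    """Metadata limiting reads/writes to the given groups.
    Delete and metadata access are left to $admins only."""
    return {"$acl": {"$r": list(readers), "$w": list(writers),
                     "$d": ["$admins"], "$mr": ["$admins"], "$mw": ["$admins"]}}

def is_allowed(metadata, action, user_groups):
    """Simplified model: $admins always pass; everyone else, including
    $ops, needs a group listed for the action (or the special $all role).
    Assumes the ACL sets every key; server-side defaults are not modelled."""
    if action not in ACTIONS:
        raise ValueError("unknown ACL action: " + action)
    if "$admins" in user_groups:
        return True
    entry = metadata["$acl"][action]
    allowed = [entry] if isinstance(entry, str) else entry  # string or list
    return "$all" in allowed or any(g in allowed for g in user_groups)

METADATA = build_stream_metadata([ORDER_READERS], [ORDER_WRITERS])

# Constructed sample users and their group memberships.
USERS = {
    "writer-svc": [ORDER_WRITERS],
    "subscriber-svc": [ORDER_READERS],
    "ops-user": ["$ops"],
    "admin-user": ["$admins"],
}

def access_matrix():
    """Read/write decision for each sample user against METADATA."""
    return {name: {a: is_allowed(METADATA, a, groups) for a in ("$r", "$w")}
            for name, groups in USERS.items()}

if __name__ == "__main__":
    print(json.dumps(METADATA, indent=2))
    for name, decisions in access_matrix().items():
        print(name, decisions)
```

Neither service account needs `$admins` or `$ops` membership under this ACL, and an `$ops` user gets no read or write access to the stream.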

Thanks!! We will investigate setting up a new group.

We did not change the default ACL setting.

I did notice both the new admin and ops users were able to connect to the subscription group. I will try to see if they can receive/write events and get back.