diff --git a/roles/rabbit/queue/defaults/main.yml b/roles/rabbit/queue/defaults/main.yml
index 867170cb95..6f479eeb7f 100644
--- a/roles/rabbit/queue/defaults/main.yml
+++ b/roles/rabbit/queue/defaults/main.yml
@@ -8,4 +8,3 @@ thresholds:
 warning: 10000
 critical: 100000
 nagios_server: noc01.iad2.fedoraproject.org
-sent_topics: null
diff --git a/roles/rabbit/queue/tasks/main.yml b/roles/rabbit/queue/tasks/main.yml
index f58d519ec7..9d67509953 100644
--- a/roles/rabbit/queue/tasks/main.yml
+++ b/roles/rabbit/queue/tasks/main.yml
@@ -30,53 +30,10 @@ - fedora-messaging - rabbitmq_cluster -- name: Validate the user parameter - assert: - that: - - username != "admin" - - username != "guest" - - username != "nagios-monitoring" - fail_msg: "This user name is reserved" - tags: - - fedora-messaging - - rabbitmq_cluster - -- name: Prepare the topic permissions dict - set_fact: - topic_permissions: - - vhost: "{{ vhost }}" - read_priv: .* - write_priv: "{{ sent_topics }}" - tags: - - fedora-messaging - - rabbitmq_cluster - when: env == "staging" and sent_topics - -- debug: - msg: "Topic permissions: {{ topic_permissions|default([]) }}" - when: topic_permissions is defined - tags: - - fedora-messaging - - rabbitmq_cluster - -# See https://www.rabbitmq.com/access-control.html#permissions for details on -# the RabbitMQ permissions configuration. -- name: Create the {{ username }} user in RabbitMQ - delegate_to: "{{ rabbitmq_server }}" - community.rabbitmq.rabbitmq_user: - user: "{{ username }}" - vhost: "{{ vhost }}" - # Read from queues prefixed with their name and bind to the topic exchange - read_priv: "^(zmq\\.topic)|^(amq\\.topic)|({{ username }}.*)$" - # Write to queues prefixed with their name and any prefixes in - # write_queues, and publish to the topic exchange - write_priv: "^(amq\\.topic)|({{ username }}.*){% for queue in write_queues|default([]) %}|({{ queue }}.*){% endfor %}$" - configure_priv: "^$" # No configuration permissions - topic_permissions: "{{ topic_permissions|default([]) }}" - state: present - tags: - - fedora-messaging - - rabbitmq_cluster +- include_role: + name: rabbit/user + vars: + publish_only: false - name: Create the {{ queue_name }} queue in RabbitMQ delegate_to: "{{ rabbitmq_server }}" diff --git a/roles/rabbit/user/defaults/main.yml b/roles/rabbit/user/defaults/main.yml index 23f125e072..83c8d74150 100644 --- a/roles/rabbit/user/defaults/main.yml +++ b/roles/rabbit/user/defaults/main.yml 
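Review bot: The reserved-username guard (`username != "admin"`, `"guest"`, `"nagios-monitoring"`) is dropped in this hunk with no replacement visible in the `rabbit/user` role; that role's task hunk starts at its line 24, so unless lines 1–23 carry the same assert, the queue role will now reconfigure those accounts' permissions without complaint. Keep the `Validate the user parameter` task in front of the new `include_role`, or confirm the assert already lives in `roles/rabbit/user/tasks/main.yml`. The `include_role` task also carries no `tags:` while every task it replaces was tagged `fedora-messaging` and `rabbitmq_cluster`; since `include_role` is a dynamic include, a run with `--tags fedora-messaging` is likely to skip the include itself and never reach the tagged tasks inside the role, so add `tags:` with `- fedora-messaging` and `- rabbitmq_cluster` to the include task as the rest of this file does.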
@@ -1,3 +1,22 @@
 rabbitmq_server: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
 vhost: /pubsub
-sent_topics: null
+publish_only: true
+
+# Read privileges:
+# If publish_only: no reading. Otherwise, read from queues prefixed
+# with their name and bind to the topic exchange
+read_priv: "{{ publish_only|ternary('^$', '^(zmq\\.topic)|^(amq\\.topic)|(' + username + '.*)$') }}"
+
+# Write privileges:
+# If publish_only: only write to the exchange. Otherwise, write to
+# queues prefixed with their name and any prefixes in write_queues,
+# and publish to the topic exchange
+write_priv: "^(amq\\.topic){% if not publish_only %}|({{ username }}.*){% for queue in write_queues|default([]) %}|({{ queue }}.*){% endfor %}{% endif %}$"
+
+# Topic authorization:
+# Ref: https://www.rabbitmq.com/access-control.html#topic-authorisation
+sent_topics: .*
+topic_permissions: - vhost: "{{ vhost }}" read_priv: .* write_priv: "{{ sent_topics }}"
diff --git a/roles/rabbit/user/tasks/main.yml b/roles/rabbit/user/tasks/main.yml
index 275e3a2ad5..dd9059368e 100644
--- a/roles/rabbit/user/tasks/main.yml
+++ b/roles/rabbit/user/tasks/main.yml
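Review bot: In the new `read_priv` and `write_priv` defaults only the exchange alternatives carry the `^` anchor, so the `(username.*)` branch (and each `(queue.*)` branch) matches a resource whose name contains the username anywhere, not only as a prefix as the comments above them say; unless RabbitMQ anchors the pattern itself, a queue whose name merely embeds another user's name becomes readable and writable by that user. Anchoring one outer group fixes both lines: `read_priv: "{{ publish_only|ternary('^$', '^(zmq\\.topic|amq\\.topic|' + username + '.*)$') }}"` and `write_priv: "^(amq\\.topic{% if not publish_only %}|{{ username }}.*{% for queue in write_queues|default([]) %}|{{ queue }}.*{% endfor %}{% endif %})$"`. `username` is also interpolated into the regex unescaped, so a name containing regex metacharacters widens the match; `username|regex_escape` in both expressions keeps it literal. Separately, the `sent_topics` default moves from `null` to `.*`, so every user created through this role now gets write access to every topic of the exchange on staging unless the caller overrides it, where the removed `set_fact` task granted nothing when `sent_topics` was unset; if that widening is intended, state it in the comment above `sent_topics`, otherwise keep `null` and make `topic_permissions` conditional on it.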
@@ -24,35 +24,24 @@ - fedora-messaging - rabbitmq_cluster -- name: Prepare the topic permissions dict - set_fact: - topic_permissions: - - vhost: "{{ vhost }}" - read_priv: .* - write_priv: "{{ sent_topics }}" - tags: - - config - - fedora-messaging - - rabbitmq_cluster - when: env == "staging" and sent_topics - - debug: msg: "Topic permissions: {{ topic_permissions|default([]) }}" tags: - config - fedora-messaging - rabbitmq_cluster - when: topic_permissions is defined +# See https://www.rabbitmq.com/access-control.html#permissions for details on +# the RabbitMQ permissions configuration. - name: Create the user in RabbitMQ delegate_to: "{{ rabbitmq_server }}" community.rabbitmq.rabbitmq_user: user: "{{ username }}" vhost: "{{ vhost }}" - read_priv: "^$" # Publish only, no reading - write_priv: "amq\\.topic" + read_priv: "{{ read_priv }}" + write_priv: "{{ write_priv }}" configure_priv: "^$" # No configuration permissions - topic_permissions: "{{ topic_permissions|default([]) }}" + topic_permissions: "{{ (env == 'staging')|ternary(topic_permissions, []) }}" state: present tags: - config