I didn't find any information about how security roles affect use of Service Bus Explorer, but when I tested it with a user that has the general "Reader" role it looks like they were able to get into the tool, but could not perform any actions. Preventing this user from Send and Receive operations seems logical, but I was hoping that they would be able to Peek messages.
It would be nice if this feature honored the role-based access controls to determine, based on user, whether to allow Send, Receive, and Peek. I would expect Peek to be more broadly available than Send and Receive. The concern I have with the OSS tool and that this feature seems to share is that it requires the RootManageSharedAccessKey, which sort of give the keys to the kingdom to any user that has it. I'd like to be able to give users the ability to view/monitor/troubleshoot (Peek seems handy for this) without the ability to change either messages or resources.
Thanks!