In a production setting, you do not want every user being able to subscribe to every device, execute every direct method and update every device twin. However, you are the only one to know which user is authorized to subscribe to devices or even just subscribe to a single telemetry.