The broker required create permission for user sessions performing a passive declare (i.e. a declare that should not create, but should merely verify existence).
This resulted in clients that were not actually trying to create an exchange receiving permission errors due to the lack of create permission.
if the declare is passive, the permission required was changed to access rather than create.
Clients using but never creating exchanges need not have create permission granted.