Access management in Data Streams
Data Streams uses roles to manage access rights.
Yandex Cloud users can only perform operations on resources that are allowed by the roles assigned to them. As long as a user has no roles assigned, almost all operations are forbidden.
To enable access to Yandex Data Streams resources (data streams, Yandex Managed Service for YDB databases storing the data streams, and database users), assign the required roles from the list below to a Yandex account, service account, federated user, user group, system group, or public group. Currently, a role can only be assigned for a parent resource (folder or cloud). Roles are inherited by nested resources.
Roles for a resource can be assigned by users who have the yds.admin role or one of the following roles for that resource:
- admin
- resource-manager.admin
- organization-manager.admin
- resource-manager.clouds.owner
- organization-manager.organizations.owner
Note
For more information about role inheritance, see Inheriting access permissions in the Yandex Resource Manager documentation.
Assigning roles
To assign a user a role:
- Add the required user if needed.
- In the management console, on the left, select a cloud.
- Go to the Access bindings tab.
- Click Configure access.
- In the window that opens, select User accounts.
- Select a user from the list or search by user.
- Click Add role and select a role for the cloud.
- Click Save.
Which roles exist in the service
The list below shows all roles considered when verifying access permissions in Data Streams.
Service roles
yds.viewer
Users with the yds.viewer role can read data from Data Streams streams and view their settings. The yds.viewer role also includes all permissions of the ydb.viewer role.
yds.writer
The yds.writer role allows writing data to Data Streams streams.
yds.editor
The yds.editor role enables you to write data to and read data from Data Streams streams, as well as view their settings. The yds.editor role also includes all permissions of the ydb.editor role.
yds.admin
Users with the yds.admin role can manage resource access rights, e.g., allow other users to create Data Streams streams or view information about them. The yds.admin role also includes all permissions of the ydb.admin role.
Primitive roles
viewer
A user with the viewer role can view information about resources, e.g., lists of data streams and the databases they are created in, and their properties.
editor
A user with the editor role can manage any resources, e.g., create a stream or delete it. In addition, this role allows writing application data to streams. The editor role also includes all permissions of the viewer role.
admin
Users with the admin role can manage resource access rights, for example, allow other users to create streams or view information about them. The admin role also includes all permissions of the editor role.
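The two facts this page states about roles, that a role bound on a cloud or folder is inherited by every nested resource (see Assigning roles above) and that some roles include all permissions of another role (the list just above), are what a least-privilege review of a Data Streams deployment has to reason about. The following script is an added example written for this page, not code from Yandex Cloud or its documentation. Role names and the "includes" relations are taken from the page; the permission labels (stream.read, access.manage and so on), the resource identifiers (cloud-a, folder-prod, stream-orders) and the sample bindings are constructed for illustration and are not real IAM permission identifiers or resource ids. The ydb.* roles carry no permissions of their own here because the page does not enumerate them.

```python
"""Least-privilege checks for Yandex Data Streams role bindings.

Added example; not code from the Yandex Cloud documentation. Role names and
the "role X also includes all permissions of role Y" relations come from the
page. Permission labels, resource ids and bindings below are constructed
placeholders, not real IAM permission identifiers.
"""
from __future__ import annotations

from typing import Dict, List, Optional, Set, Tuple

# role -> roles whose permissions it includes (as stated on the page)
INCLUDES: Dict[str, Set[str]] = {
    "yds.viewer": {"ydb.viewer"},
    "yds.editor": {"ydb.editor"},
    "yds.admin": {"ydb.admin"},
    "editor": {"viewer"},
    "admin": {"editor"},
}

# role -> constructed permission labels paraphrasing the page's descriptions
DIRECT: Dict[str, Set[str]] = {
    "yds.viewer": {"stream.read", "stream.view_settings"},
    "yds.writer": {"stream.write"},
    "yds.editor": {"stream.read", "stream.view_settings", "stream.write"},
    "yds.admin": {"access.manage"},
    "viewer": {"resource.view"},
    "editor": {"resource.manage", "stream.write"},
    "admin": {"access.manage"},
    # the page does not enumerate what the ydb.* roles grant
    "ydb.viewer": set(), "ydb.editor": set(), "ydb.admin": set(),
}


def effective_permissions(role: str) -> Set[str]:
    """Transitive closure over INCLUDES: everything a role ultimately grants."""
    seen: Set[str] = set()
    stack = [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(INCLUDES.get(r, ()))
    perms: Set[str] = set()
    for r in seen:
        perms |= DIRECT.get(r, set())
    return perms


# Resource hierarchy (child -> parent), constructed ids. A role bound on a
# cloud or folder is inherited by everything nested under it.
PARENT: Dict[str, Optional[str]] = {
    "cloud-a": None,
    "folder-prod": "cloud-a",
    "ydb-db-1": "folder-prod",
    "stream-orders": "ydb-db-1",
}

Binding = Tuple[str, str, str]  # (subject, role, resource the role is bound on)


def effective_roles(subject: str, resource: str, bindings: List[Binding]) -> Set[str]:
    """Roles a subject holds on a resource, walking up to the cloud."""
    roles: Set[str] = set()
    node: Optional[str] = resource
    while node is not None:
        roles |= {role for s, role, res in bindings if s == subject and res == node}
        node = PARENT.get(node)
    return roles


def subject_permissions(subject: str, resource: str, bindings: List[Binding]) -> Set[str]:
    """Union of the permissions of every role the subject holds on the resource."""
    perms: Set[str] = set()
    for role in effective_roles(subject, resource, bindings):
        perms |= effective_permissions(role)
    return perms


def minimal_role(needed: Set[str]) -> Optional[str]:
    """Smallest role (by permission count) covering every needed permission."""
    candidates = [r for r in DIRECT if needed <= effective_permissions(r)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (len(effective_permissions(r)), r))


def overbroad_bindings(bindings: List[Binding],
                       needs: Dict[str, Set[str]]) -> List[Tuple[Binding, str]]:
    """Bindings that grant more than the subject needs, with the tighter role."""
    findings: List[Tuple[Binding, str]] = []
    for b in bindings:
        subject, role, _ = b
        needed = needs.get(subject)
        if needed is None:
            continue
        tighter = minimal_role(needed)
        if tighter and effective_permissions(role) > effective_permissions(tighter):
            findings.append((b, tighter))
    return findings


# Constructed sample bindings and per-subject needs.
SAMPLE_BINDINGS: List[Binding] = [
    ("serviceAccount:producer", "editor", "folder-prod"),   # only ever writes
    ("serviceAccount:consumer", "yds.viewer", "cloud-a"),   # only ever reads
    ("userAccount:alice", "admin", "cloud-a"),
]
SAMPLE_NEEDS: Dict[str, Set[str]] = {
    "serviceAccount:producer": {"stream.write"},
    "serviceAccount:consumer": {"stream.read"},
}

if __name__ == "__main__":
    for subject in SAMPLE_NEEDS:
        print(subject, sorted(subject_permissions(subject, "stream-orders", SAMPLE_BINDINGS)))
    for binding, tighter in overbroad_bindings(SAMPLE_BINDINGS, SAMPLE_NEEDS):
        print(f"over-broad: {binding} -> use {tighter}")
```

Run as-is, the script reports that the producer account bound to the primitive editor role on folder-prod can also create and delete streams on stream-orders through inheritance, and that the service role yds.writer would cover its one actual need; the consumer's yds.viewer binding on the cloud is already the tightest fit.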