Access management in DataSphere
User access to Yandex DataSphere depends on relevant permissions granted within an organization. Organizations are managed using Yandex Cloud Organization.
The operations available to DataSphere users are determined by their roles. You can assign roles to a Yandex account, service account, federated user, user group, system group, or public group. For more information about access management in Yandex Cloud, see How access management works in Yandex Cloud.
Which resources you can assign a role for
Access control is implemented at the community and project level. You can also make resources available to all community users by publishing them in the community. The access permissions you grant apply to the whole hierarchy of resources. For example, if you assign a role for a DataSphere project to a user, all permissions will also apply to resources within that project. Learn more about relationships between DataSphere resources.
How to assign a role
You can assign a role to a user in the DataSphere interface. You can also grant access permissions through the Cloud Organization interface in Cloud Center.
Which roles exist in the service
Service roles
datasphere.community-projects.viewer
The datasphere.community-projects.viewer role allows you to view information on projects, project settings, and project resources, as well as on granted access permissions for these projects.
In the DataSphere interface, users with the datasphere.community-projects.viewer role have the Viewer role in the Members tab on the community page.
datasphere.community-projects.developer
The datasphere.community-projects.developer role allows you to work in projects and manage project resources.
Users with this role can:
- View info on projects, project settings, and project resources.
- Create, modify, and delete resources within projects.
- Run IDEs and code cells in projects.
- View info on granted access permissions for projects.
This role also includes the datasphere.community-projects.viewer permissions.
In the DataSphere interface, users with the datasphere.community-projects.developer role have the Developer role in the Members tab on the community page.
datasphere.community-projects.editor
The datasphere.community-projects.editor role allows you to work in projects, modify and delete them, as well as manage project resources and share them within the community.
Users with this role can:
- View info on projects, project settings, and project resources, as well as modify and delete projects.
- Create, modify, and delete resources within projects, as well as share the relevant project resources with the communities where the user has the Developer permissions (the datasphere.communities.developer role or higher).
- Run IDEs and code cells in projects.
- View info on granted access permissions for projects.
This role also includes the datasphere.community-projects.developer permissions.
In the DataSphere interface, users with the datasphere.community-projects.editor role have the Editor role in the Members tab on the community page.
datasphere.community-projects.admin
The datasphere.community-projects.admin role allows you to manage access to projects, work in them, modify and delete them, as well as manage project resources and share them within the community.
Users with this role can:
- View info on granted access permissions for projects and modify access permissions.
- View info on projects, project settings, and project resources, as well as modify and delete projects.
- Create, modify, and delete resources within projects, as well as share the relevant project resources with the communities where the user has the Developer role (datasphere.communities.developer) or higher.
- Run IDEs and code cells in projects.
This role also includes the datasphere.community-projects.editor permissions.
In the DataSphere interface, users with the datasphere.community-projects.admin role have the Admin role in the Members tab on the community page.
datasphere.communities.viewer
The datasphere.communities.viewer role allows you to view information on communities and projects, as well as on granted access permissions for them.
Users with this role can:
- View info on communities and granted access permissions for them.
- View info on community projects, project settings, and project resources, as well as on granted access permissions for these projects.
- View info on the relevant organization.
This role also includes the datasphere.community-projects.viewer permissions.
In the DataSphere interface, users with the datasphere.communities.viewer role have the Viewer role in the Members tab on the community page.
datasphere.communities.developer
The datasphere.communities.developer role allows you to create new projects and publish project resources in communities, as well as view information on communities and projects.
Users with this role can:
- View info on communities and granted access permissions for them.
- Create new projects in communities.
- Publish project resources in the communities where the user has the Developer permissions (the datasphere.communities.developer role) or higher.
- View info on projects, project settings, and project resources, as well as on granted access permissions for these projects.
- View info on the relevant organization.
This role also includes the datasphere.communities.viewer permissions.
In the DataSphere interface, users with the datasphere.communities.developer role have the Developer role in the Members tab on the community page.
datasphere.communities.editor
The datasphere.communities.editor role allows you to link a billing account to communities, delete communities, and edit community settings, as well as manage community projects and resources.
Users with this role can:
- View info on communities and granted access permissions for them, as well as modify and delete communities.
- Link a billing account to communities.
- Create new projects in communities, as well as modify and delete projects.
- View info on projects, project settings, and project resources, as well as on granted access permissions for these projects.
- Create, modify, and delete resources within projects, as well as publish project resources in the communities where the user has the Developer permissions (the datasphere.communities.developer role) or higher.
- Run IDEs and code cells in projects.
- View info on the relevant organization.
This role also includes the datasphere.communities.developer and datasphere.community-projects.editor permissions.
In the DataSphere interface, users with the datasphere.communities.editor role have the Editor role in the Members tab on the community page.
datasphere.communities.admin
The datasphere.communities.admin role allows you to manage communities and community projects, as well as access to them.
Users with this role can:
- View info on communities, as well as modify and delete communities.
- View info on granted access permissions for communities and modify access permissions.
- Link a billing account to communities.
- Create new projects in communities, as well as modify and delete projects.
- View info on projects, project settings, and project resources.
- View info on granted access permissions for projects and modify access permissions.
- Create, modify, and delete resources within projects, as well as publish project resources in the communities where the user has the Developer permissions (the datasphere.communities.developer role or higher).
- Run IDEs and code cells in projects.
- View info on the relevant organization.
This role also includes the datasphere.communities.editor and datasphere.community-projects.admin permissions.
In the DataSphere interface, users with the datasphere.communities.admin role have the Admin role in the Members tab on the community page.
For example, Julia works with multiple teams and belongs to their communities with different access rights:
- In the Cat lovers community: Admin (the datasphere.communities.admin role).
- In the Counting fences community: Developer (the datasphere.communities.developer role).
- In the Top secret community: Viewer (the datasphere.communities.viewer role), but Editor in the Project_111 project of this community (the datasphere.community-projects.editor role).
Julia can:
- Share the resources of any project from the Cat lovers community within this community.
- Share the resources of any project from the Cat lovers community in the Counting fences community.
- Publish the Project_111 resources in the Cat lovers and Counting fences communities, but not share them in the Top secret community, where she only has the Viewer role.
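The role inclusion rules ("this role also includes ... permissions") and the sharing rule above can be checked mechanically. The following is an added example, not Yandex Cloud code: it encodes the inclusion graph of the real DataSphere role names, applies the page's rule that sharing needs Editor or higher on the source project and Developer or higher in the destination community, and evaluates the Julia scenario. The user name, community names, project names and grants are constructed for the example; "any-project" stands for an arbitrary project in the Cat lovers community.

```python
# Added example (not Yandex Cloud code). Role names are real DataSphere roles;
# the grants below are constructed test data for the "Julia" scenario.
# INCLUDES lists, for each role, the roles it directly includes per the text.
INCLUDES = {
    "datasphere.community-projects.developer": ["datasphere.community-projects.viewer"],
    "datasphere.community-projects.editor": ["datasphere.community-projects.developer"],
    "datasphere.community-projects.admin": ["datasphere.community-projects.editor"],
    "datasphere.communities.viewer": ["datasphere.community-projects.viewer"],
    "datasphere.communities.developer": ["datasphere.communities.viewer"],
    "datasphere.communities.editor": ["datasphere.communities.developer", "datasphere.community-projects.editor"],
    "datasphere.communities.admin": ["datasphere.communities.editor", "datasphere.community-projects.admin"],
}

# Constructed grants: (user, community) -> community role; (user, community, project) -> project role.
COMMUNITY_ROLES = {
    ("julia", "Cat lovers"): "datasphere.communities.admin",
    ("julia", "Counting fences"): "datasphere.communities.developer",
    ("julia", "Top secret"): "datasphere.communities.viewer",
}
PROJECT_ROLES = {
    ("julia", "Top secret", "Project_111"): "datasphere.community-projects.editor",
}

def expand(role):
    """Return the role together with every role it transitively includes."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(INCLUDES.get(r, []))
    return seen

def effective_roles(user, community, project=None):
    """A community grant applies to the whole hierarchy, so it is combined with any direct project grant."""
    roles = set()
    if (user, community) in COMMUNITY_ROLES:
        roles |= expand(COMMUNITY_ROLES[(user, community)])
    if project is not None and (user, community, project) in PROJECT_ROLES:
        roles |= expand(PROJECT_ROLES[(user, community, project)])
    return roles

def can_share(user, src_community, project, dst_community):
    """Sharing project resources needs Editor or higher on the source project
    and Developer or higher in the destination community."""
    return ("datasphere.community-projects.editor"
            in effective_roles(user, src_community, project)
            and "datasphere.communities.developer"
            in effective_roles(user, dst_community))
```

Running `can_share("julia", "Top secret", "Project_111", "Top secret")` returns False because the Viewer role in Top secret does not include datasphere.communities.developer, while the same project can be published into Cat lovers and Counting fences.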
Primitive roles
Primitive roles allow users to perform actions in all Yandex Cloud services.
auditor
The auditor role grants permission to read the configuration and metadata of any Yandex Cloud resources, without any access to the data itself.
For instance, users with this role can:
- View info on a resource.
- View the resource metadata.
- View the list of operations with a resource.
auditor is the most secure role, as it does not grant any access to the service data. This role suits users who need minimum access to Yandex Cloud resources.
viewer
The viewer role grants the permissions to read the info on any Yandex Cloud resources.
This role also includes the auditor permissions.
Unlike auditor, the viewer role provides read access to service data.
editor
The editor role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.
For instance, users with this role can create, modify, and delete resources.
This role also includes the viewer permissions.
admin
The admin role enables assigning any roles, except for resource-manager.clouds.owner and organization-manager.organizations.owner, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).
Prior to assigning the admin role for an organization, cloud, or billing account, make sure to check out the information on protecting privileged accounts.
This role also includes the editor permissions.
Instead of primitive roles, we recommend using service roles. This ensures more selective access control and implementation of the principle of least privilege.
For more information about primitive roles, see the Yandex Cloud role reference.
What roles do I need
The table below lists the roles required to perform a particular action. You can always assign a role offering more permissions than the one specified. For example, you can assign the Editor role instead of Viewer.
Action | Required roles
Viewing data |
Viewing a project, its settings, and users |
Project management |
Running the IDE |
Using resources |
Creating resources |
Deleting resources |
Publishing resources in a community |
Granting a role in a project |
Community management |
Editing community settings |
Granting a role in a community |