Access management in DataSphere
User access to Yandex DataSphere depends on relevant permissions granted within an organization. Organizations are managed using Yandex Cloud Organization.
The list of operations available to DataSphere users is determined by the roles they have. Roles can be assigned to a Yandex account, a service account, federated users, a user group, or a system group. For more information about managing access to Yandex Cloud, see How access management works in Yandex Cloud.
Only users with the admin, resource-manager.clouds.owner, or organization-manager.organizations.owner role for a resource can assign roles for this resource.
Which resources you can assign a role for
Access control is implemented at the community and project level. You can also make resources available to all community users. Once granted, access permissions apply to the whole hierarchy of resources. For example, if you give a user a role for a DataSphere project, all the permissions will also be valid for the resources within this project. Learn more about relationships between DataSphere resources.
How to assign a role
You can assign a role to a user in the DataSphere interface:
You can also grant access rights through the Cloud Organization interface.
Which roles exist in the service
Service roles
datasphere.community-projects.viewer
The datasphere.community-projects.viewer role allows you to view information on projects, project settings, and project resources, as well as on granted access permissions for these projects.
In the DataSphere interface, users with the datasphere.community-projects.viewer role have the Viewer role in the Members tab on the community page.
datasphere.community-projects.developer
The datasphere.community-projects.developer role allows you to work in projects and manage project resources.
Users with this role can:
- View info on projects, project settings, and project resources.
- Create, modify, and delete resources within projects.
- Run IDEs and code cells in projects.
- View info on granted access permissions for projects.
This role also includes the datasphere.community-projects.viewer permissions.
In the DataSphere interface, users with the datasphere.community-projects.developer role have the Developer role in the Members tab on the community page.
datasphere.community-projects.editor
The datasphere.community-projects.editor role allows you to work in projects, modify and delete them, as well as manage project resources and share them within the community.
Users with this role can:
- View info on projects, project settings, and project resources, as well as modify and delete projects.
- Create, modify, and delete resources within projects, as well as share the relevant project resources with the communities where the user has the Developer permissions (the datasphere.communities.developer role or higher).
- Run IDEs and code cells in projects.
- View info on granted access permissions for projects.
This role also includes the datasphere.community-projects.developer permissions.
In the DataSphere interface, users with the datasphere.community-projects.editor role have the Editor role in the Members tab on the community page.
datasphere.community-projects.admin
The datasphere.community-projects.admin role allows you to manage access to projects, work in them, modify and delete them, as well as manage project resources and share them within the community.
Users with this role can:
- View info on granted access permissions for projects and modify access permissions.
- View info on projects, project settings, and project resources, as well as modify and delete projects.
- Create, modify, and delete resources within projects, as well as share the relevant project resources with the communities where the user has the Developer role (datasphere.communities.developer) or higher.
- Run IDEs and code cells in projects.
This role also includes the datasphere.community-projects.editor permissions.
In the DataSphere interface, users with the datasphere.community-projects.admin role have the Admin role in the Members tab on the community page.
datasphere.communities.viewer
The datasphere.communities.viewer role allows you to view information on communities and projects, as well as on granted access permissions for them.
Users with this role can:
- View info on communities and granted access permissions for them.
- View info on community projects, project settings, and project resources, as well as on granted access permissions for these projects.
- View info on the relevant organization.
This role also includes the datasphere.community-projects.viewer permissions.
In the DataSphere interface, users with the datasphere.communities.viewer role have the Viewer role in the Members tab on the community page.
datasphere.communities.developer
The datasphere.communities.developer role allows you to create new projects and publish project resources in communities, as well as view information on communities and projects.
Users with this role can:
- View info on communities and granted access permissions for them.
- Create new projects in communities.
- Publish project resources in the communities where the user has the Developer permissions (the datasphere.communities.developer role) or higher.
- View info on projects, project settings, and project resources, as well as on granted access permissions for these projects.
- View info on the relevant organization.
This role also includes the datasphere.communities.viewer permissions.
In the DataSphere interface, users with the datasphere.communities.developer role have the Developer role in the Members tab on the community page.
datasphere.communities.editor
The datasphere.communities.editor role allows you to link a billing account to communities, delete communities, and edit community settings, as well as manage community projects and resources.
Users with this role can:
- View info on communities and granted access permissions for them, as well as modify and delete communities.
- Link a billing account to communities.
- Create new projects in communities, as well as modify and delete projects.
- View info on projects, project settings, and project resources, as well as on granted access permissions for these projects.
- Create, modify, and delete resources within projects, as well as publish project resources in the communities where the user has the Developer permissions (the datasphere.communities.developer role) or higher.
- Run IDEs and code cells in projects.
- View info on the relevant organization.
This role also includes the datasphere.communities.developer and datasphere.community-projects.editor permissions.
In the DataSphere interface, users with the datasphere.communities.editor role have the Editor role in the Members tab on the community page.
datasphere.communities.admin
The datasphere.communities.admin role allows you to manage communities and community projects, as well as access to them.
Users with this role can:
- View info on communities, as well as modify and delete communities.
- View info on granted access permissions for communities and modify access permissions.
- Link a billing account to communities.
- Create new projects in communities, as well as modify and delete projects.
- View info on projects, project settings, and project resources.
- View info on granted access permissions for projects and modify access permissions.
- Create, modify, and delete resources within projects, as well as publish project resources in the communities where the user has the Developer permissions (the datasphere.communities.developer role or higher).
- Run IDEs and code cells in projects.
- View info on the relevant organization.
This role also includes the datasphere.communities.editor and datasphere.community-projects.admin permissions.
In the DataSphere interface, users with the datasphere.communities.admin role have the Admin role in the Members tab on the community page.
For example, Julia works with multiple teams and belongs to their communities with different access rights:
- In the Cat lovers community: Admin (the datasphere.communities.admin role).
- In the Counting fences community: Admin (the datasphere.communities.admin role).
- In the Top secret community: Developer (the datasphere.communities.developer role), but no Admin privilege in the Project_111 project of this community (the datasphere.community-projects.admin role).
Julia can share the resources of any Cat lovers or Counting fences projects in any of these communities. She can also publish Project_111 resources in these communities, but can't share them in the Top secret community.
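The "This role also includes" statements above form an inclusion graph, so a single community-level binding can carry project-level permissions that are easy to miss in an access review. The following added example (not Yandex Cloud code and not part of the original page) expands each binding through that graph and lists who can modify access permissions on which project. The subjects, resource names, and bindings are constructed, and applying a community binding to every project in that community is an assumption based on the hierarchy rule described earlier.

```python
# Added example. Role inclusions are transcribed from the "This role also
# includes" statements above; subjects and resource names are constructed.
P, C = "datasphere.community-projects.", "datasphere.communities."
INCLUDES = {
    P + "viewer": [],
    P + "developer": [P + "viewer"],
    P + "editor": [P + "developer"],
    P + "admin": [P + "editor"],
    C + "viewer": [P + "viewer"],
    C + "developer": [C + "viewer"],
    C + "editor": [C + "developer", P + "editor"],
    C + "admin": [C + "editor", P + "admin"],
}
GRANT = P + "admin"  # per the page, this role can modify project access permissions

def effective_roles(role):
    """Transitive closure of one role over INCLUDES (iterative DFS)."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in INCLUDES:
            raise ValueError(f"unknown role: {r}")
        if r not in seen:
            seen.add(r)
            stack.extend(INCLUDES[r])
    return seen

def project_access(bindings, project_parent):
    """Map (subject, project) -> effective roles; community bindings reach its projects."""
    access = {}
    for subject, role, resource in bindings:
        targets = [p for p, c in project_parent.items() if resource in (p, c)]
        for project in targets:
            access.setdefault((subject, project), set()).update(effective_roles(role))
    return access

def can_grant(access):
    """Sorted (subject, project) pairs able to change project access permissions."""
    return sorted(k for k, roles in access.items() if GRANT in roles)

# Constructed sample data: two projects in one community (assumed layout).
PROJECT_PARENT = {"project-a": "community-1", "project-b": "community-1"}
BINDINGS = [
    ("alice", C + "admin", "community-1"),
    ("bob", C + "editor", "community-1"),
    ("carol", P + "admin", "project-b"),
]

if __name__ == "__main__":
    print(can_grant(project_access(BINDINGS, PROJECT_PARENT)))
```

In this sample, the community editor gains project editor rights on both projects but cannot change access permissions, while the community admin can do so on every project in the community.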
Primitive roles
auditor
Grants permission to view service configuration and metadata without access to data.
viewer
Enables you to view information about resources.
editor
Allows managing (creating, editing, and deleting) resources.
admin
Allows you to manage your resources and access to them.
For more information about primitive roles, see the Yandex Cloud role reference.
What roles do I need
The table below lists the roles needed to perform a particular action. You can always assign a role granting more permissions than the role specified. For example, you can assign Editor instead of Viewer.
Action |
Roles required |
Viewing information |
|
Viewing a project, its settings, and users |
|
Viewing a community, its settings, and users |
|
Managing a project |
|
|
|
Running an IDE |
|
Using resources |
|
Creating resources |
|
Deleting resources |
|
Publishing resources in a community |
|
|
|
|
|
Granting a role in a project |
|
Managing a community |
|
Editing community settings |
|
|
|
|
|
Granting a role in a community |
|