Yandex project
© 2025 Yandex.Cloud LLC
Access management in DataSphere

Written by
Yandex Cloud
Updated at April 22, 2025
  • Which resources you can assign a role for
  • How to assign a role
  • Which roles exist in the service
    • Service roles
    • Primitive roles
  • What roles do I need

User access to Yandex DataSphere depends on relevant permissions granted within an organization. Organizations are managed using Yandex Cloud Organization.

The operations available to DataSphere users are determined by their roles. You can assign roles to a Yandex account, service account, federated user, user group, system group, or public group. For more information about access management in Yandex Cloud, see How access management works in Yandex Cloud.

Which resources you can assign a role for

Access control is implemented at the community and project level. You can also make resources available to all community users by publishing them in the community. The access permissions you grant apply to the whole hierarchy of resources. For example, if you assign a role for a DataSphere project to a user, all permissions will also apply to resources within that project. Learn more about relationships between DataSphere resources.

How to assign a role

You can assign a role to a user in the DataSphere interface by:

  • Adding a user to a community.
  • Adding a user to a project.
  • Sharing resources with community members.

You can also grant access permissions through the Cloud Organization interface in Cloud Center, with Terraform, or through the Yandex Cloud API.

Which roles exist in the service

Service roles

datasphere.community-projects.viewer

The datasphere.community-projects.viewer role allows you to view information on projects, project settings, and project resources, as well as on granted access permissions for these projects.

In the DataSphere interface, users with the datasphere.community-projects.viewer role have the Viewer role in the Members tab on the community page.

datasphere.community-projects.developer

The datasphere.community-projects.developer role allows you to work in projects and manage project resources.

Users with this role can:

  • View info on projects, project settings, and project resources.
  • Create, modify, and delete resources within projects.
  • Run IDEs and code cells in projects.
  • View info on granted access permissions for projects.

This role also includes the datasphere.community-projects.viewer permissions.

In the DataSphere interface, users with the datasphere.community-projects.developer role have the Developer role in the Members tab on the community page.

datasphere.community-projects.editor

The datasphere.community-projects.editor role allows you to work in projects, modify and delete them, as well as manage project resources and share them within the community.

Users with this role can:

  • View info on projects, project settings, and project resources, as well as modify and delete projects.
  • Create, modify, and delete resources within projects, as well as share the relevant project resources with the communities where the user has the Developer permissions (the datasphere.communities.developer role or higher).
  • Run IDEs and code cells in projects.
  • View info on granted access permissions for projects.

This role also includes the datasphere.community-projects.developer permissions.

In the DataSphere interface, users with the datasphere.community-projects.editor role have the Editor role in the Members tab on the community page.

datasphere.community-projects.admin

The datasphere.community-projects.admin role allows you to manage access to projects, work in them, modify and delete them, as well as manage project resources and share them within the community.

Users with this role can:

  • View info on granted access permissions for projects and modify access permissions.
  • View info on projects, project settings, and project resources, as well as modify and delete projects.
  • Create, modify, and delete resources within projects, as well as share the relevant project resources with the communities where the user has the Developer role (datasphere.communities.developer) or higher.
  • Run IDEs and code cells in projects.

This role also includes the datasphere.community-projects.editor permissions.

In the DataSphere interface, users with the datasphere.community-projects.admin role have the Admin role in the Members tab on the community page.

datasphere.communities.viewer

The datasphere.communities.viewer role allows you to view information on communities and projects, as well as on granted access permissions for them.

Users with this role can:

  • View info on communities and granted access permissions for them.
  • View info on community projects, project settings, and project resources, as well as on granted access permissions for these projects.
  • View info on the relevant organization.

This role also includes the datasphere.community-projects.viewer permissions.

In the DataSphere interface, users with the datasphere.communities.viewer role have the Viewer role in the Members tab on the community page.

datasphere.communities.developer

The datasphere.communities.developer role allows you to create new projects and publish project resources in communities, as well as view information on communities and projects.

Users with this role can:

  • View info on communities and granted access permissions for them.
  • Create new projects in communities.
  • Publish project resources in the communities where the user has the Developer permissions (the datasphere.communities.developer role) or higher.
  • View info on projects, project settings, and project resources, as well as on granted access permissions for these projects.
  • View info on the relevant organization.

This role also includes the datasphere.communities.viewer permissions.

In the DataSphere interface, users with the datasphere.communities.developer role have the Developer role in the Members tab on the community page.

datasphere.communities.editor

The datasphere.communities.editor role allows you to link a billing account to communities, delete communities, and edit community settings, as well as manage community projects and resources.

Users with this role can:

  • View info on communities and granted access permissions for them, as well as modify and delete communities.
  • Link a billing account to communities.
  • Create new projects in communities, as well as modify and delete projects.
  • View info on projects, project settings, and project resources, as well as on granted access permissions for these projects.
  • Create, modify, and delete resources within projects, as well as publish project resources in the communities where the user has the Developer permissions (the datasphere.communities.developer role) or higher.
  • Run IDEs and code cells in projects.
  • View info on the relevant organization.

This role also includes the datasphere.communities.developer and datasphere.community-projects.editor permissions.

In the DataSphere interface, users with the datasphere.communities.editor role have the Editor role in the Members tab on the community page.

datasphere.communities.admin

The datasphere.communities.admin role allows you to manage communities and community projects, as well as access to them.

Users with this role can:

  • View info on communities, as well as modify and delete communities.
  • View info on granted access permissions for communities and modify access permissions.
  • Link a billing account to communities.
  • Create new projects in communities, as well as modify and delete projects.
  • View info on projects, project settings, and project resources.
  • View info on granted access permissions for projects and modify access permissions.
  • Create, modify, and delete resources within projects, as well as publish project resources in the communities where the user has the Developer permissions (the datasphere.communities.developer role or higher).
  • Run IDEs and code cells in projects.
  • View info on the relevant organization.

This role also includes the datasphere.communities.editor and datasphere.community-projects.admin permissions.

In the DataSphere interface, users with the datasphere.communities.admin role have the Admin role in the Members tab on the community page.

For example, Julia works with multiple teams and belongs to their communities with different access rights:

  • In the Cat lovers community: Admin (the datasphere.communities.admin role).
  • In the Counting fences community: Developer (the datasphere.communities.developer role).
  • In the Top secret community: Viewer (the datasphere.communities.viewer role), but with the Editor privilege in the Project_111 project of this community (the datasphere.community-projects.editor role).

Julia can:

  • Share the resources of any project from the Cat lovers community in this community.
  • Share the resources of any project from the Cat lovers community in the Counting fences community.
  • Publish the Project_111 resources in the Cat lovers and Counting fences communities. She cannot share them in the Top secret community.
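
The inclusion rules and Julia's case above, worked as a small Python model (an added example, not Yandex Cloud code or an API client). The data structures, function names and the project names Project_A and Project_B are assumptions made here; Julia is taken to hold datasphere.community-projects.editor on Project_111, which is what her ability to publish its resources requires.

```python
P, C = "datasphere.community-projects.", "datasphere.communities."

# "This role also includes ..." statements, transcribed from the role descriptions.
INCLUDES = {
    P + "viewer": [],
    P + "developer": [P + "viewer"],
    P + "editor": [P + "developer"],
    P + "admin": [P + "editor"],
    C + "viewer": [P + "viewer"],
    C + "developer": [C + "viewer"],
    C + "editor": [C + "developer", P + "editor"],
    C + "admin": [C + "editor", P + "admin"],
}


def expand(role):
    """Return the role plus every role it transitively includes."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(INCLUDES[current])  # unknown role names raise KeyError
    return seen


def effective(user, community, project=None):
    """Roles in force on a community, or on one of its projects (inherited + direct)."""
    granted = [user["communities"].get(community)]
    if project is not None:
        granted.append(user["projects"].get((community, project)))
    roles = set()
    for role in filter(None, granted):
        roles |= expand(role)
    return roles


def can_publish(user, community, project, target):
    """Publishing needs Editor for the project and Developer for the target community."""
    return (P + "editor" in effective(user, community, project)
            and C + "developer" in effective(user, target))


# Julia's assignments from the example above (constructed data).
JULIA = {
    "communities": {"Cat lovers": C + "admin", "Counting fences": C + "developer",
                    "Top secret": C + "viewer"},
    "projects": {("Top secret", "Project_111"): P + "editor"},
}
```

In this model, `can_publish(JULIA, "Counting fences", "Project_B", "Cat lovers")` is false: datasphere.communities.developer includes only viewer permissions on a community's projects, so a project-level Editor role is still needed before resources can leave that project.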

Primitive roles

Primitive roles allow users to perform actions in all Yandex Cloud services.

auditor

The auditor role grants permission to read the configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:

  • View info on a resource.
  • View the resource metadata.
  • View the list of operations with a resource.

auditor is the most secure role that does not grant any access to service data. This role suits users who need minimum access to Yandex Cloud resources.

viewer

The viewer role grants the permissions to read the info on any Yandex Cloud resources.

This role also includes the auditor permissions.

Unlike auditor, the viewer role provides access to service data in read mode.

editor

The editor role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.

For instance, users with this role can create, modify, and delete resources.

This role also includes the viewer permissions.

admin

The admin role enables assigning any roles, except for resource-manager.clouds.owner and organization-manager.organizations.owner, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).

Prior to assigning the admin role for an organization, cloud, or billing account, make sure to check out the information on protecting privileged accounts.

This role also includes the editor permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the least privilege principle.

For more information about primitive roles, see the Yandex Cloud role reference.

What roles do I need

The table below lists the roles required to perform a particular action. You can always assign a role offering more permissions than the one specified. For example, you can assign the Editor role instead of Viewer.

| Action | Required roles |
|---|---|
| Viewing data | |
| Viewing a project, its settings, and users | Viewer for a project |
| Viewing a project, its settings, and users | Viewer for a community |
| Project management | |
| Creating a project | Developer for a community |
| Running the IDE | Developer for a project |
| Using resources | Developer for a project |
| Creating resources | Developer for a project |
| Deleting resources | Developer for a project |
| Publishing resources in a community | Editor for a project and Developer for a community |
| Editing project settings | Editor for a project |
| Deleting a project | Editor for a project |
| Granting a role in a project | Admin for a project |
| Community management | |
| Editing community settings | Editor for a community |
| Linking a billing account | Editor for a community and admin for a billing account |
| Deleting a community | Editor for a community |
| Granting a role in a community | Admin for a community |

See also

  • Yandex Cloud Organization
  • How access management works in Yandex Cloud
  • Service accounts
  • Learn more about inheriting roles
