Access management in Query

Query uses roles to manage access rights.

Yandex Cloud users can only perform operations on resources that are allowed by the roles assigned to them. As long as a user has no roles assigned, almost all operations are forbidden.

To allow access to Yandex Query resources, assign the required roles from the list below to a Yandex account, service account, federated users, user group, system group, or public group. Currently, a role can only be assigned for a parent resource (folder or cloud). Roles are inherited by nested resources.

Roles for a resource can be assigned by users who have the yq.admin role or one of the following roles for that resource:

• admin
• resource-manager.admin
• organization-manager.admin
• resource-manager.clouds.owner
• organization-manager.organizations.owner

Assigning rolesAssigning roles

To assign a user a role:

1. Add the required user if needed.
2. In the management console, on the left, select a cloud.
3. Go to the Access bindings tab.
4. Click Configure access.
5. In the window that opens, select User accounts.
6. Select a user from the list or search by user.
7. Click Add role and select a role for the cloud.
8. Click Save.

Which roles exist in the serviceWhich roles exist in the service

You can manage access to Query objects using both service and primitive roles. The chart below shows which roles are available in the service and how they inherit each other's permissions. For example, the editor role includes all viewer role permissions. You can find the description of each role under the chart.

The list below shows all roles considered when verifying access permissions in Query.

Service rolesService roles

yq.auditoryq.auditor

The yq.auditor role allows you to view the service metadata, including the information on folder, connections, bindings, and queries.

yq.vieweryq.viewer

Users with the yq.viewer role can view queries and their results.

This role includes the yq.auditor permissions.

yq.editoryq.editor

Users assigned the yq.editor role can view, edit, and delete their connections and queries, as well as run the queries they create. The yq.editor role includes all permissions of the yq.viewer role.

yq.adminyq.admin

The yq.admin role allows you to manage any Query resources, including those labeled as private. The yq.admin role includes all permissions of the yq.editor role.

yq.invokeryq.invoker

Users with the yq.invoker role can run queries in Query. The role is designed to automate query execution by service accounts. For example, you can use it to run queries by an event or on schedule.

Primitive rolesPrimitive roles

viewerviewer

Users with the viewer role can view information about resources, such as query runs.

editoreditor

Users with the editor role can manage any resource, such as creating or deleting a query. The editor role includes all permissions of the viewer role.

adminadmin

Users with the admin role can manage resource access rights, such as permitting other users to create queries. The admin role includes all permissions of the editor role.