Data Security Posture Management (DSPM) service roles
With DSPM service roles, you can manage user access to the DSPM resources and their settings, as well as to the results of scans of sources for sensitive information.
dspm.inspector
The dspm.inspector role enables creating DSPM data sources using the specified Yandex Cloud resources. To create a DSPM data source, assign this role to a user for the appropriate cloud resource.
dspm.auditor
The dspm.auditor role enables viewing info on DSPM resources, as well as on scan jobs and the number of detected security threats. With this role, you cannot view masked and unprocessed data.
Users with this role can:
- View info on DSPM profiles.
- View info on DSPM data sources.
- View info on security scan jobs.
- View scan results and the info on the detected threats.
dspm.viewer
The dspm.viewer role enables viewing info on DSPM resources, as well as on scan jobs and the number of detected security threats. With this role, you cannot view masked and unprocessed data.
Users with this role can:
- View info on DSPM profiles.
- View info on DSPM data sources.
- View info on security scan jobs.
- View scan results and the info on the detected threats.
This role also includes the dspm.auditor permissions.
dspm.editor
The dspm.editor role enables using DSPM profiles and managing data sources and security scans. With this role, you cannot view masked and unprocessed data.
Users with this role can:
- View info on DSPM profiles and use them.
- View info on DSPM data sources, as well as create, modify, use, and delete them.
- View info on security scan jobs, as well as create, modify, and delete such jobs.
- Run security scan jobs and view their results, as well as info on the detected threats.
- View the bucket metadata.
This role also includes the dspm.viewer permissions.
dspm.admin
The dspm.admin role enables using DSPM profiles and managing data sources and security scans, which includes viewing masked and unprocessed data in the scan results.
Users with this role can:
- View info on DSPM profiles and use them.
- View info on DSPM data sources, as well as create, modify, use, and delete them.
- Use Yandex Cloud resources in DSPM data sources.
- View info on DSPM data categories.
- View info on security scan jobs, as well as create, modify, and delete such jobs.
- Run security scan jobs and view their results, as well as info on the detected threats.
- View the bucket metadata.
This role also includes the dspm.editor and dspm.inspector permissions.
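The inclusion chain above means that a single binding can carry more access than its name suggests. The following is an added example, not Yandex Cloud code: it expands each assigned role through the inclusions stated on this page and reports which subjects end up able to view masked and unprocessed data, manage data sources and scan jobs, or use cloud resources in data sources. The binding list, subject names and capability labels are constructed for illustration.

```python
# Added example: role inheritance as stated on this page, nothing more.
INCLUDES = {
    "dspm.inspector": [],
    "dspm.auditor": [],
    "dspm.viewer": ["dspm.auditor"],
    "dspm.editor": ["dspm.viewer"],
    "dspm.admin": ["dspm.editor", "dspm.inspector"],
}

def effective_roles(role):
    """Return the role plus every DSPM role it transitively includes."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current in INCLUDES and current not in seen:
            seen.add(current)
            stack.extend(INCLUDES[current])
    return seen

# Capability labels are hypothetical names for this review, keyed by the
# lowest role that grants each capability according to the page.
CAPABILITY_ROLE = {
    "views_masked_and_unprocessed_data": "dspm.admin",
    "manages_data_sources_and_scan_jobs": "dspm.editor",
    "uses_cloud_resources_in_data_sources": "dspm.inspector",
}

def review(bindings):
    """Map each capability to the sorted subjects whose roles carry it."""
    report = {cap: set() for cap in CAPABILITY_ROLE}
    for subject, role in bindings:
        granted = effective_roles(role)  # empty set for non-DSPM roles
        for cap, needed in CAPABILITY_ROLE.items():
            if needed in granted:
                report[cap].add(subject)
    return {cap: sorted(subjects) for cap, subjects in report.items()}

# Constructed sample bindings (subject, role); not real accounts.
SAMPLE_BINDINGS = [
    ("alice", "dspm.admin"),
    ("bob", "dspm.editor"),
    ("carol", "dspm.viewer"),
    ("scanner-sa", "dspm.inspector"),
    ("dave", "storage.viewer"),
]

if __name__ == "__main__":
    for capability, subjects in review(SAMPLE_BINDINGS).items():
        print(capability, subjects)
```

In an access review, the first list is the one to keep shortest, since dspm.admin is the only role on this page that exposes masked and unprocessed data.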