Access management in Yandex Cloud Billing
Billing account access
Access to the billing account can be provided via the Yandex Cloud Billing interface or the Yandex Cloud API. A billing account can be created by users with a registered Yandex or Yandex 360 account:
- If you or your employee have no account yet, create one on Yandex or Yandex 360.
- If using a social network profile to log in to Yandex, create a username and password.
The operations a user can perform on a billing account depend on the assigned role. You can assign roles to a Yandex account, service account, federated users, user group, system group, or public group.
Note
Access can only be granted to a user whose billing account has a cloud linked in Identity and Access Management.
Roles existing in this service
Service roles
billing.accounts.owner
When creating your billing account, you get the billing.accounts.owner role automatically. It cannot be revoked, but you can assign it to other users and then revoke from them.
In Yandex Cloud Billing, users with this role can:
- Display billing accounts in the list of all accounts.
- View billing account data.
- View client offers.
- View info on the access permissions granted for the relevant billing accounts and modify such permissions.
- Activate, deactivate, or modify the technical support service plan, as well as change the billing account from which the payment is debited.
- View and download reporting (or closing) documents.
- Generate new reconciliation reports.
- View and download generated reconciliation reports.
- Get and view notifications on consumption.
- Monitor expenses.
- View usage details.
- Export details.
- Create budgets.
- Reserve resource usage.
- Top up their personal account using a bank account.
- Top up their personal account using a credit or debit card.
- Link clouds to a billing account.
- Rename billing accounts.
- Changing payer contact details.
- Change payment details.
- Change their credit or debit card details.
- Change the payment method.
- Redeem promo codes.
- Activate the trial period.
- Activate the paid version.
- Delete billing accounts.
On the Yandex Cloud partner portal, users with this role can:
- Create customer records (subaccounts).
- View the list of subaccounts and info on them.
- Update subaccount records.
- Activate subaccounts.
- Suspend subaccounts.
- Re-activate subaccounts.
- Delete subaccounts without customer confirmation.
- Link clouds to subaccounts.
- Manage access permissions to subaccounts.
- View the details of how the customers use services.
- View rebate credit history.
- Withdraw rebate.
- View assigned specializations.
- View the list of partner discounts and info on them.
- View the history of crediting referral program bonuses.
- Withdraw referral program bonuses.
- View the status of settlements with the referrer company.
- View the list of referral links.
- Create referral links.
- Activate referral links.
- Modify referral links.
This role also includes the billing.accounts.admin permissions.
billing.accounts.viewer
To use the billing.accounts.viewer role, you need to assign it for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, and export reconciliation reports and reporting documents.
In Yandex Cloud Billing, users with this role can:
- Display billing accounts in the list of all accounts.
- View billing account data.
- View and download reporting (or closing) documents.
- View and download generated reconciliation reports.
- Get and view notifications on consumption.
- Monitor expenses.
- View usage details.
On the Yandex Cloud partner portal, users with this role can:
- View the list of subaccounts and info on them.
- View the details of how the customers use services.
- View assigned specializations.
- View the list of partner discounts and info on them.
- View the history of crediting referral program bonuses.
- View the status of settlements with the referrer company.
- View the list of referral links.
billing.accounts.accountant
To use the billing.accounts.accountant role, you need to assign it for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, export reconciliation reports and reporting documents, create new reconciliation reports, and top up your personal account using a bank account.
In Yandex Cloud Billing, users with this role can:
- Display billing accounts in the list of all accounts.
- View billing account data.
- View and download reporting (or closing) documents.
- Generate new reconciliation reports.
- View and download generated reconciliation reports.
- Get and view notifications on consumption.
- Monitor expenses.
- View usage details.
- Top up their personal account using a bank account.
On the Yandex Cloud partner portal, users with this role can:
- View the list of subaccounts and info on them.
- View the details of how the customers use services.
- View rebate credit history.
- Withdraw rebate.
- View assigned specializations.
- View the list of partner discounts and info on them.
- View the history of crediting referral program bonuses.
- View the status of settlements with the referrer company.
- View the list of referral links.
This role also includes the billing.accounts.viewer permissions.
billing.accounts.editor
To use the billing.accounts.editor role, you need to assign it for a billing account. It enables you to get payment invoices, redeem promo codes, link clouds and services to your billing account, create details export and budgets, generate reconciliation reports, and reserve resources.
In Yandex Cloud Billing, users with this role can:
- Display billing accounts in the list of all accounts.
- View billing account data.
- View client offers.
- View and download reporting (or closing) documents.
- Generate new reconciliation reports.
- View and download generated reconciliation reports.
- Get and view notifications on consumption.
- Monitor expenses.
- View usage details.
- Export details.
- Create budgets.
- Reserve resource usage.
- Top up their personal account using a bank account.
- Link clouds to a billing account.
- Rename billing accounts.
- Redeem promo codes.
On the Yandex Cloud partner portal, users with this role can:
- Create customer records (subaccounts).
- View the list of subaccounts and info on them.
- Activate subaccounts.
- Suspend subaccounts.
- Re-activate subaccounts.
- Link clouds to subaccounts.
- View the details of how the customers use services.
- View rebate credit history.
- Withdraw rebate.
- View assigned specializations.
- View the list of partner discounts and info on them.
- View the history of crediting referral program bonuses.
- Withdraw referral program bonuses.
- View the status of settlements with the referrer company.
- View the list of referral links.
- Create referral links.
- Activate referral links.
- Modify referral links.
This role also includes the billing.accounts.viewer permissions.
billing.accounts.admin
To use the billing.accounts.admin role, you need to assign it for a billing account. It enables managing access to a billing account (except for billing.accounts.owner).
In Yandex Cloud Billing, users with this role can:
- Display billing accounts in the list of all accounts.
- View billing account data.
- View client offers.
- View info on the access permissions granted for the relevant billing accounts and modify such permissions (except for assigning and revoking the
billing.accounts.ownerrole). - Activate, deactivate, or modify the technical support service plan, as well as change the billing account from which the payment is debited.
- View and download reporting (or closing) documents.
- Generate new reconciliation reports.
- View and download generated reconciliation reports.
- Get and view notifications on consumption.
- Monitor expenses.
- View usage details.
- Export details.
- Create budgets.
- Reserve resource usage.
- Top up their personal account using a bank account.
- Link clouds to a billing account.
- Rename billing accounts.
- Redeem promo codes.
On the Yandex Cloud partner portal, users with this role can:
- Create customer records (subaccounts).
- View the list of subaccounts and info on them.
- Activate subaccounts.
- Suspend subaccounts.
- Re-activate subaccounts.
- Link clouds to subaccounts.
- Manage access permissions to subaccounts.
- View the details of how the customers use services.
- View rebate credit history.
- Withdraw rebate.
- View assigned specializations.
- View the list of partner discounts and info on them.
- View the history of crediting referral program bonuses.
- Withdraw referral program bonuses.
- View the status of settlements with the referrer company.
- View the list of referral links.
- Create referral links.
- Activate referral links.
- Modify referral links.
This role also includes the billing.accounts.editor and billing.partners.editor permissions.
billing.accounts.member
The billing.accounts.member role is granted automatically when a user is added to the service. It is required to display the selected billing account in the list of all user accounts.
billing.accounts.varWithoutDiscounts
To use the billing.accounts.varWithoutDiscounts role, you need to assign it for a billing account. This role grants partner accounts all administrator privileges, except the permission to get information about discounts.
In Yandex Cloud Billing, users with this role can:
- Display billing accounts in the list of all accounts.
- View billing account data.
- View info on the access permissions granted for the relevant billing accounts.
- View and download reporting (or closing) documents.
- Generate new reconciliation reports.
- View and download generated reconciliation reports.
- Get and view notifications on consumption.
- Monitor expenses.
- View usage details.
- Export details.
- Create budgets.
- Reserve resource usage.
- Top up their personal account using a bank account.
- Link clouds to a billing account.
- Rename billing accounts.
- Redeem promo codes.
On the Yandex Cloud partner portal, users with this role can:
- Create customer records (subaccounts).
- View the list of subaccounts and info on them.
- Activate subaccounts.
- Suspend subaccounts.
- Re-activate subaccounts.
- Link clouds to subaccounts.
- Manage access permissions to subaccounts.
- View the details of how the customers use services.
- View rebate credit history.
- Withdraw rebate.
- View the history of crediting referral program bonuses.
- Withdraw referral program bonuses.
- View the status of settlements with the referrer company.
- Create referral links.
- Activate referral links.
- Modify referral links.
This role also includes the billing.partners.editor permissions.
billing.partners.editor
The billing.partners.editor role is assigned for a billing account. It grants permission to edit information about a partner and their products in the partner product catalog.
Primitive roles
Primitive roles are aggregator roles that define user permissions to access services. In Yandex Cloud Billing, these roles match the following billing.accounts.* roles:
auditor: Same asbilling.accounts.viewerwith some limitations.viewer: Same asbilling.accounts.viewer.editor: Same asbilling.accounts.editor.admin: Same asbilling.accounts.admin.
Primitive roles can only be assigned to users in the Users list.
Available operations
The table below provides a list of operations available to each role type.
| Operations | owner |
viewer |
accountant |
editor |
admin |
|---|---|---|---|---|---|
| Displaying a billing account in the list of all user accounts | |||||
| Viewing billing account information | |||||
| Viewing and receiving usage notifications | |||||
| Viewing and downloading reporting (closing) documents | |||||
| Viewing and downloading generated reconciliation reports | |||||
| Checking expenses | |||||
| Accessing usage details | |||||
| Topping up your personal account using a bank account | |||||
| Generating a new reconciliation report | |||||
| Activating promo codes | |||||
| Linking clouds to billing accounts | |||||
| Creating details export | |||||
| Creating budget | |||||
| Resource allocation | |||||
| Renaming a billing account | |||||
| Viewing commercial offers | |||||
| Assigning roles to billing accounts | |||||
| Viewing and editing roles | |||||
| Managing technical support plan | |||||
| Changing payer contact details | |||||
| Changing billing details | |||||
| Changing bank cards | |||||
| Changing payment methods | |||||
| Activating trial period | |||||
| Activating paid version | |||||
| Topping up your personal account using a credit or debit card | |||||
| Accepting commercial offers |
Adding a user
The steps for adding a new billing account user depend on whether this billing account is added to your organization.
Assign the required role for the billing account to a user or service account in your organization.
Note
To add a new billing account user, you need the billing.accounts.owner or billing.accounts.admin role.
-
Go to Yandex Cloud Billing.
- Select a billing account.
- Go to the Access management page.
- At the top right, click Add user.
- Select a user from the drop-down list. The list shows users whose clouds are linked to your billing account.
- Click Add.
The user or service account will get the billing.accounts.member role and included in the Users list. To grant billing account access, assign them the required role.
Assigning roles
The steps for assigning a billing account role depend on whether this billing account is added to your organization.
A user with the billing.accounts.admin role can grant access to the billing account to any user or service account within the same organization. To do this:
-
Make sure that the user you need belongs to your organization. If not, add them.
-
Go to Yandex Cloud Billing.
-
Select a billing account.
-
In the left-hand panel, select Access management.
-
At the top right, click Assign roles. In the window that opens:
- Select a user, service account, or user group. If required, use the search bar.
- Click Add role and select the role.
- Click Save.
Note
If you assign the Yandex Cloud Billing service role to an organization, all billing accounts within this organization will also assume this role.
A user with the billing.accounts.admin role can grant access to the billing account to any user or service account on the Users list. To do this:
-
Go to Yandex Cloud Billing.
-
Select a billing account.
-
In the left-hand panel, select Access management.
-
Find the required user, service account, or user group in the users list or use the filter.
-
In the line with the required user, service account, or group, click and select Edit roles. In the window that opens:
- Click Add role.
- Select a role from the list.
- Click Save.
The role will be assigned without expiration.
Revoking roles
The steps for revoking a billing account role depend on whether this billing account is added to your organization.
A user with the billing.accounts.admin role can revoke a billing account role from a user or service account in their organization at any time. To do this:
-
Go to Yandex Cloud Billing.
-
Select a billing account.
-
In the left-hand panel, select Access management.
-
Find the required user, service account, or user group in the users list or use the filter.
-
In the line with the required user, service account, or group, click and select Edit roles. In the window that opens:
- Click to the right of the role you want to revoke.
- Click Save. The role will be revoked.
A user with the billing.accounts.admin role can revoke a billing account role from a user or service account on the list at any time. To do this:
-
Go to Yandex Cloud Billing.
-
Select a billing account.
-
In the left-hand panel, select Access management.
-
Find the required user, service account, or user group in the users list or use the filter.
-
In the line with the required user, service account, or group, click and select Edit roles. In the window that opens:
- Click to the right of the role you want to revoke.
- Click Save. The role will be revoked.
Note
If the billing.accounts.member role is revoked, the user will not be able to access the billing account.
Deleting a user
You can only delete users from those billing accounts that are not added to an organization. To do this:
-
Go to Yandex Cloud Billing.
- Select a billing account.
- Find the user or service account in the list.
- In the line with the user or service account, click and select Remove user.
- This deletes the user from the list of the billing account users.
If the billing account is added to an organization, you can simply revoke the required role from a user or service account. You can remove a user from the organization to prevent them from accessing any of its clouds or resources.