Access management in Yandex Cloud Billing
Billing account access
Access to the billing account can be provided via the Yandex Cloud Billing interface or the Yandex Cloud API. A billing account can be created by users with a registered Yandex or Yandex 360 account:
- If you or your employee have no account yet, create one on Yandex or Yandex 360.
- If using a social network profile to log in to Yandex, create a username and password.
The operations a user can perform on a billing account depend on the assigned role. You can assign roles to a Yandex account, service account, federated or local users, user group, system group, or public group.
Note
Access can only be granted to a user whose billing account has a cloud linked in Identity and Access Management.
Roles this service has
Service roles
billing.accounts.member
The billing.accounts.member role is granted automatically when a user is added to the service. It is required to display the selected billing account in the list of all user accounts.
billing.accounts.viewer
To use the billing.accounts.viewer role, you need to assign it for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, and export reconciliation reports and reporting documents.
In Yandex Cloud Billing, users with this role can:
- Display billing accounts in the list of all accounts.
- View billing account data.
- View and download reporting (or closing) documents.
- View and download generated reconciliation reports.
- Get and view notifications on consumption.
- Monitor expenses.
- View usage details.
billing.accounts.accountant
To use the billing.accounts.accountant role, you need to assign it for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, export reconciliation reports and reporting documents, create new reconciliation reports, and top up your personal account using a bank account.
In Yandex Cloud Billing, users with this role can:
- Display billing accounts in the list of all accounts.
- View billing account data.
- View and download reporting (or closing) documents.
- Generate new reconciliation reports.
- View and download generated reconciliation reports.
- Get and view notifications on consumption.
- Monitor expenses.
- View usage details.
- Top up their personal account using a bank account.
This role includes the billing.accounts.viewer permissions.
billing.partners.editor
The billing.partners.editor role is assigned for a billing account. It grants permission to edit information about a partner and their products in the partner product catalog.
billing.accounts.editor
To use the billing.accounts.editor role, you need to assign it for a billing account. It enables you to get payment invoices, redeem promo codes, link clouds and services to your billing account, create details export and budgets, generate reconciliation reports, and reserve resources.
In Yandex Cloud Billing, users with this role can:
- Display billing accounts in the list of all accounts.
- View billing account data.
- View client offers.
- View and download reporting (or closing) documents.
- Generate new reconciliation reports.
- View and download generated reconciliation reports.
- Get and view notifications on consumption.
- Monitor expenses.
- View usage details.
- Export details.
- Create budgets.
- Reserve resource usage.
- Top up their personal account using a bank account.
- Link clouds to a billing account.
- Rename billing accounts.
- Redeem promo codes.
On the Yandex Cloud partner portal, users with this role can:
- Link clouds to subaccounts.
This role includes the billing.accounts.viewer permissions.
billing.accounts.varWithoutDiscounts
To use the billing.accounts.varWithoutDiscounts role, you need to assign it for a billing account. This role grants partner accounts all administrator privileges, except the permission to get information about discounts.
In Yandex Cloud Billing, users with this role can:
- Display billing accounts in the list of all accounts.
- View billing account data.
- View info on the access permissions granted for the relevant billing accounts.
- View and download reporting (or closing) documents.
- Generate new reconciliation reports.
- View and download generated reconciliation reports.
- Get and view notifications on consumption.
- Monitor expenses.
- View usage details.
- Export details.
- Create budgets.
- Reserve resource usage.
- Top up their personal account using a bank account.
- Link clouds to a billing account.
- Rename billing accounts.
- Redeem promo codes.
On the Yandex Cloud partner portal, users with this role can:
- Create customer records (subaccounts).
- View the list of subaccounts and info on them.
- Activate subaccounts.
- Suspend subaccounts.
- Re-activate subaccounts.
- Link clouds to subaccounts.
- Manage access permissions to subaccounts.
- View the details of how the customers use services.
This role includes the billing.partners.editor permissions.
billing.accounts.admin
To use the billing.accounts.admin role, you need to assign it for a billing account. It enables managing access to a billing account (except for billing.accounts.owner).
In Yandex Cloud Billing, users with this role can:
- Display billing accounts in the list of all accounts.
- View billing account data.
- View client offers.
- View info on the access permissions granted for the relevant billing accounts and modify such permissions (except for assigning and revoking the
billing.accounts.ownerrole). - Activate, deactivate, or modify the technical support service plan, as well as change the billing account from which the payment is debited.
- View and download reporting (or closing) documents.
- Generate new reconciliation reports.
- View and download generated reconciliation reports.
- Get and view notifications on consumption.
- Monitor expenses.
- View usage details.
- Export details.
- Create budgets.
- Reserve resource usage.
- Top up their personal account using a bank account.
- Link clouds to a billing account.
- Rename billing accounts.
- Redeem promo codes.
On the Yandex Cloud partner portal, users with this role can:
- Create customer records (subaccounts).
- View the list of subaccounts and info on them, including personal data.
- Activate subaccounts.
- Suspend subaccounts.
- Re-activate subaccounts.
- Link clouds to subaccounts.
- Manage access permissions to subaccounts.
- View the details of how the customers use services.
- View the list of partner discounts and info on them.
This role includes the billing.accounts.editor, billing.accounts.partnerAdmin, and billing.partners.editor permissions.
billing.accounts.owner
When creating your billing account, you get the billing.accounts.owner role automatically. Any user with the billing.accounts.owner role can revoke this role from the billing account creator and change the owner.
In Yandex Cloud Billing, users with this role can:
- Display billing accounts in the list of all accounts.
- View billing account data.
- View client offers.
- View info on the access permissions granted for the relevant billing accounts and modify such permissions.
- Activate, deactivate, or modify the technical support service plan, as well as change the billing account from which the payment is debited.
- View and download reporting (or closing) documents.
- Generate new reconciliation reports.
- View and download generated reconciliation reports.
- Get and view notifications on consumption.
- Monitor expenses.
- View usage details.
- Export details.
- Create budgets.
- Reserve resource usage.
- Top up their personal account using a bank account.
- Top up their personal account using a credit or debit card.
- Link clouds to a billing account.
- Rename billing accounts.
- Changing payer contact details.
- Change payment details.
- Change their credit or debit card details.
- Change the payment method.
- Redeem promo codes.
- Activate the trial period.
- Activate the paid version.
- Delete billing accounts.
On the Yandex Cloud partner portal, users with this role can:
- Create customer records (subaccounts).
- View the list of subaccounts and info on them, including personal data.
- Update subaccount records.
- Activate subaccounts.
- Suspend subaccounts.
- Re-activate subaccounts.
- Delete subaccounts without customer confirmation.
- Link clouds to subaccounts.
- Manage access permissions to subaccounts.
- View the details of how the customers use services.
- View the list of partner discounts and info on them.
This role includes the billing.accounts.admin and billing.accounts.varWithoutDiscounts permissions.
Primitive roles
Primitive roles are aggregator roles that define user permissions to access services. In Yandex Cloud Billing, these roles match the following billing.accounts.* roles:
auditor: Same asbilling.accounts.viewer(with some limitations).viewer: Same asbilling.accounts.viewer.editor: Same asbilling.accounts.editor.admin: Same asbilling.accounts.admin.
Primitive roles can only be assigned to users in the Users list.
Available operations
The table below provides a list of operations available to each role type.
| Operations | owner |
viewer |
accountant |
editor |
admin |
|---|---|---|---|---|---|
| Displaying a billing account in the list of all user accounts | |||||
| Viewing billing account information | |||||
| Viewing and receiving usage notifications | |||||
| Viewing and downloading reporting (closing) documents | |||||
| Viewing and downloading generated reconciliation reports | |||||
| Checking expenses | |||||
| Accessing usage details | |||||
| Topping up your personal account using a bank account | |||||
| Generating a new reconciliation report | |||||
| Activating promo codes | |||||
| Linking a cloud organization and other entities to a billing account | |||||
| Link with a cloud organization | |||||
| Creating details export | |||||
| Creating budget | |||||
| Resource allocation | |||||
| Renaming a billing account | |||||
| Viewing commercial offers | |||||
| Assigning roles to billing accounts | |||||
| Viewing and editing roles | |||||
| Managing technical support plan | |||||
| Changing payer contact details | |||||
| Changing billing details | |||||
| Changing bank cards | |||||
| Changing payment methods | |||||
| Activating paid version | |||||
| Topping up your personal account using a credit or debit card | |||||
| Accepting commercial offers |
Adding a user
The steps for adding a new billing account user depend on whether the billing account is associated with an organization.
Assign the required role for the billing account to a user or service account in your organization.
Note
To add a new billing account user, you need the billing.accounts.owner or billing.accounts.admin role.
-
Go to Yandex Cloud Billing.
- Select a billing account.
- Go to the Access management page.
- At the top right, click Add user.
- Select a user from the drop-down list. The list shows users whose clouds are linked to your billing account.
- Click Add.
The user or service account will get the billing.accounts.member role and included in the Users list. To grant billing account access, assign them the required role.
Assigning roles
The steps for assigning a role for a billing account depend on whether the billing account is linked to the organization.
A user with the billing.accounts.admin role can grant access to the billing account to any user or service account within the same organization. To do this:
-
Make sure that the user you need belongs to your organization. If not, add them.
-
Go to Yandex Cloud Billing.
-
Select a billing account.
-
In the left-hand panel, select Access management.
-
At the top right, click Assign roles. In the window that opens, do the following:
- Select a user, service account, or user group. If required, use the search bar.
- Click Add role and select the role.
- Click Save.
Note
If you assign the Yandex Cloud Billing service role to an organization, all billing accounts within this organization will also assume this role.
A user with the billing.accounts.admin role can grant access to the billing account to any user or service account on the Users list. To do this:
-
Go to Yandex Cloud Billing.
-
Select a billing account.
-
In the left-hand panel, select Access management.
-
Find the required user, service account, or user group in the users list or use the filter.
-
In the line with the required user, service account, or group, click and select Edit roles. In the window that opens, do the following:
- Click Add role.
- Select a role from the list.
- Click Save.
The role will be assigned without expiration.
Revoking roles
The steps for revoking a role for a billing account depend on whether the billing account is linked to the organization.
A user with the billing.accounts.admin role can revoke a billing account role from a user or service account in their organization at any time. To do this:
-
Go to Yandex Cloud Billing.
-
Select a billing account.
-
In the left-hand panel, select Access management.
-
Find the required user, service account, or user group in the users list or use the filter.
-
In the line with the required user, service account, or group, click and select Edit roles. In the window that opens, do the following:
- Click to the right of the role you want to revoke.
- Click Save. The role will be revoked.
A user with the billing.accounts.admin role can revoke a billing account role from a user or service account on the list at any time. To do this:
-
Go to Yandex Cloud Billing.
-
Select a billing account.
-
In the left-hand panel, select Access management.
-
Find the required user, service account, or user group in the users list or use the filter.
-
In the line with the required user, service account, or group, click and select Edit roles. In the window that opens, do the following:
- Click to the right of the role you want to revoke.
- Click Save. The role will be revoked.
Note
If the billing.accounts.member role is revoked, the user will not be able to access the billing account.
Deleting a billing account user
You can only delete users from billing accounts not linked to the organization. To do this:
-
Go to Yandex Cloud Billing.
-
Select a billing account.
-
In the left-hand panel, select Access management and find the user or service account in the list that opens.
Optionally, use the filter in the right part of the screen.
-
In the line with the user or service account, click and select Remove user.
-
This will delete the user from the list of the billing account users.
If the billing account is linked to the organization, simply revoke the role from the user or service account. You can also delete a user from the organization to revoke access to all its clouds and resources.
You can also deactivate a federated or local user. As a result, the user will lose access to the organization's resources until reactivated.