Access management in Yandex Cloud Billing
Billing account access
Billing account access is provided through Yandex Cloud Billing. A billing account can be created by users with a registered Yandex or Yandex 360 account:
- If you or your employee have no account yet, create one on Yandex
or Yandex 360 . - If using a social network profile to log in to Yandex, create a username and password
.
The operations a user can perform on a billing account depend on the assigned role. You can assign roles to a Yandex account, service account, federated users, user group, system group, or public group.
Note
Access can only be granted to a user whose billing account has a cloud linked in Identity and Access Management.
Which roles exist in the service
Service roles
billing.accounts.owner
When creating your billing account, you get the billing.accounts.owner
role automatically. It cannot be revoked, but you can assign it to other users and then revoke from them.
In Yandex Cloud Billing, users with this role can:
- Display billing accounts in the list of all accounts.
- View billing account data.
- View info on the access permissions granted for the relevant billing accounts and modify such permissions.
- View and download reporting (or closing) documents.
- Generate new reconciliation reports.
- View and download generated reconciliation reports.
- Get and view notifications on consumption.
- Monitor expenses.
- View usage details.
- Export details.
- Create budgets.
- Reserve resource usage.
- Top up their personal account using a bank account.
- Top up their personal account using a credit or debit card.
- Link clouds to a billing account.
- Rename billing accounts.
- Changing payer contact details.
- Change payment details.
- Change their credit or debit card details.
- Change the payment method.
- Activate promo codes.
- Activate the trial period.
- Activate the paid version.
- Delete billing accounts.
On the Yandex Cloud partner portal, users with this role can:
- Create customer records (sub-accounts).
- View the list of sub-accounts and info on them.
- Update sub-account records.
- Activate sub-accounts.
- Suspend sub-accounts.
- Re-activate sub-accounts.
- Delete sub-accounts without customer confirmation.
- Link clouds to sub-accounts.
- Manage access permissions to sub-accounts.
- View the details of how the customers use services.
- View rebate credit history.
- Withdraw rebate.
- View assigned specializations.
- View the list of partner commissions and info on them.
- View the history of crediting referral program commissions.
- Withdraw referral program commissions.
- View the status of settlements with the referrer company.
- View the list of referral links.
- Create referral links.
- Activate referral links.
- Modify referral links.
This role also includes the billing.accounts.admin
permissions.
billing.accounts.viewer
To use the billing.accounts.viewer
role, you need to assign it for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, and export reconciliation reports and reporting documents.
In Yandex Cloud Billing, users with this role can:
- Display billing accounts in the list of all accounts.
- View billing account data.
- View and download reporting (or closing) documents.
- View and download generated reconciliation reports.
- Get and view notifications on consumption.
- Monitor expenses.
- View usage details.
On the Yandex Cloud partner portal, users with this role can:
- View the list of sub-accounts and info on them.
- View the details of how the customers use services.
- View assigned specializations.
- View the list of partner commissions and info on them.
- View the history of crediting referral program commissions.
- View the status of settlements with the referrer company.
- View the list of referral links.
billing.accounts.accountant
To use the billing.accounts.accountant
role, you need to assign it for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, export reconciliation reports and reporting documents, create new reconciliation reports, and top up your personal account using a bank account.
In Yandex Cloud Billing, users with this role can:
- Display billing accounts in the list of all accounts.
- View billing account data.
- View and download reporting (or closing) documents.
- Generate new reconciliation reports.
- View and download generated reconciliation reports.
- Get and view notifications on consumption.
- Monitor expenses.
- View usage details.
- Top up their personal account using a bank account.
On the Yandex Cloud partner portal, users with this role can:
- View the list of sub-accounts and info on them.
- View the details of how the customers use services.
- View rebate credit history.
- Withdraw rebate.
- View assigned specializations.
- View the list of partner commissions and info on them.
- View the history of crediting referral program commissions.
- View the status of settlements with the referrer company.
- View the list of referral links.
This role also includes the billing.accounts.viewer
permissions.
billing.accounts.editor
To use the billing.accounts.editor
role, you need to assign it for a billing account. It enables you to get payment invoices, redeem promo codes, link clouds and services to your billing account, create details export and budgets, generate reconciliation reports, and reserve resources.
In Yandex Cloud Billing, users with this role can:
- Display billing accounts in the list of all accounts.
- View billing account data.
- View and download reporting (or closing) documents.
- Generate new reconciliation reports.
- View and download generated reconciliation reports.
- Get and view notifications on consumption.
- Monitor expenses.
- View usage details.
- Export details.
- Create budgets.
- Reserve resource usage.
- Top up their personal account using a bank account.
- Link clouds to a billing account.
- Rename billing accounts.
- Redeem promo codes.
On the Yandex Cloud partner portal, users with this role can:
- Create customer records (sub-accounts).
- View the list of sub-accounts and info on them.
- Activate sub-accounts.
- Suspend sub-accounts.
- Re-activate sub-accounts.
- Link clouds to sub-accounts.
- View the details of how the customers use services.
- View rebate credit history.
- Withdraw rebate.
- View assigned specializations.
- View the list of partner commissions and info on them.
- View the history of crediting referral program commissions.
- Withdraw referral program commissions.
- View the status of settlements with the referrer company.
- View the list of referral links.
- Create referral links.
- Activate referral links.
- Modify referral links.
This role also includes the billing.accounts.viewer
permissions.
billing.accounts.admin
To use the billing.accounts.admin
role, you need to assign it for a billing account. It enables managing access to a billing account (except for billing.accounts.owner
).
In Yandex Cloud Billing, users with this role can:
- Display billing accounts in the list of all accounts.
- View billing account data.
- View info on the access permissions granted for the relevant billing accounts and modify such permissions (except for assigning and revoking the
billing.accounts.owner
role). - View and download reporting (or closing) documents.
- Generate new reconciliation reports.
- View and download generated reconciliation reports.
- Get and view notifications on consumption.
- Monitor expenses.
- View usage details.
- Export details.
- Create budgets.
- Reserve resource usage.
- Top up their personal account using a bank account.
- Link a cloud to a billing account.
- Rename billing accounts.
- Redeem promo codes.
On the Yandex Cloud partner portal, users with this role can:
- Create customer records (sub-accounts).
- View the list of sub-accounts and info on them.
- Activate sub-accounts.
- Suspend sub-accounts.
- Re-activate sub-accounts.
- Link clouds to sub-accounts.
- Manage access permissions to sub-accounts.
- View the details of how the customers use services.
- View rebate credit history.
- Withdraw rebate.
- View assigned specializations.
- View the list of partner commissions and info on them.
- View the history of crediting referral program commissions.
- Withdraw referral program commissions.
- View the status of settlements with the referrer company.
- View the list of referral links.
- Create referral links.
- Activate referral links.
- Modify referral links.
This role also includes the billing.accounts.editor
and billing.partners.editor
permissions.
billing.accounts.member
The billing.accounts.member
role is granted automatically when a user is added to the service. It is required to display the selected billing account in the list of all user accounts.
billing.accounts.varWithoutDiscounts
To use the billing.accounts.varWithoutDiscounts
role, you need to assign it for a billing account. This role grants partner accounts all administrator privileges, except the permission to get information about discounts.
In Yandex Cloud Billing, users with this role can:
- Display billing accounts in the list of all accounts.
- View billing account data.
- View info on the access permissions granted for the relevant billing accounts.
- View and download reporting (or closing) documents.
- Generate new reconciliation reports.
- View and download generated reconciliation reports.
- Get and view notifications on consumption.
- Monitor expenses.
- View usage details.
- Export details.
- Create budgets.
- Reserve resource usage.
- Top up their personal account using a bank account.
- Link clouds to a billing account.
- Rename billing accounts.
- Redeem promo codes.
On the Yandex Cloud partner portal, users with this role can:
- Create customer records (sub-accounts).
- View the list of sub-accounts and info on them.
- Activate sub-accounts.
- Suspend sub-accounts.
- Re-activate sub-accounts.
- Link clouds to sub-accounts.
- Manage access permissions to sub-accounts.
- View the details of how the customers use services.
- View rebate credit history.
- Withdraw rebate.
- View the history of crediting referral program commissions.
- Withdraw referral program commissions.
- View the status of settlements with the referrer company.
- Create referral links.
- Activate referral links.
- Modify referral links.
This role also includes the billing.partners.editor
permissions.
billing.partners.editor
The billing.partners.editor
role is assigned for a billing account. It grants permission to edit information about a partner and their products in the partner product catalog.
Primitive roles
Primitive roles are aggregator roles that define user permissions to access services. In Yandex Cloud Billing, these roles match the following billing.accounts.*
roles:
auditor
: Same asbilling.accounts.viewer
with some limitations.viewer
: Same asbilling.accounts.viewer
.editor
: Same asbilling.accounts.editor
.admin
: Same asbilling.accounts.admin
.
Primitive roles can only be assigned to users in the Users list.
Available operations
The table below provides a list of operations available to each role type.
Operations | owner |
viewer |
accountant |
editor |
admin |
---|---|---|---|---|---|
Displaying a billing account in the list of all user accounts | |||||
Viewing billing account information | |||||
Viewing and receiving usage notifications | |||||
Viewing and downloading reporting (closing) documents | |||||
Viewing and downloading generated reconciliation reports | |||||
Checking expenses | |||||
Accessing usage details | |||||
Topping up your personal account using a bank account | |||||
Generating a new reconciliation report | |||||
Activating promo codes | |||||
Linking clouds to billing accounts | |||||
Creating details export | |||||
Creating budget | |||||
Resource allocation | |||||
Renaming a billing account | |||||
Assigning roles to billing accounts | |||||
Viewing and editing roles | |||||
Changing payer contact information | |||||
Changing billing details | |||||
Changing bank cards | |||||
Changing payment methods | |||||
Activating trial period | |||||
Activating paid version | |||||
Topping up your personal account using a bank card |
Adding a user
The steps for adding a new billing account user depend on whether this billing account is added to your organization.
Assign the required role for the billing account to a user or service account in your organization.
Note
To add a new billing account user, you need the billing.accounts.owner
or billing.accounts.admin
role.
-
Go to Yandex Cloud Billing
. - Select a billing account.
- Go to the Access management page.
- At the top right, click Add user.
- Select a user from the drop-down list. The list shows users whose clouds are linked to your billing account.
- Click Add.
The user or service account will get the billing.accounts.member
role and included in the Users list. To grant billing account access, assign them the required role.
Assigning roles
The steps for assigning a billing account role depend on whether this billing account is added to your organization.
A user with the billing.accounts.admin
role can grant access to the billing account to any user or service account within the same organization. To do this:
-
Make sure that the user you need belongs to your organization. If not, add them.
-
Go to Yandex Cloud Billing
. -
Select a billing account.
-
In the left-hand panel, select
Access management. -
At the top right, click Assign bindings. In the window that opens:
- Select a user, service account, or user group. If required, use the search bar.
- Click Add role and select the role.
- Click Save.
Note
If you assign the Yandex Cloud Billing service role to an organization, all billing accounts within this organization will also assume this role.
A user with the billing.accounts.admin
role can grant access to the billing account to any user or service account on the Users list. To do this:
-
Go to Yandex Cloud Billing
. -
Select a billing account.
-
In the left-hand panel, select
Access management. -
Find the required user, service account, or user group in the users list or use the filter.
-
In the line with the required user, service account, or group, click
and select Edit roles. In the window that opens:- Click Add role.
- Select a role from the list.
- Click Save.
The role will be assigned without expiration.
Revoking roles
The steps for revoking a billing account role depend on whether this billing account is added to your organization.
A user with the billing.accounts.admin
role can revoke a billing account role from a user or service account in their organization at any time. To do this:
-
Go to Yandex Cloud Billing
. -
Select a billing account.
-
In the left-hand panel, select
Access management. -
Find the required user, service account, or user group in the users list or use the filter.
-
In the line with the required user, service account, or group, click
and select Edit roles. In the window that opens:- Click
to the right of the role you want to revoke. - Click Save. The role will be revoked.
- Click
A user with the billing.accounts.admin
role can revoke a billing account role from a user or service account on the list at any time. To do this:
-
Go to Yandex Cloud Billing
. -
Select a billing account.
-
In the left-hand panel, select
Access management. -
Find the required user, service account, or user group in the users list or use the filter.
-
In the line with the required user, service account, or group, click
and select Edit roles. In the window that opens:- Click
to the right of the role you want to revoke. - Click Save. The role will be revoked.
- Click
Note
If the billing.accounts.member
role is revoked, the user will not be able to access the billing account.
Deleting users
You can only delete users from those billing accounts that are not added to an organization. To do this:
-
Go to Yandex Cloud Billing
. - Select a billing account.
- Find the user or service account in the list.
- In the line with the user or service account you need, click
and select Remove user. - This deletes the user from the list of the billing account users.
If the billing account is added to an organization, you can simply revoke the required role from a user or service account. You can remove a user from the organization to prevent them from accessing any of its clouds or resources.