Access management in Yandex Data Processing

Yandex Cloud users can only perform operations on resources that are allowed by the roles assigned to them. As long as a user has no roles assigned, almost all operations are forbidden.

To enable access to Yandex Data Processing resources (clusters and subclusters), assign the required roles from the list below to a Yandex account, service account, federated users, user group, system group, or public group. Currently, a role can only be assigned for a parent resource (folder or cloud). Roles are inherited by nested resources.

Roles for a resource can be assigned by users who have the mdb.admin role or one of the following roles for that resource:

• admin
• resource-manager.admin
• organization-manager.admin
• resource-manager.clouds.owner
• organization-manager.organizations.owner

Assigning rolesAssigning roles

To assign a user a role:

1. Add the required user if needed.
2. In the management console, on the left, select a cloud.
3. Go to the Access bindings tab.
4. Click Configure access.
5. In the window that opens, select User accounts.
6. Select a user from the list or search by user.
7. Click Add role and select a role for the cloud.
8. Click Save.

Which roles exist in the serviceWhich roles exist in the service

The list below shows all roles considered when verifying access permissions in Yandex Data Processing.

Service rolesService roles

dataproc.agentdataproc.agent

The dataproc.agent role allows the service account linked to the Yandex Data Proc cluster to notify Data Proc of the cluster host state. You can assign this role to a service account linked to the Yandex Data Proc cluster.

Service accounts with this role can:

• Notify Yandex Data Proc of the cluster host state.
• Get info on jobs and their progress statuses.
• Get info on log groups and add entries to them.

Currently, you can only assign this role for a folder or cloud.

dataproc.auditordataproc.auditor

The dataproc.auditor role allows you to view information on Yandex Data Proc clusters.

dataproc.viewerdataproc.viewer

The dataproc.viewer role allows you to view information on Yandex Data Proc clusters and jobs.

dataproc.userdataproc.user

The dataproc.user role grants access to the Yandex Data Proc component web interfaces and enables creating jobs and viewing info on Yandex Cloud managed DB clusters.

Users with this role can:

• View info on Yandex Data Proc clusters and jobs, as well as create jobs.
• Use the web interface to access the Yandex Data Proc components.
• View info on ClickHouse®, Greenplum®, Apache Kafka®, MongoDB, MySQL®, PostgreSQL, Redis, OpenSearch, and SQL Server clusters.
• View info on Greenplum®, MongoDB, MySQL®, PostgreSQL, Redis, and SQL Server cluster hosts.
• View info on database backups for Greenplum®, MongoDB, MySQL®, PostgreSQL, Redis, and SQL Server clusters.
• View info on MongoDB, MySQL®, PostgreSQL, and SQL Server cluster users.
• View info on MongoDB, MySQL®, PostgreSQL, and SQL Server DBs.
• View info on MongoDB, MySQL®, PostgreSQL, and Redis alerts.
• View info on the results of Greenplum®, MongoDB, MySQL®, and PostgreSQL cluster performance diagnostics.
• View info on MongoDB and Redis cluster shards.
• View Greenplum®, MongoDB, MySQL®, PostgreSQL, Redis, and SQL Server cluster logs.
• View info on Managed Service for ClickHouse®, Managed Service for Apache Kafka®, Managed Service for OpenSearch, Managed Service for Greenplum®, Managed Service for MongoDB, Managed Service for MySQL®, Managed Service for PostgreSQL, Managed Service for Redis, and SQL Server quotas.
• View info on resource operations for all Yandex Cloud managed DB services.
• View info on the relevant folder.

This role also includes the dataproc.viewer and mdb.viewer permissions.

dataproc.provisionerdataproc.provisioner

The dataproc.provisioner role grants access to the API to create, update, and delete Yandex Data Proc cluster objects.

Users with this role can:

• View information on DNS zones as well as create, use, modify, and delete them.
• View information on resource records as well as create, modify, and delete them.
• Create nested public DNS zones.
• View info on granted access permissions for DNS zones.
• View information on available platforms and use them.
• Create, modify, start, restart, stop, move, and delete instances.
• View the list of instances, information on instances and on granted access permissions for them.
• Connect and disconnect disks, file storages, and network interfaces to and from instances, as well as link security groups to instance network interfaces.
• Create instances with custom FQDNs and create multi-interface instances.
• Bind service accounts to instances and activate AWS v1 tokens on instances.
• View the list of service accounts and info on them, as well as perform operations on behalf of a service account.
• Use the instance serial port for reading and writing.
• Simulate instance maintenance events.
• View instance metadata.
• View information on the status of configuring access via OS Login on instances and connect to instances via OS Login using SSH certificates or SSH keys.
• View the list of instance groups, information on instance groups and on granted access permissions for them, as well as use, create, modify, start, stop, and delete instance groups.
• View the list of instance placement groups, information on instance placement groups and on granted access permissions for them, as well as use, modify, and delete instance placement groups.
• View lists of instances in placement groups.
• View the list of dedicated host groups, information on dedicated host groups and on granted access permissions for them, as well as use, modify, and delete dedicated host groups.
• View lists of hosts and instances in dedicated host groups.
• Modify scheduled maintenance windows for hosts in dedicated host groups.
• Use GPU clusters, as well as create, modify, and delete them.
• View info on GPU clusters and instances included in GPU clusters, as well as on granted access permissions for these clusters.
• View the list of disks, information on disks and on granted access permissions for them, as well as use, modify, move, and delete disks.
• Create encrypted disks.
• View and update disk links.
• View the list of file storages, information on file storages and on granted access permissions for them, as well as use, create, modify, and delete file storages.
• View the list of non-replicated disk placement groups, information on non-replicated disk placement groups and on granted access permissions for them, as well as use, modify, and delete non-replicated disk placement groups.
• View lists of disks in placement groups.
• View the list of images, information on images and on granted access permissions for them, as well as use, modify, and delete images.
• Create, modify, delete, and update image families.
• View info on image families, on images within families, on the latest family image, as well as on granted access permissions for image families.
• View the list of disk snapshots, information on disk snapshots and on granted access permissions for them, as well as use, modify, and delete disk snapshots.
• View info on disk snapshot schedules and on granted access permissions for them, as well as create, modify, and delete disk snapshot schedules.
• View the list of cloud networks and info on them, as well as use them.
• View the list of subnets and info on them, as well as use them.
• View the list of cloud resource addresses and info on them, as well as use such addresses.
• View the list of route tables and info on them, as well as use them.
• View the list of security groups and info on them, as well as use them.
• View information on NAT gateways and connect them to route tables.
• View information on the IP addresses used in subnets.
• View info on Monitoring metrics and their labels, as well as download metrics.
• View the list of Monitoring dashboards and widgets, as well as the info on those.
• View the Monitoring notification history.
• View info on log groups.
• View info on log sinks.
• View info on granted access permissions for Cloud Logging resources.
• View info on log exports.
• View information on Compute Cloud resource and quota consumption and disk limits in the management console.
• View info on the Cloud DNS, Virtual Private Cloud, and Monitoring quotas.
• View lists of resource operations for Compute Cloud and information on operations, as well as abort such operations.
• View information on resource operations for Virtual Private Cloud.
• View the list of availability zones, information on availability zones and on granted access permissions for them.
• View info on the relevant cloud and folder.

This role also includes the iam.serviceAccounts.user, dns.editor, compute.editor, monitoring.viewer, and logging.viewer permissions.

dataproc.editordataproc.editor

The dataproc.editor role allows you to manage Yandex Data Proc clusters, run jobs, and view information on them. It also grants access to the Data Proc component web interfaces.

Users with this role can:

• View info on Yandex Data Proc clusters, as well as create, modify, run, stop, and delete them.
• View info on jobs and create them.
• Use the web interface to access the Yandex Data Proc components.
• View info on ClickHouse®, Greenplum®, Apache Kafka®, MongoDB, MySQL®, PostgreSQL, Redis, OpenSearch, and SQL Server clusters.
• View info on Greenplum®, MongoDB, MySQL®, PostgreSQL, Redis, and SQL Server cluster hosts.
• View info on database backups for Greenplum®, MongoDB, MySQL®, PostgreSQL, Redis, and SQL Server clusters.
• View info on MongoDB, MySQL®, PostgreSQL, and SQL Server cluster users.
• View info on MongoDB, MySQL®, PostgreSQL, and SQL Server DBs.
• View info on MongoDB, MySQL®, PostgreSQL, and Redis alerts.
• View info on the results of Greenplum®, MongoDB, MySQL®, and PostgreSQL cluster performance diagnostics.
• View info on MongoDB and Redis cluster shards.
• View Greenplum®, MongoDB, MySQL®, PostgreSQL, Redis, and SQL Server cluster logs.
• View info on Managed Service for ClickHouse®, Managed Service for Apache Kafka®, Managed Service for OpenSearch, Managed Service for Greenplum®, Managed Service for MongoDB, Managed Service for MySQL®, Managed Service for PostgreSQL, Managed Service for Redis, and SQL Server quotas.
• View info on resource operations for all Yandex Cloud managed DB services.
• View info on the relevant folder.

This role also includes the dataproc.user permissions.

dataproc.admindataproc.admin

The dataproc.admin role allows you to manage Yandex Data Proc clusters, run jobs, and view information on them. It also grants access to the Data Proc component web interfaces.

Users with this role can:

• View info on Yandex Data Proc clusters, as well as create, modify, run, stop, and delete them.
• View info on jobs and create them.
• Use the web interface to access the Yandex Data Proc components.
• View info on ClickHouse®, Greenplum®, Apache Kafka®, MongoDB, MySQL®, PostgreSQL, Redis, OpenSearch, and SQL Server clusters.
• View info on Greenplum®, MongoDB, MySQL®, PostgreSQL, Redis, and SQL Server cluster hosts.
• View info on database backups for Greenplum®, MongoDB, MySQL®, PostgreSQL, Redis, and SQL Server clusters.
• View info on MongoDB, MySQL®, PostgreSQL, and SQL Server cluster users.
• View info on MongoDB, MySQL®, PostgreSQL, and SQL Server DBs.
• View info on MongoDB, MySQL®, PostgreSQL, and Redis alerts.
• View info on the results of Greenplum®, MongoDB, MySQL®, and PostgreSQL cluster performance diagnostics.
• View info on MongoDB and Redis cluster shards.
• View Greenplum®, MongoDB, MySQL®, PostgreSQL, Redis, and SQL Server cluster logs.
• View info on Managed Service for ClickHouse®, Managed Service for Apache Kafka®, Managed Service for OpenSearch, Managed Service for Greenplum®, Managed Service for MongoDB, Managed Service for MySQL®, Managed Service for PostgreSQL, Managed Service for Redis, and SQL Server quotas.
• View info on resource operations for all Yandex Cloud managed DB services.
• View info on the relevant folder.

This role also includes the dataproc.editor permissions.

mdb.auditormdb.auditor

The mdb.auditor role grants the minimum permissions required to view information about managed database clusters (without access to data or runtime logs).

Users with this role can view information about managed database clusters, quotas, and folders.

This role also includes the managed-opensearch.auditor, managed-kafka.auditor, managed-mysql.auditor, managed-sqlserver.auditor, managed-postgresql.auditor, managed-greenplum.auditor, managed-clickhouse.auditor, managed-redis.auditor, and managed-mongodb.auditor permissions.

mdb.viewermdb.viewer

The mdb.viewer role grants read access to managed database clusters and cluster runtime logs.

Users with this role can read from databases, inspect the logs of managed database clusters, and view information about clusters, quotas, and folders.

This role also includes the mdb.auditor, managed-opensearch.viewer, managed-kafka.viewer, managed-mysql.viewer, managed-sqlserver.viewer, managed-postgresql.viewer, managed-greenplum.viewer, managed-clickhouse.viewer, managed-redis.viewer, managed-mongodb.viewer, and dataproc.viewer permissions.

mdb.adminmdb.admin

The mdb.admin role grants full access to managed database clusters.

Users with this role can create, edit, delete, run, and stop managed database clusters, manage cluster access, read and write to databases, and view information about clusters, runtime logs, quotas, and folders.

This role also includes the mdb.viewer, vpc.user, managed-opensearch.admin, managed-kafka.admin, managed-mysql.admin, managed-sqlserver.admin, managed-postgresql.admin, managed-greenplum.admin, managed-clickhouse.admin, managed-redis.admin, managed-mongodb.admin, and dataproc.admin permissions.

Primitive rolesPrimitive roles

Primitive roles allow users to perform actions in all Yandex Cloud services.

auditorauditor

The auditor role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:

• View info on a resource.
• View the resource metadata.
• View the list of operations with a resource.

auditor is the most secure role that does not grant any access to the service data. This role suits the users who need minimum access to the Yandex Cloud resources.

Currently, the auditor role is available for all Yandex Cloud services, except for:

• Yandex Data Streams
• Yandex Query

viewerviewer

The viewer role grants the permissions to read the info on any Yandex Cloud resources.

This role also includes the auditor permissions.

Unlike auditor, the viewer role provides access to service data in read mode.

editoreditor

The editor role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.

For instance, users with this role can create, modify, and delete resources.

This role also includes the viewer permissions.

adminadmin

The admin role enables assigning any roles, except for resource-manager.clouds.owner and organization-manager.organizations.owner, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).

Prior to assigning the admin role for an organization, cloud, or billing account, make sure to check out the information on protecting privileged accounts.

This role also includes the editor permissions.

Instead of primitive roles, we recommend using service roles. This ensures more selective access control and implementation of the principle of least privilege.

For more information about primitive roles, see the Yandex Cloud role reference.