Resources that roles can be assigned for
Yandex Cloud uses roles to manage access permissions.
Yandex Cloud users can only perform operations on resources within the permissions of the roles assigned to them. With no roles assigned, almost no operations are allowed.
Inheriting access permissions
Roles are assigned for Yandex Cloud resources. The standard permission inheritance model applies to resources of most Yandex Cloud services:
- Organization access permissions apply to the organization's resources:
  - Federations.
  - User groups.
  - Organization clouds.
- Permissions to access the cloud apply to all folders within the cloud.
- Folder access permissions apply to all resources in the folder.
Exceptions to permission inheritance rules
Some Yandex Cloud services do not support the standard role inheritance model. In the following services, you need to assign roles to users specifically for the service:
- Yandex Cloud Billing
- Yandex Tracker
- Yandex DataLens
- Yandex Wiki
- Yandex Forms
- Yandex DataSphere
- Yandex SpeechSense
Granular role assignment
Some Yandex Cloud services allow you to assign roles in a more granular way, i.e., for individual resources within a service. For example, in Yandex Compute Cloud, you can assign roles for the following resources:
- VM instance
- Instance group
- Dedicated host group
- VM placement group
- Non-replicated disk placement group
- VM disk
- GPU cluster
- Image
- Snapshot schedule
- Disk snapshot
- File storage
Note that some interfaces do not support granular assignment of roles for resources. For example, you can assign a role for a Compute Cloud instance group using the management console
For more information about resources you can assign roles for, available roles, and specifics of their assignment, see the Access management page for the relevant service, e.g., Access management in Compute Cloud.
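The following Python model is an added example, not Yandex Cloud code or its API. It resolves which roles a subject effectively holds on a resource under the inheritance rules, exceptions, and granular assignments described above, and shows where each role was assigned, which is what an access review needs to spot broad organization-level or cloud-level grants. All resource names, subjects, and role strings are constructed sample values, and treating the listed exception services as "direct assignments only" is a simplifying assumption of the model.

```python
from dataclasses import dataclass, field
from typing import Optional

# Services the page lists as exceptions to the standard inheritance model.
NON_INHERITING = {"billing", "tracker", "datalens", "wiki", "forms", "datasphere", "speechsense"}

@dataclass
class Resource:
    name: str
    parent: Optional["Resource"] = None
    service: Optional[str] = None  # e.g. "compute"; None for organization/cloud/folder
    bindings: dict = field(default_factory=dict)  # subject -> roles assigned directly here

def ancestors(resource):
    """Parents whose role assignments are inherited by this resource."""
    if resource.service in NON_INHERITING:
        return []  # model assumption: only direct assignments count
    chain, node = [], resource.parent
    while node is not None:
        chain.append(node)
        node = node.parent
    return chain

def effective_roles(resource, subject):
    """Return [(role, assigned_on, inherited)] for one subject on one resource."""
    out = [(r, resource.name, False) for r in sorted(resource.bindings.get(subject, ()))]
    for node in ancestors(resource):
        out += [(r, node.name, True) for r in sorted(node.bindings.get(subject, ()))]
    return out

def subjects_with_access(resource):
    """Map every subject holding any effective role on the resource to those roles."""
    subjects = set(resource.bindings)
    for node in ancestors(resource):
        subjects |= set(node.bindings)
    return {s: effective_roles(resource, s) for s in sorted(subjects)}

def build_sample():
    """Constructed hierarchy: organization -> cloud -> folder -> disk, plus a DataLens item."""
    org = Resource("org-example", bindings={"dave": {"viewer"}})
    cloud = Resource("cloud-prod", org, bindings={"alice": {"editor"}})
    folder = Resource("folder-web", cloud, bindings={"bob": {"viewer"}})
    disk = Resource("disk-db", folder, "compute", {"carol": {"compute.viewer"}})
    dash = Resource("dash-sales", org, "datalens", {"carol": {"sample-role"}})
    return disk, dash

if __name__ == "__main__":
    for res in build_sample():
        print(res.name, subjects_with_access(res))
```

In the sample, the disk is reachable by four subjects although only one was granted a role on the disk itself; the other three arrive through folder, cloud, and organization assignments.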