© 2025 Direct Cursus Technology L.L.C.
Yandex Cloud role reference

Written by Yandex Cloud
Updated at December 3, 2025
  • Primitive roles
  • Service roles
  • AI services
  • Yandex Cloud partner program
  • Yandex API Gateway
  • Yandex Application Load Balancer
  • Yandex Audit Trails
  • Yandex BareMetal
  • Yandex Cloud Interconnect
  • Yandex Cloud Router
  • Yandex Certificate Manager
  • Yandex Cloud Backup
  • Yandex Cloud Billing
  • Yandex Cloud CDN
  • Yandex Cloud Desktop
  • Yandex Cloud DNS
  • Yandex Cloud Functions
  • Yandex Cloud Logging
  • Yandex Cloud Marketplace
    • Partner roles
    • User roles
  • Yandex Identity Hub
  • Yandex Cloud Postbox
  • Yandex Cloud Registry
  • Yandex Cloud Video
  • Yandex Compute Cloud
  • Yandex Connection Manager
  • Yandex Container Registry
  • Yandex DataLens
  • Yandex Data Processing
  • Yandex DataSphere
  • Yandex Data Streams
  • Yandex Data Transfer
  • Yandex Identity and Access Management
  • Yandex IoT Core
  • Yandex AI Studio
  • Yandex Key Management Service
  • Yandex Load Testing
  • Yandex Lockbox
  • Managed databases
  • Yandex Managed Service for Apache Airflow™
  • Yandex Managed Service for Apache Kafka®
  • Yandex Managed Service for ClickHouse®
  • Yandex Managed Service for GitLab
  • Yandex MPP Analytics for PostgreSQL
  • Yandex Managed Service for Kubernetes
  • Yandex StoreDoc
  • Yandex Managed Service for MySQL®
  • Yandex Managed Service for OpenSearch
  • Yandex Managed Service for PostgreSQL
  • Yandex Managed Service for Sharded PostgreSQL
  • Yandex Managed Service for Valkey™
  • Yandex Managed Service for SQL Server
  • Yandex Managed Service for YDB
  • Yandex Message Queue
  • Yandex Monitoring
  • Yandex Network Load Balancer
  • Yandex Object Storage
  • Yandex Query
  • Yandex Resource Manager
  • Yandex Search API
  • Yandex Security Deck
    • General Yandex Security Deck roles
    • YCDR roles
    • DSPM roles
    • KSPM roles
    • CSPM roles
    • Access Transparency roles
    • Alerts roles
  • Yandex Serverless Containers
  • Yandex Serverless Integrations
    • Yandex EventRouter roles
    • Yandex Workflows roles
  • Yandex SmartCaptcha
  • Yandex Smart Web Security
  • Yandex SpeechKit
  • Yandex SpeechSense
  • Yandex Translate
  • Yandex Virtual Private Cloud
  • Yandex Vision OCR
  • Yandex WebSQL
  • Yandex Wiki

Primitive roles

Yandex Cloud has four primitive roles, and each one inherits all the permissions of the one before it: auditor, then viewer, then editor, then admin. For example, the editor role includes all the permissions of the viewer role. Each role is described below.

Primitive roles allow users to perform actions in all Yandex Cloud services: a primitive role assigned for a cloud or folder applies to every resource of every service in it.

auditor

The auditor role grants permission to read the configuration and metadata of any Yandex Cloud resource, with no access to the data stored in those resources.

For instance, users with this role can:

  • View info on a resource.
  • View the resource metadata.
  • View the list of operations with a resource.

auditor is the least privileged primitive role: it grants no access to service data. It suits users who need only minimal read access to Yandex Cloud resources.

viewer

The viewer role grants read access to information on any Yandex Cloud resources.

This role includes the auditor permissions.

Unlike auditor, the viewer role also grants read access to service data.

editor

The editor role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.

For instance, users with this role can create, modify, and delete resources.

This role includes the viewer permissions.

admin

The admin role enables assigning any roles, except for resource-manager.clouds.owner and organization-manager.organizations.owner, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).

Before assigning the admin role for an organization, cloud, or billing account, review the guidance on protecting privileged accounts: a subject holding admin at that scope can grant almost any role to anyone.

This role includes the editor permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the least privilege principle.
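One way to make the inheritance statements on this page machine-checkable, as an added example (this is not Yandex Cloud code): the script below encodes the "This role includes ..." relations from this reference for the primitive roles and for several service roles described further down, expands any role to the full set it carries, and audits a list of access bindings for primitive-role grants. The binding shape mirrors what `yc resource-manager folder list-access-bindings --format json` returns, but the exact field names and the sample subject IDs are assumptions constructed for the example.

```python
"""Resolve documented Yandex Cloud role inheritance and audit access bindings
for least privilege.  Added example for this reference, not Yandex Cloud code."""
from __future__ import annotations

import json

# "This role includes the X permissions" relations, copied from this reference.
# Only the roles discussed on this page are encoded; extend the table as needed.
INCLUDES: dict[str, frozenset[str]] = {
    "viewer": frozenset({"auditor"}),
    # The quota-manager section states requestOperator is part of editor and admin.
    "editor": frozenset({"viewer", "quota-manager.requestOperator"}),
    "admin": frozenset({"editor"}),
    "ai.auditor": frozenset({"ai.assistants.auditor", "ai.datasets.auditor",
                             "ai.models.auditor"}),
    "ai.viewer": frozenset({"ai.auditor", "ai.assistants.viewer",
                            "ai.datasets.viewer", "ai.models.viewer"}),
    "ai.editor": frozenset({"ai.viewer", "ai.translate.user", "ai.vision.user",
                            "ai.speechkit-stt.user", "ai.speechkit-tts.user",
                            "ai.languageModels.user", "ai.imageGeneration.user",
                            "ai.assistants.editor", "ai.datasets.editor"}),
    "ai.admin": frozenset({"ai.editor", "ai.assistants.admin",
                           "ai.datasets.admin", "ai.models.admin"}),
    "api-gateway.viewer": frozenset({"api-gateway.auditor"}),
    "api-gateway.websocketWriter": frozenset({"api-gateway.viewer"}),
    "api-gateway.websocketBroadcaster": frozenset({"api-gateway.websocketWriter"}),
    "api-gateway.editor": frozenset({"api-gateway.websocketWriter"}),
    "api-gateway.admin": frozenset({"api-gateway.editor"}),
    "alb.viewer": frozenset({"alb.auditor"}),
    "alb.editor": frozenset({"load-balancer.privateAdmin", "vpc.user"}),
    "alb.admin": frozenset({"alb.editor"}),
    "audit-trails.viewer": frozenset({"audit-trails.auditor"}),
    "audit-trails.editor": frozenset({"audit-trails.viewer"}),
}

PRIMITIVE_ROLES = frozenset({"auditor", "viewer", "editor", "admin"})
# Scopes for which this page tells you to review privileged-account
# protection before assigning admin.
PRIVILEGED_SCOPES = frozenset({"organization", "cloud", "billing-account"})


def expand_role(role: str) -> set[str]:
    """Return `role` plus every role it transitively includes (depth-first walk)."""
    seen: set[str] = set()
    stack = [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(INCLUDES.get(current, ()))
    return seen


def subject_key(binding: dict) -> str:
    """Render a binding's subject as 'type:id', e.g. serviceAccount:aje..."""
    return f'{binding["subject"]["type"]}:{binding["subject"]["id"]}'


def effective_roles(bindings: list[dict], subject: str) -> set[str]:
    """Union of the expanded roles a subject holds through the given bindings."""
    held: set[str] = set()
    for binding in bindings:
        if subject_key(binding) == subject:
            held |= expand_role(binding["role_id"])
    return held


def has_effective_role(bindings: list[dict], subject: str, role: str) -> bool:
    """True if `subject` holds `role` directly or through a role that includes it."""
    return role in effective_roles(bindings, subject)


def audit_bindings(bindings: list[dict], scope: str) -> list[str]:
    """Flag bindings that go against the least-privilege guidance on this page."""
    findings: list[str] = []
    for binding in bindings:
        role, subject = binding["role_id"], subject_key(binding)
        if role in PRIMITIVE_ROLES:
            findings.append(
                f"{subject}: primitive role '{role}' applies to every service "
                f"in the {scope}; prefer a service role")
        if role == "admin" and scope in PRIVILEGED_SCOPES:
            findings.append(
                f"{subject}: 'admin' on a {scope} can assign almost any role; "
                "review privileged-account protection first")
    return findings


# Constructed sample in the shape of
# `yc resource-manager folder list-access-bindings <folder> --format json`.
# Field names and IDs are assumptions made for this example.
SAMPLE_BINDINGS_JSON = """
[
  {"role_id": "alb.admin", "subject": {"id": "ajeexample0001", "type": "serviceAccount"}},
  {"role_id": "editor",    "subject": {"id": "ajeexample0002", "type": "serviceAccount"}},
  {"role_id": "ai.viewer", "subject": {"id": "gidexample0003", "type": "group"}}
]
"""
SAMPLE_BINDINGS: list[dict] = json.loads(SAMPLE_BINDINGS_JSON)

if __name__ == "__main__":
    sa = "serviceAccount:ajeexample0001"
    print(sorted(expand_role("admin")))
    print("alb.admin carries vpc.user:", has_effective_role(SAMPLE_BINDINGS, sa, "vpc.user"))
    # Attaching a public IP to an L7 balancer additionally needs vpc.publicAdmin.
    print("... but not vpc.publicAdmin:", has_effective_role(SAMPLE_BINDINGS, sa, "vpc.publicAdmin"))
    for finding in audit_bindings(SAMPLE_BINDINGS, "folder"):
        print("FINDING:", finding)
```

Because the table only holds the inclusions documented on this page, a role missing from INCLUDES expands to itself alone; add entries before relying on the audit for services it does not cover. The vpc.publicAdmin check mirrors the Application Load Balancer caveat further down: alb.admin carries vpc.user through alb.editor but not vpc.publicAdmin, so attaching a public IP to an L7 balancer needs a separate binding on the network.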

Service roles

quota-manager.viewer

The quota-manager.viewer role enables viewing info on Yandex Cloud service quotas, on requests to increase those quotas, and on clouds.

quota-manager.requestOperator

The quota-manager.requestOperator role lets you create requests to increase Yandex Cloud service quotas. These permissions are also included in the editor and admin roles.

AI services

ai.auditor

The ai.auditor role enables viewing the quotas for Yandex Translate, Yandex Vision, Yandex SpeechKit, and Yandex AI Studio, viewing the info on AI assistants, datasets, and text generation models in Yandex AI Studio, as well as reading folder metadata.

This role includes the ai.assistants.auditor, ai.datasets.auditor, and ai.models.auditor permissions.

ai.viewer

The ai.viewer role enables viewing the info on quotas for Yandex Translate, Yandex Vision, Yandex SpeechKit, and Yandex AI Studio, on AI assistants, datasets, and text generation models in Yandex AI Studio, as well as on the relevant folder.

This role includes the ai.auditor, ai.assistants.viewer, ai.datasets.viewer, and ai.models.viewer permissions.

ai.editor

The ai.editor role enables using Yandex Translate, Yandex Vision, Yandex SpeechKit, and Yandex AI Studio.

Users with this role can:

  • Use Yandex Translate to translate texts.
  • Use Yandex Vision OCR to analyze images.
  • Use Yandex SpeechKit for speech recognition and synthesis.
  • Use YandexGPT API language models for text generation, YandexART models for image generation, and AI assistants within Yandex AI Studio.
  • View info on datasets, as well as create, modify, and delete them.
  • Fine-tune text generation models in Yandex AI Studio, as well as create, modify, and delete such models.
  • View info on the relevant cloud and folder.
  • View information on Translate, Vision, SpeechKit, and AI Studio quotas.

This role includes the ai.viewer, ai.translate.user, ai.vision.user, ai.speechkit-stt.user, ai.speechkit-tts.user, ai.languageModels.user, ai.imageGeneration.user, ai.assistants.editor, and ai.datasets.editor permissions.

ai.admin

The ai.admin role enables using Yandex Translate, Yandex Vision, Yandex SpeechKit, and Yandex AI Studio.

Users with this role can:

  • Use Yandex Translate to translate texts.
  • Use Yandex Vision OCR to analyze images.
  • Use Yandex SpeechKit for speech recognition and synthesis.
  • Use YandexGPT API language models for text generation, YandexART models for image generation, and AI assistants within Yandex AI Studio.
  • View info on datasets, as well as create, modify, and delete them.
  • Fine-tune text generation models in Yandex AI Studio, as well as create, modify, and delete such models.
  • View info on the relevant cloud and folder.
  • View information on Translate, Vision, SpeechKit, and AI Studio quotas.

This role includes the ai.editor, ai.assistants.admin, ai.datasets.admin, and ai.models.admin permissions.

Yandex Cloud partner program

billing.accounts.owner

When creating your billing account, you get the billing.accounts.owner role automatically. Any user with the billing.accounts.owner role can revoke this role from the billing account creator and change the owner.

In Yandex Cloud Billing, users with this role can:
  • Display billing accounts in the list of all accounts.
  • View billing account data.
  • View client offers.
  • View info on the access permissions granted for the relevant billing accounts and modify such permissions.
  • Activate, deactivate, or modify the technical support service plan, as well as change the billing account from which the payment is debited.
  • View and download reporting (or closing) documents.
  • Generate new reconciliation reports.
  • View and download generated reconciliation reports.
  • Get and view notifications on consumption.
  • Monitor expenses.
  • View usage details.
  • Export details.
  • Create budgets.
  • Reserve resource usage.
  • Top up their personal account using a bank account.
  • Top up their personal account using a credit or debit card.
  • Link clouds to a billing account.
  • Rename billing accounts.
  • Change payer contact details.
  • Change payment details.
  • Change their credit or debit card details.
  • Change the payment method.
  • Redeem promo codes.
  • Activate the trial period.
  • Activate the paid version.
  • Delete billing accounts.
On the Yandex Cloud partner portal, users with this role can:
  • Create customer records (subaccounts).
  • View the list of subaccounts and info on them, including personal data.
  • Update subaccount records.
  • Activate subaccounts.
  • Suspend subaccounts.
  • Re-activate subaccounts.
  • Delete subaccounts without customer confirmation.
  • Link clouds to subaccounts.
  • Manage access permissions to subaccounts.
  • View the details of how the customers use services.
  • View the list of partner discounts and info on them.

This role includes the billing.accounts.admin and billing.accounts.varWithoutDiscounts permissions.

billing.accounts.viewer

To use the billing.accounts.viewer role, you need to assign it for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, and export reconciliation reports and reporting documents.

In Yandex Cloud Billing, users with this role can:
  • Display billing accounts in the list of all accounts.
  • View billing account data.
  • View and download reporting (or closing) documents.
  • View and download generated reconciliation reports.
  • Get and view notifications on consumption.
  • Monitor expenses.
  • View usage details.

billing.accounts.accountant

To use the billing.accounts.accountant role, you need to assign it for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, export reconciliation reports and reporting documents, create new reconciliation reports, and top up your personal account using a bank account.

In Yandex Cloud Billing, users with this role can:
  • Display billing accounts in the list of all accounts.
  • View billing account data.
  • View and download reporting (or closing) documents.
  • Generate new reconciliation reports.
  • View and download generated reconciliation reports.
  • Get and view notifications on consumption.
  • Monitor expenses.
  • View usage details.
  • Top up their personal account using a bank account.

This role includes the billing.accounts.viewer permissions.

billing.accounts.editor

To use the billing.accounts.editor role, you need to assign it for a billing account. It enables you to get payment invoices, redeem promo codes, link clouds and services to your billing account, create details export and budgets, generate reconciliation reports, and reserve resources.

In Yandex Cloud Billing, users with this role can:
  • Display billing accounts in the list of all accounts.
  • View billing account data.
  • View client offers.
  • View and download reporting (or closing) documents.
  • Generate new reconciliation reports.
  • View and download generated reconciliation reports.
  • Get and view notifications on consumption.
  • Monitor expenses.
  • View usage details.
  • Export details.
  • Create budgets.
  • Reserve resource usage.
  • Top up their personal account using a bank account.
  • Link clouds to a billing account.
  • Rename billing accounts.
  • Redeem promo codes.
On the Yandex Cloud partner portal, users with this role can:
  • Link clouds to subaccounts.

This role includes the billing.accounts.viewer permissions.

billing.accounts.varWithoutDiscounts

To use the billing.accounts.varWithoutDiscounts role, you need to assign it for a billing account. This role grants partner accounts all administrator privileges, except the permission to get information about discounts.

In Yandex Cloud Billing, users with this role can:
  • Display billing accounts in the list of all accounts.
  • View billing account data.
  • View info on the access permissions granted for the relevant billing accounts.
  • View and download reporting (or closing) documents.
  • Generate new reconciliation reports.
  • View and download generated reconciliation reports.
  • Get and view notifications on consumption.
  • Monitor expenses.
  • View usage details.
  • Export details.
  • Create budgets.
  • Reserve resource usage.
  • Top up their personal account using a bank account.
  • Link clouds to a billing account.
  • Rename billing accounts.
  • Redeem promo codes.
On the Yandex Cloud partner portal, users with this role can:
  • Create customer records (subaccounts).
  • View the list of subaccounts and info on them.
  • Activate subaccounts.
  • Suspend subaccounts.
  • Re-activate subaccounts.
  • Link clouds to subaccounts.
  • Manage access permissions to subaccounts.
  • View the details of how the customers use services.

This role includes the billing.partners.editor permissions.

billing.accounts.admin

To use the billing.accounts.admin role, you need to assign it for a billing account. It enables managing access to a billing account (except for billing.accounts.owner).

In Yandex Cloud Billing, users with this role can:
  • Display billing accounts in the list of all accounts.
  • View billing account data.
  • View client offers.
  • View info on the access permissions granted for the relevant billing accounts and modify such permissions (except for assigning and revoking the billing.accounts.owner role).
  • Activate, deactivate, or modify the technical support service plan, as well as change the billing account from which the payment is debited.
  • View and download reporting (or closing) documents.
  • Generate new reconciliation reports.
  • View and download generated reconciliation reports.
  • Get and view notifications on consumption.
  • Monitor expenses.
  • View usage details.
  • Export details.
  • Create budgets.
  • Reserve resource usage.
  • Top up their personal account using a bank account.
  • Link clouds to a billing account.
  • Rename billing accounts.
  • Redeem promo codes.
On the Yandex Cloud partner portal, users with this role can:
  • Create customer records (subaccounts).
  • View the list of subaccounts and info on them, including personal data.
  • Activate subaccounts.
  • Suspend subaccounts.
  • Re-activate subaccounts.
  • Link clouds to subaccounts.
  • Manage access permissions to subaccounts.
  • View the details of how the customers use services.
  • View the list of partner discounts and info on them.

This role includes the billing.accounts.editor, billing.accounts.partnerAdmin, and billing.partners.editor permissions.

billing.accounts.partnerViewer

To use the billing.accounts.partnerViewer role, you need to assign it for a billing account. It enables viewing partner info, except for personal data.

On the Yandex Cloud partner portal, users with this role can:

  • View the list of subaccounts and info on them (except for personal data).
  • View the list of partner discounts.
  • View the partner tools page.
  • View the list of accounts and info on them (except for personal data).
  • View the list of contacts and info on them (except for personal data).
  • View the list of partner deals and info on them (except for personal data).

billing.accounts.piiPartnerViewer

To use the billing.accounts.piiPartnerViewer role, you need to assign it for a billing account. It enables viewing subaccount and partner info, including personal data.

On the Yandex Cloud partner portal, users with this role can:

  • View info on the partner balance, discounts, and rebate withdrawals.
  • View details on partner consumption, including consumption in partner subaccounts.
  • View the list of partner discounts.
  • View the partner tools page.
  • View the list of accounts and info on them, including personal data.
  • View the list of subaccounts and info on them, including personal data.
  • View the list of contacts and info on them, including personal data.
  • View the list of partner deals and info on them, including personal data.

This role includes the billing.accounts.partnerViewer permissions.

billing.accounts.partnerEditor

To use the billing.accounts.partnerEditor role, you need to assign it for a billing account. It enables managing accounts, subaccounts, contacts, and partner deals. This role does not provide access to personal data.

On the Yandex Cloud partner portal, users with this role can:

  • Manage subaccounts regardless of the access permissions assigned at the organization level, except for the permission to work with a partner.
  • View the list of subaccounts and info on them (except for personal data).
  • Create new subaccounts and update the existing ones, as well as suspend, resume, and delete subaccounts.
  • View the list of accounts and info on them (except for personal data), as well as edit such info.
  • View the list of contacts and info on them (except for personal data), as well as edit such contacts.
  • View the list of partner deals and info on them (except for personal data), as well as edit such info.
  • View the list of partner discounts.
  • View the partner tools page.

This role includes the billing.accounts.partnerViewer permissions.

billing.accounts.piiPartnerEditor

To use the billing.accounts.piiPartnerEditor role, you need to assign it for a billing account. It enables managing partner rebate withdrawals, as well as viewing subaccount and partner info, including personal data.

On the Yandex Cloud partner portal, users with this role can:

  • View info on the partner balance, discounts, and rebate withdrawals.
  • Create spending agreements for partner rebates and withdraw such rebates.
  • View details on partner consumption, including consumption in partner subaccounts.
  • View the list of partner discounts.
  • View the partner tools page.
  • View the list of accounts and info on them, including personal data.
  • View the list of subaccounts and info on them, including personal data.
  • View the list of contacts and info on them, including personal data.
  • View the list of partner deals and info on them, including personal data.

This role includes the billing.accounts.piiPartnerViewer permissions.

billing.accounts.partnerAdmin

To use the billing.accounts.partnerAdmin role, you need to assign it for a billing account. It enables access to all partner portal tools and all info stored on the portal, including personal data.

On the Yandex Cloud partner portal, users with this role can:

  • Manage subaccounts regardless of the access permissions assigned at the organization level, except for the permission to work with a partner.
  • View the list of subaccounts and info on them, including personal data.
  • Create new subaccounts and update the existing ones, as well as suspend, resume, and delete subaccounts.
  • View the list of accounts and info on them, including personal data, as well as edit such info.
  • View the list of contacts and info on them, including personal data, as well as edit such contacts.
  • View the list of partner deals and info on them, including personal data, as well as edit such info.
  • View info on the partner balance, discounts, and rebate withdrawals.
  • Create spending agreements for partner rebates and withdraw such rebates.
  • View details on partner consumption, including consumption in partner subaccounts.
  • View the list of partner discounts.
  • View the partner tools page.

This role includes the billing.accounts.partnerEditor and billing.accounts.piiPartnerEditor permissions.

For more information, see Access management in Yandex Cloud partner program.

Yandex API Gateway

api-gateway.auditor

The api-gateway.auditor role allows you to view the list of API gateways and the details on access permissions assigned to such gateways. It also enables viewing the relevant folder metadata.

api-gateway.viewer

The api-gateway.viewer role allows you to view the list of API gateways, info on them, and the details on access permissions assigned to such gateways. It also enables viewing the relevant folder metadata.

This role includes the api-gateway.auditor permissions.

api-gateway.editor

The api-gateway.editor role enables managing API gateways and viewing info on them, as well as working with WebSocket API.

Users with this role can:

  • View the list of API gateways, info on them and on access permissions assigned to them, as well as use, modify, and delete such gateways.
  • Use the request rate limit.
  • View info on WebSocket connections and close them, as well as send data through such connections.
  • View info on the relevant folder.

This role includes the api-gateway.websocketWriter permissions.

api-gateway.websocketWriter

The api-gateway.websocketWriter role allows you to work with WebSocket API, as well as view the list of API gateways, info on them, and the details on access permissions assigned to such gateways.

Users with this role can:

  • View info on WebSocket connections and close them, as well as send data through such connections.
  • View the list of API gateways, info on them and on access permissions assigned to them.
  • View info on the relevant folder.

This role includes the api-gateway.viewer permissions.

api-gateway.websocketBroadcaster

The api-gateway.websocketBroadcaster role enables transmitting data through WebSocket (which includes sending data to multiple clients concurrently), as well as viewing the list of API gateways, info on them and on access permissions assigned to them.

Users with this role can:

  • View info on WebSocket connections and close them, as well as send data through such connections, which includes transmitting data to multiple clients concurrently.
  • View the list of API gateways, info on them and on access permissions assigned to them.
  • View info on the relevant folder.

This role includes the api-gateway.websocketWriter permissions.

api-gateway.admin

The api-gateway.admin role enables managing API gateways and access to them, viewing info on API gateways, and working with WebSocket API.

Users with this role can:

  • View info on access permissions assigned for API gateways and modify such permissions.
  • View info on API gateways, as well as create, modify, and delete them.
  • View info on WebSocket connections and close them, as well as send data through such connections.
  • Use the request rate limit.
  • View info on the relevant folder.

This role includes the api-gateway.editor permissions.

For more information, see Access management in API Gateway.

Yandex Application Load Balancer

alb.auditor

The alb.auditor role enables you to view info on the Application Load Balancer resources and quotas.

Users with this role can:

  • View the list of L7 balancers and the info on them.
  • View the list of HTTP routers and the info on them.
  • View the list of virtual hosts and the info on them.
  • View the list of backend groups and the info on them.
  • View the list of target groups and the info on them.
  • View info on the Application Load Balancer quotas.

alb.viewer

The alb.viewer role enables viewing the list of Application Load Balancer resources and the info on them and the relevant quotas.

Users with this role can:

  • View the list of L7 balancers and the info on them.
  • View the list of HTTP routers and the info on them.
  • View the list of virtual hosts and the info on them.
  • View the list of backend groups and the info on them.
  • View the list of target groups and the info on them.
  • View info on the Application Load Balancer quotas.

This role includes the alb.auditor permissions.

alb.user

The alb.user role enables using L7 balancers, HTTP routers, backend groups, and target groups, as well as viewing info on the Application Load Balancer resources.

Users with this role can:

  • View the list of L7 balancers and info on them, as well as use them.
  • View the list of HTTP routers and the info on them, as well as use such routers.
  • View the list of virtual hosts and the info on them.
  • View the list of backend groups and info on them, as well as use them.
  • View the list of target groups and the info on them, as well as use them.
  • View info on the Application Load Balancer quotas.

You can assign this role for a folder.

alb.editor

The alb.editor role enables managing Application Load Balancer resources and internal network load balancers, as well as viewing info on them and on the cloud networks, subnets, route tables, gateways, security groups, and IP addresses.

Users with this role can:
  • View the list of L7 balancers and the info on them, as well as create, modify, delete, and use such balancers.
  • View the list of HTTP routers and the info on them, as well as create, modify, delete, and use such routers.
  • View the list of virtual hosts and info on them, as well as modify them.
  • View the list of backend groups and the info on them, as well as create, modify, delete, and use such groups.
  • View the list of L7 balancer target groups and network balancers and the info on them, as well as create, modify, delete, and use target groups.
  • View the list of network load balancers and the info on them, as well as create internal network load balancers (including those with UDP listeners), modify, delete, start, and stop them.
  • View the list of cloud networks and info on them, as well as use them.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud resource addresses and info on them, as well as use such addresses.
  • View the list of route tables and info on them, as well as use them.
  • View the list of security groups and info on them, as well as use them.
  • View information on NAT gateways and connect them to route tables.
  • View the info on the used IP addresses in subnets, as well as create internal addresses.
  • View the info on operations with the Virtual Private Cloud and Compute Cloud resources.
  • View the list of operations with the Network Load Balancer resources.
  • View info on the relevant cloud and folder.
  • View info on the Application Load Balancer, Network Load Balancer, and Virtual Private Cloud quotas.

This role includes the load-balancer.privateAdmin and vpc.user permissions.

To connect a public IP address to a new or existing L7 balancer, you also need the vpc.publicAdmin role assigned for the network where the balancer resides.

alb.admin

The alb.admin role enables managing Application Load Balancer resources and internal network load balancers, as well as viewing info on cloud networks, subnets, route tables, gateways, security groups, IP addresses, and quotas.

Users with this role can:
  • View the list of L7 balancers and the info on them, as well as create, modify, delete, and use such balancers.
  • View the list of HTTP routers and the info on them, as well as create, modify, delete, and use such routers.
  • View the list of virtual hosts and info on them, as well as modify them.
  • View the list of backend groups and the info on them, as well as create, modify, delete, and use such groups.
  • View the list of L7 balancer target groups and network balancers and the info on them, as well as create, modify, delete, and use target groups.
  • View the list of network load balancers and the info on them, as well as create internal network load balancers (including those with UDP listeners), modify, delete, start, and stop them.
  • View the list of cloud networks and info on them, as well as use them.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud resource addresses and info on them, as well as use such addresses.
  • View the list of route tables and info on them, as well as use them.
  • View the list of security groups and info on them, as well as use them.
  • View information on NAT gateways and connect them to route tables.
  • View the info on the used IP addresses in subnets, as well as create internal addresses.
  • View the info on operations with the Virtual Private Cloud and Compute Cloud resources.
  • View the list of operations with the Network Load Balancer resources.
  • View info on the relevant cloud and folder.
  • View info on the Application Load Balancer, Network Load Balancer, and Virtual Private Cloud quotas.

This role includes the alb.editor permissions.

To connect a public IP address to a new or existing L7 balancer, you also need the vpc.publicAdmin role assigned for the network where the balancer resides.

For more information, see Access management in Application Load Balancer.

Yandex Audit Trails

audit-trails.auditor

The audit-trails.auditor role enables viewing the list of trails and info on them, as well as the info on the relevant cloud, folder, and Audit Trails quotas.

audit-trails.viewer

The audit-trails.viewer role enables reading audit logs and viewing the list of trails and info on them, as well as the info on the relevant cloud, folder, and Audit Trails quotas.

This role includes the audit-trails.auditor permissions.

audit-trails.editor

The audit-trails.editor role enables managing trails and reading audit logs.

Users with this role can:

  • View the list of trails and info on them, as well as create, modify, and delete them.
  • Read audit logs.
  • View info on the relevant cloud and folder.
  • View info on the Audit Trails quotas.

This role includes the audit-trails.viewer permissions.

audit-trails.admin

The audit-trails.admin role enables managing trails and user access to them, as well as reading audit logs.

Users with this role can:

  • View info on access permissions assigned to trails and modify such permissions.
  • View the list of trails and info on them, as well as create, modify, and delete them.
  • Read audit logs.
  • View info on the relevant cloud and folder.
  • View info on the Audit Trails quotas.

This role includes the audit-trails.editor permissions.

audit-trails.configViewer

The audit-trails.configViewer role enables viewing the list of trails and info on them, as well as the info on the relevant cloud, folder, and Audit Trails quotas.

This role is no longer available. Please use audit-trails.auditor instead.

For more information, see Access management in Audit Trails.

Yandex BareMetal

baremetal.auditor

The baremetal.auditor role enables viewing the Yandex BareMetal resource metadata.

Users with this role can:

  • View info on BareMetal servers and their configuration.
  • View info on private subnets and virtual routing and forwarding (VRF) segments.
  • View info on the uploaded OS images for BareMetal servers.
  • View details on Yandex BareMetal quotas.
  • View info on the relevant folder.

baremetal.viewer

The baremetal.viewer role enables viewing info on the Yandex BareMetal resources.

Users with this role can:

  • View info on BareMetal servers and their configuration.
  • View info on private subnets and virtual routing and forwarding (VRF) segments.
  • View info on the uploaded OS images for BareMetal servers.
  • View details on Yandex BareMetal quotas.
  • View info on the relevant folder.

This role includes the baremetal.auditor permissions.

baremetal.operator

The baremetal.operator role enables working on the BareMetal servers and viewing info on the Yandex BareMetal resources.

Users with this role can:

  • View info on BareMetal servers and their configuration.
  • Use the KVM console.
  • Use IPMI to power the servers on, shut them down, and restart them.
  • View info on private subnets and virtual routing and forwarding (VRF) segments.
  • View info on the uploaded OS images for the servers.
  • View details on Yandex BareMetal quotas.
  • View info on the relevant folder.

This role includes the baremetal.viewer permissions.

baremetal.editor

The baremetal.editor role enables managing BareMetal servers, private subnets, virtual routing and forwarding (VRF) segments, and OS server images.

Users with this role can:

  • View info on BareMetal servers and their configuration.
  • Start and stop renting BareMetal servers and change their settings.
  • View info on private subnets, as well as create, modify, and delete them.
  • View info on virtual routing and forwarding (VRF) segments, as well as create, modify, and delete them.
  • View info on the uploaded OS images for BareMetal servers, as well as upload, modify, and delete such images.
  • Reinstall the OS on BareMetal servers.
  • Use the KVM console.
  • Use IPMI to power the servers on, shut them down, and restart them.
  • View details on Yandex BareMetal quotas.
  • View info on the relevant folder.

This role includes the baremetal.operator permissions.

baremetal.admin

The baremetal.admin role enables managing BareMetal servers, private subnets, virtual routing and forwarding (VRF) segments, and OS server images.

Users with this role can:

  • View info on BareMetal servers and their configuration.
  • Start and stop renting BareMetal servers and change their settings.
  • View info on private subnets, as well as create, modify, and delete them.
  • View info on virtual routing and forwarding (VRF) segments, as well as create, modify, and delete them.
  • View info on the uploaded OS images for BareMetal servers, as well as upload, modify, and delete such images.
  • Reinstall the OS on BareMetal servers.
  • Use the KVM console.
  • Use IPMI to power the servers on, shut them down, and restart them.
  • View details on Yandex BareMetal quotas.
  • View info on the relevant folder.

This role includes the baremetal.editor permissions.

For more information, see Access management in Yandex BareMetal.

Yandex Cloud Interconnect

cic.auditor

The cic.auditor role enables viewing info on Cloud Interconnect resources.

Users with this role can:
  • View info on the points of presence.
  • View info on CIC partners.
  • View info on trunk links.
  • View info on private connections.
  • View info on public connections.
  • View info on Cloud Interconnect quotas.
  • View info on the relevant cloud.
  • View information on the relevant folder.

cic.viewer

The cic.viewer role enables viewing info on Cloud Interconnect resources.

Users with this role can:
  • View info on the points of presence.
  • View info on CIC partners.
  • View info on trunk links.
  • View info on private connections.
  • View info on public connections.
  • View info on Cloud Interconnect quotas.
  • View info on the relevant cloud.
  • View information on the relevant folder.

This role includes the cic.auditor permissions.

cic.editor

The cic.editor role enables managing trunk links and private and public connections, as well as viewing info on Cloud Interconnect quotas and resources.

Users with this role can:
  • View info on trunk links, as well as create, modify, and delete them.
  • View info on private connections, as well as create, modify, and delete them.
  • View info on public connections, as well as create, modify, and delete them.
  • View info on the points of presence.
  • View info on CIC partners.
  • View info on Cloud Interconnect quotas.
  • View info on the relevant cloud.
  • View information on the relevant folder.

This role includes the cic.viewer permissions.

cic.admin

The cic.admin role enables managing Cloud Interconnect resources.

Users with this role can:
  • View info on trunk links, as well as create, modify, and delete them.
  • View info on private connections, as well as create, modify, and delete them.
  • View info on public connections, as well as create, modify, and delete them.
  • View info on the points of presence.
  • View info on CIC partners.
  • View info on Cloud Interconnect quotas.
  • View info on the relevant cloud.
  • View information on the relevant folder.

This role includes the cic.editor permissions.

cic.secretViewer

The cic.secretViewer role enables getting Cloud Interconnect private and public connection secrets.

cic.secretEditor

The cic.secretEditor role enables getting and modifying Cloud Interconnect private and public connection secrets.

This role includes the cic.secretViewer permissions.

For more information, see Access management in Cloud Interconnect.

Yandex Cloud Router

cloud-router.auditor

The cloud-router.auditor role enables viewing info on Cloud Router resources.

Users with this role can:

  • View info on the routing instances.
  • View info on Cloud Router quotas.
  • View info on the relevant cloud.
  • View information on the relevant folder.

cloud-router.viewer

The cloud-router.viewer role enables viewing info on Cloud Router resources.

Users with this role can:

  • View info on the routing instances.
  • View info on Cloud Router quotas.
  • View info on the relevant cloud.
  • View information on the relevant folder.

This role includes the cloud-router.auditor permissions.

cloud-router.prefixEditor

The cloud-router.prefixEditor role enables managing cloud subnet IP prefixes in routing instances, as well as viewing info on Cloud Router resources.

Users with this role can:

  • View info on the routing instances.
  • Add, modify, and remove cloud subnet IP prefixes in routing instances.
  • View info on Cloud Router quotas.
  • View info on the relevant cloud.
  • View information on the relevant folder.

This role includes the cloud-router.viewer permissions.

cloud-router.editor

The cloud-router.editor role enables managing routing instances, as well as viewing info on Cloud Router resources.

Users with this role can:

  • View info on routing instances, as well as create, modify, and delete them.
  • Add, modify, and remove cloud subnet IP prefixes in routing instances.
  • View info on Cloud Router quotas.
  • View info on the relevant cloud.
  • View information on the relevant folder.

This role includes the cloud-router.prefixEditor permissions.

cloud-router.admin

The cloud-router.admin role enables managing Cloud Router resources.

Users with this role can:

  • View info on routing instances, as well as create, modify, and delete them.
  • Add, modify, and remove cloud subnet IP prefixes in routing instances.
  • View info on Cloud Router quotas.
  • View info on the relevant cloud.
  • View information on the relevant folder.

This role includes the cloud-router.editor permissions.

For more information, see Access management in Cloud Router.

Yandex Certificate Manager

certificate-manager.auditor

The certificate-manager.auditor role enables viewing info on certificates and access permissions assigned to them.

Users with this role can:

  • View the list of certificates and dependent resources, as well as info on certificates and access permissions assigned to them.
  • View info on the Certificate Manager quotas.

certificate-manager.viewer

The certificate-manager.viewer role enables viewing info on certificates and access permissions assigned to them.

Users with this role can:

  • View the list of certificates and dependent resources, as well as info on certificates and access permissions assigned to them.
  • View info on the Certificate Manager quotas.

This role includes the certificate-manager.auditor permissions.

certificate-manager.editor

The certificate-manager.editor role enables managing certificates, as well as viewing info on certificates, on the access permissions assigned to them, and on the Certificate Manager quotas.

Users with this role can:

  • View the list of certificates and dependent resources, as well as info on certificates and access permissions assigned to them.
  • Add, modify, update, and delete certificates.
  • View info on the Certificate Manager quotas.

This role includes the certificate-manager.viewer permissions.

certificate-manager.admin

The certificate-manager.admin role enables managing certificates and access to them, as well as getting the certificate contents.

Users with this role can:

  • View the list of certificates and dependent resources, as well as info on certificates.
  • View info on access permissions assigned to certificates and modify such permissions.
  • Add, modify, update, and delete certificates.
  • Get certificate contents.
  • View info on the Certificate Manager quotas.
  • View info on the relevant folder.

This role includes the certificate-manager.editor permissions.

certificate-manager.certificates.downloader

The certificate-manager.certificates.downloader role enables viewing the list of certificates and info on them, as well as getting the certificate contents.

For more information, see Access management in Certificate Manager.

Yandex Cloud Backup

backup.viewer

The backup.viewer role enables viewing information on virtual machines and BareMetal servers connected to Cloud Backup, on backup policies and backups, as well as on the relevant cloud, folder, and quotas.

Users with this role can:

  • View info on the connected backup providers.
  • View info on the access permissions granted for the relevant backup policies.
  • View info on backup policies and virtual machines and BareMetal servers linked to them.
  • View info on the virtual machines and BareMetal servers connected to Cloud Backup.
  • View info on backups.
  • View info on Cloud Backup quotas.
  • View info on the relevant cloud.
  • View info on the relevant folder and its statistics.

To assign the backup.viewer role, you need the admin role for the cloud or backup.admin for the folder.

backup.editor

The backup.editor role enables managing the connection of virtual machines and BareMetal servers to Cloud Backup, managing backup policies, making backups, and restoring VMs and BareMetal servers from the existing backups.

Users with this role can:

  • View info on connected backup providers, as well as connect providers available in Cloud Backup.
  • Create, modify, and delete backup policies, as well as link, unlink, and run them on virtual machines and BareMetal servers.
  • View info on the access permissions granted for the relevant backup policies.
  • View info on backup policies and virtual machines and BareMetal servers linked to them.
  • View info on virtual machines and BareMetal servers connected to Cloud Backup, as well as connect and disconnect VMs and BareMetal servers to and from it.
  • View info on backups, as well as delete them and use them to restore VMs and BareMetal servers.
  • View info on Cloud Backup quotas.
  • View info on the relevant cloud.
  • View info on the relevant folder and its statistics.

This role includes the backup.viewer permissions.

To assign the backup.editor role, you need the admin role for the cloud or backup.admin for the folder.

backup.admin

The backup.admin role enables managing backup policies and access to them, managing the connection of virtual machines and BareMetal servers to Cloud Backup, making backups, and restoring VMs and BareMetal servers from the existing backups.

Users with this role can:

  • View info on the access permissions granted for the relevant backup policies and modify such permissions.
  • View info on connected backup providers, as well as connect providers available in Cloud Backup.
  • Create, modify, and delete backup policies, as well as link, unlink, and run them on virtual machines and BareMetal servers.
  • View info on backup policies and virtual machines and BareMetal servers linked to them.
  • View info on virtual machines and BareMetal servers connected to Cloud Backup, as well as connect and disconnect VMs and BareMetal servers to and from it.
  • View info on backups, as well as delete them and use them to restore VMs and BareMetal servers.
  • View info on Cloud Backup quotas.
  • View info on the relevant cloud.
  • View info on the relevant folder and its statistics.

This role includes the backup.editor permissions.

To assign the backup.admin role, you need the admin role for the cloud.

For more information, see Access management in Cloud Backup.

Yandex Cloud Billing

billing.accounts.member

The billing.accounts.member role is granted automatically when a user is added to the service. It is required to display the selected billing account in the list of all user accounts.

billing.accounts.owner

When creating your billing account, you get the billing.accounts.owner role automatically. Any user with the billing.accounts.owner role can revoke this role from the billing account creator and change the owner.

In Yandex Cloud Billing, users with this role can:
  • Display billing accounts in the list of all accounts.
  • View billing account data.
  • View client offers.
  • View info on the access permissions granted for the relevant billing accounts and modify such permissions.
  • Activate, deactivate, or modify the technical support service plan, as well as change the billing account from which the payment is debited.
  • View and download reporting (or closing) documents.
  • Generate new reconciliation reports.
  • View and download generated reconciliation reports.
  • Get and view notifications on consumption.
  • Monitor expenses.
  • View usage details.
  • Export details.
  • Create budgets.
  • Reserve resource usage.
  • Top up their personal account using a bank account.
  • Top up their personal account using a credit or debit card.
  • Link clouds to a billing account.
  • Rename billing accounts.
  • Change payer contact details.
  • Change payment details.
  • Change their credit or debit card details.
  • Change the payment method.
  • Redeem promo codes.
  • Activate the trial period.
  • Activate the paid version.
  • Delete billing accounts.

On the Yandex Cloud partner portal, users with this role can:
  • Create customer records (subaccounts).
  • View the list of subaccounts and info on them, including personal data.
  • Update subaccount records.
  • Activate subaccounts.
  • Suspend subaccounts.
  • Re-activate subaccounts.
  • Delete subaccounts without customer confirmation.
  • Link clouds to subaccounts.
  • Manage access permissions to subaccounts.
  • View the details of how the customers use services.
  • View the list of partner discounts and info on them.

This role includes the billing.accounts.admin and billing.accounts.varWithoutDiscounts permissions.

billing.accounts.viewer

To use the billing.accounts.viewer role, you need to assign it for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, and export reconciliation reports and reporting documents.

In Yandex Cloud Billing, users with this role can:
  • Display billing accounts in the list of all accounts.
  • View billing account data.
  • View and download reporting (or closing) documents.
  • View and download generated reconciliation reports.
  • Get and view notifications on consumption.
  • Monitor expenses.
  • View usage details.

billing.accounts.accountant

To use the billing.accounts.accountant role, you need to assign it for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, export reconciliation reports and reporting documents, create new reconciliation reports, and top up your personal account using a bank account.

In Yandex Cloud Billing, users with this role can:
  • Display billing accounts in the list of all accounts.
  • View billing account data.
  • View and download reporting (or closing) documents.
  • Generate new reconciliation reports.
  • View and download generated reconciliation reports.
  • Get and view notifications on consumption.
  • Monitor expenses.
  • View usage details.
  • Top up their personal account using a bank account.

This role includes the billing.accounts.viewer permissions.

billing.accounts.editor

To use the billing.accounts.editor role, you need to assign it for a billing account. It enables you to get payment invoices, redeem promo codes, link clouds and services to your billing account, create details export and budgets, generate reconciliation reports, and reserve resources.

In Yandex Cloud Billing, users with this role can:
  • Display billing accounts in the list of all accounts.
  • View billing account data.
  • View client offers.
  • View and download reporting (or closing) documents.
  • Generate new reconciliation reports.
  • View and download generated reconciliation reports.
  • Get and view notifications on consumption.
  • Monitor expenses.
  • View usage details.
  • Export details.
  • Create budgets.
  • Reserve resource usage.
  • Top up their personal account using a bank account.
  • Link clouds to a billing account.
  • Rename billing accounts.
  • Redeem promo codes.

On the Yandex Cloud partner portal, users with this role can:
  • Link clouds to subaccounts.

This role includes the billing.accounts.viewer permissions.

billing.accounts.admin

To use the billing.accounts.admin role, you need to assign it for a billing account. It enables managing access to a billing account (except for billing.accounts.owner).

In Yandex Cloud Billing, users with this role can:
  • Display billing accounts in the list of all accounts.
  • View billing account data.
  • View client offers.
  • View info on the access permissions granted for the relevant billing accounts and modify such permissions (except for assigning and revoking the billing.accounts.owner role).
  • Activate, deactivate, or modify the technical support service plan, as well as change the billing account from which the payment is debited.
  • View and download reporting (or closing) documents.
  • Generate new reconciliation reports.
  • View and download generated reconciliation reports.
  • Get and view notifications on consumption.
  • Monitor expenses.
  • View usage details.
  • Export details.
  • Create budgets.
  • Reserve resource usage.
  • Top up their personal account using a bank account.
  • Link clouds to a billing account.
  • Rename billing accounts.
  • Redeem promo codes.

On the Yandex Cloud partner portal, users with this role can:
  • Create customer records (subaccounts).
  • View the list of subaccounts and info on them, including personal data.
  • Activate subaccounts.
  • Suspend subaccounts.
  • Re-activate subaccounts.
  • Link clouds to subaccounts.
  • Manage access permissions to subaccounts.
  • View the details of how the customers use services.
  • View the list of partner discounts and info on them.

This role includes the billing.accounts.editor, billing.accounts.partnerAdmin, and billing.partners.editor permissions.

billing.accounts.varWithoutDiscounts

To use the billing.accounts.varWithoutDiscounts role, you need to assign it for a billing account. This role grants partner accounts all administrator privileges, except the permission to get information about discounts.

In Yandex Cloud Billing, users with this role can:
  • Display billing accounts in the list of all accounts.
  • View billing account data.
  • View info on the access permissions granted for the relevant billing accounts.
  • View and download reporting (or closing) documents.
  • Generate new reconciliation reports.
  • View and download generated reconciliation reports.
  • Get and view notifications on consumption.
  • Monitor expenses.
  • View usage details.
  • Export details.
  • Create budgets.
  • Reserve resource usage.
  • Top up their personal account using a bank account.
  • Link clouds to a billing account.
  • Rename billing accounts.
  • Redeem promo codes.

On the Yandex Cloud partner portal, users with this role can:
  • Create customer records (subaccounts).
  • View the list of subaccounts and info on them.
  • Activate subaccounts.
  • Suspend subaccounts.
  • Re-activate subaccounts.
  • Link clouds to subaccounts.
  • Manage access permissions to subaccounts.
  • View the details of how the customers use services.

This role includes the billing.partners.editor permissions.

billing.partners.editor

The billing.partners.editor role is assigned for a billing account. It grants permission to edit information about a partner and their products in the partner product catalog.

For more information, see Access management in Yandex Cloud Billing.

Yandex Cloud CDN

cdn.viewer

The cdn.viewer role enables viewing info on the folder, origin groups, CDN resources, and Cloud CDN quotas.

cdn.editor

The cdn.editor role enables managing Cloud CDN resources, as well as viewing the info on quotas and the relevant folder.

Users with this role can:

  • View information on origin groups as well as create, modify, and delete them.
  • View information on CDN resources as well as create, modify, and delete them.
  • Manage log export for the requests to CDN servers.
  • Manage origin shielding.
  • View information on Cloud CDN quotas.
  • View information on the relevant folder.

This role includes the cdn.viewer permissions.

cdn.admin

The cdn.admin role enables managing Cloud CDN resources, as well as viewing the info on quotas and the relevant folder.

Users with this role can:

  • View information on origin groups as well as create, modify, and delete them.
  • View information on CDN resources as well as create, modify, and delete them.
  • Manage log export for the requests to CDN servers.
  • Manage origin shielding.
  • View information on Cloud CDN quotas.
  • View information on the relevant folder.

This role includes the cdn.editor permissions.

Additional permissions will be added to this role in the future.

For more information, see Access management in Cloud CDN.

Yandex Cloud Desktop

vdi.viewer

The vdi.viewer role enables viewing info on desktops and desktop groups.

Users with this role can:

  • View info on desktop groups and access permissions granted for them.
  • View info on desktops.
  • View info on the Cloud Desktop quotas.

This role includes the vdi.auditor permissions.

vdi.desktopGroups.maintainer

The vdi.desktopGroups.maintainer role enables using any desktops in a desktop group.

Users with this role can:

  • Assign themselves one desktop in each desktop group.
  • Connect to their desktops.
  • Start, restart, and stop any desktops in a group.
  • Reset the password on any desktop in a group.

This role includes the vdi.desktopGroups.user permissions.

vdi.desktopGroups.user

The vdi.desktopGroups.user role enables using your desktops.

Users with this role can:

  • Assign themselves one desktop in each desktop group.
  • Connect to their desktops.
  • Start, restart, and stop any desktops in a group.
  • Reset the password on any desktop in a group.

vdi.editor

The vdi.editor role allows managing desktop groups and desktops as well as using your desktops.

Users with this role can:

  • View info on desktop groups, as well as create, update, and delete them. A user with this role can only add themselves as a user to a desktop group or keep this field empty.
  • View info on access permissions granted for desktop groups.
  • View info on desktop groups, as well as create, update, and delete them.
  • Assign themselves any number of desktops in a group.
  • Connect to their desktops.
  • Start, restart, and stop any desktops in a group.
  • Reset the password on any desktop in a group.
  • View info on the Cloud Desktop quotas.

This role includes the vdi.viewer and vdi.desktopGroups.user permissions.

vdi.admin

The vdi.admin role allows managing desktop groups and access to them, as well as managing and using desktops.

Users with this role can:

  • View info on desktop groups, as well as create, update, and delete them.
  • View info on and update access permissions granted for desktop groups.
  • View info on desktop groups, as well as create, update, and delete them.
  • Assign themselves or any other user any number of desktops in a desktop group.
  • Connect to their desktops.
  • Start, restart, and stop any desktops in a group.
  • Reset the password on any desktop in a group.
  • View info on the Cloud Desktop quotas.
  • View info on the relevant folder.

This role includes the vdi.editor and vdi.desktopGroups.maintainer permissions.

For more information, see Access management in Yandex Cloud Desktop.

Yandex Cloud DNS

dns.auditor

The dns.auditor role enables viewing info on DNS zones and access permissions assigned to them, as well as on the relevant folder and Cloud DNS quotas. This role does not provide access to resource records.

dns.viewer

The dns.viewer role enables viewing info on DNS zones and access permissions assigned to them, as well as on the resource records, the relevant folder, and Cloud DNS quotas.

This role includes the dns.auditor permissions.

dns.editor

The dns.editor role enables managing DNS zones and resource records, as well as viewing info on the relevant folder and Cloud DNS quotas.

Users with this role can:

  • View information on DNS zones as well as create, use, modify, and delete them.
  • View information on resource records as well as create, modify, and delete them.
  • Create nested public DNS zones.
  • View information on access permissions assigned for DNS zones.
  • View information on Cloud DNS quotas.
  • View information on the relevant folder.

This role includes the dns.viewer permissions.

dns.admin

The dns.admin role enables managing DNS zones, access to them, and resource records, as well as viewing info on the relevant folder and Cloud DNS quotas.

Users with this role can:

  • View information on access permissions assigned for DNS zones, as well as create, modify, and delete such permissions.
  • View information on DNS zones as well as create, use, modify, and delete them.
  • View information on resource records as well as create, modify, and delete them.
  • Create nested public DNS zones.
  • View information on Cloud DNS quotas.
  • View information on the relevant folder.

This role includes the dns.editor permissions.

For more information, see Access management in Cloud DNS.

Yandex Cloud Functions

functions.auditor

The functions.auditor role enables viewing info on functions, triggers, and connections to managed databases.

Users with this role can:

  • View the list of functions and info on them.
  • View the list of triggers and info on them.
  • View the list of database connections and info on them.
  • View info on granted access permissions for Cloud Functions resources.

functions.viewer

The functions.viewer role enables viewing info on functions, triggers, and connections to managed databases, as well as on Cloud Functions quotas.

Users with this role can:

  • View the list of functions and info on them.
  • View the list of triggers and info on them.
  • View the list of database connections and info on them.
  • View info on granted access permissions for Cloud Functions resources.
  • View info on Cloud Functions quotas.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role includes the functions.auditor permissions.

functions.functionInvoker

The functions.functionInvoker role enables invoking functions.

functions.editor

The functions.editor role enables managing functions, triggers, API gateways, and connections to managed databases.

Users with this role can:

  • View the list of functions and info on them, create functions and their versions, and modify, invoke, and delete functions.
  • View the function version environment variables and code.
  • View the list of triggers and info on them, as well as create, stop, run, modify, and delete them.
  • View the list of database connections and the info on them, as well as create, modify, and delete database connections and connect to databases through functions.
  • Create, modify, and delete API gateways.
  • View info on granted access permissions for Cloud Functions resources.
  • View info on Cloud Functions quotas.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role includes the functions.viewer permissions.

functions.mdbProxiesUser

The functions.mdbProxiesUser role enables connecting to managed databases through functions.

functions.admin

The functions.admin role enables managing functions, triggers, API gateways, and connections to managed databases, as well as access to those.

Users with this role can:

  • View info on the granted access permissions to the Cloud Functions resources and modify such access permissions.
  • View the list of functions and info on them, create functions and their versions, and modify, invoke, and delete functions.
  • View the function version environment variables and code.
  • View the list of triggers and info on them, as well as create, stop, run, modify, and delete them.
  • View the list of database connections and the info on them, as well as create, modify, and delete database connections and connect to databases through functions.
  • Create, modify, and delete API gateways.
  • View info on Cloud Functions quotas.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role includes the functions.editor permissions.

serverless.mdbProxies.user

The serverless.mdbProxies.user role enables connecting to managed databases through Cloud Functions.

This role is no longer available. Please use functions.mdbProxiesUser instead.

serverless.functions.invoker

The serverless.functions.invoker role enables invoking functions.

This role is no longer available. Please use functions.functionInvoker instead.

serverless.functions.admin

The serverless.functions.admin role enables managing functions, triggers, API gateways, and connections to managed databases, as well as access to those.

Users with this role can:

  • View info on the granted access permissions to the Cloud Functions resources and modify such access permissions.
  • View the list of functions and info on them, create functions and their versions, and modify, invoke, and delete functions.
  • View the function version environment variables and code.
  • View the list of triggers and info on them, as well as create, stop, run, modify, and delete them.
  • View the list of database connections and the info on them, as well as create, modify, and delete database connections and connect to databases through functions.
  • View the list of API gateways and info on them, as well as create, modify, and delete them.
  • View info on Cloud Functions quotas.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role is no longer available. Please use functions.admin instead.

For more information, see Access management in Cloud Functions.

Yandex Cloud Logging

logging.viewer

The logging.viewer role enables viewing info on log groups and sinks and access permissions assigned to them, as well as on the relevant cloud and folder.

Users with this role can:

  • View info on log groups.
  • View info on log sinks.
  • View info on access permissions assigned to Cloud Logging resources.
  • View info on log exports.
  • View info on the relevant cloud and folder.

logging.editor

The logging.editor role enables viewing info on Cloud Logging resources and managing them.

Users with this role can:

  • View info on log groups, as well as create, modify, delete, and use them.
  • View info on log sinks, as well as create, modify, delete, and use them.
  • View info on access permissions assigned to Cloud Logging resources.
  • View info on log exports, run export, and create, modify, and delete exported files.
  • View information on the relevant cloud and folder.

This role includes the logging.viewer permissions.

logging.reader

The logging.reader role enables viewing log group entries and info on the Cloud Logging resources, as well as the cloud and folder metadata.

Users with this role can:

  • View log group entries.
  • View info on log groups.
  • View info on log sinks.
  • View info on access permissions assigned to Cloud Logging resources.
  • View info on log exports.
  • View information on the relevant cloud and folder.

This role includes the logging.viewer permissions.

logging.writer

The logging.writer role enables adding entries to log groups and viewing info on the Cloud Logging resources, as well as on the relevant cloud and folder.

Users with this role can:

  • Add entries to log groups.
  • View info on log groups.
  • View info on log sinks.
  • View info on access permissions assigned to Cloud Logging resources.
  • View info on log exports.
  • View information on the relevant cloud and folder.

This role includes the logging.viewer permissions.

logging.admin

The logging.admin role enables managing your Cloud Logging resources and access to them, as well as viewing and adding entries to log groups.

Users with this role can:

  • View info on access permissions assigned to Cloud Logging resources and modify such permissions.
  • View info on log groups, as well as create, modify, delete, and use them.
  • View info on log sinks, as well as create, modify, delete, and use them.
  • View info on log exports, run export, and create, modify, and delete exported files.
  • View and add entries to log groups.
  • View info on Cloud Logging quotas.
  • View information on the relevant cloud and folder.

This role includes the logging.editor, logging.reader, and logging.writer permissions.

For more information, see Access management in Cloud Logging.

Yandex Cloud Marketplace

Partner roles

marketplace.meteringAgent

The marketplace.meteringAgent role enables tracking Marketplace product usage.

This role allows a partner to:

  • Authenticate apps in the Metering API.
  • Track the installed app's usage metrics, which are used to price the app usage.

You can assign this role to the service account that will send the usage metrics.

license-manager.saasSubscriptionSupervisor

The license-manager.saasSubscriptionSupervisor role enables viewing info on subscriptions and their links to resources, apps, and services, as well as creating such links.

This role is designed for SaaS products and can be assigned to a service account used to link subscriptions to resources, apps, and services.

marketplace.product.creator

The marketplace.product.creator role enables creating Marketplace products in the partner profile and managing access to such products.

marketplace.product.admin

The marketplace.product.admin role enables managing Marketplace products and access to them, as well as their versions, pricing, trial periods, forms, and moderation requests.

Users with this role can:

  • View info on the access permissions granted for products, as well as modify such permissions.
  • View info on products, as well as create and delete them.
  • View the list of product versions and info on them, as well as create, modify, and delete versions.
  • View the list of product pricing plans and info on such plans, as well as create and edit plans.
  • View info on trial periods and create, modify, and delete them.
  • View the list of moderation requests for products and info on them, as well as create, modify, and delete such requests.
  • View the list of product forms and info on them, as well as create, modify, and delete such forms.
  • View the list of product categories.

marketplace.publishers.reportViewer

The marketplace.publishers.reportViewer role enables viewing the reports on Marketplace products in the partner profile.

marketplace.publishers.viewer

The marketplace.publishers.viewer role enables viewing info on the partner profile and Marketplace products within it, as well as contacting tech support.

Users with this role can:

  • View the list of available partner profiles, info on them and on the access permissions granted for them.
  • View the list of product versions and info on them, as well as create, modify, and delete versions.
  • View the list of moderation requests for products and info on such requests.
  • Create, view, comment on, and close technical support requests.

This role includes the marketplace.publishers.member permissions.

marketplace.publishers.editor

The marketplace.publishers.editor role enables managing Marketplace products and access to them, as well as their versions, pricing, trial periods, forms, and moderation requests. It also enables contacting tech support.

Users with this role can:

  • View the list of available partner profiles, info on them and on the access permissions granted for them.
  • View info on the access permissions granted for products, as well as modify such permissions.
  • View info on products, as well as create and delete them.
  • View the list of product versions and info on them, as well as create, modify, and delete versions.
  • View the list of product pricing plans and info on such plans, as well as create and edit plans.
  • View the list of product trial periods and info on them, as well as create, modify, and delete such periods.
  • View the list of moderation requests for products and info on them, as well as create, modify, and delete such requests.
  • View the list of product forms and info on them, as well as create, modify, and delete such forms.
  • View the list of product categories.
  • Create, view, comment on, and close technical support requests.

This role includes the marketplace.publishers.viewer and marketplace.product.admin permissions.

marketplace.publishers.admin

The marketplace.publishers.admin role enables managing access to the partner profile, as well as managing Marketplace products and access to them, their versions, pricing, trial periods, forms, and moderation requests. It also enables viewing reports on Marketplace products in the partner profile.

Users with this role can:

  • View the list of available partner profiles, info on them and on the access permissions granted for them, as well as modify such permissions.
  • View info on the access permissions granted for products, as well as modify such permissions.
  • View info on products, as well as create and delete them.
  • View the list of product versions and info on them, as well as create, modify, and delete versions.
  • View the list of product pricing plans and info on such plans, as well as create and edit plans.
  • View info on trial periods and create, modify, and delete them.
  • View the list of moderation requests for products and info on them, as well as create, modify, and delete such requests.
  • View the list of product forms and info on them, as well as create, modify, and delete such forms.
  • View the list of product categories.
  • View the reports on Marketplace products in the partner profile.
  • Create, view, comment on, and close technical support requests.

This role includes the marketplace.publishers.editor and marketplace.publishers.reportViewer permissions.

marketplace.publishers.owner

The marketplace.publishers.owner role enables managing access to the partner profile, as well as managing Marketplace products and access to them, their versions, pricing, trial periods, forms, and moderation requests. It also enables viewing reports on Marketplace products in the partner profile.

This role is granted to the billing account owner when creating a partner profile and cannot be re-assigned.

Users with this role can:

  • View the list of available partner profiles, info on them and on the access permissions granted for them, as well as modify such permissions.
  • View info on the access permissions granted for products, as well as modify such permissions.
  • View info on products, as well as create and delete them.
  • View the list of product versions and info on them, as well as create, modify, and delete versions.
  • View the list of product pricing plans and info on such plans, as well as create and edit plans.
  • View the list of product trial periods and info on them, as well as create, modify, and delete such periods.
  • View the list of moderation requests for products and info on them, as well as create, modify, and delete such requests.
  • View the list of product forms and info on them, as well as create, modify, and delete such forms.
  • View the list of product categories.
  • View the reports on Marketplace products in the partner profile.
  • Create, view, comment on, and close technical support requests.

This role includes the marketplace.publishers.admin permissions.

marketplace.publishers.member

The marketplace.publishers.member role grants membership in the partner profile; however, it does not grant any access to the profile resources. To grant access to products or partner profile reports, you also need to assign the marketplace.publishers.viewer, marketplace.publishers.editor, marketplace.publishers.admin, or marketplace.publishers.owner role to the relevant user.

For more information, see Managing partner access in Marketplace.

User roles

license-manager.auditor

The license-manager.auditor role enables viewing information on subscriptions.

license-manager.viewer

The license-manager.viewer role enables viewing information on subscriptions and their links to a resource, app, or service.

This role includes the license-manager.auditor permissions.

license-manager.user

The license-manager.user role enables managing subscriptions, as well as viewing information on those and their links to resources, apps, or services.

Users with this role can:

  • View information on subscriptions and their links to resources, apps, or services.
  • Buy subscriptions.
  • Disable subscription auto-renew.
  • Link subscriptions to resources, apps, and services, as well as unlink them.
  • Move subscriptions from one folder to another.

This role includes the license-manager.viewer permissions.

license-manager.subscriptionAgent

The license-manager.subscriptionAgent role enables linking subscriptions to resources, apps, or services, as well as viewing info on subscriptions and their links to resources, apps, or services.

For more information, see User access management in Marketplace.

Yandex Identity Hub

organization-manager.auditor

The organization-manager.auditor role enables viewing info on the organization and its settings, identity federations that belong to the organization, user pools, SAML and OIDC applications, and the organization’s users and user groups.

Users with this role can:

  • View info on the Identity Hub organization and its settings.
  • View info on access permissions granted for the organization.
  • View the list of the organization’s users, info from the user accounts (except phone numbers), the latest authentication date, as well as the latest verification date for federated and local accounts via two-factor authentication.
  • View info on access permissions granted for entities in the Identity Hub organization.
  • View info on the organization’s identity federations.
  • View info on identity federation certificates.
  • View the list of federated user group mappings and info on them.
  • View info on the attributes of federated users.
  • View info on user pools and access permissions granted for them.
  • View info on the attributes of local users belonging to user pools.
  • View info on domains linked to the user pools.
  • View info on SAML and OIDC applications, as well as access permissions granted for them.
  • View the list of users added to SAML and OIDC applications.
  • Get the certificates of SAML applications.
  • View the list of organization users that are subscribed to technical notifications on organization events.
  • View info on MFA policies.
  • View info on the organization's OS Login settings.
  • View the list of OS Login profiles for users and service accounts.
  • View the list of the organization users' SSH keys and info on such keys.
  • View info on user groups and access permissions granted for them.
  • View the list of groups a certain user is a member of, as well as the list of users that are members of a certain group.
  • View info on the refresh tokens of the organization’s users and on the refresh token settings.
  • View info on the Identity Hub quotas.
  • View info on the effective tech support service plan.
  • View the list of technical support requests and the info on them, as well as create and close such requests, leave comments, and attach files to them.

This role includes the iam.userAccounts.refreshTokenViewer, organization-manager.federations.auditor, organization-manager.osLogins.viewer, organization-manager.userpools.auditor, organization-manager.samlApplications.auditor, and organization-manager.oauthApplications.auditor permissions.

organization-manager.viewer

The organization-manager.viewer role enables viewing info on the organization and its settings, identity federations that belong to the organization, user pools, SAML and OIDC applications, and the organization’s users and user groups.

Users with this role can:

  • View info on the Identity Hub organization and its settings.
  • View info on access permissions granted for the organization.
  • View the list of the organization's users, info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via two-factor authentication.
  • View info on access permissions granted for entities in the Identity Hub organization.
  • View info on the organization’s identity federations.
  • View info on identity federation certificates.
  • View the list of federated user group mappings and info on them.
  • View info on the attributes of federated users.
  • View info on user pools and access permissions granted for them.
  • View info on the attributes of local users belonging to user pools.
  • View user audit events.
  • View info on domains linked to the user pools.
  • View info on SAML and OIDC applications, as well as access permissions granted for them.
  • View the list of users added to SAML and OIDC applications.
  • Get the certificates of SAML applications.
  • View the list of organization users that are subscribed to technical notifications on organization events.
  • View info on MFA policies.
  • View info on the organization's OS Login settings.
  • View the list of OS Login profiles for users and service accounts.
  • View the list of the organization users' SSH keys and info on such keys.
  • View info on user groups and access permissions granted for them.
  • View the list of groups a certain user is a member of, as well as the list of users that are members of a certain group.
  • View the list of and info on Identity Hub user groups associated with identity federations and user pools through synchronization with user groups in Active Directory or another external source.
  • View info on a subscription to the paid-for Identity Hub features.
  • View info on stats regarding the use of the quotas within a subscription to the paid-for Identity Hub features.
  • View the list of users who employ the Identity Hub authentication quota in the current reporting period.
  • View info on the refresh tokens of the organization’s users and on the refresh token settings.
  • View info on the Identity Hub quotas.
  • View info on the effective tech support service plan.
  • View the list of technical support requests and the info on them, as well as create and close such requests, leave comments, and attach files to them.

This role includes the organization-manager.auditor, organization-manager.federations.viewer, organization-manager.users.viewer, organization-manager.samlApplications.viewer, organization-manager.oauthApplications.viewer, organization-manager.userpools.viewer, and organization-manager.idpInstances.billingViewer permissions.

organization-manager.editor

The organization-manager.editor role enables managing organization settings, identity federations, user pools, SAML applications, OIDC applications, as well as users and user groups.

Users with this role can:

  • View and edit info on the relevant Identity Hub organization.
  • View and edit organization settings.
  • View info on access permissions granted for the organization.
  • View the list of the organization's users, info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via two-factor authentication.
  • View info on access permissions granted for entities in the Identity Hub organization.
  • View info on the identity federations in an organization and create, modify, and delete such federations.
  • Add and remove federated users.
  • View info on identity federation certificates and add, modify, and delete them.
  • Configure federated user group mapping.
  • View the lists of federated user group mappings and info on them, as well as create, edit, and delete such lists.
  • View info on the attributes of federated users, as well as create, modify, and delete such attributes.
  • View info on user pools and access permissions granted for them.
  • Create, modify, and delete user pools.
  • View info on domains linked to user pools, as well as add, confirm, and remove domains.
  • Create, delete, activate, and deactivate local users belonging to user pools.
  • View info on the attributes of local users.
  • View user audit events.
  • Edit user data, such as usernames, passwords, domains, emails, full names, and phone numbers.
  • View info on SAML and OIDC applications, as well as access permissions granted for them.
  • Create, deactivate, activate, modify, and delete SAML and OIDC applications.
  • View the list of users added to SAML and OIDC applications.
  • Get certificates of SAML applications and create, modify, and delete such certificates.
  • View the list of organization users that are subscribed to technical notifications on organization events, as well as edit this list.
  • View info on MFA policies and create, modify, activate, deactivate, and delete such policies.
  • Delete MFA factors for federated and local user accounts.
  • Reset the verification date for federated and local user accounts.
  • View info on the organization's OS Login settings.
  • View the list of OS Login profiles for users and service accounts.
  • View the list of the organization users' SSH keys and info on such keys.
  • View info on user groups, as well as create, modify, and delete them.
  • View info on access permissions granted for user groups.
  • View the list of groups a certain user is a member of, as well as the list of users that are members of a certain group.
  • View the list of and info on Identity Hub user groups associated with identity federations and user pools through synchronization with user groups in Active Directory or another external source.
  • View info on a subscription to the paid-for Identity Hub features.
  • View info on stats regarding the use of the quotas within a subscription to the paid-for Identity Hub features.
  • View the list of users who employ the Identity Hub authentication quota in the current reporting period.
  • View and edit the refresh token settings in an organization.
  • View the info on the refresh tokens of the organization's users, as well as revoke such tokens.
  • View info on the Identity Hub quotas.
  • View info on the effective tech support service plan.
  • View the list of technical support requests and the info on them, as well as create and close such requests, leave comments, and attach files to them.

This role includes the organization-manager.viewer, organization-manager.federations.editor, organization-manager.userpools.editor, organization-manager.samlApplications.editor, organization-manager.oauthApplications.editor, and organization-manager.groups.editor permissions.

To configure user group mapping, the role must be assigned for the Identity Hub groups you intend to map.

organization-manager.admin

The organization-manager.admin role enables managing organization settings, identity federations, user pools, SAML applications, OIDC applications, users and user groups, and user access permissions to the organization and its resources.

Users with this role can:

  • Link a billing account to an Identity Hub organization.
  • View and edit info on the relevant Identity Hub organization.
  • View and edit organization settings.
  • View info on access permissions granted for the relevant organization and modify such permissions.
  • View the list of the organization's users, info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via two-factor authentication.
  • View info on access permissions granted for entities in the Identity Hub organization.
  • Remove users from the organization.
  • View info on invites to the organization sent to the users, as well as send and delete such invites.
  • View info on the identity federations in an organization and create, modify, and delete such federations.
  • Add and remove federated users.
  • View info on identity federation certificates and add, modify, and delete them.
  • Configure federated user group mapping.
  • View the lists of federated user group mappings and info on them, as well as create, edit, and delete such lists.
  • View info on the attributes of federated users, as well as create, modify, and delete such attributes.
  • View info on user pools and create, modify, and delete them.
  • View info on access permissions granted for the relevant user pools and modify such permissions.
  • View info on domains linked to user pools, as well as add, confirm, and remove domains.
  • Create, delete, activate, and deactivate local users belonging to user pools.
  • View info on the attributes of local users.
  • View user audit events.
  • Edit user data, such as usernames, passwords, domains, emails, full names, and phone numbers.
  • View info on SAML and OIDC applications, as well as create, deactivate, activate, modify, and delete them.
  • View info on access permissions granted for SAML and OIDC applications, as well as modify such permissions.
  • View and edit the list of users added to SAML and OIDC applications.
  • Get certificates of SAML applications and create, modify, and delete such certificates.
  • View the list of organization users that are subscribed to technical notifications on organization events, as well as edit this list.
  • View info on MFA policies and create, modify, activate, deactivate, and delete such policies.
  • Delete MFA factors for federated and local user accounts.
  • Reset the verification date for federated and local user accounts.
  • View info on the organization's OS Login settings and modify them.
  • View the list of users' and service accounts' OS Login profiles, as well as create, modify, and delete such profiles.
  • View the list of the organization users' SSH keys and info on such keys, as well as create, modify, and delete them.
  • View info on user groups, as well as create, modify, and delete them.
  • Add users and service accounts to and remove them from groups.
  • View info on access permissions granted for the relevant user groups and modify such permissions.
  • View the list of groups a certain user is a member of, as well as the list of users that are members of a certain group.
  • View the list of and info on Identity Hub user groups associated with identity federations and user pools through synchronization with user groups in Active Directory or another external source.
  • View the list of members belonging to Identity Hub user groups associated with user groups in Active Directory or another external source, as well as manage membership in such groups.
  • Associate user groups with identity federations and user pools through synchronization with user groups in Active Directory or another external source, as well as disassociate them.
  • Modify and delete Identity Hub user groups associated with user groups in Active Directory or another external source.
  • Link Identity Hub to a billing account.
  • View info on a subscription to the paid-for Identity Hub features.
  • View info on stats regarding the use of the quotas within a subscription to the paid-for Identity Hub features, as well as edit these quotas.
  • View the list of users who employ the Identity Hub authentication quota in the current reporting period.
  • View and edit the refresh token settings in an organization.
  • View the info on the refresh tokens of the organization's users, as well as revoke such tokens.
  • View info on the Identity Hub quotas.
  • View info on the effective tech support service plan.
  • View the list of technical support requests and info on them, as well as create and close such requests, leave comments, and attach files to them.
  • View, create, modify, and delete SourceCraft repositories.
  • Read files from a SourceCraft repository.
  • View, create, edit, and delete pull requests in SourceCraft repositories.
  • Merge pull requests in SourceCraft repositories.
  • Push changes to regular and protected SourceCraft repository branches.
  • View, create, and edit private and public issues in SourceCraft repositories.
  • Change the issue access type in SourceCraft repositories.
  • Add reactions to issues in SourceCraft repositories.
  • View, create, edit, and delete comments to pull requests and private and public issues in SourceCraft repositories, as well as mark such comments as resolved.
  • View, create, edit, and delete SourceCraft repository tags.
  • Manage access permissions for a SourceCraft repository.
  • View, get, create, modify, and delete secrets in SourceCraft repositories.

This role includes the organization-manager.editor, organization-manager.federations.admin, organization-manager.osLogins.admin, organization-manager.userpools.admin, organization-manager.samlApplications.admin, organization-manager.oauthApplications.admin, organization-manager.groups.memberAdmin, organization-manager.groups.externalCreator, organization-manager.groups.externalManager, organization-manager.idpInstances.billingAdmin, and src.repositories.admin permissions.

To configure user group mapping, the role must be assigned for the Identity Hub groups you intend to map.

organization-manager.organizations.owner

The organization-manager.organizations.owner role enables performing any actions with the organization resources and billing accounts, which includes creating billing accounts and linking them to clouds. This role also enables assigning additional organization owners.

Prior to assigning this role, make sure to check out the information on protecting privileged accounts.

organization-manager.federations.extGroupsViewer

The organization-manager.federations.extGroupsViewer role enables viewing the list of and info on Identity Hub user groups associated with identity federations through synchronization with user groups in Active Directory or another external source.

organization-manager.federations.extGroupsManager

The organization-manager.federations.extGroupsManager role enables viewing the list of and info on Identity Hub user groups associated with identity federations through synchronization with user groups in Active Directory or another external source, as well as associating such groups with identity federations.

This role includes the organization-manager.federations.extGroupsViewer permissions.

organization-manager.federations.extGroupsCleaner

The organization-manager.federations.extGroupsCleaner role enables viewing the list of and info on Identity Hub user groups associated with identity federations through synchronization with user groups in Active Directory or another external source, as well as disassociating such groups from identity federations.

This role includes the organization-manager.federations.extGroupsViewer permissions.

organization-manager.federations.auditor

The organization-manager.federations.auditor role enables viewing info on the organization and its settings, the identity federations, and user group mappings.

Users with this role can:

  • View info on the Identity Hub organization and its settings.
  • View info on identity federations.
  • View info on certificates.
  • View the list of user group mappings and info on them.
  • View the list of the organization’s users, info from user accounts (except phone numbers), the latest authentication date, as well as the latest verification date for federated and local accounts via two-factor authentication.
  • View the list of groups that users are members of.
  • View the attributes of federated and local users.

organization-manager.federations.viewer

The organization-manager.federations.viewer role enables viewing info on the organization and its settings, the identity federations, and user group mappings.

Users with this role can:

  • View info on the Identity Hub organization and its settings.
  • View info on identity federations.
  • View info on certificates.
  • View the list of user group mappings and info on them.
  • View the list of the organization's users, info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via two-factor authentication.
  • View the list of groups that users are members of.
  • View the list of and info on Identity Hub user groups associated with identity federations through synchronization with user groups in Active Directory or another external source.
  • View the attributes of federated and local users.

This role includes the organization-manager.federations.auditor and organization-manager.federations.extGroupsViewer permissions.

organization-manager.federations.editor

The organization-manager.federations.editor role enables managing identity federations, federated users, and certificates, as well as viewing info on the organization, its settings, and users.

Users with this role can:

  • View info on the Identity Hub organization and its settings.
  • View info on identity federations and create, modify, and delete such federations.
  • View info on certificates and create, modify, and delete them.
  • Add and remove federated users.
  • Revoke federated users' refresh tokens.
  • Delete MFA factors for federated and local user accounts.
  • Reset the verification date for federated and local user accounts.
  • Configure mapping for federated user groups.
  • View the lists of federated user group mappings and info on them, as well as create, edit, and delete such lists.
  • View the list of the organization's users, info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via two-factor authentication.
  • View the list of groups that users are members of.
  • View the list of and info on Identity Hub user groups associated with identity federations through synchronization with user groups in Active Directory or another external source.
  • View the attributes of federated and local users.

This role includes the organization-manager.federations.viewer and organization-manager.federations.userAdmin permissions.

To configure user group mapping, the role must be assigned for the Identity Hub groups you intend to map.

organization-manager.federations.userAdmin

The organization-manager.federations.userAdmin role enables adding and removing federated users to/from an organization, revoking refresh tokens, managing user accounts’ MFA factors, and viewing the list of the organization’s users as well as info from their accounts.

Users with this role can:

  • Add and remove federated users.
  • Revoke federated users’ refresh tokens.
  • Delete MFA factors for federated and local user accounts.
  • Reset the verification date for federated and local user accounts.
  • View the list of the organization’s users, info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via two-factor authentication.
  • View the list of groups that users are members of.
  • View the attributes of federated and local users.

This role includes the iam.userAccounts.refreshTokenRevoker permissions.

organization-manager.federations.admin

The organization-manager.federations.admin role enables managing identity federations, federated users, and certificates, as well as viewing info on the organization, its settings, and users.

Users with this role can:

  • View info on the Identity Hub organization and its settings.
  • View info on identity federations and create, modify, and delete such federations.
  • View info on certificates and create, modify, and delete them.
  • Add and remove federated users.
  • Revoke federated users' refresh tokens.
  • Delete MFA factors for federated and local user accounts.
  • Reset the verification date for federated and local user accounts.
  • Configure mapping for federated user groups.
  • View the lists of federated user group mappings and info on them, as well as create, edit, and delete such lists.
  • View the list of the organization's users, info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via two-factor authentication.
  • View the list of groups that users are members of.
  • View the list of and info on Identity Hub user groups associated with identity federations through synchronization with user groups in Active Directory or another external source.
  • Associate user groups with identity federations through synchronization with user groups in Active Directory or another external source, as well as disassociate them.
  • View the attributes of federated and local users.

This role includes the organization-manager.federations.editor, organization-manager.federations.extGroupsManager, and organization-manager.federations.extGroupsCleaner permissions.

To configure user group mapping, the role must be assigned for the Identity Hub groups you intend to map.

organization-manager.osLogins.viewer

The organization-manager.osLogins.viewer role enables viewing the organization's OS Login settings and the list of the users' and service accounts’ OS Login profiles, as well as viewing the list of the users' SSH keys and the info on them.

organization-manager.osLogins.admin

The organization-manager.osLogins.admin role enables managing the organization's OS Login settings, as well as the users' OS Login profiles and SSH keys.

Users with this role can:

  • View info on the organization's OS Login settings and modify them.
  • View the list of the organization users' and service accounts’ OS Login profiles, as well as create, modify, and delete such profiles.
  • View the list of the organization users' SSH keys and info on such keys, as well as create, modify, and delete them.

This role includes the organization-manager.osLogins.viewer permissions.

organization-manager.groups.externalCreator

The organization-manager.groups.externalCreator role enables creating Identity Hub user groups when synchronizing with user groups in Active Directory or another external source.

organization-manager.groups.externalConverter

The organization-manager.groups.externalConverter role enables adding an attribute with an external group ID to Identity Hub user groups when synchronizing with user groups in Active Directory or another external source.

organization-manager.groups.externalManager

The organization-manager.groups.externalManager role enables managing Identity Hub user groups associated with user groups in Active Directory or another external source.

Users with this role can:

  • Associate Identity Hub user groups with user groups in Active Directory or another external source.
  • Modify and delete Identity Hub user groups associated with user groups in Active Directory or another external source.
  • View the list of members belonging to Identity Hub user groups associated with user groups in Active Directory or another external source, as well as manage membership in such groups.
  • View info on access permissions granted for Identity Hub user groups.

organization-manager.groups.editor

The organization-manager.groups.editor role enables managing user groups.

This role can be assigned to an organization or to a user group.

Users with this role can:

  • View info on user groups, as well as create, modify, and delete them.
  • View the list of users and service accounts belonging to user groups.
  • View info on access permissions granted for user groups.

organization-manager.groups.memberAdmin

The organization-manager.groups.memberAdmin role enables viewing the info on user groups, as well as viewing and modifying the lists of users and service accounts that are members of groups.

organization-manager.groups.admin

The organization-manager.groups.admin role enables managing user groups and access to them, as well as the users that belong to them.

This role can be assigned to an organization or to a user group.

Users with this role can:

  • View info on user groups, as well as create, modify, and delete them.
  • View info on access permissions granted for the relevant user groups and modify such permissions.
  • View the list of users and service accounts belonging to user groups.
  • Add users and service accounts to and remove them from groups.

This role includes the organization-manager.groups.editor and organization-manager.groups.memberAdmin permissions.

organization-manager.users.viewer

The organization-manager.users.viewer role enables viewing the list of the organization’s users, info on them (including their phone number), the attributes and date of the latest verification for federated and local accounts via two-factor authentication, and the lists of groups to which the users belong.

organization-manager.passportUserAdmin

The organization-manager.passportUserAdmin role enables viewing info on the organization’s users, as well as inviting users with Yandex accounts to the organization and removing them from it.

Users with this role can:

  • Send and resend invites to the organization to new users with Yandex accounts, as well as view and delete such invites.
  • Delete user accounts from the organization.
  • View the list of the organization’s users, info from user accounts (except phone numbers), the latest authentication date, as well as the latest verification date for federated and local accounts via two-factor authentication.
  • View the attributes of the organization’s federated and local users.

organization-manager.oauthApplications.auditor

The organization-manager.oauthApplications.auditor role enables viewing info on OIDC applications and the access permissions granted for them, as well as viewing the list of users added to OIDC applications.

organization-manager.oauthApplications.viewer

The organization-manager.oauthApplications.viewer role enables viewing info on OIDC applications and the access permissions granted for them, as well as viewing the list of users added to OIDC applications.

This role includes the organization-manager.oauthApplications.auditor permissions.

organization-manager.oauthApplications.editor

The organization-manager.oauthApplications.editor role enables managing OIDC applications and viewing the users added to them.

Users with this role can:

  • View info on OIDC applications and the access permissions granted for them.
  • Create, deactivate, activate, modify, and delete OIDC applications.
  • View the list of the users added to OIDC applications.

This role includes the organization-manager.oauthApplications.viewer permissions.

organization-manager.oauthApplications.userAdmin

The organization-manager.oauthApplications.userAdmin role enables viewing and editing the list of the users added to an OIDC application.

organization-manager.oauthApplications.admin

The organization-manager.oauthApplications.admin role enables managing OIDC applications and access to them, as well as users added to such OIDC applications.

Users with this role can:

  • View info on OIDC applications, as well as create, deactivate, activate, modify, and delete them.
  • View info on the access permissions granted for the relevant OIDC applications and modify such permissions.
  • View and edit the list of the users added to OIDC applications.

This role includes the organization-manager.oauthApplications.editor and organization-manager.oauthApplications.userAdmin permissions.

organization-manager.samlApplications.auditor

The organization-manager.samlApplications.auditor role enables viewing info on SAML applications and the access permissions granted for them, viewing the list of users added to SAML applications, and getting certificates for SAML applications.

organization-manager.samlApplications.viewer

The organization-manager.samlApplications.viewer role enables viewing info on SAML applications and the access permissions granted for them, viewing the list of users added to SAML applications, and getting certificates for SAML applications.

This role includes the organization-manager.samlApplications.auditor permissions.

organization-manager.samlApplications.editor

The organization-manager.samlApplications.editor role enables managing SAML applications and viewing the users added to them.

Users with this role can:

  • View info on SAML applications and the access permissions granted for them.
  • Create, deactivate, activate, modify, and delete SAML applications.
  • Get certificates of SAML applications and create, modify, and delete such certificates.
  • View the list of the users added to SAML applications.
  • View the list of the users added to OIDC applications.

This role includes the organization-manager.samlApplications.viewer permissions.

organization-manager.samlApplications.userAdmin

The organization-manager.samlApplications.userAdmin role enables viewing and editing the list of the users added to a SAML application.

organization-manager.samlApplications.admin

The organization-manager.samlApplications.admin role enables managing SAML applications and access to them, as well as users added to such SAML applications.

Users with this role can:

  • View info on SAML applications, as well as create, deactivate, activate, modify, and delete them.
  • View info on the access permissions granted for the relevant SAML applications and modify such permissions.
  • Get certificates of SAML applications and create, modify, and delete such certificates.
  • View and edit the list of the users added to SAML applications.
  • View the list of the users added to OIDC applications.

This role includes the organization-manager.samlApplications.editor and organization-manager.samlApplications.userAdmin permissions.

organization-manager.userpools.extGroupsViewer

The organization-manager.userpools.extGroupsViewer role enables viewing the list of and info on Identity Hub user groups associated with user pools through synchronization with user groups in Active Directory or another external source.

organization-manager.userpools.extGroupsManager

The organization-manager.userpools.extGroupsManager role enables viewing the list of and info on Identity Hub user groups associated with user pools through synchronization with user groups in Active Directory or another external source, as well as associating such groups with user pools.

This role includes the organization-manager.userpools.extGroupsViewer permissions.

organization-manager.userpools.extGroupsCleaner

The organization-manager.userpools.extGroupsCleaner role enables viewing the list of and info on Identity Hub user groups associated with user pools through synchronization with user groups in Active Directory or another external source, as well as disassociating such groups from user pools.

This role includes the organization-manager.userpools.extGroupsViewer permissions.

organization-manager.userpools.syncAgent

The organization-manager.userpools.syncAgent role enables synchronizing Identity Hub users and groups with users and groups in Active Directory or another external source.

Users with this role can:

  • View info on sync sessions between Identity Hub AD Sync Agent and Identity Hub, as well as create and modify such sessions.
  • View info on user pools and sync settings in user pools.
  • View the list of and info on Identity Hub user groups associated with user pools through synchronization with user groups in Active Directory or another external source.
  • Associate user groups with user pools through synchronization with user groups in Active Directory or another external source.
  • View info on Identity Hub users, create, modify, activate, deactivate, and delete such users, as well as edit their passwords and other data.

This role includes the organization-manager.userpools.extGroupsManager permissions.

organization-manager.userpools.auditor

The organization-manager.userpools.auditor role enables viewing info on user pools and the organization’s users.

Users with this role can:

  • View info on user pools and access permissions granted for them.
  • View info on domains linked to user pools.
  • View the list of the organization’s users, info from user accounts (except phone numbers), the latest authentication date, as well as the latest verification date for federated and local accounts via two-factor authentication.
  • View the list of groups that users are members of.
  • View the attributes of federated and local users.

organization-manager.userpools.viewer

The organization-manager.userpools.viewer role enables viewing info on user pools, as well as viewing the list of organization users and info on them.

Users with this role can:

  • View info on user pools and access permissions granted for them.
  • View info on domains linked to user pools.
  • View the list of the organization's users, info on them (including their phone number), their latest authentication date, as well as the latest verification date for federated and local accounts via two-factor authentication.
  • View user audit events.
  • View the list of groups that users are members of.
  • View the list of and info on Identity Hub user groups associated with user pools through synchronization with user groups in Active Directory or another external source.
  • View the attributes of federated and local users.

This role includes the organization-manager.userpools.auditor and organization-manager.userpools.extGroupsViewer permissions.

organization-manager.userpools.editor

The organization-manager.userpools.editor role enables managing user pools and users that belong to them.

Users with this role can:

  • View info on user pools and access permissions granted for them.
  • Create, modify, and delete user pools.
  • View info on domains associated with user pools, as well as add, confirm, and remove domains.
  • View the list of the organization's users, info on them (including their phone number), their latest authentication date, as well as the latest verification date for federated and local accounts via two-factor authentication.
  • Create, delete, activate, and deactivate users belonging to user pools.
  • Edit user data, such as usernames, passwords, domains, emails, full names, and phone numbers.
  • Delete MFA factors for federated and local user accounts.
  • Reset the verification date for federated and local user accounts.
  • Revoke refresh tokens from users.
  • View user audit events.
  • View the list of groups that users are members of.
  • View the list of and info on Identity Hub user groups associated with user pools through synchronization with user groups in Active Directory or another external source.
  • View the attributes of federated and local users.

This role includes the organization-manager.userpools.userAdmin and organization-manager.userpools.viewer permissions.

organization-manager.userpools.userAdmin

The organization-manager.userpools.userAdmin role enables managing organization users belonging to user pools.

Users with this role can:

  • View the list of the organization’s users, info on them (including their phone number), their latest authentication date, as well as the latest verification date for federated and local accounts via two-factor authentication.
  • Create, delete, activate, and deactivate local users belonging to user pools.
  • Edit user data, such as usernames, passwords, domains, emails, full names, and phone numbers.
  • Delete MFA factors for federated and local user accounts.
  • Reset the verification date for federated and local user accounts.
  • Revoke refresh tokens from users.
  • View the list of groups that users are members of.
  • View the attributes of federated and local users.

This role includes the iam.userAccounts.refreshTokenRevoker permissions.

organization-manager.userpools.admin

The organization-manager.userpools.admin role enables managing user pools and access to them, as well as users that belong to them.

Users with this role can:

  • View info on user pools and create, modify, and delete them.
  • View info on access permissions granted for the relevant user pools and modify such permissions.
  • View info on domains associated with user pools, as well as add, confirm, and remove domains.
  • View the list of the organization's users, info on them (including their phone number), their latest authentication date, as well as the latest verification date for federated and local accounts via two-factor authentication.
  • Create, delete, activate, and deactivate users belonging to user pools.
  • Edit user data, such as usernames, passwords, domains, emails, full names, and phone numbers.
  • Delete MFA factors for federated and local user accounts.
  • Reset the verification date for federated and local user accounts.
  • Revoke refresh tokens from users.
  • View user audit events.
  • View the list of groups that users are members of.
  • View the list of and info on Identity Hub user groups associated with user pools through synchronization with user groups in Active Directory or another external source.
  • Associate user groups with user pools through synchronization with user groups in Active Directory or another external source, as well as disassociate them.
  • View the attributes of federated and local users.

This role includes the organization-manager.userpools.editor, organization-manager.userpools.extGroupsManager, and organization-manager.userpools.extGroupsCleaner permissions.

organization-manager.idpInstances.billingViewer

The organization-manager.idpInstances.billingViewer role enables viewing the list of users who employ the Identity Hub authentication quota in the current reporting period, as well as viewing info on a subscription to the paid-for Identity Hub features and stats regarding the use of the quotas within this subscription.

organization-manager.idpInstances.billingAdmin

The organization-manager.idpInstances.billingAdmin role enables managing a subscription to the paid-for Identity Hub features.

Users with this role can:

  • Link Identity Hub to a billing account.
  • View info on a subscription to the paid-for Identity Hub features.
  • View info on stats regarding the use of the quotas within a subscription to the paid-for Identity Hub features, as well as edit these quotas.
  • View the list of users who employ the Identity Hub authentication quota in the current reporting period.

This role includes the organization-manager.idpInstances.billingViewer permissions.

For more information, see Access management in Yandex Identity Hub.

Yandex Cloud Postbox

postbox.sender

The postbox.sender role allows you to send emails from Yandex Cloud Postbox.

postbox.auditor

The postbox.auditor role allows you to view information about Yandex Cloud Postbox addresses.

Users with this role can:

  • View information about addresses and their configurations.
  • Get lists of addresses and their configurations.

postbox.viewer

The postbox.viewer role allows you to view information about Yandex Cloud Postbox addresses.

Users with this role can:

  • View information about addresses and their configurations.
  • Get lists of addresses and their configurations.

This role includes the postbox.auditor permissions.

postbox.editor

The postbox.editor role allows you to manage Yandex Cloud Postbox addresses and send emails.

Users with this role can:

  • Create, modify, and delete addresses and their configurations.
  • View information about addresses and their configurations.
  • Get a list of addresses and their configurations.
  • Send emails.

This role includes the postbox.viewer permissions.

postbox.admin

The postbox.admin role allows you to manage Yandex Cloud Postbox addresses and send emails.

Users with this role can:

  • Create, modify, and delete addresses and their configurations.
  • View information about addresses and their configurations.
  • Get a list of addresses and their configurations.
  • Send emails.

This role includes the postbox.editor permissions.

For more information, see Access management in Yandex Cloud Postbox.

Yandex Cloud Registry

cloud-registry.auditor

The cloud-registry.auditor role enables viewing the artifact metadata, the info on registries and access permissions granted to them, as well as on the Cloud Registry quotas.

Users with this role can:

  • View the artifact metadata.
  • View info on registries.
  • View the list of registry IP permissions.
  • View info on the access permissions granted to registries and folders within registries.
  • View info on the Cloud Registry quotas.
  • View info on the relevant cloud and folder.

cloud-registry.viewer

The cloud-registry.viewer role enables pulling artifacts, as well as viewing info on artifacts and registries, on the access permissions granted to registries, and on the Cloud Registry quotas.

Users with this role can:

  • View info on artifacts and pull them.
  • View info on registries.
  • View the list of registry IP permissions.
  • View info on the access permissions granted to registries and folders within registries.
  • View info on the Cloud Registry quotas.
  • View info on the relevant cloud and folder.

This role includes the cloud-registry.auditor permissions.

cloud-registry.editor

The cloud-registry.editor role enables managing artifacts and registries, as well as viewing info on the access permissions granted to registries and Cloud Registry quotas.

Users with this role can:

  • View info on artifacts, as well as create, modify, download, and delete them.
  • View info on registries, as well as create, modify, and delete them.
  • Create and delete folders within registries.
  • View the list of registry IP permissions.
  • View info on the access permissions granted to registries and folders within registries.
  • View info on the Cloud Registry quotas.
  • View info on the relevant cloud and folder.

This role includes the cloud-registry.viewer and cloud-registry.artifacts.pusher permissions.

cloud-registry.admin

The cloud-registry.admin role enables managing artifacts, registries, and access to registries, as well as viewing info on the Cloud Registry quotas.

Users with this role can:

  • View info on artifacts, as well as create, modify, download, and delete them.
  • View info on registries, as well as create, modify, and delete them.
  • View info on the access permissions granted to registries and folders within registries, as well as modify such permissions.
  • Create and delete folders within registries.
  • View the list of registry IP permissions.
  • View info on the Cloud Registry quotas.
  • View info on the relevant cloud and folder.

This role includes the cloud-registry.editor permissions.

cloud-registry.artifacts.puller

The cloud-registry.artifacts.puller role enables pulling artifacts, as well as getting info on artifacts and registries.

cloud-registry.artifacts.pusher

The cloud-registry.artifacts.pusher role enables managing artifacts, as well as viewing info on the registries and managing folders within them.

Users with this role can:

  • View info on artifacts, as well as create, modify, download, and delete them.
  • View info on registries.
  • Create and delete folders within registries.

For more information, see Access management in Yandex Cloud Registry.

Yandex Cloud Video

video.auditor

The video.auditor role enables viewing info on Cloud Video resources or a separate channel's resources, their settings, and their assigned access permissions.

video.viewer

The video.viewer role enables viewing info on Cloud Video resources or a separate channel's resources, their settings, and their assigned access permissions.

Users with this role can:

  • View info on Cloud Video resources and their settings.
  • Download source video and subtitle files as well as thumbnails.
  • View info on access permissions granted for channels.

This role includes the video.auditor permissions.

video.editor

The video.editor role enables managing Cloud Video resources or a dedicated channel's resources, as well as broadcasting video streams.

Users with this role can:

  • View info on Cloud Video resources and their settings, as well as create, modify, and delete such resources.
  • Broadcast live video streams from Cloud Video.
  • Download source video and subtitle files as well as thumbnails.
  • Use AI features, such as video summarization and neural machine translation.
  • View info on access permissions granted for Cloud Video channels.

This role includes the video.viewer permissions.

video.admin

The video.admin role enables managing Cloud Video resources or a dedicated channel’s resources and assigning access permissions to all resources or a channel’s resources.

Users with this role can:

  • View info on access permissions granted for channels and modify such permissions.
  • View info on Cloud Video resources and their settings, as well as create, modify, and delete such resources.
  • Broadcast live video streams from Cloud Video.
  • Download source video and subtitle files as well as thumbnails.
  • Use AI features, such as video summarization and neural machine translation.

This role includes the video.editor permissions.

Yandex Compute Cloud

compute.auditor

The compute.auditor role allows you to view information on Compute Cloud resources and relevant operations, as well as on the amount of used resources and quotas. It does not allow you to access the serial port or serial console of an instance.

Users with this role can:
  • View a list of instances and information on them.
  • View a list of instance groups and information on them.
  • View a list of instance placement groups and information on them.
  • View lists of instances in placement groups.
  • View a list of dedicated host groups and information on them.
  • View lists of hosts and instances in dedicated host groups.
  • View information on GPU clusters and instances included in these clusters.
  • View a list of disks and information on them.
  • View a list of file storages and information on them.
  • View a list of non-replicated disk placement groups and information on them.
  • View lists of disks in placement groups.
  • View information on reserved instance pools.
  • View a list of images and information on them.
  • View information on image families, on images within families, on the latest family image, as well as on access permissions assigned to image families.
  • View a list of disk snapshots and information on them.
  • View information on disk snapshot schedules.
  • View information on Compute Cloud resource and quota consumption and disk limits in the management console.
  • View lists of resource operations for Compute Cloud, as well as information on these operations.
  • View information on the status of configuring access via OS Login on instances.
  • View information on available platforms.
  • View a list of availability zones and information on them.

compute.viewer

The compute.viewer role allows you to view information on Compute Cloud resources and resource operations, as well as on access permissions assigned to the resources and on the amount of used resources and quotas. This role also grants access to instance metadata and serial port output.

Users with this role can:
  • View the instance serial port output.
  • View instance metadata.
  • View a list of instances, information on instances and on access permissions assigned to them.
  • View a list of instance groups and information on them.
  • View a list of instance placement groups, information on instance placement groups and on access permissions assigned to them.
  • View lists of instances in placement groups.
  • View a list of dedicated host groups, information on dedicated host groups and on access permissions assigned to them.
  • View lists of hosts and instances in dedicated host groups.
  • View information on GPU clusters and instances included in GPU clusters, as well as on the access permissions assigned to these clusters.
  • View a list of disks, information on disks and on access permissions assigned to them.
  • View a list of file storages, information on file storages and on access permissions assigned to them.
  • View a list of non-replicated disk placement groups, information on non-replicated disk placement groups and on access permissions assigned to them.
  • View lists of disks in placement groups.
  • View information on reserved instance pools.
  • View a list of images, information on images and on access permissions assigned to them.
  • View information on image families, on images within families, on the latest family image, as well as on access permissions assigned to image families.
  • View a list of disk snapshots, information on disk snapshots and on access permissions assigned to them.
  • View information on disk snapshot schedules and on access permissions assigned to them.
  • View information on Compute Cloud resource and quota consumption and disk limits in the management console.
  • View lists of resource operations for Compute Cloud, as well as information on these operations.
  • View information on the status of configuring access via OS Login on instances.
  • View information on available platforms.
  • View a list of availability zones, information on availability zones and on access permissions assigned to them.

This role includes the compute.auditor and compute.snapshotSchedules.viewer permissions.

compute.editor

The compute.editor role allows you to manage instances, instance groups, disks, images, GPU clusters, and other Compute Cloud resources.

Users with this role can:
  • Create, modify, start, restart, stop, move, and delete instances.
  • View a list of instances, information on instances and on access permissions assigned to them.
  • Connect and disconnect disks, file storages, and network interfaces to and from instances, as well as link security groups to instance network interfaces.
  • Create instances with custom FQDNs and create multi-interface instances.
  • Bind service accounts to instances and activate AWS v1 tokens on instances.
  • Use the instance serial port for reading and writing.
  • Simulate instance maintenance events.
  • View instance metadata.
  • View information on the status of configuring access via OS Login on instances and connect to instances via OS Login using SSH certificates or SSH keys.
  • View a list of instance groups, information on instance groups and on access permissions assigned to them, as well as use, create, modify, start, stop, and delete instance groups.
  • View a list of instance placement groups, information on instance placement groups and on access permissions assigned to them, as well as use, modify, and delete instance placement groups.
  • View lists of instances in placement groups.
  • View a list of dedicated host groups, information on dedicated host groups and on access permissions assigned to them, as well as use, modify, and delete dedicated host groups.
  • View lists of hosts and instances in dedicated host groups.
  • Modify scheduled maintenance windows for hosts in dedicated host groups.
  • Use GPU clusters, as well as create, modify, and delete them.
  • View information on GPU clusters and instances included in GPU clusters, as well as on the access permissions assigned to these clusters.
  • View information on reserved instance pools, as well as create, use, modify, and delete them.
  • View a list of disks, information on disks and on access permissions assigned to them, as well as use, modify, move, and delete disks.
  • Create encrypted disks.
  • View and update disk links.
  • View a list of file storages, information on file storages and on access permissions assigned to them, as well as use, create, modify, and delete file storages.
  • View a list of non-replicated disk placement groups, information on non-replicated disk placement groups and on access permissions assigned to them, as well as use, modify, and delete non-replicated disk placement groups.
  • View lists of disks in placement groups.
  • View a list of images, information on images and on access permissions assigned to them, as well as use, modify, and delete images.
  • Create, modify, delete, and update image families.
  • View information on image families, on images within families, on the latest family image, as well as on access permissions assigned to image families.
  • View a list of disk snapshots, information on disk snapshots and on access permissions assigned to them, as well as use, modify, and delete disk snapshots.
  • View information on disk snapshot schedules and on access permissions assigned to them, as well as create, modify, and delete disk snapshot schedules.
  • View information on cloud networks and use them.
  • View information on subnets and use them.
  • View information on cloud resource addresses and use them.
  • View information on route tables and use them.
  • View information on security groups and use them.
  • View information on NAT gateways and connect them to route tables.
  • View information on the IP addresses used in subnets.
  • View information on resource operations for Virtual Private Cloud.
  • View information on Virtual Private Cloud quotas.
  • View information on Compute Cloud resource and quota consumption and disk limits in the management console.
  • View lists of resource operations for Compute Cloud and information on operations, as well as abort such operations.
  • View information on available platforms and use them.
  • View a list of availability zones, information on availability zones and on access permissions assigned to them.
  • View information on the relevant cloud.
  • View information on the relevant folder.

This role includes the compute.operator, compute.osLogin, compute.snapshotSchedules.editor, compute.disks.user, and vpc.user permissions.

compute.admin

The compute.admin role allows you to manage instances, instance groups, disks, images, GPU clusters, and other Compute Cloud resources, as well as manage access to them.

Users with this role can:
  • Create, modify, start, restart, stop, move, and delete instances, as well as manage access to them.
  • View a list of instances, information on instances and on access permissions assigned to them.
  • Connect and disconnect disks, file storages, and network interfaces to and from instances, as well as link security groups to instance network interfaces.
  • Create instances with custom FQDNs and create multi-interface instances.
  • Bind service accounts to instances and activate AWS v1 tokens on instances.
  • Use the instance serial port for reading and writing.
  • Simulate instance maintenance events.
  • View instance metadata.
  • View information on the status of configuring access via OS Login on instances and connect to instances via OS Login using SSH certificates or SSH keys and run commands as a superuser (sudo).
  • Use, create, modify, start, stop, and delete instance groups, as well as manage access to instance groups.
  • View a list of instance groups, information on instance groups and on access permissions assigned to them.
  • Use, create, modify, and delete instance placement groups, as well as manage access to instance placement groups.
  • View a list of instance placement groups, information on instance placement groups and on access permissions assigned to them.
  • View lists of instances in placement groups.
  • Use, create, modify, and delete dedicated host groups, as well as manage access to dedicated host groups.
  • View a list of dedicated host groups, information on dedicated host groups and on access permissions assigned to them.
  • View lists of hosts and instances in dedicated host groups.
  • Modify scheduled maintenance windows for hosts in dedicated host groups.
  • Use, create, modify, and delete GPU clusters, as well as manage access to them.
  • View information on GPU clusters and instances included in GPU clusters, as well as on the access permissions assigned to these clusters.
  • View information on reserved instance pools, as well as create, use, modify, and delete them.
  • Use, create, modify, move, and delete disks, as well as manage access to them.
  • Create encrypted disks.
  • View a list of disks, information on disks and on access permissions assigned to them.
  • View and update disk links.
  • Use, create, modify, and delete file storages, as well as manage access to them.
  • View a list of file storages, information on file storages and on access permissions assigned to them.
  • Use, create, modify, and delete non-replicated disk placement groups, as well as manage access to non-replicated disk placement groups.
  • View a list of non-replicated disk placement groups, information on non-replicated disk placement groups and on access permissions assigned to them.
  • View lists of disks in placement groups.
  • Use, create, modify, and delete images, as well as manage access to them.
  • View a list of images, information on images and on access permissions assigned to them.
  • Create, modify, delete, and update image families, as well as manage access to them.
  • View information on image families, on images within families, on the latest family image, as well as on access permissions assigned to image families.
  • Use, create, modify, and delete disk snapshots, as well as manage access to them.
  • View a list of disk snapshots, information on disk snapshots and on access permissions assigned to them.
  • Create, modify, and delete disk snapshot schedules, as well as manage access to them.
  • View information on disk snapshot schedules and on access permissions assigned to them.
  • View information on cloud networks and use them.
  • View information on subnets and use them.
  • View information on cloud resource addresses and use them.
  • View information on route tables and use them.
  • View information on security groups and use them.
  • View information on NAT gateways and connect them to route tables.
  • View information on the IP addresses used in subnets.
  • View information on resource operations for Virtual Private Cloud.
  • View information on Virtual Private Cloud quotas.
  • View information on Compute Cloud resource and quota consumption and disk limits in the management console.
  • View lists of resource operations for Compute Cloud and information on operations, as well as abort such operations.
  • View information on available platforms and use them.
  • View a list of availability zones, information on availability zones and on access permissions assigned to them.
  • View information on the relevant cloud.
  • View information on the relevant folder.

This role includes the compute.editor and compute.osAdminLogin permissions.

compute.osLogin

The compute.osLogin role allows you to connect to instances via OS Login using SSH certificates or SSH keys.

compute.osAdminLogin

The compute.osAdminLogin role allows you to connect to instances using SSH certificates or SSH keys via OS Login and run commands as a superuser (sudo).

compute.disks.user

The compute.disks.user role allows you to view a list of disks and information on them, as well as use disks to create new resources, such as instances.

compute.images.user

The compute.images.user role allows you to view a list of images and information on them, get information on the latest image within the image family, as well as use images to create new resources, such as instances.

compute.operator

The compute.operator role allows you to start and stop instances and instance groups, and to view information on Compute Cloud resources and resource operations, on access permissions assigned to the resources, and on the amount of used resources and quotas.

Users with this role can:
  • Start, restart, and stop instances.
  • View a list of instances, information on instances and on access permissions assigned to them.
  • Start and stop instance groups.
  • View a list of instance groups and information on them.
  • View the instance serial port output.
  • View instance metadata.
  • View a list of instance placement groups, information on instance placement groups and on access permissions assigned to them.
  • View lists of instances in placement groups.
  • View a list of dedicated host groups, information on dedicated host groups and on access permissions assigned to them.
  • View lists of hosts and instances in dedicated host groups.
  • View information on GPU clusters and instances included in GPU clusters, as well as on the access permissions assigned to these clusters.
  • View a list of disks, information on disks and on access permissions assigned to them.
  • View a list of file storages, information on file storages and on access permissions assigned to them.
  • View a list of non-replicated disk placement groups, information on non-replicated disk placement groups and on access permissions assigned to them.
  • View lists of disks in placement groups.
  • View information on reserved instance pools.
  • View a list of images, information on images and on access permissions assigned to them.
  • View information on image families, on images within families, on the latest family image, as well as on access permissions assigned to image families.
  • View a list of disk snapshots, information on disk snapshots and on access permissions assigned to them.
  • View information on disk snapshot schedules and on access permissions assigned to them.
  • View information on Compute Cloud resource and quota consumption and disk limits in the management console.
  • View lists of resource operations for Compute Cloud, as well as information on these operations.
  • View information on the status of configuring access via OS Login on instances.
  • View information on available platforms.
  • View a list of availability zones, information on availability zones and on access permissions assigned to them.

This role includes the compute.viewer permissions.

compute.snapshotSchedules.viewer

The compute.snapshotSchedules.viewer role allows you to view information on scheduled disk snapshots.

Users with this role can:

  • View information on disk snapshot schedules and on access permissions assigned to them.
  • View lists of disks.
  • View lists of disk snapshots.
  • View a list of disk snapshot operations.

compute.snapshotSchedules.editor

The compute.snapshotSchedules.editor role allows you to create, modify, and delete disk snapshot schedules, create and delete disk snapshots, and view information on disk snapshot operations.

Users with this role can:

  • View information on disk snapshot schedules and on access permissions assigned to them, as well as create, modify, and delete disk snapshot schedules.
  • View lists of disks and use disks to create snapshots.
  • View lists of disk snapshots, create and delete snapshots.
  • View a list of disk snapshot operations and information on them.

This role includes the compute.snapshotSchedules.viewer permissions.

For more information, see Access management in Compute Cloud.

Yandex Connection Manager

connection-manager.auditor

The connection-manager.auditor role allows you to view public details on connections and access permissions assigned to them. If you have this role assigned for a cloud, it will also enable viewing Connection Manager quotas.

connection-manager.viewer

The connection-manager.viewer role enables viewing info on connections and access permissions assigned to them, as well as on the Connection Manager quotas.

This role includes the connection-manager.auditor permissions.

connection-manager.editor

The connection-manager.editor role allows you to manage connections and view their details.

Users with this role can:

  • Create, use, edit, and delete connections.
  • View connection details and info on connection access permissions.
  • View info on Connection Manager quotas.

This role includes the connection-manager.viewer permissions.

connection-manager.admin

The connection-manager.admin role allows you to manage connections and access to them, as well as view connection details.

Users with this role can:

  • Create, use, edit, and delete connections, as well as manage access to them.
  • View connection details and info on connection access permissions.
  • View info on Connection Manager quotas.

This role includes the connection-manager.editor permissions.

For more information, see Access management in Connection Manager.

Yandex Container Registry

container-registry.viewer

The container-registry.viewer role enables viewing info on registries, Docker images, and repositories, as well as on the relevant folder, cloud, and Container Registry quotas.

Users with this role can:

  • View the list of registries, info on them and the access permissions granted for them, as well as on the access policy settings for IP addresses and the vulnerability scanner settings.
  • View info on repositories and the access permissions granted for them.
  • View the list of the Docker image auto-delete policies and info on them.
  • View the list of the testing results for Docker image auto-delete policies and info on such results.
  • View the list of Docker images in the registry and the info on them, as well as download Docker images from the registry.
  • View the Docker image vulnerability scan history and the info on the result of such scans.
  • View info on the Container Registry quotas.
  • View info on the relevant cloud and folder.

container-registry.editor

The container-registry.editor role enables managing registries, Docker images, repositories, and their settings.

Users with this role can:

  • View the list of registries and info on them, as well as create, modify, and delete them.
  • View info on the access permissions granted for registries, as well as on the access policy settings for IP addresses.
  • View info on the vulnerability scanner settings, as well as create, modify, and delete scan rules.
  • View the list of Docker images in the registry and info on them, as well as create, download, modify, and delete them.
  • Start and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
  • View info on repositories and the access permissions granted for them, as well as create and delete repositories.
  • View the list of the Docker image auto-delete policies and info on them, as well as create, modify, and delete such policies.
  • Test the Docker image auto-delete policies, view the list of testing results and the info on such results.
  • View info on the Container Registry quotas.
  • View info on the relevant cloud and folder.

This role includes the container-registry.viewer permissions.

container-registry.admin

The container-registry.admin role enables managing access to registries and repositories, as well as managing registries, Docker images, repositories, and their settings.

Users with this role can:

  • View the list of registries and info on them, as well as create, modify, and delete them.
  • View info on the access permissions granted to registries and modify such permissions.
  • View info on the access policy settings for IP addresses and modify such settings.
  • View info on the vulnerability scanner settings, as well as create, modify, and delete scan rules.
  • View the list of Docker images in the registry and info on them, as well as create, download, modify, and delete them.
  • Start and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
  • View info on repositories, as well as create and delete them.
  • View info on the access permissions granted to repositories and modify such permissions.
  • View the list of the Docker image auto-delete policies and info on them, as well as create, modify, and delete such policies.
  • Test the Docker image auto-delete policies, view the list of testing results and the info on such results.
  • View info on the Container Registry quotas.
  • View info on the relevant cloud and folder.

This role includes the container-registry.editor permissions.

container-registry.images.pusher

The container-registry.images.pusher role enables managing Docker images and repositories, as well as viewing info on Docker images, repositories, and registries.

Users with this role can:

  • View the list of registries and info on them.
  • View the list of Docker images in the registry and info on them, as well as push, download, update, and delete them.
  • Create and delete repositories.

container-registry.images.puller

The container-registry.images.puller role enables downloading Docker images from the registry and viewing the list of registries and Docker images, as well as info on them.

container-registry.images.scanner

The container-registry.images.scanner role enables scanning Docker images for vulnerabilities, as well as viewing info on registries, Docker images, repositories, the relevant cloud and folder, and the Container Registry quotas.

Users with this role can:

  • View the list of Docker images in the registry and info on them, as well as download Docker images from the registry.
  • Start and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
  • View the list of registries, info on them and the access permissions granted for them, as well as on the access policy settings for IP addresses and the vulnerability scanner settings.
  • View info on repositories and the access permissions granted for them.
  • View the list of the Docker image auto-delete policies and info on them.
  • View the list of the testing results for Docker image auto-delete policies and info on such results.
  • View info on the Container Registry quotas.
  • View info on the relevant cloud and folder.

This role includes the container-registry.viewer permissions.

For more information, see Access management in Container Registry.

Yandex DataLens

datalens.workbooks.limitedViewer

You can assign the datalens.workbooks.limitedViewer role to a workbook. With it, you can view all of the workbook's nested charts and dashboards and the info on the access permissions granted for that workbook. In the DataLens UI, this role is referred to as Limited viewer. You may want to only assign this role through the DataLens UI.

datalens.workbooks.viewer

You can assign the datalens.workbooks.viewer role to a workbook. With it, you can view all of the workbook's nested objects and the info on the access permissions granted for that workbook. In the DataLens UI, this role is referred to as Viewer. You may want to only assign this role through the DataLens UI.

This role includes the datalens.workbooks.limitedViewer permissions.

datalens.workbooks.editor

You can assign the datalens.workbooks.editor role to a workbook. With it, you can edit both the workbook and all its nested objects. In the DataLens UI, this role is referred to as Editor. You may want to only assign this role through the DataLens UI.

Users with this role can:

  • Edit the relevant workbook and create copies of it.
  • View and edit all of the workbook's nested objects.
  • View info on the access permissions granted for the workbook.

This role includes the datalens.workbooks.viewer permissions.

datalens.workbooks.admin

You can assign the datalens.workbooks.admin role to a workbook. With it, you can manage the relevant workbook and access to it, as well as all its nested objects. In the DataLens UI, this role is referred to as Admin. You may want to only assign this role through the DataLens UI.

Users with this role can:

  • View info on the access permissions granted for the relevant workbook and modify such permissions.
  • Edit, move, create copies of, and delete the relevant workbook.
  • View and edit all of the workbook's nested objects.
  • Embed the workbook's nested private objects in websites and apps.
  • Publish the workbook's nested objects.

This role includes the datalens.workbooks.editor permissions.

datalens.collections.limitedViewer

You can assign the datalens.collections.limitedViewer role to a collection. It allows you to view the info on the collection and its nested collections and workbooks, which includes viewing the charts and dashboards of the nested workbooks. In the DataLens UI, this role is referred to as Limited viewer. You may want to only assign this role through the DataLens UI.

Users with this role can:

  • View info on the relevant collection and its nested workbooks and collections.
  • View info on the access permissions granted for the appropriate collection, as well as for its nested collections and workbooks.
  • View charts and dashboards nested into the workbooks related to the appropriate collection and its nested collections.

This role includes the datalens.workbooks.limitedViewer permissions.

datalens.collections.viewer

You can assign the datalens.collections.viewer role to a collection. It allows you to view the info on the collection and its nested collections and workbooks, as well as view all objects nested in those workbooks. In the DataLens UI, this role is referred to as Viewer. You may want to only assign this role through the DataLens UI.

Users with this role can:

  • View info on the relevant collection and its nested workbooks and collections.
  • View info on the access permissions granted for the appropriate collection, as well as for its nested collections and workbooks.
  • View all nested objects of the workbooks related to the appropriate collection and its nested collections.

This role includes the datalens.collections.limitedViewer and datalens.workbooks.viewer permissions.

datalens.collections.editor

You can assign the datalens.collections.editor role to a collection. It allows you to edit the collection, all its nested collections and workbooks, and all objects within those workbooks. In the DataLens UI, this role is referred to as Editor. We recommend assigning this role only through the DataLens UI.

Users with this role can:

  • View info on the relevant collection and its nested collections and workbooks.
  • Edit the relevant collection and all its nested collections and workbooks.
  • Create copies of the relevant collection and all its nested collections and workbooks.
  • Create new collections and workbooks within the relevant collection and all its nested ones.
  • View and edit all nested objects of the workbooks related to the appropriate collection and its nested collections.
  • View info on the access permissions granted for the appropriate collection, as well as for its nested collections and workbooks.

This role includes the datalens.collections.viewer and datalens.workbooks.editor permissions.

datalens.collections.admin

You can assign the datalens.collections.admin role to a collection. It allows you to manage the collection and access to it, as well as all its nested collections and workbooks and all objects within those workbooks. In the DataLens UI, this role is referred to as Admin. We recommend assigning this role only through the DataLens UI.

Users with this role can:

  • View info on the access permissions granted for the appropriate collection and for its nested collections and workbooks, as well as modify such access permissions.
  • View info on the relevant collection and its nested collections and workbooks.
  • Edit the relevant collection and all its nested collections and workbooks, as well as create copies of it.
  • Move and delete the relevant collection and all its nested collections and workbooks.
  • Create new collections and workbooks within the relevant collection.
  • View and edit all nested objects of the workbooks related to the appropriate collection and its nested collections.
  • Embed the private objects nested in workbooks of the relevant collection and its nested collections in websites and apps.
  • Publish the objects nested into the workbooks related to the appropriate collection and its nested collections.

This role includes the datalens.collections.editor and datalens.workbooks.admin permissions.

datalens.visitor

The datalens.visitor role grants access to DataLens. You can view and edit workbooks and collections if you have the appropriate roles that grant access to these workbooks and collections.

datalens.creator

The datalens.creator role grants access to DataLens with a permission to create workbooks and collections in the DataLens root. You can view and edit workbooks and collections created by other users only if you have access permissions to these workbooks and collections.

This role includes the datalens.visitor permissions.

datalens.admin

The datalens.admin role grants full access to DataLens and any of its workbooks and collections.

This role includes the datalens.creator permissions.

datalens.instances.user

The datalens.instances.user role grants access to DataLens as a user who can create, read, and edit objects according to the permissions granted for those objects. It also allows viewing information on organization folders.

After you assign a service role, you can grant the user permissions to objects and directories in DataLens.

Tip

We recommend using the datalens.creator role instead of datalens.instances.user. Inside DataLens the two roles grant identical permissions, but datalens.creator is the safer choice: it grants access only to the DataLens instance and does not allow viewing all organization folders.

datalens.instances.admin

The datalens.instances.admin role allows you to access DataLens as a DataLens instance administrator. Administrators have full access to all objects and folders in DataLens, as well as to DataLens settings. The role also allows you to view information on organization folders.

This role includes the datalens.instances.user permissions.

Tip

We recommend using the datalens.admin role instead of datalens.instances.admin. Inside DataLens the two roles grant identical permissions, but datalens.admin is the safer choice: it grants access only to the DataLens instance and does not allow viewing all organization folders.

For more information, see Yandex DataLens roles.

Yandex Data Processing

dataproc.agent

The dataproc.agent role allows the service account linked to a Yandex Data Processing cluster to notify Yandex Data Processing of the cluster host state. Assign this role to the service account linked to the cluster, not to a user.

Service accounts with this role can:

  • Notify Yandex Data Processing of the cluster host state.
  • Get info on jobs and their progress statuses.
  • Get info on log groups and add entries to them.

Currently, you can only assign this role for a folder or cloud.

dataproc.auditor

The dataproc.auditor role allows you to view information on Yandex Data Processing clusters.

dataproc.viewer

The dataproc.viewer role allows you to view information on Yandex Data Processing clusters and jobs.

dataproc.user

The dataproc.user role grants access to the Yandex Data Processing component web interfaces and enables creating jobs and viewing info on Yandex Cloud managed DB clusters.

Users with this role can:

  • View info on Yandex Data Processing clusters and jobs, as well as create jobs.
  • Use the web interface to access the Yandex Data Processing components.
  • View info on ClickHouse®, Greenplum®, Apache Kafka®, Yandex StoreDoc, MySQL®, PostgreSQL, Valkey™, OpenSearch, and SQL Server clusters.
  • View info on Greenplum®, Yandex StoreDoc, MySQL®, PostgreSQL, Valkey™, and SQL Server cluster hosts.
  • View info on database backups for Greenplum®, Yandex StoreDoc, MySQL®, PostgreSQL, Valkey™, and SQL Server clusters.
  • View info on Yandex StoreDoc, MySQL®, PostgreSQL, and SQL Server cluster users.
  • View info on Yandex StoreDoc, MySQL®, PostgreSQL, and SQL Server DBs.
  • View info on Yandex StoreDoc, MySQL®, PostgreSQL, and Valkey™ alerts.
  • View info on the results of Greenplum®, Yandex StoreDoc, MySQL®, and PostgreSQL cluster performance diagnostics.
  • View info on Yandex StoreDoc and Valkey™ cluster shards.
  • View Greenplum®, Yandex StoreDoc, MySQL®, PostgreSQL, Valkey™, and SQL Server cluster logs.
  • View info on Managed Service for ClickHouse®, Managed Service for Apache Kafka®, Managed Service for OpenSearch, Yandex MPP Analytics for PostgreSQL, Yandex StoreDoc, Managed Service for MySQL®, Managed Service for PostgreSQL, Yandex Managed Service for Valkey™, and SQL Server quotas.
  • View info on resource operations for all Yandex Cloud managed DB services.
  • View info on the relevant folder.

This role includes the dataproc.viewer and mdb.viewer permissions.

dataproc.provisioner

The dataproc.provisioner role grants access to the API to create, update, and delete Yandex Data Processing cluster objects. It is a broad role: it bundles compute.editor, dns.editor, and iam.serviceAccounts.user, so its holder can also manage instances, disks, and DNS zones in the scope and act on behalf of service accounts there. Assign it at the narrowest scope that works.

Users with this role can:

  • View information on DNS zones as well as create, use, modify, and delete them.
  • View information on resource records as well as create, modify, and delete them.
  • Create nested public DNS zones.
  • View info on granted access permissions for DNS zones.
  • View information on available platforms and use them.
  • Create, modify, start, restart, stop, move, and delete instances.
  • View the list of instances, information on instances and on granted access permissions for them.
  • Connect and disconnect disks, file storages, and network interfaces to and from instances, as well as link security groups to instance network interfaces.
  • Create instances with custom FQDNs and create multi-interface instances.
  • Bind service accounts to instances and activate AWS v1 tokens on instances.
  • View the list of service accounts and info on them, as well as perform operations on behalf of a service account.
  • Use the instance serial port for reading and writing.
  • Simulate instance maintenance events.
  • View instance metadata.
  • View information on the status of configuring access via OS Login on instances and connect to instances via OS Login using SSH certificates or SSH keys.
  • View the list of instance groups, information on instance groups and on granted access permissions for them, as well as use, create, modify, start, stop, and delete instance groups.
  • View the list of instance placement groups, information on instance placement groups and on granted access permissions for them, as well as use, modify, and delete instance placement groups.
  • View lists of instances in placement groups.
  • View the list of dedicated host groups, information on dedicated host groups and on granted access permissions for them, as well as use, modify, and delete dedicated host groups.
  • View lists of hosts and instances in dedicated host groups.
  • Modify scheduled maintenance windows for hosts in dedicated host groups.
  • Use GPU clusters, as well as create, modify, and delete them.
  • View info on GPU clusters and instances included in GPU clusters, as well as on granted access permissions for these clusters.
  • View the list of disks, information on disks and on granted access permissions for them, as well as use, modify, move, and delete disks.
  • Create encrypted disks.
  • View and update disk links.
  • View the list of file storages, information on file storages and on granted access permissions for them, as well as use, create, modify, and delete file storages.
  • View the list of non-replicated disk placement groups, information on non-replicated disk placement groups and on granted access permissions for them, as well as use, modify, and delete non-replicated disk placement groups.
  • View lists of disks in placement groups.
  • View the list of images, information on images and on granted access permissions for them, as well as use, modify, and delete images.
  • Create, modify, delete, and update image families.
  • View info on image families, on images within families, on the latest family image, as well as on granted access permissions for image families.
  • View the list of disk snapshots, information on disk snapshots and on granted access permissions for them, as well as use, modify, and delete disk snapshots.
  • View info on disk snapshot schedules and on granted access permissions for them, as well as create, modify, and delete disk snapshot schedules.
  • View the list of cloud networks and info on them, as well as use them.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud resource addresses and info on them, as well as use such addresses.
  • View the list of route tables and info on them, as well as use them.
  • View the list of security groups and info on them, as well as use them.
  • View information on NAT gateways and connect them to route tables.
  • View information on the IP addresses used in subnets.
  • View info on Monitoring metrics and their labels, as well as download metrics.
  • View the list of Monitoring dashboards and widgets, as well as the info on those.
  • View the Monitoring notification history.
  • View info on log groups.
  • View info on log sinks.
  • View info on granted access permissions for Cloud Logging resources.
  • View info on log exports.
  • View information on Compute Cloud resource and quota consumption and disk limits in the management console.
  • View info on the Cloud DNS, Virtual Private Cloud, and Monitoring quotas.
  • View lists of resource operations for Compute Cloud and information on operations, as well as abort such operations.
  • View information on resource operations for Virtual Private Cloud.
  • View the list of availability zones, information on availability zones and on granted access permissions for them.
  • View info on the relevant cloud and folder.

This role includes the iam.serviceAccounts.user, dns.editor, compute.editor, monitoring.viewer, and logging.viewer permissions.

dataproc.editor

The dataproc.editor role allows you to manage Yandex Data Processing clusters, run jobs, and view information on them. It also grants access to the Yandex Data Processing component web interfaces.

Users with this role can:

  • View info on Yandex Data Processing clusters, as well as create, modify, run, stop, and delete them.
  • View info on jobs and create them.
  • Use the web interface to access the Yandex Data Processing components.
  • View info on ClickHouse®, Greenplum®, Apache Kafka®, Yandex StoreDoc, MySQL®, PostgreSQL, Valkey™, OpenSearch, and SQL Server clusters.
  • View info on Greenplum®, Yandex StoreDoc, MySQL®, PostgreSQL, Valkey™, and SQL Server cluster hosts.
  • View info on database backups for Greenplum®, Yandex StoreDoc, MySQL®, PostgreSQL, Valkey™, and SQL Server clusters.
  • View info on Yandex StoreDoc, MySQL®, PostgreSQL, and SQL Server cluster users.
  • View info on Yandex StoreDoc, MySQL®, PostgreSQL, and SQL Server DBs.
  • View info on Yandex StoreDoc, MySQL®, PostgreSQL, and Valkey™ alerts.
  • View info on the results of Greenplum®, Yandex StoreDoc, MySQL®, and PostgreSQL cluster performance diagnostics.
  • View info on Yandex StoreDoc and Valkey™ cluster shards.
  • View Greenplum®, Yandex StoreDoc, MySQL®, PostgreSQL, Valkey™, and SQL Server cluster logs.
  • View info on Managed Service for ClickHouse®, Managed Service for Apache Kafka®, Managed Service for OpenSearch, Yandex MPP Analytics for PostgreSQL, Yandex StoreDoc, Managed Service for MySQL®, Managed Service for PostgreSQL, Yandex Managed Service for Valkey™, and SQL Server quotas.
  • View info on resource operations for all Yandex Cloud managed DB services.
  • View info on the relevant folder.

This role includes the dataproc.user permissions.

dataproc.admin

The dataproc.admin role allows you to manage Yandex Data Processing clusters, run jobs, and view information on them. It also grants access to the Yandex Data Processing component web interfaces.

Users with this role can:

  • View info on Yandex Data Processing clusters, as well as create, modify, run, stop, and delete them.
  • View info on jobs and create them.
  • Use the web interface to access the Yandex Data Processing components.
  • View info on ClickHouse®, Greenplum®, Apache Kafka®, Yandex StoreDoc, MySQL®, PostgreSQL, Valkey™, OpenSearch, and SQL Server clusters.
  • View info on Greenplum®, Yandex StoreDoc, MySQL®, PostgreSQL, Valkey™, and SQL Server cluster hosts.
  • View info on database backups for Greenplum®, Yandex StoreDoc, MySQL®, PostgreSQL, Valkey™, and SQL Server clusters.
  • View info on Yandex StoreDoc, MySQL®, PostgreSQL, and SQL Server cluster users.
  • View info on Yandex StoreDoc, MySQL®, PostgreSQL, and SQL Server DBs.
  • View info on Yandex StoreDoc, MySQL®, PostgreSQL, and Valkey™ alerts.
  • View info on the results of Greenplum®, Yandex StoreDoc, MySQL®, and PostgreSQL cluster performance diagnostics.
  • View info on Yandex StoreDoc and Valkey™ cluster shards.
  • View Greenplum®, Yandex StoreDoc, MySQL®, PostgreSQL, Valkey™, and SQL Server cluster logs.
  • View info on Managed Service for ClickHouse®, Managed Service for Apache Kafka®, Managed Service for OpenSearch, Yandex MPP Analytics for PostgreSQL, Yandex StoreDoc, Managed Service for MySQL®, Managed Service for PostgreSQL, Yandex Managed Service for Valkey™, and SQL Server quotas.
  • View info on resource operations for all Yandex Cloud managed DB services.
  • View info on the relevant folder.

This role includes the dataproc.editor permissions.

mdb.dataproc.agent

The mdb.dataproc.agent role allows the service account linked to a Yandex Data Processing cluster to notify Yandex Data Processing of the cluster host state.

Service accounts with this role can:

  • Notify Yandex Data Processing of the cluster host state.
  • Get info on jobs and their progress statuses.
  • Get info on log groups and add entries to them.

You can assign this role to a service account linked to the Yandex Data Processing cluster.

This role is no longer available. Please use dataproc.agent instead.

managed-metastore.auditor

The managed-metastore.auditor role allows you to view information on Apache Hive™ Metastore clusters and the Yandex Cloud managed DB service quotas.

managed-metastore.viewer

The managed-metastore.viewer role allows you to view information on Apache Hive™ Metastore clusters and their runtime logs, as well as details on the Yandex Cloud managed DB service quotas.

Users with this role can:

  • View info on Apache Hive™ Metastore clusters.
  • View Apache Hive™ Metastore cluster logs.
  • View info on the Yandex Cloud managed DB service quotas.
  • View info on the relevant cloud and folder.

This role includes the managed-metastore.auditor permissions.

managed-metastore.editor

The managed-metastore.editor role allows you to manage Apache Hive™ Metastore clusters, as well as view their runtime logs and information on the Yandex Cloud managed DB service quotas.

Users with this role can:

  • View info on Apache Hive™ Metastore clusters, as well as create, modify, run, stop, and delete them.
  • Export and import Apache Hive™ Metastore clusters.
  • View Apache Hive™ Metastore cluster logs.
  • View info on the Yandex Cloud managed DB service quotas.
  • View info on the relevant cloud and folder.

This role includes the managed-metastore.viewer permissions.

To create clusters, you also need the vpc.user role.

managed-metastore.admin

The managed-metastore.admin role allows you to manage Apache Hive™ Metastore clusters, as well as view their runtime logs and information on service quotas of Yandex Cloud managed DBs.

Users with this role can:

  • View info on Apache Hive™ Metastore clusters, as well as create, modify, run, stop, and delete them.
  • Export and import Apache Hive™ Metastore clusters.
  • View Apache Hive™ Metastore cluster logs.
  • View info on the Yandex Cloud managed DB service quotas.
  • View info on the relevant cloud and folder.

This role includes the managed-metastore.editor permissions.

To create clusters, you also need the vpc.user role.

managed-metastore.integrationProvider

The managed-metastore.integrationProvider role allows an Apache Hive™ Metastore cluster to work, on behalf of its service account, with the user resources it needs to operate. Assign this role to the service account linked to the Apache Hive™ Metastore cluster.

Service accounts with this role can:

  • Add entries to log groups.
  • View info on log groups.
  • View info on log sinks.
  • View info on granted access permissions for Cloud Logging resources.
  • View info on log exports.
  • View info on Monitoring metrics and their labels, as well as upload and download metrics.
  • View the list of Monitoring dashboards and widgets and info on them, as well as create, modify, and delete them.
  • View the Monitoring notification history.
  • View details on Monitoring quotas.
  • View info on the relevant cloud and folder.

This role includes the logging.writer and monitoring.editor permissions.

For more information, see Access management in Yandex Data Processing.

Yandex DataSphere

datasphere.community-projects.viewer

The datasphere.community-projects.viewer role allows you to view information on projects, project settings, and project resources, as well as on granted access permissions for these projects.

In the DataSphere interface, users with the datasphere.community-projects.viewer role have the Viewer role in the Members tab on the community page.

datasphere.community-projects.developer

The datasphere.community-projects.developer role allows you to work in projects and manage project resources.

Users with this role can:

  • View info on projects, project settings, and project resources.
  • Create, modify, and delete resources within projects.
  • Run IDEs and code cells in projects.
  • View info on granted access permissions for projects.

This role includes the datasphere.community-projects.viewer permissions.

In the DataSphere interface, users with the datasphere.community-projects.developer role have the Developer role in the Members tab on the community page.

datasphere.community-projects.editor

The datasphere.community-projects.editor role allows you to work in projects, modify and delete them, as well as manage project resources and share them within the community.

Users with this role can:

  • View info on projects, project settings, and project resources, as well as modify and delete projects.
  • Create, modify, and delete resources within projects, as well as share the relevant project resources with the communities where the user has the Developer permissions (the datasphere.communities.developer role or higher).
  • Run IDEs and code cells in projects.
  • View info on granted access permissions for projects.

This role includes the datasphere.community-projects.developer permissions.

In the DataSphere interface, users with the datasphere.community-projects.editor role have the Editor role in the Members tab on the community page.

datasphere.community-projects.admin

The datasphere.community-projects.admin role allows you to manage access to projects, work in them, modify and delete them, as well as manage project resources and share them within the community.

Users with this role can:

  • View info on granted access permissions for projects and modify access permissions.
  • View info on projects, project settings, and project resources, as well as modify and delete projects.
  • Create, modify, and delete resources within projects, as well as share the relevant project resources with the communities where the user has the Developer role (datasphere.communities.developer) or higher.
  • Run IDEs and code cells in projects.

This role includes the datasphere.community-projects.editor permissions.

In the DataSphere interface, users with the datasphere.community-projects.admin role have the Admin role in the Members tab on the community page.

datasphere.communities.viewer

The datasphere.communities.viewer role allows you to view information on communities and projects, as well as on granted access permissions for them.

Users with this role can:

  • View info on communities and granted access permissions for them.
  • View info on community projects, project settings, and project resources, as well as on granted access permissions for these projects.
  • View info on the relevant organization.

This role includes the datasphere.community-projects.viewer permissions.

In the DataSphere interface, users with the datasphere.communities.viewer role have the Viewer role in the Members tab on the community page.

datasphere.communities.developer

The datasphere.communities.developer role allows you to create new projects and publish project resources in communities, as well as view information on communities and projects.

Users with this role can:

  • View info on communities and granted access permissions for them.
  • Create new projects in communities.
  • Publish project resources in the communities where the user has the Developer permissions (the datasphere.communities.developer role) or higher.
  • View info on projects, project settings, and project resources, as well as on granted access permissions for these projects.
  • View info on the relevant organization.

This role includes the datasphere.communities.viewer permissions.

In the DataSphere interface, users with the datasphere.communities.developer role have the Developer role in the Members tab on the community page.

datasphere.communities.editor

The datasphere.communities.editor role allows you to link a billing account to communities, delete communities, and edit community settings, as well as manage community projects and resources.

Users with this role can:

  • View info on communities and granted access permissions for them, as well as modify and delete communities.
  • Link a billing account to communities.
  • Create new projects in communities, as well as modify and delete projects.
  • View info on projects, project settings, and project resources, as well as on granted access permissions for these projects.
  • Create, modify, and delete resources within projects, as well as publish project resources in the communities where the user has the Developer permissions (the datasphere.communities.developer role) or higher.
  • Run IDEs and code cells in projects.
  • View info on the relevant organization.

This role includes the datasphere.communities.developer and datasphere.community-projects.editor permissions.

In the DataSphere interface, users with the datasphere.communities.editor role have the Editor role in the Members tab on the community page.

datasphere.communities.admin

The datasphere.communities.admin role allows you to manage communities and community projects, as well as access to them.

Users with this role can:

  • View info on communities, as well as modify and delete communities.
  • View info on granted access permissions for communities and modify access permissions.
  • Link a billing account to communities.
  • Create new projects in communities, as well as modify and delete projects.
  • View info on projects, project settings, and project resources.
  • View info on granted access permissions for projects and modify access permissions.
  • Create, modify, and delete resources within projects, as well as publish project resources in the communities where the user has the Developer permissions (the datasphere.communities.developer role or higher).
  • Run IDEs and code cells in projects.
  • View info on the relevant organization.

This role includes the datasphere.communities.editor and datasphere.community-projects.admin permissions.

In the DataSphere interface, users with the datasphere.communities.admin role have the Admin role in the Members tab on the community page.

datasphere.user

The datasphere.user role allows you to run code cells in projects, view information on DataSphere projects and quotas, as well as on the relevant cloud and folder.

The datasphere.user role is deprecated and no longer in use.

data-sphere.user

The data-sphere.user role is no longer available.

datasphere.admin

The datasphere.admin role allows you to manage communities, community projects and access to them, and use cloud networks and Virtual Private Cloud resources.

Users with this role can:

  • View info on communities, as well as modify and delete communities.
  • View info on granted access permissions for communities and modify access permissions.
  • Link a billing account to communities.
  • Create new projects in communities, as well as modify and delete projects.
  • View info on projects, project settings, and project resources.
  • View info on granted access permissions for projects and modify access permissions.
  • Create, modify, and delete resources within projects, as well as publish project resources in the communities where the user has the Developer permissions (the datasphere.communities.developer role or higher).
  • Run IDEs and code cells in projects.
  • View the list of service accounts and use them.
  • View the list of cloud networks and info on them, as well as use them.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud resource addresses and info on them, as well as use such addresses.
  • View the list of route tables and info on them, as well as use them.
  • View the list of security groups and info on them, as well as use them.
  • View info on NAT gateways and connect them to route tables.
  • View information on the IP addresses used in subnets.
  • View the info on operations with the Virtual Private Cloud and Compute Cloud resources.
  • View info on the DataSphere and Virtual Private Cloud quotas.
  • View info on the relevant organization, cloud, and folder.

The datasphere.admin role is deprecated and no longer in use.

data-sphere.admin

The data-sphere.admin role is no longer available.

For more information, see Access management in DataSphere.
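Several entries above name roles you should no longer bind: the tips under datalens.instances.user and datalens.instances.admin recommend datalens.creator and datalens.admin instead, mdb.dataproc.agent has been replaced by dataproc.agent, and the datasphere.user, data-sphere.user, datasphere.admin, and data-sphere.admin roles are deprecated or no longer available. The agent roles (dataproc.agent, managed-metastore.integrationProvider) are also meant for a cluster's service account, not for a person. The script below is an added example, not Yandex Cloud code: it audits a folder's access bindings for exactly those cases and drafts the yc commands to fix them. It assumes the JSON shape produced by `yc resource-manager folder list-access-bindings --format json` (fields `role_id`, `subject.type`, `subject.id`) and the `--id`, `--role`, and `--subject` flags of `yc resource-manager folder remove-access-binding` / `add-access-binding`; the sample bindings and subject IDs are constructed.

```python
"""Audit a folder's Yandex Cloud access bindings for the superseded, deprecated
and misassigned roles called out in this role reference.
Added example, not Yandex Cloud code."""
import json

# Roles this reference tells you to replace (value: recommended replacement)
# or to stop using (value: None, role deprecated or no longer available).
SUPERSEDED_ROLES = {
    "datalens.instances.user": "datalens.creator",
    "datalens.instances.admin": "datalens.admin",
    "mdb.dataproc.agent": "dataproc.agent",
    "datasphere.user": None,
    "data-sphere.user": None,
    "datasphere.admin": None,
    "data-sphere.admin": None,
}

# Roles this reference describes as meant for a cluster's service account.
SERVICE_ACCOUNT_ROLES = {
    "dataproc.agent",
    "mdb.dataproc.agent",
    "managed-metastore.integrationProvider",
}

# Constructed sample bindings. The shape (role_id, subject.type, subject.id) is
# assumed to match `yc resource-manager folder list-access-bindings --format json`;
# the subject IDs are made up.
SAMPLE_BINDINGS = json.loads("""[
  {"role_id": "datalens.instances.user", "subject": {"type": "userAccount",    "id": "aje1example000000001"}},
  {"role_id": "mdb.dataproc.agent",      "subject": {"type": "serviceAccount", "id": "ajeexample0000000002"}},
  {"role_id": "dataproc.agent",          "subject": {"type": "userAccount",    "id": "aje1example000000003"}},
  {"role_id": "dataproc.editor",         "subject": {"type": "userAccount",    "id": "aje1example000000004"}},
  {"role_id": "data-sphere.admin",       "subject": {"type": "federatedUser",  "id": "aje1example000000005"}}
]""")


def audit_bindings(bindings):
    """Return (subject, role, reason) triples for every binding that needs attention."""
    findings = []
    for binding in bindings:
        role = binding["role_id"]
        subject = f"{binding['subject']['type']}:{binding['subject']['id']}"
        if role in SUPERSEDED_ROLES:
            replacement = SUPERSEDED_ROLES[role]
            reason = (f"superseded; assign {replacement} instead" if replacement
                      else "deprecated or no longer available; remove")
            findings.append((subject, role, reason))
        # An agent role held by a human principal is a misassignment: it exists
        # so the cluster's own service account can report host state.
        if role in SERVICE_ACCOUNT_ROLES and binding["subject"]["type"] != "serviceAccount":
            findings.append((subject, role, "meant for the cluster's service account, not a user"))
    return findings


def remediation_commands(findings, folder_id):
    """Turn findings into yc CLI commands: drop the old binding, add the replacement if any.
    The flag names are assumed from the yc CLI; check `yc resource-manager folder --help`
    before running the output."""
    commands = []
    for subject, role, _ in findings:
        commands.append(f"yc resource-manager folder remove-access-binding --id {folder_id} "
                        f"--role {role} --subject {subject}")
        replacement = SUPERSEDED_ROLES.get(role)
        if replacement:
            commands.append(f"yc resource-manager folder add-access-binding --id {folder_id} "
                            f"--role {replacement} --subject {subject}")
    return commands


if __name__ == "__main__":
    results = audit_bindings(SAMPLE_BINDINGS)
    for subject, role, reason in results:
        print(f"{subject:45} {role:28} {reason}")
    print()
    print("\n".join(remediation_commands(results, "b1gexamplefolder")))
```

Against the constructed sample the audit reports four findings (two superseded roles, one user holding dataproc.agent, one unavailable DataSphere role) and the dataproc.editor binding passes. Note that a superseded agent role on a service account (the mdb.dataproc.agent line) is only flagged for replacement, not for misassignment, because the subject type is already correct. Pipe real `list-access-bindings` output in instead of SAMPLE_BINDINGS to run this on your own folder, and review the generated commands before executing them: removing the old agent binding before the new one takes effect will briefly stop the cluster's service account from reporting host state.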

Yandex Data Streams

yds.auditor

The yds.auditor role enables viewing stream metadata in Yandex Data Streams, establishing YDB database connections, and viewing info on YDB databases, their schema objects and backups, and the access permissions granted for them.

Users with this role can:

  • View streams metadata in Yandex Data Streams.
  • Establish YDB database connections.
  • View the list of YDB databases and info on them, as well as on the relevant access permissions granted for them.
  • View info on YDB database backups and the relevant access permissions granted for them.
  • View the list of YDB database schema objects, such as tables, indexes, and folders, and info on them.
  • View info on the quotas for Managed Service for YDB.
  • View info on the relevant cloud and folder.

This role includes the ydb.auditor permissions.

yds.viewer

The yds.viewer role enables reading data from streams in Yandex Data Streams and viewing their settings, as well as establishing connections to YDB databases, querying them for reading, and viewing info on YDB databases and the relevant access permissions granted for them.

Users with this role can:

  • View metadata of streams in Yandex Data Streams and read data from those streams.
  • Establish connections to YDB databases and query them for reading.
  • View the list of YDB databases and info on them, as well as on the relevant access permissions granted for them.
  • View info on YDB database backups and the relevant access permissions granted for them.
  • View the list of YDB database schema objects, such as tables, indexes, and folders, and info on them.
  • View info on the quotas for Managed Service for YDB.
  • View info on the relevant cloud and folder.

This role includes the ydb.viewer permissions.

yds.writer

The yds.writer role enables writing data to streams in Yandex Data Streams and connecting to YDB databases.

yds.editor

The yds.editor role enables creating, modifying, and deleting streams in Yandex Data Streams, as well as reading and writing data from and to those streams.

Users with this role can:

  • View info on data streams and create, modify, and delete them.
  • Read and write data from and to streams in Yandex Data Streams.
  • View the list of YDB databases, info on them, and the relevant access permissions granted for them, as well as create, run, stop, modify, and delete YDB databases.
  • Establish connections to YDB databases and query them for reading and writing.
  • View info on YDB database backups and the relevant access permissions granted for them, as well as create and delete them, and use them to restore databases.
  • View the list of YDB database schema objects, such as tables, indexes, and folders, and info on them, as well as create, modify, and delete such objects.
  • View info on the quotas for Managed Service for YDB.
  • View info on the relevant cloud and folder.

This role includes the ydb.editor and yds.writer permissions.

yds.admin

The yds.admin role enables creating, modifying, and deleting streams in Yandex Data Streams, as well as reading and writing data from and to those streams.

Users with this role can:

  • View info on data streams and create, modify, and delete them.
  • Read and write data from and to streams in Yandex Data Streams.
  • View the list of YDB databases and info on them, as well as create, run, stop, modify, and delete them.
  • View info on granted access permissions for the relevant YDB databases and modify such permissions.
  • Establish connections to YDB databases and query them for reading and writing.
  • View info on YDB database backups, as well as create and delete them and use them to restore YDB databases.
  • View info on granted access permissions to backups and modify such permissions.
  • View the list of YDB database schema objects, such as tables, indexes, and folders, and info on them, as well as create, modify, and delete such objects.
  • View info on the quotas for Managed Service for YDB.
  • View info on the relevant cloud and folder.

This role includes the ydb.admin permissions.

For more information, see Access management in Data Streams.

Yandex Data Transfer

data-transfer.auditor

The data-transfer.auditor role allows you to view the service metadata, including the information on the relevant folder, endpoints, and transfers, as well as on Data Transfer quotas.

Currently, this role can only be assigned for working with a folder or a cloud.

data-transfer.viewer

The data-transfer.viewer role allows you to view information on the relevant folder, endpoints, and transfers, as well as on Data Transfer quotas.

This role includes the data-transfer.auditor permissions.

Currently, this role can only be assigned for working with a folder or a cloud.

data-transfer.privateAdmin

The data-transfer.privateAdmin role allows you to manage endpoints and transfers for transferring data only within Yandex Cloud networks, as well as to view information on the relevant folder and Data Transfer quotas.

Users with this role can:

  • View information on transfers, as well as create, modify, delete, activate, use, and deactivate transfers for transferring data within Yandex Cloud networks.
  • View information on endpoints, as well as create, modify, and delete endpoints in Yandex Cloud.
  • View information on the relevant folder.
  • View information on Data Transfer quotas.

This role includes the data-transfer.viewer permissions.

Currently, this role can only be assigned for working with a folder or a cloud.

data-transfer.admin

The data-transfer.admin role allows you to manage endpoints and transfers for transferring data within Yandex Cloud networks and over the internet, as well as to view information on the relevant folder and Data Transfer quotas.

Users with this role can:

  • View information on transfers, as well as create, modify, delete, activate, use, and deactivate transfers for transferring data both within Yandex Cloud networks and over the internet.
  • View information on endpoints, as well as create, modify, and delete endpoints both within and outside Yandex Cloud.
  • View information on the relevant folder.
  • View information on Data Transfer quotas.

This role includes the data-transfer.privateAdmin permissions.

Currently, this role can only be assigned for working with a folder or a cloud.

For more information, see Access management in Data Transfer.

Yandex Identity and Access Management

iam.serviceAccounts.user

The iam.serviceAccounts.user role enables viewing the list of service accounts and info on them, as well as performing operations on behalf of a service account.

For example, if you specify a service account when creating an instance group, IAM will check whether you have permission to use this service account.

iam.serviceAccounts.admin

The iam.serviceAccounts.admin role enables managing service accounts and access to them and their keys, as well as getting IAM tokens for service accounts.

Users with this role can:

  • View the list of service accounts and info on them, as well as create, use, modify, and delete them.
  • View info on access permissions assigned for service accounts and modify such permissions.
  • Get IAM tokens for service accounts.
  • View the list of service account API keys and info on them, as well as create, modify, and delete them.
  • View the list of service account static access keys and info on them, as well as create, modify, and delete them.
  • View info on service account authorized keys, as well as create, modify, and delete them.
  • View info on the relevant folder and its settings.

iam.serviceAccounts.accessKeyAdmin

The iam.serviceAccounts.accessKeyAdmin role enables managing static access keys for service accounts.

Users with this role can:

  • View the list of service account static access keys and information on them.
  • Create, update, and delete static access keys for service accounts.

iam.serviceAccounts.apiKeyAdmin

The iam.serviceAccounts.apiKeyAdmin role enables managing API keys for service accounts.

Users with this role can:

  • View the list of service account API keys and information on them.
  • Create, update, and delete API keys for service accounts.

iam.serviceAccounts.authorizedKeyAdmin

The iam.serviceAccounts.authorizedKeyAdmin role enables viewing info on service account authorized keys, as well as creating, modifying, and deleting them.

iam.serviceAccounts.keyAdmin

The iam.serviceAccounts.keyAdmin role enables managing static access keys, API keys, and authorized keys for service accounts.

Users with this role can:

  • View the list of service account static access keys and info on them, as well as create, modify, and delete them.
  • View the list of service account API keys and info on them, as well as create, modify, and delete them.
  • View info on service account authorized keys, as well as create, modify, and delete them.

This role includes the iam.serviceAccounts.accessKeyAdmin, iam.serviceAccounts.apiKeyAdmin, and iam.serviceAccounts.authorizedKeyAdmin permissions.

iam.serviceAccounts.tokenCreator

The iam.serviceAccounts.tokenCreator role enables getting IAM tokens for service accounts.

With such an IAM token, one can impersonate a service account and perform the operations allowed for it.

This role does not allow you to modify access permissions or delete a service account.

iam.serviceAccounts.federatedCredentialViewer

The iam.serviceAccounts.federatedCredentialViewer role enables viewing the list of federation credentials in workload identity federations and info on such credentials.

iam.serviceAccounts.federatedCredentialEditor

The iam.serviceAccounts.federatedCredentialEditor role enables viewing the list of federation credentials in workload identity federations and info on such credentials, as well as creating and deleting them.

This role includes the iam.serviceAccounts.federatedCredentialViewer permissions.

iam.workloadIdentityFederations.auditor

The iam.workloadIdentityFederations.auditor role enables viewing the workload identity federation metadata.

iam.workloadIdentityFederations.viewer

The iam.workloadIdentityFederations.viewer role enables viewing info on workload identity federations.

This role includes the iam.workloadIdentityFederations.auditor permissions.

iam.workloadIdentityFederations.user

The iam.workloadIdentityFederations.user role enables using workload identity federations.

iam.workloadIdentityFederations.editor

The iam.workloadIdentityFederations.editor role enables viewing info on workload identity federations, as well as creating, modifying, and deleting such federations.

This role includes the iam.workloadIdentityFederations.viewer permissions.

iam.workloadIdentityFederations.admin

The iam.workloadIdentityFederations.admin role enables viewing info on workload identity federations, as well as creating, modifying, using, and deleting such federations.

This role includes the iam.workloadIdentityFederations.editor and iam.workloadIdentityFederations.user permissions.

iam.userAccounts.refreshTokenViewer

The iam.userAccounts.refreshTokenViewer role enables viewing the lists of federated users’ refresh tokens. To use this role, you need to assign it for an organization.

iam.userAccounts.refreshTokenRevoker

The iam.userAccounts.refreshTokenRevoker role enables revoking federated users’ refresh tokens. To use this role, you need to assign it for an organization.

iam.auditor

The iam.auditor role allows you to view info on service accounts and their keys, as well as on the IAM resource operations and quotas.

Users with this role can:

  • View the list of service accounts and information on them.
  • View info on access permissions assigned for service accounts.
  • View the list of service account API keys and information on them.
  • View the list of service account static access keys and information on them.
  • View info on service account authorized keys.
  • View the list of operations and the info on IAM resource operations.
  • View info on Identity and Access Management quotas.
  • View info on the relevant cloud and its settings.
  • View info on the relevant folder and its settings.

iam.viewer

The iam.viewer role allows you to view info on service accounts and their keys, as well as on the IAM resource operations and quotas.

Users with this role can:

  • View the list of service accounts and information on them.
  • View info on access permissions assigned for service accounts.
  • View the list of service account API keys and information on them.
  • View the list of service account static access keys and information on them.
  • View info on service account authorized keys.
  • View the list of operations and the info on IAM resource operations.
  • View info on Identity and Access Management quotas.
  • View info on the relevant cloud and its settings.
  • View info on the relevant folder and its settings.

This role includes the iam.auditor permissions.

iam.editor

The iam.editor role allows you to manage service accounts and their keys, manage folders, and view info on IAM resource operations and quotas.

Users with this role can:

  • View the list of service accounts and info on them, as well as create, use, modify, and delete them.
  • View the list of service account API keys and info on them, as well as create, modify, and delete them.
  • View the list of service account static access keys and info on them, as well as create, modify, and delete them.
  • View info on service account authorized keys, as well as create, modify, and delete them.
  • View info on access permissions assigned for service accounts.
  • View the list of operations and the info on IAM resource operations.
  • View info on Identity and Access Management quotas.
  • View info on the relevant cloud and its settings.
  • View info on the relevant folders and their settings.
  • Create, modify, delete, and set up folders.

This role includes the iam.viewer permissions.

iam.admin

The iam.admin role enables managing service accounts and access to them and their keys, as well as managing folders, viewing info on IAM resource operations and quotas, and getting IAM tokens for service accounts.

Users with this role can:

  • View the list of service accounts and info on them, as well as create, use, modify, and delete them.
  • View info on access permissions assigned for service accounts and modify such permissions.
  • Get IAM tokens for service accounts.
  • View the list of service account API keys and info on them, as well as create, modify, and delete them.
  • View the list of service account static access keys and info on them, as well as create, modify, and delete them.
  • View info on service account authorized keys, as well as create, modify, and delete them.
  • View info on identity federations.
  • View the list of operations and the info on Identity and Access Management resource operations.
  • View info on Identity and Access Management quotas.
  • View info on the relevant cloud and its settings.
  • View info on the relevant folders and their settings.
  • Create, modify, delete, and set up folders.

This role includes the iam.editor and iam.serviceAccounts.admin permissions.

For more information, see Access management in Identity and Access Management.

Yandex IoT Core

iot.devices.writer

The iot.devices.writer role grants permission to send gRPC messages to Yandex IoT Core on behalf of a device.

iot.registries.writer

The iot.registries.writer role grants permission to send gRPC messages to Yandex IoT Core on behalf of a registry.

iot.auditor

The iot.auditor role allows you to view metadata about devices and device registries, as well as brokers and quotas in Yandex IoT Core.

iot.viewer

The iot.viewer role allows you to view all Yandex IoT Core resources.

iot.editor

The iot.editor role allows users to create, edit, and delete all Yandex IoT Core resources.

For more information, see Access management in Yandex IoT Core.

Yandex AI Studio

ai.playground.user

The ai.playground.user role enables using AI Playground in the Yandex Cloud console, as well as listing all available models.

ai.languageModels.user

The ai.languageModels.user role enables using the YandexGPT API language models for text generation within Yandex AI Studio, as well as viewing info on the relevant cloud, folder, and quotas.

ai.imageGeneration.user

The ai.imageGeneration.user role enables using the YandexART image generation models within Yandex AI Studio, as well as viewing info on the relevant cloud, folder, and quotas.

ai.assistants.auditor

The ai.assistants.auditor role enables viewing information on AI assistants, their users and threads, as well as on the uploaded files and their indexes.

Users with this role can:

  • View info on AI assistants.
  • View info on AI assistant users and their threads.
  • View info on uploaded files and their search indexes.
  • View info on quotas for Yandex AI Studio.
  • View info on the relevant cloud.
  • View info on the relevant folder.

ai.assistants.viewer

The ai.assistants.viewer role enables reading threads and files, searching for files within a directory using indexes, and viewing information on AI assistants, uploaded files, and their indexes.

Users with this role can:

  • View info on AI assistants.
  • View info on AI assistant users.
  • View info on AI assistant user threads and read them.
  • View info on uploaded files and view them.
  • View info on file search indexes and search for files within a directory using these indexes.
  • View info on quotas for Yandex AI Studio.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role includes the ai.assistants.auditor permissions.

ai.assistants.editor

The ai.assistants.editor role enables managing AI assistants, their users and threads, as well as files with additional information and search indexes of those files.

Users with this role can:

  • View info on AI assistants, as well as create, modify, use, and delete them.
  • View info on AI assistant users, as well as create, modify, and delete them.
  • View info on AI assistant user threads, as well as create, modify, read, write, and delete them.
  • View info on uploaded files, as well as create, update, view, and delete them.
  • View info on file search indexes and create, modify, and delete them, as well as search for files within a directory using these indexes.
  • View info on quotas for Yandex AI Studio.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role includes the ai.assistants.viewer permissions.

ai.assistants.admin

The ai.assistants.admin role enables managing AI assistants, their users and threads, as well as files with additional information and search indexes of such files.

Users with this role can:

  • View info on AI assistants, as well as create, modify, use, and delete them.
  • View info on AI assistant users, as well as create, modify, and delete them.
  • View info on AI assistant user threads, as well as create, modify, read, write, and delete them.
  • View info on uploaded files, as well as create, update, view, and delete them.
  • View info on file search indexes and create, modify, and delete them, as well as search for files within a directory using these indexes.
  • View info on quotas for Yandex AI Studio.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role includes the ai.assistants.editor permissions.

ai.datasets.auditor

The ai.datasets.auditor role enables viewing the dataset metadata.

ai.datasets.viewer

The ai.datasets.viewer role enables viewing the info on datasets.

This role includes the ai.datasets.auditor permissions.

ai.datasets.user

The ai.datasets.user role enables viewing info on datasets and using them to fine-tune models in AI Studio.

This role includes the ai.datasets.viewer permissions.

ai.datasets.editor

The ai.datasets.editor role enables viewing info on datasets, creating, modifying, and deleting them, as well as using them to fine-tune models in AI Studio.

This role includes the ai.datasets.user permissions.

ai.datasets.admin

The ai.datasets.admin role enables viewing info on datasets, creating, modifying, and deleting them, as well as using them to fine-tune models in AI Studio.

This role includes the ai.datasets.editor permissions.

ai.models.auditor

The ai.models.auditor role enables viewing the text generation model metadata in Yandex AI Studio.

ai.models.viewer

The ai.models.viewer role enables viewing info on the text generation models in Yandex AI Studio.

This role includes the ai.models.auditor permissions.

ai.models.user

The ai.models.user role enables viewing info on the text generation models in Yandex AI Studio, as well as using Yandex Translate, Yandex Vision, Yandex SpeechKit, and Yandex AI Studio.

Users with this role can:

  • View info on the text generation models in Yandex AI Studio.
  • Use Yandex Translate to translate texts.
  • Use Yandex Vision OCR to analyze images.
  • Use Yandex SpeechKit for speech recognition and synthesis.
  • Use YandexGPT API language models for text generation, YandexART models for image generation, and AI assistants within Yandex AI Studio.

This role includes the ai.models.viewer permissions.

ai.models.editor

The ai.models.editor role enables you to manage the fine-tuning of the text generation models in Yandex AI Studio, as well as to use Yandex Translate, Yandex Vision, Yandex SpeechKit, and Yandex AI Studio.

Users with this role can:

  • View info on the text generation models in Yandex AI Studio.
  • Fine-tune text generation models in Yandex AI Studio, as well as create, modify, and delete such models.
  • Use Yandex Translate to translate texts.
  • Use Yandex Vision OCR to analyze images.
  • Use Yandex SpeechKit for speech recognition and synthesis.
  • Use YandexGPT API language models for text generation, YandexART models for image generation, and AI assistants within Yandex AI Studio.

This role includes the ai.models.user permissions.

ai.models.admin

The ai.models.admin role enables you to manage the fine-tuning of the text generation models in Yandex AI Studio, as well as to use Yandex Translate, Yandex Vision, Yandex SpeechKit, and Yandex AI Studio.

Users with this role can:

  • View info on the text generation models in Yandex AI Studio.
  • Fine-tune text generation models in Yandex AI Studio, as well as create, modify, and delete such models.
  • Use Yandex Translate to translate texts.
  • Use Yandex Vision OCR to analyze images.
  • Use Yandex SpeechKit for speech recognition and synthesis.
  • Use YandexGPT API language models for text generation, YandexART models for image generation, and AI assistants within Yandex AI Studio.

This role includes the ai.models.editor permissions.

serverless.mcpGateways.auditor

The serverless.mcpGateways.auditor role allows the user to view info on MCP servers and their access permissions.

serverless.mcpGateways.viewer

The serverless.mcpGateways.viewer role allows the user to view info on MCP servers and their access permissions.

This role includes the serverless.mcpGateways.auditor permissions.

serverless.mcpGateways.invoker

The serverless.mcpGateways.invoker role allows the user to access MCP servers, including access via MCP Hub.

serverless.mcpGateways.anonymousInvoker

The serverless.mcpGateways.anonymousInvoker role allows the user to access MCP servers, including access via MCP Hub.

serverless.mcpGateways.editor

The serverless.mcpGateways.editor role allows the user to create, modify, and delete MCP servers, as well as view info on them and their access permissions.

This role includes the serverless.mcpGateways.viewer permissions.

serverless.mcpGateways.admin

The serverless.mcpGateways.admin role allows the user to manage MCP servers and access to them.

Users with this role can:

  • View info on MCP servers, as well as create, update, and delete them.
  • View info on MCP server access permissions and modify such permissions.
  • Access MCP servers, including external ones, via MCP Hub.

This role includes the serverless.mcpGateways.editor, serverless.mcpGateways.invoker, and serverless.mcpGateways.anonymousInvoker permissions.

For more information, see Access management in Yandex AI Studio.

Yandex Key Management Service

kms.keys.user

The kms.keys.user role enables viewing the list of symmetric encryption keys and information on them, as well as using such keys.

kms.keys.encrypter

The kms.keys.encrypter role enables viewing info on symmetric encryption keys and using such keys to encrypt data.

kms.keys.decrypter

The kms.keys.decrypter role enables viewing info on symmetric encryption keys and using such keys to decrypt data.

kms.keys.encrypterDecrypter

The kms.keys.encrypterDecrypter role enables viewing info on symmetric encryption keys and using such keys to encrypt or decrypt data.

This role includes the kms.keys.encrypter and kms.keys.decrypter permissions.

kms.asymmetricEncryptionKeys.publicKeyViewer

The kms.asymmetricEncryptionKeys.publicKeyViewer role enables viewing info on asymmetric encryption key pairs, as well as getting a public key from an encryption key pair.

kms.asymmetricSignatureKeys.publicKeyViewer

The kms.asymmetricSignatureKeys.publicKeyViewer role enables viewing info on digital signature key pairs, as well as getting a public key from a digital signature key pair.

kms.asymmetricSignatureKeys.signer

The kms.asymmetricSignatureKeys.signer role enables signing data with a private key from a digital signature key pair.

kms.asymmetricEncryptionKeys.decrypter

The kms.asymmetricEncryptionKeys.decrypter role enables decrypting data with a private key from an asymmetric encryption key pair.

kms.auditor

The kms.auditor role enables viewing info on encryption keys and key pairs and access permissions assigned to them.

Users with this role can:

  • View the list of symmetric encryption keys, info on them and on access permissions assigned to them.
  • View info on asymmetric encryption key pairs and access permissions assigned to them.
  • View information on digital signature key pairs and on access permissions assigned to them.
  • View details on the Key Management Service quotas.

kms.viewer

The kms.viewer role enables viewing info on encryption and digital signature keys and key pairs, access permissions assigned to them, and KMS quotas.

Users with this role can:

  • View the list of symmetric encryption keys, info on them and on access permissions assigned to them.
  • View info on asymmetric encryption key pairs and access permissions assigned to them.
  • View information on digital signature key pairs and on access permissions assigned to them.
  • View details on the Key Management Service quotas.

This role includes the kms.auditor permissions.

kms.editor

The kms.editor role allows you to create encryption and digital signature keys and key pairs as well as use them to encrypt, decrypt, and sign data.

Users with this role can:

  • View the list of symmetric encryption keys, info on them, and their access permissions, as well as create and rotate symmetric keys and modify their metadata, including rotation periods.
  • Encrypt and decrypt data using symmetric encryption keys.
  • View info on asymmetric encryption key pairs and access permissions assigned to them as well as create such key pairs or modify their metadata.
  • Get a public key and decrypt data using a private key from an asymmetric encryption key pair.
  • View info on digital signature key pairs and access permissions assigned to them as well as create such key pairs or modify their metadata.
  • Get a public key and sign data using a private key from a digital signature key pair.
  • View details on the Key Management Service quotas.

kms.admin

The kms.admin role enables managing encryption and digital signature keys and key pairs, as well as managing access to such keys or key pairs and using them to encrypt, decrypt, and sign data.

Users with this role can:

  • View info on access permissions assigned to symmetric encryption keys and modify such permissions.
  • View the list of symmetric encryption keys and details on them, as well as create, activate, deactivate, rotate, and delete symmetric encryption keys, or change their default version and metadata (including rotation period).
  • Encrypt and decrypt data using symmetric encryption keys.
  • View info on access permissions assigned to asymmetric encryption key pairs and modify such permissions.
  • View details on asymmetric encryption key pairs as well as create, activate, deactivate, and delete such key pairs, or modify their metadata.
  • Get a public key and decrypt data using a private key from an asymmetric encryption key pair.
  • View info on access permissions assigned to digital signature key pairs and modify such permissions.
  • View details on digital signature key pairs as well as create, activate, deactivate, and delete such key pairs, or modify their metadata.
  • Get a public key and sign data using a private key from a digital signature key pair.
  • View details on Key Management Service quotas.
  • View info on the relevant folder.

This role includes the kms.editor permissions.

For more information, see Access management in Key Management Service.

Yandex Load Testing

loadtesting.viewer

The loadtesting.viewer role allows you to view info on load generators and tests, as well as folder metadata.

Users with this role can:

  • View info on load tests and reports on their run.
  • View info on load test configurations.
  • View info on load test regression dashboards.
  • View info on agents.
  • View info on Yandex Object Storage buckets used in load tests.
  • View info on the relevant folder.

loadtesting.editor

The loadtesting.editor role enables managing agents, load tests and their settings, data stores, and regression dashboards. It also allows you to register agents created outside Load Testing.

Users with this role can:

  • View info on load tests and reports on their run.
  • Create, modify, delete, run, and stop load tests, as well as load test data into them.
  • View info on load test configurations, as well as create, modify, and delete such configurations.
  • View info on agents and create, modify, delete, run, restart, and stop them.
  • Register external agents in Load Testing.
  • View info on Yandex Object Storage buckets used in load tests, upload test data to them, and create, modify, and delete buckets.
  • View info on regression dashboards, as well as create, modify, and delete such dashboards.
  • View information on the relevant folder.

This role includes the loadtesting.viewer, loadtesting.loadTester, and loadtesting.externalAgent permissions.

loadtesting.admin

The loadtesting.admin role enables managing agents, load tests and their settings, data stores, and regression dashboards. It also allows you to register agents created outside Load Testing.

Users with this role can:

  • View info on load tests and reports on their run.
  • Create, modify, delete, run, and stop load tests, as well as load test data into them.
  • View info on load test configurations, as well as create, modify, and delete such configurations.
  • View info on agents and create, modify, delete, run, restart, and stop them.
  • Register external agents in Load Testing.
  • View info on Yandex Object Storage buckets used in load tests, upload test data to them, and create, modify, and delete buckets.
  • View info on regression dashboards, as well as create, modify, and delete such dashboards.
  • View information on the relevant folder.

This role includes the loadtesting.editor permissions.

loadtesting.loadTester

The loadtesting.loadTester role enables managing agents, load tests and their settings, data stores, and regression dashboards.

Users with this role can:

  • View info on load tests and reports on their run.
  • Create, modify, delete, run, and stop load tests, as well as load test data into them.
  • View info on load test configurations, as well as create, modify, and delete such configurations.
  • View info on agents and create, modify, delete, run, restart, and stop them.
  • View info on Yandex Object Storage buckets used in load tests, upload test data to them, and create, modify, and delete buckets.
  • View info on regression dashboards, as well as create, modify, and delete such dashboards.
  • View information on the relevant folder.

loadtesting.generatorClient

The loadtesting.generatorClient role allows you to create, modify, and run load tests using an agent, as well as upload test results to the storage.

Users with this role can:

  • Create, edit, and run load tests.
  • Create and edit load test configurations.
  • Upload the test result data to the storage.

Assign this role to the service account under which you create a VM with an agent.

loadtesting.externalAgent

The loadtesting.externalAgent role enables registering external agents in Load Testing, as well as creating, modifying, and running load tests using an agent.

Users with this role can:

  • Register external agents in Load Testing.
  • Create, edit, and run load tests.
  • Create and edit load test configurations.
  • Upload the test result data to the storage.

This role includes the loadtesting.generatorClient permissions.

Assign this role to the service account under which you create a VM with an agent.

For more information, see Access management in Load Testing.

Yandex Lockbox

lockbox.auditor

The lockbox.auditor role enables viewing info on secrets and on access permissions assigned to them, as well as details on Yandex Lockbox quotas and folder metadata.

lockbox.viewer

The lockbox.viewer role enables viewing info on secrets and access permissions assigned to them, as well as info on the relevant folder and Yandex Lockbox quotas.

This role includes the lockbox.auditor permissions.

lockbox.editor

The lockbox.editor role enables managing secrets and their versions, as well as viewing info on access permissions assigned to secrets.

Users with this role can:

  • View info on secrets and on access permissions assigned to them, as well as create, activate, deactivate, and delete secrets.
  • Modify secret version metadata, create and delete secret versions, as well as change current secret versions, schedule deleting a secret version, or cancel a scheduled deletion.
  • View information on the relevant folder.
  • View details on Yandex Lockbox quotas.

This role includes the lockbox.viewer permissions.

lockbox.admin

The lockbox.admin role enables managing secrets, their versions, and access to them, as well as viewing secret contents.

Users with this role can:

  • View info on access permissions assigned to secrets and modify such permissions.
  • View info on secrets, including secret contents.
  • Create, activate, deactivate, and delete secrets.
  • Modify secret version metadata, create and delete secret versions, as well as change current secret versions, schedule deleting a secret version, or cancel a scheduled deletion.
  • View information on the relevant folder.
  • View details on Yandex Lockbox quotas.

This role includes the lockbox.editor and lockbox.payloadViewer permissions.

lockbox.payloadViewer

The lockbox.payloadViewer role enables viewing secret contents.

For more information, see Access management in Yandex Lockbox.

Managed databases

mdb.auditor

The mdb.auditor role grants the minimum permissions required to view information about managed database clusters (without access to data or runtime logs).

Users with this role can view information about managed database clusters, quotas, and folders.

This role includes the managed-opensearch.auditor, managed-kafka.auditor, managed-mysql.auditor, managed-sqlserver.auditor, managed-postgresql.auditor, managed-greenplum.auditor, managed-clickhouse.auditor, managed-redis.auditor, and managed-mongodb.auditor permissions.

mdb.viewer

The mdb.viewer role grants read access to managed database clusters and cluster runtime logs.

Users with this role can read from databases, inspect the logs of managed database clusters, and view information about clusters, quotas, and folders.

This role includes the mdb.auditor, managed-opensearch.viewer, managed-kafka.viewer, managed-mysql.viewer, managed-sqlserver.viewer, managed-postgresql.viewer, managed-greenplum.viewer, managed-clickhouse.viewer, managed-redis.viewer, managed-mongodb.viewer, and dataproc.viewer permissions.

mdb.admin

The mdb.admin role grants full access to managed database clusters.

Users with this role can create, edit, delete, run, and stop managed database clusters, manage cluster access, create cluster backups and restore clusters from such backups, read and write to databases, and view information about clusters, runtime logs, quotas, and folders.

This role includes the mdb.viewer, vpc.user, managed-opensearch.admin, managed-kafka.admin, managed-mysql.admin, managed-sqlserver.admin, managed-postgresql.admin, managed-greenplum.admin, managed-clickhouse.admin, managed-redis.admin, managed-mongodb.admin, and dataproc.admin permissions.

mdb.restorer

The mdb.restorer role enables restoring managed database clusters from backups and grants read access to clusters and cluster runtime logs.

Users with this role can restore managed database clusters from backups, read from databases, inspect cluster logs, and view information about clusters, quotas, and folders.

This role includes the mdb.viewer, managed-elasticsearch.restorer, managed-opensearch.restorer, managed-kafka.restorer, managed-mysql.restorer, managed-sqlserver.restorer, managed-postgresql.restorer, managed-spqr.restorer, managed-greenplum.restorer, managed-clickhouse.restorer, managed-redis.restorer, and managed-mongodb.restorer permissions.

Yandex Managed Service for Apache Airflow™

managed-airflow.auditor

The managed-airflow.auditor role allows you to view information about the Apache Airflow™ clusters.

managed-airflow.viewer

The managed-airflow.viewer role allows you to view information about the Apache Airflow™ clusters.

This role includes the managed-airflow.auditor permissions.

managed-airflow.user

The managed-airflow.user role enables performing basic operations on the Apache Airflow™ clusters.

Users with this role can:

  • View info on the Apache Airflow™ clusters.
  • Use the Apache Airflow™ web interface.
  • Send requests to the Apache Airflow™ API.

This role includes the managed-airflow.viewer permissions.

managed-airflow.editor

The managed-airflow.editor role allows you to manage the Apache Airflow™ clusters, as well as get information about quotas and service resource operations.

Users with this role can:

  • View information about the Apache Airflow™ clusters, as well as create, modify, and delete them.
  • Use the Apache Airflow™ web interface.
  • Send requests to the Apache Airflow™ API.

This role includes the managed-airflow.user permissions.

To create Apache Airflow™ clusters, you also need the vpc.user role.

managed-airflow.admin

The managed-airflow.admin role allows you to manage the Apache Airflow™ clusters and get information about quotas and service resource operations.

Users with this role can:

  • Manage access to the Apache Airflow™ clusters.
  • Use the Apache Airflow™ web interface.
  • Send requests to the Apache Airflow™ API.

This role includes the managed-airflow.editor permissions.

To create Apache Airflow™ clusters, you also need the vpc.user role.

managed-airflow.integrationProvider

The managed-airflow.integrationProvider role allows the Apache Airflow™ cluster to work with user resources required for its operation on behalf of the service account. You can assign this role to a service account linked to the Apache Airflow™ cluster.

Service accounts with this role can:

  • Add entries to log groups.
  • View info on log groups.
  • View info on log sinks.
  • View info on granted access permissions for Cloud Logging resources.
  • View info on log exports.
  • View info on Monitoring metrics and their labels, as well as upload and download metrics.
  • View the list of Monitoring dashboards and widgets and info on them, as well as create, modify, and delete them.
  • View the Monitoring notification history.
  • View the list of buckets and info on them, including their deployment region, versioning, encryption, CORS configuration, static website hosting configuration, HTTPS configuration, logging settings, granted access permissions, public access, and default storage class.
  • View lists of objects in buckets and info on these objects, including object lifecycle configuration, granted access permissions for these objects, current multipart uploads, object versions with their metadata, and object locks (both with a retention period and legal hold).
  • View bucket, object, and object version labels, as well as Object Storage statistics.
  • View info on Yandex Lockbox secrets and granted access permissions for them.
  • View details on Object Storage, Monitoring, and Yandex Lockbox quotas.
  • View info on the relevant cloud and folder.

This role includes the logging.writer, monitoring.editor, storage.viewer, and lockbox.viewer permissions.

The role does not provide access to Yandex Lockbox secret contents. To grant the Apache Airflow™ cluster access to Yandex Lockbox secret contents, additionally assign the lockbox.payloadViewer role to the service account either for the relevant folder or for specific secrets.

For more information, see Access management in Managed Service for Apache Airflow™.

Yandex Managed Service for Apache Kafka®

managed-kafka.auditor

The managed-kafka.auditor role allows you to view information about Apache Kafka® clusters, as well as quotas and resource operations for Managed Service for Apache Kafka®.

managed-kafka.viewer

The managed-kafka.viewer role allows you to view information about Apache Kafka® clusters and their logs, as well as information on quotas and resource operations for Managed Service for Apache Kafka®.

This role includes the managed-kafka.auditor permissions.

managed-kafka.restorer

The managed-kafka.restorer role allows you to restore Apache Kafka® clusters from backups, view information about clusters and their logs, as well as information on quotas and resource operations for Managed Service for Apache Kafka®.

This role includes the managed-kafka.viewer permissions.

managed-kafka.editor

The managed-kafka.editor role allows you to manage Apache Kafka® clusters and view their logs, as well as get information about quotas and service resource operations.

Users with this role can:

  • View information about Apache Kafka® clusters, as well as create, modify, delete, run, and stop them.
  • Restore Apache Kafka® clusters from backups.
  • View Apache Kafka® cluster logs.
  • View information about quotas of Managed Service for Apache Kafka®.
  • View information about resource operations for Managed Service for Apache Kafka®.

This role includes the managed-kafka.viewer, managed-kafka.restorer, and managed-kafka.interfaceUser permissions.

To create Apache Kafka® clusters, you also need the vpc.user role.

managed-kafka.admin

The managed-kafka.admin role allows you to manage Apache Kafka® clusters and view their logs, as well as get information about quotas and service resource operations.

Users with this role can:

  • Manage access to Apache Kafka® clusters.
  • View information about Apache Kafka® clusters, as well as create, modify, delete, run, and stop them.
  • Restore Apache Kafka® clusters from backups.
  • View Apache Kafka® cluster logs.
  • View information about quotas of Managed Service for Apache Kafka®.
  • View information about resource operations for Managed Service for Apache Kafka®.

This role includes the managed-kafka.editor permissions.

To create Apache Kafka® clusters, you also need the vpc.user role.

managed-kafka.interfaceUser

The managed-kafka.interfaceUser role enables using Kafka UI for Apache Kafka®.

For more information, see Access management in Managed Service for Apache Kafka®.

Yandex Managed Service for ClickHouse®

managed-clickhouse.auditor

The managed-clickhouse.auditor role allows you to view information about ClickHouse® clusters, as well as quotas and resource operations for Managed Service for ClickHouse®.

managed-clickhouse.viewer

The managed-clickhouse.viewer role allows you to view information about ClickHouse® clusters and their logs, as well as information on quotas and resource operations for Managed Service for ClickHouse®.

This role includes the managed-clickhouse.auditor permissions.

managed-clickhouse.restorer

The managed-clickhouse.restorer role allows you to restore ClickHouse® clusters from backups, view information about ClickHouse® clusters and their logs, as well as information on quotas and resource operations for Managed Service for ClickHouse®.

This role includes the managed-clickhouse.viewer permissions.

managed-clickhouse.editor

The managed-clickhouse.editor role allows you to manage ClickHouse® clusters and view their logs, as well as get information about quotas and service resource operations.

Users with this role can:

  • View information about ClickHouse® clusters, as well as create, modify, delete, run, and stop them.
  • Restore ClickHouse® clusters from backups.
  • View ClickHouse® cluster logs.
  • View information about quotas of Managed Service for ClickHouse®.
  • View information about operations with resources of Managed Service for ClickHouse®.

This role includes the managed-clickhouse.viewer and managed-clickhouse.restorer permissions.

To create ClickHouse® clusters, you also need the vpc.user role.

managed-clickhouse.admin

The managed-clickhouse.admin role allows you to manage ClickHouse® clusters and view their logs, as well as get information about quotas and service resource operations.

Users with this role can:

  • Manage access to ClickHouse® clusters.
  • View information about ClickHouse® clusters, as well as create, modify, delete, run, and stop them.
  • Restore ClickHouse® clusters from backups.
  • View ClickHouse® cluster logs.
  • View information about quotas of Managed Service for ClickHouse®.
  • View information about operations with resources of Managed Service for ClickHouse®.

This role includes the managed-clickhouse.editor permissions.

To create ClickHouse® clusters, you also need the vpc.user role.

For more information, see Access management in Managed Service for ClickHouse®.

Yandex Managed Service for GitLab

gitlab.auditor

The gitlab.auditor role enables viewing info on the Managed Service for GitLab instances and quotas.

gitlab.viewer

The gitlab.viewer role enables viewing info on the Managed Service for GitLab instances and quotas.

This role includes the gitlab.auditor permissions.

gitlab.editor

The gitlab.editor role enables managing the Managed Service for GitLab instances and migrating them to other availability zones.

Users with this role can:

  • View info on the Managed Service for GitLab instances, as well as create, modify, and delete such instances.
  • Migrate instances to other availability zones.
  • View info on the quotas for Managed Service for GitLab.

This role includes the gitlab.viewer permissions.

To create Managed Service for GitLab instances, you also need the vpc.user role.

gitlab.admin

The gitlab.admin role enables managing the Managed Service for GitLab instances and migrating them to other availability zones.

Users with this role can:

  • View info on the Managed Service for GitLab instances, as well as create, modify, and delete such instances.
  • Migrate instances to other availability zones.
  • View info on the quotas for Managed Service for GitLab.

This role includes the gitlab.editor permissions.

To create Managed Service for GitLab instances, you also need the vpc.user role.

For more information, see Access management in Managed Service for GitLab.

Yandex MPP Analytics for PostgreSQL

managed-greenplum.auditor

The managed-greenplum.auditor role allows you to view information about Greenplum® clusters and hosts, as well as quotas and resource operations for Yandex MPP Analytics for PostgreSQL.

managed-greenplum.viewer

The managed-greenplum.viewer role allows you to view information about Greenplum® clusters and hosts, their logs, as well as information about quotas and service resource operations.

Users with this role can:

  • View information about Greenplum® clusters.
  • View information about Greenplum® cluster hosts.
  • View information about Greenplum® cluster backups.
  • View Greenplum® cluster logs.
  • View information about the results of Greenplum® cluster performance diagnostics.
  • View information about quotas of Yandex MPP Analytics for PostgreSQL.
  • View information about resource operations for Yandex MPP Analytics for PostgreSQL.

This role includes the managed-greenplum.auditor permissions.

managed-greenplum.restorer

The managed-greenplum.restorer role allows you to restore Greenplum® clusters from backups, view information about Greenplum® clusters and hosts, their logs, as well as information about quotas and service resource operations.

Users with this role can:

  • View information about Greenplum® cluster backups and restore clusters from backups.
  • View information about Greenplum® clusters.
  • View information about Greenplum® cluster hosts.
  • View Greenplum® cluster logs.
  • View information about the results of Greenplum® cluster performance diagnostics.
  • View information about quotas of Yandex MPP Analytics for PostgreSQL.
  • View information about resource operations for Yandex MPP Analytics for PostgreSQL.

This role includes the managed-greenplum.viewer permissions.

managed-greenplum.editor

The managed-greenplum.editor role allows you to manage Greenplum® clusters and view their logs, as well as get information about quotas and service resource operations.

Users with this role can:

  • View information about Greenplum® clusters, as well as create, modify, delete, run, and stop them.
  • View information about Greenplum® cluster hosts, as well as create, modify, and delete them.
  • View information about Greenplum® cluster backups, create and delete such backups, as well as restore clusters from backups.
  • View Greenplum® cluster logs.
  • View information about the results of Greenplum® cluster performance diagnostics.
  • View information about quotas of Yandex MPP Analytics for PostgreSQL.
  • View information about resource operations for Yandex MPP Analytics for PostgreSQL.

This role includes the managed-greenplum.viewer and managed-greenplum.restorer permissions.

To create Greenplum® clusters, you also need the vpc.user role.

managed-greenplum.admin

The managed-greenplum.admin role allows you to manage Greenplum® clusters and view their logs, as well as get information about quotas and service resource operations.

Users with this role can:

  • Manage access to Greenplum® clusters.
  • View information about Greenplum® clusters, as well as create, modify, delete, run, and stop them.
  • View information about Greenplum® cluster hosts, as well as create, modify, and delete them.
  • View information about Greenplum® cluster backups, create and delete such backups, as well as restore clusters from backups.
  • View Greenplum® cluster logs.
  • View information about the results of Greenplum® cluster performance diagnostics.
  • View information about quotas of Yandex MPP Analytics for PostgreSQL.
  • View information about resource operations for Yandex MPP Analytics for PostgreSQL.

This role includes the managed-greenplum.editor permissions.

To create Greenplum® clusters, you also need the vpc.user role.

For more information, see Access management in Yandex MPP Analytics for PostgreSQL.

Yandex Managed Service for Kubernetes

k8s.viewer

The k8s.viewer role enables you to view information about Kubernetes clusters and node groups.

k8s.editor

The k8s.editor role enables you to create, delete, edit, stop, and start Kubernetes clusters and node groups.

It includes the k8s.viewer role.

k8s.admin

The k8s.admin role enables you to create, delete, edit, stop, and start Kubernetes clusters and node groups.

It includes the k8s.editor role.

k8s.cluster-api.viewer

Users with the k8s.cluster-api.viewer role get the yc:viewer group and the view role in Kubernetes RBAC for all namespaces in a cluster.

k8s.cluster-api.editor

Users with the k8s.cluster-api.editor role get the yc:editor group and the edit role in Kubernetes RBAC for all namespaces in a cluster.

k8s.cluster-api.cluster-admin

Users with the k8s.cluster-api.cluster-admin role get the yc:admin group and the cluster-admin role in Kubernetes RBAC.

k8s.tunnelClusters.agent

k8s.tunnelClusters.agent is a special role for creating Kubernetes clusters with tunnel mode. It enables you to create node groups, disks, and internal load balancers. You can use previously created Yandex Key Management Service keys to encrypt and decrypt secrets. It includes the following roles:

  • compute.admin
  • iam.serviceAccounts.user
  • k8s.viewer
  • kms.keys.encrypterDecrypter
  • load-balancer.privateAdmin

k8s.clusters.agent

k8s.clusters.agent is a special role for the Kubernetes cluster service account. It enables you to create node groups, disks, and internal load balancers. You can use previously created Yandex Key Management Service keys to encrypt and decrypt secrets and connect previously created security groups. When combined with the load-balancer.admin role, it enables you to create a network load balancer with a public IP address. It includes the following roles:

  • k8s.tunnelClusters.agent
  • vpc.privateAdmin

For more information, see Access management in Managed Service for Kubernetes.

Yandex StoreDoc

managed-mongodb.auditor

The managed-mongodb.auditor role allows you to view information about Yandex StoreDoc hosts and clusters, as well as quotas and resource operations for Yandex StoreDoc.

managed-mongodb.viewer

The managed-mongodb.viewer role allows you to view information about clusters, hosts, shards, databases, Yandex StoreDoc users, cluster logs, as well as about quotas and service resource operations.

Users with this role can:

  • View information about Yandex StoreDoc clusters.
  • View information about Yandex StoreDoc cluster hosts.
  • View information about Yandex StoreDoc cluster shards.
  • View information about Yandex StoreDoc databases.
  • View information about Yandex StoreDoc users.
  • View information about Yandex StoreDoc cluster backups.
  • View information about Yandex StoreDoc alerts.
  • View Yandex StoreDoc cluster logs.
  • View information about the results of Yandex StoreDoc cluster performance diagnostics.
  • View information about quotas of Yandex StoreDoc.
  • View information about resource operations for Yandex StoreDoc.

This role includes the managed-mongodb.auditor permissions.

managed-mongodb.restorer

The managed-mongodb.restorer role allows you to restore Yandex StoreDoc clusters from backups, view information about clusters, hosts, shards, databases, Yandex StoreDoc users, cluster logs, as well as about quotas and service resource operations.

Users with this role can:

  • View information about Yandex StoreDoc cluster backups and restore clusters from backups.
  • View information about Yandex StoreDoc clusters.
  • View information about Yandex StoreDoc cluster hosts.
  • View information about Yandex StoreDoc cluster shards.
  • View information about Yandex StoreDoc databases.
  • View information about Yandex StoreDoc users.
  • View information about Yandex StoreDoc alerts.
  • View Yandex StoreDoc cluster logs.
  • View information about the results of Yandex StoreDoc cluster performance diagnostics.
  • View information about quotas of Yandex StoreDoc.
  • View information about resource operations for Yandex StoreDoc.

This role includes the managed-mongodb.viewer permissions.

managed-mongodb.editor

The managed-mongodb.editor role allows you to manage Yandex StoreDoc clusters and view their logs, as well as get information about quotas and service resource operations.

Users with this role can:

  • Create, modify, delete, run, and stop Yandex StoreDoc clusters and view information about them.
  • Create, modify, and delete Yandex StoreDoc cluster hosts and view information about them.
  • Create and delete Yandex StoreDoc cluster shards and view information about them.
  • Create and delete Yandex StoreDoc databases and view information about them.
  • Create, modify, and delete Yandex StoreDoc users and view information about them.
  • Create Yandex StoreDoc cluster backups, view information about such backups, as well as restore clusters from backups.
  • Create, modify, and delete Yandex StoreDoc alerts and view information about them.
  • View Yandex StoreDoc cluster logs.
  • View information about the results of Yandex StoreDoc cluster performance diagnostics.
  • View information about quotas of Yandex StoreDoc.
  • View information about resource operations for Yandex StoreDoc.

This role includes the managed-mongodb.viewer and managed-mongodb.restorer permissions.

To create Yandex StoreDoc clusters, you also need the vpc.user role.

managed-mongodb.admin

The managed-mongodb.admin role allows you to manage Yandex StoreDoc clusters and view their logs, as well as get information about quotas and service resource operations.

Users with this role can:

  • Manage access to Yandex StoreDoc clusters.
  • Create, modify, delete, run, and stop Yandex StoreDoc clusters and view information about them.
  • Create, modify, and delete Yandex StoreDoc cluster hosts and view information about them.
  • Create and delete Yandex StoreDoc cluster shards and view information about them.
  • Create and delete Yandex StoreDoc databases and view information about them.
  • Create, modify, and delete Yandex StoreDoc users and view information about them.
  • Create Yandex StoreDoc cluster backups, view information about such backups, as well as restore clusters from backups.
  • Create, modify, and delete Yandex StoreDoc alerts and view information about them.
  • View Yandex StoreDoc cluster logs.
  • View information about the results of Yandex StoreDoc cluster performance diagnostics.
  • View information about quotas of Yandex StoreDoc.
  • View information about resource operations for Yandex StoreDoc.

This role includes the managed-mongodb.editor permissions.

To create Yandex StoreDoc clusters, you also need the vpc.user role.

For more information, see Access management in Yandex StoreDoc.

Yandex Managed Service for MySQL®

managed-mysql.auditor

The managed-mysql.auditor role allows you to view information on MySQL® hosts and clusters, as well as quotas and resource operations for Managed Service for MySQL®.

managed-mysql.viewer

The managed-mysql.viewer role allows you to view information on MySQL® clusters, hosts, databases, users, and cluster logs, as well as on quotas and resource operations.

Users with this role can:

  • View information on MySQL® clusters.
  • View information on MySQL® cluster hosts.
  • View information on MySQL® databases.
  • View information on MySQL® users.
  • View information on MySQL® cluster backups.
  • View information on MySQL® alerts.
  • View MySQL® cluster logs.
  • View information on the results of MySQL® cluster performance diagnostics.
  • View information on quotas of Managed Service for MySQL®.
  • View information on resource operations for Managed Service for MySQL®.

This role includes the managed-mysql.auditor permissions.

managed-mysql.restorer

The managed-mysql.restorer role allows you to restore MySQL® clusters from backups, view information on MySQL® clusters, hosts, databases, users, and cluster logs, as well as on quotas and resource operations.

Users with this role can:

  • View information on MySQL® cluster backups and restore clusters from backups.
  • View information on MySQL® clusters.
  • View information on MySQL® cluster hosts.
  • View information on MySQL® databases.
  • View information on MySQL® users.
  • View information on MySQL® alerts.
  • View MySQL® cluster logs.
  • View information on the results of MySQL® cluster performance diagnostics.
  • View information on quotas of Managed Service for MySQL®.
  • View information on resource operations for Managed Service for MySQL®.

This role includes the managed-mysql.viewer permissions.

managed-mysql.editor

The managed-mysql.editor role allows you to manage MySQL® clusters and view their logs, as well as get information on service quotas and resource operations.

Users with this role can:

  • View information on MySQL® clusters, as well as create, modify, delete, run, and stop them.
  • View information on MySQL® cluster hosts, as well as create, modify, and delete them.
  • View information on MySQL® databases, as well as create, modify, and delete them.
  • View information on MySQL® users, as well as create, modify, and delete them.
  • View information on MySQL® cluster backups, create and delete such backups, as well as restore clusters from backups.
  • View information on MySQL® alerts, as well as create, modify, and delete them.
  • View MySQL® cluster logs.
  • View information on the results of MySQL® cluster performance diagnostics.
  • View information on quotas of Managed Service for MySQL®.
  • View information on resource operations for Managed Service for MySQL®.

This role includes the managed-mysql.viewer and managed-mysql.restorer permissions.

To create MySQL® clusters, you also need the vpc.user role.

managed-mysql.admin

The managed-mysql.admin role allows you to manage MySQL® clusters and view their logs, as well as get information on quotas and resource operations.

Users with this role can:

  • Manage access to MySQL® clusters.
  • View information on MySQL® clusters, as well as create, modify, delete, run, and stop them.
  • View information on MySQL® cluster hosts, as well as create, modify, and delete them.
  • View information on MySQL® databases, as well as create, modify, and delete them.
  • View information on MySQL® users, as well as create, modify, and delete them.
  • View information on MySQL® cluster backups, create and delete such backups, as well as restore clusters from backups.
  • View information on MySQL® alerts, as well as create, modify, and delete them.
  • View MySQL® cluster logs.
  • View information on the results of MySQL® cluster performance diagnostics.
  • View information on quotas of Managed Service for MySQL®.
  • View information on resource operations for Managed Service for MySQL®.

This role includes the managed-mysql.editor permissions.

To create MySQL® clusters, you also need the vpc.user role.

For more information, see Access management in Managed Service for MySQL®.

Yandex Managed Service for OpenSearch

managed-opensearch.auditor

The managed-opensearch.auditor role allows you to view information on OpenSearch clusters, as well as quotas and resource operations for Managed Service for OpenSearch.

managed-opensearch.viewer

The managed-opensearch.viewer role allows you to view information on OpenSearch clusters and their logs, as well as on quotas and resource operations for Managed Service for OpenSearch.

This role includes the managed-opensearch.auditor permissions.

managed-opensearch.restorer

The managed-opensearch.restorer role allows you to restore OpenSearch clusters from backups, view information on OpenSearch clusters and their logs, as well as view information on quotas and resource operations for Managed Service for OpenSearch.

This role includes the managed-opensearch.viewer permissions.

managed-opensearch.editor

The managed-opensearch.editor role allows you to manage OpenSearch clusters and view their logs, as well as get information on quotas and resource operations.

Users with this role can:

  • View information on OpenSearch clusters, as well as create, modify, delete, run, and stop them.
  • Restore OpenSearch clusters from backups.
  • View OpenSearch cluster logs.
  • View information on quotas of Managed Service for OpenSearch.
  • View information on resource operations for Managed Service for OpenSearch.

This role includes the managed-opensearch.viewer and managed-opensearch.restorer permissions.

To create OpenSearch clusters, you also need the vpc.user role.

managed-opensearch.admin

The managed-opensearch.admin role allows you to manage OpenSearch clusters and view their logs, as well as get information on quotas and resource operations.

Users with this role can:

  • Manage access to OpenSearch clusters.
  • View information on OpenSearch clusters, as well as create, modify, delete, run, and stop them.
  • Restore OpenSearch clusters from backups.
  • View OpenSearch cluster logs.
  • View information on quotas of Managed Service for OpenSearch.
  • View information on resource operations for Managed Service for OpenSearch.

This role includes the managed-opensearch.editor permissions.

To create OpenSearch clusters, you also need the vpc.user role.

For more information, see Managing access to Managed Service for OpenSearch.

Yandex Managed Service for PostgreSQL

managed-postgresql.auditor

The managed-postgresql.auditor role allows you to view information on PostgreSQL hosts and clusters, as well as quotas and resource operations for Managed Service for PostgreSQL.

managed-postgresql.viewer

The managed-postgresql.viewer role allows you to view information on PostgreSQL clusters, hosts, databases, users, and cluster logs, as well as on quotas and resource operations.

Users with this role can:

  • View information on PostgreSQL clusters.
  • View information on PostgreSQL cluster hosts.
  • View information on PostgreSQL databases.
  • View information on PostgreSQL users.
  • View information on PostgreSQL cluster backups.
  • View information on PostgreSQL alerts.
  • View PostgreSQL cluster logs.
  • View information on the results of PostgreSQL cluster performance diagnostics.
  • View information on quotas of Managed Service for PostgreSQL.
  • View information on resource operations for Managed Service for PostgreSQL.

This role includes the managed-postgresql.auditor permissions.

managed-postgresql.restorer

The managed-postgresql.restorer role allows you to restore PostgreSQL clusters from backups, view information on PostgreSQL clusters, hosts, databases, users, and cluster logs, as well as on quotas and resource operations.

Users with this role can:

  • View information on PostgreSQL cluster backups and restore clusters from backups.
  • View information on PostgreSQL clusters.
  • View information on PostgreSQL cluster hosts.
  • View information on PostgreSQL databases.
  • View information on PostgreSQL users.
  • View information on PostgreSQL alerts.
  • View PostgreSQL cluster logs.
  • View information on the results of PostgreSQL cluster performance diagnostics.
  • View information on quotas of Managed Service for PostgreSQL.
  • View information on resource operations for Managed Service for PostgreSQL.

This role includes the managed-postgresql.viewer permissions.

managed-postgresql.editor

The managed-postgresql.editor role allows you to manage PostgreSQL clusters and view their logs, as well as get information on service quotas and resource operations.

Users with this role can:

  • View information on PostgreSQL clusters, as well as create, modify, delete, run, and stop them.
  • View information on PostgreSQL cluster hosts, as well as create, modify, and delete them.
  • View information on PostgreSQL databases, as well as create, modify, and delete them.
  • View information on PostgreSQL users, as well as create, modify, and delete them.
  • View information on PostgreSQL cluster backups, create and delete such backups, as well as restore clusters from backups.
  • View information on PostgreSQL alerts, as well as create, modify, and delete them.
  • View PostgreSQL cluster logs.
  • View information on the results of PostgreSQL cluster performance diagnostics.
  • View information on quotas of Managed Service for PostgreSQL.
  • View information on resource operations for Managed Service for PostgreSQL.

This role includes the managed-postgresql.viewer and managed-postgresql.restorer permissions.

To create PostgreSQL clusters, you also need the vpc.user role.

managed-postgresql.admin

The managed-postgresql.admin role allows you to manage PostgreSQL clusters and view their logs, as well as get information on quotas and resource operations.

Users with this role can:

  • Manage access to PostgreSQL clusters.
  • View information on PostgreSQL clusters, as well as create, modify, delete, run, and stop them.
  • View information on PostgreSQL cluster hosts, as well as create, modify, and delete them.
  • View information on PostgreSQL databases, as well as create, modify, and delete them.
  • View information on PostgreSQL users, as well as create, modify, and delete them.
  • View information on PostgreSQL cluster backups, create and delete such backups, as well as restore clusters from backups.
  • View information on PostgreSQL alerts, as well as create, modify, and delete them.
  • View PostgreSQL cluster logs.
  • View information on the results of PostgreSQL cluster performance diagnostics.
  • View information on quotas of Managed Service for PostgreSQL.
  • View information on resource operations for Managed Service for PostgreSQL.

This role includes the managed-postgresql.editor permissions.

To create PostgreSQL clusters, you also need the vpc.user role.

For more information, see Access management in Managed Service for PostgreSQL.

Yandex Managed Service for Sharded PostgreSQL

managed-spqr.auditor

The managed-spqr.auditor role enables viewing info on Sharded PostgreSQL hosts and clusters, on access permissions granted for clusters, as well as on quotas and resource operations for Managed Service for Sharded PostgreSQL.

managed-spqr.viewer

The managed-spqr.viewer role enables viewing info on Sharded PostgreSQL clusters, hosts, databases, users, cluster logs, quotas, and resource operations.

Users with this role can:

  • View info on Sharded PostgreSQL clusters and access permissions granted for them.
  • View info on Sharded PostgreSQL cluster hosts.
  • View info on databases in Sharded PostgreSQL clusters.
  • View info on users in Sharded PostgreSQL clusters.
  • View info on Sharded PostgreSQL cluster backups.
  • View Sharded PostgreSQL cluster logs.
  • View info on the Managed Service for Sharded PostgreSQL quotas.
  • View info on resource operations for Managed Service for Sharded PostgreSQL.

This role includes the managed-spqr.auditor permissions.

managed-spqr.restorer

The managed-spqr.restorer role enables restoring Sharded PostgreSQL clusters from backups, as well as viewing info on clusters, hosts, databases, users, cluster logs, quotas, and resource operations.

Users with this role can:

  • View info on Sharded PostgreSQL cluster backups and restore clusters from backups.
  • View info on Sharded PostgreSQL clusters and access permissions granted for them.
  • View info on Sharded PostgreSQL cluster hosts.
  • View info on databases in Sharded PostgreSQL clusters.
  • View info on users in Sharded PostgreSQL clusters.
  • View Sharded PostgreSQL cluster logs.
  • View info on the Managed Service for Sharded PostgreSQL quotas.
  • View info on resource operations for Managed Service for Sharded PostgreSQL.

This role includes the managed-spqr.viewer permissions.

managed-spqr.editor

The managed-spqr.editor role enables managing Sharded PostgreSQL clusters and viewing their logs, as well as getting info on quotas and service resource operations.

Users with this role can:

  • View info on Sharded PostgreSQL clusters and access permissions granted for them.
  • Create, modify, delete, run, and stop Sharded PostgreSQL clusters.
  • View info on Sharded PostgreSQL cluster hosts, as well as create, modify, and delete them.
  • View info on databases in Sharded PostgreSQL clusters as well as create, modify, and delete such databases.
  • View info on users in Sharded PostgreSQL clusters as well as create, modify, and delete such users.
  • View info on Sharded PostgreSQL cluster backups, create and delete such backups, as well as restore clusters from backups.
  • View Sharded PostgreSQL cluster logs.
  • View info on the Managed Service for Sharded PostgreSQL quotas.
  • View info on resource operations for Managed Service for Sharded PostgreSQL.

This role includes the managed-spqr.viewer and managed-spqr.restorer permissions.

managed-spqr.admin

The managed-spqr.admin role enables managing Sharded PostgreSQL clusters and viewing their logs, as well as getting info on quotas and service resource operations.

Users with this role can:

  • View info on Sharded PostgreSQL clusters as well as create, modify, restore, delete, run, and stop them.
  • View info on access permissions granted for Sharded PostgreSQL clusters and modify such permissions.
  • View info on Sharded PostgreSQL cluster hosts, as well as create, modify, and delete them.
  • View info on databases in Sharded PostgreSQL clusters as well as create, modify, and delete such databases.
  • View info on users in Sharded PostgreSQL clusters as well as create, modify, and delete such users.
  • View info on Sharded PostgreSQL cluster backups, create and delete such backups, as well as restore clusters from backups.
  • View Sharded PostgreSQL cluster logs.
  • View info on the Managed Service for Sharded PostgreSQL quotas.
  • View info on resource operations for Managed Service for Sharded PostgreSQL.

This role includes the managed-spqr.editor permissions.

For more information, see Access management in Managed Service for Sharded PostgreSQL.

Yandex Managed Service for Valkey™

managed-redis.auditor

The managed-redis.auditor role allows you to view information on Valkey™ hosts and clusters, as well as quotas and resource operations for Yandex Managed Service for Valkey™.

managed-redis.viewer

The managed-redis.viewer role allows you to view information on Valkey™ hosts and clusters and their logs, as well as on quotas and resource operations.

Users with this role can:

  • View information on Valkey™ clusters.
  • View information on Valkey™ cluster hosts.
  • View information on Valkey™ cluster shards.
  • View information on Valkey™ cluster backups.
  • View information on Valkey™ alerts.
  • View Valkey™ cluster logs.
  • View information on quotas of Yandex Managed Service for Valkey™.
  • View information on resource operations for Yandex Managed Service for Valkey™.

This role includes the managed-redis.auditor permissions.

managed-redis.restorer

The managed-redis.restorer role allows you to restore Valkey™ clusters from backups, view information on Valkey™ hosts and clusters and their logs, as well as on quotas and resource operations.

Users with this role can:

  • View information on Valkey™ cluster backups and restore clusters from backups.
  • View information on Valkey™ clusters.
  • View information on Valkey™ cluster hosts.
  • View information on Valkey™ cluster shards.
  • View information on Valkey™ alerts.
  • View Valkey™ cluster logs.
  • View information on quotas of Yandex Managed Service for Valkey™.
  • View information on resource operations for Yandex Managed Service for Valkey™.

This role includes the managed-redis.viewer permissions.

managed-redis.editor

The managed-redis.editor role allows you to manage Valkey™ clusters and view their logs, as well as get information on service quotas and resource operations.

Users with this role can:

  • View information on Valkey™ clusters, as well as create, modify, delete, run, and stop them.
  • View information on Valkey™ cluster hosts, as well as create, modify, and delete them.
  • View information on Valkey™ cluster shards, as well as create and delete them.
  • View information on Valkey™ cluster backups, create cluster backups, and restore clusters from backups.
  • View information on Valkey™ alerts, as well as create, modify, and delete them.
  • View Valkey™ cluster logs.
  • View information on quotas of Yandex Managed Service for Valkey™.
  • View information on resource operations for Yandex Managed Service for Valkey™.

This role includes the managed-redis.viewer and managed-redis.restorer permissions.

To create Valkey™ clusters, you also need the vpc.user role.

managed-redis.admin

The managed-redis.admin role allows you to manage Valkey™ clusters and view their logs, as well as get information on quotas and resource operations.

Users with this role can:

  • Manage access to Valkey™ clusters.
  • View information on Valkey™ clusters, as well as create, modify, delete, run, and stop them.
  • View information on Valkey™ cluster hosts, as well as create, modify, and delete them.
  • View information on Valkey™ cluster shards, as well as create and delete them.
  • View information on Valkey™ cluster backups, create cluster backups, and restore clusters from backups.
  • View information on Valkey™ alerts, as well as create, modify, and delete them.
  • View Valkey™ cluster logs.
  • View information on quotas of Yandex Managed Service for Valkey™.
  • View information on resource operations for Yandex Managed Service for Valkey™.

This role includes the managed-redis.editor permissions.

To create Valkey™ clusters, you also need the vpc.user role.

For more information, see Access management in Yandex Managed Service for Valkey™.

Yandex Managed Service for SQL Server

managed-sqlserver.auditor

The managed-sqlserver.auditor role allows you to view information on SQL Server clusters, hosts, users, databases, cluster backups, as well as on quotas and resource operations for Managed Service for SQL Server.

managed-sqlserver.viewer

The managed-sqlserver.viewer role allows you to view SQL Server cluster logs, as well as information on SQL Server clusters, hosts, users, databases, and DB backups.

Users with this role can:

  • View info on SQL Server clusters.
  • View info on SQL Server cluster hosts.
  • View info on SQL Server users.
  • View info on SQL Server databases.
  • View info on SQL Server cluster backups.
  • View SQL Server cluster logs.
  • View info on resource operations for Managed Service for SQL Server.
  • View info on the quotas for Managed Service for SQL Server.

This role includes the managed-sqlserver.auditor permissions.

managed-sqlserver.restorer

The managed-sqlserver.restorer role allows you to restore SQL Server clusters from backups, view SQL Server cluster logs, as well as information on SQL Server clusters, hosts, users, databases, and cluster backups.

Users with this role can:

  • Restore SQL Server clusters from backups.
  • View info on SQL Server clusters.
  • View info on SQL Server cluster hosts.
  • View info on SQL Server users.
  • View info on SQL Server databases.
  • View info on SQL Server DB backups.
  • View SQL Server cluster logs.
  • View info on resource operations for Managed Service for SQL Server.
  • View info on the quotas for Managed Service for SQL Server.

This role includes the managed-sqlserver.viewer permissions.

managed-sqlserver.editor

The managed-sqlserver.editor role allows you to manage SQL Server clusters, hosts, users, and databases, create cluster backups and restore clusters from backups, as well as view SQL Server cluster logs.

Users with this role can:

  • View info on SQL Server clusters, as well as use, create, start, stop, modify, and delete them.
  • View info on SQL Server cluster hosts, as well as create, modify, and delete them.
  • View info on SQL Server users, as well as create, modify, and delete them.
  • View info on SQL Server databases, as well as create, modify, and delete them.
  • View info on SQL Server cluster backups, create such backups and restore clusters from backups.
  • View SQL Server cluster logs.
  • View info on resource operations for Managed Service for SQL Server.
  • View info on the quotas for Managed Service for SQL Server.

This role includes the managed-sqlserver.viewer and managed-sqlserver.restorer permissions.

managed-sqlserver.admin

The managed-sqlserver.admin role allows you to manage SQL Server clusters, hosts, users, and databases, create cluster backups, restore clusters from backups, as well as view SQL Server cluster logs.

Users with this role can:

  • View info on SQL Server clusters, as well as use, create, start, stop, modify, and delete them.
  • View info on SQL Server cluster hosts, as well as create, modify, and delete them.
  • View info on SQL Server users, as well as create, modify, and delete them.
  • View info on SQL Server databases, as well as create, modify, and delete them.
  • View info on SQL Server cluster backups, create such backups, as well as restore clusters from backups.
  • View SQL Server cluster logs.
  • View info on resource operations for Managed Service for SQL Server.
  • View info on the quotas for Managed Service for SQL Server.

This role includes the managed-sqlserver.editor permissions.

Yandex Managed Service for YDB

ydb.auditor

The ydb.auditor role enables establishing connections to databases, viewing info on databases and access permissions granted to them, as well as on the database schema objects and backups.

Users with this role can:

  • Establish database connections.
  • View the list of databases and info on them, as well as on the access permissions granted to them.
  • View info on database backups and the access permissions granted to them.
  • View the list of database schema objects, such as tables, indexes, and folders, and info on them.
  • View info on the quotas for Managed Service for YDB.
  • View info on the relevant cloud and folder.

ydb.viewer

The ydb.viewer role enables establishing connections to databases and querying them for reading, viewing info on databases and access permissions granted to them, as well as on the database schema objects and backups.

Users with this role can:

  • Establish connections with databases and query them for reading.
  • View the list of databases and info on them, as well as on the access permissions granted to them.
  • View info on database backups and the access permissions granted to them.
  • View the list of database schema objects, such as tables, indexes, and folders, and info on them.
  • View info on the quotas for Managed Service for YDB.
  • View info on the relevant cloud and folder.

This role includes the ydb.auditor permissions.

ydb.editor

The ydb.editor role enables managing databases, schema objects, and database backups, as well as querying DBs for both reading and writing.

Users with this role can:

  • View the list of databases, info on them and the access permissions granted to them, as well as create, run, stop, modify, and delete DBs.
  • Establish connections with databases and query them for reading and writing.
  • View info on database backups and the access permissions granted to them, as well as create and delete them and use them to restore databases.
  • View the list of schema objects, such as tables, indexes, and folders, and info on those, as well as create, modify, and delete such objects.
  • View info on the quotas for Managed Service for YDB.
  • View info on the relevant cloud and folder.

This role includes the ydb.viewer permissions.

ydb.admin

The ydb.admin role enables managing databases and access to them, as well as schema objects and database backups. It also allows you to query DBs for both reading and writing.

Users with this role can:

  • View the list of databases and info on them, as well as create, run, stop, modify, and delete them.
  • View info on granted access permissions to databases and modify such permissions.
  • Establish connections with databases and query them for reading and writing.
  • View info on database backups, as well as create and delete them and use them to restore databases.
  • View info on granted access permissions to backups and modify such permissions.
  • View the list of schema objects, such as tables, indexes, and folders, and info on those, as well as create, modify, and delete such objects.
  • View info on the quotas for Managed Service for YDB.
  • View info on the relevant cloud and folder.

This role includes the ydb.editor permissions.

ydb.kafkaApi.client

The ydb.kafkaApi.client role allows you to work with YDB over the Kafka API protocol using plain authentication over an SSL connection.

For more information, see Access management in Managed Service for YDB.

Yandex Message Queue

ymq.reader

The ymq.reader role grants permission to read and delete messages, set message visibility timeouts, and clear a queue of messages. It allows you to get a list of queues and queue information.

ymq.writer

The ymq.writer role grants permission to write messages to a queue and create new queues. It allows you to get a list of queues and queue information.

ymq.admin

The ymq.admin role includes access rights of the ymq.reader and ymq.writer roles and allows updating queue attributes and deleting queues. It allows you to get a list of queues and queue information.

For more information, see Access management in Message Queue.

Yandex Monitoring

monitoring.viewer

The monitoring.viewer role enables downloading metrics and viewing info on metrics, dashboards, and widgets.

Users with this role can:

  • View info on metrics and their labels, as well as download metrics.
  • View the list of dashboards and widgets, as well as the info on those.
  • View notification history.
  • View details on Monitoring quotas.
  • View info on the relevant folder.

monitoring.editor

The monitoring.editor role enables managing dashboards and widgets, uploading and downloading metrics, and viewing the notification history and quota details.

Users with this role can:

  • View info on metrics and their labels, as well as upload and download metrics.
  • View lists of dashboards and widgets and info on them, as well as create, modify, and delete them.
  • View notification history.
  • View details on Monitoring quotas.
  • View info on the relevant folder.

This role includes the monitoring.viewer permissions.

monitoring.admin

The monitoring.admin role enables managing dashboards and widgets, uploading and downloading metrics, and viewing the notification history, info on quotas, and folder metadata.

Users with this role can:

  • View info on metrics and their labels, as well as upload and download metrics.
  • View lists of dashboards and widgets and info on them, as well as create, modify, and delete them.
  • View notification history.
  • View details on Monitoring quotas.
  • View info on the relevant folder.

This role includes the monitoring.editor permissions.

For more information, see Access management in Monitoring.

Yandex Network Load Balancer

load-balancer.auditor

The load-balancer.auditor role enables viewing the list of target groups and network load balancers, as well as viewing the info on them and on the Network Load Balancer quotas.

Users with this role can:

  • View the list of target groups and the info on them.
  • View the list of network load balancers and the info on them.
  • View the list of operations with the Network Load Balancer resources.
  • View information on the relevant cloud and folder.
  • View info on Network Load Balancer quotas.

load-balancer.viewer

The load-balancer.viewer role enables viewing the list of target groups and network load balancers, as well as viewing the info on them, the list of operations on them, the info on the relevant cloud and folder, and the Network Load Balancer quotas.

Users with this role can:

  • View the list of target groups and the info on them.
  • View the list of network load balancers and the info on them.
  • View the list of operations with the Network Load Balancer resources.
  • View information on the relevant cloud and folder.
  • View info on Network Load Balancer quotas.

This role includes the load-balancer.auditor permissions.

load-balancer.privateAdmin

The load-balancer.privateAdmin role enables managing internal network load balancers and target groups, as well as viewing info on them and on the cloud networks, subnets, route tables, gateways, security groups, and IP addresses.

Users with this role can:

  • View the list of network load balancers and the info on them, as well as create internal network load balancers (including those with UDP listeners), modify, delete, start, and stop them.
  • View the list of target groups and the info on them, as well as create, modify, delete, and use target groups.
  • View the list of cloud networks and the info on them.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud resource addresses and the info on them.
  • View the list of route tables and the info on them.
  • View the list of security groups and the info on them.
  • View information on NAT gateways.
  • View the info on the used IP addresses in subnets, as well as create internal addresses.
  • View the info on operations with the Virtual Private Cloud and Compute Cloud resources.
  • View the list of operations with the Network Load Balancer resources.
  • View information on the relevant cloud and folder.
  • View info on Network Load Balancer and Virtual Private Cloud quotas.

This role includes the load-balancer.viewer and vpc.viewer permissions.

load-balancer.editor

The load-balancer.editor role enables managing internal and external network load balancers and target groups, as well as viewing info on them and on the cloud networks, subnets, route tables, gateways, security groups, and IP addresses. The role does not allow creating public IP addresses.

Users with this role can:

  • View the list of network load balancers and info on them.
  • Create internal and external network load balancers and those with UDP listeners, as well as modify, delete, start, and stop load balancers.
  • View the list of target groups and the info on them, as well as create, modify, delete, and use target groups.
  • View the list of cloud networks and info on them, as well as set up external access to them.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud resource addresses and the info on them.
  • View the list of route tables and the info on them.
  • View the list of security groups and the info on them.
  • View information on NAT gateways.
  • View the info on the used IP addresses, create private addresses and use them.
  • View the info on operations with the Virtual Private Cloud and Compute Cloud resources.
  • View the list of operations with the Network Load Balancer resources.
  • View information on the relevant cloud and folder.
  • View info on Network Load Balancer and Virtual Private Cloud quotas.

This role includes the load-balancer.privateAdmin permissions.

load-balancer.admin

The load-balancer.admin role enables managing internal and external network load balancers and target groups, as well as viewing info on them and on the cloud networks, subnets, route tables, gateways, security groups, and IP addresses.

Users with this role can:

  • View the list of network load balancers and info on them.
  • Create internal and external network load balancers and those with UDP listeners, as well as modify, delete, start, and stop load balancers.
  • View the list of target groups and the info on them, as well as create, modify, delete, and use target groups.
  • View the list of cloud networks and info on them, as well as set up external access to them.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud resource addresses and the info on them.
  • View the list of route tables and the info on them.
  • View the list of security groups and the info on them.
  • View information on NAT gateways.
  • View the info on the used IP addresses, create private and public addresses, and use them.
  • View the info on operations with the Virtual Private Cloud and Compute Cloud resources.
  • View the list of operations with the Network Load Balancer resources.
  • View information on the relevant cloud and folder.
  • View info on Network Load Balancer and Virtual Private Cloud quotas.

This role includes the load-balancer.editor permissions.

For more information, see Access management in Network Load Balancer.

Yandex Object Storage

storage.viewer

The storage.viewer role allows you to read data in buckets, view info on buckets and objects inside them, as well as info on the Object Storage folder and quotas.

Users with this role can:

  • View the list of buckets.
  • View the lists of objects in buckets, object info and content.
  • View info on access permissions assigned for buckets and objects inside them.
  • View bucket CORS configuration info.
  • View bucket static website hosting configuration info.
  • View bucket access protocol info.
  • View bucket action logging settings.
  • View bucket versioning settings.
  • View bucket encryption settings.
  • View bucket default storage class info.
  • View bucket labels.
  • View bucket region info.
  • View object lifecycle configuration info.
  • View lists of object versions and version info.
  • View object version locks info.
  • View object and object version labels.
  • View info on current multipart uploads of objects and their parts.
  • View cloud, folder, and Object Storage statistics.
  • View info on Object Storage quotas.
  • View folder info.

storage.configViewer

The storage.configViewer role allows you to view the settings info of buckets and objects inside them but not the data inside the bucket.

Users with this role can:

  • View the list of buckets and lists of objects in buckets without access to object content.
  • View info on access permissions assigned for buckets and objects inside them.
  • View bucket access policy info.
  • View bucket CORS configuration info.
  • View bucket static website hosting configuration info.
  • View bucket access protocol info.
  • View bucket action logging settings.
  • View bucket versioning settings.
  • View bucket region info.
  • View object version locks info.
  • View lists of object versions in buckets.
  • View bucket encryption settings.
  • View bucket default storage class info.
  • View bucket labels.
  • View object lifecycle configuration info.
  • View info on current multipart uploads of objects and their parts.
  • View cloud, folder, and Object Storage statistics.
  • View folder info.

storage.configurer

The storage.configurer role allows you to manage object lifecycle, static website hosting, access policy, and CORS settings. It does not allow you to manage access control list (ACL) or public access settings, nor does it provide access to bucket data.

Users with this role can:
  • View bucket access policy info, create, modify, and delete bucket access policies.
  • View bucket CORS configuration info and modify the CORS configuration.
  • View bucket static website hosting configuration info and modify the static website hosting configuration.
  • View bucket access protocol info and change the access protocol.
  • View bucket action logging settings and change the logging settings.
  • View bucket encryption settings and change the encryption settings.
  • View bucket region info.
  • View object lifecycle configuration info and change the lifecycle configuration.
  • View bucket versioning settings.
  • View folder info.

storage.uploader

The storage.uploader role allows you to upload objects into buckets with or without overwriting the previously uploaded ones, read data in buckets, view info on buckets and objects inside them, as well as info on the Object Storage folder and quotas. The role does not allow you to delete objects or configure buckets.

Users with this role can:
  • View the list of buckets.
  • View the lists of objects in buckets, object info and content.
  • Upload objects into a bucket.
  • View info on access permissions assigned for buckets and objects inside them.
  • View bucket CORS configuration info.
  • View bucket static website hosting configuration info.
  • View bucket access protocol info.
  • View bucket action logging settings.
  • View bucket versioning settings.
  • View bucket encryption settings.
  • View bucket default storage class info.
  • View bucket labels.
  • View bucket region info.
  • View object lifecycle configuration info.
  • View lists of object versions and version info.
  • View info on object version locks and set up such locks.
  • View object and object version labels, modify such labels.
  • View info on current multipart uploads of objects and their parts, delete partially uploaded objects.
  • View cloud, folder, and Object Storage statistics.
  • View info on Object Storage quotas.
  • View folder info.

This role includes the storage.viewer permissions.

storage.editor

The storage.editor role allows any operations with buckets and objects: creating, deleting, and editing them. The role does not allow managing access control list (ACL) settings and creating public buckets.

Users with this role can:
  • View the list of buckets, create and delete buckets.
  • View the lists of objects in buckets, object info and content.
  • View info on access permissions assigned for buckets and objects inside them.
  • Upload objects into a bucket, delete objects and object versions.
  • View bucket CORS configuration info and modify the CORS configuration.
  • View bucket static website hosting configuration info and modify the static website hosting configuration.
  • View bucket access protocol info and change the access protocol.
  • View bucket action logging settings and change the logging settings.
  • View bucket versioning settings.
  • View bucket encryption settings and change the encryption settings.
  • View bucket default storage class info, change the default storage class.
  • View and modify bucket labels.
  • View bucket region info.
  • View object lifecycle configuration info and change the lifecycle configuration.
  • View lists of object versions and version info.
  • Restore object versions in versioning-enabled buckets.
  • View info on object version locks and set up such locks.
  • View object and object version labels, modify and delete such labels.
  • View info on current multipart uploads of objects and their parts, delete partially uploaded objects.
  • View cloud, folder, and Object Storage statistics.
  • View info on Object Storage quotas.
  • View folder info.

This role includes the storage.uploader permissions.

storage.admin

The storage.admin role allows you to manage Object Storage.

Users with this role can:
  • View the list of buckets.
  • Create buckets, including public ones, and delete buckets.
  • View the lists of objects in buckets, object info and content.
  • View info on access permissions assigned for buckets and objects inside them, modify access permissions for buckets and objects.
  • View bucket access policy info, create, modify, and delete bucket access policies.
  • Assign an access control list (ACL).
  • Set up access to a bucket via a service connection from a Virtual Private Cloud.
  • Upload objects into a bucket, delete objects and object versions.
  • View bucket CORS configuration info and modify the CORS configuration.
  • View bucket static website hosting configuration info and modify the static website hosting configuration.
  • View bucket access protocol info and change the access protocol.
  • View bucket action logging settings and change the logging settings.
  • View bucket versioning settings and change the versioning settings.
  • View bucket encryption settings and change the encryption settings.
  • View bucket default storage class info, change the default storage class.
  • View and modify bucket labels.
  • View bucket region info.
  • View object lifecycle configuration info and change the lifecycle configuration.
  • View lists of object versions and version info.
  • Restore object versions in versioning-enabled buckets.
  • View info on object version locks and set up such locks.
  • Bypass governance-mode retention.
  • View object and object version labels, modify and delete such labels.
  • View info on current multipart uploads of objects and their parts, delete partially uploaded objects.
  • View cloud, folder, and Object Storage statistics.
  • View info on Object Storage quotas.
  • View folder info.

This role includes the storage.editor, storage.configViewer, and storage.configurer permissions.

For more information, see Managing access with Yandex Identity and Access Management.

Yandex Query

yq.auditor

The yq.auditor role allows you to view the service metadata, including the information on folder, connections, bindings, and queries.

yq.viewer

Users with the yq.viewer role can view queries and their results.

This role includes the yq.auditor permissions.

yq.editor

Users assigned the yq.editor role can view, edit, and delete their connections and queries, as well as run the queries they create. The yq.editor role includes all permissions of the yq.viewer role.

yq.admin

The yq.admin role allows you to manage any Query resources, including those labeled as private. The yq.admin role includes all permissions of the yq.editor role.

yq.invoker

Users with the yq.invoker role can run queries in Query. The role is designed to automate query execution by service accounts. For example, you can use it to run queries by an event or on schedule.

For more information, see Access management in Query.

Yandex Resource Manager

resource-manager.auditor

The resource-manager.auditor role enables viewing cloud and folder metadata, as well as the info on the access permissions granted to clouds and folders.

Users with this role can:

  • View info on clouds and their settings, as well as on the access permissions granted to clouds.
  • View info on folders and their settings, as well as on the access permissions granted to folders.
  • View info on the Resource Manager quotas.

resource-manager.viewer

The resource-manager.viewer role enables viewing info on clouds and folders, as well as on the access permissions to clouds and folders.

Users with this role can:

  • View info on clouds and their settings, as well as on the access permissions to clouds.
  • View info on folders and their settings, as well as on the access permissions to folders.
  • View info on the Resource Manager quotas.

This role includes the resource-manager.auditor permissions.

resource-manager.editor

The resource-manager.editor role enables managing clouds and folders, as well as viewing the info on the access permissions granted to clouds and folders.

Users with this role can:

  • View info on clouds, their settings, and the access permissions to such clouds, as well as create, modify, and delete clouds.
  • View info on folders, their settings, and the access permissions to such folders, as well as create, modify, and delete folders.
  • View info on the Resource Manager quotas.

This role includes the resource-manager.viewer permissions.

resource-manager.admin

The resource-manager.admin role enables managing clouds and folders, as well as access to them.

Users with this role can:

  • View info on granted access permissions to clouds and modify such permissions.
  • View info on clouds and their settings, as well as create, modify, and delete clouds.
  • View info on granted access permissions to folders and modify such permissions.
  • View info on folders and their settings, as well as create, modify, and delete folders.
  • View info on the Resource Manager quotas.

This role includes the resource-manager.editor permissions.

resource-manager.clouds.member

The resource-manager.clouds.member role enables viewing info on the relevant cloud and contacting the Yandex Cloud support.

The role can only be assigned for a cloud.

Users with this role can:

  • View the list of technical support requests and the info on them, as well as create and close such requests, leave comments, and attach files to them.
  • View info on clouds and their settings.

resource-manager.clouds.owner

The resource-manager.clouds.owner role enables running any operations within the cloud and its child resources.

It also allows you to manage linking the cloud to a billing account (for that purpose, you also need permissions for that billing account). For more information on managing access to a billing account, see the Yandex Cloud Billing documentation.

By default, the users with this role get notifications on what happens to the cloud and its folders.

You can only assign this role for a cloud. Any user creating a cloud automatically gets this role for that cloud.

This role includes the admin and resource-manager.clouds.member permissions.

For more information, see Access management in Resource Manager.

Yandex Search API

search-api.executor

The search-api.executor role enables using Yandex Search API and running search queries via API v1.

search-api.webSearch.user

The search-api.webSearch.user role enables running search queries in Yandex Search API via API v2, as well as viewing info on the cloud, folder, and Yandex Search API quotas.

search-api.auditor

The search-api.auditor role enables viewing info on the registered IP addresses and Yandex Search API quotas, as well as on the relevant clouds and folders.

search-api.viewer

The search-api.viewer role enables viewing info on the registered IP addresses and Yandex Search API quotas, as well as on the relevant clouds and folders.

This role includes the search-api.auditor permissions.

search-api.editor

The search-api.editor role enables managing registered IP addresses and running search queries in Yandex Search API via API v1 and API v2.

Users with this role can:

  • View info on the registered IP addresses, edit and delete them, and register new IP addresses.
  • Run search queries using API v1 and API v2.
  • View info on Yandex Search API quotas.
  • View info on the relevant clouds and folders.

This role includes the search-api.viewer, search-api.webSearch.user, and search-api.executor permissions.

search-api.admin

The search-api.admin role enables managing registered IP addresses and running search queries in Yandex Search API via API v1 and API v2.

Users with this role can:

  • View info on the registered IP addresses, edit and delete them, and register new IP addresses.
  • Run search queries using API v1 and API v2.
  • View info on Yandex Search API quotas.
  • View info on the relevant clouds and folders.

This role includes the search-api.editor permissions.

For more information, see Access management in Yandex Search API.

Yandex Security Deck

General Yandex Security Deck roles

security-deck.worker

The security-deck.worker role allows the user to view info on DSPM scan area, as well as info on KSPM and CSPM controlled resources in Security Deck.

Users with this role can:

  • View the organization info, view the list of clouds, folders, and buckets in the scan area configured by the DSPM user and info on them, and view data in buckets subject to scanning.
  • View the list of clouds and folders and their info as controlled resources of a Security Deck workspace for KSPM.
  • View the list of Kubernetes clusters and info on them and their settings as controlled resources of a Security Deck workspace for KSPM.
  • View the organization info, view the list of clouds and folders and their info as controlled resources of a Security Deck workspace for CSPM.

The role is issued to the service account that performs DSPM scans and KSPM or CSPM checks. The role extends to an organization, cloud, folder, or bucket (if using DSPM).

The role does not allow viewing data in encrypted buckets. To scan an encrypted bucket, additionally assign to the service account the kms.keys.decrypter role for the encryption key or for the folder, cloud, or organization this key resides in.

This role includes the dspm.worker, kspm.worker, and cspm.worker permissions.

Note

The role cannot guarantee access to a bucket with a Yandex Object Storage access policy applied.

security-deck.auditor

The security-deck.auditor role enables viewing info on DSPM, CSPM, and KSPM resources, on alerts and alert sinks, as well as on scan jobs and the number of detected security threats. With this role, you cannot view masked and unprocessed data.

Users with this role can:

  • View info on DSPM profiles.
  • View info on DSPM data sources.
  • View info on DSPM security scan jobs.
  • View info on data types and categories.
  • View DSPM scan results and info on detected threats.
  • View info on Security Deck workspaces and resources managed in them, as well as on access permissions granted for them.
  • View info on connectors.
  • View info on cloud infrastructure checks for compliance with security standards configured in the CSPM settings.
  • View info on the KSPM settings and operations, as well as the list of exceptions from rules.
  • View info on alert sinks and access permissions granted for them.

This role includes the dspm.auditor, cspm.auditor, kspm.auditor, and security-deck.alertSinks.auditor permissions.

security-deck.viewer

The security-deck.viewer role enables viewing info on events of access to organization resources by Yandex Cloud employees, on DSPM, CSPM, and KSPM resources, on alerts and alert sinks, as well as on scan jobs and the number of detected security threats. With this role, you cannot view masked and unprocessed data.

Users with this role can:
  • View the list of events when Yandex Cloud employees access organization resources.
  • Approve or disapprove the result of a neural network-driven analysis of events when Yandex Cloud employees access organization resources.
  • View info on DSPM profiles.
  • View info on DSPM data sources.
  • View info on DSPM security scan jobs.
  • View info on data types and categories.
  • View DSPM scan results and info on detected threats.
  • View info on Security Deck workspaces and resources managed in them, as well as on access permissions granted for them.
  • View info on connectors.
  • View info on cloud infrastructure checks for compliance with security standards configured in the CSPM settings, the results of such checks, and exceptions from check rules.
  • View info on the KSPM settings, Managed Service for Kubernetes clusters connected to KSPM, exceptions from rules, exceptions from the control scope, KSPM users, and KSPM operations.
  • View info on alert sinks and access permissions granted for them.
  • View info on alerts and access permissions granted for them.
  • View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.

This role includes the access-transparency.viewer, dspm.viewer, cspm.viewer, kspm.viewer, and security-deck.alertSinks.viewer permissions.

security-deck.editor

The security-deck.editor role enables managing subscriptions to events of access to organization resources by Yandex Cloud employees, managing workspaces, alerts, and alert sinks, as well as DSPM, CSPM, and KSPM resources. With this role, you cannot view masked and unprocessed data.

Users with this role can:
  • Select a billing account in Access Transparency.
  • View info on subscriptions to events of access to organization resources by Yandex Cloud employees, as well as create, delete, and cancel deletion of such subscriptions.
  • View the list of events when Yandex Cloud employees access organization resources.
  • Approve or disapprove the result of a neural network-driven analysis of events when Yandex Cloud employees access organization resources.
  • View info on DSPM profiles and use them.
  • View info on DSPM data sources, as well as create, modify, use, and delete them.
  • View info on DSPM security scan jobs, as well as create, modify, and delete such jobs.
  • Run DSPM security scan jobs and view their results, as well as info on detected threats.
  • View info on DSPM data types and categories.
  • View bucket metadata.
  • View info on Security Deck workspaces and resources managed in them, as well as on access permissions granted for them.
  • Create, modify, and delete Security Deck workspaces.
  • View info on connectors, as well as create, use, modify, and delete them.
  • View info on cloud infrastructure checks for compliance with security standards configured in the CSPM settings.
  • View CSPM check results.
  • Create, suspend, resume, update, and delete CSPM checks.
  • View exceptions from CSPM check rules, create and delete such exceptions.
  • Engage, set up, and disconnect KSPM, as well as create, modify, and delete exceptions from rules and exceptions from the control scope.
  • View info on Managed Service for Kubernetes clusters connected to KSPM, KSPM users, and KSPM operations.
  • View info on alert sinks and access permissions granted for them.
  • Create, use, modify, and delete alert sinks.
  • View info on alerts and access permissions granted for them.
  • View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.
  • Create, modify, and delete alerts.
  • View the list of comments to alerts, as well as create, modify, and delete such comments.

This role includes the access-transparency.editor, dspm.editor, cspm.editor, kspm.editor, and security-deck.alertSinks.editor permissions.

security-deck.admin

The security-deck.admin role enables managing subscriptions to events of access to organization resources by Yandex Cloud employees, managing workspaces, alerts, and alert sinks, as well as DSPM, CSPM, and KSPM resources. With this role, you can view masked and unprocessed data in scan results.

Users with this role can:
  • Select a billing account in Access Transparency.
  • View info on subscriptions to events of access to organization resources by Yandex Cloud employees, as well as create, delete, and cancel deletion of such subscriptions.
  • View the list of events when Yandex Cloud employees access organization resources.
  • Approve or disapprove the result of a neural network-driven analysis of events when Yandex Cloud employees access organization resources.
  • View info on DSPM profiles and use them.
  • View info on DSPM data sources, as well as create, modify, use, and delete them.
  • Use Yandex Cloud resources in DSPM data sources.
  • View info on DSPM data types and categories.
  • View info on DSPM security scan jobs, as well as create, modify, and delete such jobs.
  • Run DSPM security scan jobs, view their results and info on detected threats, which includes viewing masked and unprocessed data in the scan results.
  • View bucket metadata.
  • View info on Security Deck workspaces and resources managed in them, as well as create, update, and delete Security Deck workspaces.
  • View info on access permissions granted for Security Deck workspaces and modify such permissions.
  • View info on connectors, as well as create, use, modify, and delete them.
  • View info on cloud infrastructure checks for compliance with security standards configured in the CSPM settings.
  • View CSPM check results.
  • Create, suspend, resume, update, and delete CSPM checks.
  • View exceptions from CSPM check rules, create and delete such exceptions.
  • Engage, set up, and disconnect KSPM, as well as create, modify, and delete exceptions from rules and exceptions from the control scope.
  • View info on Managed Service for Kubernetes clusters connected to KSPM, KSPM users, and KSPM operations.
  • View info on alert sinks, as well as create, use, modify, and delete them.
  • View info on access permissions granted for alert sinks and modify such permissions.
  • View info on alerts, as well as create, modify, and delete them.
  • View info on access permissions granted for alerts and modify such permissions.
  • View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.
  • View the list of comments to alerts, as well as create, modify, and delete such comments.

This role includes the access-transparency.admin, dspm.admin, cspm.admin, kspm.admin, and security-deck.alertSinks.admin permissions.

For more information, see General Yandex Security Deck roles.

YCDR roles

ycdr.admin

The ycdr.admin role enables viewing dashboards.

You need to assign this role for the organization.

For Yandex Cloud Detection and Response to process alerts from Security Deck, you also need to assign the security-deck.editor role for the folder from which the alerts are collected.

For more information, see Access management in YCDR.

DSPM roles

dspm.worker

The dspm.worker role enables viewing info on an organization, viewing the list of clouds, folders, and buckets in the scan zone specified by the user and info on them, as well as viewing data in the buckets being scanned.

The role is granted to the service account that will be used to perform scans for an organization, cloud, folder, or bucket.

The role does not enable viewing data in encrypted buckets. To scan an encrypted bucket, additionally grant the kms.keys.decrypter role to your service account either for the encryption key at hand or for the folder, cloud, or organization hosting this key.

Note

The role cannot guarantee access to a bucket if it has a Yandex Object Storage access policy applied to it.

dspm.inspector

The dspm.inspector role enables creating DSPM data sources using the specified Yandex Cloud resources. To create a DSPM data source, assign this role to a user for the appropriate cloud resource.

The dspm.inspector role is deprecated and no longer in use.

dspm.auditor

The dspm.auditor role enables viewing info on DSPM resources, as well as on scan jobs and the number of detected security threats. With this role, you cannot view masked and unprocessed data.

Users with this role can:

  • View info on DSPM profiles.
  • View info on DSPM data sources.
  • View info on security scan jobs.

dspm.viewer

The dspm.viewer role enables viewing info on DSPM resources, as well as on scan jobs and the number of detected security threats. With this role, you cannot view masked and unprocessed data.

Users with this role can:

  • View info on DSPM profiles.
  • View info on DSPM data sources.
  • View info on security scan jobs.

This role includes the dspm.auditor permissions.

dspm.editor

The dspm.editor role enables using DSPM profiles and managing data sources and security scans. With this role, you cannot view masked and unprocessed data.

Users with this role can:

  • View info on DSPM profiles and use them.
  • View info on DSPM data sources, as well as create, modify, use, and delete them.
  • View info on security scan jobs, as well as create, run, modify, and delete such jobs.

This role includes the dspm.viewer permissions.

dspm.admin

The dspm.admin role enables using DSPM profiles and managing data sources and security scans, which includes viewing masked and unprocessed data in the scan results.

Users with this role can:

  • View info on DSPM profiles and use them.
  • View info on DSPM data sources, as well as create, modify, use, and delete them.
  • Use Yandex Cloud resources in DSPM data sources.
  • View info on DSPM data categories.
  • View info on security scan jobs, as well as create, modify, and delete such jobs.
  • Run security scan jobs and view their results and info on detected threats, which includes viewing masked and unprocessed data in the scan results.

This role includes the dspm.editor permissions.

For more information, see Access management in DSPM.

KSPM roles

kspm.worker

The kspm.worker role allows the user to view info on Managed Service for Kubernetes clusters and install KSPM components in them.

The role is issued to the service account that performs cluster checks and extends to an organization, cloud, or folder. This service account must be specified when creating the workspace.

kspm.auditor

The kspm.auditor role allows the user to view info on KSPM settings, KSPM operations, and the list of exceptions from the rules.

kspm.viewer

The kspm.viewer role allows the user to view info on KSPM settings, Managed Service for Kubernetes clusters connected to KSPM, exceptions from the rules, exceptions from the scope of control, KSPM users, and KSPM operations.

This role includes the kspm.auditor permissions.

kspm.editor

The kspm.editor role allows the user to engage, set up, and disconnect KSPM, create, modify, and delete exceptions from the rules and exceptions from the scope of control, view info on Managed Service for Kubernetes clusters connected to KSPM, KSPM users, and KSPM operations.

This role includes the kspm.viewer permissions.

kspm.admin

The kspm.admin role allows the user to engage, set up, and disconnect KSPM, create, modify, and delete exceptions from the rules and exceptions from the scope of control, view info on Managed Service for Kubernetes clusters connected to KSPM, KSPM users, and KSPM operations.

This role includes the kspm.editor permissions.

For more information, see Access management in KSPM.

CSPM roles

cspm.worker

The cspm.worker role allows the user to view the organization info, as well as the list of clouds and folders and their info as controlled resources of a Security Deck workspace.

The role is issued to the service account that performs checks for compliance with the security standards configured in CSPM settings and extends to an organization, cloud, or folder.

cspm.auditor

The cspm.auditor role allows the user to view info on cloud infrastructure checks for compliance with security standards configured in CSPM settings.

cspm.viewer

The cspm.viewer role allows the user to view info on cloud infrastructure checks for compliance with security standards configured in CSPM settings, the results of such checks, and exceptions from related rules.

This role includes the cspm.auditor permissions.

cspm.editor

The cspm.editor role allows the user to manage cloud infrastructure checks for compliance with CSPM security standards and exceptions from related rules.

Users with this role can:

  • View info on cloud infrastructure checks for compliance with security standards configured in CSPM settings.
  • View the results of CSPM checks.
  • Create, suspend, resume, update, and delete CSPM checks.
  • View exceptions from CSPM check rules, create and delete such exceptions.

This role includes the cspm.viewer permissions.

cspm.admin

The cspm.admin role allows the user to manage cloud infrastructure checks for compliance with CSPM security standards and exceptions from related rules.

Users with this role can:

  • View info on cloud infrastructure checks for compliance with security standards configured in CSPM settings.
  • View the results of CSPM checks.
  • Create, suspend, resume, update, and delete CSPM checks.
  • View exceptions from CSPM check rules, create and delete such exceptions.

This role includes the cspm.editor permissions.

For more information, see Access management in CSPM.

Access Transparency roles

access-transparency.viewer

The access-transparency.viewer role enables viewing the list of subscriptions to the events when Yandex Cloud employees access organization resources and approving or disapproving the result of the neural network-driven analysis of such events.

access-transparency.editor

The access-transparency.editor role enables selecting a billing account in Access Transparency, managing subscriptions to the events when Yandex Cloud employees access organization resources, viewing the list of such events, and approving or disapproving the result of the neural network-driven analysis of such events.

This role includes the access-transparency.billingProvider and access-transparency.subscriptionManager permissions.

access-transparency.admin

The access-transparency.admin role enables selecting a billing account in Access Transparency, managing subscriptions to the events when Yandex Cloud employees access organization resources, viewing the list of such events, and approving or disapproving the result of the neural network-driven analysis of such events.

This role includes the access-transparency.editor permissions.

access-transparency.billingProvider

The access-transparency.billingProvider role enables selecting a billing account in Access Transparency.

access-transparency.subscriptionManager

The access-transparency.subscriptionManager role enables managing subscriptions to the events when Yandex Cloud employees access organization resources, viewing the list of such events, and approving or disapproving the result of the neural network-driven analysis of such events.

This role includes the access-transparency.viewer permissions.

For more information, see Access management in Access Transparency.

Alerts roles

security-deck.alertSinks.user

The security-deck.alertSinks.user role enables viewing info on alert sinks and using them.

security-deck.alertSinks.auditor

The security-deck.alertSinks.auditor role enables viewing info on alert sinks and access permissions granted for them.

security-deck.alertSinks.viewer

The security-deck.alertSinks.viewer role enables viewing info on alerts and alert sinks as well as on access permissions granted for them.

Users with this role can:

  • View info on alert sinks and access permissions granted for them.
  • View info on alerts and access permissions granted for them.
  • View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.

This role includes the security-deck.alertSinks.auditor permissions.

security-deck.alertSinks.editor

The security-deck.alertSinks.editor role enables managing alert sinks, alerts, and comments in them.

Users with this role can:

  • View info on alert sinks and access permissions granted for them.
  • Create, use, modify, and delete alert sinks.
  • View info on alerts and access permissions granted for them.
  • View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.
  • Create, modify, and delete alerts.
  • View the list of comments to alerts, as well as create, modify, and delete such comments.

This role includes the security-deck.alertSinks.viewer and security-deck.alertSinks.user permissions.

security-deck.alertSinks.admin

The security-deck.alertSinks.admin role enables managing alert sinks and alerts, as well as access to them.

Users with this role can:

  • View info on alert sinks, as well as create, use, modify, and delete them.
  • View info on access permissions granted for alert sinks and modify such permissions.
  • View info on alerts, as well as create, modify, and delete them.
  • View info on access permissions granted for alerts and modify such permissions.
  • View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.
  • View the list of comments to alerts, as well as create, modify, and delete such comments.

This role includes the security-deck.alertSinks.editor permissions.

For more information, see Access management in Alerts.

Yandex Serverless Containers

serverless-containers.auditor

The serverless-containers.auditor role enables viewing info on containers, except for the info on the revision environment variables.

serverless-containers.viewer

The serverless-containers.viewer role enables viewing info on containers, as well as on the relevant cloud and folder.

Users with this role can:

  • View info on containers, including the revision environment variables.
  • View info on granted access permissions to containers.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role includes the serverless-containers.auditor permissions.

serverless-containers.editor

The serverless-containers.editor role enables managing containers and viewing info on them, as well as on the relevant cloud and folder.

Users with this role can:

  • Create, invoke, modify, and delete containers.
  • View info on containers, including the revision environment variables, as well as on the granted access permissions to containers.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role includes the serverless-containers.viewer permissions.

serverless-containers.admin

The serverless-containers.admin role enables managing containers and access to them, as well as viewing info on containers and the relevant cloud and folder.

Users with this role can:

  • Create, invoke, modify, and delete containers.
  • View info on granted access permissions to containers and modify such permissions.
  • View info on containers, including the revision environment variables.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role includes the serverless-containers.editor permissions.

serverless-containers.containerInvoker

The serverless-containers.containerInvoker role enables invoking containers.

serverless.containers.viewer

The serverless.containers.viewer role enables viewing info on containers, as well as on the relevant cloud and folder.

Users with this role can:

  • View info on containers, including the revision environment variables.
  • View info on granted access permissions to containers.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role is no longer available. Please use serverless-containers.viewer instead.

serverless.containers.editor

The serverless.containers.editor role enables managing containers and viewing info on them, as well as on the relevant cloud and folder.

Users with this role can:

  • Create, invoke, modify, and delete containers.
  • View info on containers, including the revision environment variables, as well as on the granted access permissions to containers.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role is no longer available. Please use serverless-containers.editor instead.

serverless.containers.admin

The serverless.containers.admin role enables managing containers and access to them, as well as viewing info on containers and the relevant cloud and folder.

Users with this role can:

  • Create, invoke, modify, and delete containers.
  • View info on granted access permissions to containers and modify such permissions.
  • View info on containers, including the revision environment variables.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role is no longer available. Please use serverless-containers.admin instead.

serverless.containers.invoker

The serverless.containers.invoker role enables invoking containers.

This role is no longer available. Please use serverless-containers.containerInvoker instead.

For more information, see Access management in Serverless Containers.

Yandex Serverless Integrations

Yandex EventRouter roles

serverless.eventrouter.auditor

The serverless.eventrouter.auditor role enables viewing info on buses, connectors, and rules, as well as access permissions granted for them.

serverless.eventrouter.viewer

The serverless.eventrouter.viewer role enables viewing info on buses, connectors, and rules, as well as access permissions granted for them.

This role includes the serverless.eventrouter.auditor permissions.

serverless.eventrouter.supplier

The serverless.eventrouter.supplier role enables sending user events to buses and transmitting audit events.

Users with this role can:

  • Send user events to buses using the EventService/Send gRPC API call.
  • Send user events to buses using the EventService/Put gRPC API call.
  • Transmit audit events.

serverless.eventrouter.editor

The serverless.eventrouter.editor role enables managing buses, connectors, and rules, as well as sending user and audit events to buses.

Users with this role can:

  • View info on buses and access permissions granted for them, as well as create, modify, and delete buses.
  • View info on connectors and access permissions granted for them, as well as create, modify, and delete connectors.
  • View info on rules and access permissions granted for them, as well as create, modify, and delete rules.
  • Send user events to buses using the EventService/Send gRPC API call.
  • Send user events to buses using the EventService/Put gRPC API call.
  • Transmit audit events.

This role includes the serverless.eventrouter.viewer and serverless.eventrouter.supplier permissions.

serverless.eventrouter.admin

The serverless.eventrouter.admin role enables managing buses, connectors, rules, and access to them, as well as sending user and audit events to buses.

Users with this role can:

  • View info on buses as well as create, modify, and delete them.
  • View info on access permissions granted for buses and modify such permissions.
  • View info on connectors as well as create, modify, and delete them.
  • View info on access permissions granted for connectors and modify such permissions.
  • View info on rules as well as create, modify, and delete them.
  • View info on access permissions granted for rules and modify such permissions.
  • Send user events to buses using the EventService/Send gRPC API call.
  • Send user events to buses using the EventService/Put gRPC API call.
  • Transmit audit events.
  • View info on the EventRouter quotas.

This role includes the serverless.eventrouter.editor permissions.

For more information, see Access management in EventRouter.

Yandex Workflows roles

serverless.workflows.auditor

The serverless.workflows.auditor role enables viewing info on workflows and the history of their executions, as well as info on the Yandex Workflows quotas.

serverless.workflows.viewer

The serverless.workflows.viewer role enables viewing info on workflows and the history of their executions, as well as info on the Yandex Workflows quotas.

This role includes the serverless.workflows.auditor permissions.

serverless.workflows.executor

The serverless.workflows.executor role enables executing, pausing, resuming, and stopping workflows.

serverless.workflows.editor

The serverless.workflows.editor role enables managing workflows.

Users with this role can:

  • View info on workflows as well as create, update, and delete them.
  • Execute, pause, resume, and stop workflows.
  • View the history of workflow executions.
  • View info on the Yandex Workflows quotas.

This role includes the serverless.workflows.viewer and serverless.workflows.executor permissions.

serverless.workflows.admin

The serverless.workflows.admin role enables managing workflows.

Users with this role can:

  • View info on workflows as well as create, update, and delete them.
  • Execute, pause, resume, and stop workflows.
  • View the history of workflow executions.
  • View info on the Yandex Workflows quotas.

This role includes the serverless.workflows.editor permissions.

For more information, see Access management in Workflows.

Yandex SmartCaptcha

smart-captcha.auditor

The smart-captcha.auditor role enables viewing info on CAPTCHAs and access permissions assigned to them.

smart-captcha.viewer

The smart-captcha.viewer role enables viewing info on CAPTCHAs and access permissions assigned to them, as well as getting CAPTCHA keys.

This role includes the smart-captcha.auditor permissions.

smart-captcha.editor

The smart-captcha.editor role enables you to manage CAPTCHAs, view info on them, and get CAPTCHA keys.

Users with this role can:

  • View info on CAPTCHAs and create, modify, and delete them.
  • View info on CAPTCHA access permissions.
  • Get CAPTCHA keys.

This role includes the smart-captcha.viewer permissions.

smart-captcha.admin

The smart-captcha.admin role enables managing CAPTCHAs and access to them, as well as getting CAPTCHA keys.

Users with this role can:

  • View info on CAPTCHAs and create, modify, and delete them.
  • View info on access permissions assigned for CAPTCHAs and modify such permissions.
  • Get CAPTCHA keys.

This role includes the smart-captcha.editor permissions.

For more information, see Access management in SmartCaptcha.

Yandex Smart Web Security

smart-web-security.auditor

The smart-web-security.auditor role allows you to view information on security profiles in Smart Web Security and the metadata of the relevant cloud and folder.

Users with this role can:

  • View info on security profiles in Smart Web Security.
  • View info on access permissions assigned for security profiles.
  • View the list of L7 load balancer virtual hosts in Yandex Application Load Balancer to which the security profile is connected.
  • View information on the relevant cloud.
  • View info on the relevant folder.

To assign the smart-web-security.auditor role, you need the admin role for the cloud or smart-web-security.admin role for the folder.

smart-web-security.viewer

The smart-web-security.viewer role allows you to view information on security profiles in Smart Web Security, as well as on the relevant cloud and folder.

Users with this role can:

  • View info on security profiles in Smart Web Security.
  • View info on access permissions assigned for security profiles.
  • View the list of L7 load balancer virtual hosts in Yandex Application Load Balancer to which the security profile is connected.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the smart-web-security.auditor permissions.

To assign the smart-web-security.viewer role, you need either the admin role for the cloud or the smart-web-security.admin one for the folder.

smart-web-security.user

The smart-web-security.user role allows you to view information on security profiles in Smart Web Security and use them.

Users with this role can:

  • View info on security profiles in Smart Web Security and use them in other Yandex Cloud services.
  • View info on access permissions assigned for security profiles.
  • View the list of L7 load balancer virtual hosts in Yandex Application Load Balancer to which the security profile is connected.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the smart-web-security.viewer permissions.

To assign the smart-web-security.user role, you need either the admin role for the cloud or the smart-web-security.admin one for the folder.

smart-web-security.editor

The smart-web-security.editor role allows you to use security profiles in Smart Web Security and manage them.

Users with this role can:

  • View info on security profiles in Smart Web Security, create, modify, and delete them, as well as use these security profiles in other Yandex Cloud services.
  • View info on access permissions assigned for security profiles.
  • View the list of L7 load balancer virtual hosts in Yandex Application Load Balancer to which the security profile is connected.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the smart-web-security.user permissions.

To assign the smart-web-security.editor role, you need the admin role for the cloud or the smart-web-security.admin one for the folder.

smart-web-security.admin

The smart-web-security.admin role allows you to use security profiles in Smart Web Security, manage them, and manage access to them.

Users with this role can:

  • View info on access permissions assigned for security profiles and modify such permissions.
  • View info on security profiles in Smart Web Security, create, modify, and delete them, as well as use these security profiles in other Yandex Cloud services.
  • View the list of L7 load balancer virtual hosts in Yandex Application Load Balancer to which the security profile is connected.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the smart-web-security.editor permissions.

To assign the smart-web-security.admin role, you need the admin role for the cloud.

For more information, see Access management in Smart Web Security.

Yandex SpeechKit

ai.speechkit-stt.user

The ai.speechkit-stt.user role allows you to use Yandex SpeechKit for speech recognition, as well as view info on the relevant cloud, folder, and quotas.

ai.speechkit-tts.user

The ai.speechkit-tts.user role allows you to use Yandex SpeechKit for speech synthesis, as well as view info on the relevant cloud, folder, and quotas.

For more information, see Access management in SpeechKit.

Yandex SpeechSense

speech-sense.auditor

The speech-sense.auditor role enables you to view names, descriptions, and lists of members of a project or a space with all of its projects. The role does not provide access to project data.

speech-sense.viewer

The speech-sense.viewer role enables you to view project or space characteristics, the list of their members, connections, and dashboards.

The speech-sense.viewer role includes all permissions of the speech-sense.auditor role.

speech-sense.editor

The speech-sense.editor role enables you to edit a project, its description, dashboards, and alerts, create and edit its classifiers, and run analyses. When assigned for a space, the role allows you to edit the space and create projects, connections, and dictionaries within it.

The speech-sense.editor role includes all permissions of the speech-sense.viewer role.

speech-sense.admin

The speech-sense.admin role assigned for a space or project enables you to perform any action in them: view dialogs, edit connections, or run analyses. The role grants permission to assign roles to other users.

The speech-sense.admin role includes all permissions of the speech-sense.editor and speech-sense.data.editor roles.

speech-sense.spaces.creator

The speech-sense.spaces.creator role allows you to create spaces in SpeechSense.

speech-sense.data.viewer

The speech-sense.data.viewer role allows you to view a project's name or description, the list of connections, dashboards, and project members. It also enables you to search inside documents, listen to dialogs, and view their text transcripts. When assigned for a space, this role enables you to view all of its projects without editing them.

speech-sense.data.editor

The speech-sense.data.editor role enables you to upload dialogs to project or space connections, evaluate these dialogs and comment on them in the system.

The speech-sense.data.editor role includes all permissions of the speech-sense.data.viewer role.

Users with roles like speech-sense.data.* can view and rate the contents of documents but do not have access to aggregate information.

For more information, see Access management in SpeechSense.

Yandex Translate

ai.translate.user

The ai.translate.user role allows you to use Yandex Translate to translate texts, as well as view info on the relevant cloud, folder, and quotas.

For more information, see Access management in Translate.

Yandex Virtual Private Cloud

vpc.auditor

The vpc.auditor role allows you to view service metadata, including information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on service quotas and resource operations.

Users with this role can:
  • View the list of cloud networks and the info on them.
  • View the list of subnets and info on them.
  • View the list of cloud resource addresses and the info on them.
  • View the list of route tables and the info on them.
  • View the list of security groups and the info on them.
  • View information on NAT gateways.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

vpc.viewer

The vpc.viewer role allows you to view information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on the quotas and resource operations.

Users with this role can:
  • View the list of cloud networks and the info on them.
  • View the list of subnets and info on them.
  • View the list of cloud resource addresses and the info on them.
  • View the list of route tables and the info on them.
  • View the list of security groups and the info on them.
  • View information on NAT gateways.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the vpc.auditor permissions.

vpc.user

The vpc.user role allows you to use cloud networks, subnets, route tables, gateways, security groups, and IP addresses, get information on these resources, as well as on the quotas and resource operations.

Users with this role can:
  • View the list of cloud networks and info on them, as well as use them.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud resource addresses and info on them, as well as use such addresses.
  • View the list of route tables and info on them, as well as use them.
  • View the list of security groups and info on them, as well as use them.
  • View information on NAT gateways and connect them to route tables.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the vpc.viewer permissions.

vpc.externalAddresses.user

The vpc.externalAddresses.user role allows you to view the list of private and public addresses of the cloud resources; it also enables viewing info on such addresses, using them, and managing the external network connectivity.

vpc.admin

The vpc.admin role allows you to manage cloud networks, subnets, route tables, NAT gateways, security groups, internal and public IP addresses, as well as external network connectivity.

Users with this role can:
  • View the list of cloud networks and info on them, as well as create, modify, and delete them.
  • Configure external access to cloud networks.
  • Manage connectivity of multiple cloud networks.
  • Manage multi-interface instances that provide connectivity between multiple networks.
  • View the list of subnets and info on them, as well as create, modify, and delete them.
  • View the list of route tables and info on them, as well as create, modify, and delete them.
  • Link route tables to subnets.
  • View information on NAT gateways, as well as create, modify, and delete them.
  • View the list of security groups and info on them, as well as create, modify, and delete them.
  • Create and delete default security groups in cloud networks.
  • Create and delete security group rules, as well as edit their metadata.
  • Configure DHCP in subnets.
  • View the list of cloud resource addresses and info on them, as well as create, update, and delete internal and public IP addresses.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the vpc.privateAdmin, vpc.publicAdmin, and vpc.securityGroups.admin permissions.

vpc.bridgeAdmin

The vpc.bridgeAdmin role allows you to use subnets and manage connectivity of multiple cloud networks. This role also allows you to view information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on service quotas and resource operations.

Users with this role can:
  • Manage connectivity of multiple cloud networks.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud networks and the info on them.
  • View the list of cloud resource addresses and the info on them.
  • View the list of route tables and the info on them.
  • View the list of security groups and the info on them.
  • View information on NAT gateways.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the vpc.viewer permissions.

vpc.privateAdmin

The vpc.privateAdmin role allows you to manage cloud networks, subnets, and route tables, as well as view information on the quotas, resources, and resource operations. This role also allows you to manage connectivity within Yandex Cloud, while it does not allow doing so from the internet.

Users with this role can:
  • View the list of cloud networks and info on them, as well as create, modify, and delete them.
  • View the list of subnets and info on them, as well as create, modify, and delete them.
  • View the list of route tables and info on them, as well as create, modify, and delete them.
  • Link route tables to subnets.
  • View the list of security groups and info on them, as well as create default security groups within cloud networks.
  • Configure DHCP in subnets.
  • View the list of cloud resource addresses and info on them, as well as create internal IP addresses.
  • View information on NAT gateways.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the vpc.viewer permissions.

vpc.publicAdmin

The vpc.publicAdmin role allows you to manage NAT gateways, public IP addresses, and external network connectivity, as well as view information on the quotas, resources, and resource operations. This role grants administrator privileges for multi-interface instances that provide connectivity between multiple networks.

Users with this role can:
  • View the list of cloud networks and info on them, as well as set up external access to them.
  • Manage connectivity of multiple cloud networks.
  • Manage multi-interface instances that provide connectivity between multiple networks.
  • View the list of subnets and info on them, as well as modify them.
  • View information on NAT gateways, as well as create, modify, and delete them.
  • View the list of cloud resource addresses and info on them, as well as create, update, and delete public IP addresses.
  • View the list of route tables and info on them, as well as link them to subnets.
  • View the list of security groups and the info on them.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the vpc.viewer permissions.

You can assign a role for a cloud or folder.

Warning

If a network and subnet are in different folders, the vpc.publicAdmin role is checked for the folder where the network is located.

vpc.gateways.viewer

The vpc.gateways.viewer role allows you to view information on NAT gateways.

vpc.gateways.user

The vpc.gateways.user role allows you to view information on NAT gateways and connect them to route tables.

vpc.gateways.editor

The vpc.gateways.editor role allows you to create, modify, and delete NAT gateways, as well as connect them to route tables.

vpc.securityGroups.user

The vpc.securityGroups.user role allows you to assign security groups to network interfaces and view information on the resources, quotas, and resource operations.

Users with this role can:
  • Assign security groups to instance network interfaces.
  • Get a list of cloud networks and view information on them.
  • Get a list of subnets and view information on them.
  • Get a list of cloud resource addresses and view information on them.
  • Get a list of route tables and view information on them.
  • Get a list of security groups and view information on them.
  • View information on NAT gateways.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View information on the relevant folder.

This role includes the vpc.viewer permissions.

vpc.securityGroups.admin

The vpc.securityGroups.admin role allows you to manage security groups and view information on the resources, quotas, and resource operations.

Users with this role can:
  • View information on security groups, as well as create, modify, and delete them.
  • Create and delete default security groups in cloud networks.
  • Create and delete security group rules, as well as edit their metadata.
  • Get a list of cloud networks and view information on them.
  • Get a list of subnets and view information on them.
  • Get a list of cloud resource addresses and view information on them.
  • Get a list of route tables and view information on them.
  • View information on NAT gateways.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View information on the relevant folder.

This role includes the vpc.viewer permissions.

vpc.privateEndpoints.viewer

The vpc.privateEndpoints.viewer role enables viewing info on the service connections.

vpc.privateEndpoints.editor

The vpc.privateEndpoints.editor role enables viewing info on the service connections, as well as creating, modifying, and deleting such connections.

This role includes the vpc.privateEndpoints.viewer permissions.

vpc.privateEndpoints.admin

The vpc.privateEndpoints.admin role enables viewing info on the service connections, as well as creating, modifying, and deleting such connections.

This role includes the vpc.privateEndpoints.editor permissions.

For more information, see Access management in Virtual Private Cloud.

Yandex Vision OCR

ai.vision.user

The ai.vision.user role allows you to use Yandex Vision OCR to analyze images, as well as view info on the relevant cloud, folder, and quotas.

For more information, see Access management in Vision OCR.

Yandex WebSQL

websql.executedQueries.auditor

The websql.executedQueries.auditor role enables viewing the metadata of a published query from the history as well as information on access permissions assigned to it.

websql.savedQueries.auditor

The websql.savedQueries.auditor role enables viewing the metadata of a published saved query as well as information on access permissions assigned to it.

websql.executedQueries.viewer

The websql.executedQueries.viewer role enables viewing info on a published query from the history and access permissions assigned to it.

This role includes the websql.executedQueries.auditor permissions.

websql.savedQueries.viewer

The websql.savedQueries.viewer role enables viewing info on a published saved query and access permissions assigned to it.

This role includes the websql.savedQueries.auditor permissions.

websql.executedQueries.editor

The websql.executedQueries.editor role enables viewing info on a published query from the history and deleting such a query.

Users with this role can:

  • View info on a published query from the history and delete such a query.
  • View info on the access permissions assigned to a published query from the history.

This role includes the websql.executedQueries.viewer permissions.

websql.savedQueries.editor

The websql.savedQueries.editor role enables modifying and deleting a published saved query.

Users with this role can:

  • View info on a published saved query, as well as modify and delete it.
  • View info on the access permissions assigned to a published saved query.

This role includes the websql.savedQueries.viewer permissions.

websql.executedQueries.admin

The websql.executedQueries.admin role enables managing a published query from the history and access to such a query.

Users with this role can:

  • View info on the access permissions assigned to a published query from the history and modify such permissions.
  • View info on a published query from the history and delete such a query.

This role includes the websql.executedQueries.editor permissions.

websql.savedQueries.admin

The websql.savedQueries.admin role enables managing a published saved query and access to it.

Users with this role can:

  • View info on the access permissions assigned to a published saved query and modify such permissions.
  • View info on a published saved query, as well as modify and delete it.

This role includes the websql.savedQueries.editor permissions.

websql.auditor

The websql.auditor role enables viewing the metadata of all published queries within WebSQL as well as information on access permissions assigned to them.

This role includes the websql.savedQueries.auditor and websql.executedQueries.auditor permissions.

websql.viewer

The websql.viewer role enables viewing info on all published queries within WebSQL and access permissions assigned to them.

Users with this role can:

  • View info on the published saved queries and access permissions assigned to them.
  • View info on the published queries from the history and access permissions assigned to them.

This role includes the websql.savedQueries.viewer and websql.executedQueries.viewer permissions.

websql.user

The websql.user role enables viewing info on the published queries within WebSQL, as well as creating, modifying, and deleting the user's own private queries.

Users with this role can:

  • View info on the published saved queries and access permissions assigned to them.
  • Privately save queries and modify and delete privately saved queries.
  • View info on the published queries from the history and access permissions assigned to them.
  • Save the run queries to private history and delete them from history.

This role includes the websql.viewer permissions.

websql.editor

The websql.editor role enables managing published and private queries within WebSQL.

Users with this role can:

  • View info on the published saved queries and access permissions assigned to them, as well as modify and delete such queries.
  • Save queries privately, as well as modify, delete, and publish private saved queries.
  • View info on the published queries from the history and access permissions assigned to them, as well as modify and delete such queries.
  • Save the run queries to private history, as well as publish private queries from the history and delete them.

This role includes the websql.user, websql.savedQueries.editor, and websql.executedQueries.editor permissions.

websql.admin

The websql.admin role enables managing private queries and publishing them, as well as managing published queries and access to them.

Users with this role can:

  • View info on the access permissions assigned to the published saved queries and modify such permissions.
  • View info on the published saved queries, as well as modify and delete them.
  • Save queries privately, as well as modify, delete, and publish private saved queries.
  • View info on the access permissions assigned to the published queries from the history and modify such permissions.
  • View info on the published queries from the history and delete them.
  • Save the run queries to private history, as well as publish private queries from the history and delete them.

This role includes the websql.editor, websql.savedQueries.admin, and websql.executedQueries.admin permissions.

For more information, see Access management in WebSQL.

Yandex Wiki

wiki.viewer

The wiki.viewer role is assigned for an organization.

It grants permission to view pages in the organization's Yandex Wiki.

wiki.admin

The wiki.admin role is assigned for an organization.

It grants permission to edit pages, set up access rights for other users, edit the list of authors, and appoint a page's owner.
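The roles above differ in scope: WebSQL and VPC roles are assigned on a folder (or cloud), while the Yandex Wiki roles are assigned for an organization. The following Terraform configuration is an added example, not part of this reference, showing how to bind roles from this page at the correct scope while keeping to least privilege: a read-only websql.viewer for a group of analysts instead of websql.user or websql.editor, websql.admin only for the service account that manages published queries and their access permissions, and an organization-level wiki.viewer. The resource types yandex_resourcemanager_folder_iam_member and yandex_organizationmanager_organization_iam_member are from the Yandex Cloud Terraform provider; the folder, organization, group and service account IDs are placeholders you must replace.

```hcl
# Added example (not from the role reference). Placeholder IDs must be replaced.
# Folder-scoped roles: WebSQL and VPC roles are granted on a folder or cloud.

# Analysts only need to read published queries and their access permissions:
# websql.viewer, not websql.user (which also lets them save private queries)
# and not websql.editor (which lets them modify and delete published queries).
resource "yandex_resourcemanager_folder_iam_member" "websql_analysts_readonly" {
  folder_id = "b1gexamplefolderid00"          # placeholder folder ID
  role      = "websql.viewer"
  member    = "group:ajeexamplegroupid00"     # placeholder Identity Hub group ID
}

# Only the automation account that manages published queries and their
# access permissions gets websql.admin (includes websql.editor,
# websql.savedQueries.admin and websql.executedQueries.admin).
resource "yandex_resourcemanager_folder_iam_member" "websql_publisher_admin" {
  folder_id = "b1gexamplefolderid00"          # placeholder folder ID
  role      = "websql.admin"
  member    = "serviceAccount:ajeexamplesa0000000"  # placeholder service account ID
}

# An auditor who must see which service connections exist, but must not be
# able to create or delete them, gets vpc.privateEndpoints.viewer rather than
# vpc.privateEndpoints.editor or vpc.privateEndpoints.admin.
resource "yandex_resourcemanager_folder_iam_member" "vpc_endpoints_readonly" {
  folder_id = "b1gexamplefolderid00"          # placeholder folder ID
  role      = "vpc.privateEndpoints.viewer"
  member    = "userAccount:ajeexampleuserid00"  # placeholder user account ID
}

# Organization-scoped role: wiki.viewer and wiki.admin are assigned for an
# organization, so a folder binding would not apply to Yandex Wiki.
resource "yandex_organizationmanager_organization_iam_member" "wiki_readers" {
  organization_id = "bpfexampleorgid0000"     # placeholder organization ID
  role            = "wiki.viewer"
  member          = "group:ajeexamplegroupid00"  # placeholder Identity Hub group ID
}
```

When reviewing such bindings, check that no subject holds a role that already includes a lower one assigned to it separately (for example websql.admin alongside websql.viewer on the same folder); the higher role already carries the lower role's permissions, and the redundant binding only hides the effective access level from anyone reading the configuration.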

ClickHouse® is a registered trademark of ClickHouse, Inc.
