Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Yandex Cloud role reference

Written by
Updated at June 9, 2025

Primitive roles

The chart below shows which primitive roles are available in Yandex Cloud and how they inherit each other's permissions. For example, the editor role includes all the permissions of the viewer role. You can find the description of each role under the chart.

Primitive roles allow users to perform actions in all Yandex Cloud services.

auditor

The auditor role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:

  • View info on a resource.
  • View the resource metadata.
  • View the list of operations with a resource.

auditor is the most secure role that does not grant any access to the service data. This role suits the users who need minimum access to the Yandex Cloud resources.

viewer

The viewer role grants the permissions to read the info on any Yandex Cloud resources.

This role includes the auditor permissions.

Unlike auditor, the viewer role provides access to service data in read mode.

editor

The editor role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.

For instance, users with this role can create, modify, and delete resources.

This role includes the viewer permissions.

admin

The admin role enables assigning any roles, except for resource-manager.clouds.owner and organization-manager.organizations.owner, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).

Prior to assigning the admin role for an organization, cloud, or billing account, make sure to check out the information on protecting privileged accounts.

This role includes the editor permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the least privilege principle.

Service roles

quota-manager.viewer

The quota-manager.viewer role enables viewing info on the Yandex Cloud service quotas and requests to increase such quotas, as well as on clouds.

quota-manager.requestOperator

The quota-manager.requestOperator role lets you create requests for new Yandex Cloud service quotas. This permission is also part of the admin and editor roles.

AI services

ai.auditor

The ai.auditor role enables viewing the quotas for Yandex Translate, Yandex Vision, Yandex SpeechKit, and Yandex Foundation Models, viewing the info on AI assistants, datasets, and text generation models in Yandex Foundation Models, as well as reading folder metadata.

This role includes the ai.assistants.auditor, ai.datasets.auditor, and ai.models.auditor permissions.

ai.viewer

The ai.viewer role enables viewing the info on quotas for Yandex Translate, Yandex Vision, Yandex SpeechKit, and Yandex Foundation Models, on AI assistants, datasets, and text generation models in Yandex Foundation Models, as well as on the relevant folder.

This role includes the ai.auditor, ai.assistants.viewer, ai.datasets.viewer, and ai.models.viewer permissions.

ai.editor

The ai.editor role enables using Yandex Translate, Yandex Vision, Yandex SpeechKit, and Yandex Foundation Models.

Users with this role can:

  • Use Yandex Translate to translate texts.
  • Use Yandex Vision OCR to analyze images.
  • Use Yandex SpeechKit for speech recognition and synthesis.
  • Use YandexGPT API language models for text generation, YandexART models for image generation, and AI assistants within Yandex Foundation Models.
  • View info on datasets, as well as create, modify, and delete them.
  • Fine-tune text generation models in Yandex Foundation Models, as well as create, modify, and delete such models.
  • View info on the relevant cloud and folder.
  • View information on Translate, Vision, SpeechKit, and Foundation Models quotas.

This role includes the ai.viewer, ai.translate.user, ai.vision.user, ai.speechkit-stt.user, ai.speechkit-tts.user, ai.languageModels.user, ai.imageGeneration.user, ai.assistants.editor, and ai.datasets.editor permissions.

ai.admin

The ai.admin role enables using Yandex Translate, Yandex Vision, Yandex SpeechKit, and Yandex Foundation Models.

Users with this role can:

  • Use Yandex Translate to translate texts.
  • Use Yandex Vision OCR to analyze images.
  • Use Yandex SpeechKit for speech recognition and synthesis.
  • Use YandexGPT API language models for text generation, YandexART models for image generation, and AI assistants within Yandex Foundation Models.
  • View info on datasets, as well as create, modify, and delete them.
  • Fine-tune text generation models in Yandex Foundation Models, as well as create, modify, and delete such models.
  • View info on the relevant cloud and folder.
  • View information on Translate, Vision, SpeechKit, and Foundation Models quotas.

This role includes the ai.editor, ai.assistants.admin, ai.datasets.admin, and ai.models.admin permissions.

Yandex Cloud partner program

billing.accounts.owner

When creating your billing account, you get the billing.accounts.owner role automatically. It cannot be revoked, but you can assign it to other users and then revoke from them.

In Yandex Cloud Billing, users with this role can:
On the Yandex Cloud partner portal, users with this role can:
  • Create customer records (subaccounts).
  • View the list of subaccounts and info on them, including personal data.
  • Update subaccount records.
  • Activate subaccounts.
  • Suspend subaccounts.
  • Re-activate subaccounts.
  • Delete subaccounts without customer confirmation.
  • Link clouds to subaccounts.
  • Manage access permissions to subaccounts.
  • View the details of how the customers use services.
  • View rebate credit history.
  • Withdraw rebate.
  • View assigned specializations.
  • View the list of partner discounts and info on them.
  • View the history of crediting referral program bonuses.
  • Withdraw referral program bonuses.
  • View the status of settlements with the referrer company.
  • View the list of referral links.
  • Create referral links.
  • Activate referral links.
  • Modify referral links.

This role includes the billing.accounts.admin and billing.accounts.varWithoutDiscounts permissions.

billing.accounts.viewer

To use the billing.accounts.viewer role, you need to assign it for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, and export reconciliation reports and reporting documents.

In Yandex Cloud Billing, users with this role can:
On the Yandex Cloud partner portal, users with this role can:

billing.accounts.accountant

To use the billing.accounts.accountant role, you need to assign it for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, export reconciliation reports and reporting documents, create new reconciliation reports, and top up your personal account using a bank account.

In Yandex Cloud Billing, users with this role can:
On the Yandex Cloud partner portal, users with this role can:

This role includes the billing.accounts.viewer permissions.

billing.accounts.editor

To use the billing.accounts.editor role, you need to assign it for a billing account. It enables you to get payment invoices, redeem promo codes, link clouds and services to your billing account, create details export and budgets, generate reconciliation reports, and reserve resources.

In Yandex Cloud Billing, users with this role can:
On the Yandex Cloud partner portal, users with this role can:
  • Create customer records (subaccounts).
  • View the list of subaccounts and info on them.
  • Activate subaccounts.
  • Suspend subaccounts.
  • Re-activate subaccounts.
  • Link clouds to subaccounts.
  • View the details of how the customers use services.
  • View rebate credit history.
  • Withdraw rebate.
  • View assigned specializations.
  • View the list of partner discounts and info on them.
  • View the history of crediting referral program bonuses.
  • Withdraw referral program bonuses.
  • View the status of settlements with the referrer company.
  • View the list of referral links.
  • Create referral links.
  • Activate referral links.
  • Modify referral links.

This role includes the billing.accounts.viewer permissions.

billing.accounts.varWithoutDiscounts

To use the billing.accounts.varWithoutDiscounts role, you need to assign it for a billing account. This role grants partner accounts all administrator privileges, except the permission to get information about discounts.

In Yandex Cloud Billing, users with this role can:
On the Yandex Cloud partner portal, users with this role can:
  • Create customer records (subaccounts).
  • View the list of subaccounts and info on them.
  • Activate subaccounts.
  • Suspend subaccounts.
  • Re-activate subaccounts.
  • Link clouds to subaccounts.
  • Manage access permissions to subaccounts.
  • View the details of how the customers use services.
  • View rebate credit history.
  • Withdraw rebate.
  • View the history of crediting referral program bonuses.
  • Withdraw referral program bonuses.
  • View the status of settlements with the referrer company.
  • Create referral links.
  • Activate referral links.
  • Modify referral links.

This role includes the billing.partners.editor permissions.

billing.accounts.admin

To use the billing.accounts.admin role, you need to assign it for a billing account. It enables managing access to a billing account (except for billing.accounts.owner).

In Yandex Cloud Billing, users with this role can:
On the Yandex Cloud partner portal, users with this role can:
  • Create customer records (subaccounts).
  • View the list of subaccounts and info on them, including personal data.
  • Activate subaccounts.
  • Suspend subaccounts.
  • Re-activate subaccounts.
  • Link clouds to subaccounts.
  • Manage access permissions to subaccounts.
  • View the details of how the customers use services.
  • View rebate credit history.
  • Withdraw rebate.
  • View assigned specializations.
  • View the list of partner discounts and info on them.
  • View the history of crediting referral program bonuses.
  • Withdraw referral program bonuses.
  • View the status of settlements with the referrer company.
  • View the list of referral links.
  • Create referral links.
  • Activate referral links.
  • Modify referral links.

This role includes the billing.accounts.editor, billing.accounts.partnerAdmin, and billing.partners.editor permissions.

billing.accounts.partnerViewer

To use the billing.accounts.partnerViewer role, you need to assign it for a billing account. It enables viewing partner info, except for personal data.

On the Yandex Cloud partner portal, users with this role can:

  • View the list of subaccounts and info on them (except for personal data).
  • View the list of partner discounts.
  • View the partner tools page.
  • View the list of accounts and info on them (except for personal data).
  • View the list of contacts and info on them (except for personal data).
  • View the list of partner deals and info on them (except for personal data).

billing.accounts.piiPartnerViewer

To use the billing.accounts.piiPartnerViewer role, you need to assign it for a billing account. It enables viewing subaccount and partner info, including personal data.

On the Yandex Cloud partner portal, users with this role can:

  • View info on the partner balance, discounts, and rebate withdrawals.
  • View details on partner consumption, including consumption in partner subaccounts.
  • View the list of partner discounts.
  • View the partner tools page.
  • View the list of accounts and info on them, including personal data.
  • View the list of subaccounts and info on them, including personal data.
  • View the list of contacts and info on them, including personal data.
  • View the list of partner deals and info on them, including personal data.

This role includes the billing.accounts.partnerViewer permissions.

billing.accounts.partnerEditor

To use the billing.accounts.partnerEditor role, you need to assign it for a billing account. It enables managing accounts, subaccounts, contacts, and partner deals. This role does not provide access to personal data.

On the Yandex Cloud partner portal, users with this role can:

  • Manage subaccounts regardless of the access permissions assigned at the organization level, excepting the permission to work with a partner.
  • View the list of subaccounts and info on them (except for personal data).
  • Create new subaccounts and update the existing ones, as well as suspend, resume, and delete subaccounts.
  • View the list of accounts and info on them (except for personal data), as well as edit such info.
  • View the list of contacts and info on them (except for personal data), as well as edit such contacts.
  • View the list of partner deals and info on them (except for personal data), as well as edit such info.
  • View the list of partner discounts.
  • View the partner tools page.

This role includes the billing.accounts.partnerViewer permissions.

billing.accounts.piiPartnerEditor

To use the billing.accounts.piiPartnerEditor role, you need to assign it for a billing account. It enables managing partner rebate withdrawals, as well as viewing subaccount and partner info, including personal data.

On the Yandex Cloud partner portal, users with this role can:

  • View info on the partner balance, discounts, and rebate withdrawals.
  • Create spending agreements for partner rebates and withdraw such rebates.
  • View details on partner consumption, including consumption in partner subaccounts.
  • View the list of partner discounts.
  • View the partner tools page.
  • View the list of accounts and info on them, including personal data.
  • View the list of subaccounts and info on them, including personal data.
  • View the list of contacts and info on them, including personal data.
  • View the list of partner deals and info on them, including personal data.

This role includes the billing.accounts.piiPartnerViewer permissions.

billing.accounts.partnerAdmin

To use the billing.accounts.partnerAdmin role, you need to assign it to a billing account. It enables access to all partner portal tools and all info stored on the portal, including personal data.

On the Yandex Cloud partner portal, users with this role can:

  • Manage subaccounts regardless of the access permissions assigned at the organization level, excepting the permission to work with a partner.
  • View the list of subaccounts and info on them, including personal data.
  • Create new subaccounts and update the existing ones, as well as suspend, resume, and delete subaccounts.
  • View the list of accounts and info on them, including personal data, as well as edit such info.
  • View the list of contacts and info on them, including personal data, as well as edit such contacts.
  • View the list of partner deals and info on them, including personal data, as well as edit such info.
  • View info on the partner balance, discounts, and rebate withdrawals.
  • Create spending agreements for partner rebates and withdraw such rebates.
  • View details on partner consumption, including consumption in partner subaccounts.
  • View the list of partner discounts.
  • View the partner tools page.

This role includes the billing.accounts.partnerEditor and billing.accounts.piiPartnerEditor permissions.

For more information, see Access management in Yandex Cloud partner program.

Yandex API Gateway

api-gateway.auditor

The api-gateway.auditor role allows you to view the list of API gateways and the details on access permissions assigned to such gateways. It also enables viewing the relevant folder metadata.

api-gateway.viewer

The api-gateway.viewer role allows you to view the list of API gateways, info on them, and the details on access permissions assigned to such gateways. It also enables viewing the relevant folder metadata.

This role includes the api-gateway.auditor permissions.

api-gateway.editor

The api-gateway.editor role enables managing API gateways and viewing info on them, as well as working with WebSocket API.

Users with this role can:

  • View the list of API gateways, info on them and on access permissions assigned to them, as well as use, modify, and delete such gateways.
  • Use the request rate limit.
  • View info on WebSocket connections and close them, as well as send data through such connections.
  • View info on the relevant folder.

This role includes the api-gateway.websocketWriter permissions.

api-gateway.websocketWriter

The api-gateway.websocketWriter role allows you to work with WebSocket API, as well as view the list of API gateways, info on them, and the details on access permissions assigned to such gateways.

Users with this role can:

This role includes the api-gateway.viewer permissions.

api-gateway.websocketBroadcaster

The api-gateway.websocketBroadcaster role enables transmitting data through WebSocket (which includes sending data to multiple clients concurrently), as well as viewing the list of API gateways, info on them and on access permissions assigned to them.

Users with this role can:

  • View info on WebSocket connections and close them, as well as send data through such connections, which includes transmitting data to multiple clients concurrently.
  • View the list of API gateways, info on them and on access permissions assigned to them.
  • View info on the relevant folder.

This role includes the api-gateway.websocketWriter permissions.

api-gateway.admin

The api-gateway.admin role enables managing API gateways and access to them, viewing info on API gateways, and working with WebSocket API.

Users with this role can:

  • View info on access permissions assigned for API gateways and modify such permissions.
  • View info on API gateways, as well as create, modify, and delete them.
  • View info on WebSocket connections and close them, as well as send data through such connections.
  • Use the request rate limit.
  • View info on the relevant folder.

This role includes the api-gateway.editor permissions.

For more information, see Access management in API Gateway.

Yandex Application Load Balancer

alb.auditor

The alb.auditor role enables you to view info on the Application Load Balancer resources and quotas.

Users with this role can:

alb.viewer

The alb.viewer role enables viewing the list of Application Load Balancer resources and the info on them and the relevant quotas.

Users with this role can:

This role includes the alb.auditor permissions.

alb.user

The alb.user role enables using L7 balancers, HTTP routers, backend groups, and target groups, as well as viewing info on the Application Load Balancer resources.

Users with this role can:

  • View the list of L7 balancers and info on them, as well as use them.
  • View the list of HTTP routers and the info on them, as well as use such routers.
  • View the list of virtual hosts and the info on them.
  • View the list of backend groups and info on them, as well as use them.
  • View the list of target groups and the info on them, as well as use them.
  • View info on the Application Load Balancer quotas.

You can assign this role for a folder.

alb.editor

The alb.editor role enables managing Application Load Balancer resources and internal network load balancers, as well as viewing info on them and on the cloud networks, subnets, route tables, gateways, security groups, and IP addresses.

Users with this role can:
  • View the list of L7 balancers and the info on them, as well as create, modify, delete, and use such balancers.
  • View the list of HTTP routers and the info on them, as well as create, modify, delete, and use such routers.
  • View the list of virtual hosts and info on them, as well as modify them.
  • View the list of backend groups and the info on them, as well as create, modify, delete, and use such groups.
  • View the list of L7 balancer target groups and network balancers and the info on them, as well as create, modify, delete, and use target groups.
  • View the list of network load balancers and the info on them, as well as create internal network load balances (including those with UDP listeners), modify, delete, start, and stop them.
  • View the list of cloud networks and info on them, as well as use them.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud resource addresses and info on them, as well as use such addresses.
  • View the list of route tables and info on them, as well as use them.
  • View the list of security groups and info on them, as well as use them.
  • View information on NAT gateways and connect them to route tables.
  • View the info on the used IP addresses in subnets, as well as create internal addresses.
  • View the info on operations with the Virtual Private Cloud and Compute Cloud resources.
  • View the list of operations with the Network Load Balancer resources.
  • View info on the relevant cloud and folder.
  • View info on the Application Load Balancer, Network Load Balancer, and Virtual Private Cloud quotas.

This role includes the load-balancer.privateAdmin and vpc.user permissions.

To connect a public IP address to a new or existing L7 balancer, you also need the vpc.publicAdmin role assigned for the network where the balancer resides.

alb.admin

The alb.admin role enables managing Application Load Balancer resources and internal network load balancers, as well as viewing info on cloud networks, subnets, route tables, gateways, security groups, IP addresses, and quotas.

Users with this role can:
  • View the list of L7 balancers and the info on them, as well as create, modify, delete, and use such balancers.
  • View the list of HTTP routers and the info on them, as well as create, modify, delete, and use such routers.
  • View the list of virtual hosts and info on them, as well as modify them.
  • View the list of backend groups and the info on them, as well as create, modify, delete, and use such groups.
  • View the list of L7 balancer target groups and network balancers and the info on them, as well as create, modify, delete, and use target groups.
  • View the list of network load balancers and the info on them, as well as create internal network load balances (including those with UDP listeners), modify, delete, start, and stop them.
  • View the list of cloud networks and info on them, as well as use them.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud resource addresses and info on them, as well as use such addresses.
  • View the list of route tables and info on them, as well as use them.
  • View the list of security groups and info on them, as well as use them.
  • View information on NAT gateways and connect them to route tables.
  • View the info on the used IP addresses in subnets, as well as create internal addresses.
  • View the info on operations with the Virtual Private Cloud and Compute Cloud resources.
  • View the list of operations with the Network Load Balancer resources.
  • View info on the relevant cloud and folder.
  • View info on the Application Load Balancer, Network Load Balancer, and Virtual Private Cloud quotas.

This role includes the alb.editor permissions.

To connect a public IP address to a new or existing L7 balancer, you also need the vpc.publicAdmin role assigned for the network where the balancer resides.

For more information, see Access management in Application Load Balancer.

Yandex Audit Trails

audit-trails.auditor

The audit-trails.auditor role enables viewing the list of trails and info on them, as well as the info on the relevant cloud, folder, and Audit Trails quotas.

audit-trails.viewer

The audit-trails.viewer role enables reading audit logs and viewing the list of trails and info on them, as well as the info on the relevant cloud, folder, and Audit Trails quotas.

This role includes the audit-trails.auditor permissions.

audit-trails.editor

The audit-trails.editor role enables managing trails and reading audit logs.

Users with this role can:

  • View the list of trails and info on them, as well as create, modify, and delete them.
  • Read audit logs.
  • View info on the relevant cloud and folder.
  • View info on the Audit Trails quotas.

This role includes the audit-trails.viewer permissions.

audit-trails.admin

The audit-trails.admin role enables managing trails and user access to them, as well as reading audit logs.

Users with this role can:

  • View info on access permissions assigned to trails and modify such permissions.
  • View the list of trails and info on them, as well as create, modify, and delete them.
  • Read audit logs.
  • View info on the relevant cloud and folder.
  • View info on the Audit Trails quotas.

This role includes the audit-trails.editor permissions.

audit-trails.configViewer

The audit-trails.configViewer role enables viewing the list of trails and info on them, as well as the info on the relevant cloud, folder, and Audit Trails quotas.

This role is no longer available. Please use audit-trails.auditor instead.

For more information, see Access management Audit Trails.

Yandex BareMetal

baremetal.auditor

The baremetal.auditor role enables viewing the Yandex BareMetal resource metadata.

Users with this role can:

baremetal.viewer

The baremetal.viewer role enables viewing info on the Yandex BareMetal resources.

Users with this role can:

This role includes the baremetal.auditor permissions.

baremetal.operator

The baremetal.operator role enables working on the BareMetal servers and viewing info on the Yandex BareMetal resources.

Users with this role can:

This role includes the baremetal.viewer permissions.

baremetal.editor

The baremetal.editor role enables managing BareMetal servers, private subnets, virtual routing and forwarding (VRF) segments, and OS server images.

Users with this role can:

  • View info on BareMetal servers and their configuration.
  • Start and stop renting BareMetal servers and change their settings.
  • View info on private subnets, as well as create, modify, and delete them.
  • View info on virtual routing and forwarding (VRF) segments, as well as create, modify, and delete them.
  • View info on the uploaded OS images for BareMetal servers, as well as upload, modify, and delete such images.
  • Re-install OS’s for BareMetal servers.
  • Use the KVM console.
  • Use IPMI to power the servers on, shut them down, and restart them.
  • View details on Yandex BareMetal quotas.
  • View info on the relevant folder.

This role includes the baremetal.viewer permissions.

baremetal.admin

The baremetal.admin role enables managing BareMetal servers, private subnets, virtual routing and forwarding (VRF) segments, and OS server images.

Users with this role can:

  • View info on BareMetal servers and their configuration.
  • Start and stop renting BareMetal servers and change their settings.
  • View info on private subnets, as well as create, modify, and delete them.
  • View info on virtual routing and forwarding (VRF) segments, as well as create, modify, and delete them.
  • View info on the uploaded OS images for BareMetal servers, as well as upload, modify, and delete such images.
  • Re-install OS’s for BareMetal servers.
  • Use the KVM console.
  • Use IPMI to power the servers on, shut them down, and restart them.
  • View details on Yandex BareMetal quotas.
  • View info on the relevant folder.

This role includes the baremetal.editor permissions.

For more information, see Access management in Yandex BareMetal.

Yandex Certificate Manager

certificate-manager.auditor

The certificate-manager.auditor role enables viewing info on certificates and access permissions assigned to them.

Users with this role can:

certificate-manager.viewer

The certificate-manager.viewer role enables viewing info on certificates and access permissions assigned to them.

Users with this role can:

This role includes the certificate-manager.auditor permissions.

certificate-manager.editor

The certificate-manager.editor role enables managing certificates and viewing info on them, as well as on access permissions assigned to them, and on the Certificate Manager quotas.

Users with this role can:

This role includes the certificate-manager.viewer permissions.

certificate-manager.admin

The certificate-manager.admin role enables managing certificates and access to them, as well as getting the certificate contents.

Users with this role can:

  • View the list of certificates and dependent resources, as well as info on certificates.
  • View info on access permissions assigned to certificates and modify such permissions.
  • Add, modify, update, and delete certificates.
  • Get certificate contents.
  • View info on the Certificate Manager quotas.
  • View info on the relevant folder.

This role includes the certificate-manager.editor permissions.

certificate-manager.certificates.downloader

The certificate-manager.certificates.downloader role enables viewing the list of certificates and info on them, as well as getting the certificate contents.

For more information, see Access management in Certificate Manager.

Yandex Cloud Backup

backup.viewer

The backup.viewer role enables viewing information on virtual machines and BareMetal servers connected to Cloud Backup, on backup policies and backups, as well as on the relevant cloud, folder, and quotas.

Users with this role can:

  • View info on the connected backup providers.
  • View info on the access permissions granted for the relevant backup policies.
  • View info on backup policies and virtual machines and BareMetal servers linked to them.
  • View info on the virtual machines and BareMetal servers connected to Cloud Backup.
  • View info on backups.
  • View info on Cloud Backup quotas.
  • View info on the relevant cloud.
  • View info on the relevant folder and its statistics.

To assign the backup.viewer role, you need the admin role for the cloud or backup.admin for the folder.

backup.editor

The backup.editor role enables managing the connection of virtual machines and BareMetal servers to Cloud Backup, managing backup policies, making backups, and restoring VMs and BareMetal servers from the existing backups.

Users with this role can:

  • View info on connected backup providers, as well as connect providers available in Cloud Backup.
  • Create, modify, and delete backup policies, as well as link, unlink, and run them on virtual machines and BareMetal servers.
  • View info on the access permissions granted for the relevant backup policies.
  • View info on backup policies and virtual machines and BareMetal servers linked to them.
  • View info on virtual machines and BareMetal servers connected to Cloud Backup, as well as connect and disconnect VMs and BareMetal servers to and from it.
  • View info on backups, as well as delete them and use them to restore VMs and BareMetal servers.
  • View info on Cloud Backup quotas.
  • View info on the relevant cloud.
  • View info on the relevant folder and its statistics.

This role includes the backup.viewer permissions.

To assign the backup.editor role, you need the admin role for the cloud or backup.admin for the folder.

backup.admin

The backup.admin role enables managing backup policies and access to them, managing the connection of virtual machines and BareMetal servers to Cloud Backup, making backups, and restoring VMs and BareMetal servers from the existing backups.

Users with this role can:

  • View info on the access permissions granted for the relevant backup policies and modify such permissions.
  • View info on connected backup providers, as well as connect providers available in Cloud Backup.
  • Create, modify, and delete backup policies, as well as link, unlink, and run them on virtual machines and BareMetal servers.
  • View info on backup policies and virtual machines and BareMetal servers linked to them.
  • View info on virtual machines and BareMetal servers connected to Cloud Backup, as well as connect and disconnect VMs and BareMetal servers to and from it.
  • View info on backups, as well as delete them and use them to restore VMs and BareMetal servers.
  • View info on Cloud Backup quotas.
  • View info on the relevant cloud.
  • View info on the relevant folder and its statistics.

This role includes the backup.editor permissions.

To assign the backup.admin role, you need the admin role for the cloud.

For more information, see Access management in Cloud Backup.

Yandex Cloud Billing

billing.accounts.member

The billing.accounts.member role is granted automatically when a user is added to the service. It is required to display the selected billing account in the list of all user accounts.

billing.accounts.owner

When creating your billing account, you get the billing.accounts.owner role automatically. It cannot be revoked, but you can assign it to other users and then revoke from them.

In Yandex Cloud Billing, users with this role can:
On the Yandex Cloud partner portal, users with this role can:
  • Create customer records (subaccounts).
  • View the list of subaccounts and info on them, including personal data.
  • Update subaccount records.
  • Activate subaccounts.
  • Suspend subaccounts.
  • Re-activate subaccounts.
  • Delete subaccounts without customer confirmation.
  • Link clouds to subaccounts.
  • Manage access permissions to subaccounts.
  • View the details of how the customers use services.
  • View rebate credit history.
  • Withdraw rebate.
  • View assigned specializations.
  • View the list of partner discounts and info on them.
  • View the history of crediting referral program bonuses.
  • Withdraw referral program bonuses.
  • View the status of settlements with the referrer company.
  • View the list of referral links.
  • Create referral links.
  • Activate referral links.
  • Modify referral links.

This role includes the billing.accounts.admin and billing.accounts.varWithoutDiscounts permissions.

billing.accounts.viewer

To use the billing.accounts.viewer role, you need to assign it for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, and export reconciliation reports and reporting documents.

In Yandex Cloud Billing, users with this role can:
On the Yandex Cloud partner portal, users with this role can:

billing.accounts.accountant

To use the billing.accounts.accountant role, you need to assign it for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, export reconciliation reports and reporting documents, create new reconciliation reports, and top up your personal account using a bank account.

In Yandex Cloud Billing, users with this role can:
On the Yandex Cloud partner portal, users with this role can:

This role includes the billing.accounts.viewer permissions.

billing.accounts.editor

To use the billing.accounts.editor role, you need to assign it for a billing account. It enables you to get payment invoices, redeem promo codes, link clouds and services to your billing account, create details export and budgets, generate reconciliation reports, and reserve resources.

In Yandex Cloud Billing, users with this role can:
On the Yandex Cloud partner portal, users with this role can:
  • Create customer records (subaccounts).
  • View the list of subaccounts and info on them.
  • Activate subaccounts.
  • Suspend subaccounts.
  • Re-activate subaccounts.
  • Link clouds to subaccounts.
  • View the details of how the customers use services.
  • View rebate credit history.
  • Withdraw rebate.
  • View assigned specializations.
  • View the list of partner discounts and info on them.
  • View the history of crediting referral program bonuses.
  • Withdraw referral program bonuses.
  • View the status of settlements with the referrer company.
  • View the list of referral links.
  • Create referral links.
  • Activate referral links.
  • Modify referral links.

This role includes the billing.accounts.viewer permissions.

billing.accounts.admin

To use the billing.accounts.admin role, you need to assign it for a billing account. It enables managing access to a billing account (except for billing.accounts.owner).

In Yandex Cloud Billing, users with this role can:
On the Yandex Cloud partner portal, users with this role can:
  • Create customer records (subaccounts).
  • View the list of subaccounts and info on them, including personal data.
  • Activate subaccounts.
  • Suspend subaccounts.
  • Re-activate subaccounts.
  • Link clouds to subaccounts.
  • Manage access permissions to subaccounts.
  • View the details of how the customers use services.
  • View rebate credit history.
  • Withdraw rebate.
  • View assigned specializations.
  • View the list of partner discounts and info on them.
  • View the history of crediting referral program bonuses.
  • Withdraw referral program bonuses.
  • View the status of settlements with the referrer company.
  • View the list of referral links.
  • Create referral links.
  • Activate referral links.
  • Modify referral links.

This role includes the billing.accounts.editor, billing.accounts.partnerAdmin, and billing.partners.editor permissions.

billing.accounts.varWithoutDiscounts

To use the billing.accounts.varWithoutDiscounts role, you need to assign it for a billing account. This role grants partner accounts all administrator privileges, except the permission to get information about discounts.

In Yandex Cloud Billing, users with this role can:
On the Yandex Cloud partner portal, users with this role can:
  • Create customer records (subaccounts).
  • View the list of subaccounts and info on them.
  • Activate subaccounts.
  • Suspend subaccounts.
  • Re-activate subaccounts.
  • Link clouds to subaccounts.
  • Manage access permissions to subaccounts.
  • View the details of how the customers use services.
  • View rebate credit history.
  • Withdraw rebate.
  • View the history of crediting referral program bonuses.
  • Withdraw referral program bonuses.
  • View the status of settlements with the referrer company.
  • Create referral links.
  • Activate referral links.
  • Modify referral links.

This role includes the billing.partners.editor permissions.

billing.partners.editor

The billing.partners.editor role is assigned for a billing account. It grants permission to edit information about a partner and their products in the partner product catalog.

For more information, see Access management in Yandex Cloud Billing.

Yandex Cloud CDN

cdn.viewer

The cdn.viewer role enables viewing info on the folder, origin groups, CDN resources, and Cloud CDN quotas.

cdn.editor

The cdn.editor role enables managing Cloud CDN resources, as well as viewing the info on quotas and the relevant folder.

Users with this role can:

This role includes the cdn.viewer permissions.

cdn.admin

The cdn.admin role enables managing Cloud CDN resources, as well as viewing the info on quotas and the relevant folder.

Users with this role can:

This role includes the cdn.editor permissions.

Moving forward, it will additionally include more features.

For more information, see Access management in Cloud CDN.

Yandex Cloud Desktop

vdi.viewer

The vdi.viewer role allows using desktops and viewing information on desktops and desktop groups.

Users with this role can:

  • View information on desktop groups and access permissions granted for such groups.
  • View information on desktops and use them.
  • View information on Cloud Desktop quotas.

vdi.editor

The vdi.editor role allows managing desktop groups and desktops as well as using desktops.

Users with this role can:

  • View information on desktop groups, create, update, and delete desktop groups.
  • View information on access permissions granted for desktop groups.
  • View information on desktops and use them.
  • Create, update, start, restart, stop, and delete desktops.
  • View information on Cloud Desktop quotas.

This role includes the vdi.viewer permissions.

vdi.admin

The vdi.admin role allows managing desktop groups and access to them, as well as managing and using desktops.

Users with this role can:

  • View information on and update access permissions granted for desktop groups.
  • View information on desktop groups, create, update, and delete desktop groups.
  • View information on desktops and use them.
  • Create, update, start, restart, stop, and delete desktops.
  • View information on Cloud Desktop quotas.
  • View info on the relevant folder.

This role includes the vdi.editor permissions.

For more information, see Access management in Yandex Cloud Desktop.

Yandex Cloud DNS

dns.auditor

The dns.auditor role enables viewing info on DNS zones and access permissions assigned to them, as well as on the relevant folder and Cloud DNS quotas. This role does not provide access to resource records.

dns.viewer

The dns.viewer role enables viewing info on DNS zones and access permissions assigned to them, as well as on the resource records, the relevant folder, and Cloud DNS quotas.

This role includes the dns.auditor permissions.

dns.editor

The dns.editor role enables managing DNS zones and resource records, as well as viewing info on the relevant folder and Cloud DNS quotas.

Users with this role can:

  • View information on DNS zones as well as create, use, modify, and delete them.
  • View information on resource records as well as create, modify, and delete them.
  • Create nested public DNS zones.
  • View information on access permissions assigned for DNS zones.
  • View information on Cloud DNS quotas.
  • View information on the relevant folder.

This role includes the dns.viewer permissions.

dns.admin

The dns.admin role enables managing DNS zones and access to them, and resource records, as well as viewing info on the relevant folder and Cloud DNS quotas.

Users with this role can:

  • View information on access permissions assigned for DNS zones, as well as create, modify, and delete such permissions.
  • View information on DNS zones as well as create, use, modify, and delete them.
  • View information on resource records as well as create, modify, and delete them.
  • Create nested public DNS zones.
  • View information on Cloud DNS quotas.
  • View information on the relevant folder.

This role includes the dns.editor permissions.

For more information, see Access management in Cloud DNS.

Yandex Cloud Functions

functions.auditor

The functions.auditor role enables viewing info on the functions, triggers, and connections to managed databases.

Users with this role can:

  • View the list of functions and info on them.
  • View the list of triggers and info on them.
  • View the list of database connections and info on them.
  • View info on granted access permissions for Cloud Functions resources.

functions.viewer

The functions.viewer role enables viewing info on functions, including the function version code and environment variables, as well as on triggers and connections to managed databases.

Users with this role can:

This role includes the functions.auditor permissions.

functions.functionInvoker

The functions.functionInvoker role enables invoking functions.

functions.editor

The functions.editor role enables managing functions, triggers, API gateways, and connections to managed databases.

Users with this role can:

  • View the list of functions and info on them, create functions and their versions, and modify, invoke, and delete functions.
  • View the function version environment variables and code.
  • View the list of triggers and info on them, as well as create, stop, run, modify, and delete them.
  • View the list of database connections and the info on them, as well as create, modify, and delete database connections and connect to databases through functions.
  • Create, modify, and delete API gateways.
  • View info on granted access permissions for Cloud Functions resources.
  • View info on Cloud Functions quotas.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role includes the functions.viewer permissions.

functions.mdbProxiesUser

The functions.mdbProxiesUser role enables connecting to managed databases through functions.

functions.admin

The functions.admin role enables managing functions, triggers, API gateways, and connections to managed databases, as well as access to those.

Users with this role can:

  • View info on the granted access permissions to the Cloud Functions resources and modify such access permissions.
  • View the list of functions and info on them, create functions and their versions, and modify, invoke, and delete functions.
  • View the function version environment variables and code.
  • View the list of triggers and info on them, as well as create, stop, run, modify, and delete them.
  • View the list of database connections and the info on them, as well as create, modify, and delete database connections and connect to databases through functions.
  • Create, modify, and delete API gateways.
  • View info on Cloud Functions quotas.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role includes the functions.editor permissions.

serverless.mdbProxies.user

The serverless.mdbProxies.user role enables connecting to managed databases through Cloud Functions.

This role is no longer available. Please use functions.mdbProxiesUser instead.

serverless.functions.invoker

The serverless.functions.invoker role enables invoking functions.

This role is no longer available. Please use functions.functionInvoker instead.

serverless.functions.admin

The serverless.functions.admin role enables managing functions, triggers, API gateways, and connections to managed databases, as well as access to those.

Users with this role can:

  • View info on the granted access permissions to the Cloud Functions resources and modify such access permissions.
  • View the list of functions and info on them, create functions and their versions, and modify, invoke, and delete functions.
  • View the function version environment variables and code.
  • View the list of triggers and info on them, as well as create, stop, run, modify, and delete them.
  • View the list of database connections and the info on them, as well as create, modify, and delete database connections and connect to databases through functions.
  • View the list of API gateways and info on them, as well as create, modify, and delete them.
  • View info on Cloud Functions quotas.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role is no longer available. Please use functions.admin instead.

For more information, see Access management in Cloud Functions.

Yandex Cloud Logging

logging.viewer

The logging.viewer role enables viewing info on log groups and sinks and access permissions assigned to them, as well as on the relevant cloud and folder.

Users with this role can:

logging.editor

The logging.editor role enables viewing info on Cloud Logging resources and managing them.

Users with this role can:

  • View info on log groups, as well as create, modify, delete, and use them.
  • View info on log sinks, as well as create, modify, delete, and use them.
  • View info on access permissions assigned to Cloud Logging resources.
  • View info on log exports, run export, and create, modify, and delete exported files.
  • View information on the relevant cloud and folder.

This role includes the logging.viewer permissions.

logging.reader

The logging.reader role enables viewing log group entries and info on the Cloud Logging resources, as well as the cloud and folder metadata.

Users with this role can:

  • View log group entries.
  • View info on log groups.
  • View info on log sinks.
  • View info on access permissions assigned to Cloud Logging resources.
  • View info on log exports.
  • View information on the relevant cloud and folder.

This role includes the logging.viewer permissions.

logging.writer

The logging.writer role enables adding entries to log groups and viewing info on the Cloud Logging resources, as well as on the relevant cloud and folder.

Users with this role can:

  • Add entries to log groups.
  • View info on log groups.
  • View info on log sinks.
  • View info on access permissions assigned to Cloud Logging resources.
  • View info on log exports.
  • View information on the relevant cloud and folder.

This role includes the logging.viewer permissions.

logging.admin

The logging.admin role enables managing your Cloud Logging resources and access to them, as well as viewing and adding entries to log groups.

Users with this role can:

  • View info on access permissions assigned to Cloud Logging resources and modify such permissions.
  • View info on log groups, as well as create, modify, delete, and use them.
  • View info on log sinks, as well as create, modify, delete, and use them.
  • View info on log exports, run export, and create, modify, and delete exported files.
  • View and add entries to log groups.
  • View info on Cloud Logging quotas.
  • View information on the relevant cloud and folder.

This role includes the logging.editor, logging.reader, and logging.writer permissions.

For more information, see Access management in Cloud Logging.

Yandex Cloud Marketplace

Partner roles

marketplace.meteringAgent

The marketplace.meteringAgent role enables tracking Marketplace product usage.

This role allows a partner to:

  • Authenticate apps in the Metering API.
  • Track the installed app metrics to price the app usage.

You can assign this role to a service account under which you are going to send the usage metrics.

license-manager.saasSubscriptionSupervisor

The license-manager.saasSubscriptionSupervisor role enables viewing info on subscriptions and their links to resources, apps, and services, as well as creating such links.

This role is designed for SaaS products and can be assigned to a service account used to link subscriptions to resources, apps, and services.

marketplace.product.creator

The marketplace.product.creator role enables creating Marketplace products in the partner profile and managing access to such products.

marketplace.product.admin

The marketplace.product.admin role enables managing Marketplace products and access to them, as well as their versions, pricing, trial periods, forms, and moderation requests.

Users with this role can:

  • View info on the access permissions granted for products, as well as modify such permissions.
  • View info on products, as well as create and delete them.
  • View the list of product versions and info on them, as well as create, modify, and delete versions.
  • View the list of product pricing plans and info on such plans, as well as create and edit plans.
  • View info on trial periods and create, modify, and delete them.
  • View the list of moderation requests for products and info on them, as well as create, modify, and delete such requests.
  • View the list of product forms and info on them, as well as create, modify, and delete such forms.
  • View the list of product categories.

marketplace.publishers.reportViewer

The marketplace.publishers.reportViewer role enables viewing the reports on Marketplace products in the partner profile.

marketplace.publishers.viewer

The marketplace.publishers.viewer role enables viewing info on the partner profile and Marketplace products within it, as well as contacting tech support.

Users with this role can:

  • View the list of available partner profiles, info on them and on the access permissions granted for them.
  • View the list of product versions and info on them, as well as create, modify, and delete versions.
  • View the list of moderation requests for products and info on such requests.
  • Create technical support requests, as well as view, leave comments, and close them.

This role includes the marketplace.publishers.member permissions.

marketplace.publishers.editor

The marketplace.publishers.editor role enables managing Marketplace products and access to them, as well as their versions, pricing, trial periods, forms, and moderation requests. It also enables contacting tech support.

Users with this role can:

  • View the list of available partner profiles, info on them and on the access permissions granted for them.
  • View info on the access permissions granted for products, as well as modify such permissions.
  • View info on products, as well as create and delete them.
  • View the list of product versions and info on them, as well as create, modify, and delete versions.
  • View the list of product pricing plans and info on such plans, as well as create and edit plans.
  • View the list of product trial periods and info on them, as well as create, modify, and delete such periods.
  • View the list of moderation requests for products and info on them, as well as create, modify, and delete such requests.
  • View the list of product forms and info on them, as well as create, modify, and delete such forms.
  • View the list of product categories.
  • Create technical support requests, as well as view, leave comments, and close them.

This role includes the marketplace.publishers.viewer and marketplace.product.admin permissions.

marketplace.publishers.admin

The marketplace.publishers.admin role enables managing access to the partner profile, as well as managing Marketplace products and access to them, their versions, pricing, trial periods, forms, and moderation requests. It also enables viewing reports on Marketplace products in the partner profile.

Users with this role can:

  • View the list of available partner profiles, info on them and on the access permissions granted for them, as well as modify such permissions.
  • View info on the access permissions granted for products, as well as modify such permissions.
  • View info on products, as well as create and delete them.
  • View the list of product versions and info on them, as well as create, modify, and delete versions.
  • View the list of product pricing plans and info on such plans, as well as create and edit plans.
  • View info on trial periods and create, modify, and delete them.
  • View the list of moderation requests for products and info on them, as well as create, modify, and delete such requests.
  • View the list of product forms and info on them, as well as create, modify, and delete such forms.
  • View the list of product categories.
  • View the reports on Marketplace products in the partner profile.
  • Create technical support requests, as well as view, leave comments, and close them.

This role includes the marketplace.publishers.editor and marketplace.publishers.reportViewer permissions.

marketplace.publishers.owner

The marketplace.publishers.owner role enables managing access to the partner profile, as well as managing Marketplace products and access to them, their versions, pricing, trial periods, forms, and moderation requests. It also enables viewing reports on Marketplace products in the partner profile.

This role is granted to the billing account owner when creating a partner profile and cannot be re-assigned.

Users with this role can:

  • View the list of available partner profiles, info on them and on the access permissions granted for them, as well as modify such permissions.
  • View info on the access permissions granted for products, as well as modify such permissions.
  • View info on products, as well as create and delete them.
  • View the list of product versions and info on them, as well as create, modify, and delete versions.
  • View the list of product pricing plans and info on such plans, as well as create and edit plans.
  • View the list of product trial periods and info on them, as well as create, modify, and delete such periods.
  • View the list of moderation requests for products and info on them, as well as create, modify, and delete such requests.
  • View the list of product forms and info on them, as well as create, modify, and delete such forms.
  • View the list of product categories.
  • View the reports on Marketplace products in the partner profile.
  • Create technical support requests, as well as view, leave comments, and close them.

This role includes the marketplace.publishers.admin permissions.

marketplace.publishers.member

The marketplace.publishers.member role provides the partner profile member access; however, it does not grant any access to the profile resources. To grant access to products or partner profile reports, you also need to assign the marketplace.publishers.viewer, marketplace.publishers.editor, marketplace.publishers.admin, or marketplace.publishers.owner role to the relevant user.

For more information, see Managing partner access in Marketplace.

User roles

license-manager.auditor

The license-manager.auditor role enables viewing information on subscriptions.

license-manager.viewer

The license-manager.viewer role enables viewing information on subscriptions and their links to a resource, app, or service.

This role includes the license-manager.auditor permissions.

license-manager.user

The license-manager.user role enables managing subscriptions, as well as viewing information on those and their links to resources, apps, or services.

Users with this role can:

  • View information on subscriptions and their links to resources, apps, or services.
  • Buy subscriptions.
  • Disable subscription auto-renew.
  • Link subscriptions to resources, apps, and services, as well as unlink them.
  • Move subscriptions from one folder to another.

This role includes the license-manager.viewer permissions.

license-manager.subscriptionAgent

The license-manager.subscriptionAgent role enables linking subscriptions to resources, apps, or services, as well as viewing info on subscriptions and their links to resources, apps, or services.

For more information, see User access management in Marketplace.

Yandex Cloud Organization

organization-manager.auditor

The organization-manager.auditor role enables viewing info on the organization and its settings, as well as on the federations, users and user groups within the organization.

Users with this role can:
  • View info on the organization under Cloud Organization and its settings.
  • View info on the access permissions granted for the organization.
  • View info on the organization’s identity federations.
  • View the list of the organization users.
  • View the list of the organization users that are subscribed to technical notifications on organization events.
  • View info on certificates.
  • View the list of federated user group mappings and info on them.
  • View info on the attributes of the federated users.
  • View info on the organization's OS Login settings.
  • View the list of OS Login profiles for users and service accounts.
  • View the list of the organization users' SSH keys and the info on such keys.
  • View info on the user groups and access permissions granted for them.
  • View the list of groups a certain user is a member of, as well as the list of users that are members of a certain group.
  • View the info on the refresh tokens of the organization’s federated users and on the refresh token settings.
  • View info on Cloud Organization quotas.
  • View the info on the effective tech support service plan.
  • View the list of technical support requests and the info on them, as well as create and close such requests, leave comments, and attach files to them.

This role includes the iam.userAccounts.refreshTokenViewer, organization-manager.federations.auditor, and organization-manager.osLogins.viewer permissions.

organization-manager.viewer

The organization-manager.viewer role enables viewing info on the organization and its settings, as well as on the identity federations, users and user groups within the organization.

Users with this role can:
  • View info on the organization under Cloud Organization and its settings.
  • View info on the access permissions granted for the organization.
  • View info on the organization’s identity federations.
  • View the list of the organization users and info on them.
  • View the list of the organization users that are subscribed to technical notifications on organization events.
  • View info on certificates.
  • View the list of federated user group mappings and info on them.
  • View info on the attributes of the federated users.
  • View info on the organization's OS Login settings.
  • View the list of OS Login profiles for users and service accounts.
  • View the list of the organization users' SSH keys and the info on such keys.
  • View info on the user groups and access permissions granted for them.
  • View the list of groups a certain user is a member of, as well as the list of users that are members of a certain group.
  • View the info on the refresh tokens of the organization’s federated users and on the refresh token settings.
  • View info on Cloud Organization quotas.
  • View the info on the effective tech support service plan.
  • View the list of technical support requests and the info on them, as well as create and close such requests, leave comments, and attach files to them.

This role includes the organization-manager.auditor, organization-manager.federations.viewer, and organization-manager.users.viewer permissions.

organization-manager.editor

The organization-manager.editor role enables managing the organization settings, identity federations, users, and user groups.

Users with this role can:
  • View and edit info on the relevant organization under Cloud Organization.
  • View and edit organization settings.
  • View info on the access permissions granted for the organization.
  • View info on the identity federations in an organization and create, modify, and delete such federations.
  • View the list of the organization users and info on them.
  • Add and remove federated users.
  • View the list of the organization users that are subscribed to technical notifications on organization events, as well as edit this list.
  • View info on the certificates and add, modify, and delete them.
  • View the lists of federated user group mappings and info on them, as well as create, edit, and delete such lists.
  • View info on the federated user attributes, as well as create, modify, and delete them.
  • View info on the organization's OS Login settings.
  • View the list of OS Login profiles for users and service accounts.
  • View the list of the organization users' SSH keys and the info on such keys.
  • View info on user groups, as well as create, modify, and delete them.
  • View info on access permissions granted for user groups.
  • View the list of groups a certain user is a member of, as well as the list of users that are members of a certain group.
  • View and edit the refresh token settings in an organization.
  • View the info on the refresh tokens of the organization’s federated users, as well as revoke such tokens.
  • View info on Cloud Organization quotas.
  • View the info on the effective tech support service plan.
  • View the list of technical support requests and the info on them, as well as create and close such requests, leave comments, and attach files to them.

This role includes the organization-manager.viewer and organization-manager.federations.editor permissions.

organization-manager.admin

The organization-manager.admin role enables managing organization settings, identity federations, users and their groups, and the user access permissions to the organization and its resources.

Users with this role can:
  • Link a billing account to an organization under Cloud Organization.
  • View and edit info on the relevant organization under Cloud Organization.
  • View and edit organization settings.
  • View info on the access permissions granted for the relevant organization and modify such permissions.
  • View info on the identity federations in an organization and create, modify, and delete such federations.
  • View the list of the organization users and info on them, as well as remove such users from the organization.
  • View the info on the invites to the organization sent to the users, as well as send and delete such invites.
  • Add and remove federated users.
  • View the list of the organization users that are subscribed to technical notifications on organization events, as well as edit this list.
  • View info on the certificates and add, modify, and delete them.
  • Configure federated user group mapping.
  • View the lists of federated user group mappings and info on them, as well as create, edit, and delete such lists.
  • View info on the federated user attributes, as well as create, modify, and delete them.
  • View info on the organization's OS Login settings and modify them.
  • View the list of the users' and service accounts’ OS Login profiles, as well as create, modify, and delete such profiles.
  • View the list of the organization users' SSH keys and info on such keys, as well as create, modify, and delete them.
  • View info on user groups, as well as create, modify, and delete them.
  • Add users and service accounts to and remove them from groups.
  • View info on the access permissions granted for the relevant user groups and modify such permissions.
  • View the list of groups a certain user is a member of, as well as the list of users that are members of a certain group.
  • View and edit the refresh token settings in an organization.
  • View the info on the refresh tokens of the organization’s federated users, as well as revoke such tokens.
  • View info on Cloud Organization quotas.
  • View the info on the effective tech support service plan.
  • View the list of technical support requests and the info on them, as well as create and close such requests, leave comments, and attach files to them.

This role includes the organization-manager.editor, organization-manager.federations.admin, and organization-manager.osLogins.admin permissions.

organization-manager.organizations.owner

The organization-manager.organizations.owner role enables performing any actions with the organization resources and billing accounts, which includes creating billing accounts and linking them to clouds. This role also enables assigning additional organization owners.

Prior to assigning this role, make sure to check out the information on protecting privileged accounts.

organization-manager.federations.auditor

The organization-manager.federations.auditor role enables viewing info on the organization and its settings, the identity federations, and user group mappings.

Users with this role can:

organization-manager.federations.viewer

The organization-manager.federations.viewer role enables viewing info on the organization and its settings, the identity federations, organization users, and user group mappings.

Users with this role can:

This role includes the organization-manager.federations.auditor permissions.

organization-manager.federations.editor

The organization-manager.federations.editor role enables managing identity federations, federated users, and certificates, as well as viewing info on the organization, its settings, and users.

Users with this role can:

This role includes the organization-manager.federations.viewer and organization-manager.federations.userAdmin permissions.

organization-manager.federations.userAdmin

The organization-manager.federations.userAdmin role enables adding and removing federated users to/from an organization, revoking federated users’ refresh tokens, viewing the list of the organization users and the user groups they are members of, and viewing federated users' attributes.

This role includes the iam.userAccounts.refreshTokenRevoker permissions.

organization-manager.federations.admin

The organization-manager.federations.admin role enables managing identity federations, federated users, and certificates, as well as viewing info on the organization, its settings, and users.

Users with this role can:

This role includes the organization-manager.federations.editor permissions.

organization-manager.osLogins.viewer

The organization-manager.osLogins.viewer role enables viewing the organization's OS Login settings and the list of the users' and service accounts’ OS Login profiles, as well as viewing the list of the users' SSH keys and the info on them.

organization-manager.osLogins.admin

The organization-manager.osLogins.admin role enables managing the organization's OS Login settings, as well as the users' OS Login profiles and SSH keys.

Users with this role can:

  • View info on the organization's OS Login settings and modify them.
  • View the list of the organization users' and service accounts’ OS Login profiles, as well as create, modify, and delete such profiles.
  • View the list of the organization users' SSH keys and info on such keys, as well as create, modify, and delete them.

This role includes the organization-manager.osLogins.viewer permissions.

organization-manager.groups.memberAdmin

The organization-manager.groups.memberAdmin role enables viewing the info on user groups, configuring user group mapping, and viewing and modifying the lists of the users and service accounts that are members of groups.

organization-manager.users.viewer

The organization-manager.users.viewer role enables viewing the list of the organization users and the info on them, as well as the lists of groups the users are members of and the federated users’ attributes.

organization-manager.passportUserAdmin

The organization-manager.passportUserAdmin role enables viewing info on the organization users, as well as inviting the users with Yandex accounts to the organization and removing them from it.

Users with this role can:

  • Send and resend invites to the organization to new users with Yandex accounts, as well as view and delete such invites.
  • Remove users from the organization.
  • View the list of the organization users.
  • View the attributes of the organization federated users.

For more information, see Access management in Yandex Cloud Organization.

Yandex Cloud Postbox

postbox.sender

The postbox.sender role allows you to send emails from Yandex Cloud Postbox.

postbox.auditor

The postbox.auditor role allows you to view information about Yandex Cloud Postbox addresses.

Users with this role can:

postbox.viewer

The postbox.viewer role allows you to view information about Yandex Cloud Postbox addresses.

Users with this role can:

This role includes the postbox.auditor permissions.

postbox.editor

The postbox.editor role allows you to manage Yandex Cloud Postbox addresses and send emails.

Users with this role can:

  • Create, modify, and delete addresses and their configurations.
  • View information about addresses and their configurations.
  • Get a list of addresses and their configurations.
  • Send emails.

This role includes the postbox.viewer permissions.

postbox.admin

The postbox.admin role allows you to manage Yandex Cloud Postbox addresses and send emails.

Users with this role can:

  • Create, modify, and delete addresses and their configurations.
  • View information about addresses and their configurations.
  • Get a list of addresses and their configurations.
  • Send emails.

This role includes the postbox.editor permissions.

For more information, see Access management in Yandex Cloud Postbox.

Yandex Cloud Registry

cloud-registry.auditor

The cloud-registry.auditor role enables viewing the artifact metadata, the info on registries and access permissions granted to them, as well as on the Cloud Registry quotas.

Users with this role can:

  • View the artifact metadata.
  • View info on registries.
  • View the list of registry IP permissions.
  • View info on the access permissions granted to registries and folders within registries.
  • View info on the Cloud Registry quotas.
  • View info on the relevant cloud and folder.

cloud-registry.viewer

Thecloud-registry.viewer role enables pulling artifacts, as well as viewing info on artifacts and registries, on the access permissions granted to registries, and on the Cloud Registry quotas.

Users with this role can:

  • View info on artifacts and pull them.
  • View info on registries.
  • View the list of registry IP permissions.
  • View info on the access permissions granted to registries and folders within registries.
  • View info on the Cloud Registry quotas.
  • View info on the relevant cloud and folder.

This role includes the cloud-registry.auditor permissions.

cloud-registry.editor

The cloud-registry.editor role enables managing artifacts and registries, as well as viewing info on the access permissions granted to registries and Cloud Registry quotas.

Users with this role can:

  • View info on artifacts, as well as create, modify, download, and delete them.
  • View info on registries, as well as create, modify, and delete them.
  • Create and delete folders within registries.
  • View the list of registry IP permissions.
  • View info on the access permissions granted to registries and folders within registries.
  • View info on the Cloud Registry quotas.
  • View info on the relevant cloud and folder.

This role includes the cloud-registry.viewer and cloud-registry.artifacts.pusher permissions.

cloud-registry.admin

The cloud-registry.admin role enables managing artifacts, registries, and access to registries, as well as viewing info on the Cloud Registry quotas.

Users with this role can:

  • View info on artifacts, as well as create, modify, download, and delete them.
  • View info on registries, as well as create, modify, and delete them.
  • View info on the access permissions granted to registries and folders within registries, as well as modify such permissions.
  • Create and delete folders within registries.
  • View the list of registry IP permissions.
  • View info on the Cloud Registry quotas.
  • View info on the relevant cloud and folder.

This role includes the cloud-registry.editor permissions.

cloud-registry.artifacts.puller

The cloud-registry.artifacts.puller role enables pulling artifacts, as well as getting info on artifacts and registries.

cloud-registry.artifacts.pusher

The cloud-registry.artifacts.pusher role enables managing artifacts, as well as viewing info on the registries and managing folders within them.

Users with this role can:

  • View info on artifacts, as well as create, modify, download, and delete them.
  • View info on registries.
  • Create and delete folders within registries.

For more information, see Access management in Yandex Cloud Registry.

Yandex Cloud Video

video.auditor

The video.auditor role enables viewing info on Cloud Video resources and their parameters.

video.viewer

The video.viewer role enables viewing info on Cloud Video resources and their parameters.

This role includes the video.auditor permissions.

video.editor

The video.editor role allows you to manage Cloud Video resources, as well as broadcast video streams.

Users with this role can:

  • View info on Cloud Video resources and their settings, as well as create, modify, and delete such resources.
  • Broadcast live video streams from Cloud Video.

This role includes the video.viewer permissions.

video.admin

The video.admin role allows you to manage Cloud Video resources and access to them.

Users with this role can:

  • Manage access of other users to Cloud Video resources.
  • View info on Cloud Video resources and their settings, as well as create, modify, and delete such resources.
  • Broadcast live video streams from Cloud Video.

This role includes the video.editor permissions.

Yandex Compute Cloud

compute.auditor

The compute.auditor role allows you to view information on Compute Cloud resources and relevant operations, as well as on the amount of used resources and quotas. It does not allow you to access the serial port or serial console of an instance.

Users with this role can:
  • View a list of instances and information on them.
  • View a list of instance groups and information on them.
  • View a list of instance placement groups and information on them.
  • View lists of instances in placement groups.
  • View a list of dedicated host groups and information on them.
  • View lists of hosts and instances in dedicated host groups.
  • View information on GPU clusters and instances included in these clusters.
  • View a list of disks and information on them.
  • View a list of file storages and information on them.
  • View a list of non-replicated disk placement groups and information on them.
  • View lists of disks in placement groups.
  • View a list of images and information on them.
  • View information on image families, on images within families, on the latest family image, as well as on access permissions assigned to image families.
  • View a list of disk snapshots and information on them.
  • View information on disk snapshot schedules.
  • View information on Compute Cloud resource and quota consumption and disk limits in the management console.
  • View lists of resource operations for Compute Cloud, as well as information on these operations.
  • View information on the status of configuring access via OS Login on instances.
  • View information on available platforms.
  • View a list of availability zones and information on them.

compute.viewer

The compute.viewer role allows you to view information on Compute Cloud resources and resource operations, as well as on access permissions assigned to the resources and on the amount of used resources and quotas. This role also grants access to instance metadata and serial port output.

Users with this role can:
  • View the instance serial port output.
  • View instance metadata.
  • View a list of instances, information on instances and on access permissions assigned to them.
  • View a list of instance groups and information on them.
  • View a list of instance placement groups, information on instance placement groups and on access permissions assigned to them.
  • View lists of instances in placement groups.
  • View a list of dedicated host groups, information on dedicated host groups and on access permissions assigned to them.
  • View lists of hosts and instances in dedicated host groups.
  • View information on GPU clusters and instances included in GPU clusters, as well as the on access permissions assigned to these clusters.
  • View a list of disks, information on disks and on access permissions assigned to them.
  • View a list of file storages, information on file storages and on access permissions assigned to them.
  • View a list of non-replicated disk placement groups, information on non-replicated disk placement groups and on access permissions assigned to them.
  • View lists of disks in placement groups.
  • View a list of images, information on images and on access permissions assigned to them.
  • View information on image families, on images within families, on the latest family image, as well as on access permissions assigned to image families.
  • View a list of disk snapshots, information on disk snapshots and on access permissions assigned to them.
  • View information on disk snapshot schedules and on access permissions assigned to them.
  • View information on Compute Cloud resource and quota consumption and disk limits in the management console.
  • View lists of resource operations for Compute Cloud, as well as information on these operations.
  • View information on the status of configuring access via OS Login on instances.
  • View information on available platforms.
  • View a list of availability zones, information on availability zones and on access permissions assigned to them.

This role includes the compute.auditor permissions.

compute.editor

The compute.editor role allows you to manage instances, instance groups, disks, images, GPU clusters, and other Compute Cloud resources.

Users with this role can:
  • Create, modify, start, restart, stop, move, and delete instances.
  • View a list of instances, information on instances and on access permissions assigned to them.
  • Connect and disconnect disks, file storages, and network interfaces to and from instances, as well as link security groups to instance network interfaces.
  • Create instances with custom FQDNs and create multi-interface instances.
  • Bind service accounts to instances and activate AWS v1 tokens on instances.
  • Use the instance serial port for reading and writing.
  • Simulate instance maintenance events.
  • View instance metadata.
  • View information on the status of configuring access via OS Login on instances and connect to instances via OS Login using SSH certificates or SSH keys.
  • View a list of instance groups, information on instance groups and on access permissions assigned to them, as well as use, create, modify, start, stop, and delete instance groups.
  • View a list of instance placement groups, information on instance placement groups and on access permissions assigned to them, as well as use, modify, and delete instance placement groups.
  • View lists of instances in placement groups.
  • View a list of dedicated host groups, information on dedicated host groups and on access permissions assigned to them, as well as use, modify, and delete dedicated host groups.
  • View lists of hosts and instances in dedicated host groups.
  • Modify scheduled maintenance windows for hosts in dedicated host groups.
  • Use GPU clusters, as well as create, modify, and delete them.
  • View information on GPU clusters and instances included in GPU clusters, as well as the on access permissions assigned to these clusters.
  • View a list of disks, information on disks and on access permissions assigned to them, as well as use, modify, move, and delete disks.
  • Create encrypted disks.
  • View and update disk links.
  • View a list of file storages, information on file storages and on access permissions assigned to them, as well as use, create, modify, and delete file storages.
  • View a list of non-replicated disk placement groups, information on non-replicated disk placement groups and on access permissions assigned to them, as well as use, modify, and delete non-replicated disk placement groups.
  • View lists of disks in placement groups.
  • View a list of images, information on images and on access permissions assigned to them, as well as use, modify, and delete images.
  • Create, modify, delete, and update image families.
  • View information on image families, on images within families, on the latest family image, as well as on access permissions assigned to image families.
  • View a list of disk snapshots, information on disk snapshots and on access permissions assigned to them, as well as use, modify, and delete disk snapshots.
  • View information on disk snapshot schedules and on access permissions assigned to them, as well as create, modify, and delete disk snapshot schedules.
  • View information on cloud networks and use them.
  • View information on subnets and use them.
  • View information on cloud resource addresses and use them.
  • View information on route tables and use them.
  • View information on security groups and use them.
  • View information on NAT gateways and connect them to route tables.
  • View information on the IP addresses used in subnets.
  • View information on resource operations for Virtual Private Cloud.
  • View information on Virtual Private Cloud quotas.
  • View information on Compute Cloud resource and quota consumption and disk limits in the management console.
  • View lists of resource operations for Compute Cloud and information on operations, as well as abort such operations.
  • View information on available platforms and use them.
  • View a list of availability zones, information on availability zones and on access permissions assigned to them.
  • View information on the relevant cloud.
  • View information on the relevant folder.

This role includes the compute.viewer, compute.osLogin, and vpc.user permissions.

compute.admin

The compute.admin role allows you to manage instances, instance groups, disks, images, GPU clusters, and other Compute Cloud resources, as well as manage access to them.

Users with this role can:
  • Create, modify, start, restart, stop, move, and delete instances, as well as manage access to them.
  • View a list of instances, information on instances and on access permissions assigned to them.
  • Connect and disconnect disks, file storages, and network interfaces to and from instances, as well as link security groups to instance network interfaces.
  • Create instances with custom FQDNs and create multi-interface instances.
  • Bind service accounts to instances and activate AWS v1 tokens on instances.
  • Use the instance serial port for reading and writing.
  • Simulate instance maintenance events.
  • View instance metadata.
  • View information on the status of configuring access via OS Login on instances and connect to instances via OS Login using SSH certificates or SSH keys and run commands as a superuser (sudo).
  • Use, create, modify, start, stop, and delete instance groups, as well as manage access to instance groups.
  • View a list of instance groups, information on instance groups and on access permissions assigned to them.
  • Use, create, modify, and delete instance placement groups, as well as manage access to instance placement groups.
  • View a list of instance placement groups, information on instance placement groups and on access permissions assigned to them.
  • View lists of instances in placement groups.
  • Use, create, modify, and delete dedicated host groups, as well as manage access to dedicated host groups.
  • View a list of dedicated host groups, information on dedicated host groups and on access permissions assigned to them.
  • View lists of hosts and instances in dedicated host groups.
  • Modify scheduled maintenance windows for hosts in dedicated host groups.
  • Use, create, modify, and delete GPU clusters, as well as manage access to them.
  • View information on GPU clusters and instances included in GPU clusters, as well as the on access permissions assigned to these clusters.
  • Use, create, modify, move, and delete disks, as well as manage access to them.
  • Create encrypted disks.
  • View a list of disks, information on disks and on access permissions assigned to them.
  • View and update disk links.
  • Use, create, modify, and delete file storages, as well as manage access to them.
  • View a list of file storages, information on file storages and on access permissions assigned to them.
  • Use, create, modify, and delete non-replicated disk placement groups, as well as manage access to non-replicated disk placement groups.
  • View a list of non-replicated disk placement groups, information on non-replicated disk placement groups and on access permissions assigned to them.
  • View lists of disks in placement groups.
  • Use, create, modify, and delete images, as well as manage access to them.
  • View a list of images, information on images and on access permissions assigned to them.
  • Create, modify, delete, and update image families, as well as manage access to them.
  • View information on image families, on images within families, on the latest family image, as well as on access permissions assigned to image families.
  • Use, create, modify, and delete disk snapshots, as well as manage access to them.
  • View a list of disk snapshots, information on disk snapshots and on access permissions assigned to them.
  • Create, modify, and delete disk snapshot schedules, as well as manage access to them.
  • View information on disk snapshot schedules and on access permissions assigned to them.
  • View information on cloud networks and use them.
  • View information on subnets and use them.
  • View information on cloud resource addresses and use them.
  • View information on route tables and use them.
  • View information on security groups and use them.
  • View information on NAT gateways and connect them to route tables.
  • View information on the IP addresses used in subnets.
  • View information on resource operations for Virtual Private Cloud.
  • View information on Virtual Private Cloud quotas.
  • View information on Compute Cloud resource and quota consumption and disk limits in the management console.
  • View lists of resource operations for Compute Cloud and information on operations, as well as abort such operations.
  • View information on available platforms and use them.
  • View a list of availability zones, information on availability zones and on access permissions assigned to them.
  • View information on the relevant cloud.
  • View information on the relevant folder.

This role includes the compute.editor and compute.osAdminLogin permissions.

compute.osLogin

The compute.osLogin role allows you to connect to instances via OS Login using SSH certificates or SSH keys.

compute.osAdminLogin

The compute.osAdminLogin role allows you to connect to instances using SSH certificates or SSH keys via OS Login and run commands as a superuser (sudo).

compute.disks.user

The compute.disks.user role allows you to view a list of disks and information on them, as well as use disks to create new resources, such as instances.

compute.images.user

The compute.images.user role allows you to view a list of images and information on them, get information on the latest image within the image family, as well as use images to create new resources, such as instances.

compute.operator

The compute.operator role allows you to start and stop instances and instance groups, as well as view information on Compute Cloud resources and resource operations, as well as on access permissions assigned to the resources and the amount of used resources and quotas.

Users with this role can:
  • Start, restart, and stop instances.
  • View a list of instances, information on instances and on access permissions assigned to them.
  • Start and stop instance groups.
  • View a list of instance groups and information on them.
  • View the instance serial port output.
  • View instance metadata.
  • View a list of instance placement groups, information on instance placement groups and on access permissions assigned to them.
  • View lists of instances in placement groups.
  • View a list of dedicated host groups, information on dedicated host groups and on access permissions assigned to them.
  • View lists of hosts and instances in dedicated host groups.
  • View information on GPU clusters and instances included in GPU clusters, as well as the on access permissions assigned to these clusters.
  • View a list of disks, information on disks and on access permissions assigned to them.
  • View a list of file storages, information on file storages and on access permissions assigned to them.
  • View a list of non-replicated disk placement groups, information on non-replicated disk placement groups and on access permissions assigned to them.
  • View lists of disks in placement groups.
  • View a list of images, information on images and on access permissions assigned to them.
  • View information on image families, on images within families, on the latest family image, as well as on access permissions assigned to image families.
  • View a list of disk snapshots, information on disk snapshots and on access permissions assigned to them.
  • View information on disk snapshot schedules and on access permissions assigned to them.
  • View information on Compute Cloud resource and quota consumption and disk limits in the management console.
  • View lists of resource operations for Compute Cloud, as well as information on these operations.
  • View information on the status of configuring access via OS Login on instances.
  • View information on available platforms.
  • View a list of availability zones, information on availability zones and on access permissions assigned to them.

This role includes the compute.viewer permissions.

compute.snapshotSchedules.viewer

The compute.snapshotSchedules.viewer role allows you to view information on scheduled disk snapshots.

Users with this role can:

compute.snapshotSchedules.editor

The compute.snapshotSchedules.editor role allows you to create, modify, and delete disk snapshot schedule, create and delete disk snapshots, as well as view information on disk snapshot operations.

Users with this role can:

  • View information on disk snapshot schedules and on access permissions assigned to them, as well as create, modify, and delete disk snapshot schedules.
  • View lists of disks and use disks to create snapshots.
  • View lists of disk snapshots, create and delete snapshots.
  • View a list of disk snapshot operations and information on them.

This role includes the compute.snapshotSchedules.viewer permissions.

For more information, see Access management in Compute Cloud.

Yandex Connection Manager

connection-manager.auditor

The connection-manager.auditor role allows you to view public details on connections and access permissions assigned to them. If you have this role assigned for a cloud, it will also enable viewing Connection Manager quotas.

connection-manager.viewer

The connection-manager.viewer role enables viewing info on connections and access permissions assigned to them, as well as on the Connection Manager quotas.

This role includes the connection-manager.auditor permissions.

connection-manager.editor

The connection-manager.editor role allows you to manage connections and view their details.

Users with this role can:

This role includes the connection-manager.viewer permissions.

connection-manager.admin

The connection-manager.admin role allows you to manage connections and access to those, as well as view connection details.

Users with this role can:

  • Create, use, edit, and delete connections, as well as manage access to them.
  • View connection details and info on connection access permissions.
  • View info on Connection Manager quotas.

This role includes the connection-manager.editor permissions.

For more information, see Access management in Connection Manager.

Yandex Container Registry

container-registry.viewer

The container-registry.viewer role enables viewing info on registries, Docker images, and repositories, as well as on the relevant folder, cloud, and Container Registry quotas.

Users with this role can:

  • View the list of registries, info on them and the access permissions granted for them, as well as on the access policy settings for IP addresses and the vulnerability scanner settings.
  • View info on repositories and the access permissions granted for them.
  • View the list of the Docker image auto-delete policies and info on them.
  • View the list of the testing results for Docker image auto-delete policies and info on such results.
  • View the list of Docker images in the registry and the info on them, as well as download Docker images from the registry.
  • View the Docker image vulnerability scan history and the info on the result of such scans.
  • View info on the Container Registry quotas.
  • View info on the relevant cloud and folder.

container-registry.editor

The container-registry.editor role enables managing registries, Docker images, repositories, and their settings.

Users with this role can:

  • View the list of registries and info on them, as well as create, modify, and delete them.
  • View info on the access permissions granted for registries, as well as on the access policy settings for IP addresses.
  • View info on the vulnerability scanner settings, as well as create, modify, and delete scan rules.
  • View the list of Docker images in the registry and info on them, as well as create, download, modify, and delete them.
  • Start and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
  • View info on repositories and the access permissions granted for them, as well as create and delete repositories.
  • View the list of the Docker image auto-delete policies and info on them, as well as create, modify, and delete such policies.
  • Test the Docker image auto-delete policies, view the list of testing results and the info on such results.
  • View info on the Container Registry quotas.
  • View info on the relevant cloud and folder.

This role includes the container-registry.viewer permissions.

container-registry.admin

The container-registry.admin role enables managing access to registries and repositories, as well as managing registries, Docker images, repositories and their settings.

Users with this role can:

  • View the list of registries and info on them, as well as create, modify, and delete them.
  • View info on granted access permissions to registries and modify such permissions.
  • View info on the access policy settings for IP address and modify such settings.
  • View info on the vulnerability scanner settings, as well as create, modify, and delete scan rules.
  • View the list of Docker images in the registry and info on them, as well as create, download, modify, and delete them.
  • Start and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
  • View info on repositories, as well as create and delete them.
  • View info on granted access permissions to repositories and modify such permissions.
  • View the list of the Docker image auto-delete policies and info on them, as well as create, modify, and delete such policies.
  • Test the Docker image auto-delete policies, view the list of testing results and the info on such results.
  • View info on the Container Registry quotas.
  • View info on the relevant cloud and folder.

This role includes the container-registry.editor permissions.

container-registry.images.pusher

The container-registry.images.pusher role enables managing Docker images and repositories, as well as viewing info on Docker images, repositories, and registries.

Users with this role can:

  • View the list of registries and info on them.
  • View the list of Docker images in the registry and info on them, as well as push, download, update, and delete them.
  • Create and delete repositories.

container-registry.images.puller

The container-registry.images.puller role enables downloading Docker images from the registry and viewing the list of registries and Docker images, as well as info on them.

container-registry.images.scanner

The container-registry.images.scanner role enables scanning Docker images for vulnerabilities, as well as viewing info on registries, Docker images, repositories, the relevant cloud and folder, and the Container Registry quotas.

Users with this role can:

  • View the list of Docker images in the registry and info on them, as well as download Docker images from the registry.
  • Start and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
  • View the list of registries, info on them and the access permissions granted for them, as well as on the access policy settings for IP addresses and the vulnerability scanner settings.
  • View info on repositories and the access permissions granted for them.
  • View the list of the Docker image auto-delete policies and info on them.
  • View the list of the testing results for Docker image auto-delete policies and info on such results.
  • View info on the Container Registry quotas.
  • View info on the relevant cloud and folder.

This role includes the container-registry.viewer permissions.

For more information, see Access management in Container Registry.

Yandex DataLens

datalens.workbooks.limitedViewer

You can assign the datalens.workbooks.limitedViewer role to a workbook. With it, you can view all workbook's nested charts and dashboards and the info on the access permissions granted for such a workbook. In the DataLens UI, this role is referred to as Limited viewer. You may want to only assign this role through the DataLens UI.

datalens.workbooks.viewer

You can assign the datalens.workbooks.viewer role to a workbook. With it, you can view all workbook's nested objects and the info on the access permissions granted for such a workbook. In the DataLens UI, this role is referred to as Viewer. You may want to only assign this role through the DataLens UI.

This role includes the datalens.workbooks.limitedViewer permissions.

datalens.workbooks.editor

You can assign the datalens.workbooks.editor role to a workbook. With it, you can edit both the workbook and all its nested objects. In the DataLens UI, this role is referred to as Editor. You may want to only assign this role through the DataLens UI.

Users with this role can:

This role includes the datalens.workbooks.viewer permissions.

datalens.workbooks.admin

You can assign the datalens.workbooks.admin role to a workbook. With it, you can manage the relevant workbook and access to it, as well as all its nested objects. In the DataLens UI, this role is referred to as Admin. You may want to only assign this role through the DataLens UI.

Users with this role can:

  • View info on the access permissions granted for the relevant workbook and modify such permissions.
  • Edit, move, create copies of, and delete the relevant workbook.
  • View and edit all workbook's nested objects.
  • Embed the workbook's nested private objects to websites and apps.
  • Publish the workbook's nested objects.

This role includes the datalens.workbooks.editor permissions.

datalens.collections.limitedViewer

You can assign the datalens.collections.limitedViewer role to a collection. It allows you to view the info on it and its nested collections and workbooks, which includes viewing charts and dashboards of the nested workbook workbooks. In the DataLens UI, this role is referred to as Limited viewer. You may want to only assign this role through the DataLens UI.

Users with this role can:

  • View info on the relevant collection and its nested workbooks and collections.
  • View info on the access permissions granted for the appropriate collection, as well as for its nested collections and workbooks.
  • View charts and dashboards nested into the workbooks related to the appropriate collection and its nested collections.

This role includes the datalens.workbooks.limitedViewer permissions.

datalens.collections.viewer

You can assign the datalens.collections.viewer role to a collection. It allows you to view the info on it and its nested collections and workbooks, as well as view all nested workbook objects. In the DataLens UI, this role is referred to as Viewer. You may want to only assign this role through the DataLens UI.

Users with this role can:

  • View info on the relevant collection and its nested workbooks and collections.
  • View info on the access permissions granted for the appropriate collection, as well as for its nested collections and workbooks.
  • View all nested objects of the workbooks related to the appropriate collection and its nested collections.

This role includes the datalens.collections.limitedViewer and datalens.workbooks.viewer permissions.

datalens.collections.editor

You can assign the datalens.collections.editor role to a collection. It allows you to edit the relevant collection and all its nested collections, workbooks, and all objects within such workbooks. In the DataLens UI, this role is referred to as Editor. You may want to only assign this role through the DataLens UI.

Users with this role can:

  • View info on the relevant collection and its nested collections and workbooks.
  • Edit the relevant collection and all its nested collections and workbooks.
  • Create copies of the relevant collection and all its nested collections and workbooks.
  • Create new collections and workbooks within the relevant collection and all its nested ones.
  • View and edit all nested objects of the workbooks related to the appropriate collection and its nested collections.
  • View info on the access permissions granted for the appropriate collection, as well as for its nested collections and workbooks.

This role includes the datalens.collections.viewer and datalens.workbooks.editor permissions.

datalens.collections.admin

You can assign the datalens.collections.admin role to a collection. It allows you to manage the relevant collection and access to it, as well as all its nested collections, workbooks, and all objects within such workbooks. In the DataLens UI, this role is referred to as Admin. You may want to only assign this role through the DataLens UI.

Users with this role can:

  • View info on the access permissions granted for the appropriate collection and for its nested collections and workbooks, as well as modify such access permissions.
  • View info on the relevant collection and its nested collections and workbooks.
  • Edit the relevant collection and all its nested collections and workbooks, as well as create copies of it.
  • Move and delete the relevant collection and all its nested collections and workbooks.
  • Create new collections and workbooks within the relevant collection.
  • View and edit all nested objects of the workbooks related to the appropriate collection and its nested collections.
  • Embed the private objects nested into workbooks related to the relevant collection and its nested ones, to websites and apps.
  • Publish the objects nested into the workbooks related to the appropriate collection and its nested collections.

This role includes the datalens.collections.editor and datalens.workbooks.admin permissions.

datalens.visitor

The datalens.visitor role grants access to DataLens. You can view and edit workbooks and collections if you have the appropriate roles that grant access to these workbooks and collections.

datalens.creator

The datalens.creator role grants access to DataLens with a permission to create workbooks and collections in the DataLens root. You can view and edit workbooks and collections created by other users only if you have access permissions to these workbooks and collections.

This role includes the datalens.visitor permissions.

datalens.admin

The datalens.admin role grants full access to DataLens and any of its workbooks and collections.

This role includes the datalens.creator permissions.

datalens.instances.user

The datalens.instances.user role grants access to DataLens as a user with permissions to create, read, and edit objects according to the permissions to objects and allows to view information on organization folders.

After you assign a service role, you can grant the user permissions to objects and directories in DataLens.

Tip

We recommend using the datalens.creator role instead of the datalens.instances.user one. The two roles grant identical permissions, but using datalens.creator is safer, because it only allows access to the DataLens instance, and disallows viewing all organization folders.

datalens.instances.admin

The datalens.instances.admin role allows you to access DataLens as a DataLens instance administrator. Administrators have full access to all objects and folders in DataLens, as well as to DataLens settings. The role also allows you to view information on organization folders.

This role includes the datalens.instances.user permissions.

Tip

We recommend using the datalens.admin role instead of the datalens.instances.admin one. The two roles grant identical permissions, but using datalens.admin is safer, because it only allows access to the DataLens instance, and disallows viewing all organization folders.

For more information, see DataLens roles.

Yandex Data Processing

dataproc.agent

The dataproc.agent role allows the service account linked to the Yandex Data Processing cluster to notify Data Proc of the cluster host state. You can assign this role to a service account linked to the Yandex Data Processing cluster.

Service accounts with this role can:

  • Notify Yandex Data Processing of the cluster host state.
  • Get info on jobs and their progress statuses.
  • Get info on log groups and add entries to them.

Currently, you can only assign this role for a folder or cloud.

dataproc.auditor

The dataproc.auditor role allows you to view information on Yandex Data Processing clusters.

dataproc.viewer

The dataproc.viewer role allows you to view information on Yandex Data Processing clusters and jobs.

dataproc.user

The dataproc.user role grants access to the Yandex Data Processing component web interfaces and enables creating jobs and viewing info on Yandex Cloud managed DB clusters.

Users with this role can:

This role includes the dataproc.viewer and mdb.viewer permissions.

dataproc.provisioner

The dataproc.provisioner role grants access to the API to create, update, and delete Yandex Data Processing cluster objects.

Users with this role can:
  • View information on DNS zones as well as create, use, modify, and delete them.
  • View information on resource records as well as create, modify, and delete them.
  • Create nested public DNS zones.
  • View info on granted access permissions for DNS zones.
  • View information on available platforms and use them.
  • Create, modify, start, restart, stop, move, and delete instances.
  • View the list of instances, information on instances and on granted access permissions for them.
  • Connect and disconnect disks, file storages, and network interfaces to and from instances, as well as link security groups to instance network interfaces.
  • Create instances with custom FQDNs and create multi-interface instances.
  • Bind service accounts to instances and activate AWS v1 tokens on instances.
  • View the list of service accounts and info on them, as well as perform operations on behalf of a service account.
  • Use the instance serial port for reading and writing.
  • Simulate instance maintenance events.
  • View instance metadata.
  • View information on the status of configuring access via OS Login on instances and connect to instances via OS Login using SSH certificates or SSH keys.
  • View the list of instance groups, information on instance groups and on granted access permissions for them, as well as use, create, modify, start, stop, and delete instance groups.
  • View the list of instance placement groups, information on instance placement groups and on granted access permissions for them, as well as use, modify, and delete instance placement groups.
  • View lists of instances in placement groups.
  • View the list of dedicated host groups, information on dedicated host groups and on granted access permissions for them, as well as use, modify, and delete dedicated host groups.
  • View lists of hosts and instances in dedicated host groups.
  • Modify scheduled maintenance windows for hosts in dedicated host groups.
  • Use GPU clusters, as well as create, modify, and delete them.
  • View info on GPU clusters and instances included in GPU clusters, as well as on granted access permissions for these clusters.
  • View the list of disks, information on disks and on granted access permissions for them, as well as use, modify, move, and delete disks.
  • Create encrypted disks.
  • View and update disk links.
  • View the list of file storages, information on file storages and on granted access permissions for them, as well as use, create, modify, and delete file storages.
  • View the list of non-replicated disk placement groups, information on non-replicated disk placement groups and on granted access permissions for them, as well as use, modify, and delete non-replicated disk placement groups.
  • View lists of disks in placement groups.
  • View the list of images, information on images and on granted access permissions for them, as well as use, modify, and delete images.
  • Create, modify, delete, and update image families.
  • View info on image families, on images within families, on the latest family image, as well as on granted access permissions for image families.
  • View the list of disk snapshots, information on disk snapshots and on granted access permissions for them, as well as use, modify, and delete disk snapshots.
  • View info on disk snapshot schedules and on granted access permissions for them, as well as create, modify, and delete disk snapshot schedules.
  • View the list of cloud networks and info on them, as well as use them.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud resource addresses and info on them, as well as use such addresses.
  • View the list of route tables and info on them, as well as use them.
  • View the list of security groups and info on them, as well as use them.
  • View information on NAT gateways and connect them to route tables.
  • View information on the IP addresses used in subnets.
  • View info on Monitoring metrics and their labels, as well as download metrics.
  • View the list of Monitoring dashboards and widgets, as well as the info on those.
  • View the Monitoring notification history.
  • View info on log groups.
  • View info on log sinks.
  • View info on granted access permissions for Cloud Logging resources.
  • View info on log exports.
  • View information on Compute Cloud resource and quota consumption and disk limits in the management console.
  • View info on the Cloud DNS, Virtual Private Cloud, and Monitoring quotas.
  • View lists of resource operations for Compute Cloud and information on operations, as well as abort such operations.
  • View information on resource operations for Virtual Private Cloud.
  • View the list of availability zones, information on availability zones and on granted access permissions for them.
  • View info on the relevant cloud and folder.

This role includes the iam.serviceAccounts.user, dns.editor, compute.editor, monitoring.viewer, and logging.viewer permissions.

dataproc.editor

The dataproc.editor role allows you to manage Yandex Data Processing clusters, run jobs, and view information on them. It also grants access to the Data Proc component web interfaces.

Users with this role can:

This role includes the dataproc.user permissions.

dataproc.admin

The dataproc.admin role allows you to manage Yandex Data Processing clusters, run jobs, and view information on them. It also grants access to the Data Processing component web interfaces.

Users with this role can:

This role includes the dataproc.editor permissions.

mdb.dataproc.agent

The mdb.dataproc.agent role allows the service account linked to the Yandex Data Processing cluster to notify Data Processing of the cluster host state.

Service accounts with this role can:

  • Notify Yandex Data Processing of the cluster host state.
  • Get info on jobs and their progress statuses.
  • Get info on log groups and add entries to them.

You can assign this role to a service account linked to the Yandex Data Processing cluster.

This role is no longer available. Please use dataproc.agent instead.

managed-metastore.auditor

The managed-metastore.auditor role allows you to view information on Hive Metastore clusters and the Yandex Cloud managed DB service quotas.

managed-metastore.viewer

The managed-metastore.viewer role allows you to view information on Hive Metastore clusters and their runtime logs, as well as details on the Yandex Cloud managed DB service quotas.

Users with this role can:

  • View info on Hive Metastore clusters.
  • View Hive Metastore cluster logs.
  • View info on the Yandex Cloud managed DB service quotas.
  • View info on the relevant cloud and folder.

This role includes the managed-metastore.auditor permissions.

managed-metastore.editor

The managed-metastore.editor role allows you to manage Hive Metastore clusters, as well as view their runtime logs and information on the Yandex Cloud managed DB service quotas.

Users with this role can:

  • View info on Hive Metastore clusters, as well as create, modify, run, stop, and delete them.
  • Export and import Hive Metastore clusters.
  • View Hive Metastore cluster logs.
  • View info on the Yandex Cloud managed DB service quotas.
  • View info on the relevant cloud and folder.

This role includes the managed-metastore.viewer permissions.

To create clusters, you also need the vpc.user role.

managed-metastore.admin

The managed-metastore.admin role allows you to manage Hive Metastore clusters, as well as view their runtime logs and information on service quotas of Yandex Cloud managed DBs.

Users with this role can:

  • View info on Hive Metastore clusters, as well as create, modify, run, stop, and delete them.
  • Export and import Hive Metastore clusters.
  • View Hive Metastore cluster logs.
  • View info on the Yandex Cloud managed DB service quotas.
  • View info on the relevant cloud and folder.

This role includes the managed-metastore.editor permissions.

To create clusters, you also need the vpc.user role.

managed-metastore.integrationProvider

The managed-metastore.integrationProvider role allows the Hive Metastore cluster to work with user resources required for its operation on behalf of the service account. You can assign this role to a service account linked to a Hive Metastore cluster.

Users with this role can:

  • Add entries to log groups.
  • View info on log groups.
  • View info on log sinks.
  • View info on granted access permissions for Cloud Logging resources.
  • View info on log exports.
  • View info on Monitoring metrics and their labels, as well as upload and download metrics.
  • View the list of Monitoring dashboards and widgets and info on them, as well as create, modify, and delete them.
  • View the Monitoring notification history.
  • View details on Monitoring quotas.
  • View info on the relevant cloud and folder.

This role includes the logging.writer and monitoring.editor permissions.

For more information, see Access management in Yandex Data Processing.

Yandex DataSphere

datasphere.community-projects.viewer

The datasphere.community-projects.viewer role allows you to view information on projects, project settings, and project resources, as well as on granted access permissions for these projects.

In the DataSphere interface, users with the datasphere.community-projects.viewer role have the Viewer role in the Members tab on the community page.

datasphere.community-projects.developer

The datasphere.community-projects.developer role allows you to work in projects and manage project resources.

Users with this role can:

  • View info on projects, project settings, and project resources.
  • Create, modify, and delete resources within projects.
  • Run IDEs and code cells in projects.
  • View info on granted access permissions for projects.

This role includes the datasphere.community-projects.viewer permissions.

In the DataSphere interface, users with the datasphere.community-projects.developer role have the Developer role in the Members tab on the community page.

datasphere.community-projects.editor

The datasphere.community-projects.editor role allows you to work in projects, modify and delete them, as well as manage project resources and share them within the community.

Users with this role can:

  • View info on projects, project settings, and project resources, as well as modify and delete projects.
  • Create, modify, and delete resources within projects, as well as share the relevant project resources with the communities where the user has the Developer permissions (the datasphere.communities.developer role or higher).
  • Run IDEs and code cells in projects.
  • View info on granted access permissions for projects.

This role includes the datasphere.community-projects.developer permissions.

In the DataSphere interface, users with the datasphere.community-projects.editor role have the Editor role in the Members tab on the community page.

datasphere.community-projects.admin

The datasphere.community-projects.admin role allows you to manage access to projects, work in them, modify and delete them, as well as manage project resources and share them within the community.

Users with this role can:

  • View info on granted access permissions for projects and modify access permissions.
  • View info on projects, project settings, and project resources, as well as modify and delete projects.
  • Create, modify, and delete resources within projects, as well as share the relevant project resources with the communities where the user has the Developer role (datasphere.communities.developer) or higher.
  • Run IDEs and code cells in projects.

This role includes the datasphere.community-projects.editor permissions.

In the DataSphere interface, users with the datasphere.community-projects.admin role have the Admin role in the Members tab on the community page.

datasphere.communities.viewer

The datasphere.communities.viewer role allows you to view information on communities and projects, as well as on granted access permissions for them.

Users with this role can:

This role includes the datasphere.community-projects.viewer permissions.

In the DataSphere interface, users with the datasphere.communities.viewer role have the Viewer role in the Members tab on the community page.

datasphere.communities.developer

The datasphere.communities.developer role allows you to create new projects and publish project resources in communities, as well as view information on communities and projects.

Users with this role can:

  • View info on communities and granted access permissions for them.
  • Create new projects in communities.
  • Publish project resources in the communities where the user has the Developer permissions (the datasphere.communities.developer role) or higher.
  • View info on projects, project settings, and project resources, as well as on granted access permissions for these projects.
  • View info on the relevant organization.

This role includes the datasphere.communities.viewer permissions.

In the DataSphere interface, users with the datasphere.communities.developer role have the Developer role in the Members tab on the community page.

datasphere.communities.editor

The datasphere.communities.editor role allows you to link a billing account to communities, delete communities, and edit community settings, as well as manage community projects and resources.

Users with this role can:

  • View info on communities and granted access permissions for them, as well as modify and delete communities.
  • Link a billing account to communities.
  • Create new projects in communities, as well as modify and delete projects.
  • View info on projects, project settings, and project resources, as well as on granted access permissions for these projects.
  • Create, modify, and delete resources within projects, as well as publish project resources in the communities where the user has the Developer permissions (the datasphere.communities.developer role) or higher.
  • Run IDEs and code cells in projects.
  • View info on the relevant organization.

This role includes the datasphere.communities.developer and datasphere.community-projects.editor permissions.

In the DataSphere interface, users with the datasphere.communities.editor role have the Editor role in the Members tab on the community page.

datasphere.communities.admin

The datasphere.communities.admin role allows you to manage communities and community projects, as well as access to them.

Users with this role can:

  • View info on communities, as well as modify and delete communities.
  • View info on granted access permissions for communities and modify access permissions.
  • Link a billing account to communities.
  • Create new projects in communities, as well as modify and delete projects.
  • View info on projects, project settings, and project resources.
  • View info on granted access permissions for projects and modify access permissions.
  • Create, modify, and delete resources within projects, as well as publish project resources in the communities where the user has the Developer permissions (the datasphere.communities.developer role or higher).
  • Run IDEs and code cells in projects.
  • View info on the relevant organization.

This role includes the datasphere.communities.editor and datasphere.community-projects.admin permissions.

In the DataSphere interface, users with the datasphere.communities.admin role have the Admin role in the Members tab on the community page.

datasphere.user

The datasphere.user role allows you to run code cells in projects, view information on DataSphere projects and quotas, as well as on the relevant cloud and folder.

The datasphere.user role is deprecated and no longer in use.

data-sphere.user

The data-sphere.user role is no longer available.

datasphere.admin

The datasphere.admin role allows you to manage communities, community projects and access to them, and use cloud networks and Virtual Private Cloud resources.

Users with this role can:
  • View info on communities, as well as modify and delete communities.
  • View info on granted access permissions for communities and modify access permissions.
  • Link a billing account to communities.
  • Create new projects in communities, as well as modify and delete projects.
  • View info on projects, project settings, and project resources.
  • View info on granted access permissions for projects and modify access permissions.
  • Create, modify, and delete resources within projects, as well as publish project resources in the communities where the user has the Developer permissions (the datasphere.communities.developer role or higher).
  • Run IDEs and code cells in projects.
  • View the list of service accounts and use them.
  • View the list of cloud networks and info on them, as well as use them.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud resource addresses and info on them, as well as use such addresses.
  • View the list of route tables and info on them, as well as use them.
  • View the list of security groups and info on them, as well as use them.
  • View info on NAT gateways and connect them to route tables.
  • View information on the IP addresses used in subnets.
  • View the info on operations with the Virtual Private Cloud and Compute Cloud resources.
  • View info on the DataSphere and Virtual Private Cloud quotas.
  • View info on the relevant organization, cloud, and folder.

The datasphere.admin role is deprecated and no longer in use.

data-sphere.admin

The data-sphere.admin role is no longer available.

For more information, see Access management in DataSphere.

Yandex Data Streams

yds.auditor

The yds.auditor role enables viewing metadata of streams in Yandex Data Streams, establishing YDB database connections, and viewing info on YDB databases and the relevant access permissions granted for them, as well as on the YDB database schema objects and backups.

Users with this role can:

  • View streams metadata in Yandex Data Streams.
  • Establish YDB database connections.
  • View the list of YDB databases and info on them, as well as on the relevant access permissions granted for them.
  • View info on YDB database backups and the relevant access permissions granted for them.
  • View the list of YDB database schema objects, such as tables, indexes, and folders, and info on them.
  • View info on the quotas for Managed Service for YDB.
  • View info on the relevant cloud and folder.

This role includes the ydb.auditor permissions.

yds.viewer

The yds.viewer role enables reading data from streams in Yandex Data Streams and viewing their settings, as well as establishing connections to YDB databases, querying them for reading, and viewing info on YDB databases and the relevant access permissions granted for them.

Users with this role can:

  • View metadata of streams in Yandex Data Streams and read data from those steams.
  • Establish connections to YDB databases and query them for reading.
  • View the list of YDB databases and info on them, as well as on the relevant access permissions granted for them.
  • View info on YDB database backups and the relevant access permissions granted for them.
  • View the list of YDB database schema objects, such as tables, indexes, and folders, and info on them.
  • View info on the quotas for Managed Service for YDB.
  • View info on the relevant cloud and folder.

This role includes the ydb.viewer permissions.

yds.writer

The yds.writer role enables writing data to streams in Yandex Data Streams and connecting to YDB databases.

yds.editor

The yds.editor role enables creating, modifying, and deleting streams in Yandex Data Streams, as well as reading and writing data from and to those streams.

Users with this role can:

  • View info on data streams and create, modify, and delete them.
  • Read and write data from and to streams in Yandex Data Streams.
  • View the list of YDB databases, info on them, and the relevant access permissions granted for them, as well as create, run, stop, modify, and delete YDB databases.
  • Establish connections to YDB databases and query them for reading and writing.
  • View info on YDB database backups and the relevant access permissions granted for them, as well as create and delete them, and use them to restore databases.
  • View the list of YDB database schema objects, such as tables, indexes, and folders, and info on them, as well as create, modify, and delete such objects.
  • View info on the quotas for Managed Service for YDB.
  • View info on the relevant cloud and folder.

This role includes the ydb.editor and yds.writer permissions.

yds.admin

The yds.admin role enables creating, modifying, and deleting streams in Yandex Data Streams, as well as reading and writing data from and to those streams.

Users with this role can:

  • View info on data streams and create, modify, and delete them.
  • Read and write data from and to streams in Yandex Data Streams.
  • View the list of YDB databases and info on them, as well as create, run, stop, modify, and delete them.
  • View info on granted access permissions for the relevant YDB databases and modify such permissions.
  • Establish connections to YDB databases and query them for reading and writing.
  • View info on YDB database backups, as well as create and delete them and use them to restore YDB databases.
  • View info on granted access permissions to backups and modify such permissions.
  • View the list of YDB database schema objects, such as tables, indexes, and folders, and info on them, as well as create, modify, and delete such objects.
  • View info on the quotas for Managed Service for YDB.
  • View info on the relevant cloud and folder.

This role includes the ydb.admin permissions.

For more information, see Access management in Data Streams.

Yandex Data Transfer

data-transfer.auditor

The data-transfer.auditor role allows you to view the service metadata, including the information on the relevant folder, endpoints, and transfers, as well as on Data Transfer quotas.

Currently, this role can only be assigned for working with a folder or a cloud.

data-transfer.viewer

The data-transfer.viewer role allows you to view information on the relevant folder, endpoints, and transfers, as well as on Data Transfer quotas.

This role includes the data-transfer.auditor permissions.

Currently, this role can only be assigned for working with a folder or a cloud.

data-transfer.privateAdmin

The data-transfer.privateAdmin role allows you to manage endpoints and transfers for transferring data only within Yandex Cloud networks, as well as to view information on the relevant folder and Data Transfer quotas.

Users with this role can:

  • View information on transfers, as well as create, modify, delete, activate, use, and deactivate transfers for transferring data within Yandex Cloud networks.
  • View information on endpoints, as well as create, modify, and delete endpoints in Yandex Cloud.
  • View information on the relevant folder.
  • View information on Data Transfer quotas.

This role includes the data-transfer.viewer permissions.

Currently, this role can only be assigned for working with a folder or a cloud.

data-transfer.admin

The data-transfer.admin role allows you to manage endpoints and transfers for transferring data within Yandex Cloud networks and over the internet, as well as to view information on the relevant folder and Data Transfer quotas.

Users with this role can:

  • View information on transfers, as well as create, modify, delete, activate, use, and deactivate transfers for transferring data both within Yandex Cloud networks and over the internet.
  • View information on endpoints, as well as create, modify, and delete endpoints both within and outside Yandex Cloud.
  • View information on the relevant folder.
  • View information on Data Transfer quotas.

This role includes the data-transfer.privateAdmin permissions.

Currently, this role can only be assigned for working with a folder or a cloud.

For more information, see Access management in Data Transfer.

Yandex Identity and Access Management

iam.serviceAccounts.user

The iam.serviceAccounts.user role enables viewing the list of service accounts and info on them, as well as performing operations on behalf of a service account.

For example, if you specify a service account when creating an instance group, IAM will check whether you have a permission to use this service account.

iam.serviceAccounts.admin

The iam.serviceAccounts.admin role enables managing service accounts and access to them and their keys, as well as getting IAM tokens for service accounts.

Users with this role can:

  • View the list of service accounts and info on them, as well as create, use, modify, and delete them.
  • View info on access permissions assigned for service accounts and modify such permissions.
  • Get IAM tokens for service accounts.
  • View the list of service account API keys and info on them, as well as create, modify, and delete them.
  • View the list of service account static access keys and info on them, as well as create, modify, and delete them.
  • View info on service account authorized keys, as well as create, modify, and delete them.
  • View info on the relevant folder and its settings.

iam.serviceAccounts.accessKeyAdmin

The iam.serviceAccounts.accessKeyAdmin role enables managing static access keys for service accounts.

Users with this role can:

iam.serviceAccounts.apiKeyAdmin

The iam.serviceAccounts.apiKeyAdmin role enables managing API keys for service accounts.

Users with this role can:

  • View the list of service account API keys and information on them.
  • Create, update, and delete API keys for service accounts.

iam.serviceAccounts.authorizedKeyAdmin

The iam.serviceAccounts.authorizedKeyAdmin role enables viewing info on service account authorized keys, as well as create, modify, and delete them.

iam.serviceAccounts.keyAdmin

The iam.serviceAccounts.keyAdmin role enables managing static access keys, API keys, and authorized keys for service accounts.

Users with this role can:

  • View the list of service account static access keys and info on them, as well as create, modify, and delete them.
  • View the list of service account API keys and info on them, as well as create, modify, and delete them.
  • View info on service account authorized keys, as well as create, modify, and delete them.

This role includes the iam.serviceAccounts.accessKeyAdmin, iam.serviceAccounts.apiKeyAdmin, and iam.serviceAccounts.authorizedKeyAdmin permissions.

iam.serviceAccounts.tokenCreator

The iam.serviceAccounts.tokenCreator role enables getting IAM tokens for service accounts.

With such an IAM token one can impersonate to a service account and perform operations allowed for it.

This role does not allow you to modify access permissions or delete a service account.

iam.serviceAccounts.federatedCredentialViewer

The iam.serviceAccounts.federatedCredentialViewer role enables viewing the list of federation credentials in workload identity federations and info on such credentials.

iam.serviceAccounts.federatedCredentialEditor

The iam.serviceAccounts.federatedCredentialEditor role enables viewing the list of federation credentials in workload identity federations and info on such credentials, as well as create and delete those.

This role includes the iam.serviceAccounts.federatedCredentialViewer permissions.

iam.workloadIdentityFederations.auditor

The iam.workloadIdentityFederations.auditor role enables viewing the workload identity federation metadata.

iam.workloadIdentityFederations.viewer

The iam.workloadIdentityFederations.viewer role enables viewing info on workload identity federations.

This role includes the iam.workloadIdentityFederations.auditor permissions.

iam.workloadIdentityFederations.user

The iam.workloadIdentityFederations.user role enables using workload identity federations.

iam.workloadIdentityFederations.editor

The iam.workloadIdentityFederations.editor role enables viewing info on workload identity federations, as well as creating, modifying, and deleting such federations.

This role includes the iam.workloadIdentityFederations.viewer permissions.

iam.workloadIdentityFederations.admin

The iam.workloadIdentityFederations.admin role enables viewing info on workload identity federations, as well as creating, modifying, using, and deleting such federations.

This role includes the iam.workloadIdentityFederations.editor and iam.workloadIdentityFederations.user permissions.

iam.userAccounts.refreshTokenViewer

The iam.userAccounts.refreshTokenViewer role enables viewing the lists of federated users’ refresh tokens. To use this role, you need to assign it for an organization.

iam.userAccounts.refreshTokenRevoker

The iam.userAccounts.refreshTokenRevoker role enables revoking federated users’ refresh tokens. To use this role, you need to assign it for an organization.

iam.auditor

The iam.auditor role allows you to view info on service accounts and their keys, as well as on the IAM resource operations and quotas.

Users with this role can:

  • View the list of service accounts and information on them.
  • View info on access permissions assigned for service accounts.
  • View the list of service account API keys and information on them.
  • View the list of service account static access keys and information on them.
  • View info on service account authorized keys.
  • View the list of operations and the info on IAM resource operations.
  • View info on Identity and Access Management quotas.
  • View info on the relevant cloud and its settings.
  • View info on the relevant folder and its settings.

iam.viewer

The iam.viewer role allows you to view info on service accounts and their keys, as well as on the IAM resource operations and quotas.

Users with this role can:

  • View the list of service accounts and information on them.
  • View info on access permissions assigned for service accounts.
  • View the list of service account API keys and information on them.
  • View the list of service account static access keys and information on them.
  • View info on service account authorized keys.
  • View the list of operations and the info on IAM resource operations.
  • View info on Identity and Access Management quotas.
  • View info on the relevant cloud and its settings.
  • View info on the relevant folder and its settings.

This role includes the iam.auditor permissions.

iam.editor

The iam.editor role allows you to manage service accounts and their keys, manage folders, and view info on IAM resource operations and quotas.

Users with this role can:

  • View the list of service accounts and info on them, as well as create, use, modify, and delete them.
  • View the list of service account API keys and info on them, as well as create, modify, and delete them.
  • View the list of service account static access keys and info on them, as well as create, modify, and delete them.
  • View info on service account authorized keys, as well as create, modify, and delete them.
  • View info on access permissions assigned for service accounts.
  • View the list of operations and the info on IAM resource operations.
  • View info on Identity and Access Management quotas.
  • View info on the relevant cloud and its settings.
  • View info on the relevant folders and their settings.
  • Create, modify, delete, and setup folders.

This role includes the iam.viewer permissions.

iam.admin

The iam.admin role enables managing service accounts and access to them and their keys, as well as managing folders, viewing info on IAM resource operations and quotas, and getting IAM tokens for service accounts.

Users with this role can:

  • View the list of service accounts and info on them, as well as create, use, modify, and delete them.
  • View info on access permissions assigned for service accounts and modify such permissions.
  • Get IAM tokens for service accounts.
  • View the list of service account API keys and info on them, as well as create, modify, and delete them.
  • View the list of service account static access keys and info on them, as well as create, modify, and delete them.
  • View info on service account authorized keys, as well as create, modify, and delete them.
  • View info on identity federations.
  • View the list of operations and the info on Identity and Access Management resource operations.
  • View info on Identity and Access Management quotas.
  • View info on the relevant cloud and its settings.
  • View info on the relevant folders and their settings.
  • Create, modify, delete, and setup folders.

This role includes the iam.editor and iam.serviceAccounts.admin permissions.

For more information, see Access management in Identity and Access Management.

Yandex IoT Core

iot.devices.writer

The iot.devices.writer role grants permission to send gRPC messages to Yandex IoT Core on behalf of a device.

iot.registries.writer

The iot.registries.writer role grants permission to send gRPC messages to Yandex IoT Core on behalf of a registry.

iot.auditor

The iot.auditor role allows you to view metadata about devices and device registries, as well as brokers and quotas in Yandex IoT Core.

iot.viewer

The iot.viewer role allows you to view all Yandex IoT Core resources.

iot.editor

The iot.editor role allows users to create, edit, and delete all Yandex IoT Core resources.

For more information, see Access management in Yandex IoT Core.

Yandex Foundation Models

ai.playground.user

The ai.playground.user role enables using AI Playground in the Yandex Cloud console.

ai.languageModels.user

The ai.languageModels.user role enables using the YandexGPT API language models for text generation within Yandex Foundation Models, as well as viewing info on the relevant cloud, folder, and quotas.

ai.imageGeneration.user

The ai.imageGeneration.user role enables using the YandexART image generation models within Yandex Foundation Models, as well as viewing info on the relevant cloud, folder, and quotas.

ai.assistants.auditor

The ai.assistants.auditor role enables viewing information on AI assistants, their users and threads, as well as on the uploaded files and their indexes.

Users with this role can:

  • View info on AI assistants.
  • View info on AI assistant users and their threads.
  • View info on uploaded files and their search indexes.
  • View info on quotas for Yandex Foundation Models.
  • View info on the relevant cloud.
  • View info on the relevant folder.

ai.assistants.viewer

The ai.assistants.viewer role enables reading threads and files, searching for files within a directory using indexes, and viewing information on AI assistants, uploaded files, and their indexes.

Users with this role can:

  • View info on AI assistants.
  • View info on AI assistant users.
  • View info on AI assistant user threads and read them.
  • View info on uploaded files and view them.
  • View info on file search indexes and search for files within a directory using these indexes.
  • View info on quotas for Yandex Foundation Models.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role includes the ai.assistants.auditor permissions.

ai.assistants.editor

The ai.assistants.editor role enables managing AI assistants, their users and threads, as well as files with additional information and search indexes of those files.

Users with this role can:

  • View info on AI assistants, as well as create, modify, use, and delete them.
  • View info on AI assistant users, as well as create, modify, and delete them.
  • View info on AI assistant user threads, as well as create, modify, read, write, and delete them.
  • View info on uploaded files, as well as create, update, view, and delete them.
  • View info on file search indexes and create, modify, and delete them, as well as search for files within a directory using these indexes.
  • View info on quotas for Yandex Foundation Models.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role includes the ai.playground.user and ai.assistants.viewer permissions.

ai.assistants.admin

The ai.assistants.admin role enables managing AI assistants, their users and threads, as well as files with additional information and search indexes of such files.

Users with this role can:

  • View info on AI assistants, as well as create, modify, use, and delete them.
  • View info on AI assistant users, as well as create, modify, and delete them.
  • View info on AI assistant user threads, as well as create, modify, read, write, and delete them.
  • View info on uploaded files, as well as create, update, view, and delete them.
  • View info on file search indexes and create, modify, and delete them, as well as search for files within a directory using these indexes.
  • View info on quotas for Yandex Foundation Models.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role includes the ai.assistants.editor permissions.

ai.datasets.auditor

The ai.datasets.auditor role enables viewing the dataset metadata.

ai.datasets.viewer

The ai.datasets.viewer role enables viewing the info on datasets.

This role includes the ai.datasets.auditor permissions.

ai.datasets.user

The ai.datasets.user role enables viewing info on datasets and using them to fine-tune models in Foundation Models.

This role includes the ai.datasets.viewer permissions.

ai.datasets.editor

The ai.datasets.editor role enables viewing info on datasets, creating, modifying, and deleting them, as well as using them to fine-tune models in Foundation Models.

This role includes the ai.datasets.user permissions.

ai.datasets.admin

The ai.datasets.admin role enables viewing info on datasets, creating, modifying, and deleting them, as well as using them to fine-tune models in Foundation Models.

This role includes the ai.datasets.editor permissions.

ai.models.auditor

The ai.datasets.auditor role enables viewing the text generation model metadata in Yandex Foundation Models.

ai.models.viewer

The ai.models.viewer role enables viewing info on the text generation models in Yandex Foundation Models.

This role includes the ai.models.auditor permissions.

ai.models.user

The ai.models.user role enables viewing info on the text generation models in Yandex Foundation Models, as well as using Yandex Translate, Yandex Vision, Yandex SpeechKit, and Yandex Foundation Models.

Users with this role can:

This role includes the ai.models.viewer permissions.

ai.models.editor

The ai.models.editor role enables you to manage the fine-tuning of the text generation models in Yandex Foundation Models, as well as to use Yandex Translate, Yandex Vision, Yandex SpeechKit, and Yandex Foundation Models.

Users with this role can:

This role includes the ai.models.user permissions.

ai.models.admin

The ai.models.admin role enables you to manage the fine-tuning of the text generation models in Yandex Foundation Models, as well as to use Yandex Translate, Yandex Vision, Yandex SpeechKit, and Yandex Foundation Models.

Users with this role can:

This role includes the ai.models.editor permissions.

For more information, see Access management in Yandex Foundation Models.

Yandex Key Management Service

kms.keys.user

The kms.keys.user role enables using symmetric encryption keys.

kms.keys.encrypter

The kms.keys.encrypter role enables viewing info on symmetric encryption keys and using such keys to encrypt data.

kms.keys.decrypter

The kms.keys.decrypter role enables viewing info on symmetric encryption keys and using such keys to decrypt data.

kms.keys.encrypterDecrypter

The kms.keys.encrypterDecrypter role enables viewing info on symmetric encryption keys and using such keys to encrypt or decrypt data.

This role includes the kms.keys.encrypter and kms.keys.decrypter permissions.

kms.asymmetricEncryptionKeys.publicKeyViewer

The kms.asymmetricEncryptionKeys.publicKeyViewer role enables viewing info on asymmetric encryption key pairs, as well as getting a public key from an encryption key pair.

kms.asymmetricSignatureKeys.publicKeyViewer

The kms.asymmetricSignatureKeys.publicKeyViewer role enables viewing info on digital signature key pairs, as well as getting a public key from a digital signature key pair.

kms.asymmetricSignatureKeys.signer

The kms.asymmetricSignatureKeys.signer role enables signing data with a private key from a digital signature key pair.

kms.asymmetricEncryptionKeys.decrypter

The kms.asymmetricEncryptionKeys.decrypter role enables decrypting data with a private key from an asymmetric encryption key pair.

kms.auditor

The kms.auditor role enables viewing info on encryption keys and key pairs and access permissions assigned to them.

Users with this role can:

kms.viewer

The kms.viewer role enables viewing info on encryption and digital signature keys and key pairs, access permissions assigned to them, and KMS quotas.

Users with this role can:

This role includes the kms.auditor permissions.

kms.editor

The kms.editor role allows you to create encryption and digital signature keys and key pairs as well as use them to encrypt, decrypt, and sign data.

Users with this role can:

  • View the list of symmetric encryption keys, info on them and their access permissions, as well as create, rotate, and modify symmetric key metadata, including rotation periods.
  • Encrypt and decrypt data using symmetric encryption keys.
  • View info on asymmetric encryption key pairs and access permissions assigned to them as well as create such key pairs or modify their metadata.
  • Get a public key and decrypt data using a private key from an asymmetric encryption key pair.
  • View info on digital signature key pairs and access permissions assigned to them as well as create such key pairs or modify their metadata.
  • Get a public key and sign data using a private key from a digital signature key pair.
  • View details on the Key Management Service quotas.

kms.admin

The kms.admin role enables managing encryption and digital signature keys and key pairs, as well as managing access to such keys or key pairs and using them to encrypt, decrypt, and sign data.

Users with this role can:

  • View info on access permissions assigned to symmetric encryption keys and modify such permissions.
  • View the list of symmetric encryption keys and details on them, as well as create, activate, deactivate, rotate, and delete symmetric encryption keys, or change their default version and metadata (including rotation period).
  • Encrypt and decrypt data using symmetric encryption keys.
  • View info on access permissions assigned to asymmetric encryption key pairs and modify such permissions.
  • View details on asymmetric encryption key pairs as well as create, activate, deactivate, and delete such key pairs, or modify their metadata.
  • Get a public key and decrypt data using a private key from an asymmetric encryption key pair.
  • View info on access permissions assigned to digital signature key pairs and modify such permissions.
  • View details on digital signature key pairs as well as create, activate, deactivate, and delete such key pairs, or modify their metadata.
  • Get a public key and sign data using a private key from a digital signature key pair.
  • View details on Key Management Service quotas.
  • View info on the relevant folder.

This role includes the kms.editor permissions.

For more information, see Access management in Key Management Service.

Yandex Load Testing

loadtesting.viewer

The loadtesting.viewer role allows you to view info on load generators and tests, as well as folder metadata.

Users with this role can:

  • View info on load tests and reports on their run.
  • View info on load test configurations.
  • View info on load test regression dashboards.
  • View info on agents.
  • View info on Yandex Object Storage buckets used in load tests.
  • View info on the relevant folder.

loadtesting.editor

The loadtesting.editor role enables managing agents, load tests and their settings, data stores, and regression dashboards. It also allows you to register agents created outside Load Testing.

Users with this role can:

  • View info on load tests and reports on their run.
  • Create, modify, delete, run and stop load tests and load test data into them.
  • View info on load test configurations, as well as create, modify, and delete such configurations.
  • View info on agents and create, modify, delete, run, restart, and stop them.
  • Register external agents in Load Testing.
  • View info on Yandex Object Storage buckets used in load tests, upload test data to them, and create, modify, and delete buckets.
  • View info on regression dashboards, as well as create, modify, and delete such dashboards.
  • View information on the relevant folder.

This role includes the loadtesting.viewer, loadtesting.loadTester, and loadtesting.externalAgent permissions.

loadtesting.admin

The loadtesting.admin role enables managing agents, load tests and their settings, data stores, and regression dashboards. It also allows you to register agents created outside Load Testing.

Users with this role can:

  • View info on load tests and reports on their run.
  • Create, modify, delete, run and stop load tests and load test data into them.
  • View info on load test configurations, as well as create, modify, and delete such configurations.
  • View info on agents and create, modify, delete, run, restart, and stop them.
  • Register external agents in Load Testing.
  • View info on Yandex Object Storage buckets used in load tests, upload test data to them, and create, modify, and delete buckets.
  • View info on regression dashboards, as well as create, modify, and delete such dashboards.
  • View information on the relevant folder.

This role includes the loadtesting.editor permissions.

loadtesting.loadTester

The loadtesting.loadTester role enables managing agents, load tests and their settings, data stores, and regression dashboards.

Users with this role can:

  • View info on load tests and reports on their run.
  • Create, modify, delete, run and stop load tests and load test data into them.
  • View info on load test configurations, as well as create, modify, and delete such configurations.
  • View info on agents and create, modify, delete, run, restart, and stop them.
  • View info on Yandex Object Storage buckets used in load tests, upload test data to them, and create, modify, and delete buckets.
  • View info on regression dashboards, as well as create, modify, and delete such dashboards.
  • View information on the relevant folder.

loadtesting.generatorClient

The loadtesting.generatorClient role allows you to create, modify, and run load tests using an agent, as well as enables uploading test results to the storage.

Users with this role can:

  • Create, edit, and run load tests.
  • Create and edit load test configurations.
  • Upload the test result data to the storage.

Assign this role to the service account under which you create a VM with an agent.

loadtesting.externalAgent

The loadtesting.externalAgent role enables registering external agents in Load Testing, as well as creating, modifying, and running load tests using an agent.

Users with this role can:

  • Register external agents in Load Testing.
  • Create, edit, and run load tests.
  • Create and edit load test configurations.
  • Upload the test result data to the storage.

This role includes the loadtesting.generatorClient permissions.

Assign this role to the service account under which you create a VM with an agent.

For more information, see Access management in Load Testing.

Yandex Lockbox

lockbox.auditor

The lockbox.auditor role enables viewing info on secrets and on access permissions assigned to them, as well as details on Yandex Lockbox quotas and folder metadata.

lockbox.viewer

The lockbox.viewer role enables viewing info on secrets and access permissions assigned to them, as well as info on the relevant folder and Yandex Lockbox quotas.

This role includes the lockbox.auditor permissions.

lockbox.editor

The lockbox.editor role enables managing secrets and their versions, as well as viewing info on access permissions assigned to secrets.

Users with this role can:

  • View info on secrets and on access permissions assigned to them, as well as create, activate, deactivate, and delete secrets.
  • Modify secret version metadata, create and delete secret versions, as well as change current secret versions, schedule deleting a secret version, or cancel a scheduled deletion.
  • View information on the relevant folder.
  • View details on Yandex Lockbox quotas.

This role includes the lockbox.viewer permissions.

lockbox.admin

The lockbox.admin role enables managing secrets, their versions, and access to them, as well as viewing secret contents.

Users with this role can:

  • View info on access permissions assigned to secrets and modify such permissions.
  • View info on secrets, including secret contents.
  • Create, activate, deactivate, and delete secrets.
  • Modify secret version metadata, create and delete secret versions, as well as change current secret versions, schedule deleting a secret version, or cancel a scheduled deletion.
  • View information on the relevant folder.
  • View details on Yandex Lockbox quotas.

This role includes the lockbox.editor and lockbox.payloadViewer permissions.

lockbox.payloadViewer

The lockbox.payloadViewer role enables viewing secret contents.

For more information, see Access management in Yandex Lockbox.

Managed databases

mdb.auditor

The mdb.auditor role grants the minimum permissions required to view information about managed database clusters (without access to data or runtime logs).

Users with this role can view information about managed database clusters, quotas, and folders.

This role includes the managed-opensearch.auditor, managed-kafka.auditor, managed-mysql.auditor, managed-sqlserver.auditor, managed-postgresql.auditor, managed-greenplum.auditor, managed-clickhouse.auditor, managed-redis.auditor, and managed-mongodb.auditor permissions.

mdb.viewer

The mdb.viewer role grants read access to managed database clusters and cluster runtime logs.

Users with this role can read from databases, inspect the logs of managed database clusters, and view information about clusters, quotas, and folders.

This role includes the mdb.auditor, managed-opensearch.viewer, managed-kafka.viewer, managed-mysql.viewer, managed-sqlserver.viewer, managed-postgresql.viewer, managed-greenplum.viewer, managed-clickhouse.viewer, managed-redis.viewer, managed-mongodb.viewer, and dataproc.viewer permissions.

mdb.admin

The mdb.admin role grants full access to managed database clusters.

Users with this role can create, edit, delete, run, and stop managed database clusters, manage cluster access, read and write to databases, and view information about clusters, runtime logs, quotas, and folders.

This role includes the mdb.viewer, vpc.user, managed-opensearch.admin, managed-kafka.admin, managed-mysql.admin, managed-sqlserver.admin, managed-postgresql.admin, managed-greenplum.admin, managed-clickhouse.admin, managed-redis.admin, managed-mongodb.admin, and dataproc.admin permissions.

Yandex Managed Service for Apache Airflow™

managed-airflow.auditor

The managed-airflow.auditor role allows you to view information about the Apache Airflow™ clusters.

managed-airflow.viewer

The managed-airflow.viewer role allows you to view information about the Apache Airflow™ clusters.

This role includes the managed-airflow.auditor permissions.

managed-airflow.user

The managed-airflow.user role enables performing basic operations on the Apache Airflow™ clusters.

Users with this role can:

This role includes the managed-airflow.viewer permissions.

managed-airflow.editor

The managed-airflow.editor role allows you to manage the Apache Airflow™ clusters, as well as get information about quotas and service resource operations.

Users with this role can:

This role includes the managed-airflow.user permissions.

To create Apache Airflow™ clusters, you also need the vpc.user role.

managed-airflow.admin

The managed-airflow.admin role allows you to manage the Apache Airflow™ clusters and get information about quotas and service resource operations.

Users with this role can:

This role includes the managed-airflow.editor permissions.

To create Apache Airflow™ clusters, you also need the vpc.user role.

managed-airflow.integrationProvider

The managed-airflow.integrationProvider role allows the Apache Airflow™ cluster to work with user resources required for its operation on behalf of the service account. You can assign this role to a service account linked to the Apache Airflow™ cluster.

Service accounts with this role can:

This role includes the logging.writer, monitoring.editor, storage.viewer, and lockbox.viewer permissions.

The role does not provide access to Yandex Lockbox secret contents. To grant the Apache Airflow™ cluster access to Yandex Lockbox secret contents, additionally assign the lockbox.payloadViewer role to the service account either for the relevant folder or for specific secrets.

For more information, see Access management in Managed Service for Apache Airflow™.

Yandex Managed Service for Apache Kafka®

managed-kafka.auditor

The managed-kafka.auditor role allows you to view information about Apache Kafka® clusters, as well as quotas and resource operations for Managed Service for Apache Kafka®.

managed-kafka.viewer

The managed-kafka.viewer role allows you to view information about Apache Kafka® clusters and their logs, as well as information on quotas and resource operations for Managed Service for Apache Kafka®.

This role includes the managed-kafka.auditor permissions.

managed-kafka.editor

The managed-kafka.editor role allows you to manage Apache Kafka® clusters and view their logs, as well as get information about quotas and service resource operations.

Users with this role can:

  • View information about Apache Kafka® clusters, as well as create, modify, delete, run, and stop them.
  • View Apache Kafka® cluster logs.
  • View information about quotas of Managed Service for Apache Kafka®.
  • View information about resource operations for Managed Service for Apache Kafka®.

This role includes the managed-kafka.viewer permissions.

To create Apache Kafka® clusters, you also need the vpc.user role.

managed-kafka.admin

The managed-kafka.admin role allows you to manage Apache Kafka® clusters and view their logs, as well as get information about quotas and service resource operations.

Users with this role can:

  • Manage access to Apache Kafka® clusters.
  • View information about Apache Kafka® clusters, as well as create, modify, delete, run, and stop them.
  • View Apache Kafka® cluster logs.
  • View information about quotas of Managed Service for Apache Kafka®.
  • View information about resource operations for Managed Service for Apache Kafka®.

This role includes the managed-kafka.editor permissions.

To create Apache Kafka® clusters, you also need the vpc.user role.

For more information, see Access management in Managed Service for Apache Kafka®.

Yandex Managed Service for ClickHouse®

managed-clickhouse.auditor

The managed-clickhouse.auditor role allows you to view information about ClickHouse® clusters, as well as quotas and resource operations for Managed Service for ClickHouse®.

managed-clickhouse.viewer

The managed-clickhouse.viewer role allows you to view information about ClickHouse® clusters and their logs, as well as information on quotas and resource operations for Managed Service for ClickHouse®.

This role includes the managed-clickhouse.auditor permissions.

managed-clickhouse.editor

The managed-clickhouse.editor role allows you to manage ClickHouse® clusters and view their logs, as well as get information about quotas and service resource operations.

Users with this role can:

  • View information about ClickHouse® clusters, as well as create, modify, delete, run, and stop them.
  • View ClickHouse® cluster logs.
  • View information about quotas of Managed Service for ClickHouse®.
  • View information about operations with resources of Managed Service for ClickHouse®.

This role includes the managed-clickhouse.viewer permissions.

To create ClickHouse® clusters, you also need the vpc.user role.

managed-clickhouse.admin

The managed-clickhouse.admin role allows you to manage ClickHouse® clusters and view their logs, as well as get information about quotas and service resource operations.

Users with this role can:

  • Manage access to ClickHouse® clusters.
  • View information about ClickHouse® clusters, as well as create, modify, delete, run, and stop them.
  • View ClickHouse® cluster logs.
  • View information about quotas of Managed Service for ClickHouse®.
  • View information about operations with resources of Managed Service for ClickHouse®.

This role includes the managed-clickhouse.editor permissions.

To create ClickHouse® clusters, you also need the vpc.user role.

For more information, see Access management in Managed Service for ClickHouse®.

Yandex Managed Service for GitLab

gitlab.auditor

The gitlab.auditor role enables viewing info on the Managed Service for GitLab instances and quotas.

gitlab.viewer

The gitlab.viewer role enables viewing info on the Managed Service for GitLab instances and quotas.

This role includes the gitlab.auditor permissions.

gitlab.editor

The gitlab.editor role enables managing the Managed Service for GitLab instances and migrating them to other availability zones.

Users with this role can:

  • View info on the Managed Service for GitLab instances, as well as create, modify, and delete such instances.
  • Migrate instances to another availability zones.
  • View info on the quotas for Managed Service for GitLab.

This role includes the gitlab.viewer permissions.

To create Managed Service for GitLab instances, you also need the vpc.user role.

gitlab.admin

The gitlab.admin role enables managing the Managed Service for GitLab instances and migrating them to other availability zones.

Users with this role can:

  • View info on the Managed Service for GitLab instances, as well as create, modify, and delete such instances.
  • Migrate instances to another availability zones.
  • View info on the quotas for Managed Service for GitLab.

This role includes the gitlab.editor permissions.

To create Managed Service for GitLab instances, you also need the vpc.user role.

For more information, see Access management in Managed Service for GitLab.

Yandex Managed Service for Greenplum®

managed-greenplum.auditor

The managed-greenplum.auditor role allows you to view information about Greenplum® clusters and hosts, as well as quotas and resource operations for Managed Service for Greenplum®.

managed-greenplum.viewer

The managed-greenplum.viewer role allows you to view information about Greenplum® clusters and hosts, their logs, as well as information about quotas and service resource operations.

Users with this role can:

  • View information about Greenplum® clusters.
  • View information about Greenplum® cluster hosts.
  • View information about Greenplum® backups.
  • View Greenplum® cluster logs.
  • View information about the results of Greenplum® cluster performance diagnostics.
  • View information about quotas of Managed Service for Greenplum®.
  • View information about resource operations for Managed Service for Greenplum®.

This role includes the managed-greenplum.auditor permissions.

managed-greenplum.editor

The managed-greenplum.editor role allows you to manage Greenplum® clusters and view their logs, as well as get information about quotas and service resource operations.

Users with this role can:

  • View information about Greenplum® clusters, as well as create, modify, delete, run, and stop them.
  • View information about Greenplum® cluster hosts, as well as create, modify, and delete them.
  • View information about Greenplum® backups, as well as create and delete them.
  • View Greenplum® cluster logs.
  • View information about the results of Greenplum® cluster performance diagnostics.
  • View information about quotas of Managed Service for Greenplum®.
  • View information about resource operations for Managed Service for Greenplum®.

This role includes the managed-greenplum.viewer permissions.

To create Greenplum® clusters, you also need the vpc.user role.

managed-greenplum.admin

The managed-greenplum.admin role allows you to manage Greenplum® clusters and view their logs, as well as get information about quotas and service resource operations.

Users with this role can:

  • Manage access to Greenplum® clusters.
  • View information about Greenplum® clusters, as well as create, modify, delete, run, and stop them.
  • View information about Greenplum® cluster hosts, as well as create, modify, and delete them.
  • View information about Greenplum® backups, as well as create and delete them.
  • View Greenplum® cluster logs.
  • View information about the results of Greenplum® cluster performance diagnostics.
  • View information about quotas of Managed Service for Greenplum®.
  • View information about resource operations for Managed Service for Greenplum®.

This role includes the managed-greenplum.editor permissions.

To create Greenplum® clusters, you also need the vpc.user role.

For more information, see Access management in Managed Service for Greenplum®.

Yandex Managed Service for Kubernetes

k8s.viewer

The k8s.viewer role enables you to view information about Kubernetes clusters and node groups.

k8s.editor

The k8s.editor role enables you to create, delete, edit, stop, and start Kubernetes clusters and node groups.

It includes the k8s.viewer role.

k8s.admin

The k8s.admin role enables you to create, delete, edit, stop, and start Kubernetes clusters and node groups.

It includes the k8s.editor role.

k8s.cluster-api.viewer

Users with the k8s.cluster-api.viewer role get the yc:viewer group and the view role in Kubernetes RBAC for all namespaces in a cluster.

k8s.cluster-api.editor

Users with the k8s.cluster-api.editor role get the yc:editor group and the edit role in Kubernetes RBAC for all namespaces in a cluster.

k8s.cluster-api.cluster-admin

Users with the k8s.cluster-api.cluster-admin role get the yc:admin group and the cluster-admin role in Kubernetes RBAC.

k8s.tunnelClusters.agent

k8s.tunnelClusters.agent is a special role for creating Kubernetes clusters with tunnel mode. It enables you to create node groups, disks, and internal load balancers. You can use previously created Yandex Key Management Service keys to encrypt and decrypt secrets. It includes the following roles:

  • compute.admin
  • iam.serviceAccounts.user
  • k8s.viewer
  • kms.keys.encrypterDecrypter
  • load-balancer.privateAdmin

k8s.clusters.agent

k8s.clusters.agent is a special role for the Kubernetes cluster service account. It enables you to create node groups, disks, and internal load balancers. You can use previously created Yandex Key Management Service keys to encrypt and decrypt secrets and connect previously created security groups. When combined with the load-balancer.admin role, it enables you to create a network load balancer with a public IP address. It includes the following roles:

  • k8s.tunnelClusters.agent
  • vpc.privateAdmin

For more information, see Access management in Managed Service for Kubernetes.

Yandex Managed Service for MongoDB

managed-mongodb.auditor

The managed-mongodb.auditor role allows you to view information about MongoDB hosts and clusters, as well as quotas and resource operations for Managed Service for MongoDB.

managed-mongodb.viewer

The managed-mongodb.viewer role allows you to view information about clusters, hosts, shards, databases, MongoDB users, cluster logs, as well as about quotas and service resource operations.

Users with this role can:

  • View information about MongoDB clusters.
  • View information about MongoDB cluster hosts.
  • View information about MongoDB cluster shards.
  • View information about MongoDB databases.
  • View information about MongoDB users.
  • View information about MongoDB backups.
  • View information about MongoDB alerts.
  • View MongoDB cluster logs.
  • View information about the results of MongoDB cluster performance diagnostics.
  • View information about quotas of Managed Service for MongoDB.
  • View information about resource operations for Managed Service for MongoDB.

This role includes the managed-mongodb.auditor permissions.

managed-mongodb.editor

The managed-mongodb.editor role allows you to manage MongoDB clusters and view their logs, as well as get information about quotas and service resource operations.

Users with this role can:

  • Create, modify, delete, run and stop MongoDB clusters and view information about them.
  • Create, modify, and delete MongoDB cluster hosts and view information about them.
  • Create and delete MongoDB cluster shards and view information about them.
  • Create and delete MongoDB databases and view information about them.
  • Create, modify, and delete MongoDB users and view information about them.
  • Create MongoDB backups and view information about them.
  • Create, modify, and delete MongoDB alerts and view information about them.
  • View MongoDB cluster logs.
  • View information about the results of MongoDB cluster performance diagnostics.
  • View information about quotas of Managed Service for MongoDB.
  • View information about resource operations for Managed Service for MongoDB.

This role includes the managed-mongodb.viewer permissions.

To create MongoDB clusters, you also need the vpc.user role.

managed-mongodb.admin

The managed-mongodb.admin role allows you to manage MongoDB clusters and view their logs, as well as get information about quotas and service resource operations.

Users with this role can:

  • Manage access to MongoDB clusters.
  • Create, modify, delete, run and stop MongoDB clusters and view information about them.
  • Create, modify, and delete MongoDB cluster hosts and view information about them.
  • Create and delete MongoDB cluster shards and view information about them.
  • Create and delete MongoDB databases and view information about them.
  • Create, modify, and delete MongoDB users and view information about them.
  • Create MongoDB backups and view information about them.
  • Create, modify, and delete MongoDB alerts and view information about them.
  • View MongoDB cluster logs.
  • View information about the results of MongoDB cluster performance diagnostics.
  • View information about quotas of Managed Service for MongoDB.
  • View information about resource operations for Managed Service for MongoDB.

This role includes the managed-mongodb.editor permissions.

To create MongoDB clusters, you also need the vpc.user role.

For more information, see Access management in Managed Service for MongoDB.

Yandex Managed Service for MySQL®

managed-mysql.auditor

The managed-mysql.auditor role allows you to view information on MySQL® hosts and clusters, as well as quotas and resource operations for Managed Service for MySQL®.

managed-mysql.viewer

The managed-mysql.viewer role allows you to view information on MySQL® clusters, hosts, databases, users, and cluster logs, as well as on quotas and resource operations.

Users with this role can:

  • View information on MySQL® clusters.
  • View information on MySQL® cluster hosts.
  • View information on MySQL® databases.
  • View information on MySQL® users.
  • View information on MySQL® DB backups.
  • View information on MySQL® alerts.
  • View MySQL® cluster logs.
  • View information on the results of MySQL® cluster performance diagnostics.
  • View information on quotas of Managed Service for MySQL®.
  • View information on resource operations for Managed Service for MySQL®.

This role includes the managed-mysql.auditor permissions.

managed-mysql.editor

The managed-mysql.editor role allows you to manage MySQL® clusters and view their logs, as well as get information on service quotas and resource operations.

Users with this role can:

  • View information on MySQL® clusters, as well as create, modify, delete, run, and stop them.
  • View information on MySQL® cluster hosts, as well as create, modify, and delete them.
  • View information on MySQL® databases, as well as create, modify, and delete them.
  • View information on MySQL® users, as well as create, modify, and delete them.
  • View information on MySQL® DB backups, as well as create and delete them.
  • View information on MySQL® alerts, as well as create, modify, and delete them.
  • View MySQL® cluster logs.
  • View information on the results of MySQL® cluster performance diagnostics.
  • View information on quotas of Managed Service for MySQL®.
  • View information on resource operations for Managed Service for MySQL®.

This role includes the managed-mysql.viewer permissions.

To create MySQL® clusters, you also need the vpc.user role.

managed-mysql.admin

The managed-mysql.admin role allows you to manage MySQL® clusters and view their logs, as well as get information on quotas and resource operations.

Users with this role can:

  • Manage access to MySQL® clusters.
  • View information on MySQL® clusters, as well as create, modify, delete, run, and stop them.
  • View information on MySQL® cluster hosts, as well as create, modify, and delete them.
  • View information on MySQL® databases, as well as create, modify, and delete them.
  • View information on MySQL® users, as well as create, modify, and delete them.
  • View information on MySQL® DB backups, as well as create and delete them.
  • View information on MySQL® alerts, as well as create, modify, and delete them.
  • View MySQL® cluster logs.
  • View information on the results of MySQL® cluster performance diagnostics.
  • View information on quotas of Managed Service for MySQL®.
  • View information on resource operations for Managed Service for MySQL®.

This role includes the managed-mysql.editor permissions.

To create MySQL® clusters, you also need the vpc.user role.

For more information, see Access management in Managed Service for MySQL®.

Yandex Managed Service for OpenSearch

managed-opensearch.auditor

The managed-opensearch.auditor role allows you to view information on OpenSearch clusters, as well as quotas and resource operations for Managed Service for OpenSearch.

managed-opensearch.viewer

The managed-opensearch.viewer role allows you to view information on OpenSearch clusters and their logs, as well as on quotas and resource operations for Managed Service for OpenSearch.

This role includes the managed-opensearch.auditor permissions.

managed-opensearch.editor

The managed-opensearch.editor role allows you to manage OpenSearch clusters and view their logs, as well as get information on quotas and resource operations.

Users with this role can:

  • View information on OpenSearch clusters, as well as create, modify, delete, run, and stop them.
  • View OpenSearch cluster logs.
  • View information on quotas of Managed Service for OpenSearch.
  • View information on resource operations for Managed Service for OpenSearch.

This role includes the managed-opensearch.viewer permissions.

To create OpenSearch clusters, you also need the vpc.user role.

managed-opensearch.admin

The managed-opensearch.admin role allows you to manage OpenSearch clusters and view their logs, as well as get information on quotas and resource operations.

Users with this role can:

  • Manage access to OpenSearch clusters.
  • View information on OpenSearch clusters, as well as create, modify, delete, run, and stop them.
  • View OpenSearch cluster logs.
  • View information on quotas of Managed Service for OpenSearch.
  • View information on resource operations for Managed Service for OpenSearch.

This role includes the managed-opensearch.editor permissions.

To create OpenSearch clusters, you also need the vpc.user role.

For more information, see Managing access to Managed Service for OpenSearch.

Yandex Managed Service for PostgreSQL

managed-postgresql.auditor

The managed-postgresql.auditor role allows you to view information on PostgreSQL hosts and clusters, as well as quotas and resource operations for Managed Service for PostgreSQL.

managed-postgresql.viewer

The managed-postgresql.viewer role allows you to view information on PostgreSQL clusters, hosts, databases, users, and cluster logs, as well as on quotas and resource operations.

Users with this role can:

  • View information on PostgreSQL clusters.
  • View information on PostgreSQL cluster hosts.
  • View information on PostgreSQL databases.
  • View information on PostgreSQL users.
  • View information on PostgreSQL DB backups.
  • View information on PostgreSQL alerts.
  • View PostgreSQL cluster logs.
  • View information on the results of PostgreSQL cluster performance diagnostics.
  • View information on quotas of Managed Service for PostgreSQL.
  • View information on resource operations for Managed Service for PostgreSQL.

This role includes the managed-postgresql.auditor permissions.

managed-postgresql.editor

The managed-postgresql.editor role allows you to manage PostgreSQL clusters and view their logs, as well as get information on service quotas and resource operations.

Users with this role can:

  • View information on PostgreSQL clusters, as well as create, modify, delete, run, and stop them.
  • View information on PostgreSQL cluster hosts, as well as create, modify, and delete them.
  • View information on PostgreSQL databases, as well as create, modify, and delete them.
  • View information on PostgreSQL users, as well as create, modify, and delete them.
  • View information on PostgreSQL DB backups, as well as create and delete them.
  • View information on PostgreSQL alerts, as well as create, modify, and delete them.
  • View PostgreSQL cluster logs.
  • View information on the results of PostgreSQL cluster performance diagnostics.
  • View information on quotas of Managed Service for PostgreSQL.
  • View information on resource operations for Managed Service for PostgreSQL.

This role includes the managed-postgresql.viewer permissions.

To create PostgreSQL clusters, you also need the vpc.user role.

managed-postgresql.admin

The managed-postgresql.admin role allows you to manage PostgreSQL clusters and view their logs, as well as get information on quotas and resource operations.

Users with this role can:

  • Manage access to PostgreSQL clusters.
  • View information on PostgreSQL clusters, as well as create, modify, delete, run, and stop them.
  • View information on PostgreSQL cluster hosts, as well as create, modify, and delete them.
  • View information on PostgreSQL databases, as well as create, modify, and delete them.
  • View information on PostgreSQL users, as well as create, modify, and delete them.
  • View information on PostgreSQL DB backups, as well as create and delete them.
  • View information on PostgreSQL alerts, as well as create, modify, and delete them.
  • View PostgreSQL cluster logs.
  • View information on the results of PostgreSQL cluster performance diagnostics.
  • View information on quotas of Managed Service for PostgreSQL.
  • View information on resource operations for Managed Service for PostgreSQL.

This role includes the managed-postgresql.editor permissions.

To create PostgreSQL clusters, you also need the vpc.user role.

For more information, see Access management in Managed Service for PostgreSQL.

Yandex Managed Service for Valkey™

managed-redis.auditor

The managed-redis.auditor role allows you to view information on Valkey™ hosts and clusters, as well as quotas and resource operations for Yandex Managed Service for Valkey™.

managed-redis.viewer

The managed-redis.viewer role allows you to view information on Valkey™ hosts and clusters and their logs, as well as on quotas and resource operations.

Users with this role can:

  • View information on Valkey™ clusters.
  • View information on Valkey™ cluster hosts.
  • View information on Valkey™ cluster shards.
  • View information on Valkey™ DB backups.
  • View information on Valkey™ alerts.
  • View Valkey™ cluster logs.
  • View information on quotas of Yandex Managed Service for Valkey™.
  • View information on resource operations for Yandex Managed Service for Valkey™.

This role includes the managed-redis.auditor permissions.

managed-redis.editor

The managed-redis.editor role allows you to manage Valkey™ clusters and view their logs, as well as get information on service quotas and resource operations.

Users with this role can:

  • View information on Valkey™ clusters, as well as create, modify, delete, run, and stop them.
  • View information on Valkey™ cluster hosts, as well as create, modify, and delete them.
  • View information on Valkey™ cluster shards, as well as create and delete them.
  • View information on Valkey™ DB backups and create those.
  • View information on Valkey™ alerts, as well as create, modify, and delete them.
  • View Valkey™ cluster logs.
  • View information on quotas of Yandex Managed Service for Valkey™.
  • View information on resource operations for Yandex Managed Service for Valkey™.

This role includes the managed-redis.viewer permissions.

To create Valkey™ clusters, you also need the vpc.user role.

managed-redis.admin

The managed-redis.admin role allows you to manage Valkey™ clusters and view their logs, as well as get information on quotas and resource operations.

Users with this role can:

  • Manage access to Valkey™ clusters.
  • View information on Valkey™ clusters, as well as create, modify, delete, run, and stop them.
  • View information on Valkey™ cluster hosts, as well as create, modify, and delete them.
  • View information on Valkey™ cluster shards, as well as create and delete them.
  • View information on Valkey™ DB backups and create those.
  • View information on Valkey™ alerts, as well as create, modify, and delete them.
  • View Valkey™ cluster logs.
  • View information on quotas of Yandex Managed Service for Valkey™.
  • View information on resource operations for Yandex Managed Service for Valkey™.

This role includes the managed-redis.editor permissions.

To create Valkey™ clusters, you also need the vpc.user role.

For more information, see Access management in Yandex Managed Service for Valkey™.

Yandex Managed Service for SQL Server

managed-sqlserver.auditor

The managed-sqlserver.auditor role allows you to view information on SQL Server clusters, hosts, users, databases, and DB backups, as well as on quotas and resource operations for Managed Service for SQL Server.

managed-sqlserver.viewer

The managed-sqlserver.viewer role allows you to view SQL Server cluster logs, as well as information on SQL Server clusters, hosts, users, databases, and DB backups.

Users with this role can:

  • View info on SQL Server clusters.
  • View info on SQL Server cluster hosts.
  • View info on SQL Server users.
  • View info on SQL Server databases.
  • View info on SQL Server DB backups.
  • View SQL Server cluster logs.
  • View info on resource operations for Managed Service for SQL Server.
  • View info on the quotas for Managed Service for SQL Server.

This role includes the managed-sqlserver.auditor permissions.

managed-sqlserver.editor

The managed-sqlserver.editor role allows you to manage SQL Server clusters, hosts, users, and databases, as well as create DB backups and view SQL Server cluster logs.

Users with this role can:

  • View info on SQL Server clusters, as well as use, create, start, stop, modify, and delete them.
  • View info on SQL Server cluster hosts, as well as create, modify, and delete them.
  • View info on SQL Server users, as well as create, modify, and delete them.
  • View info on SQL Server databases, as well as create, modify, and delete them.
  • View info on SQL Server DB backups, as well as create such backups.
  • View SQL Server cluster logs.
  • View info on resource operations for Managed Service for SQL Server.
  • View info on the quotas for Managed Service for SQL Server.

This role includes the managed-sqlserver.viewer permissions.

managed-sqlserver.admin

The managed-sqlserver.admin role allows you to manage SQL Server clusters, hosts, users, and databases, as well as create DB backups and view SQL Server cluster logs.

Users with this role can:

  • View info on SQL Server clusters, as well as use, create, start, stop, modify, and delete them.
  • View info on SQL Server cluster hosts, as well as create, modify, and delete them.
  • View info on SQL Server users, as well as create, modify, and delete them.
  • View info on SQL Server databases, as well as create, modify, and delete them.
  • View info on SQL Server DB backups, as well as create such backups.
  • View SQL Server cluster logs.
  • View info on resource operations for Managed Service for SQL Server.
  • View info on the quotas for Managed Service for SQL Server.

This role includes the managed-sqlserver.editor permissions.

Yandex Managed Service for YDB

ydb.auditor

The ydb.auditor role enables establishing connections to databases, viewing info on databases and access permissions granted to them, as well as on the database schema objects and backups.

Users with this role can:

  • Establish database connections.
  • View the list of databases and info on them, as well as on the access permissions granted to them.
  • View info on database backups and the access permissions granted to them.
  • View the list of database schema objects, such as tables, indexes, and folders, and info on them.
  • View info on the quotas for Managed Service for YDB.
  • View info on the relevant cloud and folder.

ydb.viewer

The ydb.viewer role enables establishing connections to databases and querying them for reading, viewing info on databases and access permissions granted to them, as well as on the database schema objects and backups.

Users with this role can:

  • Establish connections with databases and query them for reading.
  • View the list of databases and info on them, as well as on the access permissions granted to them.
  • View info on database backups and the access permissions granted to them.
  • View the list of database schema objects, such as tables, indexes, and folders, and info on them.
  • View info on the quotas for Managed Service for YDB.
  • View info on the relevant cloud and folder.

This role includes the ydb.auditor permissions.

ydb.editor

The ydb.editor role enables managing databases, schema objects, and database backups, as well as querying DBs for both reading and writing.

Users with this role can:

  • View the list of databases, info on them and the access permissions granted to them, as well as create, run, stop, modify, and delete DBs.
  • Establish connections with databases and query them for reading and writing.
  • View info on database backups and the access permissions granted to them, as well as create and delete them and use them to restore databases.
  • View the list of schema objects, such as tables, indexes, and folders, and info on those, as well as create, modify, and delete such objects.
  • View info on the quotas for Managed Service for YDB.
  • View info on the relevant cloud and folder.

This role includes the ydb.viewer permissions.

ydb.admin

The ydb.admin role enables managing databases and access to them, as well as schema objects and database backups. It also allows you to query DBs for both reading and writing.

Users with this role can:

  • View the list of databases and info on them, as well as create, run, stop, modify, and delete them.
  • View info on granted access permissions to databases and modify such permissions.
  • Establish connections with databases and query them for reading and writing.
  • View info on database backups, as well as create and delete them and use them to restore databases.
  • View info on granted access permissions to backups and modify such permissions.
  • View the list of schema objects, such as tables, indexes, and folders, and info on those, as well as create, modify, and delete such objects.
  • View info on the quotas for Managed Service for YDB.
  • View info on the relevant cloud and folder.

This role includes the ydb.editor permissions.

ydb.kafkaApi.client

The ydb.kafkaApi.client role allows you to work with ydb over the Kafka API protocol using plain authentication over an SSL connection.

For more information, see Access management in Managed Service for YDB.

Yandex Message Queue

ymq.reader

The ymq.reader role grants permission to read and delete messages, set message visibility timeouts, and clear a queue of messages. It allows you to get a list of queues and queue information.

ymq.writer

The ymq.writer role grants permission to write messages to a queue and create new queues. It allows you to get a list of queues and queue information.

ymq.admin

The ymq.admin role includes access rights of the ymq.reader and ymq.writer roles and allows updating queue attributes and deleting queues. It allows you to get a list of queues and queue information.

For more information, see Access management in Message Queue.

Yandex Monitoring

monitoring.viewer

The monitoring.viewer role enables downloading metrics and viewing info on metrics, dashboards, and widgets.

Users with this role can:

monitoring.editor

The monitoring.editor role enables managing dashboards and widgets, uploading and downloading metrics, and viewing the notification history and quota details.

Users with this role can:

This role includes the monitoring.viewer permissions.

monitoring.admin

The monitoring.admin role enables managing dashboards and widgets, uploading and downloading metrics, and viewing the notification history, info on quotas, and folder metadata.

Users with this role can:

This role includes the monitoring.editor permissions.

For more information, see Access management in Monitoring.

Yandex Network Load Balancer

load-balancer.auditor

The load-balancer.auditor role enables viewing the list of target groups and network load balancers, as well as viewing the info on them and on the Network Load Balancer quotas.

Users with this role can:

  • View the list of target groups and the info on them.
  • View the list of network load balancers and the info on them.
  • View the list of operations with the Network Load Balancer resources.
  • View information on the relevant cloud and folder.
  • View info on Network Load Balancer quotas.

load-balancer.viewer

The load-balancer.viewer role enables viewing the list of target groups and network load balancers, as well as viewing the info on them, the list of operations on them, the info on the relevant cloud and folder, and the Network Load Balancer quotas.

Users with this role can:

  • View the list of target groups and the info on them.
  • View the list of network load balancers and the info on them.
  • View the list of operations with the Network Load Balancer resources.
  • View information on the relevant cloud and folder.
  • View info on Network Load Balancer quotas.

This role includes the load-balancer.auditor permissions.

load-balancer.privateAdmin

The load-balancer.privateAdmin role enables managing internal network load balancers and target groups, as well as viewing info on them and on the cloud networks, subnets, route tables, gateways, security groups, and IP addresses.

Users with this role can:

  • View the list of network load balancers and the info on them, as well as create internal network load balances (including those with UDP listeners), modify, delete, start, and stop them.
  • View the list of target groups and the info on them, as well as create, modify, delete, and use target groups.
  • View the list of cloud networks and the info on them.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud resource addresses and the info on them.
  • View the list of route tables and the info on them.
  • View the list of security groups and the info on them.
  • View information on NAT gateways.
  • View the info on the used IP addresses in subnets, as well as create internal addresses.
  • View the info on operations with the Virtual Private Cloud and Compute Cloud resources.
  • View the list of operations with the Network Load Balancer resources.
  • View information on the relevant cloud and folder.
  • View info on Network Load Balancer and Virtual Private Cloud quotas.

This role includes the load-balancer.viewer and vpc.viewer permissions.

load-balancer.editor

The load-balancer.editor role enables managing internal and external network load balancers and target groups, as well as viewing info on them and on the cloud networks, subnets, route tables, gateways, security groups, and IP addresses. The role does not allow creating public IP addresses.

Users with this role can:

  • View the list of network load balancers and info on them.
  • Create internal and external network load balancers and those with UDP listeners, as well as modify, delete, start, and stop load balancers.
  • View the list of target groups and the info on them, as well as create, modify, delete, and use target groups.
  • View the list of cloud networks and info on them, as well as set up external access to them.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud resource addresses and the info on them.
  • View the list of route tables and the info on them.
  • View the list of security groups and the info on them.
  • View information on NAT gateways.
  • View the info on the used IP addresses, create private addresses and use them.
  • View the info on operations with the Virtual Private Cloud and Compute Cloud resources.
  • View the list of operations with the Network Load Balancer resources.
  • View information on the relevant cloud and folder.
  • View info on Network Load Balancer and Virtual Private Cloud quotas.

This role includes the load-balancer.privateAdmin permissions.

load-balancer.admin

The load-balancer.admin role enables managing internal and external network load balancers and target groups, as well as viewing info on them and on the cloud networks, subnets, route tables, gateways, security groups, and IP addresses.

Users with this role can:

  • View the list of network load balancers and info on them.
  • Create internal and external network load balancers and those with UDP listeners, as well as modify, delete, start, and stop load balancers.
  • View the list of target groups and the info on them, as well as create, modify, delete, and use target groups.
  • View the list of cloud networks and info on them, as well as set up external access to them.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud resource addresses and the info on them.
  • View the list of route tables and the info on them.
  • View the list of security groups and the info on them.
  • View information on NAT gateways.
  • View the info on the used IP addresses, create private and public addresses, and use them.
  • View the info on operations with the Virtual Private Cloud and Compute Cloud resources.
  • View the list of operations with the Network Load Balancer resources.
  • View information on the relevant cloud and folder.
  • View info on Network Load Balancer and Virtual Private Cloud quotas.

This role includes the load-balancer.editor permissions.

For more information, see Access management in Network Load Balancer.

Yandex Object Storage

storage.viewer

The storage.viewer role gives you read access to the list of buckets, settings, and data.

storage.configViewer

The storage.configViewer role enables you to view the security settings of buckets and their objects. It does not grant access to data stored in buckets.

storage.configurer

The storage.configurer role enables you to manage the settings of object lifecycles, static website hosting, access policy, and CORS.

It does not permit the user to manage access control list (ACL) or public access settings. It does not grant access to bucket data.

storage.uploader

The storage.uploader role enables you to upload objects to a bucket and overwrite previously uploaded ones. Since the storage.uploader role inherits the permissions of the storage.viewer role, it also grants permission to list bucket objects and download them.

This role does not allow you to delete objects or configure buckets.

storage.editor

The storage.editor role enables you to perform any operation with buckets and objects in the folder: create, delete, and edit them.

This role does not allow you to manage access control list (ACL) settings or create publicly accessible buckets.

storage.admin

The storage.admin role is intended for managing Object Storage.

Users with this role can:

  • Create buckets (including publicly accessible ones).
  • Delete buckets.
  • Assign an access control list (ACL).
  • Manage any bucket object.
  • Manage any bucket website.
  • Configure other bucket parameters and objects in the bucket.

This role enables the user to grant other users access to a bucket or a specific object in it.

This role can be assigned by the administrator of the cloud (the admin role).

For more information, see Managing access with Yandex Identity and Access Management.

Yandex Query

yq.auditor

The yq.auditor role allows you to view the service metadata, including the information on folder, connections, bindings, and queries.

yq.viewer

Users with the yq.viewer role can view queries and their results.

This role includes the yq.auditor permissions.

yq.editor

Users assigned the yq.editor role can view, edit, and delete their connections and queries, as well as run the queries they create. The yq.editor role includes all permissions of the yq.viewer role.

yq.admin

The yq.admin role allows you to manage any Query resources, including those labeled as private. The yq.admin role includes all permissions of the yq.editor role.

yq.invoker

Users with the yq.invoker role can run queries in Query. The role is designed to automate query execution by service accounts. For example, you can use it to run queries by an event or on schedule.

For more information, see Access management in Query.

Yandex Resource Manager

resource-manager.auditor

The resource-manager.auditor role enables viewing cloud and folder metadata, as well as the info on the access permissions granted to clouds and folders.

Users with this role can:

  • View info on clouds and their settings, as well as on the access permissions granted to clouds.
  • View info on folders and their settings, as well as on the access permissions granted to folders.
  • View info on the Resource Manager quotas.

resource-manager.viewer

The resource-manager.viewer role enables viewing info on clouds and folders, as well as on the access permissions to clouds and folders.

Users with this role can:

  • View info on clouds and their settings, as well as on the access permissions to clouds.
  • View info on folders and their settings, as well as on the access permissions to folders.
  • View info on the Resource Manager quotas.

This role includes the resource-manager.auditor permissions.

resource-manager.editor

The resource-manager.editor role enables managing clouds and folders, as well as viewing the info on the access permissions granted to clouds and folders.

Users with this role can:

  • View info on clouds, their settings, and the access permissions to such clouds, as well as create, modify, and delete clouds.
  • View info on folders, their settings, and the access permissions to such folders, as well as create, modify, and delete folders.
  • View info on the Resource Manager quotas.

This role includes the resource-manager.viewer permissions.

resource-manager.admin

The resource-manager.admin role enables managing clouds and folders, as well as access to those.

Users with this role can:

  • View info on granted access permissions to clouds and modify such permissions.
  • View info on clouds and their settings, as well as create, modify, and delete clouds.
  • View info on granted access permissions to folders and modify such permissions.
  • View info on folders and their settings, as well as create, modify, and delete folders.
  • View info on the Resource Manager quotas.

This role includes the resource-manager.editor permissions.

resource-manager.clouds.member

The resource-manager.clouds.member role enables viewing info on the relevant cloud and contacting the Yandex Cloud support.

The role can only be assigned for a cloud.

Users with this role can:

  • View the list of technical support requests and the info on them, as well as create and close such requests, leave comments, and attach files to them.
  • View info on clouds and their settings.

resource-manager.clouds.owner

The resource-manager.clouds.owner role enables running any operations within the cloud and its child resources.

It also allows you to manage linking the cloud to a billing account (for that purpose, you also need permissions for that billing account). For more information on managing access to a billing account, see the Yandex Cloud Billing documentation.

By default, the users with this role get notifications on what happens to the cloud and its folders.

You can only assign this role for a cloud. Any user creating a cloud automatically gets such a role for the cloud.

This role includes the admin and resource-manager.clouds.member permissions.

For more information, see Access management in Resource Manager.

Yandex Search API

search-api.executor

The search-api.executor role enables using Yandex Search API and running search queries via API v1.

search-api.webSearch.user

The search-api.webSearch.user role enables running search queries in Yandex Search API via API v2, as well as viewing info on the cloud, folder, and Yandex Search API quotas.

search-api.auditor

The search-api.auditor role enables viewing info on the registered IP addresses and Yandex Search API quotas, as well as on the relevant clouds and folders.

search-api.viewer

The search-api.viewer role enables viewing info on the registered IP addresses and Yandex Search API quotas, as well as on the relevant clouds and folders.

This role includes the search-api.auditor permissions.

search-api.editor

The search-api.editor role enables managing registered IP addresses and running search queries in Yandex Search API via API v1 and API v2.

Users with this role can:

This role includes the search-api.viewer, search-api.webSearch.user , and search-api.executor permissions.

search-api.admin

The search-api.admin role enables managing registered IP addresses and running search queries in Yandex Search API via API v1 and API v2.

Users with this role can:

This role includes the search-api.editor permissions.

For more information, see Access management in Yandex Search API.

Yandex Security Deck

General Yandex Security Deck roles

security-deck.auditor

The security-deck.auditor role enables viewing info on DSPM resources, as well as on scan jobs and the number of detected security threats. With this role, you cannot view masked and unprocessed data.

Users with this role can:

  • View info on DSPM profiles.
  • View info on DSPM data sources.
  • View info on security scan jobs.
  • View scan results and the info on the detected threats.

This role includes the dspm.auditor permissions.

security-deck.viewer

The security-deck.viewer role enables viewing info on the events of access to organization resources by Yandex Cloud employees, as well as on DSPM resources, scan jobs, and the number of detected security threats. With this role, you cannot view masked and unprocessed data.

Users with this role can:

  • View the list of the events when Yandex Cloud employees access organization resources.
  • Approve or disapprove the result of the neural network-driven analysis of the events when Yandex Cloud employees access organization resources.
  • View info on DSPM profiles.
  • View info on DSPM data sources.
  • View info on security scan jobs.
  • View scan results and the info on the detected threats.

This role includes the dspm.viewer and access-transparency.viewer permissions.

security-deck.editor

The security-deck.editor role enables managing subscriptions on events of access to organization resources by Yandex Cloud employees, as well as using DSPM profiles and managing data sources and security scans. With this role, you cannot view masked and unprocessed data.

Users with this role can:

  • Select a billing account in Access Transparency.
  • View info on subscriptions on events of access to organization resources by Yandex Cloud employees, as well as create, delete, and cancel deletion of such subscriptions.
  • View the list of the events when Yandex Cloud employees access organization resources.
  • Approve or disapprove the result of the neural network-driven analysis of the events when Yandex Cloud employees access organization resources.
  • View info on DSPM profiles and use them.
  • View info on DSPM data sources, as well as create, modify, use, and delete them.
  • View info on security scan jobs, as well as create, modify, and delete such jobs.
  • Run security scan jobs and view their results, as well as info on the detected threats.
  • View the bucket metadata.

This role includes the dspm.editor and access-transparency.editor permissions.

security-deck.admin

The security-deck.admin role enables managing subscriptions on events of access to organization resources by Yandex Cloud employees, as well as using DSPM profiles and managing data sources and security scans, which includes viewing masked and unprocessed data in the scan results.

Users with this role can:

  • Select a billing account in Access Transparency.
  • View info on subscriptions on events of access to organization resources by Yandex Cloud employees, as well as create, delete, and cancel deletion of such subscriptions.
  • View the list of the events when Yandex Cloud employees access organization resources.
  • Approve or disapprove the result of the neural network-driven analysis of the events when Yandex Cloud employees access organization resources.
  • View info on DSPM profiles and use them.
  • View info on DSPM data sources, as well as create, modify, use, and delete them.
  • Use Yandex Cloud resources in DSPM data sources.
  • View info on DSPM data categories.
  • View info on security scan jobs, as well as create, modify, and delete such jobs.
  • Run security scan jobs and view their results, as well as info on the detected threats.
  • View the bucket metadata.

This role includes the dspm.admin and access-transparency.admin permissions.

For more information, see General Yandex Security Deck roles.

Access Transparency roles

access-transparency.viewer

The access-transparency.viewer role enables viewing the list of subscriptions to the events when Yandex Cloud employees access organization resources and approving or disapproving the result of the neural network-driven analysis of such events.

access-transparency.editor

The access-transparency.editor role enables selecting a billing account in Access Transparency, managing subscriptions to the events when Yandex Cloud employees access organization resources, viewing the list of such events, and approving or disapproving the result of the neural network-driven analysis of such events.

This role includes the access-transparency.billingProvider and access-transparency.subscriptionManager permissions.

access-transparency.admin

The access-transparency.admin role enables selecting a billing account in Access Transparency, managing subscriptions to the events when Yandex Cloud employees access organization resources, viewing the list of such events, and approving or disapproving the result of the neural network-driven analysis of such events.

This role includes the access-transparency.editor permissions.

access-transparency.billingProvider

The access-transparency.billingProvider role enables selecting a billing account in Access Transparency.

access-transparency.subscriptionManager

The access-transparency.subscriptionManager role enables managing subscriptions to the events when Yandex Cloud employees access organization resources, viewing the list of such events, and approving or disapproving the result of the neural network-driven analysis of such events.

This role includes the access-transparency.viewer permissions.

For more information, see Access management in Access Transparency.

DSPM roles

dspm.inspector

The dspm.inspector role enables creating DSPM data sources using the specified Yandex Cloud resources. To create a DSPM data source, assign this role to a user for the appropriate cloud resource.

dspm.auditor

The dspm.auditor role enables viewing info on DSPM resources, as well as on scan jobs and the number of detected security threats. With this role, you cannot view masked and unprocessed data.

Users with this role can:

  • View info on DSPM profiles.
  • View info on DSPM data sources.
  • View info on security scan jobs.
  • View scan results and the info on the detected threats.

dspm.viewer

The dspm.viewer role enables viewing info on DSPM resources, as well as on scan jobs and the number of detected security threats. With this role, you cannot view masked and unprocessed data.

Users with this role can:

  • View info on DSPM profiles.
  • View info on DSPM data sources.
  • View info on security scan jobs.
  • View scan results and the info on the detected threats.

This role includes the dspm.auditor permissions.

dspm.editor

The dspm.editor role enables using DSPM profiles and managing data sources and security scans. With this role, you cannot view masked and unprocessed data.

Users with this role can:

  • View info on DSPM profiles and use them.
  • View info on DSPM data sources, as well as create, modify, use, and delete them.
  • View info on security scan jobs, as well as create, modify, and delete such jobs.
  • Run security scan jobs and view their results, as well as info on the detected threats.
  • View the bucket metadata.

This role includes the dspm.viewer permissions.

dspm.admin

The dspm.admin role enables using DSPM profiles and managing data sources and security scans, which includes viewing masked and unprocessed data in the scan results.

Users with this role can:

  • View info on DSPM profiles and use them.
  • View info on DSPM data sources, as well as create, modify, use, and delete them.
  • Use Yandex Cloud resources in DSPM data sources.
  • View info on DSPM data categories.
  • View info on security scan jobs, as well as create, modify, and delete such jobs.
  • Run security scan jobs and view their results, as well as info on the detected threats.
  • View the bucket metadata.

This role includes the dspm.editor and dspm.inspector permissions.

For more information, see Access management in DSPM.

Yandex Serverless Containers

serverless-containers.auditor

The serverless-containers.auditor role enables viewing info on containers, except for the info on the revision environment variables.

serverless-containers.viewer

The serverless-containers.viewer role enables viewing info on containers, as well as on the relevant cloud and folder.

Users with this role can:

This role includes the serverless-containers.auditor permissions.

serverless-containers.editor

The serverless-containers.editor role enables managing containers and viewing info on them, as well as on the relevant cloud and folder.

Users with this role can:

This role includes the serverless-containers.viewer permissions.

serverless-containers.admin

The serverless-containers.admin role enables managing containers and access to them, as well as viewing info on containers and the relevant cloud and folder.

Users with this role can:

This role includes the serverless-containers.editor permissions.

serverless-containers.containerInvoker

The serverless-containers.containerInvoker role enables invoking containers.

serverless.containers.viewer

The serverless.containers.viewer role enables viewing info on containers, as well as on the relevant cloud and folder.

Users with this role can:

  • View info on containers, including the revision environment variables.
  • View info on granted access permissions to containers.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role is no longer available. Please use serverless-containers.viewer instead.

serverless.containers.editor

The serverless.containers.editor role enables managing containers and viewing info on them, as well as on the relevant cloud and folder.

Users with this role can:

  • Create, invoke, modify, and delete containers.
  • View info on containers, including the revision environment variables, as well as on the granted access permissions to containers.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role is no longer available. Please use serverless-containers.editor instead.

serverless.containers.admin

The serverless.containers.admin role enables managing containers and access to them, as well as viewing info on containers and the relevant cloud and folder.

Users with this role can:

  • Create, invoke, modify, and delete containers.
  • View info on granted access permissions to containers and modify such permissions.
  • View info on containers, including the revision environment variables.
  • View info on the relevant cloud.
  • View info on the relevant folder.

This role is no longer available. Please use serverless-containers.admin instead.

serverless.containers.invoker

The serverless.containers.invoker role enables invoking containers.

This role is no longer available. Please use serverless-containers.containerInvoker instead.

For more information, see Access management in Serverless Containers.

Yandex SmartCaptcha

smart-captcha.auditor

The smart-captcha.auditor role enables viewing info on CAPTCHAs and access permissions assigned to them.

smart-captcha.viewer

The smart-captcha.viewer role enables viewing info on CAPTCHAs and access permissions assigned to them, as well as getting CAPTCHA keys.

This role includes the smart-captcha.auditor permissions.

smart-captcha.editor

The smart-captcha.editor role enables you to manage CAPTCHAs, view info on them, and get CAPTCHA keys.

Users with this role can:

This role includes the smart-captcha.viewer permissions.

smart-captcha.admin

The smart-captcha.admin role enables managing CAPTCHAs and access to them, as well as getting CAPTCHA keys.

Users with this role can:

This role includes the smart-captcha.editor permissions.

For more information, see Access management in SmartCaptcha.

Yandex Smart Web Security

smart-web-security.auditor

The smart-web-security.auditor role allows you to view information on security profiles in Smart Web Security and the metadata of the relevant cloud and folder.

Users with this role can:

  • View info on security profiles in Smart Web Security.
  • View info on access permissions assigned for security profiles.
  • View the list of L7 load balancer virtual hosts in Yandex Application Load Balancer to which the security profile is connected.
  • View information on the relevant cloud.
  • View info on the relevant folder.

To assign the smart-web-security.auditor role, you need the admin role for the cloud or smart-web-security.admin role for the folder.

smart-web-security.viewer

The smart-web-security.viewer role allows you to view information on security profiles in Smart Web Security, as well as on the relevant cloud and folder.

Users with this role can:

  • View info on security profiles in Smart Web Security.
  • View info on access permissions assigned for security profiles.
  • View the list of L7 load balancer virtual hosts in Yandex Application Load Balancer to which the security profile is connected.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the smart-web-security.auditor permissions.

To assign the smart-web-security.viewer role, you either need the admin role for the cloud or the smart-web-security.admin one for the folder.

smart-web-security.user

The smart-web-security.user role allows you to view information on security profiles in Smart Web Security and use them.

Users with this role can:

  • View info on security profiles in Smart Web Security and use them in other Yandex Cloud services.
  • View info on access permissions assigned for security profiles.
  • View the list of L7 load balancer virtual hosts in Yandex Application Load Balancer to which the security profile is connected.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the smart-web-security.viewer permissions.

To assign the smart-web-security.user role, you need either the admin role for the cloud or the smart-web-security.admin one for the folder.

smart-web-security.editor

The smart-web-security.editor role allows you to use security profiles in Smart Web Security and manage them.

Users with this role can:

  • View info on security profiles in Smart Web Security, create, modify, and delete them, as well as use these security profiles in other Yandex Cloud services.
  • View info on access permissions assigned for security profiles.
  • View the list of L7 load balancer virtual hosts in Yandex Application Load Balancer to which the security profile is connected.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the smart-web-security.user permissions.

To assign the smart-web-security.editor role, you need the admin role for the cloud or the smart-web-security.admin one for the folder.

smart-web-security.admin

The smart-web-security.admin role allows you to use security profiles in Smart Web Security, manage them, and manage access to them.

Users with this role can:

  • View info on access permissions assigned for security profiles and modify such permissions.
  • View info on security profiles in Smart Web Security, create, modify, and delete them, as well as use these security profiles in other Yandex Cloud services.
  • View the list of L7 load balancer virtual hosts in Yandex Application Load Balancer to which the security profile is connected.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the smart-web-security.editor permissions.

To assign the smart-web-security.admin role, you need the admin role for the cloud.

For more information, see Access management in Smart Web Security.

Yandex SpeechKit

ai.speechkit-stt.user

The ai.speechkit-stt.user role allows you to use Yandex SpeechKit for speech recognition, as well as view info on the relevant cloud, folder, and quotas.

ai.speechkit-tts.user

The ai.speechkit-tts.user role allows you to use Yandex SpeechKit for speech synthesis, as well as view info on the relevant cloud, folder, and quotas.

For more information, see Access management in SpeechKit.

Yandex SpeechSense

speech-sense.auditor

The speech-sense.auditor role enables you to view names, descriptions, and lists of members of a project or a space with all of its projects. The role does not provide access to project data.

speech-sense.viewer

The speech-sense.viewer role enables you to view project or space characteristics, the list of their members, connections, and dashboards.

The speech-sense.viewer role includes all permissions of the speech-sense.auditor role.

speech-sense.editor

The speech-sense.editor role enables you to edit a project, its description, dashboards, and alerts, create and edit its classifiers, and run analyses. When assigned for a space, the role allows you to edit the space and create projects, connections, and dictionaries within it.

The speech-sense.editor role includes all permissions of the speech-sense.viewer role.

speech-sense.admin

The speech-sense.admin role assigned for a space or project enables you to perform any action in them: view dialogs, edit connections, or run analyses. The role grants permission to assign roles to other users.

The speech-sense.admin role includes all permissions of the speech-sense.editor and speech-sense.data.editor roles.

speech-sense.spaces.creator

The speech-sense.spaces.creator role allows you to create spaces in SpeechSense.

speech-sense.data.viewer

The speech-sense.data.viewer role allows you to view a project's name or description, the list of connections, dashboards, and project members. It also enables you to search inside documents, listen to dialogs, and view their text transcripts. When assigned for a space, this role enables you to view all of its projects without editing them.

speech-sense.data.editor

The speech-sense.data.editor role enables you to upload dialogs to project or space connections, evaluate these dialogs and comment on them in the system.

The speech-sense.data.editor role includes all permissions of the speech-sense.data.viewer role.

Users with roles like speech-sense.data.* can view and rate the contents of documents but do not have access to aggregate information.

For more information, see Access management in SpeechSense.

Yandex Translate

ai.translate.user

The ai.translate.user role allows you to use Yandex Translate to translate texts, as well as view info on the relevant cloud, folder, and quotas.

For more information, see Access management in Translate.

Yandex Virtual Private Cloud

vpc.auditor

The vpc.auditor roles allows you to view service metadata, including information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on service quotas and resource operations.

Users with this role can:
  • View the list of cloud networks and the info on them.
  • View the list of subnets and info on them.
  • View the list of cloud resource addresses and the info on them.
  • View the list of route tables and the info on them.
  • View the list of security groups and the info on them.
  • View information on NAT gateways.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

vpc.viewer

The vpc.viewer role allows you to view information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on the quotas and resource operations.

Users with this role can:
  • View the list of cloud networks and the info on them.
  • View the list of subnets and info on them.
  • View the list of cloud resource addresses and the info on them.
  • View the list of route tables and the info on them.
  • View the list of security groups and the info on them.
  • View information on NAT gateways.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the vpc.auditor permissions.

vpc.user

The vpc.user role allows you to use cloud networks, subnets, route tables, gateways, security groups, and IP addresses, get information on these resources, as well as on the quotas and resource operations.

Users with this role can:
  • View the list of cloud networks and info on them, as well as use them.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud resource addresses and info on them, as well as use such addresses.
  • View the list of route tables and info on them, as well as use them.
  • View the list of security groups and info on them, as well as use them.
  • View information on NAT gateways and connect them to route tables.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the vpc.viewer permissions.

vpc.externalAddresses.user

The vpc.externalAddresses.user role allows you to view the list of private and public addresses of the cloud resources; it also enables viewing info on such addresses, using them, and managing the external network connectivity.

vpc.admin

The vpc.admin role allows you to manage cloud networks, subnets, route tables, NAT gateways, security groups, internal and public IP addresses, as well as external network connectivity.

Users with this role can:
  • View the list of cloud networks and info on them, as well as create, modify, and delete them.
  • Configure external access to cloud networks.
  • Manage connectivity of multiple cloud networks.
  • Manage multi-interface instances that provide connectivity between multiple networks.
  • View the list of subnets and info on them, as well as create, modify, and delete them.
  • View the list of route tables and info on them, as well as create, modify, and delete them.
  • Link route tables to subnets.
  • View information on NAT gateways, as well as create, modify, and delete them.
  • Connect NAT gateways to route tables.
  • View the list of security groups and info on them, as well as create, modify, and delete them.
  • Create and delete default security groups in cloud networks.
  • Create and delete security group rules, as well as edit their metadata.
  • Configure DHCP in subnets.
  • View the list of cloud resource addresses and info on them, as well as create, update, and delete internal and public IP addresses.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the vpc.privateAdmin, vpc.publicAdmin, and vpc.securityGroups.admin permissions.

vpc.bridgeAdmin

The vpc.bridgeAdmin role allows you to use subnets and manage connectivity of multiple cloud networks. This role also allows you to view information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on service quotas and resource operations.

Users with this role can:
  • Manage connectivity of multiple cloud networks.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud networks and the info on them.
  • View the list of cloud resource addresses and the info on them.
  • View the list of route tables and the info on them.
  • View the list of security groups and the info on them.
  • View information on NAT gateways.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the vpc.viewer permissions.

vpc.privateAdmin

The vpc.privateAdmin role allows you to manage cloud networks, subnets, and route tables, as well as view information on the quotas, resources, and resource operations. This role also allows you to manage connectivity within Yandex Cloud, while it does not allow doing so from the internet.

Users with this role can:
  • View the list of cloud networks and info on them, as well as create, modify, and delete them.
  • View the list of subnets and info on them, as well as create, modify, and delete them.
  • View the list of route tables and info on them, as well as create, modify, and delete them.
  • Link route tables to subnets.
  • View the list of security groups and info on them, as well as create default security groups within cloud networks.
  • Configure DHCP in subnets.
  • View the list of cloud resource addresses and info on them, as well as create internal IP addresses.
  • View information on NAT gateways.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the vpc.viewer permissions.

vpc.publicAdmin

The vpc.publicAdmin role allows you to manage NAT gateways, public IP addresses, and external network connectivity, as well as view information on the quotas, resources, and resource operations. This role grants administrator privileges for multi-interface instances that provide connectivity between multiple networks.

Users with this role can:
  • View the list of cloud networks and info on them, as well as set up external access to them.
  • Manage connectivity of multiple cloud networks.
  • Manage multi-interface instances that provide connectivity between multiple networks.
  • View the list of subnets and info on them, as well as modify them.
  • View information on NAT gateways, as well as create, modify, and delete them.
  • Connect NAT gateways to route tables.
  • View the list of cloud resource addresses and info on them, as well as create, update, and delete public IP addresses.
  • View the list of route tables and info on them, as well as link them to subnets.
  • View the list of security groups and the info on them.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role includes the vpc.viewer permissions.

You can assign a role for a cloud or folder.

Warning

If a network and subnet are in different folders, the vpc.publicAdmin role is checked for the folder where the network is located.

vpc.gateways.viewer

The vpc.gateways.viewer role allows you to view information on NAT gateways.

vpc.gateways.user

The vpc.gateways.user role allows you to view information on NAT gateways and connect them to route tables.

vpc.gateways.editor

The vpc.gateways.editor role allows you to create, modify, and delete NAT gateways, as well as connect them to route tables.

vpc.securityGroups.user

The vpc.securityGroups.user role allows you to assign security groups to network interfaces and view information on the resources, quotas, and resource operations.

Users with this role can:
  • Assign security groups to instance network interfaces.
  • Get a list of cloud networks and view information on them.
  • Get a list of subnets and view information on them.
  • Get a list of cloud resource addresses and view information on them.
  • Get a list of route tables and view information on them.
  • Get a list of security groups and view information on them.
  • View information on NAT gateways.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View information on the relevant folder.

This role includes the vpc.viewer permissions.

vpc.securityGroups.admin

The vpc.securityGroups.admin role allows you to manage security groups and view information on the resources, quotas, and resource operations.

Users with this role can:
  • View information on security groups, as well as create, modify, and delete them.
  • Create and delete default security groups in cloud networks.
  • Create and delete security group rules, as well as edit their metadata.
  • Get a list of cloud networks and view information on them.
  • Get a list of subnets and view information on them.
  • Get a list of cloud resource addresses and view information on them.
  • Get a list of route tables and view information on them.
  • View information on NAT gateways.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View information on the relevant folder.

This role includes the vpc.viewer permissions.

vpc.privateEndpoints.viewer

The vpc.privateEndpoints.viewer role enables viewing info on the service connections.

vpc.privateEndpoints.editor

The vpc.privateEndpoints.editor role enables viewing info on the service connections, as well as creating, modifying, and deleting such connections.

This role includes the vpc.privateEndpoints.viewer permissions.

vpc.privateEndpoints.admin

The vpc.privateEndpoints.admin role enables viewing info on the service connections, as well as creating, modifying, and deleting such connections.

This role includes the vpc.privateEndpoints.editor permissions.

For more information, see Access management in Virtual Private Cloud.

Yandex Vision OCR

ai.vision.user

The ai.vision.user role allows you to use Yandex Vision OCR to analyze images, as well as view info on the relevant cloud, folder, and quotas.

For more information, see Access management in Vision OCR.

Yandex WebSQL

websql.executedQueries.auditor

The websql.executedQueries.auditor role enables viewing the metadata of a published query from the history as well as information on access permissions assigned to it.

websql.savedQueries.auditor

The websql.savedQueries.auditor role enables viewing the metadata of a published saved query as well as information on access permissions assigned to it.

websql.executedQueries.viewer

The websql.executedQueries.viewer role enables viewing info on a published query from the history and access permissions assigned to it.

This role includes the websql.executedQueries.auditor permissions.

websql.savedQueries.viewer

The websql.savedQueries.viewer role enables viewing info on a published saved query and access permissions assigned to it.

This role includes the websql.savedQueries.auditor permissions.

websql.executedQueries.editor

The websql.executedQueries.editor role enables viewing info on a published query from the history and delete such a query.

Users with this role can:

  • View info on a published query from the history and delete such a query.
  • View info on the access permissions assigned to a published query from the history.

This role includes the websql.executedQueries.viewer permissions.

websql.savedQueries.editor

The websql.savedQueries.editor role enables modifying and deleting a published saved query.

Users with this role can:

  • View info on a published saved query, as well as modify and delete it.
  • View info on the access permissions assigned to a published saved query.

This role includes the websql.savedQueries.viewer permissions.

websql.executedQueries.admin

The websql.executedQueries.admin role enables managing a published query from the history and access to such a query.

Users with this role can:

  • View info on the access permissions assigned to a published query from the history and modify such permissions.
  • View info on a published query from the history and delete such a query.

This role includes the websql.executedQueries.editor permissions.

websql.savedQueries.admin

The websql.savedQueries.admin role enables managing a published saved query and access to it.

Users with this role can:

  • View info on the access permissions assigned to a published saved query and modify such permissions.
  • View info on a published saved query, as well as modify and delete it.

This role includes the websql.savedQueries.editor permissions.

websql.auditor

The websql.auditor role enables viewing the metadata of all published queries within WebSQL as well as information on access permissions assigned to them.

This role includes the websql.savedQueries.auditor and websql.executedQueries.auditor permissions.

websql.viewer

The websql.viewer role enables viewing info on all published queries within WebSQL and access permissions assigned to them.

Users with this role can:

  • View info on the published saved queries and access permissions assigned to them.
  • View info on the published queries from the history and access permissions assigned to them.

This role includes the websql.savedQueries.viewer and websql.executedQueries.viewer permissions.

websql.user

The websql.user role enables viewing info on the published queries within WebSQL, as well as create, modify, and delete such queries.

Users with this role can:

  • View info on the published saved queries and access permissions assigned to them.
  • Privately save queries and modify and delete privately saved queries.
  • View info on the published queries from the history and access permissions assigned to them.
  • Save the run queries to private history and delete them from history.

This role includes the websql.viewer permissions.

websql.editor

The websql.editor role enables managing published and private queries within WebSQL.

Users with this role can:

  • View info on the published saved queries and access permissions assigned to them, as well as modify and delete such queries.
  • Save queries privately, as well as modify, delete, and publish private saved queries.
  • View info on the published queries from the history and access permissions assigned to them, as well as modify and delete such queries.
  • Save the run queries to private history, as well publish private queries from the history and delete them.

This role includes the websql.user, websql.savedQueries.editor, and websql.executedQueries.editor permissions.

websql.admin

The websql.admin role enables managing private queries and publishing them, as well as manage published queries and access to those.

Users with this role can:

  • View info on the access permissions assigned to the published saved queries and modify such permissions.
  • View info on the published saved queries, as well as modify and delete them.
  • Save queries privately, as well as modify, delete, and publish private saved queries.
  • View info on the access permissions assigned to the published queries from the history and modify such permissions.
  • View info on the published queries from the history and delete them.
  • Save the run queries to private history, as well publish private queries from the history and delete them.

This role includes the websql.editor, websql.savedQueries.admin, and websql.executedQueries.admin permissions.

For more information, see Access management in WebSQL.

Yandex Wiki

wiki.viewer

The wiki.viewer role is assigned for an organization.

It grants permission to view pages in the organization's Yandex Wiki.

wiki.admin

The wiki.admin role is assigned for an organization.

It grants permission to edit pages, set up access rights for other users, edit the list of authors, and appoint a page's owner.

ClickHouse® is a registered trademark of ClickHouse, Inc.

Previous
Pricing policy
Next
Overview