Access management in Monium

Yandex Cloud users can only perform operations on resources within the permissions of the roles assigned to them. With no roles assigned, almost no operations are allowed.

To allow access to Monium.Metrics resources, assign relevant roles from the list below to a Yandex account, service account, federated or local users, user group, system group, or public group.

Currently, a role can only be assigned for a parent resource, such as a folder or cloud. Roles are inherited by nested resources.

To assign roles for a resource, you need to have one of the following roles for that resource:

• admin
• resource-manager.admin
• organization-manager.admin
• resource-manager.clouds.owner
• organization-manager.organizations.owner

Roles this service hasRoles this service has

Alerting roles

Telemetry roles

Configuration and visualization roles

In Monium, you can manage access using both service and primitive roles.

Service rolesService roles

monium.alerts.viewermonium.alerts.viewer

The monium.alerts.viewer role enables viewing the list of alerts, their settings, and trigger history.

monium.alerts.editormonium.alerts.editor

The monium.alerts.editor role enables viewing the list of alerts, their settings, and trigger history, as well as creating, modifying, and deleting alerts.

This role includes the monium.alerts.viewer permissions.

monium.channels.viewermonium.channels.viewer

The monium.channels.viewer role enables viewing the list of alert notification channels and info on them.

monium.channels.editormonium.channels.editor

The monium.channels.editor role enables viewing the list of alert notification channels and info on them, as well as creating, modifying, and deleting such channels.

This role includes the monium.channels.viewer permissions.

monium.contextLinks.viewermonium.contextLinks.viewer

The monium.contextLinks.viewer role enables viewing the set-up context links on dashboard charts.

monium.contextLinks.editormonium.contextLinks.editor

The monium.contextLinks.editor role enables viewing the set-up context links on dashboard charts, as well as creating, editing, and deleting such links.

This role includes the monium.contextLinks.viewer permissions.

monium.quickLinks.viewermonium.quickLinks.viewer

The monium.quickLinks.viewer role enables viewing the list of the set-up quick links and info on them in the project menu.

monium.quickLinks.editormonium.quickLinks.editor

The monium.quickLinks.editor role enables viewing the list of the set-up quick links and info on them in the project menu, as well as creating, modifying, and deleting such links.

This role includes the monium.quickLinks.viewer permissions.

monium.dashboards.viewermonium.dashboards.viewer

The monium.dashboards.viewer role enables viewing dashboards and their widgets.

monium.dashboards.editormonium.dashboards.editor

The monium.dashboards.editor role enables viewing dashboards and their widgets, as well as creating, modifying, and deleting dashboards.

This role includes the monium.dashboards.viewer permissions.

monium.escalations.viewermonium.escalations.viewer

The monium.escalations.viewer role enables viewing info on alert notifications and escalations.

monium.escalations.editormonium.escalations.editor

The monium.escalations.editor role enables viewing info on alert notifications and escalations, as well as creating, modifying, and deleting escalations.

This role includes the monium.escalations.viewer permissions.

monium.escalationPolicies.viewermonium.escalationPolicies.viewer

The monium.escalationPolicies.viewer role enables viewing the list and settings of alert escalation policies.

monium.escalationPolicies.editormonium.escalationPolicies.editor

The monium.escalationPolicies.editor role enables viewing the list and settings of alert escalation policies, as well as creating, modifying, and deleting such policies.

This role includes the monium.escalationPolicies.viewer permissions.

monium.logErrorLabels.viewermonium.logErrorLabels.viewer

The monium.logErrorLabels.viewer role enables viewing labels assigned to log errors.

monium.logErrorLabels.editormonium.logErrorLabels.editor

The monium.logErrorLabels.editor role enables viewing, adding new, editing, and deleting the existing labels to log errors.

This role includes the monium.logErrorLabels.viewer permissions.

monium.mutes.viewermonium.mutes.viewer

The monium.mutes.viewer role enables viewing mutes, i.e., rules for temporarily disabling alert notifications.

monium.mutes.editormonium.mutes.editor

The monium.mutes.editor role enables viewing, creating, editing, and deleting mutes, i.e., rules for temporarily disabling alert notifications.

This role includes the monium.mutes.viewer permissions.

monium.serviceLevelObjectives.viewermonium.serviceLevelObjectives.viewer

The monium.serviceLevelObjectives.viewer role enables viewing the set-up service level objectives (SLOs).

monium.serviceLevelObjectives.editormonium.serviceLevelObjectives.editor

The monium.serviceLevelObjectives.editor role enables viewing the set-up service level objectives (SLOs), as well as creating, modifying, and deleting SLOs.

This role includes the monium.serviceLevelObjectives.viewer permissions.

monium.shards.viewermonium.shards.viewer

The monium.shards.viewer role enables viewing info on shards, clusters, services and their quotas.

monium.shards.editormonium.shards.editor

The monium.shards.editor enables viewing info on shards, clusters, services and their quotas, as well as creating, modifying, and deleting shards.

This role includes the monium.shards.viewer permissions.

monium.metrics.readermonium.metrics.reader

The monium.metrics.reader role enables reading metrics, their values, and labels.

monium.metrics.writermonium.metrics.writer

The monium.metrics.writer role enables writing metrics.

monium.logs.readermonium.logs.reader

The monium.logs.reader role enables reading logs and viewing log error stats.

monium.logs.writermonium.logs.writer

The monium.logs.writer role enables writing Monium logs.

monium.traces.readermonium.traces.reader

The monium.traces.reader role enables viewing distributed tracing data.

monium.traces.writermonium.traces.writer

The monium.traces.writer role enables writing distributed tracing data.

monium.telemetry.readermonium.telemetry.reader

The monium.telemetry.reader role enables reading all types of Monium telemetry, such as metrics, logs, and distributed tracing.

This role includes the monium.metrics.reader, monium.logs.reader, and monium.traces.reader permissions.

monium.telemetry.writermonium.telemetry.writer

The monium.telemetry.writer role enables writing all types of Monium telemetry, such as metrics, logs, and distributed tracing.

This role includes the monium.metrics.writer, monium.logs.writer, and monium.traces.writer permissions.

monium.auditormonium.auditor

The monium.auditor role enables viewing information on Monium resources. However, it does not allow reading the telemetry data.

Users with this role can:

• View info on projects and access permissions assigned to them.
• View dashboards and their widgets.
• View the set-up context links on dashboard charts.
• View the list of the set-up quick links and info on them in the project menu.
• View info on shards, clusters, services and their quotas.
• View the list of alerts, their settings, and trigger history.
• View the set-up service level objectives (SLOs).
• View the list of alert notification channels and info on them.
• View the list and settings of alert escalation policies.
• View info on alert notifications and escalations.
• View mutes, i.e., rules for temporarily disabling alert notifications.
• View labels assigned to log errors.
• View info on the Yandex Managed Service for Prometheus® rules.

This role includes the monium.dashboards.viewer, monium.shards.viewer, monium.contextLinks.viewer, monium.quickLinks.viewer, monium.alerts.viewer, monium.serviceLevelObjectives.viewer, monium.channels.viewer, monium.escalationPolicies.viewer, monium.escalations.viewer, monium.mutes.viewer, and monium.logErrorLabels.viewer permissions.

monium.viewermonium.viewer

The monium.viewer role enables viewing information on Monium resources. It also enables reading all types of telemetry data.

Users with this role can:

• View info on projects and access permissions assigned to them.
• Read all types of Monium telemetry, such as metrics, logs, and distributed tracing.
• View dashboards and their widgets.
• View the set-up context links on dashboard charts.
• View the list of the set-up quick links and info on them in the project menu.
• View info on shards, clusters, services and their quotas.
• View the list of alerts, their settings, and trigger history.
• View the set-up service level objectives (SLOs).
• View the list of alert notification channels and info on them.
• View the list and settings of alert escalation policies.
• View info on alert notifications and escalations.
• View mutes, i.e., rules for temporarily disabling alert notifications.
• View labels assigned to log errors.
• View info on the Yandex Managed Service for Prometheus® rules.
• View info on the relevant folder.

This role includes the monium.auditor and monium.telemetry.reader permissions.

monium.editormonium.editor

The monium.editor role enables managing Monium resources, as well as reading and writing all types of telemetry.

Users with this role can:

• View info on projects and access permissions assigned to them, as well as set up projects.
• Read and write all types of Monium telemetry, such as metrics, logs, and distributed tracing.
• View dashboards and their widgets, as well as create, modify, and delete dashboards.
• View the set-up context links on dashboard charts, as well as create, edit, and delete such links.
• View the list of the set-up quick links and info on them in the project menu, as well as create, modify, and delete such links.
• View info on shards, clusters, services and their quotas, as well as create, modify, and delete shards.
• View the list of alerts, their settings, and trigger history, as well as create, modify, and delete alerts.
• View the set-up service level objectives (SLOs), as well as create, modify, and delete SLOs.
• View the list of alert notification channels and info on them, as well as create, modify, and delete such channels.
• View the list and settings of alert escalation policies, as well as create, modify, and delete such policies.
• View info on alert notifications and escalations, as well as create, modify, and delete escalations.
• View, create, edit, and delete mutes, i.e., rules for temporarily disabling alert notifications.
• View, add new, edit, and delete the existing labels to log errors.
• View info on the Yandex Managed Service for Prometheus® rules, as well as create, modify, and delete such rules.
• View info on the relevant folder.

This role includes the monium.viewer, monium.telemetry.writer, monium.dashboards.editor, monium.shards.editor, monium.contextLinks.editor, monium.quickLinks.editor, monium.alerts.editor, monium.serviceLevelObjectives.editor, monium.channels.editor, monium.escalationPolicies.editor, monium.escalations.editor, monium.mutes.editor, and monium.logErrorLabels.editor permissions.

monium.adminmonium.admin

The monium.admin role enables managing Monium resources, read and write all types of telemetry, and manage projects and access to them.

Users with this role can:

• View info on projects and create, set up, and delete them.
• View info on access permissions granted for projects and modify such permissions.
• Read and write all types of Monium telemetry, such as metrics, logs, and distributed tracing.
• View dashboards and their widgets, as well as create, modify, and delete dashboards.
• View the set-up context links on dashboard charts, as well as create, edit, and delete such links.
• View the list of the set-up quick links and info on them in the project menu, as well as create, modify, and delete such links.
• View info on shards, clusters, services and their quotas, as well as create, modify, and delete shards.
• View the list of alerts, their settings, and trigger history, as well as create, modify, and delete alerts.
• View the set-up service level objectives (SLOs), as well as create, modify, and delete SLOs.
• View the list of alert notification channels and info on them, as well as create, modify, and delete such channels.
• View the list and settings of alert escalation policies, as well as create, modify, and delete such policies.
• View info on alert notifications and escalations, as well as create, modify, and delete escalations.
• View, create, edit, and delete mutes, i.e., rules for temporarily disabling alert notifications.
• View, add new, edit, and delete the existing labels to log errors.
• View info on the Yandex Managed Service for Prometheus® rules, as well as create, modify, and delete such rules.
• View info on the relevant folder.

This role includes the monium.editor permissions.

Primitive rolesPrimitive roles

Primitive roles allow users to perform actions in all Yandex Cloud services.

auditorauditor

The auditor role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:

• View info on a resource.
• View the resource metadata.
• View the list of operations with a resource.

auditor is the most secure role that does not grant any access to the service data. This role suits the users who need minimum access to the Yandex Cloud resources.

viewerviewer

The viewer role grants the permissions to read the info on any Yandex Cloud resources.

This role includes the auditor permissions.

Unlike auditor, the viewer role provides access to service data in read mode.

editoreditor

The editor role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.

For instance, users with this role can create, modify, and delete resources.

This role includes the viewer permissions.

adminadmin

The admin role enables assigning any roles, except for resource-manager.clouds.owner and organization-manager.organizations.owner, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).

Prior to assigning the admin role for an organization, cloud, or billing account, make sure to check out the information on protecting privileged accounts.

This role includes the editor permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the least privilege principle.

For more information about primitive roles, see the Yandex Cloud role reference.

Assigning rolesAssigning roles

To assign a role to a user:

1. Add the appropriate user, if required.
2. In the management console, on the left, select a cloud.
3. Navigate to the Access bindings tab.
4. Click Configure access.
5. In the window that opens, select User accounts.
6. Select a user from the list or use the user search option.
7. Click Add role and select a role for the cloud.
8. Click Save.