Access management in Query
Query uses roles to manage access permissions.
Yandex Cloud users can only perform operations on resources within the permissions of the roles assigned to them. With no roles assigned, almost no operations are allowed.
To allow access to Yandex Query resources, assign the relevant roles from the list below to a Yandex account, service account, federated or local user, user group, system group, or public group. Currently, a role can only be assigned for a parent resource, such as a folder or cloud; it cannot be scoped to an individual connection, binding, or query. Roles are inherited by nested resources, so a role granted on a cloud applies to every folder in that cloud.
For more information about role inheritance, see Inheriting access permissions for Yandex Resource Manager.
To assign a role for a resource, you need the yq.admin role or one of the following roles for that resource:
- admin
- resource-manager.admin
- organization-manager.admin
- resource-manager.clouds.owner
- organization-manager.organizations.owner
Assigning roles
To assign a role to a user:
- Add the appropriate user, if required.
- In the management console, on the left, select a cloud.
- Navigate to the Access bindings tab.
- Click Configure access.
- In the window that opens, select User accounts.
- Select a user from the list or use the user search option.
- Click Add role and select a role for the cloud.
- Click Save.
Roles this service has
You can manage access to Query objects using both service and primitive roles. The diagram below shows the available service roles and their permission inheritance hierarchy: yq.admin includes yq.editor, yq.editor includes yq.viewer and yq.invoker, and yq.viewer includes yq.auditor. For example, yq.editor inherits all yq.viewer permissions. You can find role descriptions below the diagram.
The list below shows all the roles used for access control in Query.
Service roles
yq.auditor
The yq.auditor role allows you to view the service metadata, including the information on the relevant folder, connections, bindings, queries, and runs, but not query texts or results.
yq.viewer
The yq.viewer role allows you to view the service metadata, including the information on the relevant folder, connections, bindings, queries, and runs, including query texts and results.
This role includes the yq.auditor permissions.
yq.editor
Users with the yq.editor role can manage connections and bindings, as well as the queries they create.
Users with this role can:
- View info on the queries they create and on the runs of those queries, including query texts and results.
- Create queries, as well as run and cancel the runs of the queries they create.
- View info on connections, as well as create, use, update, and delete them.
- View info on bindings, as well as create, use, update, and delete them.
- View info on the relevant folder.
This role includes the yq.viewer and yq.invoker permissions.
yq.admin
The yq.admin role allows you to manage any Yandex Query resources, including those labeled as private.
Users with this role can:
- View info on queries and query runs, view query texts and results.
- Create queries, as well as run and cancel query runs.
- View info on connections, as well as create, use, update, and delete them.
- View info on bindings, as well as create, use, update, and delete them.
- View info on the relevant folder.
This role includes the yq.editor permissions.
yq.invoker
The yq.invoker role allows you to create and run queries, use connections and bindings, and view information on the relevant folder and queries, including query texts and results.
The role is designed for automating query execution by service accounts, for example, running queries triggered by an event or on a schedule. Because it exposes query texts and results, grant it only to service accounts that need them.
Primitive roles
viewer
Users with the viewer role can view information about resources, such as query runs. Primitive roles are not scoped to Query: they apply to every service in the folder or cloud they are assigned on.
editor
Users with the editor role can manage any resource, such as creating or deleting a query. The editor role includes all permissions of the viewer role.
admin
Users with the admin role can manage resource access rights, such as permitting other users to create queries. The admin role includes all permissions of the editor role.
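The role hierarchy above is easy to misjudge when a folder has many bindings: yq.editor quietly carries yq.viewer and yq.invoker, so anyone holding it can read query texts and results, and a primitive admin on the folder can hand out Query roles to others. The following script is an added example, not part of the Yandex Cloud documentation or tooling. It encodes the inheritance described on this page and applies it to an access-binding list to report who can read query results and who can grant access. Two assumptions are made: the input has the `role_id`/`subject` shape that `yc resource-manager folder list-access-bindings --format json` prints, and public groups appear as subject type `system` with ids `allUsers` or `allAuthenticatedUsers`. The sample bindings are constructed, with placeholder ids.

```python
"""Audit who can see Yandex Query texts and results on a folder or cloud.

Added example, not part of the Yandex Cloud documentation. It encodes the
role inheritance described on this page (yq.admin > yq.editor > yq.viewer >
yq.auditor, yq.editor > yq.invoker, admin > editor > viewer) and applies it
to an access-binding list. The input shape and the public-group subject ids
are assumptions, see the comments below.
"""
import json

# Which roles each role includes, as stated on this page.
INCLUDES = {
    "yq.admin": {"yq.editor"},
    "yq.editor": {"yq.viewer", "yq.invoker"},
    "yq.viewer": {"yq.auditor"},
    "yq.invoker": set(),
    "yq.auditor": set(),
    "admin": {"editor"},
    "editor": {"viewer"},
    "viewer": set(),
}

# Service roles whose description on this page includes query texts and results.
READS_RESULTS = {"yq.viewer", "yq.invoker"}
# Roles that let the holder assign Query roles to others.
GRANTS_ACCESS = {"yq.admin", "admin"}
# Primitive roles are not scoped to Query; they cover every service in the folder.
PRIMITIVE = {"admin", "editor", "viewer"}
# Assumption: subject ids of the public groups as they appear in access bindings.
PUBLIC_IDS = {"allUsers", "allAuthenticatedUsers"}


def expand(role):
    """Return role plus every role it transitively includes."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(INCLUDES.get(r, ()))
    return seen


def audit(bindings):
    """Summarise effective Query permissions per subject.

    bindings: list of {"role_id": str, "subject": {"id": str, "type": str}}.
    Assumption: this is the shape printed by
    `yc resource-manager folder list-access-bindings --format json`.
    """
    report = {}
    for b in bindings:
        subj = f'{b["subject"]["type"]}:{b["subject"]["id"]}'
        e = report.setdefault(subj, {"roles": set(), "effective": set()})
        e["roles"].add(b["role_id"])
        e["effective"] |= expand(b["role_id"])
    for subj, e in report.items():
        e["reads_results"] = bool(e["effective"] & READS_RESULTS)
        e["grants_access"] = bool(e["effective"] & GRANTS_ACCESS)
        e["public"] = subj.split(":", 1)[1] in PUBLIC_IDS
    return report


def findings(report):
    """Warnings a reviewer would act on, in deterministic order."""
    out = []
    for subj, e in sorted(report.items()):
        roles = sorted(e["roles"])
        if e["public"] and e["reads_results"]:
            out.append(f"{subj}: public group can read query texts and results via {roles}")
        if e["grants_access"] and subj.startswith("serviceAccount:"):
            out.append(f"{subj}: service account can grant Query access via {roles}")
        if e["roles"] & PRIMITIVE:
            out.append(f"{subj}: primitive role {sorted(e['roles'] & PRIMITIVE)} is not scoped to Query")
    return out


# Constructed sample, not real output. Ids are placeholders.
SAMPLE = json.loads("""[
  {"role_id": "yq.auditor", "subject": {"id": "aje-alice", "type": "userAccount"}},
  {"role_id": "yq.editor",  "subject": {"id": "aje-bob",   "type": "userAccount"}},
  {"role_id": "yq.invoker", "subject": {"id": "sa-scheduler", "type": "serviceAccount"}},
  {"role_id": "admin",      "subject": {"id": "sa-deploy",    "type": "serviceAccount"}},
  {"role_id": "yq.viewer",  "subject": {"id": "allAuthenticatedUsers", "type": "system"}}
]""")

if __name__ == "__main__":
    report = audit(SAMPLE)
    for subj, e in sorted(report.items()):
        print(f"{subj:40} roles={sorted(e['roles'])} "
              f"reads_results={e['reads_results']} grants_access={e['grants_access']}")
    for warning in findings(report):
        print("WARN", warning)
```

On the constructed sample the script flags three things: the public group holding yq.viewer (everyone authenticated can read query texts and results), and the deployment service account holding primitive admin (it can grant Query roles and its role is not limited to Query). The scheduler service account with yq.invoker is reported as reading results but is not flagged, which matches the intended use of that role. To audit a real folder, replace SAMPLE with the parsed output of the yc command named in the assumptions.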