© 2025 Direct Cursus Technology L.L.C.

Access management in Query

Written by
Yandex Cloud
Updated at November 24, 2025

Query uses roles to manage access permissions.

Yandex Cloud users can only perform operations on resources in accordance with the roles assigned to them. Without assigned roles, a user cannot perform most operations.

To allow access to Yandex Query resources, assign relevant roles from the list below to a Yandex account, service account, federated or local users, user group, system group, or public group. Currently, a role can only be assigned for a parent resource, such as a folder or cloud. Roles are inherited by nested resources.

To assign a role for a resource, you should have the yq.admin role or one of the following roles for that resource:

  • admin
  • resource-manager.admin
  • organization-manager.admin
  • resource-manager.clouds.owner
  • organization-manager.organizations.owner

Note

For more information about role inheritance, see Inheriting access permissions in the Yandex Resource Manager guide.

Assigning roles

To assign a role to a user:

  1. Add the appropriate user, if required.
  2. In the management console, on the left, select a cloud.
  3. Navigate to the Access bindings tab.
  4. Click Configure access.
  5. In the window that opens, select User accounts.
  6. Select a user from the list or use the user search option.
  7. Click Add role and select a role for the cloud.
  8. Click Save.

Roles this service has

You can manage access to Query objects using both service and primitive roles. The chart below shows the roles existing in the service and their permission inheritance. For example, editor inherits all the viewer permissions. You can find the role descriptions below the chart.

The list below shows all roles used for access control in Query.

Service roles

yq.auditor

The yq.auditor role allows you to view the service metadata, including information on the folder, connections, bindings, and queries.

yq.viewer

Users with the yq.viewer role can view queries and their results.

This role includes the yq.auditor permissions.

yq.editor

Users assigned the yq.editor role can view, edit, and delete their connections and queries, as well as run the queries they create. The yq.editor role includes all permissions of the yq.viewer role.

yq.admin

The yq.admin role allows you to manage any Query resources, including those labeled as private. The yq.admin role includes all permissions of the yq.editor role.

yq.invoker

Users with the yq.invoker role can run queries in Query. The role is designed to automate query execution by service accounts. For example, you can use it to run queries by an event or on schedule.

Primitive roles

viewer

Users with the viewer role can view information about resources, such as query runs.

editor

Users with the editor role can manage any resource, such as creating or deleting a query. The editor role includes all permissions of the viewer role.

admin

Users with the admin role can manage resource access rights, such as permitting other users to create queries. The admin role includes all permissions of the editor role.
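
The role inheritance and the list of roles that can assign roles, both described above, can be applied mechanically when reviewing access bindings for least privilege. The Python below is an added example, not Yandex Cloud code: the binding records, their field names, and the rule that service accounts should not hold editor-level roles are assumptions made for illustration.

```python
# Added example. Inheritance chains and the grantor list are taken from this
# page; the binding records and their field names are constructed.

# role -> the role whose permissions it includes, per the role descriptions
INCLUDES = {
    "yq.viewer": "yq.auditor",
    "yq.editor": "yq.viewer",
    "yq.admin": "yq.editor",
    "editor": "viewer",
    "admin": "editor",
}

# Roles that allow assigning roles for a resource
GRANTORS = {
    "yq.admin", "admin", "resource-manager.admin",
    "organization-manager.admin", "resource-manager.clouds.owner",
    "organization-manager.organizations.owner",
}

# Constructed sample bindings for one folder (hypothetical subjects)
SAMPLE = [
    {"subject_type": "userAccount", "subject_id": "user-a", "role_id": "yq.viewer"},
    {"subject_type": "serviceAccount", "subject_id": "sa-scheduler", "role_id": "yq.invoker"},
    {"subject_type": "serviceAccount", "subject_id": "sa-etl", "role_id": "editor"},
    {"subject_type": "userAccount", "subject_id": "user-b", "role_id": "yq.admin"},
]

def effective_roles(role):
    """Return the role followed by every role it inherits."""
    chain = [role]
    while chain[-1] in INCLUDES:
        chain.append(INCLUDES[chain[-1]])
    return chain

def audit(bindings):
    """Return (subject, role, reason) tuples that deserve a review."""
    findings = []
    for b in bindings:
        subject = f'{b["subject_type"]}:{b["subject_id"]}'
        held = set(effective_roles(b["role_id"]))
        if b["role_id"] in GRANTORS:
            findings.append((subject, b["role_id"], "can assign roles"))
        # Review policy (assumption): automation should hold yq.invoker only
        if b["subject_type"] == "serviceAccount" and held & {"yq.editor", "editor"}:
            findings.append((subject, b["role_id"], "service account can modify resources"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```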
