Common Yandex Security Deck roles

Yandex Cloud users can only perform operations on resources in accordance with the roles assigned to them. If a user has no roles yet, they cannot perform any operations.

To allow access to Security Deck resources, assign relevant roles from the list below to a Yandex account, service account, federated or local users, user group, or system group. Currently, a role can only be assigned for a parent resource, such as a folder or cloud. Roles are inherited by nested resources.

Roles this service hasRoles this service has

In Security Deck, you can manage access using both service and primitive roles.

Service rolesService roles

security-deck.workersecurity-deck.worker

The security-deck.worker role allows the user to view info on DSPM scan area, as well as info on KSPM and CSPM controlled resources in Security Deck.

Users with this role can:

• View the organization info, view the list of and info on clouds, folders, and buckets in the scan area configured by the DSPM user, view data in buckets subject to scanning.
• View the list of clouds and folders and their info as controlled resources of a Security Deck workspace for KSPM.
• View the list of Kubernetes clusters and info on them and their settings as controlled resources of a Security Deck workspace for KSPM.
• View the organization info, view the list of clouds and folders and their info as controlled resources of a Security Deck workspace for CSPM.

The role is issued to the service account to perform the DSPM scan, KSPM or CSPM check. The role extends to an organization, cloud, folder, or bucket (if using DSPM).

The role does not allow viewing data in encrypted buckets. To scan an encrypted bucket, additionally assign to the service account the kms.keys.decrypter role for the encryption key or for the folder, cloud, or organization this key resides in.

This role includes the dspm.worker, kspm.worker, and cspm.worker permissions.

security-deck.auditorsecurity-deck.auditor

The security-deck.auditor role enables viewing info on DSPM, CSPM, and KSPM resources, on alerts and alert sinks, as well as on scan jobs and the number of detected security threats. With this role, you cannot view masked and unprocessed data.

Users with this role can:

• View info on DSPM profiles.
• View info on DSPM data sources.
• View info on DSPM security scan jobs.
• View info on data types and categories.
• View DSPM scan results and info on detected threats.
• View info on Security Deck workspaces and resources managed in them, as well as on access permissions granted for them.
• View info on connectors.
• View info on cloud infrastructure checks for compliance with security standards configured in the CSPM settings.
• View info on the KSPM settings and operations, as well as the list of exceptions from rules.
• View info on alert sinks and access permissions granted for them.

This role includes the dspm.auditor, cspm.auditor, kspm.auditor, and security-deck.alertSinks.auditor permissions.

security-deck.viewersecurity-deck.viewer

The security-deck.viewer role enables viewing info on events of access to organization resources by Yandex Cloud employees, on DSPM, CSPM, and KSPM resources, on alerts and alert sinks, as well as on scan jobs and the number of detected security threats. With this role, you cannot view masked and unprocessed data.

Users with this role can:

• View the list of events when Yandex Cloud employees access organization resources.
• Approve or disapprove the result of a neural network-driven analysis of events when Yandex Cloud employees access organization resources.
• View info on DSPM profiles.
• View info on DSPM data sources.
• View info on DSPM security scan jobs.
• View info on data types and categories.
• View DSPM scan results and info on detected threats.
• View info on Security Deck workspaces and resources managed in them, as well as on access permissions granted for them.
• View info on connectors.
• View info on cloud infrastructure checks for compliance with security standards configured in the CSPM settings, the results of such checks, and exceptions from check rules.
• View info on the KSPM settings, Managed Service for Kubernetes clusters connected to KSPM, exceptions from rules, exceptions from the control scope, KSPM users, and KSPM operations.
• View info on alert sinks and access permissions granted for them.
• View info on alerts and access permissions granted for them.
• View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.

This role includes the access-transparency.viewer, dspm.viewer, cspm.viewer, kspm.viewer, and security-deck.alertSinks.viewer permissions.

security-deck.editorsecurity-deck.editor

The security-deck.editor role enables managing subscriptions to events of access to organization resources by Yandex Cloud employees, managing workspaces, alerts, and alert sinks, as well DSPM, CSPM, and KSPM resources. With this role, you cannot view masked and unprocessed data.

Users with this role can:

• Select a billing account in Access Transparency.
• View info on subscriptions to events of access to organization resources by Yandex Cloud employees, as well as create, delete, and cancel deletion of such subscriptions.
• View the list of events when Yandex Cloud employees access organization resources.
• Approve or disapprove the result of a neural network-driven analysis of events when Yandex Cloud employees access organization resources.
• View info on DSPM profiles and use them.
• View info on DSPM data sources, as well as create, modify, use, and delete them.
• View info on DSPM security scan jobs, as well as create, modify, and delete such jobs.
• Run DSPM security scan jobs and view their results, as well as info on detected threats.
• View info on DSPM data types and categories.
• View bucket metadata.
• View info on Security Deck workspaces and resources managed in them, as well as on access permissions granted for them.
• Create, modify, and delete Security Deck workspaces.
• View info on connectors, as well as create, use, modify, and delete them.
• View info on cloud infrastructure checks for compliance with security standards configured in the CSPM settings.
• View CSPM check results.
• Create, suspend, resume, update, and delete CSPM checks.
• View exceptions from CSPM check rules, create and delete such exceptions.
• Engage, set up, and disconnect KSPM, as well as create, modify, and delete exceptions from rules and exceptions from the control scope.
• View info on Managed Service for Kubernetes clusters connected to KSPM, KSPM users, and KSPM operations.
• View info on alert sinks and access permissions granted for them.
• Create, use, modify, and delete alert sinks.
• View info on alerts and access permissions granted for them.
• View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.
• Create, modify, and delete alerts.
• View the list of comments to alerts, as well as create, modify, and delete such comments.

This role includes the access-transparency.editor, dspm.editor, cspm.editor, kspm.editor, and security-deck.alertSinks.editor permissions.

security-deck.adminsecurity-deck.admin

The security-deck.admin role enables managing subscriptions to events of access to organization resources by Yandex Cloud employees, managing workspaces, alerts, and alert sinks, as well DSPM, CSPM, and KSPM resources. With this role, you can view masked and unprocessed data in scan results.

Users with this role can:

• Select a billing account in Access Transparency.
• View info on subscriptions to events of access to organization resources by Yandex Cloud employees, as well as create, delete, and cancel deletion of such subscriptions.
• View the list of events when Yandex Cloud employees access organization resources.
• Approve or disapprove the result of a neural network-driven analysis of events when Yandex Cloud employees access organization resources.
• View info on DSPM profiles and use them.
• View info on DSPM data sources, as well as create, modify, use, and delete them.
• Use Yandex Cloud resources in DSPM data sources.
• View info on DSPM data types and categories.
• View info on DSPM security scan jobs, as well as create, modify, and delete such jobs.
• Run DSPM security scan jobs, view their result and info on detected threats, which includes viewing masked and unprocessed data in the scan results.
• View bucket metadata.
• View info on Security Deck workspaces and resources managed in them, as well as create, update, and delete Security Deck workspaces.
• View info on access permissions granted for Security Deck workspaces and modify such permissions.
• View info on connectors, as well as create, use, modify, and delete them.
• View info on cloud infrastructure checks for compliance with security standards configured in the CSPM settings.
• View CSPM check results.
• Create, suspend, resume, update, and delete CSPM checks.
• View exceptions from CSPM check rules, create and delete such exceptions.
• Engage, set up, and disconnect KSPM, as well as create, modify, and delete exceptions from rules and exceptions from the control scope.
• View info on Managed Service for Kubernetes clusters connected to KSPM, KSPM users, and KSPM operations.
• View info on alert sinks, as well as create, use, modify, and delete them.
• View info on access permissions granted for alert sinks and modify such permissions.
• View info on alerts, as well as create, modify, and delete them.
• View info on access permissions granted for alerts and modify such permissions.
• View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.
• View the list of comments to alerts, as well as create, modify, and delete such comments.

This role includes the access-transparency.admin, dspm.admin, cspm.admin, kspm.admin, and security-deck.alertSinks.admin permissions.

Yandex Cloud also supports a separate list of roles for each Security Deck module. For more information, see:

• Roles for Yandex Cloud Detection and Response).
• Roles for Data Security Posture Management.
• Roles for security management with KSPM.
• Roles for Cloud Infrastructure Entitlement Management.
• Roles for security management with CSPM.
• Roles for Access Transparency data analysis.
• Roles for managing alerts and alert sinks.

Primitive rolesPrimitive roles

Primitive roles allow users to perform actions in all Yandex Cloud services.

auditorauditor

The auditor role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:

• View info on a resource.
• View the resource metadata.
• View the list of operations with a resource.

auditor is the most secure role that does not grant any access to the service data. This role suits the users who need minimum access to the Yandex Cloud resources.

viewerviewer

The viewer role grants the permissions to read the info on any Yandex Cloud resources.

This role includes the auditor permissions.

Unlike auditor, the viewer role provides access to service data in read mode.

editoreditor

The editor role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.

For instance, users with this role can create, modify, and delete resources.

This role includes the viewer permissions.

adminadmin

The admin role enables assigning any roles, except for resource-manager.clouds.owner and organization-manager.organizations.owner, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).

Prior to assigning the admin role for an organization, cloud, or billing account, make sure to check out the information on protecting privileged accounts.

This role includes the editor permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the least privilege principle.

For more information about primitive roles, see the Yandex Cloud role reference.

See alsoSee also

Hierarchy of Yandex Cloud resources