Common Yandex Security Deck roles
Yandex Cloud users can only perform operations on resources within the permissions of the roles assigned to them. With no roles assigned, almost no operations are allowed.
To allow access to Security Deck resources, assign relevant roles from the list below to a Yandex account, service account, federated or local users, user group, or system group. Currently, a role can only be assigned for a parent resource, i.e., folder or cloud, whose roles are inherited by nested resources.
For more information about role inheritance, see Inheritance of access permissions in the Resource Manager documentation.
Roles this service has
In Security Deck, you can manage access using both service and primitive roles.
Service roles
security-deck.worker
The security-deck.worker enables viewing info on the DSPM scan area, as well as on controlled KSPM, CSPM, and TD resources in Security Deck.
Users with this role can:
- View info on the organization, the list of and info on clouds, folders, and buckets in the DSPM scan area configured by the user, and data in scanned buckets.
- View the list of clouds and folders and their info as controlled resources of a Security Deck workspace for KSPM.
- View the list of Kubernetes clusters and info on them and their settings as controlled resources of a Security Deck workspace for KSPM.
- View info on the organization, the list of clouds and folders, and their info as controlled resources of a Security Deck workspace for CSPM.
- View logs registered in the customer's infrastructure using Yandex Audit Trails for TD.
The role is assigned to the service account to perform the DSPM scan or the KSPM, CSPM, or TD check. The role extends to an organization, cloud, folder, or bucket (if using DSPM).
The role does not allow viewing data in encrypted buckets. To scan an encrypted bucket, additionally assign to the service account the kms.keys.decrypter role for the encryption key or for the folder, cloud, or organization this key resides in.
This role includes the dspm.worker, kspm.worker, cspm.worker, and td.worker permissions.
Note
The role cannot guarantee access to a bucket with a Yandex Object Storage access policy applied.
security-deck.auditor
The security-deck.auditor role enables viewing info on DSPM, CSPM, KSPM, VM, and TD resources, on alerts and alert sinks, as well as on scan jobs and the number of detected security threats. This role does not enable viewing masked and unprocessed data.
Users with this role can:
- View info on DSPM profiles.
- View info on DSPM data sources and their scan areas.
- View info on sensitive data scan jobs in DSPM.
- View info on data types and categories.
- View info on sensitive data scan jobs in DSPM.
- View the lists of results and scan errors.
- View DSPM scan results and info on detected threats.
- View info on DSPM data analysis results.
- View info on Security Deck workspaces and resources managed in them, as well as on access permissions granted for them.
- View info on connectors.
- View info on cloud infrastructure checks for compliance with security standards, as well as on jobs for such checks configured in the CSPM settings.
- View info on the KSPM settings and operations, as well as the list of exceptions from rules.
- View info on alert sinks and access permissions granted for them.
- View VM scan results.
- View info on TD security management rules and access permissions granted for TD.
This role includes the dspm.auditor, cspm.auditor, kspm.auditor, security-deck.alertSinks.auditor, vulnerability-manager.auditor, and threat-detector.auditor permissions.
security-deck.viewer
The security-deck.viewer role enables viewing info on events of access to organization resources by Yandex Cloud employees, on DSPM, CSPM, KSPM, VM, and TD resources, on alerts and alert sinks, as well as on scan jobs and the number of detected security threats. This role does not enable viewing masked and unprocessed data.
Users with this role can:
- View the list of events when Yandex Cloud employees access organization resources.
- Approve or disapprove the results of a neural network-driven analysis of events when Yandex Cloud employees access organization resources.
- View info on DSPM profiles.
- View info on DSPM data sources and their scan areas.
- View info on sensitive data scan jobs in DSPM.
- View info on data types and categories.
- View info on sensitive data scan jobs in DSPM.
- View the lists of results and scan errors.
- View DSPM scan results and info on detected threats.
- View info on DSPM data analysis results.
- View info on Security Deck workspaces and resources managed in them, as well as on access permissions granted for them.
- View info on connectors.
- View info on cloud infrastructure checks for compliance with security standards and their results, as well as on jobs for such checks and exceptions from check rules configured in the CSPM settings.
- View info on the KSPM settings, Managed Service for Kubernetes clusters connected to KSPM, exceptions from rules, exceptions from the scope of control, and KSPM users and operations.
- View info on alert sinks and access permissions granted for them.
- View info on alerts and access permissions granted for them.
- View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.
- View info on VM scan jobs and their results.
- View info on TD security management rules and access permissions granted for TD.
This role includes the access-transparency.viewer, dspm.viewer, cspm.viewer, kspm.viewer, security-deck.alertSinks.viewer, vulnerability-manager.viewer, and threat-detector.viewer permissions.
security-deck.editor
The security-deck.editor role enables managing subscriptions to events of access to organization resources by Yandex Cloud employees, managing workspaces, alerts, and alert sinks, as well as DSPM, CSPM, KSPM, VM, and TD resources. This role does not enable viewing masked and unprocessed data.
Users with this role can:
- Select a billing account in Access Transparency.
- View info on subscriptions to events of access to organization resources by Yandex Cloud employees, as well as create, delete, and cancel deletion of such subscriptions.
- View the list of events when Yandex Cloud employees access organization resources.
- Approve or disapprove the results of a neural network-driven analysis of events when Yandex Cloud employees access organization resources.
- View info on DSPM profiles and use them.
- View info on DSPM data sources and their scan areas, as well as create, modify, use, and delete such sources.
- View info on DSPM sensitive data scan jobs, as well as create, run, suspend, resume, modify, and delete such jobs.
- View info on sensitive data scans, as well as create, suspend, resume, modify, and delete them.
- View the lists of results and scan errors when scanning for sensitive data.
- View DSPM sensitive data scan results and info on detected threats.
- View info on DSPM data types and categories.
- View info on DSPM data analysis results.
- View bucket metadata.
- View info on Security Deck workspaces and resources managed in them, as well as on access permissions granted for them.
- Create, modify, and delete Security Deck workspaces.
- View info on connectors, as well as create, use, modify, and delete them.
- View info on cloud infrastructure checks for compliance with security standards configured in the CSPM settings, as well as delete checks.
- View info on CSPM check jobs.
- Manually run checks for compliance with CSPM security standards.
- View CSPM check results.
- Create, suspend, resume, modify, and delete CSPM check jobs.
- View exceptions from CSPM check rules, as well as create and delete such exceptions.
- Engage, set up, and disconnect KSPM, as well as create, modify, and delete exceptions from rules and from the control scope.
- View info on Managed Service for Kubernetes clusters connected to KSPM, as well as on KSPM users and operations.
- View info on alert sinks and access permissions granted for them.
- Create, use, modify, and delete alert sinks.
- View info on alerts and access permissions granted for them.
- View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.
- Create, modify, and delete alerts.
- View the list of comments to alerts, as well as create, modify, and delete such comments.
- View info on Vulnerability Management scan jobs and modify such jobs.
- Run Vulnerability Management scan jobs and view their results.
- View info on TD security management rules and create exceptions from such rules.
- View info on access permissions granted for TD.
This role includes the access-transparency.editor, dspm.editor, cspm.editor, kspm.editor, security-deck.alertSinks.editor, vulnerability-manager.editor, and threat-detector.editor permissions.
security-deck.admin
The security-deck.admin role enables managing subscriptions to events of access to organization resources by Yandex Cloud employees, managing workspaces, alerts, and alert sinks, as well as DSPM, CSPM, KSPM, VM, and TD resources. This role enables viewing masked and unprocessed data in scan results.
Users with this role can:
- Select a billing account in Access Transparency.
- View info on subscriptions to events of access to organization resources by Yandex Cloud employees, as well as create, delete, and cancel deletion of such subscriptions.
- View the list of events when Yandex Cloud employees access organization resources.
- Approve or disapprove the results of a neural network-driven analysis of events when Yandex Cloud employees access organization resources.
- View info on DSPM profiles and use them.
- View info on DSPM data sources and their scan areas, as well as create, modify, use, and delete such sources.
- Use Yandex Cloud resources in DSPM data sources.
- View info on DSPM data types and categories.
- View info on DSPM data analysis results.
- View info on DSPM sensitive data scan jobs, as well as create, run, suspend, resume, modify, and delete such jobs.
- View info on sensitive data scans, as well as create, suspend, resume, modify, and delete them.
- View the lists of results and scan errors when scanning for sensitive data.
- View the results of DSPM scan jobs and info on detected threats, which includes viewing masked and unprocessed data in the scan results.
- View bucket metadata.
- View info on Security Deck workspaces and resources managed in them, as well as create, modify, and delete Security Deck workspaces.
- View info on access permissions granted for Security Deck workspaces and modify such permissions.
- View info on connectors, as well as create, use, modify, and delete them.
- View info on cloud infrastructure checks for compliance with security standards configured in the CSPM settings, as well as delete checks.
- View info on CSPM check jobs.
- Manually run checks for compliance with CSPM security standards.
- View CSPM check results.
- Create, suspend, resume, modify, and delete CSPM check jobs.
- View exceptions from CSPM check rules, as well as create and delete such exceptions.
- Engage, set up, and disconnect KSPM, as well as create, modify, and delete exceptions from rules and from the control scope.
- View info on Managed Service for Kubernetes clusters connected to KSPM, as well as on KSPM users and operations.
- View info on alert sinks, as well as create, use, modify, and delete them.
- View info on access permissions granted for alert sinks and modify such permissions.
- View info on alerts, as well as create, modify, and delete them.
- View info on access permissions granted for alerts and modify such permissions.
- View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.
- View the list of comments to alerts, as well as create, modify, and delete such comments.
- View info on Vulnerability Management scan jobs and modify such jobs.
- Run Vulnerability Management scan jobs and view their results.
- View info on TD security management rules and create exceptions from such rules.
- View info on access permissions granted for TD and modify such permissions.
This role includes the access-transparency.admin, dspm.admin, cspm.admin, kspm.admin, security-deck.alertSinks.admin, vulnerability-manager.admin, and threat-detector.admin permissions.
Yandex Cloud also supports a separate list of roles for each Security Deck module. For more information, see:
- Roles for Data Security Posture Management.
- Roles for security management with KSPM.
- Roles for Cloud Infrastructure Entitlement Management.
- Roles for security management with CSPM.
- Roles for Access Transparency data analysis.
- Roles for managing alerts and alert sinks.
Primitive roles
Primitive roles allow users to perform actions in all Yandex Cloud services.
auditor
The auditor role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.
For instance, users with this role can:
- View info on a resource.
- View the resource metadata.
- View the list of operations with a resource.
auditor is the most secure role that does not grant any access to the service data. This role suits the users who need minimum access to the Yandex Cloud resources.
viewer
The viewer role grants the permissions to read the info on any Yandex Cloud resources.
This role includes the auditor permissions.
Unlike auditor, the viewer role provides access to service data in read mode.
editor
The editor role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.
For instance, users with this role can create, modify, and delete resources.
This role includes the viewer permissions.
admin
The admin role enables assigning any roles, except for resource-manager.clouds.owner and organization-manager.organizations.owner, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).
Prior to assigning the admin role for an organization, cloud, or billing account, make sure to check out the information on protecting privileged accounts.
This role includes the editor permissions.
Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the least privilege principle.
For more information on primitive roles, see the Yandex Cloud role reference.
Useful links
Hierarchy of Yandex Cloud resources