Data Security Posture Management (DSPM) service roles
With DSPM service roles, you can manage user access to the DSPM resources and their settings, as well as to the results of scans of sources for sensitive information.
dspm.worker
The dspm.worker role enables viewing info on an organization; viewing the list of clouds, folders, and buckets in the scan zone specified by the user, along with info on them; and viewing data in the buckets being scanned.
The role is granted to the service account that will be used to perform scans for an organization, cloud, folder, or bucket.
The role does not enable viewing data in encrypted buckets. To scan an encrypted bucket, additionally grant the kms.keys.decrypter role to your service account, either for the specific encryption key or for the folder, cloud, or organization hosting this key.
Note: The role cannot guarantee access to a bucket if it has a Yandex Object Storage access policy applied to it.
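As an added example (not part of the Yandex Cloud documentation or the DSPM service itself), the grant described above expressed in Terraform with the yandex provider: dspm.worker on the folder being scanned, and kms.keys.decrypter on the one key that protects the encrypted buckets rather than on the whole folder. The provider configuration, the folder and key ids, and the service account name are assumptions.

```hcl
# Added example, not from the documentation. Assumes the yandex provider is
# already configured and that the folder and KMS key ids are supplied.
variable "folder_id" { type = string }  # folder whose buckets DSPM will scan
variable "kms_key_id" { type = string } # key protecting the encrypted buckets

# Service account under which the DSPM scan runs (name is assumed).
resource "yandex_iam_service_account" "dspm_scanner" {
  folder_id = var.folder_id
  name      = "dspm-scanner"
}

# dspm.worker on the scan scope. The same member string can be bound on a
# cloud or organization instead if that is the scope being scanned.
resource "yandex_resourcemanager_folder_iam_member" "dspm_worker" {
  folder_id = var.folder_id
  role      = "dspm.worker"
  member    = "serviceAccount:${yandex_iam_service_account.dspm_scanner.id}"
}

# kms.keys.decrypter scoped to the single key (narrowest scope the page allows).
# An *_iam_binding resource is authoritative for this role on this key: it
# replaces any other members already holding kms.keys.decrypter here.
resource "yandex_kms_symmetric_key_iam_binding" "dspm_decrypter" {
  symmetric_key_id = var.kms_key_id
  role             = "kms.keys.decrypter"
  members          = ["serviceAccount:${yandex_iam_service_account.dspm_scanner.id}"]
}
```

A bucket with its own Object Storage access policy can still deny the scanner regardless of these bindings, so check that policy if a scan reports no access.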
dspm.inspector
The dspm.inspector role enables creating DSPM data sources using the specified Yandex Cloud resources. To create a DSPM data source, assign this role to a user for the appropriate cloud resource.
The dspm.inspector role is deprecated and no longer in use.
dspm.auditor
The dspm.auditor role enables viewing info on DSPM resources, as well as on scan jobs and the number of detected security threats. With this role, you cannot view masked and unprocessed data.
Users with this role can:
- View info on DSPM profiles.
- View info on DSPM data sources.
- View info on security scan jobs.
dspm.viewer
The dspm.viewer role enables viewing info on DSPM resources, as well as on scan jobs and the number of detected security threats. With this role, you cannot view masked and unprocessed data.
Users with this role can:
- View info on DSPM profiles.
- View info on DSPM data sources.
- View info on security scan jobs.
This role includes the dspm.auditor permissions.
dspm.editor
The dspm.editor role enables using DSPM profiles and managing data sources and security scans. With this role, you cannot view masked and unprocessed data.
Users with this role can:
- View info on DSPM profiles and use them.
- View info on DSPM data sources, as well as create, modify, use, and delete them.
- View info on security scan jobs, as well as create, run, modify, and delete such jobs.
This role includes the dspm.viewer permissions.
dspm.admin
The dspm.admin role enables using DSPM profiles and managing data sources and security scans, which includes viewing masked and unprocessed data in the scan results.
Users with this role can:
- View info on DSPM profiles and use them.
- View info on DSPM data sources, as well as create, modify, use, and delete them.
- Use Yandex Cloud resources in DSPM data sources.
- View info on DSPM data categories.
- View info on security scan jobs, as well as create, modify, and delete such jobs.
- Run security scan jobs and view their results and info on detected threats, which includes viewing masked and unprocessed data in the scan results.
This role includes the dspm.editor permissions.