Access management in SpeechSense
User access to Yandex SpeechSense depends on relevant permissions granted within an organization. Organizations are managed using Yandex Cloud Organization.
The operations available to SpeechSense users are determined by their roles. You can assign roles to a Yandex account, service account, federated users, user group, system group, or public group. For more information about managing access to Yandex Cloud, see How access management works in Yandex Cloud.
Only users with the admin, resource-manager.clouds.owner, or organization-manager.organizations.owner role for a resource can assign roles for this resource.
Which resources you can assign a role for
You can assign a role for a space or a project. Roles assigned for a space also apply to all nested projects and resources.
Which roles exist in the service
Service roles
speech-sense.auditor
The speech-sense.auditor role enables you to view names, descriptions, and lists of members of a project or a space with all of its projects. The role does not provide access to project data.
speech-sense.viewer
The speech-sense.viewer role enables you to view project or space characteristics, the list of their members, connections, and dashboards.
The speech-sense.viewer role includes all permissions of the speech-sense.auditor role.
speech-sense.editor
The speech-sense.editor role enables you to edit a project, its description, dashboards, and alerts, create and edit its classifiers, and run analyses. When assigned for a space, the role allows you to edit the space and create projects, connections, and dictionaries within it.
The speech-sense.editor role includes all permissions of the speech-sense.viewer role.
speech-sense.admin
The speech-sense.admin role assigned for a space or project enables you to perform any action in them: view dialogs, edit connections, or run analyses. The role grants permission to assign roles to other users.
The speech-sense.admin role includes all permissions of the speech-sense.editor and speech-sense.data.editor roles.
speech-sense.spaces.creator
The speech-sense.spaces.creator role allows you to create spaces in SpeechSense.
speech-sense.data.viewer
The speech-sense.data.viewer role allows you to view a project's name or description, the list of connections, dashboards, and project members. It also enables you to search inside documents, listen to dialogs, and view their text transcripts. When assigned for a space, this role enables you to view all of its projects without editing them.
speech-sense.data.editor
The speech-sense.data.editor role enables you to upload dialogs to project or space connections, evaluate these dialogs and comment on them in the system.
The speech-sense.data.editor role includes all permissions of the speech-sense.data.viewer role.
Users with roles like speech-sense.data.* can view and rate the contents of documents but do not have access to aggregate information.
Users with roles like speech-sense.data.* can view and rate the contents of documents but do not have access to aggregate information.
Primitive roles
Primitive roles allow users to perform actions in all Yandex Cloud services.
auditor
The auditor role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.
For instance, users with this role can:
- View info on a resource.
- View the resource metadata.
- View the list of operations with a resource.
auditor is the most secure role that does not grant any access to the service data. This role suits the users who need minimum access to the Yandex Cloud resources.
Currently, the auditor role is available for all Yandex Cloud services, except for:
- Yandex Data Streams
- Yandex Query
viewer
The viewer role grants the permissions to read the info on any Yandex Cloud resources.
This role also includes the auditor permissions.
Unlike auditor, the viewer role provides access to service data in read mode.
editor
The editor role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.
For instance, users with this role can create, modify, and delete resources.
This role also includes the viewer permissions.
admin
The admin role enables assigning any roles, except for resource-manager.clouds.owner and organization-manager.organizations.owner, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).
Prior to assigning the admin role for an organization, cloud, or billing account, make sure to check out the information on protecting privileged accounts.
This role also includes the editor permissions.
Instead of primitive roles, we recommend using service roles. This ensures more selective access control and implementation of the principle of least privilege.
For more information about primitive roles, see the Yandex Cloud role reference.
What roles do I need
The table below lists the roles required to perform a particular action. You can always assign a role offering more permissions than the one specified. For example, you can assign the speech-sense.editor role for a space instead of speech-sense.viewer.
|
Action |
Required role |
|
Viewing information |
|
|
Viewing a space and all its nested projects |
|
|
Viewing the characteristics of a space or a project |
|
|
Viewing a project, its channels, and dialogs |
|
|
Managing a project |
|
|
Creating a project |
|
|
Modifying project settings |
|
|
Uploading and rating dialogs |
|
|
Commenting |
|
|
Creating connections |
|
|
Creating classifiers |
|
|
Running analysis |
|
|
Deleting a project |
|
|
Assigning roles for a project |
|
|
Managing a space |
|
|
Modifying space settings |
|
|
Deleting a space |
|
|
Assigning roles for a space |
|