[Yandex Cloud documentation](../../index.md) > [Yandex API Gateway](../index.md) > Access management

# Access management in API Gateway

In this section, you will learn about:

* [Resources you can assign a role for](#resources).
* [Roles this service has](#roles-list).

## Access management {#about-access-control}

[Yandex Identity and Access Management](../../iam/index.md) checks all operations in Yandex Cloud. If an entity does not have required permissions, IAM returns an error.


To grant permissions for a resource, [assign](../../iam/operations/roles/grant.md) the relevant resource roles to an entity performing operations. You can assign roles to a [Yandex account](../../iam/concepts/users/accounts.md#passport), [service account](../../iam/concepts/users/service-accounts.md), [local user](../../iam/concepts/users/accounts.md#local), [federated user](../../iam/concepts/federations.md), [user group](../../organization/operations/manage-groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md). For more information, see [How access management works in Yandex Cloud](../../iam/concepts/access-control/index.md).

To assign a role for a resource, you need the `api-gateway.admin` role or one of the following roles for that resource:

* `admin`
* `resource-manager.admin`
* `organization-manager.admin`
* `resource-manager.clouds.owner`
* `organization-manager.organizations.owner`

{% note info %}

To learn more about role inheritance, see [Inheriting access permissions](../../resource-manager/concepts/resources-hierarchy.md#access-rights-inheritance) for Yandex Resource Manager.

{% endnote %}

## Assigning roles {#grant-roles}

To assign a role for the cloud:

1. [Add](../../organization/operations/add-account.md) the appropriate user, if required.
1. In the [management console](https://console.yandex.cloud), on the left, [select](../../resource-manager/operations/cloud/switch-cloud.md) a cloud.
1. Navigate to the **Access bindings** tab.
1. Click **Configure access**.
1. In the window that opens, select **User accounts**.
1. Select a user from the list or use the user search option.
1. Click ![image](../../_assets/console-icons/plus.svg) **Add role** and select a role for the cloud.
1. Click **Save**.

For more information about assigning roles, see the [Yandex Identity and Access Management](../../iam/operations/roles/grant.md) documentation.

## Resources you can assign a role for {#resources}

You can assign a role to an [organization](../../organization/concepts/organization.md), [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [folder](../../resource-manager/concepts/resources-hierarchy.md#folder). The roles assigned to organizations, clouds, and folders also apply to their nested resources.

You can assign a role for an [API gateway](../concepts/index.md) via the Yandex Cloud [CLI](../../cli/cli-ref/serverless/cli-ref/api-gateway/add-access-binding.md) or [API](../api-ref/apigateway/authentication.md).

## Roles available in the service {#roles-list}

The list below shows all the roles used for access control in API Gateway.

### Service roles {#service-roles}

```mermaid
flowchart BT
    auditor["api-gateway.auditor"] --> viewer1["api-gateway.viewer"]
    viewer1 --> editor["api-gateway.editor"]
    viewer1 --> websocketWriter["api-gateway.websocketWriter"]
    websocketWriter --> websocketBroadcaster["api-gateway.websocketBroadcaster"]
    viewer1 --> websocketBroadcaster
    websocketWriter --> editor
    editor --> admin["api-gateway.admin"]
```

#### api-gateway.auditor {#api-gateway-auditor}

The `api-gateway.auditor` role allows you to view the list of [API gateways](../concepts/index.md) and the details on [access permissions](../../iam/concepts/access-control/index.md) assigned to such gateways. It also enables viewing the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) metadata.

#### api-gateway.viewer {#api-gateway-viewer}

The `api-gateway.viewer` role allows you to view the list of [API gateways](../concepts/index.md), info on them, and the details on [access permissions](../../iam/concepts/access-control/index.md) assigned to such gateways. It also enables viewing the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) metadata.

This role includes the `api-gateway.auditor` permissions.

#### api-gateway.editor {#api-gateway-editor}

The `api-gateway.editor` role enables managing API gateways and viewing info on them, as well as working with WebSocket API.

Users with this role can:
* View the list of [API gateways](../concepts/index.md), info on them and on [access permissions](../../iam/concepts/access-control/index.md) assigned to them, as well as use, modify, and delete such gateways.
* Use the [request rate](../concepts/extensions/rate-limit.md) limit.
* View info on [WebSocket](../concepts/index.md#websocket) connections and close them, as well as send data through such connections.
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `api-gateway.websocketWriter` permissions.

#### api-gateway.websocketWriter {#api-gateway-websocketwriter}

The `api-gateway.websocketWriter` role allows you to work with WebSocket API, as well as view the list of API gateways, info on them, and the details on access permissions assigned to such gateways.

Users with this role can:
* View info on [WebSocket](../concepts/index.md#websocket) connections and close them, as well as send data through such connections.
* View the list of [API gateways](../concepts/index.md), info on them and on [access permissions](../../iam/concepts/access-control/index.md) assigned to them.
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `api-gateway.viewer` permissions.

#### api-gateway.websocketBroadcaster {#api-gateway-websocketBroadcaster}

The `api-gateway.websocketBroadcaster` role enables transmitting data through WebSocket (which includes sending data to multiple clients concurrently), as well as viewing the list of API gateways, info on them and on access permissions assigned to them.

Users with this role can:
* View info on [WebSocket](../concepts/index.md#websocket) connections and close them, as well as send data through such connections, which includes transmitting data to multiple clients concurrently.
* View the list of [API gateways](../concepts/index.md), info on them and on [access permissions](../../iam/concepts/access-control/index.md) assigned to them.
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `api-gateway.websocketWriter` permissions.

#### api-gateway.admin {#api-gateway-admin}

The `api-gateway.admin` role enables managing API gateways and access to them, viewing info on API gateways, and working with WebSocket API.

Users with this role can:
* View info on [access permissions](../../iam/concepts/access-control/index.md) assigned for API gateways and modify such permissions.
* View info on [API gateways](../concepts/index.md), as well as create, modify, and delete them.
* View info on [WebSocket](../concepts/index.md#websocket) connections and close them, as well as send data through such connections.
* Use the [request rate](../concepts/extensions/rate-limit.md) limit.
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `api-gateway.editor` permissions.

### Primitive roles {#primitive-roles}

Primitive roles allow users to perform actions in all Yandex Cloud [services](../../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:
* View info on a [resource](../../resource-manager/concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the most secure role that does not grant any access to the [service](../../overview/concepts/services.md) data. This role suits the users who need minimum access to the Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants the permissions to read the info on any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Prior to assigning the `admin` role for an organization, [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), make sure to check out the information on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the [least privilege principle](../../security/standard/all.md#min-privileges).

For more information on primitive roles, see the [Yandex Cloud role reference](../../iam/roles-reference.md#primitive-roles).