# Access management in Cloud Backup

In this section, you will learn about:

* [Resources you can assign a role for](#resources).
* [Roles this service has](#roles-list).
* [Access policies available in the service](#access-policies).

## Access management {#about-access-control}

[Yandex Identity and Access Management](../../iam/index.md) checks all operations in Yandex Cloud. If an entity does not have required permissions, IAM returns an error.

To grant permissions for a resource, [assign](../../iam/operations/roles/grant.md) the relevant resource roles to an entity performing operations. You can assign roles to a [Yandex account](../../iam/concepts/users/accounts.md#passport), [service account](../../iam/concepts/users/service-accounts.md), [local user](../../iam/concepts/users/accounts.md#local), [federated user](../../iam/concepts/federations.md), [user group](../../organization/operations/manage-groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md). For more information, see [How access management works in Yandex Cloud](../../iam/concepts/access-control/index.md).

To assign a role for a resource, you need the `backup.admin` role or one of the following roles for that resource:

* `admin`
* `resource-manager.admin`
* `organization-manager.admin`
* `resource-manager.clouds.owner`
* `organization-manager.organizations.owner`

In addition to roles, Yandex Identity and Access Management supports [access policies](#access-policies), which let you prohibit specific actions on Yandex Cloud resources even when a user's roles explicitly allow them.

## Resources you can assign a role for {#resources}

Using the Yandex Cloud console or the CLI, you can assign a role for a [cloud](*clouds) or [folder](*folders). These assigned roles will also apply to nested resources.

## Roles this service has {#roles-list}

```mermaid
%%{
  init: {
    "flowchart": { "defaultRenderer": "elk" },
    "elk": { "nodePlacementStrategy": "SIMPLE" }
  }
}%%
flowchart BT
    backup.auditor --> backup.viewer
    backup.auditor --> backup.user
    backup.viewer --> backup.editor
    backup.user --> backup.editor
    backup.editor --> backup.admin
```

### Service roles {#service-roles}

#### backup.auditor {#backup-auditor}

The `backup.auditor` role enables viewing information on virtual machines and BareMetal servers connected to Cloud Backup, on backup policies and service quotas, as well as on the relevant cloud and folder.

Users with this role can:
* View info on the connected backup [providers](../concepts/index.md#providers).
* View info on [backup policies](../concepts/policy.md) and virtual machines and BareMetal servers linked to them.
* View info on the [access permissions](../../iam/concepts/access-control/index.md) granted for the relevant backup policies.
* View info on the virtual machines and BareMetal servers [connected](../concepts/vm-connection.md) to Cloud Backup.
* View info on Cloud Backup [quotas](../concepts/limits.md#backup-quotas).
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) and its statistics.

To assign the `backup.auditor` role, you need the `admin` role for the cloud or `backup.admin` for the folder.

#### backup.viewer {#backup-viewer}

The `backup.viewer` role enables viewing information on virtual machines and BareMetal servers connected to Cloud Backup, on backup policies and backups, as well as on the relevant cloud, folder, and quotas.

Users with this role can:
* View info on the connected backup [providers](../concepts/index.md#providers).
* View info on the [access permissions](../../iam/concepts/access-control/index.md) granted for the relevant backup policies.
* View info on [backup policies](../concepts/policy.md) and virtual machines and BareMetal servers linked to them.
* View info on the virtual machines and BareMetal servers [connected](../concepts/vm-connection.md) to Cloud Backup.
* View info on [backups](../concepts/backup.md).
* View info on Cloud Backup [quotas](../concepts/limits.md#backup-quotas).
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) and its statistics.

This role includes the `backup.auditor` permissions.

To assign the `backup.viewer` role, you need the `admin` role for the cloud or `backup.admin` for the folder.

#### backup.user {#backup-user}

The `backup.user` role enables connecting backup providers, connecting VMs and BareMetal servers to Cloud Backup, linking backup policies to VMs and BareMetal servers and unlinking them, as well as viewing info on Cloud Backup resources and quotas and on the relevant cloud and folder.

Users with this role can:
* View info on connected backup [providers](../concepts/index.md#providers), as well as connect providers available in Cloud Backup.
* View info on virtual machines and BareMetal servers [connected](../concepts/vm-connection.md) to Cloud Backup, as well as connect VMs and BareMetal servers to it.
* View info on [backup policies](../concepts/policy.md) as well as on virtual machines and BareMetal servers linked to such policies.
* Link backup policies to VMs and BareMetal servers and unlink them.
* View info on [access permissions](../../iam/concepts/access-control/index.md) granted for backup policies.
* View info on Cloud Backup [quotas](../concepts/limits.md#backup-quotas).
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) and its statistics.

This role includes the `backup.auditor` permissions.

To assign the `backup.user` role, you need the `admin` role for the cloud or `backup.admin` for the folder.

#### backup.editor {#backup-editor}

The `backup.editor` role enables managing the connection of virtual machines and BareMetal servers to Cloud Backup, managing backup policies, making backups, and restoring VMs and BareMetal servers from the existing backups.

Users with this role can:
* View info on connected backup [providers](../concepts/index.md#providers), as well as connect providers available in Cloud Backup.
* View info on [backup policies](../concepts/policy.md) as well as on virtual machines and BareMetal servers linked to such policies.
* Create, modify, and delete backup policies, as well as link, unlink, and run them on virtual machines and BareMetal servers.
* View info on [access permissions](../../iam/concepts/access-control/index.md) granted for backup policies.
* View info on virtual machines and BareMetal servers [connected](../concepts/vm-connection.md) to Cloud Backup, as well as connect and disconnect VMs and BareMetal servers to and from it.
* View info on [backups](../concepts/backup.md), as well as delete them and use them to restore VMs and BareMetal servers.
* View info on Cloud Backup [quotas](../concepts/limits.md#backup-quotas).
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) and its statistics.

This role includes the `backup.viewer` and `backup.user` permissions.

To assign the `backup.editor` role, you need the `admin` role for the cloud or `backup.admin` for the folder.

#### backup.admin {#backup-admin}

The `backup.admin` role enables managing backup policies and access to them, managing the connection of virtual machines and BareMetal servers to Cloud Backup, making backups, and restoring VMs and BareMetal servers from the existing backups.

Users with this role can:
* View info on connected backup [providers](../concepts/index.md#providers), as well as connect providers available in Cloud Backup.
* View info on [backup policies](../concepts/policy.md) as well as on virtual machines and BareMetal servers linked to such policies.
* View info on [access permissions](../../iam/concepts/access-control/index.md) granted for backup policies and modify such permissions.
* Create, modify, and delete backup policies, as well as link, unlink, and run them on virtual machines and BareMetal servers.
* View info on virtual machines and BareMetal servers [connected](../concepts/vm-connection.md) to Cloud Backup, as well as connect and disconnect VMs and BareMetal servers to and from it.
* View info on [backups](../concepts/backup.md), as well as delete them and use them to restore VMs and BareMetal servers.
* View info on Cloud Backup [quotas](../concepts/limits.md#backup-quotas).
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) and its statistics.

This role includes the `backup.editor` permissions.

To assign the `backup.admin` role, you need the `admin` role for the cloud.

### Primitive roles {#primitive-roles}

Primitive roles allow users to perform actions in all Yandex Cloud [services](../../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants permission to read the configuration and metadata of any Yandex Cloud resource, without granting any access to the data itself.

For instance, users with this role can:
* View info on a [resource](../../resource-manager/concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the most restrictive role: it grants no access to [service](../../overview/concepts/services.md) data. It suits users who need minimum access to Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants the permissions to read the info on any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Before assigning the `admin` role for an organization, [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), review the information on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the [least privilege principle](../../security/standard/all.md#min-privileges).

For more information on primitive roles, see the [Yandex Cloud role reference](../../iam/roles-reference.md#primitive-roles).

## Access policies {#access-policies}

[Access policies](*access_policies) complement the role system for more flexible access management in Yandex Cloud.

Cloud Backup supports the following access policies:

#### backup.denyActivation {#backup-denyActivation}

This policy prohibits connecting [protected resources](../concepts/index.md) to Yandex Cloud Backup and linking them to or unlinking them from [backup policies](../concepts/policy.md).

#### backup.denyRemoveProtection {#backup-denyRemoveProtection}

This policy prohibits updating or deleting Yandex Cloud Backup [policies](../concepts/policy.md), removing [resources](../concepts/index.md) from such policies, and deleting any existing resource [backups](../concepts/backup.md).

You can assign access policies to a [folder](*folders), [cloud](*clouds), or [organization](*organizations) to restrict certain actions within that scope. These restrictions apply even if the user was explicitly assigned [roles](#roles-list) that allow such operations.

For more on how to create an access policy for a resource, see [Creating an access policy for a resource](../../iam/operations/access-policies/assign.md).
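To make the role inclusion shown in the flowchart above and the deny-wins rule of access policies concrete, here is a small effective-permission model of the roles and policies described on this page. It is an added example, not Yandex IAM code; the action names and the mapping of each role's bullet points to those actions are assumptions made for the model.

```python
# Effective-permission model for the Cloud Backup roles and access policies on this page.
# Added example, not Yandex IAM code: role inclusion follows the page's flowchart, and the
# action names are assumed short labels for the bullet points under each role.

# Role inclusion from the flowchart (role -> roles whose permissions it includes).
INCLUDES = {
    "backup.viewer": {"backup.auditor"},
    "backup.user": {"backup.auditor"},
    "backup.editor": {"backup.viewer", "backup.user"},
    "backup.admin": {"backup.editor"},
}

# Actions each role grants on its own, beyond what it includes (assumed labels).
GRANTS = {
    "backup.auditor": {"view_providers", "view_policies", "view_access", "view_resources",
                       "view_quotas", "view_cloud", "view_folder"},
    "backup.viewer": {"view_backups"},
    "backup.user": {"connect_provider", "connect_resource", "link_policy", "unlink_policy"},
    "backup.editor": {"create_policy", "update_policy", "delete_policy", "run_policy",
                      "disconnect_resource", "delete_backup", "restore_backup"},
    "backup.admin": {"modify_access"},
}

# Actions each access policy blocks within its scope, whatever the subject's roles allow.
POLICY_DENIES = {
    "backup.denyActivation": {"connect_resource", "link_policy", "unlink_policy"},
    "backup.denyRemoveProtection": {"update_policy", "delete_policy", "unlink_policy",
                                    "delete_backup"},
}

def expand_role(role):
    """Return the role together with every role it transitively includes."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(INCLUDES.get(current, ()))
    return seen

def allowed_actions(roles):
    """Union of the grants of the given roles and of everything they include."""
    return {a for role in roles for r in expand_role(role) for a in GRANTS.get(r, ())}

def is_permitted(roles, policies, action):
    """Deny wins: a scoped access policy blocks the action even when a role grants it."""
    denied = set().union(*(POLICY_DENIES.get(p, set()) for p in policies))
    return action in allowed_actions(roles) and action not in denied
```

The evaluation order is the point: expand the roles, take the union of their grants, then subtract everything the access policies in scope deny.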

[*access_policies]: _Access policies_ are a Yandex Identity and Access Management mechanism that allows you to manage permissions for specific operations with [Yandex Cloud resources](../../overview/roles-and-resources.md). Access policies complement the [role](../../iam/concepts/access-control/roles.md) system for more flexible [access management](../../iam/concepts/access-control/index.md). [Learn more](../../iam/concepts/access-control/access-policies.md) about access policies in Yandex Cloud.

[*folders]: [Learn more](../../resource-manager/concepts/resources-hierarchy.md#folder) about folders.

[*clouds]: [Learn more](../../resource-manager/concepts/resources-hierarchy.md#cloud) about clouds.

[*organizations]: [Learn more](../../organization/concepts/organization.md) about organizations.