# Access management in Yandex BareMetal

Yandex Cloud users can only perform operations on resources within the permissions of the [roles](../../iam/concepts/access-control/roles.md) assigned to them. With no roles assigned, almost no operations are allowed.

To grant access to BareMetal resources, assign the relevant roles from the list below to a Yandex account, [service account](../../iam/concepts/users/service-accounts.md), [federated](../../iam/concepts/users/accounts.md#saml-federation) or [local](../../iam/concepts/users/accounts.md#local) user, [user group](../../organization/operations/manage-groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md). Currently, a role can only be assigned for a parent resource, i.e., a folder or cloud; nested resources inherit the roles assigned there.

For more information about role inheritance, see [Inheritance of access permissions](../../resource-manager/concepts/resources-hierarchy.md#access-rights-inheritance) in the Resource Manager documentation.

## Roles this service has {#roles-list}

In BareMetal, you can manage access using both service and primitive roles.

```mermaid
%%{init: {"flowchart": {'defaultRenderer': 'elk'}} }%%
flowchart BT
    baremetal.editor --> baremetal.admin
    baremetal.viewer --> baremetal.operator
    baremetal.operator --> baremetal.editor
    baremetal.auditor --> baremetal.viewer
```

### Service roles {#service-roles}

#### baremetal.auditor {#baremetal-auditor}

The `baremetal.auditor` role enables viewing the Yandex BareMetal resource metadata.

Users with this role can:
* View info on BareMetal [servers](../concepts/servers.md) and their [configuration](../concepts/server-configurations.md).
* View info on [private subnets](../concepts/private-network.md#private-subnet) and [virtual routing and forwarding (VRF) segments](../concepts/private-network.md#vrf-segment).
* View info on the uploaded OS images for BareMetal servers.
* View details on Yandex BareMetal [quotas](../concepts/limits.md#baremetal-quotas).
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

#### baremetal.viewer {#baremetal-viewer}

The `baremetal.viewer` role enables viewing info on the Yandex BareMetal resources.

Users with this role can:
* View info on BareMetal [servers](../concepts/servers.md) and their [configuration](../concepts/server-configurations.md).
* View info on [private subnets](../concepts/private-network.md#private-subnet) and [virtual routing and forwarding (VRF) segments](../concepts/private-network.md#vrf-segment).
* View info on the uploaded OS images for BareMetal servers.
* View details on Yandex BareMetal [quotas](../concepts/limits.md#baremetal-quotas).
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `baremetal.auditor` permissions.

#### baremetal.operator {#baremetal-operator}

The `baremetal.operator` role enables operating BareMetal servers (console access and power control) and viewing info on Yandex BareMetal resources.

Users with this role can:
* View info on BareMetal [servers](../concepts/servers.md) and their [configuration](../concepts/server-configurations.md).
* Use the [KVM console](../operations/servers/server-kvm.md).
* Use [IPMI](https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface) to power the servers on, shut them down, and restart them.
* View info on [private subnets](../concepts/private-network.md#private-subnet) and [virtual routing and forwarding (VRF) segments](../concepts/private-network.md#vrf-segment).
* View info on the uploaded OS images for the servers.
* View details on Yandex BareMetal [quotas](../concepts/limits.md#baremetal-quotas).
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `baremetal.viewer` permissions.

#### baremetal.editor {#baremetal-editor}

The `baremetal.editor` role enables managing BareMetal servers, private subnets, virtual routing and forwarding (VRF) segments, and OS server images.

Users with this role can:
* View info on BareMetal [servers](../concepts/servers.md) and their [configuration](../concepts/server-configurations.md).
* Start and stop renting BareMetal servers and change their settings.
* View info on [private subnets](../concepts/private-network.md#private-subnet), as well as create, modify, and delete them.
* View info on [virtual routing and forwarding (VRF)](../concepts/private-network.md#vrf-segment) segments, as well as create, modify, and delete them.
* View info on the uploaded OS images for BareMetal servers, as well as upload, modify, and delete such images.
* Reinstall the OS on BareMetal servers.
* Use the [KVM console](../operations/servers/server-kvm.md).
* Use [IPMI](https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface) to power the servers on, shut them down, and restart them.
* View details on Yandex BareMetal [quotas](../concepts/limits.md#baremetal-quotas).
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `baremetal.operator` permissions.

{% note warning %}

Starting August 1, 2026, the `baremetal.editor` role gets new permissions allowing it to connect servers to [Yandex Cloud Backup](../../backup/index.md) and to link them to and unlink them from [backup policies](../../backup/concepts/policy.md).

If you do not plan to connect your resources to Cloud Backup and do not want to grant such permissions to your users, you can proactively disable these features using the `backup.denyActivation` [authorization policy](../../iam/concepts/access-control/access-policies.md#backup-denyActivation) assigned to your folder, cloud, or organization. For more information on how to create an authorization policy, see [Creating an access policy for a resource](../../iam/operations/access-policies/assign.md).

{% endnote %}

#### baremetal.admin {#baremetal-admin}

The `baremetal.admin` role enables managing BareMetal servers, private subnets, virtual routing and forwarding (VRF) segments, and OS server images.

Users with this role can:
* View info on BareMetal [servers](../concepts/servers.md) and their [configuration](../concepts/server-configurations.md).
* Start and stop renting BareMetal servers and change their settings.
* View info on [private subnets](../concepts/private-network.md#private-subnet), as well as create, modify, and delete them.
* View info on [virtual routing and forwarding (VRF)](../concepts/private-network.md#vrf-segment) segments, as well as create, modify, and delete them.
* View info on the uploaded OS images for BareMetal servers, as well as upload, modify, and delete such images.
* Reinstall the OS on BareMetal servers.
* Use the [KVM console](../operations/servers/server-kvm.md).
* Use [IPMI](https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface) to power the servers on, shut them down, and restart them.
* View details on Yandex BareMetal [quotas](../concepts/limits.md#baremetal-quotas).
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `baremetal.editor` permissions.

{% note warning %}

Starting August 1, 2026, the `baremetal.admin` role gets new permissions allowing it to connect servers to [Yandex Cloud Backup](../../backup/index.md) and to link them to and unlink them from [backup policies](../../backup/concepts/policy.md).

If you do not plan to connect your resources to Cloud Backup and do not want to grant such permissions to your users, you can proactively disable these features using the `backup.denyActivation` [authorization policy](../../iam/concepts/access-control/access-policies.md#backup-denyActivation) assigned to your folder, cloud, or organization. For more information on how to create an authorization policy, see [Creating an access policy for a resource](../../iam/operations/access-policies/assign.md).

{% endnote %}

### Primitive roles {#primitive-roles}

Primitive roles allow users to perform actions in all Yandex Cloud [services](../../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants permission to read the configuration and metadata of any Yandex Cloud resource, without any access to the data itself.

For instance, users with this role can:
* View info on a [resource](../../resource-manager/concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the most restrictive role: it grants no access to [service](../../overview/concepts/services.md) data. It suits users who need the minimum level of access to Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants permission to read information about any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Before assigning the `admin` role for an organization, [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), review the guidance on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the [least privilege principle](../../security/standard/all.md#min-privileges).
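As an added example (not Yandex Cloud code or tooling), a small Python helper that resolves the inclusion chain from the diagram above and picks the least-privileged BareMetal service role covering a required set of actions. The capability labels (`view_servers`, `ipmi_power`, ...) are constructed for this example and are not IAM permission identifiers.

```python
"""Least-privilege role picker for the Yandex BareMetal service roles.

Added example, not part of the Yandex Cloud documentation or SDK. The
inclusion chain and capability sets are transcribed from this page; the
capability labels are made up for illustration, not IAM permission names.
"""
from __future__ import annotations

# Which role each role includes (the page: auditor < viewer < operator < editor < admin).
INCLUDES = {
    "baremetal.viewer": "baremetal.auditor",
    "baremetal.operator": "baremetal.viewer",
    "baremetal.editor": "baremetal.operator",
    "baremetal.admin": "baremetal.editor",
}

# Capabilities each role adds on top of the role it includes.
OWN_CAPABILITIES = {
    "baremetal.auditor": {"view_servers", "view_subnets", "view_vrf",
                          "view_images", "view_quotas", "view_folder"},
    "baremetal.viewer": set(),   # the page lists the same view rights as auditor
    "baremetal.operator": {"kvm_console", "ipmi_power"},
    "baremetal.editor": {"manage_servers", "manage_subnets", "manage_vrf",
                         "manage_images", "reinstall_os"},
    "baremetal.admin": set(),    # the page lists no capabilities beyond editor
}


def effective_capabilities(role: str) -> frozenset[str]:
    """Union the capabilities along the inclusion chain, guarding against cycles."""
    caps: set[str] = set()
    seen: set[str] = set()
    current: str | None = role
    while current is not None:
        if current in seen:
            raise ValueError(f"cycle in role chain at {current}")
        seen.add(current)
        caps |= OWN_CAPABILITIES[current]
        current = INCLUDES.get(current)
    return frozenset(caps)


def minimal_role(required: set[str]) -> str | None:
    """Return the least-privileged role whose effective capabilities cover `required`."""
    order = ["baremetal.auditor"]           # walk the chain upward from the bottom
    while order[-1] in INCLUDES.values():
        order.append(next(r for r, inc in INCLUDES.items() if inc == order[-1]))
    for role in order:
        if required <= effective_capabilities(role):
            return role
    return None                             # no service role covers the request


if __name__ == "__main__":
    print(minimal_role({"view_servers", "ipmi_power"}))  # baremetal.operator
```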

For more information on primitive roles, see the [Yandex Cloud role reference](../../iam/roles-reference.md#primitive-roles).

## See also {#see-also}

[Hierarchy of Yandex Cloud resources](../../resource-manager/concepts/resources-hierarchy.md)