# Access management in Cloud CDN

Cloud CDN uses [roles](../../iam/concepts/access-control/roles.md) to manage access permissions.

In this section, you will learn about:

* [Resources you can assign a role for](#resources).
* [Roles this service has](#roles-list).
* [Roles required](#required-roles) for specific actions.

## Access management {#about-access-control}

[Yandex Identity and Access Management](../../iam/index.md) checks every operation in Yandex Cloud. If the entity performing an operation does not have the required permissions, IAM rejects the operation and returns an error.


To grant permissions for a resource, [assign](../../iam/operations/roles/grant.md) the relevant resource roles to an entity performing operations. You can assign roles to a [Yandex account](../../iam/concepts/users/accounts.md#passport), [service account](../../iam/concepts/users/service-accounts.md), [local user](../../iam/concepts/users/accounts.md#local), [federated user](../../iam/concepts/federations.md), [user group](../../organization/operations/manage-groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md). For more information, see [How access management works in Yandex Cloud](../../iam/concepts/access-control/index.md).

To assign roles for a resource, you need to have one of the following roles for that resource:

* `admin`
* `resource-manager.admin`
* `organization-manager.admin`
* `resource-manager.clouds.owner`
* `organization-manager.organizations.owner`

## Resources you can assign a role for {#resources}

You can assign a role to an [organization](../../organization/concepts/organization.md), [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [folder](../../resource-manager/concepts/resources-hierarchy.md#folder). The roles assigned to organizations, clouds, and folders also apply to their nested resources.

## Roles this service has {#roles-list}

The chart below shows the service's roles and their permission inheritance: an arrow from one role to another means the second role includes all permissions of the first. For example, `cdn.editor` inherits all `cdn.viewer` permissions. You can find role descriptions below the chart.

```mermaid
%%{init: {"flowchart": {'defaultRenderer': 'elk'}} }%%
flowchart BT
cdn.viewer --> cdn.editor --> cdn.admin
```

### Service roles {#service-roles}

#### cdn.viewer {#cdn-viewer}

The `cdn.viewer` role enables viewing info on the folder, [origin groups](../concepts/origins.md), [CDN resources](../concepts/resource.md), and Cloud CDN [quotas](../concepts/limits.md#cdn-quotas).

#### cdn.editor {#cdn-editor}

The `cdn.editor` role enables managing Cloud CDN resources, as well as viewing the info on quotas and the relevant folder.

Users with this role can:
* View information on [origin groups](../concepts/origins.md) as well as create, modify, and delete them.
* View information on [CDN resources](../concepts/resource.md) as well as create, modify, and delete them.
* Manage [log export](../concepts/logs.md) for the requests to CDN servers.
* Manage [origin shielding](../concepts/origins-shielding.md).
* View information on Cloud CDN [quotas](../concepts/limits.md#cdn-quotas).
* View information on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `cdn.viewer` permissions.

#### cdn.admin {#cdn-admin}

The `cdn.admin` role enables managing Cloud CDN resources, as well as viewing the info on quotas and the relevant folder. At present its permission set is the same as that of `cdn.editor`.

Users with this role can:
* View information on [origin groups](../concepts/origins.md) as well as create, modify, and delete them.
* View information on [CDN resources](../concepts/resource.md) as well as create, modify, and delete them.
* Manage [log export](../concepts/logs.md) for the requests to CDN servers.
* Manage [origin shielding](../concepts/origins-shielding.md).
* View information on Cloud CDN [quotas](../concepts/limits.md#cdn-quotas).
* View information on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `cdn.editor` permissions.

Additional permissions may be added to this role in the future, so assign it only where the extra privilege is actually needed and prefer `cdn.editor` otherwise.

### Primitive roles {#primitive-roles}

Primitive roles allow users to perform actions in all Yandex Cloud [services](../../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants permission to read the configuration and metadata of any Yandex Cloud resource, without any access to the data the resource stores.

For instance, users with this role can:
* View info on a [resource](../../resource-manager/concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the least privileged primitive role: it grants no access to [service](../../overview/concepts/services.md) data and suits users who need only minimal access to Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants the permissions to read the info on any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides read-only access to [service](../../overview/concepts/services.md) data.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Prior to assigning the `admin` role for an organization, [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), make sure to check out the information on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the [least privilege principle](../../security/standard/all.md#min-privileges).

For more information on primitive roles, see the [Yandex Cloud role reference](../../iam/roles-reference.md#primitive-roles).

## Required roles {#required-roles}

The table below lists the minimum roles required for specific actions. You can always assign a role with more permissions, e.g., `cdn.editor` instead of `cdn.viewer`, but keep the [least privilege principle](../../security/standard/all.md#min-privileges) in mind when you do.

Action | Required roles
-------- | --------
**Viewing data** | 
Viewing resource details | `cdn.viewer` for this resource
**Managing CDN resources** | 
[Creating a resource](../operations/resources/create-resource.md) | `cdn.editor` for the folder to host new resources
[Updating basic settings of a resource](../operations/resources/configure-basics.md) | `cdn.editor` for the folder with CDN resources
[Suspending and resuming a resource](../operations/resources/disable-resource.md) | `cdn.editor` for the folder with CDN resources
[Configuring resource caching](../operations/resources/configure-caching.md) | `cdn.editor` for the folder with CDN resources
[Prefetching files to the CDN server cache](../operations/resources/prefetch-files.md) | `cdn.editor` for the folder with CDN resources
[Purging resource cache](../operations/resources/purge-cache.md) | `cdn.editor` for the folder with CDN resources
Configuring HTTP request and response headers | `cdn.editor` for the folder with CDN resources
[Configuring CORS for responses to clients](../operations/resources/configure-cors.md) | `cdn.editor` for the folder with CDN resources
[Configuring HTTP methods](../operations/resources/configure-http.md) | `cdn.editor` for the folder with CDN resources
[Enabling file compression](../operations/resources/enable-compression.md) | `cdn.editor` for the folder with CDN resources
[Enabling file segmentation](../operations/resources/enable-segmentation.md) | `cdn.editor` for the folder with CDN resources
**Managing origin groups** | 
[Creating an origin group](../operations/origin-groups/create-group.md) | `cdn.editor` for the folder with the origin group
[Updating an origin group](../operations/origin-groups/edit-group.md) | `cdn.editor` for the folder with the origin group
[Adding an origin group to a resource](../operations/origin-groups/bind-group-to-resource.md) | `cdn.editor` for the folder with the CDN resource
[Deleting an origin group](../operations/origin-groups/delete-group.md) | `cdn.editor` for the folder with the origin group
**Managing paid features** | 
Origin shielding | `cdn.editor` for the folder with CDN resources
Log export | `cdn.editor` for the folder with CDN resources
**Managing resource access** | 
[Granting](../../iam/operations/roles/grant.md), [revoking](../../iam/operations/roles/revoke.md), and viewing roles for a resource | `admin` for this resource
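
The following script is an added example, not code from the Yandex Cloud documentation or the yc CLI. It models the inheritance chart above (`cdn.viewer` → `cdn.editor` → `cdn.admin`, `auditor` → `viewer` → `editor` → `admin`), checks whether a subject holds the role the table requires for an action, and flags service accounts that were given a primitive role where a `cdn.*` role would do, as recommended under "Primitive roles". It assumes bindings shaped like the JSON list printed by `yc resource-manager folder list-access-bindings --format json` (objects with `role_id` and `subject` with `id` and `type`); the sample bindings, the subject IDs and the folder ID are constructed placeholders, and the remediation command shape is assumed from the yc CLI.

```python
"""Least-privilege review of folder access bindings for Cloud CDN (added example)."""
import json

# Inheritance chains from the role chart: each role implies the ones before it.
SERVICE_CHAIN = ["cdn.viewer", "cdn.editor", "cdn.admin"]
PRIMITIVE_CHAIN = ["auditor", "viewer", "editor", "admin"]

# Primitive role -> the cdn.* role it covers. auditor has no data access,
# so it does not cover cdn.viewer.
PRIMITIVE_COVERS = {"viewer": "cdn.viewer", "editor": "cdn.editor", "admin": "cdn.admin"}

# Roles that allow assigning roles on a resource (see "Access management" above).
ROLE_GRANTERS = {
    "admin", "resource-manager.admin", "organization-manager.admin",
    "resource-manager.clouds.owner", "organization-manager.organizations.owner",
}


def _prefix(chain, role):
    return set(chain[: chain.index(role) + 1])


def implied_roles(role):
    """Every role a single assigned role implies through inheritance."""
    if role in SERVICE_CHAIN:
        return _prefix(SERVICE_CHAIN, role)
    if role in PRIMITIVE_CHAIN:
        roles = _prefix(PRIMITIVE_CHAIN, role)
        if role in PRIMITIVE_COVERS:  # a primitive role also covers cdn.* roles
            roles |= _prefix(SERVICE_CHAIN, PRIMITIVE_COVERS[role])
        return roles
    return {role}  # roles of other services: no inheritance modelled here


def effective_roles(bindings, subject_id):
    roles = set()
    for b in bindings:
        if b["subject"]["id"] == subject_id:
            roles |= implied_roles(b["role_id"])
    return roles


def can_perform(bindings, subject_id, required_role):
    """True if the subject holds `required_role` directly or via a stronger role."""
    return required_role in effective_roles(bindings, subject_id)


def can_assign_roles(bindings, subject_id):
    return bool(effective_roles(bindings, subject_id) & ROLE_GRANTERS)


def overprivileged(bindings):
    """Service accounts holding viewer/editor where cdn.viewer/cdn.editor would do.

    Returns (subject_id, current_role, suggested_role) tuples. `admin` is left
    alone because it is also what role assignment itself requires.
    """
    return [
        (b["subject"]["id"], b["role_id"], PRIMITIVE_COVERS[b["role_id"]])
        for b in bindings
        if b["subject"]["type"] == "serviceAccount" and b["role_id"] in ("viewer", "editor")
    ]


def remediation_commands(bindings, folder_id):
    """yc commands that swap each flagged primitive role for its cdn.* equivalent.

    Command shape is assumed from the yc CLI (`--role` and `--subject
    serviceAccount:<id>`). The new binding is added before the old one is
    removed so the account never loses access in between.
    """
    cmds = []
    for sid, current, suggested in overprivileged(bindings):
        subject = f"serviceAccount:{sid}"
        cmds.append(f"yc resource-manager folder add-access-binding {folder_id} "
                    f"--role {suggested} --subject {subject}")
        cmds.append(f"yc resource-manager folder remove-access-binding {folder_id} "
                    f"--role {current} --subject {subject}")
    return cmds


# Constructed sample of a folder's binding list; IDs are placeholders.
SAMPLE_BINDINGS = json.loads("""[
  {"role_id": "cdn.editor", "subject": {"id": "sa-cdn-deploy", "type": "serviceAccount"}},
  {"role_id": "editor",     "subject": {"id": "sa-legacy-ci",  "type": "serviceAccount"}},
  {"role_id": "cdn.viewer", "subject": {"id": "user-readonly", "type": "userAccount"}},
  {"role_id": "admin",      "subject": {"id": "user-ops",      "type": "userAccount"}}
]""")

if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_BINDINGS, "FOLDER_ID"):
        print(cmd)
    print("can assign roles:", [b["subject"]["id"] for b in SAMPLE_BINDINGS
                                if can_assign_roles(SAMPLE_BINDINGS, b["subject"]["id"])])
```

Run against real output by replacing `SAMPLE_BINDINGS` with `json.load(...)` of the CLI's JSON. The review deliberately treats `auditor` as not covering `cdn.viewer`: the page states that `auditor` has no access to service data, so a subject holding only `auditor` cannot view CDN resource details.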

#### What's next

* [How to assign a role](../../iam/operations/roles/grant.md).
* [How to revoke a role](../../iam/operations/roles/revoke.md).
* [Learn more about access management in Yandex Cloud](../../iam/concepts/access-control/index.md).
* [Learn more about role inheritance](../../resource-manager/concepts/resources-hierarchy.md#access-rights-inheritance).