[Yandex Cloud documentation](../../index.md) > [Yandex Cloud Registry](../index.md) > Access management

# Access management in Yandex Cloud Registry

Cloud Registry uses [roles](../../iam/concepts/access-control/roles.md) to manage access permissions.

In this section, you will learn about:

* [Resources you can assign a role for](#resources).
* [Roles this service has](#roles-list).

## Access management {#about-access-control}

[Yandex Identity and Access Management](../../iam/index.md) checks all operations in Yandex Cloud. If an entity does not have required permissions, IAM returns an error.


To grant permissions for a resource, [assign](../../iam/operations/roles/grant.md) the relevant resource roles to an entity performing operations. You can assign roles to a [Yandex account](../../iam/concepts/users/accounts.md#passport), [service account](../../iam/concepts/users/service-accounts.md), [local user](../../iam/concepts/users/accounts.md#local), [federated user](../../iam/concepts/federations.md), [user group](../../organization/operations/manage-groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md). For more information, see [How access management works in Yandex Cloud](../../iam/concepts/access-control/index.md).

To assign a role for a resource, you need the `cloud-registry.admin` role or one of the following roles for that resource:

* `admin`
* `resource-manager.admin`
* `organization-manager.admin`
* `resource-manager.clouds.owner`
* `organization-manager.organizations.owner`

## Resources you can assign a role for {#resources}

You can assign a role to an [organization](../../organization/concepts/organization.md), [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [folder](../../resource-manager/concepts/resources-hierarchy.md#folder). The roles assigned to organizations, clouds, and folders also apply to their nested resources.

{% note info %}

For more information about role inheritance, see [Inheritance of access permissions](../../resource-manager/concepts/resources-hierarchy.md#access-rights-inheritance) in the Resource Manager documentation.

{% endnote %}

You can also assign a role for [Cloud Registry registries](../concepts/registry.md) as well as directories inside them.

## Roles this service has {#roles-list}

In Cloud Registry, you can manage access using both service and primitive roles.

```mermaid
flowchart BT
    cloud-registry.editor --> cloud-registry.admin
    cloud-registry.artifacts.puller --> cloud-registry.editor
    cloud-registry.artifacts.pusher --> cloud-registry.editor
    cloud-registry.viewer --> cloud-registry.editor
    cloud-registry.auditor --> cloud-registry.viewer
```

### Service roles {#service-roles}

#### cloud-registry.auditor {#cloud-registry-auditor}

The `cloud-registry.auditor` role enables viewing the artifact metadata, the info on registries and access permissions granted for them, as well as on the Cloud Registry quotas.

Users with this role can:
* View the [artifact](../concepts/artifacts/index.md) metadata.
* View info on [registries](../concepts/registry.md).
* View registry access policies.
* View info on the [access permissions](../../iam/concepts/access-control/index.md) granted for registries, folders within registries, and artifacts.
* View info on registry [lifecycle policies](../concepts/lifecycle-policy.md).
* View artifact vulnerability scanning settings and results.
* View info on the Cloud Registry quotas.
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

#### cloud-registry.viewer {#cloud-registry-viewer}

The`cloud-registry.viewer` role enables pulling artifacts, as well as viewing info on artifacts and registries, on the access permissions granted for registries, and on the Cloud Registry quotas.

Users with this role can:
* View info on [artifacts](../concepts/artifacts/index.md) and pull them.
* View info on [registries](../concepts/registry.md).
* View registry access policies.
* View info on the [access permissions](../../iam/concepts/access-control/index.md) granted for registries, folders within registries, and artifacts.
* View info on registry [lifecycle policies](../concepts/lifecycle-policy.md).
* View vulnerability scanning results.
* View info on the Cloud Registry quotas.
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `cloud-registry.auditor` permissions.

#### cloud-registry.editor {#cloud-registry-editor}

The `cloud-registry.editor` role enables managing artifacts, registries, and lifecycle policies, as well as viewing info on the access permissions granted for registries and Cloud Registry quotas.

Users with this role can:
* View info on [registries](../concepts/registry.md), as well as create, modify, and delete them.
* View info on [artifacts](../concepts/artifacts/index.md), as well as create, modify, download, and delete them.
* Create and delete folders within registries.
* Scan registry artifacts for vulnerabilities.
* View and edit vulnerability scanning settings for artifacts.
* View vulnerability scanning results.
* View registry access policies.
* View info on the [access permissions](../../iam/concepts/access-control/index.md) granted for registries, folders within registries, and artifacts.
* View info on registry [lifecycle policies](../concepts/lifecycle-policy.md) as well as create, modify, or delete such policies and test them in `dry run` mode.
* View info on the Cloud Registry quotas.
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `cloud-registry.viewer`, `cloud-registry.artifacts.pusher`, and `cloud-registry.artifacts.scanner` permissions.

#### cloud-registry.admin {#cloud-registry-admin}

The `cloud-registry.admin` role enables managing artifacts, registries, and access to registries, as well as viewing info on the Cloud Registry quotas.

Users with this role can:
* View info on the [access permissions](../../iam/concepts/access-control/index.md) granted for [registries](../concepts/registry.md), folders within registries, and [artifacts](../concepts/artifacts/index.md), as well as modify such permissions.
* View and modify registry access policies.
* View info on registries, as well as create, modify, and delete registries, along with all data inside them.
* View info on artifacts, as well as create, modify, download, and delete them.
* Create and delete folders within registries.
* Delete the revision history for [Docker images](../concepts/artifacts/docker.md) within registries.
* Scan registry artifacts for vulnerabilities.
* View and edit vulnerability scanning settings for artifacts.
* View vulnerability scanning results.
* View info on registry [lifecycle policies](../concepts/lifecycle-policy.md) as well as create, modify, or delete such policies and test them in `dry run` mode.
* View info on the Cloud Registry quotas.
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `cloud-registry.editor` permissions.

#### cloud-registry.artifacts.puller {#cloud-registry-artifacts-puller}

The `cloud-registry.artifacts.puller` role enables pulling [artifacts](../concepts/artifacts/index.md), as well as getting info on artifacts and [registries](../concepts/registry.md).

#### cloud-registry.artifacts.pusher {#cloud-registry-artifacts-pusher}

The `cloud-registry.artifacts.pusher` role enables managing artifacts, as well as viewing info on the registries and managing folders within them.

Users with this role can:
* View info on [artifacts](../concepts/artifacts/index.md), as well as create, modify, download, and delete them.
* View info on [registries](../concepts/registry.md).
* Create and delete folders within registries.

### Primitive roles {#primitive-roles}

Primitive roles allow users to perform actions in all Yandex Cloud [services](../../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:
* View info on a [resource](../../resource-manager/concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the most secure role that does not grant any access to the [service](../../overview/concepts/services.md) data. This role suits the users who need minimum access to the Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants the permissions to read the info on any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Prior to assigning the `admin` role for an organization, [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), make sure to check out the information on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the [least privilege principle](../../security/standard/all.md#min-privileges).

For more information on primitive roles, see the [Yandex Cloud role reference](../../iam/roles-reference.md#primitive-roles).

## Useful links {#see-also}

[Hierarchy of Yandex Cloud resources](../../resource-manager/concepts/resources-hierarchy.md)