[Yandex Cloud documentation](../../index.md) > [Yandex Container Registry](../index.md) > Access management

# Access management in Container Registry

In this section, you will learn:
* [Which resources you can assign a role for](#resources).
* [Which roles exist in the service](#roles-list).
* [Which roles are required](#choosing-roles) for particular actions.

## Access management {#about-access-control}

[Yandex Identity and Access Management](../../iam/index.md) checks all operations in Yandex Cloud. If an entity does not have required permissions, IAM returns an error.


To grant permissions for a resource, [assign](../../iam/operations/roles/grant.md) the relevant resource roles to an entity performing operations. You can assign roles to a [Yandex account](../../iam/concepts/users/accounts.md#passport), [service account](../../iam/concepts/users/service-accounts.md), [local user](../../iam/concepts/users/accounts.md#local), [federated user](../../iam/concepts/federations.md), [user group](../../organization/operations/manage-groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md). For more information, see [How access management works in Yandex Cloud](../../iam/concepts/access-control/index.md).

Roles for a resource can be assigned by users who have the `container-registry.admin` role or one of the following roles for that resource:

* `admin`
* `resource-manager.admin`
* `organization-manager.admin`
* `resource-manager.clouds.owner`
* `organization-manager.organizations.owner`

## Which resources you can assign a role for {#resources}

You can assign a role to an [organization](../../organization/concepts/organization.md), [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [folder](../../resource-manager/concepts/resources-hierarchy.md#folder). The roles assigned to organizations, clouds, and folders also apply to their nested resources.

You can also assign roles for individual resources within the service:

{% list tabs group=instructions %}

- Management console {#console}

  You can use the [management console](https://console.yandex.cloud) to assign roles for a [registry](../concepts/registry.md).

- CLI {#cli}

  You can use the [Yandex Cloud CLI](../../cli/cli-ref/container/cli-ref/index.md) to assign roles for the following resources:

  * [Registry](../concepts/registry.md)
  * [Repository](../concepts/repository.md)

- Terraform {#tf}

  You can use [Terraform](../../terraform/index.md) to assign roles for the following resources:

  * [Registry](../concepts/registry.md)
  * [Repository](../concepts/repository.md)

- API {#api}

  You can use [Yandex Cloud](../api-ref/authentication.md) API to assign roles for the following resources:

  * [Registry](../concepts/registry.md)
  * [Repository](../concepts/repository.md)

{% endlist %}

## Which roles exist in the service {#roles-list}

The chart below shows service’s roles and their permission inheritance. For example, `editor` inherits all `viewer` permissions. You can find role descriptions below the chart.

![service-roles-hierarchy](../../_assets/container-registry/service-roles-hierarchy.svg)

### Service roles {#service-roles}

#### container-registry.viewer {#container-registry.viewer}

The `container-registry.viewer` role enables viewing info on registries, Docker images, and repositories, as well as on the relevant folder, cloud, and Container Registry quotas.

Users with this role can:
* View the list of [registries](../concepts/registry.md), info on them and the [access permissions](../../iam/concepts/access-control/index.md) granted for them, as well as on the [access policy settings](../operations/registry/registry-access.md) for IP addresses and the [vulnerability scanner](../concepts/vulnerability-scanner.md) settings.
* View info on [repositories](../concepts/repository.md) and the access permissions granted for them.
* View the list of the [Docker image](../concepts/docker-image.md) auto-delete [policies](../concepts/lifecycle-policy.md) and info on them.
* View the list of the [testing](../operations/lifecycle-policy/lifecycle-policy-dry-run.md) results for Docker image auto-delete policies and info on such results.
* View the list of Docker images in the registry and the info on them, as well as download Docker images from the registry.
* View the Docker image vulnerability scan history and the info on the result of such scans.
* View info on the Container Registry [quotas](../concepts/limits.md#container-registry-quotas).
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

#### container-registry.editor {#container-registry.editor}

The `container-registry.editor` role enables managing registries, Docker images, repositories, and their settings.

Users with this role can:
* View the list of [registries](../concepts/registry.md) and info on them, as well as create, modify, and delete them.
* View info on the [access permissions](../../iam/concepts/access-control/index.md) granted for registries, as well as on the [access policy settings](../operations/registry/registry-access.md) for IP addresses.
* View info on the [vulnerability scanner](../concepts/vulnerability-scanner.md) settings, as well as create, modify, and delete scan rules.
* View the list of [Docker images](../concepts/docker-image.md) in the registry and info on them, as well as create, download, modify, and delete them.
* [Start](../operations/scanning-docker-image.md#manual) and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
* View info on [repositories](../concepts/repository.md) and the access permissions granted for them, as well as create and delete repositories.
* View the list of the Docker image auto-delete [policies](../concepts/lifecycle-policy.md) and info on them, as well as create, modify, and delete such policies.
* [Test](../operations/lifecycle-policy/lifecycle-policy-dry-run.md) the Docker image auto-delete policies, view the list of testing results and the info on such results.
* View info on the Container Registry [quotas](../concepts/limits.md#container-registry-quotas).
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `container-registry.viewer` permissions.

#### container-registry.admin {#container-registry.admin}

The `container-registry.admin` role enables managing access to registries and repositories, as well as managing registries, Docker images, repositories and their settings.

Users with this role can:
* View the list of [registries](../concepts/registry.md) and info on them, as well as create, modify, and delete them.
* View info on granted [access permissions](../../iam/concepts/access-control/index.md) to registries and modify such permissions.
* View info on the [access policy settings](../operations/registry/registry-access.md) for IP address and modify such settings.
* View info on the [vulnerability scanner](../concepts/vulnerability-scanner.md) settings, as well as create, modify, and delete scan rules.
* View the list of [Docker images](../concepts/docker-image.md) in the registry and info on them, as well as create, download, modify, and delete them.
* [Start](../operations/scanning-docker-image.md#manual) and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
* View info on [repositories](../concepts/repository.md), as well as create and delete them.
* View info on granted access permissions to repositories and modify such permissions.
* View the list of the Docker image auto-delete [policies](../concepts/lifecycle-policy.md) and info on them, as well as create, modify, and delete such policies.
* [Test](../operations/lifecycle-policy/lifecycle-policy-dry-run.md) the Docker image auto-delete policies, view the list of testing results and the info on such results.
* View info on the Container Registry [quotas](../concepts/limits.md#container-registry-quotas).
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `container-registry.editor` permissions.

#### container-registry.images.pusher {#container-registry-images-pusher}

The `container-registry.images.pusher` role enables managing Docker images and repositories, as well as viewing info on Docker images, repositories, and registries.

Users with this role can:
* View the list of [registries](../concepts/registry.md) and info on them.
* View the list of [Docker images](../concepts/docker-image.md) in the registry and info on them, as well as push, download, update, and delete them.
* Create and delete [repositories](../concepts/repository.md).

#### container-registry.images.puller {#container-registry-images-puller}

The `container-registry.images.puller` role enables downloading [Docker images](../concepts/docker-image.md) from the registry and viewing the list of [registries](../concepts/registry.md) and Docker images, as well as info on them.

#### container-registry.images.scanner {#container-registry-images-scanner}

The `container-registry.images.scanner` role enables scanning Docker images for vulnerabilities, as well as viewing info on registries, Docker images, repositories, the relevant cloud and folder, and the Container Registry quotas.

Users with this role can:
* View the list of [Docker images](../concepts/docker-image.md) in the registry and info on them, as well as download Docker images from the registry.
* [Start](../operations/scanning-docker-image.md#manual) and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
* View the list of [registries](../concepts/registry.md), info on them and the [access permissions](../../iam/concepts/access-control/index.md) granted for them, as well as on the [access policy settings](../operations/registry/registry-access.md) for IP addresses and the [vulnerability scanner](../concepts/vulnerability-scanner.md) settings.
* View info on [repositories](../concepts/repository.md) and the access permissions granted for them.
* View the list of the Docker image auto-delete [policies](../concepts/lifecycle-policy.md) and info on them.
* View the list of the [testing](../operations/lifecycle-policy/lifecycle-policy-dry-run.md) results for Docker image auto-delete policies and info on such results.
* View info on the Container Registry [quotas](../concepts/limits.md#container-registry-quotas).
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `container-registry.viewer` permissions.

For more information about service roles, see [Roles](../../iam/concepts/access-control/roles.md) in the Yandex Identity and Access Management documentation.

### Primitive roles {#primitive-roles}

Primitive roles allow users to perform actions in all Yandex Cloud [services](../../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:
* View info on a [resource](../../resource-manager/concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the most secure role that does not grant any access to the [service](../../overview/concepts/services.md) data. This role suits the users who need minimum access to the Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants the permissions to read the info on any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Prior to assigning the `admin` role for an organization, [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), make sure to check out the information on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the [least privilege principle](../../security/standard/all.md#min-privileges).

For more information on primitive roles, see the [Yandex Cloud role reference](../../iam/roles-reference.md#primitive-roles).

## What roles do I need {#choosing-roles}

The table below lists the roles required to perform a particular action. You can always assign a role offering more permissions than the one specified. For example, you can assign the `editor` role instead of `viewer`.

Action | Methods | Required roles
--- | --- | ---
**Viewing data** |
[Get a list of registries](../operations/registry/registry-list.md). | `list` | `container-registry.viewer` for the folder
Get information about registries, [Docker images](../operations/docker-image/docker-image-list.md), and [repositories](../operations/repository/repository-list.md). | `get`, `list` | `container-registry.viewer` for the registry containing the resource
[Pulling a Docker image](../operations/docker-image/docker-image-pull.md). | `pull` | `container-registry.images.puller`<br>For the registry or repository
Get information on [lifecycle policies](../operations/lifecycle-policy/lifecycle-policy-list.md) and the outcomes of their [dry runs](../operations/lifecycle-policy/lifecycle-policy-dry-run.md). | `get`, `list`, `getDryRunResult`, `listDryRunResults`| `container-registry.viewer` for the registry or repository the lifecycle policy was created for
**Managing resources** |
[Create registries in a folder](../operations/registry/registry-create.md). | `create` | `container-registry.editor` for the folder
[Update](../operations/registry/registry-update.md) and [delete](../operations/registry/registry-delete.md) registries | `update`, `delete` | `container-registry.editor` for the registry
[Create Docker images](../operations/docker-image/docker-image-create.md) using basic Docker images from the registry | — | `container-registry.images.puller`<br>For the registry or repository
[Create Docker images](../operations/docker-image/docker-image-create.md) without using basic Docker images from the registry. | — | No roles required.
[Push Docker images to the registry](../operations/docker-image/docker-image-push.md). | `push` | `container-registry.images.pusher`<br>For the registry or repository
[Delete Docker images](../operations/docker-image/docker-image-delete.md). | `delete` | `container-registry.images.pusher` for the registry or repository containing the Docker image
[Create](../operations/lifecycle-policy/lifecycle-policy-create.md), [edit](../operations/lifecycle-policy/lifecycle-policy-update.md), [delete](../operations/lifecycle-policy/lifecycle-policy-delete.md), and perform a [dry run](../operations/lifecycle-policy/lifecycle-policy-dry-run.md) of a lifecycle policy. | `create`, `update`, `delete`, `dryRun` | `container-registry.editor` for the registry or repository the lifecycle policy was created for
**Resource access management** |
[Grant a role](../../iam/operations/roles/grant.md), [revoke a role](../../iam/operations/roles/revoke.md), and view the roles assigned to a folder, a cloud, or a registry. | `setAccessBindings`, `updateAccessBindings`, `listAccessBindings` | `admin` for the resource
**Scan for vulnerabilities** |
[Scan](../operations/scanning-docker-image.md) a Docker image. | `scan` | `container-registry.images.scanner` for the registry or repository containing the Docker image
Get the results of a Docker image scan. | `get`, `getLast`, `list`, `listVulnerabilities` | `container-registry.images.scanner` for the registry or repository containing the Docker image

#### What's next {what-is-next}

* [Assigning a role](../operations/roles/grant.md).
* [Viewing assigned roles](../operations/roles/get-assigned-roles.md).
* [Revoking a role](../operations/roles/revoke.md).
* [Learn more about access management in Yandex Cloud](../../iam/concepts/access-control/index.md).
* [Learn more about inheriting roles](../../resource-manager/concepts/resources-hierarchy.md#access-rights-inheritance).