[Yandex Cloud documentation](../../index.md) > [Yandex Data Processing](../index.md) > Access management

# Access management in Yandex Data Processing

Yandex Cloud users can only perform operations on resources within the permissions of the [roles](../../iam/concepts/access-control/roles.md) assigned to them. With no roles assigned, almost no operations are allowed.

To allow access to Yandex Data Processing resources (clusters and subclusters), assign relevant roles from the list below to a Yandex account, [service account](../../iam/concepts/users/service-accounts.md), [federated](../../iam/concepts/users/accounts.md#saml-federation) or [local](../../iam/concepts/users/accounts.md#local) users, [user group](../../organization/operations/manage-groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md). Currently, a role can only be assigned for a parent resource, such as a folder or cloud. Roles are inherited by nested resources.

For more information about role inheritance, see [Inheriting access permissions](../../resource-manager/concepts/resources-hierarchy.md#access-rights-inheritance) for Yandex Resource Manager.

To assign a role for a resource, you need the `mdb.admin` role, `dataproc.admin` role, or one of the following roles for that resource:

* `admin`
* `resource-manager.admin`
* `organization-manager.admin`
* `resource-manager.clouds.owner`
* `organization-manager.organizations.owner`

## Assigning roles {#grant-role}

To assign a role to a user:

1. [Add](../../organization/operations/add-account.md) the appropriate user, if required.
1. In the [management console](https://console.yandex.cloud), on the left, [select](../../resource-manager/operations/cloud/switch-cloud.md) a cloud.
1. Navigate to the **Access bindings** tab.
1. Click **Configure access**.
1. In the window that opens, select **User accounts**.
1. Select a user from the list or use the user search option.
1. Click ![image](../../_assets/console-icons/plus.svg) **Add role** and select a role for the cloud.
1. Click **Save**.

## Roles this service has {#roles-list}

The list below shows all the roles used for access control in Yandex Data Processing.

```mermaid
flowchart BT
    dataproc.auditor --> dataproc.viewer
    dataproc.viewer --> dataproc.user
    mdb.viewer --> dataproc.user
    mdb.viewer --> mdb.admin
    mdb.auditor --> mdb.viewer
    dataproc.provisioner ~~~ dataproc.agent
    dataproc.user --> dataproc.editor
    dataproc.editor --> dataproc.admin
    dataproc.viewer --> mdb.viewer
    dataproc.admin --> mdb.admin 
```

### Service roles {#service-roles}

#### dataproc.agent {#dataproc-agent}

The `dataproc.agent` role allows the [service account](../../iam/concepts/users/service-accounts.md) linked to the Yandex Data Processing cluster to notify Data Proc of the cluster host state. You can assign this role to a service account linked to the Yandex Data Processing cluster.

Service accounts with this role can:
* Notify Yandex Data Processing of the [cluster](../concepts/index.md#resources) host state.
* Get info on [jobs](../concepts/jobs.md) and their progress statuses.
* Get info on [log groups](../../logging/concepts/log-group.md) and add entries to them.

Currently, you can only assign this role for a folder or cloud.

#### dataproc.auditor {#dataproc-auditor}

The `dataproc.auditor` role allows you to view information on Yandex Data Processing [clusters](../concepts/index.md#resources).

#### dataproc.viewer {#dataproc-viewer}

The `dataproc.viewer` role allows you to view information on Yandex Data Processing [clusters](../concepts/index.md#resources) and [jobs](../concepts/jobs.md).

#### dataproc.user {#dataproc-user}

The `dataproc.user` role grants access to the Yandex Data Processing component web interfaces and enables creating jobs and viewing info on Yandex Cloud managed DB clusters.

{% cut "Users with this role can:" %}

* View info on Yandex Data Processing [clusters](../concepts/index.md#resources) and [jobs](../concepts/jobs.md), as well as create jobs.
* Use the web interface to access the Yandex Data Processing components.
* View info on [ClickHouse®](../../managed-clickhouse/concepts/index.md), [Yandex MPP Analytics for PostgreSQL](../../managed-greenplum/concepts/index.md), [Apache Kafka®](../../managed-kafka/concepts/index.md), [Yandex StoreDoc](../../storedoc/concepts/index.md), [MySQL®](../../managed-mysql/concepts/index.md), [PostgreSQL](../../managed-postgresql/concepts/index.md), [Valkey™](../../managed-valkey/concepts/index.md), [OpenSearch](../../managed-opensearch/concepts/index.md), and SQL Server clusters.
* View info on [Yandex MPP Analytics for PostgreSQL](../../managed-greenplum/concepts/instance-types.md), [Yandex StoreDoc](../../storedoc/concepts/instance-types.md), [MySQL®](../../managed-mysql/concepts/instance-types.md), [PostgreSQL](../../managed-postgresql/concepts/instance-types.md), [Valkey™](../../managed-valkey/concepts/instance-types.md), and SQL Server cluster hosts.
* View info on database backups for [Yandex MPP Analytics for PostgreSQL](../../managed-greenplum/concepts/backup.md), [Yandex StoreDoc](../../storedoc/concepts/backup.md), [MySQL®](../../managed-mysql/concepts/backup.md), [PostgreSQL](../../managed-postgresql/concepts/backup.md), [Valkey™](../../managed-valkey/concepts/backup.md), and SQL Server clusters.
* View info on [Yandex StoreDoc](../../storedoc/concepts/users-and-roles.md), [MySQL®](../../managed-mysql/concepts/user-rights.md), [PostgreSQL](../../managed-postgresql/concepts/roles.md), and SQL Server cluster users.
* View info on Yandex StoreDoc, MySQL®, PostgreSQL, and SQL Server DBs.
* View info on Yandex StoreDoc, MySQL®, PostgreSQL, and Valkey™ alerts.
* View info on the results of Yandex MPP Analytics for PostgreSQL, Yandex StoreDoc, MySQL®, and PostgreSQL cluster performance diagnostics.
* View info on [Yandex StoreDoc](../../storedoc/concepts/sharding.md) and [Valkey™](../../managed-valkey/concepts/sharding.md) cluster shards.
* View Yandex MPP Analytics for PostgreSQL, Yandex StoreDoc, MySQL®, PostgreSQL, Valkey™, and SQL Server cluster logs.
* View info on [Managed Service for ClickHouse®](../../managed-clickhouse/concepts/limits.md#mch-quotas), [Managed Service for Apache Kafka®](../../managed-kafka/concepts/limits.md#mkf-quotas), [Managed Service for OpenSearch](../../managed-opensearch/concepts/limits.md#quotas), [Yandex MPP Analytics for PostgreSQL](../../managed-greenplum/concepts/limits.md#quotas), [Yandex StoreDoc](../../storedoc/concepts/limits.md#mmg-quotas), [Managed Service for MySQL®](../../managed-mysql/concepts/limits.md#mmy-quotas), [Managed Service for PostgreSQL](../../managed-postgresql/concepts/limits.md#mpg-quotas), [Yandex Managed Service for Valkey™](../../managed-valkey/concepts/limits.md#mrd-quotas), and SQL Server quotas.
* View info on resource operations for all Yandex Cloud managed DB services.
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `dataproc.viewer` and `mdb.viewer` permissions.

#### dataproc.provisioner {#dataproc-provisioner}

The `dataproc.provisioner` role grants access to the API to create, update, and delete Yandex Data Processing cluster objects.

{% cut "Users with this role can:" %}

* View information on [DNS zones](../../dns/concepts/dns-zone.md) as well as create, use, modify, and delete them.
* View information on [resource records](../../dns/concepts/resource-record.md) as well as create, modify, and delete them.
* Create nested public DNS zones.
* View info on granted [access permissions](../../iam/concepts/access-control/index.md) for DNS zones.
* View information on available [platforms](../../compute/concepts/vm-platforms.md) and use them.
* Create, modify, start, restart, stop, move, and delete [instances](../../compute/concepts/vm.md).
* View the list of instances, information on instances and on granted access permissions for them.
* Connect and disconnect disks, file storages, and network interfaces to and from instances, as well as link [security groups](../../vpc/concepts/security-groups.md) to instance network interfaces.
* Create instances with custom [FQDNs](../../vpc/concepts/address.md#fqdn) and create multi-interface instances.
* Bind [service accounts](../../iam/concepts/users/service-accounts.md) to instances and activate AWS v1 tokens on instances.
* View the list of service accounts and info on them, as well as perform operations on behalf of a service account.
* Use the instance [serial port](../../compute/operations/vm-info/get-serial-port-output.md) for reading and writing.
* Simulate instance maintenance events.
* View instance [metadata](../../compute/concepts/vm-metadata.md).
* View information on the status of configuring access via [OS Login](../../organization/concepts/os-login.md) on instances and connect to instances via OS Login using SSH certificates or SSH keys.
* View the list of [instance groups](../../compute/concepts/instance-groups/index.md), information on instance groups and on granted access permissions for them, as well as use, create, modify, start, stop, and delete instance groups.
* View the list of [instance placement groups](../../compute/concepts/placement-groups.md), information on instance placement groups and on granted access permissions for them, as well as use, modify, and delete instance placement groups.
* View lists of instances in placement groups.
* View the list of [dedicated host groups](../../compute/concepts/dedicated-host.md#host-group-size), information on dedicated host groups and on granted access permissions for them, as well as use, modify, and delete dedicated host groups.
* View lists of [hosts](../../compute/concepts/dedicated-host.md) and instances in dedicated host groups.
* Modify scheduled maintenance windows for hosts in dedicated host groups.
* Use [GPU clusters](../../compute/concepts/gpus.md#gpu-clusters), as well as create, modify, and delete them.
* View info on GPU clusters and instances included in GPU clusters, as well as on granted access permissions for these clusters.
* View the list of [disks](../../compute/concepts/disk.md), information on disks and on granted access permissions for them, as well as use, modify, move, and delete disks.
* Create [encrypted disks](../../compute/concepts/disk.md#encryption).
* View and update disk links.
* View the list of [file storages](../../compute/concepts/filesystem.md), information on file storages and on granted access permissions for them, as well as use, create, modify, and delete file storages.
* View the list of [non-replicated disk placement groups](../../compute/concepts/disk-placement-group.md), information on non-replicated disk placement groups and on granted access permissions for them, as well as use, modify, and delete non-replicated disk placement groups.
* View lists of disks in placement groups.
* View the list of [images](../../compute/concepts/image.md), information on images and on granted access permissions for them, as well as use, modify, and delete images.
* Create, modify, delete, and update [image families](../../compute/concepts/image.md#family).
* View info on image families, on images within families, on the latest family image, as well as on granted access permissions for image families.
* View the list of [disk snapshots](../../compute/concepts/snapshot.md), information on disk snapshots and on granted access permissions for them, as well as use, modify, and delete disk snapshots.
* View info on disk snapshot [schedules](../../compute/concepts/snapshot-schedule.md) and on granted access permissions for them, as well as create, modify, and delete disk snapshot schedules.
* View the list of [cloud networks](../../vpc/concepts/network.md#network) and info on them, as well as use them.
* View the list of [subnets](../../vpc/concepts/network.md#subnet) and info on them, as well as use them.
* View the list of [cloud resource addresses](../../vpc/concepts/address.md) and info on them, as well as use such addresses.
* View the list of [route tables](../../vpc/concepts/routing.md#rt-vpc) and info on them, as well as use them.
* View the list of security groups and info on them, as well as use them.
* View information on [NAT gateways](../../vpc/concepts/gateways.md) and connect them to route tables.
* View information on the IP addresses used in subnets.
* View info on Monitoring [metrics](../../monitoring/concepts/data-model.md#metric) and their [labels](../../monitoring/concepts/data-model.md#label), as well as download metrics.
* View the list of Monitoring [dashboards](../../monitoring/concepts/visualization/dashboard.md) and [widgets](../../monitoring/concepts/visualization/widget.md), as well as the info on those.
* View the Monitoring [notification](../../monitoring/concepts/alerting/notification-channel.md) history.
* View info on [log groups](../../logging/concepts/log-group.md).
* View info on log sinks.
* View info on granted access permissions for Cloud Logging resources.
* View info on log exports.
* View information on Compute Cloud resource and [quota](../../compute/concepts/limits.md#compute-quotas) consumption and [disk limits](../../compute/concepts/limits.md#compute-limits-disks) in the management console.
* View info on the [Cloud DNS](../../dns/concepts/limits.md#cloud-dns-quotas), [Virtual Private Cloud](../../vpc/concepts/limits.md#vpc-quotas), and [Monitoring](../../monitoring/concepts/limits.md#monitoring-quotas) quotas.
* View lists of resource operations for Compute Cloud and information on operations, as well as abort such operations.
* View information on resource operations for Virtual Private Cloud.
* View the list of [availability zones](../../overview/concepts/geo-scope.md), information on availability zones and on granted access permissions for them.
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `iam.serviceAccounts.user`, `dns.editor`, `compute.editor`, `monitoring.viewer`, and `logging.viewer` permissions.

#### dataproc.editor {#dataproc-editor}

The `dataproc.editor` role allows you to manage Yandex Data Processing clusters, run jobs, and view information on them. It also grants access to the Data Proc component web interfaces.

{% cut "Users with this role can:" %}

* View info on Yandex Data Processing [clusters](../concepts/index.md#resources), as well as create, modify, run, stop, and delete them.
* View info on [jobs](../concepts/jobs.md) and create them.
* Use the web interface to access the Yandex Data Processing components.
* View info on [ClickHouse®](../../managed-clickhouse/concepts/index.md), [Yandex MPP Analytics for PostgreSQL](../../managed-greenplum/concepts/index.md), [Apache Kafka®](../../managed-kafka/concepts/index.md), [Yandex StoreDoc](../../storedoc/concepts/index.md), [MySQL®](../../managed-mysql/concepts/index.md), [PostgreSQL](../../managed-postgresql/concepts/index.md), [Valkey™](../../managed-valkey/concepts/index.md), [OpenSearch](../../managed-opensearch/concepts/index.md), and SQL Server clusters.
* View info on [Yandex MPP Analytics for PostgreSQL](../../managed-greenplum/concepts/instance-types.md), [Yandex StoreDoc](../../storedoc/concepts/instance-types.md), [MySQL®](../../managed-mysql/concepts/instance-types.md), [PostgreSQL](../../managed-postgresql/concepts/instance-types.md), [Valkey™](../../managed-valkey/concepts/instance-types.md), and SQL Server cluster hosts.
* View info on database backups for [Yandex MPP Analytics for PostgreSQL](../../managed-greenplum/concepts/backup.md), [Yandex StoreDoc](../../storedoc/concepts/backup.md), [MySQL®](../../managed-mysql/concepts/backup.md), [PostgreSQL](../../managed-postgresql/concepts/backup.md), [Valkey™](../../managed-valkey/concepts/backup.md), and SQL Server clusters.
* View info on [Yandex StoreDoc](../../storedoc/concepts/users-and-roles.md), [MySQL®](../../managed-mysql/concepts/user-rights.md), [PostgreSQL](../../managed-postgresql/concepts/roles.md), and SQL Server cluster users.
* View info on Yandex StoreDoc, MySQL®, PostgreSQL, and SQL Server DBs.
* View info on Yandex StoreDoc, MySQL®, PostgreSQL, and Valkey™ alerts.
* View info on the results of Yandex MPP Analytics for PostgreSQL, Yandex StoreDoc, MySQL®, and PostgreSQL cluster performance diagnostics.
* View info on [Yandex StoreDoc](../../storedoc/concepts/sharding.md) and [Valkey™](../../managed-valkey/concepts/sharding.md) cluster shards.
* View Yandex MPP Analytics for PostgreSQL, Yandex StoreDoc, MySQL®, PostgreSQL, Valkey™, and SQL Server cluster logs.
* View info on [Managed Service for ClickHouse®](../../managed-clickhouse/concepts/limits.md#mch-quotas), [Managed Service for Apache Kafka®](../../managed-kafka/concepts/limits.md#mkf-quotas), [Managed Service for OpenSearch](../../managed-opensearch/concepts/limits.md#quotas), [Yandex MPP Analytics for PostgreSQL](../../managed-greenplum/concepts/limits.md#quotas), [Yandex StoreDoc](../../storedoc/concepts/limits.md#mmg-quotas), [Managed Service for MySQL®](../../managed-mysql/concepts/limits.md#mmy-quotas), [Managed Service for PostgreSQL](../../managed-postgresql/concepts/limits.md#mpg-quotas), [Yandex Managed Service for Valkey™](../../managed-valkey/concepts/limits.md#mrd-quotas), and SQL Server quotas.
* View info on resource operations for all Yandex Cloud managed DB services.
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `dataproc.user` permissions.

#### dataproc.admin {#dataproc-admin}

The `dataproc.admin` role allows you to manage Yandex Data Processing clusters, run jobs, and view information on them. It also grants access to the Data Processing component web interfaces.

{% cut "Users with this role can:" %}

* View info on Yandex Data Processing [clusters](../concepts/index.md#resources), as well as create, modify, run, stop, and delete them.
* View info on [jobs](../concepts/jobs.md) and create them.
* Use the web interface to access the Yandex Data Processing components.
* View info on [ClickHouse®](../../managed-clickhouse/concepts/index.md), [Yandex MPP Analytics for PostgreSQL](../../managed-greenplum/concepts/index.md), [Apache Kafka®](../../managed-kafka/concepts/index.md), [Yandex StoreDoc](../../storedoc/concepts/index.md), [MySQL®](../../managed-mysql/concepts/index.md), [PostgreSQL](../../managed-postgresql/concepts/index.md), [Valkey™](../../managed-valkey/concepts/index.md), [OpenSearch](../../managed-opensearch/concepts/index.md), and SQL Server clusters.
* View info on [Yandex MPP Analytics for PostgreSQL](../../managed-greenplum/concepts/instance-types.md), [Yandex StoreDoc](../../storedoc/concepts/instance-types.md), [MySQL®](../../managed-mysql/concepts/instance-types.md), [PostgreSQL](../../managed-postgresql/concepts/instance-types.md), [Valkey™](../../managed-valkey/concepts/instance-types.md), and SQL Server cluster hosts.
* View info on database backups for [Yandex MPP Analytics for PostgreSQL](../../managed-greenplum/concepts/backup.md), [Yandex StoreDoc](../../storedoc/concepts/backup.md), [MySQL®](../../managed-mysql/concepts/backup.md), [PostgreSQL](../../managed-postgresql/concepts/backup.md), [Valkey™](../../managed-valkey/concepts/backup.md), and SQL Server clusters.
* View info on [Yandex StoreDoc](../../storedoc/concepts/users-and-roles.md), [MySQL®](../../managed-mysql/concepts/user-rights.md), [PostgreSQL](../../managed-postgresql/concepts/roles.md), and SQL Server cluster users.
* View info on Yandex StoreDoc, MySQL®, PostgreSQL, and SQL Server DBs.
* View info on Yandex StoreDoc, MySQL®, PostgreSQL, and Valkey™ alerts.
* View info on the results of Yandex MPP Analytics for PostgreSQL, Yandex StoreDoc, MySQL®, and PostgreSQL cluster performance diagnostics.
* View info on [Yandex StoreDoc](../../storedoc/concepts/sharding.md) and [Valkey™](../../managed-valkey/concepts/sharding.md) cluster shards.
* View Yandex MPP Analytics for PostgreSQL, Yandex StoreDoc, MySQL®, PostgreSQL, Valkey™, and SQL Server cluster logs.
* View info on [Managed Service for ClickHouse®](../../managed-clickhouse/concepts/limits.md#mch-quotas), [Managed Service for Apache Kafka®](../../managed-kafka/concepts/limits.md#mkf-quotas), [Managed Service for OpenSearch](../../managed-opensearch/concepts/limits.md#quotas), [Yandex MPP Analytics for PostgreSQL](../../managed-greenplum/concepts/limits.md#quotas), [Yandex StoreDoc](../../storedoc/concepts/limits.md#mmg-quotas), [Managed Service for MySQL®](../../managed-mysql/concepts/limits.md#mmy-quotas), [Managed Service for PostgreSQL](../../managed-postgresql/concepts/limits.md#mpg-quotas), [Yandex Managed Service for Valkey™](../../managed-valkey/concepts/limits.md#mrd-quotas), and SQL Server quotas.
* View info on resource operations for all Yandex Cloud managed DB services.
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `dataproc.editor` permissions.

#### mdb.auditor {#mdb-auditor}

The `mdb.auditor` role grants the minimum permissions required to view info on managed database clusters (without access to data or logs).

Users with this role can view info on managed database clusters, quotas, and resource operations.

This role includes the `managed-opensearch.auditor`, `managed-kafka.auditor`, `managed-mysql.auditor`, `managed-postgresql.auditor`, `managed-spqr.auditor`, `managed-greenplum.auditor`, `managed-clickhouse.auditor`, `managed-redis.auditor`, and `managed-mongodb.auditor` permissions.

#### mdb.viewer {#mdb-viewer}

The `mdb.viewer` role grants read access to managed database clusters and cluster logs.

Users with this role can read from databases, view the logs of managed database clusters, and view info on cluster maintenance tasks, clusters, quotas, and resource operations.

This role includes the `managed-opensearch.viewer`, `managed-kafka.viewer`, `managed-mysql.viewer`, `managed-postgresql.viewer`, `managed-greenplum.viewer`, `managed-clickhouse.viewer`, `managed-redis.viewer`, `managed-mongodb.viewer`, and `dataproc.viewer` permissions.

#### mdb.admin {#mdb-admin}

The `mdb.admin` role grants full access to managed database clusters.

Users with this role can create, edit, delete, run, and stop managed database clusters, manage access to clusters, create cluster backups and restore clusters from backups, read and write to databases, view info on clusters, view and modify cluster maintenance tasks, and view cluster logs as well as info on quotas and resource operations.

This role includes the `mdb.viewer`, `vpc.user`, `managed-opensearch.admin`, `managed-kafka.admin`, `managed-mysql.admin`, `managed-postgresql.admin`, `managed-spqr.admin`, `managed-greenplum.admin`, `managed-clickhouse.admin`, `managed-redis.admin`, `managed-mongodb.admin`, and `dataproc.admin` permissions.

### Primitive roles {#primitive-roles}

Primitive roles allow users to perform actions in all Yandex Cloud [services](../../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:
* View info on a [resource](../../resource-manager/concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the most secure role that does not grant any access to the [service](../../overview/concepts/services.md) data. This role suits the users who need minimum access to the Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants the permissions to read the info on any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Prior to assigning the `admin` role for an organization, [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), make sure to check out the information on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the [least privilege principle](../../security/standard/all.md#min-privileges).

For more information on primitive roles, see the [Yandex Cloud role reference](../../iam/roles-reference.md#primitive-roles).