# Access management in Data Transfer


In this section, you will learn about:

* [Resources you can assign a role for](#resources).
* [Roles this service has](#roles-list).
* [Roles required for specific actions](#required-roles).

To use the service, log in to the management console with your [Yandex account](../../iam/concepts/users/accounts.md#passport), [federated account](../../iam/concepts/users/accounts.md#saml-federation), or [local account](../../iam/concepts/users/accounts.md#local).

## Access management {#about-access-control}

[Yandex Identity and Access Management](../../iam/index.md) checks all operations in Yandex Cloud. If an entity does not have required permissions, IAM returns an error.


To grant permissions for a resource, [assign](../../iam/operations/roles/grant.md) the relevant resource roles to an entity performing operations. You can assign roles to a [Yandex account](../../iam/concepts/users/accounts.md#passport), [service account](../../iam/concepts/users/service-accounts.md), [local user](../../iam/concepts/users/accounts.md#local), [federated user](../../iam/concepts/federations.md), [user group](../../organization/operations/manage-groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md). For more information, see [How access management works in Yandex Cloud](../../iam/concepts/access-control/index.md).

To assign roles for a resource, you need to have one of the following roles for that resource:

* `admin`
* `resource-manager.admin`
* `organization-manager.admin`
* `resource-manager.clouds.owner`
* `organization-manager.organizations.owner`

## Resources you can assign a role for {#resources}

You can assign a role to an [organization](../../organization/concepts/organization.md), [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [folder](../../resource-manager/concepts/resources-hierarchy.md#folder). The roles assigned to organizations, clouds, and folders also apply to their nested resources.

## Roles this service has {#roles-list}

The chart below shows the service's roles and their permission inheritance. For example, `editor` inherits all `viewer` permissions. You can find role descriptions below the chart.

```mermaid
%%{init: {"flowchart": {'defaultRenderer': 'elk'}} }%%
flowchart BT
    data-transfer.auditor --> data-transfer.viewer --> data-transfer.privateAdmin --> data-transfer.admin
```

### Service roles {#service-roles}

#### data-transfer.auditor {#data-transfer-auditor}

The `data-transfer.auditor` role allows you to view the service metadata, including the information on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder), [endpoints](../concepts/index.md#endpoint), and [transfers](../concepts/index.md#transfer), as well as on Data Transfer [quotas](../concepts/limits.md#dataproc-quotas).

Currently, this role can only be assigned for working with a folder or a cloud.

#### data-transfer.viewer {#data-transfer-viewer}

The `data-transfer.viewer` role allows you to view information on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder), [endpoints](../concepts/index.md#endpoint), and [transfers](../concepts/index.md#transfer), as well as on Data Transfer [quotas](../concepts/limits.md#dataproc-quotas).

This role includes the `data-transfer.auditor` permissions.

Currently, this role can only be assigned for working with a folder or a cloud.

#### data-transfer.privateAdmin {#data-transfer-privateadmin}

The `data-transfer.privateAdmin` role allows you to manage endpoints and transfers for transferring data only within Yandex Cloud networks, as well as to view information on the relevant folder and Data Transfer quotas.

Users with this role can:
* View information on [transfers](../concepts/index.md#transfer), as well as create, modify, delete, activate, use, and deactivate transfers for transferring data within Yandex Cloud networks.
* View information on [endpoints](../concepts/index.md#endpoint), as well as create, modify, and delete endpoints in Yandex Cloud.
* View information on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).
* View information on Data Transfer [quotas](../concepts/limits.md#dataproc-quotas).

This role includes the `data-transfer.viewer` permissions.

Currently, this role can only be assigned for working with a folder or a cloud.

#### data-transfer.admin {#data-transfer-admin}

The `data-transfer.admin` role allows you to manage endpoints and transfers for transferring data within Yandex Cloud networks and over the internet, as well as to view information on the relevant folder and Data Transfer quotas.

Users with this role can:
* View information on [transfers](../concepts/index.md#transfer), as well as create, modify, delete, activate, use, and deactivate transfers for transferring data both within Yandex Cloud networks and over the internet.
* View information on [endpoints](../concepts/index.md#endpoint), as well as create, modify, and delete endpoints both within and outside Yandex Cloud.
* View information on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).
* View information on Data Transfer [quotas](../concepts/limits.md#dataproc-quotas).

This role includes the `data-transfer.privateAdmin` permissions.

Currently, this role can only be assigned for working with a folder or a cloud.

### Primitive roles {#primitive-roles}

#### viewer {#viewer}

The `viewer` role grants the permissions to read information about any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Prior to assigning the `admin` role for an organization, [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), make sure to check out the information on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

## Required roles {#required-roles}

To use the service, you need the `editor` [role](../../iam/concepts/access-control/roles.md) or higher for the folder where you want to create Data Transfer resources. With the `viewer` role, you can only view the list of projects and the contents of uploaded files.

If you are creating a managed database endpoint for a cluster residing in a different folder, you will need a service or primitive [`viewer` role](../../iam/roles-reference.md#viewer) for that folder.

If you are creating a managed database endpoint for a third-party cluster with internet access, you will need the primitive `admin` role or the `data-transfer.admin` service role for the folder where you are creating the endpoint.

You can always assign a role offering more permissions (e.g., `admin` instead of `editor`) or roles that allow only individual actions. For more information about the roles required to perform particular actions with Data Transfer resources, see this table:

| Action                                                              | Required roles               |
|---------------------------------------------------------------------|------------------------------|
| Getting metadata on transfers and endpoints                         | `data-transfer.viewer`       |
| Getting information about Data Transfer quotas                      | `data-transfer.viewer`       |
| Getting information about transfers and endpoints                   | `data-transfer.viewer`       |
| Creating an endpoint in Yandex Cloud                                | `data-transfer.privateAdmin` |
| Updating an endpoint in Yandex Cloud                                | `data-transfer.privateAdmin` |
| Deleting an endpoint in Yandex Cloud                                | `data-transfer.privateAdmin` |
| Creating a data transfer in Yandex Cloud                            | `data-transfer.privateAdmin` |
| Updating a data transfer in Yandex Cloud                            | `data-transfer.privateAdmin` |
| Activating a data transfer in Yandex Cloud                          | `data-transfer.privateAdmin` |
| Deactivating a data transfer in Yandex Cloud                        | `data-transfer.privateAdmin` |
| Deleting a data transfer in Yandex Cloud                            | `data-transfer.privateAdmin` |
| Creating an endpoint in or outside Yandex Cloud                     | `data-transfer.admin`        |
| Updating an endpoint in or outside Yandex Cloud                     | `data-transfer.admin`        |
| Deleting an endpoint in or outside Yandex Cloud                     | `data-transfer.admin`        |
| Creating a data transfer to Yandex Cloud or over the internet       | `data-transfer.admin`        |
| Updating a data transfer to Yandex Cloud or over the internet       | `data-transfer.admin`        |
| Activating a data transfer to Yandex Cloud or over the internet     | `data-transfer.admin`        |
| Deactivating a data transfer to Yandex Cloud or over the internet   | `data-transfer.admin`        |
| Deleting a data transfer to Yandex Cloud or over the internet       | `data-transfer.admin`        |
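As an added example (not part of the Yandex Cloud documentation or its code), the following Python script encodes the inheritance chain from the chart above and the required-roles table, computes the lowest service role that covers a planned set of actions, and flags a grant that is broader than needed. The action and scope names (`get-info`, `create`, `internal`, `external`, and so on) are assumptions chosen for this example, not API identifiers.

```python
from typing import Iterable, Optional

# Inheritance chain from the chart: each role includes its parent's permissions.
# Dict order is lowest role first, which minimal_role() relies on.
INHERITS: dict[str, Optional[str]] = {
    "data-transfer.auditor": None,
    "data-transfer.viewer": "data-transfer.auditor",
    "data-transfer.privateAdmin": "data-transfer.viewer",
    "data-transfer.admin": "data-transfer.privateAdmin",
}


def effective_roles(role: str) -> set[str]:
    """Return the role plus every role it inherits (transitive closure)."""
    roles: set[str] = set()
    current: Optional[str] = role
    while current is not None:
        if current not in INHERITS:
            raise ValueError(f"unknown role: {current}")
        roles.add(current)
        current = INHERITS[current]
    return roles


def required_role(action: str, scope: str = "internal") -> str:
    """Minimum service role for one action, condensed from the required-roles table.

    scope is "internal" (within Yandex Cloud networks) or "external" (endpoints
    outside Yandex Cloud / transfers over the internet). Names are assumptions.
    """
    if scope not in ("internal", "external"):
        raise ValueError(f"unknown scope: {scope}")
    if action in ("get-metadata", "get-info", "get-quotas"):
        return "data-transfer.viewer"
    if action in ("create", "update", "delete", "activate", "deactivate"):
        return "data-transfer.privateAdmin" if scope == "internal" else "data-transfer.admin"
    raise ValueError(f"unknown action: {action}")


def minimal_role(actions: Iterable[tuple[str, str]]) -> str:
    """Lowest role in the chain whose effective permissions cover every action."""
    needed = {required_role(action, scope) for action, scope in actions}
    for role in INHERITS:
        if needed <= effective_roles(role):
            return role
    raise AssertionError("unreachable: data-transfer.admin covers every action")


def audit_grant(granted: str, actions: Iterable[tuple[str, str]]) -> str:
    """Classify an existing grant as insufficient, least-privilege, or over-privileged."""
    needed = minimal_role(actions)
    if needed not in effective_roles(granted):
        return "insufficient"
    return "least-privilege" if granted == needed else "over-privileged"
```

A result of `over-privileged` is the case to review first: a transfer that only moves data inside Yandex Cloud networks does not need `data-transfer.admin`, which also permits endpoints outside the cloud.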

## What's next {#whats-next}

* [How to assign a role](../../iam/operations/roles/grant.md).
* [How to revoke a role](../../iam/operations/roles/revoke.md).
* [Learn more about access management in Yandex Cloud](../../iam/concepts/access-control/index.md).
* [Learn more about role inheritance](../../resource-manager/concepts/resources-hierarchy.md#access-rights-inheritance).