[Yandex Cloud documentation](../../index.md) > [Yandex DataLens](../index.md) > [Access management](index.md) > DataLens roles

# Yandex DataLens roles


There are two types of roles in DataLens:

* For service access: These roles are assigned to an [organization](../concepts/organizations.md) and grant access to DataLens.
* For [workbooks and collections](../workbooks-collections/index.md): These roles define the access level to each workbook or collection. They apply to users who [switched to workbooks and collections](../workbooks-collections/index.md#enable-workbooks) to store their objects in DataLens.

## Roles required to access the service {#service-roles}

To grant a user access to DataLens, [assign](../../organization/security/index.md#add-role) them a role. You can assign roles to a Yandex account, [service account](../../iam/concepts/users/service-accounts.md), [federated](../../iam/concepts/users/accounts.md#saml-federation) or [local](../../iam/concepts/users/accounts.md#local) users, [user group](../../organization/operations/manage-groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md).

{% list tabs group=datalens_roles %}

- After switching to workbooks and collections {#after-workbooks-collections}

  #### datalens.visitor {#datalens-visitor}

  The `datalens.visitor` role grants access to DataLens. You can view and edit [workbooks and collections](../workbooks-collections/index.md) if you have the appropriate [roles](#workbooks-collections-roles) that grant access to these workbooks and collections.

  #### datalens.creator {#datalens-creator}

  The `datalens.creator` role grants access to DataLens with a permission to create [workbooks and collections](../workbooks-collections/index.md) in the DataLens root. You can view and edit workbooks and collections created by other users only if you have [access permissions](#workbooks-collections-roles) to these workbooks and collections.
  
  This role includes the `datalens.visitor` permissions.

  #### datalens.admin {#datalens-admin}

  The `datalens.admin` role grants full access to DataLens and any of its [workbooks and collections](../workbooks-collections/index.md).
  
  This role includes the `datalens.creator` and `datalens.metaReader` permissions.

- Before switching to workbooks and collections {#before-workbooks-collections}

  #### datalens.instances.user {#datalens-instances-user}

  The `datalens.instances.user` role grants access to DataLens as a user with permissions to create, read, and edit objects according to the permissions to [objects](../concepts/index.md#component-interrelation) and allows to view information on organization [folders](../../resource-manager/concepts/resources-hierarchy.md#folder).
  
  After you assign a service role, you can grant the user permissions to objects and directories in DataLens.
  
  {% note tip %}
  
  We recommend using the `datalens.creator` role instead of the `datalens.instances.user` one. The two roles grant identical permissions, but using `datalens.creator` is safer, because it only allows access to the DataLens instance, and disallows viewing all organization folders.
  
  {% endnote %}

  #### datalens.instances.admin {#datalens-instances-admin}

  The `datalens.instances.admin` role allows you to access DataLens as a DataLens instance administrator. Administrators have full access to all [objects](../concepts/index.md#component-interrelation) and folders in DataLens, as well as to DataLens settings. The role also allows you to view information on organization [folders](../../resource-manager/concepts/resources-hierarchy.md#folder).
  
  This role includes the `datalens.instances.user` permissions.
  
  {% note tip %}
  
  We recommend using the `datalens.admin` role instead of the `datalens.instances.admin` one. The two roles grant identical permissions, but using `datalens.admin` is safer, because it only allows access to the DataLens instance, and disallows viewing all organization folders.
  
  {% endnote %}

{% endlist %}

## Roles to work with API {#api-roles}

#### datalens.metaReader {#datalens-metaReader}

The `datalens.metaReader` role enables executing requests from the [Audit](https://api.datalens.tech/#/Audit) section in the [DataLens Public API](../operations/api-start.md), as well as requests to get DataLens entities.

You can get the following entities:

* Connection: `getConnection` [method](https://api.datalens.tech/#/Connection/post_rpc_getConnection)
* Dataset: `getDataset` [method](https://api.datalens.tech/#/Dataset/post_rpc_getDataset)
* Wizard chart: `getWizardChart` [method](https://api.datalens.tech/#/Wizard/post_rpc_getWizardChart)
* Editor chart: `getEditorChart` [method](https://api.datalens.tech/#/Editor/post_rpc_getEditorChart)
* QL chart: `getQLChart` [method](https://api.datalens.tech/#/QL/post_rpc_getQLChart)
* Dashboard: `getDashboard` [method](https://api.datalens.tech/#/Dashboard/post_rpc_getDashboard)
* Report: `getReport` [method](https://api.datalens.tech/#/Reports/post_rpc_getReport)

{% note warning %}

Getting entities will only work if the request includes the `x-dl-audit-mode` heading with the `true` value.

{% endnote %}

## Roles for workbooks, collections, and shared objects {#workbooks-collections-roles}

These roles are valid for users who adopted the new DataLens object layout: in [workbooks and collections](../workbooks-collections/index.md). Roles allow you to define the level of access a user or group of users has to each workbook, collection, or shared object.

### Roles for workbooks {#workbook-roles}

You can [assign](../workbooks-collections/workbooks-operations.md#wb-coll-grant) roles for workbooks to a user.

#### datalens.workbooks.limitedViewer {#datalens-workbooks-limitedViewer}

You can assign the `datalens.workbooks.limitedViewer` role to a [workbook](../workbooks-collections/index.md). With it, you can view all the workbook's nested [charts](../concepts/chart/index.md), [dashboards](../concepts/dashboard.md), and [reports](../reports/index.md), as well as info on the [access permissions](../../iam/concepts/access-control/index.md) granted for the workbook. In the DataLens UI, this role is referred to as `Limited viewer`. You may want to only assign this role through the DataLens UI.

#### datalens.workbooks.viewer {#datalens-workbooks-viewer}

You can assign the `datalens.workbooks.viewer` role to a [workbook](../workbooks-collections/index.md). With it, you can view all workbook's nested [objects](../concepts/index.md#component-interrelation) and the info on the [access permissions](../../iam/concepts/access-control/index.md) granted for such a workbook. In the DataLens UI, this role is referred to as `Viewer`. You may want to only assign this role through the DataLens UI.

This role includes the `datalens.workbooks.limitedViewer` permissions.

#### datalens.workbooks.editor {#datalens-workbooks-editor}

You can assign the `datalens.workbooks.editor` role to a workbook. With it, you can edit both the workbook and all its nested objects. In the DataLens UI, this role is referred to as `Editor`. You may want to only assign this role through the DataLens UI.

Users with this role can:
* Edit the relevant [workbook](../workbooks-collections/index.md) and create copies of it.
* View and edit all workbook's nested [objects](../concepts/index.md#component-interrelation).
* View info on the [access permissions](../../iam/concepts/access-control/index.md) granted for the workbook.

This role includes the `datalens.workbooks.viewer` permissions.

#### datalens.workbooks.admin {#datalens-workbooks-admin}

You can assign the `datalens.workbooks.admin` role to a workbook. With it, you can manage the relevant workbook and access to it, as well as all its nested objects. In the DataLens UI, this role is referred to as `Admin`. You may want to only assign this role through the DataLens UI.

Users with this role can:
* View info on the [access permissions](../../iam/concepts/access-control/index.md) granted for the relevant [workbook](../workbooks-collections/index.md) and modify such permissions.
* Edit, move, create copies of, and delete the relevant workbook.
* View and edit all workbook's nested [objects](../concepts/index.md#component-interrelation).
* [Embed](private-embedded-objects.md) the workbook's nested private objects to websites and apps.
* [Publish](../concepts/datalens-public.md#how-to-publish) the workbook's nested objects.

This role includes the `datalens.workbooks.editor` permissions.

{% note info %}

The workbook author automatically gets the `datalens.workbooks.admin` (`Admin`) role for the workbook as soon as it is created.

{% endnote %}

### Roles for collections {#collection-roles}

You can [assign](../workbooks-collections/collections-operations.md#wb-coll-grant) a user roles for collections.

#### datalens.collections.visitor {#datalens-collections-visitor}

The `datalens.collections.visitor` is assigned for a collection and enables viewing info on it without access to its nested objects. In the DataLens UI, this role is referred to as `Visitor of collection`. We recommend assigning this role only via the DataLens UI.

#### datalens.collections.limitedViewer {#datalens-collections-limitedViewer}

You can assign the `datalens.collections.limitedViewer` role to a collection. It allows you to view info on the collection and its nested collections and workbooks, which includes viewing charts, dashboards, and reports of the nested workbooks. In the DataLens UI, this role is referred to as `Limited viewer`. You may want to only assign this role through the DataLens UI.

Users with this role can:
* View info on the relevant collection and its nested [workbooks and collections](../workbooks-collections/index.md).
* View info on the [access permissions](../../iam/concepts/access-control/index.md) granted for the appropriate collection, as well as for its nested collections and workbooks.
* View [charts](../concepts/chart/index.md), [dashboards](../concepts/dashboard.md), and [reports](../reports/index.md) nested into the workbooks related to the appropriate collection and its nested collections.

This role includes the `datalens.workbooks.limitedViewer` permissions.

#### datalens.collections.viewer {#datalens-collections-viewer}

You can assign the `datalens.collections.viewer` role to a collection. It allows you to view the info on it and its nested collections and workbooks, as well as view all nested workbook objects. In the DataLens UI, this role is referred to as `Viewer`. You may want to only assign this role through the DataLens UI.

Users with this role can:
* View info on the relevant collection and its nested [workbooks and collections](../workbooks-collections/index.md).
* View info on the [access permissions](../../iam/concepts/access-control/index.md) granted for the appropriate collection, as well as for its nested collections and workbooks.
* View all nested [objects](../concepts/index.md#component-interrelation) of the workbooks related to the appropriate collection and its nested collections.

This role includes the `datalens.collections.limitedViewer` and `datalens.workbooks.viewer` permissions.

#### datalens.collections.limitedEntryBindingCreator {#datalens-collections-limitedEntryBindingCreator}

The `datalens.collections.limitedEntryBindingCreator` role is assigned for a collection and enables re-using common objects from it without delegation of access permissions. In the DataLens UI, this role is referred to as `Bindings without delegation`. We recommend assigning this role only via the DataLens UI.

This role includes the `datalens.sharedEntries.limitedEntryBindingCreator` permissions.

#### datalens.collections.entryBindingCreator {#datalens-collections-entryBindingCreator}

The `datalens.collections.entryBindingCreator` role is assigned for a collection and enables re-using common objects from it, both with and without delegation of access permissions. In the DataLens UI, this role is referred to as `Bindings with delegation`. We recommend assigning this role only via the DataLens UI.

This role includes the `datalens.sharedEntries.entryBindingCreator` permissions.

#### datalens.collections.creator {#datalens-collections-creator}

The `datalens.collections.creator` is assigned for a collection and enables viewing it as well as creating objects within it without access to any other objects residing within the collection. In the DataLens UI, this role is referred to as `Creator in collection`. We recommend assigning this role only via the DataLens UI.

This role includes the `datalens.collections.visitor` permissions.

#### datalens.collections.editor {#datalens-collections-editor}

The `datalens.collections.editor` role is assigned for a collection and enables editing it and all its nested collections, workbooks, and all objects within such workbooks. In the DataLens UI, this role is referred to as `Editor`. We recommend assigning this role only via the DataLens UI.

Users with this role can:
* View info on the relevant collection and its nested [collections and workbooks](../workbooks-collections/index.md).
* Edit the appropriate collection and all its nested collections and workbooks.
* Create copies of the appropriate collection's nested workbooks.
* Create new collections and workbooks within the relevant collection and all its nested ones.
* View and edit all nested [objects](../concepts/index.md#component-interrelation) of the workbooks pertaining to the appropriate collection and its nested collections.
* View info on the [access permissions](../../iam/concepts/access-control/index.md) granted for the appropriate collection, as well as for its nested collections and workbooks.

This role includes the `datalens.collections.viewer` and `datalens.workbooks.editor` permissions.

#### datalens.collections.admin {#datalens-collections-admin}

The `datalens.collections.admin` role is assigned for a collection and enables managing this collection and access to it, as well as all its nested collections, workbooks, and all objects within such workbooks. In the DataLens UI, this role is referred to as `Admin`. We recommend assigning this role only via the DataLens UI.

Users with this role can:
* View info on the [access permissions](../../iam/concepts/access-control/index.md) granted for the appropriate collection and for its nested [collections and workbooks](../workbooks-collections/index.md), as well as modify such access permissions.
* View info on the appropriate collection and its nested collections and workbooks.
* Edit the appropriate collection and all its nested collections and workbooks.
* Create copies of the appropriate collection's nested workbooks.
* Move and delete the relevant collection and all its nested collections and workbooks.
* Create new collections and workbooks within the relevant collection.
* View and edit all nested [objects](../concepts/index.md#component-interrelation) of the workbooks pertaining to the appropriate collection and its nested collections.
* [Embed](private-embedded-objects.md) private objects nested into workbooks related to the relevant collection and its nested ones, to websites and apps.
* [Publish](../concepts/datalens-public.md#how-to-publish) objects nested into the workbooks related to the appropriate collection and its nested collections.

This role includes the `datalens.collections.editor` and `datalens.workbooks.admin` permissions.

This role includes the `datalens.collections.editor` and `datalens.workbooks.admin` permissions.

{% note info %}

The role granted for a collection applies to all collections and their workbooks. The collection author automatically gets the `datalens.collections.admin` (`Admin`) role for the collection as soon as it is created.

{% endnote %}

### Roles for shared objects {#shared-entry-roles}

#### datalens.sharedEntries.limitedViewer {#datalens-sharedEntries-limitedViewer}

The `datalens.sharedEntries.limitedViewer` role is assigned for a common object and enables viewing its [charts](../concepts/chart/index.md) and the [dashboards](../concepts/dashboard.md) that use it, without direct access to the common object itself. In the DataLens UI, this role is referred to as `Limited viewer`. We recommend assigning this role only via the DataLens UI.

#### datalens.sharedEntries.viewer {#datalens-sharedEntries-viewer}

The `datalens.sharedEntries.viewer` role is assigned for a common object and enables viewing it and its access permissions. In the DataLens UI, this role is referred to as `Viewer`. We recommend assigning this role only via the DataLens UI.

This role includes the `datalens.sharedEntries.limitedViewer` permissions.

#### datalens.sharedEntries.limitedEntryBindingCreator {#datalens-sharedEntries-limitedEntryBindingCreator}

The `datalens.sharedEntries.limitedEntryBindingCreator` role is assigned for a common object and enables re-using it in workbooks without delegation of access permissions. In the DataLens UI, this role is referred to as `Bindings without delegation`. We recommend assigning this role only via the DataLens UI.

#### datalens.sharedEntries.entryBindingCreator {#datalens-sharedEntries-entryBindingCreator}

The `datalens.sharedEntries.entryBindingCreator` role is assigned for a common object and enables re-using it in workbooks, both with and without delegation of access permissions. In the DataLens UI, this role is referred to as `Bindings with delegation`. We recommend assigning this role only via the DataLens UI.

This role includes the `datalens.sharedEntries.limitedEntryBindingCreator` permissions.

#### datalens.sharedEntries.editor {#datalens-sharedEntries-editor}

The `datalens.sharedEntries.editor` role is assigned for a common object and enables editing and viewing it, as well as viewing its access permissions. In the DataLens UI, this role is referred to as `Editor`. We recommend assigning this role only via the DataLens UI.

This role includes the `datalens.sharedEntries.viewer` permissions.

#### datalens.sharedEntries.admin {#datalens-sharedEntries-admin}

The `datalens.sharedEntries.admin` role is assigned for a common object and enables viewing it and entirely managing it, including editing, moving, deleting, and configuring its access permissions. In the DataLens UI, this role is referred to as `Admin`. We recommend assigning this role only via the DataLens UI.

This role includes the `datalens.sharedEntries.editor` and `datalens.sharedEntries.entryBindingCreator` permissions.