[Yandex Cloud documentation](../../index.md) > [Yandex DataSphere](../index.md) > Access management

# Access management in DataSphere

Access to Yandex DataSphere is controlled by assigning permissions within an organization. Organizations are managed using [Yandex Identity Hub](../../organization/index.md).

The operations available to DataSphere users are determined by their roles. You can assign roles to a Yandex account, [service account](../../iam/concepts/users/service-accounts.md), [federated](../../iam/concepts/users/accounts.md#saml-federation) or [local](../../iam/concepts/users/accounts.md#local) users, [user group](../../organization/operations/manage-groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md). For more information about access management in Yandex Cloud, see [How access management works in Yandex Cloud](../../iam/concepts/access-control/index.md).

## Resources you can assign a role for {#resources}

Access control is implemented at the [community](../concepts/community.md) and [project](../concepts/project.md) level. You can also make resources available to all community users by [publishing](../operations/index.md#share) them in the community. The access permissions you grant apply to the whole hierarchy of resources. For example, if you assign a role for a DataSphere project to a user, all permissions will also apply to resources within that project. Learn more about [relationships between DataSphere resources](../concepts/resource-model.md).

## How to assign a role {#grant-role}

You can assign a role to a user in the DataSphere interface:
* [Adding a user to a community](../operations/community/add-user.md).
* [Adding a user to a project](../operations/projects/add-user.md).
* [Share resources with community members](../operations/index.md#share).

You can also grant access permissions through the [Yandex Identity Hub interface in Cloud Center](https://center.yandex.cloud/organization) using [Terraform](../../terraform/index.md) and the [Yandex Cloud API](../api-ref/authentication.md).

## Roles this service has {#roles-list}

```mermaid
flowchart BT
    datasphere.community-projects.viewer --> datasphere.community-projects.developer
    datasphere.community-projects.developer --> datasphere.community-projects.editor
    datasphere.community-projects.editor --> datasphere.community-projects.admin
    datasphere.community-projects.viewer --> datasphere.communities.viewer
    datasphere.communities.viewer --> datasphere.communities.developer
    datasphere.communities.developer --> datasphere.communities.editor
    datasphere.community-projects.editor --> datasphere.communities.editor
    datasphere.communities.editor --> datasphere.communities.admin
    datasphere.community-projects.admin --> datasphere.communities.admin
```

### Service roles {#service-roles}

#### datasphere.community-projects.viewer {#datasphere-communityprojects-viewer}

The `datasphere.community-projects.viewer` role allows you to view information on [projects](../concepts/project.md), project settings, and project [resources](../concepts/resources.md), as well as on granted [access permissions](../../iam/concepts/access-control/index.md) for these projects.

In the DataSphere interface, users with the `datasphere.community-projects.viewer` role have the `Viewer` role in the **Members** tab on the community page.

#### datasphere.community-projects.developer {#datasphere-communityprojects-developer}

The `datasphere.community-projects.developer` role allows you to work in projects and manage project resources.

Users with this role can:
* View info on [projects](../concepts/project.md), project settings, and project [resources](../concepts/resources.md).
* Create, modify, and delete resources within projects.
* Run IDEs and code cells in projects.
* View info on granted [access permissions](../../iam/concepts/access-control/index.md) for projects.

This role includes the `datasphere.community-projects.viewer` permissions.

In the DataSphere interface, users with the `datasphere.community-projects.developer` role have the `Developer` role in the **Members** tab on the community page.

#### datasphere.community-projects.editor {#datasphere-communityprojects-editor}

The `datasphere.community-projects.editor` role allows you to work in projects, modify and delete them, as well as manage project resources and share them within the community.

Users with this role can:
* View info on [projects](../concepts/project.md), project settings, and project resources, as well as modify and delete projects.
* Create, modify, and delete [resources](../concepts/resources.md) within projects, as well as share the relevant project resources with the communities where the user has the `Developer` permissions (the `datasphere.communities.developer` role or higher).
* Run IDEs and code cells in projects.
* View info on granted [access permissions](../../iam/concepts/access-control/index.md) for projects.

This role includes the `datasphere.community-projects.developer` permissions.

In the DataSphere interface, users with the `datasphere.community-projects.editor` role have the `Editor` role in the **Members** tab on the community page.

#### datasphere.community-projects.admin {#datasphere-communityprojects-admin}

The `datasphere.community-projects.admin` role allows you to manage access to projects, work in them, modify and delete them, as well as manage project resources and share them within the community.

Users with this role can:
* View info on granted [access permissions](../../iam/concepts/access-control/index.md) for projects and modify access permissions.
* View info on [projects](../concepts/project.md), project settings, and project resources, as well as modify and delete projects.
* Create, modify, and delete [resources](../concepts/resources.md) within projects, as well as share the relevant project resources with the communities where the user has the `Developer` role (`datasphere.communities.developer`) or higher.
* Run IDEs and code cells in projects.

This role includes the `datasphere.community-projects.editor` permissions.

In the DataSphere interface, users with the `datasphere.community-projects.admin` role have the `Admin` role in the **Members** tab on the community page.

#### datasphere.communities.viewer {#datasphere-communities-viewer}

The `datasphere.communities.viewer` role allows you to view information on communities and projects, as well as on granted access permissions for them.

Users with this role can:
* View info on [communities](../concepts/community.md) and granted [access permissions](../../iam/concepts/access-control/index.md) for them.
* View info on community [projects](../concepts/project.md), project settings, and project [resources](../concepts/resources.md), as well as on granted access permissions for these projects.
* View info on the relevant [organization](../../organization/concepts/organization.md).

This role includes the `datasphere.community-projects.viewer` permissions.

In the DataSphere interface, users with the `datasphere.communities.viewer` role have the `Viewer` role in the **Members** tab on the community page.

#### datasphere.communities.developer {#datasphere-communities-developer}

The `datasphere.communities.developer` role allows you to create new projects and publish project resources in communities, as well as view information on communities and projects.

Users with this role can:
* View info on [communities](../concepts/community.md) and granted [access permissions](../../iam/concepts/access-control/index.md) for them.
* Create new [projects](../concepts/project.md) in communities.
* Publish project [resources](../concepts/resources.md) in the communities where the user has the `Developer` permissions (the `datasphere.communities.developer` role) or higher.
* View info on projects, project settings, and project resources, as well as on granted access permissions for these projects.
* View info on the relevant [organization](../../organization/concepts/organization.md).

This role includes the `datasphere.communities.viewer` permissions.

In the DataSphere interface, users with the `datasphere.communities.developer` role have the `Developer` role in the **Members** tab on the community page.

#### datasphere.communities.editor {#datasphere-communities-editor}

The `datasphere.communities.editor` role allows you to link a billing account to communities, delete communities, and edit community settings, as well as manage community projects and resources.

Users with this role can:
* View info on [communities](../concepts/community.md) and granted [access permissions](../../iam/concepts/access-control/index.md) for them, as well as modify and delete communities.
* Link a [billing account](../../billing/concepts/billing-account.md) to communities.
* Create new [projects](../concepts/project.md) in communities, as well as modify and delete projects.
* View info on projects, project settings, and project resources, as well as on granted access permissions for these projects.
* Create, modify, and delete [resources](../concepts/resources.md) within projects, as well as publish project resources in the communities where the user has the `Developer` permissions (the `datasphere.communities.developer` role) or higher.
* Run IDEs and code cells in projects.
* View info on the relevant [organization](../../organization/concepts/organization.md).

This role includes the `datasphere.communities.developer` and `datasphere.community-projects.editor` permissions.

In the DataSphere interface, users with the `datasphere.communities.editor` role have the `Editor` role in the **Members** tab on the community page.

#### datasphere.communities.admin {#datasphere-communities-admin}

The `datasphere.communities.admin` role allows you to manage communities and community projects, as well as access to them.

Users with this role can:
* View info on [communities](../concepts/community.md), as well as modify and delete communities.
* View info on granted [access permissions](../../iam/concepts/access-control/index.md) for communities and modify access permissions.
* Link a [billing account](../../billing/concepts/billing-account.md) to communities.
* Create new [projects](../concepts/project.md) in communities, as well as modify and delete projects.
* View info on projects, project settings, and project resources.
* View info on granted access permissions for projects and modify access permissions.
* Create, modify, and delete [resources](../concepts/resources.md) within projects, as well as publish project resources in the communities where the user has the `Developer` permissions (the `datasphere.communities.developer` role or higher).
* Run IDEs and code cells in projects.
* View info on the relevant [organization](../../organization/concepts/organization.md).

This role includes the `datasphere.communities.editor` and `datasphere.community-projects.admin` permissions.

In the DataSphere interface, users with the `datasphere.communities.admin` role have the `Admin` role in the **Members** tab on the community page.

> For example, Julia works with multiple teams and belongs to their communities with different access permissions:
  
  * In the <q>Cat lovers</q> community: `Admin` (the `datasphere.communities.admin` role).
  * In the <q>Counting fences</q> community: `Developer` (the `datasphere.communities.developer` role).
  * In the <q>Top secret</q> community: `Viewer` (the `datasphere.communities.viewer` role), but with the `Editor` permissions in <q>Project_111</q> of this community (the `datasphere.community-projects.editor` role).
  
  Julia can:
  
  * Share the resources of any <q>Cat lovers</q> community's project within this community.
  * Share the resources of any <q>Cat lovers</q> community's project in the <q>Counting fences</q> community.
  * Publish the <q>Project_111</q> resources in the <q>Cat lovers</q> and <q>Counting fences</q> communities, but cannot share them in the <q>Top secret</q> community.

### Primitive roles {#primitive-roles}

Primitive roles allow users to perform actions in all Yandex Cloud [services](../../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:
* View info on a [resource](../../resource-manager/concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the most secure role that does not grant any access to the [service](../../overview/concepts/services.md) data. This role suits the users who need minimum access to the Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants the permissions to read the info on any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Prior to assigning the `admin` role for an organization, [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), make sure to check out the information on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the [least privilege principle](../../security/standard/all.md#min-privileges).

For more information on primitive roles, see the [Yandex Cloud role reference](../../iam/roles-reference.md#primitive-roles).

## Required roles {#choosing-roles}

The table below lists the roles required for specific actions. You can always assign a role with more permissions, e.g., `Editor` instead of `Viewer`.

#|
|| **Action** | **Required roles** ||
|| **Viewing data** ||
|| Viewing a project, its settings, and users | `Viewer` for a project ||
|| Viewing a project, its settings, and users | `Viewer` for a community ||
|| **Project management** ||
|| [Creating a project](../operations/projects/create.md) | `Developer` for a community ||
|| Running the IDE | `Developer` for a project ||
|| Using resources | `Developer` for a project ||
|| Creating resources | `Developer` for a project ||
|| Deleting resources | `Developer` for a project ||
|| Publishing resources in a community | `Editor` for a project and `Developer` for a community ||
|| [Editing project settings](../operations/projects/update.md) | `Editor` for a project ||
|| [Deleting a project](../operations/projects/delete.md) | `Editor` for a project ||
|| [Granting a role](#grant-role) in a project | `Admin` for a project ||
|| **Community management** ||
|| Editing community settings | `Editor` for a community ||
|| [Linking a billing account](../operations/community/link-ba.md) | `Editor` for a community and `billing.accounts.editor` for a billing account ||
|| [Deleting a community](../operations/community/delete.md) | `Editor` for a community ||
|| [Granting a role](#grant-role) in a community | `Admin` for a community ||
|#

#### Useful links {#see-also}

* [Yandex Identity Hub](../../organization/index.md)
* [How access management works in Yandex Cloud](../../iam/concepts/access-control/index.md)
* [Service accounts](../../iam/concepts/users/service-accounts.md)
* [Learn more about role inheritance](../../resource-manager/concepts/resources-hierarchy.md#access-rights-inheritance)