[Yandex Cloud documentation](../../index.md) > [Yandex Cloud DNS](../index.md) > Access management

# Access management in Cloud DNS

In this section, you will learn about the following:
* [Resources you can assign a role for](#resources).
* [Roles this service has](#roles-list).
* [Roles required](#required-roles) for specific actions.

## Access management {#about-access-control}

[Yandex Identity and Access Management](../../iam/index.md) checks all operations in Yandex Cloud. If an entity does not have required permissions, IAM returns an error.


To grant permissions for a resource, [assign](../../iam/operations/roles/grant.md) the relevant resource roles to an entity performing operations. You can assign roles to a [Yandex account](../../iam/concepts/users/accounts.md#passport), [service account](../../iam/concepts/users/service-accounts.md), [local user](../../iam/concepts/users/accounts.md#local), [federated user](../../iam/concepts/federations.md), [user group](../../organization/operations/manage-groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md). For more information, see [How access management works in Yandex Cloud](../../iam/concepts/access-control/index.md).

To assign a role for a resource, you need the `dns.admin` role or one of the following roles for that resource:

* `admin`
* `resource-manager.admin`
* `organization-manager.admin`
* `resource-manager.clouds.owner`
* `organization-manager.organizations.owner`

## Resources you can assign a role for {#resources}

You can assign a role to an [organization](../../organization/concepts/organization.md), [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [folder](../../resource-manager/concepts/resources-hierarchy.md#folder). The roles assigned to organizations, clouds, and folders also apply to their nested resources.

To assign a role for a [DNS zone](../concepts/dns-zone.md), use the Yandex Cloud [CLI](../../cli/cli-ref/dns/cli-ref/zone/add-access-binding.md), [API](../api-ref/authentication.md), or [Terraform](../../terraform/resources/dns_zone_iam_binding.md).

## Roles available in the service {#roles-list}

The chart below shows service’s roles and their permission inheritance. For example, `editor` inherits all `viewer` permissions. You can find role descriptions below the chart.

```mermaid
flowchart BT
    dns.auditor --> dns.viewer
    dns.auditor --> dns.firewallUser
    dns.firewallUser --> dns.firewallEditor
    dns.firewallEditor --> dns.admin
    dns.viewer --> dns.editor
    dns.editor --> dns.admin
```

### Service roles {#service-roles}

#### dns.auditor {#dns-auditor}

The `dns.auditor` role enables viewing info on [DNS zones](../concepts/dns-zone.md) and [access permissions](../../iam/concepts/access-control/index.md) assigned to them, as well as on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) and Cloud DNS [quotas](../concepts/limits.md#cloud-dns-quotas). This role does not provide access to [resource records](../concepts/resource-record.md).

#### dns.viewer {#dns-viewer}

The `dns.viewer` role enables viewing info on [DNS zones](../concepts/dns-zone.md) and [access permissions](../../iam/concepts/access-control/index.md) assigned to them, as well as on the [resource records](../concepts/resource-record.md), the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder), and Cloud DNS [quotas](../concepts/limits.md#cloud-dns-quotas).

This role includes the `dns.auditor` permissions.

#### dns.editor {#dns-editor}

The `dns.editor` role enables managing DNS zones and resource records, as well as viewing info on the relevant folder and Cloud DNS quotas.

Users with this role can:
* View information on [DNS zones](../concepts/dns-zone.md) as well as create, use, modify, and delete them.
* View information on [resource records](../concepts/resource-record.md) as well as create, modify, and delete them.
* Create nested public DNS zones.
* View information on [access permissions](../../iam/concepts/access-control/index.md) assigned for DNS zones.
* View information on Cloud DNS [quotas](../concepts/limits.md#cloud-dns-quotas).
* View information on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `dns.viewer` permissions.

#### dns.firewallUser {#dns-firewallUser}

The `dns.firewallUser` role enables using clouds, folders, and cloud networks as resources for DNS firewalls, as well as viewing info on Cloud DNS resources and quotas.

Users with this role can:
* View info on DNS firewalls and [access permissions](../../iam/concepts/access-control/index.md) granted for them.
* Use [clouds](../../resource-manager/concepts/resources-hierarchy.md#cloud), [folders](../../resource-manager/concepts/resources-hierarchy.md#folder), and [cloud networks](../../vpc/concepts/network.md#network) as resources for DNS firewalls.
* View info on [DNS zones](../concepts/dns-zone.md) and access permissions granted for them.
* View info on Cloud DNS [quotas](../concepts/limits.md#cloud-dns-quotas).
* View info on the relevant folder.

This role includes the `dns.auditor` permissions.

#### dns.firewallEditor {#dns-firewallEditor}

The `dns.firewallEditor` role enables managing DNS firewalls and using clouds, folders, and cloud networks as resources for them.

Users with this role can:
* View info on DNS firewalls and [access permissions](../../iam/concepts/access-control/index.md) granted for them.
* Create, modify, and delete DNS firewalls.
* Use [clouds](../../resource-manager/concepts/resources-hierarchy.md#cloud), [folders](../../resource-manager/concepts/resources-hierarchy.md#folder), and [cloud networks](../../vpc/concepts/network.md#network) as resources for DNS firewalls.
* View info on [DNS zones](../concepts/dns-zone.md) and access permissions granted for them.
* View info on Cloud DNS [quotas](../concepts/limits.md#cloud-dns-quotas).
* View info on the relevant folder.

This role includes the `dns.firewallUser` permissions.

#### dns.admin {#dns-admin}

The `dns.admin` role enables managing Cloud DNS resources and access to them.

Users with this role can:
* View info on [access permissions](../../iam/concepts/access-control/index.md) granted for [DNS zones](../concepts/dns-zone.md) and DNS firewalls, as well as modify such permissions.
* View info on DNS zones, as well as create, use, modify, and delete them.
* Create nested public DNS zones.
* View info on DNS firewalls, as well as create, modify, and delete them.
* Use [clouds](../../resource-manager/concepts/resources-hierarchy.md#cloud), [folders](../../resource-manager/concepts/resources-hierarchy.md#folder), and [cloud networks](../../vpc/concepts/network.md#network) as resources for DNS firewalls.
* View info on [resource records](../concepts/resource-record.md), as well as create, modify, and delete them.
* View info on Cloud DNS [quotas](../concepts/limits.md#cloud-dns-quotas).
* View info on the relevant folder.

This role includes the `dns.editor` and `dns.firewallEditor` permissions.

### Primitive roles {#primitive-roles}

Primitive roles allow users to perform actions in all Yandex Cloud [services](../../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:
* View info on a [resource](../../resource-manager/concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the most secure role that does not grant any access to the [service](../../overview/concepts/services.md) data. This role suits the users who need minimum access to the Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants the permissions to read the info on any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Prior to assigning the `admin` role for an organization, [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), make sure to check out the information on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the [least privilege principle](../../security/standard/all.md#min-privileges).

For more information on primitive roles, see the [Yandex Cloud role reference](../../iam/roles-reference.md#primitive-roles).

## Required roles {#required-roles}

The table below lists the roles required for specific actions. You can always assign a role with more permissions. For example, you can assign the `editor` role instead of `viewer`, or `dns.admin` instead of `dns.editor`.

| Action                                                                                                                                            |                              Methods                               | Required roles                                                                                                                                                                            |
|:----------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------:|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Viewing metadata**                                                                                                                         |                                                                   |                                                                                                                                                                                             |
| Viewing information about DNS zones                                                                                                                     |                           `get`, `list`                           | `dns.auditor` for the resource                                                                                                                                                                |
| **Viewing data**                                                                                                                             |                                                                   |                                                                                                                                                                                             |
| Viewing information about DNS zones and their resource records                                                                                           |                  `get`, `list`, `listRecordSets`                  | `viewer` or `dns.viewer` for the resource                                                                                                                                                    |
| **Managing DNS zones**                                                                                                                           |                                                                   |                                                                                                                                                                                             |
| Creating a zone                                                                                                                                       |                             `create`                              | `editor` or `dns.editor` for the folder, as well as `vpc.user` for this folder or VPC network if your DNS zone is private.                                                                |
| Updating and deleting zones                                                                                                                             |                        `update`, `delete`                         | `editor` or `dns.editor` for the folder, as well as `vpc.user` for this folder or VPC network if your DNS zone is private.                                                                |
| Creating subzones                                                                                                                                     |                             `create`                              | `editor` or `dns.editor` for the folder hosting the zone to include the new subzones, as well as `vpc.user` for this folder or VPC network if your DNS zone is private. |
| **Managing resource records**                                                                                                                  |                                                                   |                                                                                                                                                                            |
| Creating resource records in a DNS zone                                                                                                               |                             `create`                              | `editor` or `dns.editor` for the folder or zone                                                                                                                              |
| Updating and deleting resource records                                                                                                               |                        `update`, `delete`                         | `editor` or `dns.editor`                                                                                                                                                  |
| **Managing access to DNS zones**                                                                                                                 |                                                                   |                                                                                                                                                                            |
| [Granting](../../iam/operations/roles/grant.md), [revoking](../../iam/operations/roles/revoke.md), and viewing roles for a DNS zone | `setAccessBindings`, `updateAccessBindings`, `listAccessBindings` | `admin` or `dns.admin` for the folder or zone                                                                                                                                |

To restrict user access, assign roles for specific zones or subzones.


#### What's next {#next}

* [How to assign a role](../../iam/operations/roles/grant.md).
* [How to revoke a role](../../iam/operations/roles/revoke.md).
* [Learn more about access management in Yandex Cloud](../../iam/concepts/access-control/index.md).
* [Learn more about role inheritance](../../resource-manager/concepts/resources-hierarchy.md#access-rights-inheritance).