# Roles

{% note info %}

Even if a [role](roles.md) allows an [operation](../../../api-design-guide/concepts/about-async.md) on resources of Yandex Cloud [services](../../../overview/concepts/services.md), the operation may still be blocked if the [organization](../../../organization/concepts/organization.md), [cloud](../../../resource-manager/concepts/resources-hierarchy.md#cloud), or [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) is subject to an [access policy](access-policies.md) that prohibits it.

{% endnote %}

A _role_ is a set of permissions to perform operations with resources in Yandex Cloud.

There are two types of roles:
* _Primitive roles_ contain permissions that apply to all types of Yandex Cloud resources. These are roles such as `admin`, `editor`, `viewer`, and `auditor`.
* _Service roles_ contain permissions only for a specific type of resource in a particular service. The service role ID is specified in `service.resources.role` format. For example, the `compute.images.user` role allows you to use images in Yandex Compute Cloud.

  A service role can be assigned either on the resource it is intended for or on a resource from which that resource inherits permissions. For example, you can assign the `compute.images.user` role for a folder or cloud, because images inherit permissions from them.
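
The role types and inheritance described above, modeled as an added example for access reviews (this is not Yandex Cloud code or an API client). The resource IDs, subjects, bindings and function names are constructed for illustration; the example assumes the hierarchy image, folder, cloud, organization.

```python
from dataclasses import dataclass

PRIMITIVE_ROLES = {"admin", "editor", "viewer", "auditor"}  # as listed on this page

# Constructed hierarchy: child -> parent (image -> folder -> cloud -> organization).
PARENT = {"image-1": "folder-a", "folder-a": "cloud-1", "cloud-1": "org-1"}

# Constructed access bindings: (resource the role is assigned on, subject, role ID).
BINDINGS = [
    ("org-1", "user-alice", "auditor"),
    ("cloud-1", "user-bob", "editor"),
    ("folder-a", "sa-builder", "compute.images.user"),
    ("image-1", "user-carol", "compute.images.user"),
]

@dataclass(frozen=True)
class Role:
    role_id: str
    kind: str       # "primitive" or "service"
    service: str    # empty for primitive roles
    resources: str  # empty for primitive roles and for IDs without a middle segment
    name: str

def parse_role(role_id):
    """Classify a role ID as primitive or as a service.resources.role service role."""
    if role_id in PRIMITIVE_ROLES:
        return Role(role_id, "primitive", "", "", role_id)
    parts = role_id.split(".")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a primitive role or service role ID: {role_id!r}")
    return Role(role_id, "service", parts[0], ".".join(parts[1:-1]), parts[-1])

def effective_bindings(resource):
    """Bindings that apply to `resource`: direct ones plus those inherited from ancestors."""
    chain, node = [], resource
    while node is not None:
        chain.append(node)
        node = PARENT.get(node)
    return [(subj, parse_role(rid), src) for src, subj, rid in BINDINGS if src in chain]

def inherited_primitive(resource):
    """Subjects that reach `resource` through a primitive role assigned higher up."""
    return sorted((subj, role.role_id, src)
                  for subj, role, src in effective_bindings(resource)
                  if role.kind == "primitive" and src != resource)
```

Running `inherited_primitive("image-1")` on the constructed data shows that the `auditor` and `editor` assignments made on the organization and cloud also apply to the image, which is the kind of broad grant a least-privilege review should look at first.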

Currently, users are not allowed to create new roles with a custom set of permissions.

## Role reference {#roles-reference}

{% note info "" %}

Starting February 14, 2024, you can find the extended list of roles for all Yandex Cloud services in the [Yandex Cloud role reference](../../roles-reference.md).

{% endnote %}

## Use cases {#examples}

* [Access control for user groups with different roles in Yandex Identity Hub](../../tutorials/user-group-access-control.md)
* [Using a service account with an OS Login profile for VM management via Ansible](../../tutorials/sa-oslogin-ansible.md)