[Yandex Cloud documentation](../../../index.md) > [Yandex Identity and Access Management](../../index.md) > [Step-by-step guides](../index.md) > Roles > Viewing assigned roles

# Viewing assigned roles

To view the permissions granted to an account for a resource, retrieve the list of roles assigned for the resource and its parent resources. Assigned roles will be [inherited](../../concepts/access-control/index.md#inheritance) by child resources from their parent resources. For example, if you want to find out what permissions an account has for the folder, look at the roles:

1. For that folder.
1. For the cloud that the folder belongs to.
1. For the organization that the cloud belongs to.

You can view a list of inherited roles for the folder or the cloud in the management console, in the **Access bindings** section of the folder or cloud.

[Learn](../../concepts/access-control/resources-with-access-control.md) which resources you can assign a role for.

{% note info %}

Even if an [operation](../../../api-design-guide/concepts/about-async.md) with resources pertaining to Yandex Cloud [services](../../../overview/concepts/services.md) is allowed by a [role](../../concepts/access-control/roles.md), it may still be blocked if the [organization](../../../organization/concepts/organization.md), [cloud](../../../resource-manager/concepts/resources-hierarchy.md#cloud), or [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) is subject to an [access policy](../../concepts/access-control/access-policies.md) prohibiting this operation.

{% endnote %}

To view assigned roles:

{% list tabs group=instructions %}

- Management console {#console}

  To view the roles of a [Yandex account user](../../concepts/users/accounts.md#passport), [federated user](../../concepts/users/accounts.md#saml-federation), [local user](../../concepts/users/accounts.md#local), or [service account](../../concepts/users/service-accounts.md) for a cloud:

    1. In the [management console](https://console.yandex.cloud), click ![image](../../../_assets/console-icons/layout-side-content-left.svg) or ![image](../../../_assets/console-icons/chevron-down.svg) in the top panel and select the cloud.
    1. Navigate to the **Access bindings** tab.
    1. Find the required user in the list. Assigned roles are specified in the **Roles** column.

  To view the roles of a [service account](../../concepts/users/service-accounts.md) for a folder and its child resources:

  1. In the [management console](https://console.yandex.cloud), click ![image](../../../_assets/console-icons/layout-side-content-left.svg) or ![image](../../../_assets/console-icons/chevron-down.svg) in the top panel and select the folder the service account belongs to.
  1. In the list of services, select **Identity and Access Management**.
  1. In the left-hand panel, select ![FaceRobot](../../../_assets/console-icons/face-robot.svg) **Service accounts**.
  1. The service account roles are listed in the **Roles in folder** field.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  1. Get your account ID:
      1. [Guide](../sa/get-id.md) for service accounts.
      1. [Guide](../../../organization/operations/users-get.md) for Yandex account users, federated users, and local users.
  1. Get the resource ID or name.
  1. View the roles assigned for a resource:
     
     ```bash
     yc <service_name> <resource_category> list-access-bindings <resource_name_or_ID>
     ```
     
     Where:
     
     * `<service_name>`: Name of the service the resource belongs to, e.g., `resource-manager`.
     * `<resource_category>`: Resource category, e.g., `folder`.
     * `<resource_name_or_ID>`: Resource name or ID. You can specify a resource by its name or ID.
     
     For example, you can view the roles and the assignees for the `default` folder:
     
     ```bash
     yc resource-manager folder list-access-bindings default
     ```
     
     Result:
     
     ```text
     +---------------------+----------------+----------------------+
     |       ROLE ID       |  SUBJECT TYPE  |      SUBJECT ID      |
     +---------------------+----------------+----------------------+
     | editor              | serviceAccount | ajepg0mjas06******** |
     | viewer              | userAccount    | aje6o61dvog2******** |
     +---------------------+----------------+----------------------+
     ```

        In the server response, find all the rows where the subject contains the account ID and the `All users` and `All authenticated users` [public groups](../../concepts/access-control/public-group.md) are specified as the subject.
    1. Repeat the previous two steps for all the parent resources.

- API {#api}

    1. Get your account ID:
        1. [Guide](../sa/get-id.md) for service accounts.
        1. [Guide](../../../organization/operations/users-get.md) for Yandex account users, federated users, and local users.
    1. Get the resource ID or name.
    1. View the roles and assignees for the resource using the `listAccessBindings` REST API method. For example, to view the roles for the `b1gvmob95yys********` folder:
       
       ```bash
       export FOLDER_ID=b1gvmob95yys********
       export IAM_TOKEN=CggaATEVAgA...
       curl \
         --header "Authorization: Bearer ${IAM_TOKEN}" \
         "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:listAccessBindings"
       ```
       
       Result:
       
       ```json
       {
         "accessBindings": [
         {
           "subject": {
             "id": "ajei8n54hmfh********",
             "type": "userAccount"
           },
           "roleId": "editor"
         }
         ]
       }
       ```

        In the server response, find all the rows where the subject contains the account ID and the `All users` and `All authenticated users` [public groups](../../concepts/access-control/public-group.md) are specified as the subject.
    1. Repeat the previous two steps for all the parent resources.

{% endlist %}

#### See also {#see-also}

* [Revoke a role for a resource](revoke.md)
* [Assigning roles](grant.md)