[Yandex Cloud documentation](../index.md) > [Yandex Identity and Access Management](index.md) > Role reference

# Role reference Yandex Cloud


## Primitive roles {#primitive-roles}

The chart below shows which primitive roles are available in Yandex Cloud and how they inherit each other's permissions. For example, the `editor` role inherits all the `viewer` role permissions. You can find role descriptions below the diagram.

![image](../_assets/iam/security/primitive-roles-hierarchy.svg)

Primitive roles allow users to perform actions in all Yandex Cloud [services](../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:
* View info on a [resource](../resource-manager/concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the most secure role that does not grant any access to the [service](../overview/concepts/services.md) data. This role suits the users who need minimum access to the Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants the permissions to read the info on any Yandex Cloud [resources](../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../organization/concepts/organization.md) ownership and removing an organization).

Prior to assigning the `admin` role for an organization, [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../billing/concepts/billing-account.md), make sure to check out the information on protecting [privileged accounts](../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the [least privilege principle](../security/standard/all.md#min-privileges).


## Service roles {#auxiliary-roles}

#### quota-manager.viewer {#quota-manager-viewer}

The `quota-manager.viewer` role enables viewing info on the Yandex Cloud service [quotas](../overview/concepts/quotas-limits.md) and requests to increase such quotas, as well as on [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud).

#### quota-manager.requestOperator {#quota-manager-requestoperator}

The `quota-manager.requestOperator` role lets you create requests for new Yandex Cloud service [quotas](../overview/concepts/quotas-limits.md). This permission is also part of the `admin` and `editor` roles.


## AI services {#ai-services}

#### ai.auditor {#ai-auditor}

The `ai.auditor` role enables viewing info on quotas for [Yandex Translate](https://aistudio.yandex.ru/docs/en/translate/concepts/limits#translate-quotas), [Yandex Vision OCR](https://aistudio.yandex.ru/docs/en/vision/concepts/limits#vision-quotas), [Yandex SpeechKit](https://aistudio.yandex.ru/docs/en/speechkit/concepts/limits#speechkit-quotas), and [Yandex Cloud AI Studio](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/limits#yandexgpt-quotas), on uploaded [files](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/search/vectorstore#file-uploading), Vector Store [search indexes](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/search/vectorstore), [datasets](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/resources/dataset), and [text generation models](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/generation/models) in Yandex Cloud AI Studio, view metadata on [guardrails](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/security/guardrails#rules) for model responses, as well as info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `ai.assistants.auditor`, `ai.datasets.auditor`, `ai.models.auditor`, and `ai.guardrails.auditor` permissions.

#### ai.viewer {#ai-viewer}

The `ai.viewer` role enables viewing info on quotas for [Yandex Translate](https://aistudio.yandex.ru/docs/en/translate/concepts/limits#translate-quotas), [Yandex Vision OCR](https://aistudio.yandex.ru/docs/en/vision/concepts/limits#vision-quotas), [Yandex SpeechKit](https://aistudio.yandex.ru/docs/en/speechkit/concepts/limits#speechkit-quotas), and [Yandex Cloud AI Studio](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/limits#yandexgpt-quotas), on [text generation models](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/generation/models), [guardrails](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/security/guardrails#rules) for model responses, [datasets](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/resources/dataset), uploaded [files](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/search/vectorstore#file-uploading), and Vector Store [search indexes](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/search/vectorstore) in Yandex Cloud AI Studio, read such files and conduct searches using these indexes, as well as view info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `ai.auditor`, `ai.assistants.viewer`, `ai.datasets.viewer`, `ai.models.viewer`, and `ai.guardrails.viewer` permissions.

#### ai.editor {#ai-editor}

The `ai.editor` role enables using Yandex Translate, Yandex Vision OCR, Yandex SpeechKit, and Yandex Cloud AI Studio.

Users with this role can:
* Use Yandex Translate to [translate texts](https://aistudio.yandex.ru/docs/en/translate/quickstart).
* Use Yandex Vision OCR to [analyze images](https://aistudio.yandex.ru/docs/en/vision/concepts/ocr/).
* Use Yandex SpeechKit for speech [recognition](https://aistudio.yandex.ru/docs/en/speechkit/stt/) and [synthesis](https://aistudio.yandex.ru/docs/en/speechkit/tts/).
* View info on [text generation models](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/generation/models) in Yandex Cloud AI Studio.
* View info on [guardrails](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/security/guardrails#rules) for model responses, as well as create, apply, modify, and delete guardrails.
* Use [AI agents](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/agents/), text and image generation models, [text embedding](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/embeddings#yandexgpt-embeddings) models, and [classifier](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/classifier/models) models in Yandex Cloud AI Studio.
* View info on uploaded [files](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/search/vectorstore#file-uploading) as well as create, update, view, and delete them.
* View info on Vector Store [search indexes](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/search/vectorstore), create, modify, and delete them, as well as conduct searches using these indexes.
* [Fine-tune](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/tuning/#fm-tuning) Yandex Cloud AI Studio models as well as create, modify, and delete fine-tuned models.
* View info on [datasets](https://aistudio.yandex.ru/docs/en/ai-studio/dataset/api-ref/grpc/), use them to fine-tune models, as well as create, modify, and delete datasets.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).
* View info on quotes for [Yandex Translate](https://aistudio.yandex.ru/docs/en/translate/concepts/limits#translate-quotas), [Yandex Vision OCR](https://aistudio.yandex.ru/docs/en/vision/concepts/limits#vision-quotas), [Yandex SpeechKit](https://aistudio.yandex.ru/docs/en/speechkit/concepts/limits#speechkit-quotas), and [Yandex Cloud AI Studio](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/limits#yandexgpt-quotas).

This role includes the `ai.viewer`, `ai.translate.user`, `ai.vision.user`, `ai.speechkit-stt.user`, `ai.speechkit-tts.user`, `ai.languageModels.user`, `ai.imageGeneration.user`, `ai.assistants.editor`, `ai.datasets.editor`, `ai.models.editor`, and `ai.guardrails.editor` permissions.

#### ai.admin {#ai-admin}

The `ai.admin` role enables using Yandex Translate, Yandex Vision OCR, Yandex SpeechKit, and Yandex Cloud AI Studio.

Users with this role can:
* Use Yandex Translate to [translate texts](https://aistudio.yandex.ru/docs/en/translate/quickstart).
* Use Yandex Vision OCR to [analyze images](https://aistudio.yandex.ru/docs/en/vision/concepts/ocr/).
* Use Yandex SpeechKit for speech [recognition](https://aistudio.yandex.ru/docs/en/speechkit/stt/) and [synthesis](https://aistudio.yandex.ru/docs/en/speechkit/tts/).
* View info on [text generation models](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/generation/models) in Yandex Cloud AI Studio.
* View info on [guardrails](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/security/guardrails#rules) for model responses, as well as create, apply, modify, and delete guardrails.
* Use [AI agents](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/agents/), text and image generation models, [text embedding](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/embeddings#yandexgpt-embeddings) models, and [classifier](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/classifier/models) models in Yandex Cloud AI Studio.
* View info on uploaded [files](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/search/vectorstore#file-uploading) as well as create, update, view, and delete them.
* View info on Vector Store [search indexes](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/search/vectorstore), create, modify, and delete them, as well as conduct searches using these indexes.
* [Fine-tune](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/tuning/#fm-tuning) Yandex Cloud AI Studio models as well as create, modify, and delete fine-tuned models.
* View info on [datasets](https://aistudio.yandex.ru/docs/en/ai-studio/dataset/api-ref/grpc/), use them to fine-tune models, as well as create, modify, and delete datasets.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).
* View info on [Yandex Translate](https://aistudio.yandex.ru/docs/en/translate/concepts/limits#translate-quotas), [Yandex Vision OCR](https://aistudio.yandex.ru/docs/en/vision/concepts/limits#vision-quotas), [Yandex SpeechKit](https://aistudio.yandex.ru/docs/en/speechkit/concepts/limits#speechkit-quotas), and [Yandex Cloud AI Studio](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/limits#yandexgpt-quotas) quotes.

This role includes the `ai.editor`, `ai.assistants.admin`, `ai.datasets.admin`, `ai.models.admin`, and `ai.guardrails.admin` permissions.


## Yandex Cloud partner program {#partner-program}

#### billing.accounts.owner {#billing-accounts-owner}

When creating your billing account, you get the `billing.accounts.owner` role automatically. Any user with the `billing.accounts.owner` role can revoke this role from the billing account creator and change the owner.

{% cut "In Yandex Cloud Billing, users with this role can:" %}

* Display [billing accounts](../billing/concepts/billing-account.md) in the list of all accounts.
* View billing account data.
* View [client offers](../billing/concepts/glossary.md#client-offer).
* View info on the [access permissions](concepts/access-control/index.md) granted for the relevant billing accounts and modify such permissions.
* Activate, deactivate, or modify the [technical support](../support/overview.md) service plan, as well as change the billing account from which the payment is debited.
* View and download [reporting (or closing) documents](../billing/payment/documents.md).
* Generate new [reconciliation reports](../billing/concepts/act.md#reconciliation-report).
* View and download generated reconciliation reports.
* Get and view notifications on consumption.
* Monitor expenses.
* [View usage details](../billing/operations/check-charges.md).
* [Export details](../billing/operations/get-folder-report.md).
* Create [budgets](../billing/concepts/budget.md).
* [Reserve resource usage](../billing/concepts/cvos.md).
* Top up their [personal account](../billing/concepts/personal-account.md) using a bank account.
* Top up their personal account using a credit or debit card.
* Link [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) to a billing account.
* Rename billing accounts.
* Changing payer contact details.
* Change payment details.
* Change their credit or debit card details.
* Change the payment method.
* Redeem promo codes.
* Activate the [trial period](../billing/concepts/trial-period.md).
* Activate the [paid version](../getting-started/free-trial/concepts/upgrade-to-paid.md).
* [Delete](../billing/operations/delete-account.md) billing accounts.

{% endcut %}

{% cut "On the Yandex Cloud partner portal, users with this role can:" %}

* [Create](../partner/operations/pin-client.md#client-entry) customer records ([subaccounts](../partner/terms.md#sub-account)).
* View the list of subaccounts and info on them, including personal data.
* Update subaccount records.
* Activate subaccounts.
* Suspend subaccounts.
* Re-activate subaccounts.
* Delete subaccounts without customer confirmation.
* Link [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) to subaccounts.
* [Manage](../partner/operations/access/partners-account.md) access permissions to subaccounts.
* [View](../partner/operations/get-client-stat.md) the details of how the customers use services.
* View the list of [partner discounts](../partner/portal.md#premium) and info on them.

{% endcut %}

This role includes the `billing.accounts.admin` and `billing.accounts.varWithoutDiscounts` permissions.

#### billing.accounts.viewer {#billing-accounts-viewer}

To use the `billing.accounts.viewer` role, you need to assign it for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, and export reconciliation reports and reporting documents.

{% cut "In Yandex Cloud Billing, users with this role can:" %}

* Display [billing accounts](../billing/concepts/billing-account.md) in the list of all accounts.
* View billing account data.
* View and download [reporting (or closing) documents](../billing/payment/documents.md).
* View and download generated reconciliation reports.
* Get and view notifications on consumption.
* Monitor expenses.
* [View usage details](../billing/operations/check-charges.md).

{% endcut %}

#### billing.accounts.accountant {#billing-accounts-accountant}

To use the `billing.accounts.accountant` role, you need to assign it for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, export reconciliation reports and reporting documents, create new reconciliation reports, and top up your personal account using a bank account.

{% cut "In Yandex Cloud Billing, users with this role can:" %}

* Display billing accounts in the list of all accounts.
* View billing account data.
* View and download [reporting (or closing) documents](../billing/payment/documents.md).
* Generate new [reconciliation reports](../billing/concepts/act.md#reconciliation-report).
* View and download generated reconciliation reports.
* Get and view notifications on consumption.
* Monitor expenses.
* [View usage details](../billing/operations/check-charges.md).
* Top up their [personal account](../billing/concepts/personal-account.md) using a bank account.

{% endcut %}


This role includes the `billing.accounts.viewer` permissions.

#### billing.accounts.editor {#billing-accounts-editor}

To use the `billing.accounts.editor` role, you need to assign it for a billing account. It enables you to get payment invoices, redeem promo codes, link clouds and services to your billing account, create details export and budgets, generate reconciliation reports, and reserve resources.

{% cut "In Yandex Cloud Billing, users with this role can:" %}

* Display [billing accounts](../billing/concepts/billing-account.md) in the list of all accounts.
* View billing account data.
* View [client offers](../billing/concepts/glossary.md#client-offer).
* View and download [reporting (or closing) documents](../billing/payment/documents.md).
* Generate new [reconciliation reports](../billing/concepts/act.md#reconciliation-report).
* View and download generated reconciliation reports.
* Get and view notifications on consumption.
* Monitor expenses.
* [View usage details](../billing/operations/check-charges.md).
* [Export details](../billing/operations/get-folder-report.md).
* Create [budgets](../billing/concepts/budget.md).
* [Reserve resource usage](../billing/concepts/cvos.md).
* Top up their [personal account](../billing/concepts/personal-account.md) using a bank account.
* Link [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) to a billing account.
* Rename billing accounts.
* Redeem promo codes.

{% endcut %}

{% cut "On the Yandex Cloud partner portal, users with this role can:" %}

* Link [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) to [subaccounts](../partner/terms.md#sub-account).

{% endcut %}

This role includes the `billing.accounts.viewer` permissions.

#### billing.accounts.varWithoutDiscounts {#billing-accounts-var-without-discounts}

To use the `billing.accounts.varWithoutDiscounts` role, you need to assign it for a billing account. This role grants partner accounts all administrator privileges, except the permission to get information about discounts.

{% cut "In Yandex Cloud Billing, users with this role can:" %}

* Display [billing accounts](../billing/concepts/billing-account.md) in the list of all accounts.
* View billing account data.
* View info on the [access permissions](concepts/access-control/index.md) granted for the relevant billing accounts.
* View and download [reporting (or closing) documents](../billing/payment/documents.md).
* Generate new [reconciliation reports](../billing/concepts/act.md#reconciliation-report).
* View and download generated reconciliation reports.
* Get and view notifications on consumption.
* Monitor expenses.
* [View usage details](../billing/operations/check-charges.md).
* [Export details](../billing/operations/get-folder-report.md).
* Create [budgets](../billing/concepts/budget.md).
* [Reserve resource usage](../billing/concepts/cvos.md).
* Top up their [personal account](../billing/concepts/personal-account.md) using a bank account.
* Link [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) to a billing account.
* Rename billing accounts.
* Redeem promo codes.

{% endcut %}

{% cut "On the Yandex Cloud partner portal, users with this role can:" %}

* [Create](../partner/operations/pin-client.md#client-entry) customer records ([subaccounts](../partner/terms.md#sub-account)).
* View the list of subaccounts and info on them.
* Activate subaccounts.
* Suspend subaccounts.
* Re-activate subaccounts.
* Link [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) to subaccounts.
* [Manage](../partner/operations/access/partners-account.md) access permissions to subaccounts.
* [View](../partner/operations/get-client-stat.md) the details of how the customers use services.

{% endcut %}

This role includes the `billing.partners.editor` permissions.

#### billing.accounts.admin {#billing-accounts-admin}

To use the `billing.accounts.admin` role, you need to assign it for a billing account. It enables managing access to a billing account (except for `billing.accounts.owner`).

{% cut "In Yandex Cloud Billing, users with this role can:" %}

* Display [billing accounts](../billing/concepts/billing-account.md) in the list of all accounts.
* View billing account data.
* View [client offers](../billing/concepts/glossary.md#client-offer).
* View info on the [access permissions](concepts/access-control/index.md) granted for the relevant billing accounts and modify such permissions (except for assigning and revoking the `billing.accounts.owner` role).
* Activate, deactivate, or modify the [technical support](../support/overview.md) service plan, as well as change the billing account from which the payment is debited.
* View and download [reporting (or closing) documents](../billing/payment/documents.md).
* Generate new [reconciliation reports](../billing/concepts/act.md#reconciliation-report).
* View and download generated reconciliation reports.
* Get and view notifications on consumption.
* Monitor expenses.
* [View usage details](../billing/operations/check-charges.md).
* [Export details](../billing/operations/get-folder-report.md).
* Create [budgets](../billing/concepts/budget.md).
* [Reserve resource usage](../billing/concepts/cvos.md).
* Top up their [personal account](../billing/concepts/personal-account.md) using a bank account.
* Link [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) to a billing account.
* Rename billing accounts.
* Redeem promo codes.

{% endcut %}

{% cut "On the Yandex Cloud partner portal, users with this role can:" %}

* [Create](../partner/operations/pin-client.md#client-entry) customer records ([subaccounts](../partner/terms.md#sub-account)).
* View the list of subaccounts and info on them, including personal data.
* Activate subaccounts.
* Suspend subaccounts.
* Re-activate subaccounts.
* Link [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) to subaccounts.
* [Manage](../partner/operations/access/partners-account.md) access permissions to subaccounts.
* [View](../partner/operations/get-client-stat.md) the details of how the customers use services.
* View the list of [partner discounts](../partner/portal.md#premium) and info on them.

{% endcut %}

This role includes the `billing.accounts.editor`, `billing.accounts.partnerAdmin`, and `billing.partners.editor` permissions.

#### billing.accounts.partnerViewer {#billing-accounts-partnerViewer}

To use the `billing.accounts.partnerViewer` role, you need to assign it for a billing account. It enables viewing partner info, except for personal data.

On the Yandex Cloud partner portal, users with this role can:
* View the list of [subaccounts](../partner/terms.md#sub-account) and info on them (except for personal data).
* View the list of [partner discounts](../partner/portal.md#premium).
* View the [partner tools](../partner/program/var-tools.md) page.
* View the list of accounts and info on them (except for personal data).
* View the list of contacts and info on them (except for personal data).
* View the list of [partner deals](../partner/terms.md#deal-reg) and info on them (except for personal data).

#### billing.accounts.piiPartnerViewer {#billing-accounts-piiPartnerViewer}

To use the `billing.accounts.piiPartnerViewer` role, you need to assign it for a billing account. It enables viewing subaccount and partner info, including personal data.

On the Yandex Cloud partner portal, users with this role can:
* View info on the partner balance, discounts, and [rebate](../partner/terms.md#rebate) withdrawals.
* [View](../partner/operations/get-client-stat.md) details on partner consumption, including consumption in partner [subaccounts](../partner/terms.md#sub-account).
* View the list of [partner discounts](../partner/portal.md#premium).
* View the [partner tools](../partner/program/var-tools.md) page.
* View the list of accounts and info on them, including personal data.
* View the list of subaccounts and info on them, including personal data.
* View the list of contacts and info on them, including personal data.
* View the list of [partner deals](../partner/terms.md#deal-reg) and info on them, including personal data.

This role includes the `billing.accounts.partnerViewer` permissions.

#### billing.accounts.partnerEditor {#billing-accounts-partnerEditor}

To use the `billing.accounts.partnerEditor` role, you need to assign it for a billing account. It enables managing accounts, subaccounts, contacts, and partner deals. This role does not provide access to personal data.

On the Yandex Cloud partner portal, users with this role can:
* Manage [subaccounts](../partner/terms.md#sub-account) regardless of the [access permissions](concepts/access-control/index.md) assigned at the [organization](../organization/concepts/organization.md) level, excepting the permission to work with a partner.
* View the list of subaccounts and info on them (except for personal data).
* Create new subaccounts and update the existing ones, as well as suspend, resume, and delete subaccounts.
* View the list of accounts and info on them (except for personal data), as well as edit such info.
* View the list of contacts and info on them (except for personal data), as well as edit such contacts.
* View the list of [partner deals](../partner/terms.md#deal-reg) and info on them (except for personal data), as well as edit such info.
* View the list of [partner discounts](../partner/portal.md#premium).
* View the [partner tools](../partner/program/var-tools.md) page.

This role includes the `billing.accounts.partnerViewer` permissions.

#### billing.accounts.piiPartnerEditor {#billing-accounts-piiPartnerEditor}

To use the `billing.accounts.piiPartnerEditor` role, you need to assign it for a billing account. It enables managing partner rebate withdrawals, as well as viewing subaccount and partner info, including personal data.

On the Yandex Cloud partner portal, users with this role can:
* View info on the partner balance, discounts, and [rebate](../partner/terms.md#rebate) withdrawals.
* Create spending agreements for partner rebates and withdraw such rebates.
* [View](../partner/operations/get-client-stat.md) details on partner consumption, including consumption in partner [subaccounts](../partner/terms.md#sub-account).
* View the list of [partner discounts](../partner/portal.md#premium).
* View the [partner tools](../partner/program/var-tools.md) page.
* View the list of accounts and info on them, including personal data.
* View the list of subaccounts and info on them, including personal data.
* View the list of contacts and info on them, including personal data.
* View the list of [partner deals](../partner/terms.md#deal-reg) and info on them, including personal data.

This role includes the `billing.accounts.piiPartnerViewer` permissions.

#### billing.accounts.partnerAdmin {#billing-accounts-partnerAdmin}

To use the `billing.accounts.partnerAdmin` role, you need to assign it to a billing account. It enables access to all partner portal tools and all info stored on the portal, including personal data.

On the Yandex Cloud partner portal, users with this role can:
* Manage [subaccounts](../partner/terms.md#sub-account) regardless of the [access permissions](concepts/access-control/index.md) assigned at the [organization](../organization/concepts/organization.md) level, excepting the permission to work with a partner.
* View the list of subaccounts and info on them, including personal data.
* Create new subaccounts and update the existing ones, as well as suspend, resume, and delete subaccounts.
* View the list of accounts and info on them, including personal data, as well as edit such info.
* View the list of contacts and info on them, including personal data, as well as edit such contacts.
* View the list of [partner deals](../partner/terms.md#deal-reg) and info on them, including personal data, as well as edit such info.
* View info on the partner balance, discounts, and [rebate](../partner/terms.md#rebate) withdrawals.
* Create spending agreements for partner rebates and withdraw such rebates.
* [View](../partner/operations/get-client-stat.md) details on partner consumption, including consumption in partner subaccounts.
* View the list of [partner discounts](../partner/portal.md#premium).
* View the [partner tools](../partner/program/var-tools.md) page.

This role includes the `billing.accounts.partnerEditor` and `billing.accounts.piiPartnerEditor` permissions.

For more information, see [Managing access in the Yandex Cloud partner program](../partner/security/index.md).


## Apache Hive™ Metastore {#metastore-roles}

#### managed-metastore.maintenanceTask.viewer {#managed-metastore-maintenanceTask-viewer}

The `managed-metastore.maintenanceTask.viewer` role enables viewing info on [Apache Hive™ Metastore clusters](../metadata-hub/concepts/metastore.md), [access permissions](concepts/access-control/index.md) granted for them, their maintenance tasks, and on the quotas for Yandex Cloud managed DB services.

#### managed-metastore.maintenanceTask.editor {#managed-metastore-maintenanceTask-editor}

The `managed-metastore.maintenanceTask.editor` role enables viewing info on maintenance tasks for [Apache Hive™ Metastore clusters](../metadata-hub/concepts/metastore.md) and modifying such tasks, as well as viewing info on Apache Hive™ Metastore clusters, on [access permissions](concepts/access-control/index.md) granted for them, and on the quotas for Yandex Cloud managed DB services.

This role includes the `managed-metastore.maintenanceTask.viewer` permissions.

#### managed-metastore.auditor {#managed-metastore-auditor}

The `managed-metastore.auditor` role allows you to view information on Apache Hive™ Metastore [clusters](../metadata-hub/concepts/metastore.md) and the Yandex Cloud managed DB service quotas.

#### managed-metastore.viewer {#managed-metastore-viewer}

The `managed-metastore.viewer` role enables viewing info on Apache Hive™ Metastore clusters and their runtime logs, as well as info on the quotas for Yandex Cloud managed DB services.

Users with this role can:
* View info on Apache Hive™ Metastore [clusters](../metadata-hub/concepts/metastore.md).
* View info on [access permissions](concepts/access-control/index.md) granted for Apache Hive™ Metastore clusters.
* View info on maintenance tasks for Apache Hive™ Metastore clusters.
* View Apache Hive™ Metastore cluster logs.
* View info on the quotas for Yandex Cloud managed DB services.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `managed-metastore.auditor` and `managed-metastore.maintenanceTask.viewer` permissions.

#### managed-metastore.editor {#managed-metastore-editor}

The `managed-metastore.editor` role enables managing Apache Hive™ Metastore clusters, as well as viewing their runtime logs and info on the quotas for Yandex Cloud managed DB services.

Users with this role can:
* View info on Apache Hive™ Metastore [clusters](../metadata-hub/concepts/metastore.md), as well as create, modify, run, stop, and delete them.
* [Export and import](../metadata-hub/operations/metastore/export-and-import.md) Apache Hive™ Metastore clusters.
* View Apache Hive™ Metastore cluster logs.
* View info on [access permissions](concepts/access-control/index.md) granted for Apache Hive™ Metastore clusters.
* View info on maintenance tasks for Apache Hive™ Metastore clusters and modify such tasks.
* View info on the quotas for Yandex Cloud managed DB services.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `managed-metastore.viewer` and `managed-metastore.maintenanceTask.editor` permissions.

To create clusters, you also need the `vpc.user` [role](../vpc/security/index.md#vpc-user).

#### managed-metastore.admin {#managed-metastore-admin}

The `managed-metastore.admin` role allows you to manage Apache Hive™ Metastore clusters, as well as view their runtime logs and information on service quotas of Yandex Cloud managed DBs.

Users with this role can:
* View info on Apache Hive™ Metastore [clusters](../metadata-hub/concepts/metastore.md), as well as create, modify, run, stop, and delete them.
* [Export and import](../metadata-hub/operations/metastore/export-and-import.md) Apache Hive™ Metastore clusters.
* View Apache Hive™ Metastore cluster logs.
* View info on the Yandex Cloud managed DB service quotas.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `managed-metastore.editor` permissions.

To create clusters, you also need the `vpc.user` [role](../vpc/security/index.md#vpc-user).

#### managed-metastore.integrationProvider {#managed-metastore-integrationProvider}

The `managed-metastore.integrationProvider` role allows the Apache Hive™ Metastore cluster to work with user resources required for its operation on behalf of the service account. You can assign this role to a service account linked to a Apache Hive™ Metastore cluster.

Users with this role can:
* Add entries to [log groups](../logging/concepts/log-group.md).
* View info on log groups.
* View info on log sinks.
* View info on granted [access permissions](concepts/access-control/index.md) for Cloud Logging resources.
* View info on log exports.
* View info on Monitoring [metrics](../monitoring/concepts/data-model.md#metric) and their [labels](../monitoring/concepts/data-model.md#label), as well as upload and download metrics.
* View the list of Monitoring [dashboards](../monitoring/concepts/visualization/dashboard.md) and [widgets](../monitoring/concepts/visualization/widget.md) and info on them, as well as create, modify, and delete them.
* View the Monitoring [notification](../monitoring/concepts/alerting/notification-channel.md) history.
* View details on [Monitoring](../monitoring/concepts/limits.md#monitoring-quotas) quotas.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `logging.writer` and `monitoring.editor` permissions.

For more information, see [Service roles to manage metadata in a Apache Hive™ Metastore cluster](../metadata-hub/security/metastore-roles.md).


## Yandex API Gateway {#api-gateway-roles}

#### api-gateway.auditor {#api-gateway-auditor}

The `api-gateway.auditor` role allows you to view the list of [API gateways](../api-gateway/concepts/index.md) and the details on [access permissions](concepts/access-control/index.md) assigned to such gateways. It also enables viewing the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder) metadata.

#### api-gateway.viewer {#api-gateway-viewer}

The `api-gateway.viewer` role allows you to view the list of [API gateways](../api-gateway/concepts/index.md), info on them, and the details on [access permissions](concepts/access-control/index.md) assigned to such gateways. It also enables viewing the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder) metadata.

This role includes the `api-gateway.auditor` permissions.

#### api-gateway.editor {#api-gateway-editor}

The `api-gateway.editor` role enables managing API gateways and viewing info on them, as well as working with WebSocket API.

Users with this role can:
* View the list of [API gateways](../api-gateway/concepts/index.md), info on them and on [access permissions](concepts/access-control/index.md) assigned to them, as well as use, modify, and delete such gateways.
* Use the [request rate](../api-gateway/concepts/extensions/rate-limit.md) limit.
* View info on [WebSocket](../api-gateway/concepts/index.md#websocket) connections and close them, as well as send data through such connections.
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `api-gateway.websocketWriter` permissions.

#### api-gateway.websocketWriter {#api-gateway-websocketwriter}

The `api-gateway.websocketWriter` role allows you to work with WebSocket API, as well as view the list of API gateways, info on them, and the details on access permissions assigned to such gateways.

Users with this role can:
* View info on [WebSocket](../api-gateway/concepts/index.md#websocket) connections and close them, as well as send data through such connections.
* View the list of [API gateways](../api-gateway/concepts/index.md), info on them and on [access permissions](concepts/access-control/index.md) assigned to them.
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `api-gateway.viewer` permissions.

#### api-gateway.websocketBroadcaster {#api-gateway-websocketBroadcaster}

The `api-gateway.websocketBroadcaster` role enables transmitting data through WebSocket (which includes sending data to multiple clients concurrently), as well as viewing the list of API gateways, info on them and on access permissions assigned to them.

Users with this role can:
* View info on [WebSocket](../api-gateway/concepts/index.md#websocket) connections and close them, as well as send data through such connections, which includes transmitting data to multiple clients concurrently.
* View the list of [API gateways](../api-gateway/concepts/index.md), info on them and on [access permissions](concepts/access-control/index.md) assigned to them.
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `api-gateway.websocketWriter` permissions.

#### api-gateway.admin {#api-gateway-admin}

The `api-gateway.admin` role enables managing API gateways and access to them, viewing info on API gateways, and working with WebSocket API.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) assigned for API gateways and modify such permissions.
* View info on [API gateways](../api-gateway/concepts/index.md), as well as create, modify, and delete them.
* View info on [WebSocket](../api-gateway/concepts/index.md#websocket) connections and close them, as well as send data through such connections.
* Use the [request rate](../api-gateway/concepts/extensions/rate-limit.md) limit.
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `api-gateway.editor` permissions.

For more information, see [Access management in API Gateway](../api-gateway/security/index.md).


## Yandex Application Load Balancer {#alb-roles}

#### alb.auditor {#alb-auditor}

The `alb.auditor` role enables you to view  info on the Application Load Balancer resources and quotas.

Users with this role can:
* View the list of [L7 balancers](../application-load-balancer/concepts/application-load-balancer.md) and the info on them.
* View the list of [HTTP routers](../application-load-balancer/concepts/http-router.md) and the info on them.
* View the list of [virtual hosts](../application-load-balancer/concepts/http-router.md#virtual-host) and the info on them.
* View the list of [backend groups](../application-load-balancer/concepts/backend-group.md) and the info on them.
* View the list of [target groups](../application-load-balancer/concepts/target-group.md) and the info on them.
* View info on the Application Load Balancer [quotas](../application-load-balancer/concepts/limits.md#quotas).

#### alb.viewer {#alb-viewer}

The `alb.viewer` role enables viewing the list of Application Load Balancer resources and the info on them and the relevant quotas.

Users with this role can:
* View the list of [L7 balancers](../application-load-balancer/concepts/application-load-balancer.md) and the info on them.
* View the list of [HTTP routers](../application-load-balancer/concepts/http-router.md) and the info on them.
* View the list of [virtual hosts](../application-load-balancer/concepts/http-router.md#virtual-host) and the info on them.
* View the list of [backend groups](../application-load-balancer/concepts/backend-group.md) and the info on them.
* View the list of [target groups](../application-load-balancer/concepts/target-group.md) and the info on them.
* View info on the Application Load Balancer [quotas](../application-load-balancer/concepts/limits.md#quotas).

This role includes the `alb.auditor` permissions.

#### alb.user {#alb-user}

The `alb.user` role enables using L7 balancers, HTTP routers, backend groups, and target groups, as well as viewing info on the Application Load Balancer resources.

Users with this role can:
* View the list of [L7 balancers](../application-load-balancer/concepts/application-load-balancer.md) and info on them, as well as use them.
* View the list of [HTTP routers](../application-load-balancer/concepts/http-router.md) and the info on them, as well as use such routers.
* View the list of [virtual hosts](../application-load-balancer/concepts/http-router.md#virtual-host) and the info on them.
* View the list of [backend groups](../application-load-balancer/concepts/backend-group.md) and info on them, as well as use them.
* View the list of [target groups](../application-load-balancer/concepts/target-group.md) and the info on them, as well as use them.
* View info on the Application Load Balancer [quotas](../application-load-balancer/concepts/limits.md#quotas).

You can assign this role for a folder.

#### alb.editor {#alb-editor}

The `alb.editor` role enables managing Application Load Balancer resources and internal network load balancers, as well as viewing info on them and on the cloud networks, subnets, route tables, gateways, security groups, and IP addresses.

{% cut "Users with this role can:" %}

* View the list of [L7 balancers](../application-load-balancer/concepts/application-load-balancer.md) and the info on them, as well as create, modify, delete, and use such balancers.
* View the list of [HTTP routers](../application-load-balancer/concepts/http-router.md) and the info on them, as well as create, modify, delete, and use such routers.
* View the list of [virtual hosts](../application-load-balancer/concepts/http-router.md#virtual-host) and info on them, as well as modify them.
* View the list of [backend groups](../application-load-balancer/concepts/backend-group.md) and the info on them, as well as create, modify, delete, and use such groups.
* View the list of L7 balancer target groups and [network balancers](../network-load-balancer/concepts/target-resources.md) and the info on them, as well as create, modify, delete, and use target groups.
* View the list of [network load balancers](../network-load-balancer/concepts/index.md) and the info on them, as well as create internal network load balances (including those with UDP listeners), modify, delete, start, and stop them.
* View the list of [cloud networks](../vpc/concepts/network.md#network) and info on them, as well as use them.
* View the list of [subnets](../vpc/concepts/network.md#subnet) and info on them, as well as use them.
* View the list of [cloud resource addresses](../vpc/concepts/address.md) and info on them, as well as use such addresses.
* View the list of [route tables](../vpc/concepts/routing.md#rt-vpc) and info on them, as well as use them.
* View the list of [security groups](../vpc/concepts/security-groups.md) and info on them, as well as use them.
* View information on [NAT gateways](../vpc/concepts/gateways.md) and connect them to route tables.
* View the info on the used IP addresses in subnets, as well as create [internal addresses](../vpc/concepts/address.md#internal-addresses).
* View the info on operations with the Virtual Private Cloud and Compute Cloud resources.
* View the list of operations with the Network Load Balancer resources.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).
* View info on the [Application Load Balancer](../application-load-balancer/concepts/limits.md#quotas), [Network Load Balancer](../network-load-balancer/concepts/limits.md#load-balancer-quotas), and [Virtual Private Cloud](../vpc/concepts/limits.md#vpc-quotas) quotas.

{% endcut %}

This role includes the `load-balancer.privateAdmin` and `vpc.user` permissions.

To connect a public IP address to a new or existing L7 balancer, you also need the [vpc.publicAdmin](../vpc/security/index.md#vpc-public-admin) `role` assigned for the network where the balancer resides.

#### alb.admin {#alb-admin}

The `alb.admin` role enables managing Application Load Balancer resources and internal network load balancers, as well as viewing info on cloud networks, subnets, route tables, gateways, security groups, IP addresses, and quotas.

{% cut "Users with this role can:" %}

* View the list of [L7 balancers](../application-load-balancer/concepts/application-load-balancer.md) and the info on them, as well as create, modify, delete, and use such balancers.
* View the list of [HTTP routers](../application-load-balancer/concepts/http-router.md) and the info on them, as well as create, modify, delete, and use such routers.
* View the list of [virtual hosts](../application-load-balancer/concepts/http-router.md#virtual-host) and info on them, as well as modify them.
* View the list of [backend groups](../application-load-balancer/concepts/backend-group.md) and the info on them, as well as create, modify, delete, and use such groups.
* View the list of L7 balancer target groups and [network balancers](../network-load-balancer/concepts/target-resources.md) and the info on them, as well as create, modify, delete, and use target groups.
* View the list of [network load balancers](../network-load-balancer/concepts/index.md) and the info on them, as well as create internal network load balances (including those with UDP listeners), modify, delete, start, and stop them.
* View the list of [cloud networks](../vpc/concepts/network.md#network) and info on them, as well as use them.
* View the list of [subnets](../vpc/concepts/network.md#subnet) and info on them, as well as use them.
* View the list of [cloud resource addresses](../vpc/concepts/address.md) and info on them, as well as use such addresses.
* View the list of [route tables](../vpc/concepts/routing.md#rt-vpc) and info on them, as well as use them.
* View the list of [security groups](../vpc/concepts/security-groups.md) and info on them, as well as use them.
* View information on [NAT gateways](../vpc/concepts/gateways.md) and connect them to route tables.
* View the info on the used IP addresses in subnets, as well as create [internal addresses](../vpc/concepts/address.md#internal-addresses).
* View the info on operations with the Virtual Private Cloud and Compute Cloud resources.
* View the list of operations with the Network Load Balancer resources.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).
* View info on the [Application Load Balancer](../application-load-balancer/concepts/limits.md#quotas), [Network Load Balancer](../network-load-balancer/concepts/limits.md#load-balancer-quotas), and [Virtual Private Cloud](../vpc/concepts/limits.md#vpc-quotas) quotas.

{% endcut %}

This role includes the `alb.editor` permissions.

To connect a public IP address to a new or existing L7 balancer, you also need the `vpc.publicAdmin` [role](../vpc/security/index.md#vpc-public-admin) assigned for the network where the balancer resides.

For more information, see [Access management in Application Load Balancer](../application-load-balancer/security/index.md).


## Yandex Audit Trails {#at-roles}

#### audit-trails.auditor {#at-auditor}

The `audit-trails.auditor` role enables viewing the list of [trails](../audit-trails/concepts/trail.md) and info on them, as well as the info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../resource-manager/concepts/resources-hierarchy.md#folder), and Audit Trails [quotas](../audit-trails/concepts/limits.md#audit-trails-quotas).

#### audit-trails.viewer {#at-viewer}

The `audit-trails.viewer` role enables reading [audit logs](../audit-trails/concepts/index.md) and viewing the list of [trails](../audit-trails/concepts/trail.md) and info on them, as well as the info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../resource-manager/concepts/resources-hierarchy.md#folder), and Audit Trails [quotas](../audit-trails/concepts/limits.md#audit-trails-quotas).

This role includes the `audit-trails.auditor` permissions.

#### audit-trails.editor {#at-editor}

The `audit-trails.editor` role enables managing trails and reading audit logs.

Users with this role can:
* View the list of [trails](../audit-trails/concepts/trail.md) and info on them, as well as create, modify, and delete them.
* Read [audit logs](../audit-trails/concepts/index.md).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).
* View info on the Audit Trails [quotas](../audit-trails/concepts/limits.md#audit-trails-quotas).

This role includes the `audit-trails.viewer` permissions.

#### audit-trails.admin {#at-admin}

The `audit-trails.admin` role enables managing trails and user access to them, as well as reading audit logs.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) assigned to [trails](../audit-trails/concepts/trail.md) and modify such permissions.
* View the list of trails and info on them, as well as create, modify, and delete them.
* Read [audit logs](../audit-trails/concepts/index.md).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).
* View info on the Audit Trails [quotas](../audit-trails/concepts/limits.md#audit-trails-quotas).

This role includes the `audit-trails.editor` permissions.

#### audit-trails.configViewer {#at-configviewer}

The `audit-trails.configViewer` role enables viewing the list of trails and info on them, as well as the info on the relevant cloud, folder, and Audit Trails quotas.

This role is no longer available. Please use `audit-trails.auditor` instead.

For more information, see [Access management Audit Trails](../audit-trails/security/index.md).


## Yandex BareMetal {#baremetal-roles}

#### baremetal.auditor {#baremetal-auditor}

The `baremetal.auditor` role enables viewing the Yandex BareMetal resource metadata.

Users with this role can:
* View info on BareMetal [servers](../baremetal/concepts/servers.md) and their [configuration](../baremetal/concepts/server-configurations.md).
* View info on [private subnets](../baremetal/concepts/private-network.md#private-subnet) and [virtual routing and forwarding (VRF) segments](../baremetal/concepts/private-network.md#vrf-segment).
* View info on the uploaded OS images for BareMetal servers.
* View details on Yandex BareMetal [quotas](../baremetal/concepts/limits.md#baremetal-quotas).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

#### baremetal.viewer {#baremetal-viewer}

The `baremetal.viewer` role enables viewing info on the Yandex BareMetal resources.

Users with this role can:
* View info on BareMetal [servers](../baremetal/concepts/servers.md) and their [configuration](../baremetal/concepts/server-configurations.md).
* View info on [private subnets](../baremetal/concepts/private-network.md#private-subnet) and [virtual routing and forwarding (VRF) segments](../baremetal/concepts/private-network.md#vrf-segment).
* View info on the uploaded OS images for BareMetal servers.
* View details on Yandex BareMetal [quotas](../baremetal/concepts/limits.md#baremetal-quotas).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `baremetal.auditor` permissions.

#### baremetal.operator {#baremetal-operator}

The `baremetal.operator` role enables working on the BareMetal servers and viewing info on the Yandex BareMetal resources.

Users with this role can:
* View info on BareMetal [servers](../baremetal/concepts/servers.md) and their [configuration](../baremetal/concepts/server-configurations.md).
* Use the [KVM console](../baremetal/operations/servers/server-kvm.md).
* Use [IPMI](https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface) to power the servers on, shut them down, and restart them.
* View info on [private subnets](../baremetal/concepts/private-network.md#private-subnet) and [virtual routing and forwarding (VRF) segments](../baremetal/concepts/private-network.md#vrf-segment).
* View info on the uploaded OS images for the servers.
* View details on Yandex BareMetal [quotas](../baremetal/concepts/limits.md#baremetal-quotas).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `baremetal.viewer` permissions.

#### baremetal.editor {#baremetal-editor}

The `baremetal.editor` role enables managing BareMetal servers, private subnets, virtual routing and forwarding (VRF) segments, and OS server images.

Users with this role can:
* View info on BareMetal [servers](../baremetal/concepts/servers.md) and their [configuration](../baremetal/concepts/server-configurations.md).
* Start and stop renting BareMetal servers and change their settings.
* View info on [private subnets](../baremetal/concepts/private-network.md#private-subnet), as well as create, modify, and delete them.
* View info on [virtual routing and forwarding (VRF)](../baremetal/concepts/private-network.md#vrf-segment) segments, as well as create, modify, and delete them.
* View info on the uploaded OS images for BareMetal servers, as well as upload, modify, and delete such images.
* Re-install OS’s for BareMetal servers.
* Use the [KVM console](../baremetal/operations/servers/server-kvm.md).
* Use [IPMI](https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface) to power the servers on, shut them down, and restart them.
* View details on Yandex BareMetal [quotas](../baremetal/concepts/limits.md#baremetal-quotas).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `baremetal.operator` permissions.

#### baremetal.admin {#baremetal-admin}

The `baremetal.admin` role enables managing BareMetal servers, private subnets, virtual routing and forwarding (VRF) segments, and OS server images.

Users with this role can:
* View info on BareMetal [servers](../baremetal/concepts/servers.md) and their [configuration](../baremetal/concepts/server-configurations.md).
* Start and stop renting BareMetal servers and change their settings.
* View info on [private subnets](../baremetal/concepts/private-network.md#private-subnet), as well as create, modify, and delete them.
* View info on [virtual routing and forwarding (VRF)](../baremetal/concepts/private-network.md#vrf-segment) segments, as well as create, modify, and delete them.
* View info on the uploaded OS images for BareMetal servers, as well as upload, modify, and delete such images.
* Re-install OS’s for BareMetal servers.
* Use the [KVM console](../baremetal/operations/servers/server-kvm.md).
* Use [IPMI](https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface) to power the servers on, shut them down, and restart them.
* View details on Yandex BareMetal [quotas](../baremetal/concepts/limits.md#baremetal-quotas).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `baremetal.editor` permissions.

For more information, see [Access management in Yandex BareMetal](../baremetal/security/index.md).


## Yandex Certificate Manager {#certificate-manager-roles}

#### certificate-manager.auditor {#certificate-manager-auditor}

The `certificate-manager.auditor` role enables viewing info on certificates and access permissions assigned to them.

Users with this role can:
* View the list of [certificates](../certificate-manager/concepts/index.md#types) and [dependent](../certificate-manager/concepts/services.md) resources, as well as info on certificates and [access permissions](concepts/access-control/index.md) assigned to them.
* View info on the Certificate Manager [quotas](../certificate-manager/concepts/limits.md#certificate-manager-quotas).

#### certificate-manager.viewer {#certificate-manager-viewer}

The `certificate-manager.viewer` role enables viewing info on certificates and access permissions assigned to them.

Users with this role can:
* View the list of [certificates](../certificate-manager/concepts/index.md#types) and [dependent](../certificate-manager/concepts/services.md) resources, as well as info on certificates and [access permissions](concepts/access-control/index.md) assigned to them.
* View info on the Certificate Manager [quotas](../certificate-manager/concepts/limits.md#certificate-manager-quotas).

This role includes the `certificate-manager.auditor` permissions.

#### certificate-manager.editor {#certificate-manager-editor}

The `certificate-manager.editor` role enables managing certificates and viewing info on them, as well as on access permissions assigned to them, and on the Certificate Manager quotas.

Users with this role can:
* View the list of [certificates](../certificate-manager/concepts/index.md#types) and [dependent](../certificate-manager/concepts/services.md) resources, as well as info on certificates and [access permissions](concepts/access-control/index.md) assigned to them.
* Add, modify, update, and delete certificates.
* View info on the Certificate Manager [quotas](../certificate-manager/concepts/limits.md#certificate-manager-quotas).

This role includes the `certificate-manager.viewer` permissions.

#### certificate-manager.admin {#certificate-manager-admin}

The `certificate-manager.admin` role enables managing certificates and access to them, as well as getting the certificate contents.

Users with this role can:
* View the list of [certificates](../certificate-manager/concepts/index.md#types) and [dependent](../certificate-manager/concepts/services.md) resources, as well as info on certificates.
* View info on [access permissions](concepts/access-control/index.md) assigned to certificates and modify such permissions.
* Add, modify, update, and delete certificates.
* Get certificate contents.
* View info on the Certificate Manager [quotas](../certificate-manager/concepts/limits.md#certificate-manager-quotas).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `certificate-manager.editor` permissions.

#### certificate-manager.certificates.downloader {#certificate-manager-certificates-downloader}

The `certificate-manager.certificates.downloader` role enables viewing the list of [certificates](../certificate-manager/concepts/index.md#types) and info on them, as well as getting the certificate contents.

For more information, see [Access management in Certificate Manager](../certificate-manager/security/index.md).


## Yandex Cloud AI Studio {#fm-roles}

#### ai.playground.user {#ai-playground-user}

The `ai.playground.user` role enables creating experiments, getting a list of all available models, and using these models in AI Playground in the Yandex Cloud management console. To work with search indexes in the management console, you also need the `ai.assistants.editor` role.

#### ai.languageModels.user {#languageModels-user}

The `ai.languageModels.user` role enables using [text generation models](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/generation/models), [text embedding models](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/embeddings#yandexgpt-embeddings), and [classifier](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/classifier/models) models in Yandex Cloud AI Studio, as well as viewing info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../resource-manager/concepts/resources-hierarchy.md#folder), and [quotas](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/limits#yandexgpt-quotas).

#### ai.imageGeneration.user {#imageGeneration-user}

The `ai.imageGeneration.user` role enables using the YandexART image generation models within Yandex Cloud AI Studio, as well as viewing info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../resource-manager/concepts/resources-hierarchy.md#folder), and [quotas](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/limits#yandexgpt-quotas).

#### ai.assistants.auditor {#ai-assistants-auditor}

The `ai.assistants.auditor` role enables viewing info on uploaded [files](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/search/vectorstore#file-uploading), Vector Store [search indexes](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/search/vectorstore), Yandex Cloud AI Studio [quotas](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/limits#yandexgpt-quotas), as well as on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

#### ai.assistants.viewer {#ai-assistants-viewer}

The `ai.assistants.viewer` role enables viewing info on files and Vector Store search indexes as well as conducting searches using these indexes.

Users with this role can:
* View info on uploaded [files](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/search/vectorstore#file-uploading) and their contents.
* View info on Vector Store [search indexes](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/search/vectorstore) as well as conduct searches using these indexes.
* View info on Yandex Cloud AI Studio [quotas](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/limits#yandexgpt-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `ai.assistants.auditor` permissions.

#### ai.assistants.editor {#ai-assistants-editor}

The `ai.assistants.editor` role enables using AI agents as well as managing files and Vector Store search indexes.

Users with this role can:
* Use [AI agents](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/agents/).
* View info on uploaded [files](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/search/vectorstore#file-uploading) as well as create, update, view, and delete them.
* View info on Vector Store [search indexes](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/search/vectorstore), create, modify, and delete them, as well as conduct searches using these indexes.
* View info on Yandex Cloud AI Studio [quotas](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/limits#yandexgpt-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `ai.assistants.viewer` permissions.

#### ai.assistants.admin {#ai-assistants-admin}

The `ai.assistants.admin` role enables using AI agents as well as managing files and Vector Store search indexes.

Users with this role can:
* Use [AI agents](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/agents/).
* View info on uploaded files as well as create, update, view, and delete them.
* View info on Vector Store [search indexes](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/search/vectorstore), create, modify, and delete them, as well as conduct searches using these indexes.
* View info on Yandex Cloud AI Studio [quotas](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/limits#yandexgpt-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `ai.assistants.editor` permissions.

#### ai.datasets.auditor {#ai-datasets-auditor}

The `ai.datasets.auditor` role enables viewing the [dataset](https://aistudio.yandex.ru/docs/en/ai-studio/dataset/api-ref/grpc/) metadata.

#### ai.datasets.viewer {#ai-datasets-viewer}

The `ai.datasets.viewer` role enables viewing the info on [datasets](https://aistudio.yandex.ru/docs/en/ai-studio/dataset/api-ref/grpc/).

This role includes the `ai.datasets.auditor` permissions.

#### ai.datasets.user {#ai-datasets-user}

The `ai.datasets.user` role enables viewing info on [datasets](https://aistudio.yandex.ru/docs/en/ai-studio/dataset/api-ref/grpc/) and using them to [fine-tune](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/tuning/#fm-tuning) models in AI Studio.

This role includes the `ai.datasets.viewer` permissions.

#### ai.datasets.editor {#ai-datasets-editor}

The `ai.datasets.editor` role enables viewing info on [datasets](https://aistudio.yandex.ru/docs/en/ai-studio/dataset/api-ref/grpc/), creating, modifying, and deleting them, as well as using them to [fine-tune](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/tuning/#fm-tuning) models in AI Studio.

This role includes the `ai.datasets.user` permissions.

#### ai.datasets.admin {#ai-datasets-admin}

The `ai.datasets.admin` role enables viewing info on [datasets](https://aistudio.yandex.ru/docs/en/ai-studio/dataset/api-ref/grpc/), creating, modifying, and deleting them, as well as using them to [fine-tune](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/tuning/#fm-tuning) models in AI Studio.

This role includes the `ai.datasets.editor` permissions.

#### ai.models.auditor {#ai-models-auditor}

The `ai.models.auditor` role enables viewing the [text generation model](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/generation/models) metadata in Yandex Cloud AI Studio.

#### ai.models.viewer {#ai-models-viewer}

The `ai.models.viewer` role enables viewing info on the [text generation models](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/generation/models) in Yandex Cloud AI Studio.

This role includes the `ai.models.auditor` permissions.

#### ai.models.user {#ai-models-user}

The `ai.models.user` role enables using AI agents, text and image generation models, text embedding models, and classifier models in Yandex Cloud AI Studio, as well as employing Yandex Translate, Yandex Vision OCR, and Yandex SpeechKit.

Users with this role can:
* View info on [text generation models](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/generation/models) in Yandex Cloud AI Studio.
* Use [AI agents](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/agents/), text and image generation models, [text embedding](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/embeddings#yandexgpt-embeddings) models, and [classifier](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/classifier/models) models in Yandex Cloud AI Studio.
* Use Yandex Translate to [translate texts](https://aistudio.yandex.ru/docs/en/translate/quickstart).
* Use Yandex Vision OCR to [analyze images](https://aistudio.yandex.ru/docs/en/vision/concepts/ocr/).
* Use Yandex SpeechKit for speech [recognition](https://aistudio.yandex.ru/docs/en/speechkit/stt/) and [synthesis](https://aistudio.yandex.ru/docs/en/speechkit/tts/).

This role includes the `ai.models.viewer` permissions.

#### ai.models.editor {#ai-models-editor}

The `ai.models.editor` role enables managing the fine-tuning of Yandex Cloud AI Studio models as well as using Yandex Translate, Yandex Vision OCR, Yandex SpeechKit, and Yandex Cloud AI Studio.

Users with this role can:
* View info on [text generation models](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/generation/models) in Yandex Cloud AI Studio.
* [Fine-tune](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/tuning/#fm-tuning) Yandex Cloud AI Studio models as well as create, modify, and delete fine-tuned models.
* Use [AI agents](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/agents/), text and image generation models, [text embedding](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/embeddings#yandexgpt-embeddings) models, and [classifier](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/classifier/models) models in Yandex Cloud AI Studio.
* Use Yandex Translate to [translate texts](https://aistudio.yandex.ru/docs/en/translate/quickstart).
* Use Yandex Vision OCR to [analyze images](https://aistudio.yandex.ru/docs/en/vision/concepts/ocr/).
* Use Yandex SpeechKit for speech [recognition](https://aistudio.yandex.ru/docs/en/speechkit/stt/) and [synthesis](https://aistudio.yandex.ru/docs/en/speechkit/tts/).

This role includes the `ai.models.user` permissions.

#### ai.models.admin {#ai-models-admin}

The `ai.models.admin` role enables managing the fine-tuning of Yandex Cloud AI Studio models as well as using Yandex Translate, Yandex Vision OCR, Yandex SpeechKit, and Yandex Cloud AI Studio.

Users with this role can:
* View info on [text generation models](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/generation/models) in Yandex Cloud AI Studio.
* [Fine-tune](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/tuning/#fm-tuning) Yandex Cloud AI Studio models as well as create, modify, and delete fine-tuned models.
* Use [AI agents](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/agents/), text and image generation models, [text embedding](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/embeddings#yandexgpt-embeddings) models, and [classifier](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/classifier/models) models in Yandex Cloud AI Studio.
* Use Yandex Translate to [translate texts](https://aistudio.yandex.ru/docs/en/translate/quickstart).
* Use Yandex Vision OCR to [analyze images](https://aistudio.yandex.ru/docs/en/vision/concepts/ocr/).
* Use Yandex SpeechKit for speech [recognition](https://aistudio.yandex.ru/docs/en/speechkit/stt/) and [synthesis](https://aistudio.yandex.ru/docs/en/speechkit/tts/).

This role includes the `ai.models.editor` permissions.

#### ai.guardrails.auditor {#ai-guardrails-auditor}

The `ai.guardrails.auditor` role enables viewing metadata on [guardrails](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/security/guardrails#rules) for model responses.

#### ai.guardrails.viewer {#ai-guardrails-viewer}

The `ai.guardrails.viewer` role enables viewing info on [guardrails](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/security/guardrails#rules) for model responses.

This role includes the `ai.guardrails.auditor` permissions.

#### ai.guardrails.user {#ai-guardrails-user}

The `ai.guardrails.user` role enables applying [guardrails](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/security/guardrails#rules) for model responses and viewing metadata on such rules.

#### ai.guardrails.editor {#ai-guardrails-editor}

The `ai.guardrails.editor` role enables viewing info on [guardrails](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/security/guardrails#rules) for model responses, as well as creating, applying, modifying, and deleting such rules.

This role includes the `ai.guardrails.viewer` and `ai.guardrails.user` permissions.

#### ai.guardrails.admin {#ai-guardrails-admin}

The `ai.guardrails.admin` role enables viewing info on [guardrails](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/security/guardrails#rules) for model responses, as well as creating, applying, modifying, and deleting such rules.

This role includes the `ai.guardrails.editor` permissions.

#### serverless.mcpGateways.auditor {#serverless-mcpGateways-auditor}

The `serverless.mcpGateways.auditor` role allows the user to view info on [MCP servers](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/mcp-hub/#servers) and their [access permissions](concepts/access-control/roles.md).

#### serverless.mcpGateways.viewer {#serverless-mcpGateways-viewer}

The `serverless.mcpGateways.viewer` role allows the user to view info on [MCP servers](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/mcp-hub/#servers) and their [access permissions](concepts/access-control/roles.md).

This role includes the `serverless.mcpGateways.auditor` permissions.

#### serverless.mcpGateways.invoker {#serverless-mcpGateways-invoker}

The `serverless.mcpGateways.invoker` role allows the user to access [MCP servers](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/mcp-hub/#servers), including access via MCP Hub.

#### serverless.mcpGateways.anonymousInvoker {#serverless-mcpGateways-anonymousInvoker}

The `serverless.mcpGateways.anonymousInvoker` role allows the user to access [MCP servers](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/mcp-hub/#servers), including access via MCP Hub.

#### serverless.mcpGateways.editor {#serverless-mcpGateways-editor}

The `serverless.mcpGateways.editor` role allows the user to create, modify and delete [MCP servers](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/mcp-hub/#servers), view info on them and their [access permissions](concepts/access-control/roles.md).

This role includes the `serverless.mcpGateways.viewer` permissions.

#### serverless.mcpGateways.admin {#serverless-mcpGateways-admin}

The `serverless.mcpGateways.admin` role allows the user to manage MCP servers and access to them.

Users with this role can:
* View [MCP server](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/mcp-hub/#servers) info, create, update, and delete MCP servers.
* View MCP server [access permission](concepts/access-control/roles.md) info, modify MCP server access permissions.
* Access MCP servers, including external ones, via MCP Hub.

This role includes the `serverless.mcpGateways.editor`, `serverless.mcpGateways.invoker`, and `serverless.mcpGateways.anonymousInvoker` permissions.

For more information, see [Access management in Yandex Cloud AI Studio](https://aistudio.yandex.ru/docs/en/ai-studio/security/index).


## Yandex Cloud Backup {#backup-roles}

#### backup.auditor {#backup-auditor}

The `backup.auditor` role enables viewing information on virtual machines and BareMetal servers connected to Cloud Backup, on backup policies and service quotas, as well as on the relevant cloud and folder.

Users with this role can:
* View info on the connected backup [providers](../backup/concepts/index.md#providers).
* View info on [backup policies](../backup/concepts/policy.md) and virtual machines and BareMetal servers linked to them.
* View info on the [access permissions](concepts/access-control/index.md) granted for the relevant backup policies.
* View info on the virtual machines and BareMetal servers [connected](../backup/concepts/vm-connection.md) to Cloud Backup.
* View info on Cloud Backup [quotas](../backup/concepts/limits.md#backup-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder) and its statistics.

To assign the `backup.auditor` role, you need the `admin` role for the cloud or `backup.admin` for the folder.

#### backup.viewer {#backup-viewer}

The `backup.viewer` role enables viewing information on virtual machines and BareMetal servers connected to Cloud Backup, on backup policies and backups, as well as on the relevant cloud, folder, and quotas.

Users with this role can:
* View info on the connected backup [providers](../backup/concepts/index.md#providers).
* View info on the [access permissions](concepts/access-control/index.md) granted for the relevant backup policies.
* View info on [backup policies](../backup/concepts/policy.md) and virtual machines and BareMetal servers linked to them.
* View info on the virtual machines and BareMetal servers [connected](../backup/concepts/vm-connection.md) to Cloud Backup.
* View info on [backups](../backup/concepts/backup.md).
* View info on Cloud Backup [quotas](../backup/concepts/limits.md#backup-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder) and its statistics.

This role includes the `backup.auditor` permissions.

To assign the `backup.viewer` role, you need the `admin` role for the cloud or `backup.admin` for the folder.

#### backup.user {#backup-user}

The `backup.user` role enables connecting backup providers, connecting VMs and BareMetal servers to Cloud Backup, linking backup policies to VMs and BareMetal servers and unlinking them, as well as viewing info on Cloud Backup resources and quotas and on the relevant cloud and folder.

Users with this role can:
* View info on connected backup [providers](../backup/concepts/index.md#providers), as well as connect providers available in Cloud Backup.
* View info on virtual machines and BareMetal servers [connected](../backup/concepts/vm-connection.md) to Cloud Backup, as well as connect VMs and BareMetal servers to it.
* View info on [backup policies](../backup/concepts/policy.md) as well as on virtual machines and BareMetal servers linked to such policies.
* Link backup policies to VMs and BareMetal servers and unlink them.
* View info on [access permissions](concepts/access-control/index.md) granted for backup policies.
* View info on Cloud Backup [quotas](../backup/concepts/limits.md#backup-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder) and its statistics.

This role includes the `backup.auditor` permissions.

To assign the `backup.user` role, you need the `admin` role for the cloud or `backup.admin` for the folder.

#### backup.editor {#backup-editor}

The `backup.editor` role enables managing the connection of virtual machines and BareMetal servers to Cloud Backup, managing backup policies, making backups, and restoring VMs and BareMetal servers from the existing backups.

Users with this role can:
* View info on connected backup [providers](../backup/concepts/index.md#providers), as well as connect providers available in Cloud Backup.
* View info on [backup policies](../backup/concepts/policy.md) as well as on virtual machines and BareMetal servers linked to such policies.
* Create, modify, and delete backup policies, as well as link, unlink, and run them on virtual machines and BareMetal servers.
* View info on [access permissions](concepts/access-control/index.md) granted for backup policies.
* View info on virtual machines and BareMetal servers [connected](../backup/concepts/vm-connection.md) to Cloud Backup, as well as connect and disconnect VMs and BareMetal servers to and from it.
* View info on [backups](../backup/concepts/backup.md), as well as delete them and use them to restore VMs and BareMetal servers.
* View info on Cloud Backup [quotas](../backup/concepts/limits.md#backup-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder) and its statistics.

This role includes the `backup.viewer` and `backup.user` permissions.

To assign the `backup.editor` role, you need the `admin` role for the cloud or `backup.admin` for the folder.

#### backup.admin {#backup-admin}

The `backup.admin` role enables managing backup policies and access to them, managing the connection of virtual machines and BareMetal servers to Cloud Backup, making backups, and restoring VMs and BareMetal servers from the existing backups.

Users with this role can:
* View info on connected backup [providers](../backup/concepts/index.md#providers), as well as connect providers available in Cloud Backup.
* View info on [backup policies](../backup/concepts/policy.md) as well as on virtual machines and BareMetal servers linked to such policies.
* View info on [access permissions](concepts/access-control/index.md) granted for backup policies and modify such permissions.
* Create, modify, and delete backup policies, as well as link, unlink, and run them on virtual machines and BareMetal servers.
* View info on virtual machines and BBareMetal servers [connected](../backup/concepts/vm-connection.md) to Cloud Backup, as well as connect and disconnect VMs and BareMetal servers to and from it.
* View info on [backups](../backup/concepts/backup.md), as well as delete them and use them to restore VMs and BareMetal servers.
* View info on Cloud Backup [quotas](../backup/concepts/limits.md#backup-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder) and its statistics.

This role includes the `backup.editor` permissions.

To assign the `backup.admin` role, you need the `admin` role for the cloud.

For more information, see [Access management in Cloud Backup](../backup/security/index.md).


## Yandex Cloud Billing {#billing-roles}

#### billing.accounts.member {#billing-accounts-member}

The `billing.accounts.member` role is granted automatically when a user is added to the service. It is required to display the selected [billing account](../billing/concepts/billing-account.md) in the list of all user accounts.

#### billing.accounts.owner {#billing-accounts-owner}

When creating your billing account, you get the `billing.accounts.owner` role automatically. Any user with the `billing.accounts.owner` role can revoke this role from the billing account creator and change the owner.

{% cut "In Yandex Cloud Billing, users with this role can:" %}

* Display [billing accounts](../billing/concepts/billing-account.md) in the list of all accounts.
* View billing account data.
* View [client offers](../billing/concepts/glossary.md#client-offer).
* View info on the [access permissions](concepts/access-control/index.md) granted for the relevant billing accounts and modify such permissions.
* Activate, deactivate, or modify the [technical support](../support/overview.md) service plan, as well as change the billing account from which the payment is debited.
* View and download [reporting (or closing) documents](../billing/payment/documents.md).
* Generate new [reconciliation reports](../billing/concepts/act.md#reconciliation-report).
* View and download generated reconciliation reports.
* Get and view notifications on consumption.
* Monitor expenses.
* [View usage details](../billing/operations/check-charges.md).
* [Export details](../billing/operations/get-folder-report.md).
* Create [budgets](../billing/concepts/budget.md).
* [Reserve resource usage](../billing/concepts/cvos.md).
* Top up their [personal account](../billing/concepts/personal-account.md) using a bank account.
* Top up their personal account using a credit or debit card.
* Link [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) to a billing account.
* Rename billing accounts.
* Changing payer contact details.
* Change payment details.
* Change their credit or debit card details.
* Change the payment method.
* Redeem promo codes.
* Activate the [trial period](../billing/concepts/trial-period.md).
* Activate the [paid version](../getting-started/free-trial/concepts/upgrade-to-paid.md).
* [Delete](../billing/operations/delete-account.md) billing accounts.

{% endcut %}

{% cut "On the Yandex Cloud partner portal, users with this role can:" %}

* [Create](../partner/operations/pin-client.md#client-entry) customer records ([subaccounts](../partner/terms.md#sub-account)).
* View the list of subaccounts and info on them, including personal data.
* Update subaccount records.
* Activate subaccounts.
* Suspend subaccounts.
* Re-activate subaccounts.
* Delete subaccounts without customer confirmation.
* Link [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) to subaccounts.
* [Manage](../partner/operations/access/partners-account.md) access permissions to subaccounts.
* [View](../partner/operations/get-client-stat.md) the details of how the customers use services.
* View the list of [partner discounts](../partner/portal.md#premium) and info on them.

{% endcut %}

This role includes the `billing.accounts.admin` and `billing.accounts.varWithoutDiscounts` permissions.

#### billing.accounts.viewer {#billing-accounts-viewer}

To use the `billing.accounts.viewer` role, you need to assign it for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, and export reconciliation reports and reporting documents.

{% cut "In Yandex Cloud Billing, users with this role can:" %}

* Display [billing accounts](../billing/concepts/billing-account.md) in the list of all accounts.
* View billing account data.
* View and download [reporting (or closing) documents](../billing/payment/documents.md).
* View and download generated reconciliation reports.
* Get and view notifications on consumption.
* Monitor expenses.
* [View usage details](../billing/operations/check-charges.md).

{% endcut %}

#### billing.accounts.accountant {#billing-accounts-accountant}

To use the `billing.accounts.accountant` role, you need to assign it for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, export reconciliation reports and reporting documents, create new reconciliation reports, and top up your personal account using a bank account.

{% cut "In Yandex Cloud Billing, users with this role can:" %}

* Display billing accounts in the list of all accounts.
* View billing account data.
* View and download [reporting (or closing) documents](../billing/payment/documents.md).
* Generate new [reconciliation reports](../billing/concepts/act.md#reconciliation-report).
* View and download generated reconciliation reports.
* Get and view notifications on consumption.
* Monitor expenses.
* [View usage details](../billing/operations/check-charges.md).
* Top up their [personal account](../billing/concepts/personal-account.md) using a bank account.

{% endcut %}


This role includes the `billing.accounts.viewer` permissions.

#### billing.accounts.editor {#billing-accounts-editor}

To use the `billing.accounts.editor` role, you need to assign it for a billing account. It enables you to get payment invoices, redeem promo codes, link clouds and services to your billing account, create details export and budgets, generate reconciliation reports, and reserve resources.

{% cut "In Yandex Cloud Billing, users with this role can:" %}

* Display [billing accounts](../billing/concepts/billing-account.md) in the list of all accounts.
* View billing account data.
* View [client offers](../billing/concepts/glossary.md#client-offer).
* View and download [reporting (or closing) documents](../billing/payment/documents.md).
* Generate new [reconciliation reports](../billing/concepts/act.md#reconciliation-report).
* View and download generated reconciliation reports.
* Get and view notifications on consumption.
* Monitor expenses.
* [View usage details](../billing/operations/check-charges.md).
* [Export details](../billing/operations/get-folder-report.md).
* Create [budgets](../billing/concepts/budget.md).
* [Reserve resource usage](../billing/concepts/cvos.md).
* Top up their [personal account](../billing/concepts/personal-account.md) using a bank account.
* Link [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) to a billing account.
* Rename billing accounts.
* Redeem promo codes.

{% endcut %}

{% cut "On the Yandex Cloud partner portal, users with this role can:" %}

* Link [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) to [subaccounts](../partner/terms.md#sub-account).

{% endcut %}

This role includes the `billing.accounts.viewer` permissions.

#### billing.accounts.admin {#billing-accounts-admin}

To use the `billing.accounts.admin` role, you need to assign it for a billing account. It enables managing access to a billing account (except for `billing.accounts.owner`).

{% cut "In Yandex Cloud Billing, users with this role can:" %}

* Display [billing accounts](../billing/concepts/billing-account.md) in the list of all accounts.
* View billing account data.
* View [client offers](../billing/concepts/glossary.md#client-offer).
* View info on the [access permissions](concepts/access-control/index.md) granted for the relevant billing accounts and modify such permissions (except for assigning and revoking the `billing.accounts.owner` role).
* Activate, deactivate, or modify the [technical support](../support/overview.md) service plan, as well as change the billing account from which the payment is debited.
* View and download [reporting (or closing) documents](../billing/payment/documents.md).
* Generate new [reconciliation reports](../billing/concepts/act.md#reconciliation-report).
* View and download generated reconciliation reports.
* Get and view notifications on consumption.
* Monitor expenses.
* [View usage details](../billing/operations/check-charges.md).
* [Export details](../billing/operations/get-folder-report.md).
* Create [budgets](../billing/concepts/budget.md).
* [Reserve resource usage](../billing/concepts/cvos.md).
* Top up their [personal account](../billing/concepts/personal-account.md) using a bank account.
* Link [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) to a billing account.
* Rename billing accounts.
* Redeem promo codes.

{% endcut %}

{% cut "On the Yandex Cloud partner portal, users with this role can:" %}

* [Create](../partner/operations/pin-client.md#client-entry) customer records ([subaccounts](../partner/terms.md#sub-account)).
* View the list of subaccounts and info on them, including personal data.
* Activate subaccounts.
* Suspend subaccounts.
* Re-activate subaccounts.
* Link [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) to subaccounts.
* [Manage](../partner/operations/access/partners-account.md) access permissions to subaccounts.
* [View](../partner/operations/get-client-stat.md) the details of how the customers use services.
* View the list of [partner discounts](../partner/portal.md#premium) and info on them.

{% endcut %}

This role includes the `billing.accounts.editor`, `billing.accounts.partnerAdmin`, and `billing.partners.editor` permissions.

#### billing.accounts.varWithoutDiscounts {#billing-accounts-var-without-discounts}

To use the `billing.accounts.varWithoutDiscounts` role, you need to assign it for a billing account. This role grants partner accounts all administrator privileges, except the permission to get information about discounts.

{% cut "In Yandex Cloud Billing, users with this role can:" %}

* Display [billing accounts](../billing/concepts/billing-account.md) in the list of all accounts.
* View billing account data.
* View info on the [access permissions](concepts/access-control/index.md) granted for the relevant billing accounts.
* View and download [reporting (or closing) documents](../billing/payment/documents.md).
* Generate new [reconciliation reports](../billing/concepts/act.md#reconciliation-report).
* View and download generated reconciliation reports.
* Get and view notifications on consumption.
* Monitor expenses.
* [View usage details](../billing/operations/check-charges.md).
* [Export details](../billing/operations/get-folder-report.md).
* Create [budgets](../billing/concepts/budget.md).
* [Reserve resource usage](../billing/concepts/cvos.md).
* Top up their [personal account](../billing/concepts/personal-account.md) using a bank account.
* Link [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) to a billing account.
* Rename billing accounts.
* Redeem promo codes.

{% endcut %}

{% cut "On the Yandex Cloud partner portal, users with this role can:" %}

* [Create](../partner/operations/pin-client.md#client-entry) customer records ([subaccounts](../partner/terms.md#sub-account)).
* View the list of subaccounts and info on them.
* Activate subaccounts.
* Suspend subaccounts.
* Re-activate subaccounts.
* Link [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) to subaccounts.
* [Manage](../partner/operations/access/partners-account.md) access permissions to subaccounts.
* [View](../partner/operations/get-client-stat.md) the details of how the customers use services.

{% endcut %}

This role includes the `billing.partners.editor` permissions.

#### billing.partners.editor {#billing-partners-editor}

The `billing.partners.editor` role is assigned for a [billing account](../billing/concepts/billing-account.md). It grants permission to edit information about a [partner](../partner/program/var.md) and their products in the [partner product catalog](../partner/program/var-tools.md#catalog).

For more information, see [Access management in Yandex Cloud Billing](../billing/security/index.md).


## Yandex Cloud CDN {#cdn-roles}

#### cdn.viewer {#cdn-viewer}

The `cdn.viewer` role enables viewing info on the folder, [origin groups](../cdn/concepts/origins.md), [CDN resources](../cdn/concepts/resource.md), and Cloud CDN [quotas](../cdn/concepts/limits.md#cdn-quotas).

#### cdn.editor {#cdn-editor}

The `cdn.editor` role enables managing Cloud CDN resources, as well as viewing the info on quotas and the relevant folder.

Users with this role can:
* View information on [origin groups](../cdn/concepts/origins.md) as well as create, modify, and delete them.
* View information on [CDN resources](../cdn/concepts/resource.md) as well as create, modify, and delete them.
* Manage [log export](../cdn/concepts/logs.md) for the requests to CDN servers.
* Manage [origin shielding](../cdn/concepts/origins-shielding.md).
* View information on Cloud CDN [quotas](../cdn/concepts/limits.md#cdn-quotas).
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `cdn.viewer` permissions.

#### cdn.admin {#cdn-admin}

The `cdn.admin` role enables managing Cloud CDN resources, as well as viewing the info on quotas and the relevant folder.

Users with this role can:
* View information on [origin groups](../cdn/concepts/origins.md) as well as create, modify, and delete them.
* View information on [CDN resources](../cdn/concepts/resource.md) as well as create, modify, and delete them.
* Manage [log export](../cdn/concepts/logs.md) for the requests to CDN servers.
* Manage [origin shielding](../cdn/concepts/origins-shielding.md).
* View information on Cloud CDN [quotas](../cdn/concepts/limits.md#cdn-quotas).
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `cdn.editor` permissions.

Moving forward, it will additionally include more features.

For more information, see [Access management in Cloud CDN](../cdn/security/index.md).


## Yandex Cloud Desktop {#desktop-roles}

#### vdi.viewer {#vdi-viewer}

The `vdi.viewer` role enables viewing info on desktops and desktop groups.

Users with this role can:
* View info on desktop groups and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [desktops](../cloud-desktop/concepts/desktops-and-groups.md).
* View info on the Cloud Desktop [quotas](../cloud-desktop/concepts/limits.md#quotas).

This role includes the `vdi.auditor` permissions.

#### vdi.desktopGroups.maintainer {#vdi-desktopGroups-maintainer}

The `vdi.desktopGroups.maintainer` role enables using any desktops in a desktop group.

Users with this role can:
* Assign themselves one [desktop](../cloud-desktop/concepts/desktops-and-groups.md) in each desktop group.
* Connect to their desktops.
* Start, restart, and stop any desktops in a group.
* Reset the password on any desktop in a group.

This role includes the `vdi.desktopGroups.user` permissions.

#### vdi.desktopGroups.user {#vdi-desktopGroups-user}

The `vdi.desktopGroups.user` role enables using your desktops.

Users with this role can:
* Assign themselves one [desktop](../cloud-desktop/concepts/desktops-and-groups.md) in each desktop group.
* Connect to their desktops.
* Start, restart, and stop any desktops in a group.
* Reset the password on any desktop in a group.

#### vdi.editor {#vdi-editor}

The `vdi.editor` role allows managing desktop groups and desktops as well as using your desktops.

Users with this role can:
* View info on [desktop groups](../cloud-desktop/concepts/desktops-and-groups.md), as well as create, update, and delete them. A user with this role can only add themselves as a user to a desktop group or keep this field empty.
* View info on [access permissions](concepts/access-control/index.md) granted for desktop groups.
* View info on [desktop groups](../cloud-desktop/concepts/desktops-and-groups.md), as well as create, update, and delete them.
* Assign themselves any number of desktops in a group.
* Connect to their desktops.
* Start, restart, and stop any desktops in a group.
* Reset the password on any desktop in a group.
* View info on the Cloud Desktop [quotas](../cloud-desktop/concepts/limits.md#quotas).

This role includes the `vdi.viewer` and `vdi.desktopGroups.user` permissions.

#### vdi.admin {#vdi-admin}

The `vdi.admin` role allows managing desktop groups and access to them, as well as managing and using desktops.

Users with this role can:
* View info on [desktop groups](../cloud-desktop/concepts/desktops-and-groups.md), as well as create, update, and delete them.
* View info on and update [access permissions](concepts/access-control/index.md) granted for desktop groups.
* View info on [desktop groups](../cloud-desktop/concepts/desktops-and-groups.md), as well as create, update, and delete them.
* Assign themselves or any other user any number of desktops in a desktop group.
* Connect to their desktops.
* Start, restart, and stop any desktops in a group.
* Reset the password on any desktop in a group.
* View info on the Cloud Desktop [quotas](../cloud-desktop/concepts/limits.md#quotas).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `vdi.editor` and `vdi.desktopGroups.maintainer` permissions.

For more information, see [Access management in Yandex Cloud Desktop](../cloud-desktop/security/index.md).


## Yandex Cloud Detection and Response {#ycdr-roles}

#### ycdr.admin {#ycdr-admin}

The `ycdr.admin` role enables viewing dashboards and managing YCDR resources within an SIEM instance, including queries, investigations, and datasets.

{% cut "Users with this role can:" %}

* View info on URL addresses for embedding YCDR dashboards.
* View info on [investigations](../yandex-siem/concepts/investigations.md), as well as create, update, delete, and conduct them.
* View info on [datasets](../yandex-siem/concepts/investigations.md#datasets-schema), as well as create, update, and delete them.
* View info on [queries](../yandex-siem/concepts/queries.md), as well as create, update, delete, and run them.
* View info on [Yandex SIEM](../yandex-siem/concepts/index.md) and [YCDR](../ycdr/concepts/index.md) instances.

{% endcut %}

You need to assign this role for the organization.

For Yandex Cloud Detection and Response to process alerts from Security Deck, you also need to assign the `security-deck.editor` role for the folder from which alerts are being collected.

This role includes the `ycem.inspector` permissions.


## Yandex Cloud DNS {#dns-roles}

#### dns.auditor {#dns-auditor}

The `dns.auditor` role enables viewing info on [DNS zones](../dns/concepts/dns-zone.md) and [access permissions](concepts/access-control/index.md) assigned to them, as well as on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder) and Cloud DNS [quotas](../dns/concepts/limits.md#cloud-dns-quotas). This role does not provide access to [resource records](../dns/concepts/resource-record.md).

#### dns.viewer {#dns-viewer}

The `dns.viewer` role enables viewing info on [DNS zones](../dns/concepts/dns-zone.md) and [access permissions](concepts/access-control/index.md) assigned to them, as well as on the [resource records](../dns/concepts/resource-record.md), the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder), and Cloud DNS [quotas](../dns/concepts/limits.md#cloud-dns-quotas).

This role includes the `dns.auditor` permissions.

#### dns.editor {#dns-editor}

The `dns.editor` role enables managing DNS zones and resource records, as well as viewing info on the relevant folder and Cloud DNS quotas.

Users with this role can:
* View information on [DNS zones](../dns/concepts/dns-zone.md) as well as create, use, modify, and delete them.
* View information on [resource records](../dns/concepts/resource-record.md) as well as create, modify, and delete them.
* Create nested public DNS zones.
* View information on [access permissions](concepts/access-control/index.md) assigned for DNS zones.
* View information on Cloud DNS [quotas](../dns/concepts/limits.md#cloud-dns-quotas).
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `dns.viewer` permissions.

#### dns.firewallUser {#dns-firewallUser}

The `dns.firewallUser` role enables using clouds, folders, and cloud networks as resources for DNS firewalls, as well as viewing info on Cloud DNS resources and quotas.

Users with this role can:
* View info on DNS firewalls and [access permissions](concepts/access-control/index.md) granted for them.
* Use [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud), [folders](../resource-manager/concepts/resources-hierarchy.md#folder), and [cloud networks](../vpc/concepts/network.md#network) as resources for DNS firewalls.
* View info on [DNS zones](../dns/concepts/dns-zone.md) and access permissions granted for them.
* View info on Cloud DNS [quotas](../dns/concepts/limits.md#cloud-dns-quotas).
* View info on the relevant folder.

This role includes the `dns.auditor` permissions.

#### dns.firewallEditor {#dns-firewallEditor}

The `dns.firewallEditor` role enables managing DNS firewalls and using clouds, folders, and cloud networks as resources for them.

Users with this role can:
* View info on DNS firewalls and [access permissions](concepts/access-control/index.md) granted for them.
* Create, modify, and delete DNS firewalls.
* Use [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud), [folders](../resource-manager/concepts/resources-hierarchy.md#folder), and [cloud networks](../vpc/concepts/network.md#network) as resources for DNS firewalls.
* View info on [DNS zones](../dns/concepts/dns-zone.md) and access permissions granted for them.
* View info on Cloud DNS [quotas](../dns/concepts/limits.md#cloud-dns-quotas).
* View info on the relevant folder.

This role includes the `dns.firewallUser` permissions.

#### dns.admin {#dns-admin}

The `dns.admin` role enables managing Cloud DNS resources and access to them.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) granted for [DNS zones](../dns/concepts/dns-zone.md) and DNS firewalls, as well as modify such permissions.
* View info on DNS zones, as well as create, use, modify, and delete them.
* Create nested public DNS zones.
* View info on DNS firewalls, as well as create, modify, and delete them.
* Use [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud), [folders](../resource-manager/concepts/resources-hierarchy.md#folder), and [cloud networks](../vpc/concepts/network.md#network) as resources for DNS firewalls.
* View info on [resource records](../dns/concepts/resource-record.md), as well as create, modify, and delete them.
* View info on Cloud DNS [quotas](../dns/concepts/limits.md#cloud-dns-quotas).
* View info on the relevant folder.

This role includes the `dns.editor` and `dns.firewallEditor` permissions.

For more information, see [Access management in Cloud DNS](../dns/security/index.md).


## Yandex Cloud Functions {#functions-roles}

#### functions.auditor {#functions-auditor}

The `functions.auditor` role enables viewing info on functions, triggers, and connections to managed databases.

Users with this role can:
* View the list of [functions](../functions/concepts/function.md) and info on them.
* View the list of [triggers](../functions/concepts/trigger/index.md) and info on them.
* View the list of database connections and info on them.
* View info on granted [access permissions](concepts/access-control/index.md) for Cloud Functions resources.

#### functions.viewer {#functions-viewer}

The `functions.viewer` role enables viewing info on functions, triggers, and connections to managed databases, as well as on Cloud Functions quotas.

Users with this role can:
* View the list of [functions](../functions/concepts/function.md) and info on them.
* View the list of [triggers](../functions/concepts/trigger/index.md) and info on them.
* View the list of database connections and info on them.
* View info on granted [access permissions](concepts/access-control/index.md) for Cloud Functions resources.
* View info on Cloud Functions [quotas](../functions/concepts/limits.md#functions-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `functions.auditor` permissions.

#### functions.functionInvoker {#functions-functionInvoker}

The `functions.functionInvoker` role enables invoking [functions](../functions/concepts/function.md).

#### functions.editor {#functions-editor}

The `functions.editor` role enables managing functions, triggers, API gateways, and connections to managed databases.

Users with this role can:
* View the list of [functions](../functions/concepts/function.md) and info on them, create functions and their [versions](../functions/concepts/function.md#version), and modify, invoke, and delete functions.
* View the function version [environment variables](../functions/concepts/runtime/environment-variables.md) and code.
* View the list of [triggers](../functions/concepts/trigger/index.md) and info on them, as well as create, stop, run, modify, and delete them.
* View the list of database connections and the info on them, as well as create, modify, and delete database connections and connect to databases through functions.
* Create, modify, and delete [API gateways](../api-gateway/concepts/index.md).
* View info on granted [access permissions](concepts/access-control/index.md) for Cloud Functions resources.
* View info on Cloud Functions [quotas](../functions/concepts/limits.md#functions-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `functions.viewer` permissions.

#### functions.mdbProxiesUser {#functions-mdbProxiesUser}

The `functions.mdbProxiesUser` role enables connecting to managed databases through [functions](../functions/concepts/function.md).

#### functions.admin {#functions-admin}

The `functions.admin` role enables managing functions, triggers, API gateways, and connections to managed databases, as well as access to those.

Users with this role can:
* View info on the granted [access permissions](concepts/access-control/index.md) to the Cloud Functions resources and modify such access permissions.
* View the list of [functions](../functions/concepts/function.md) and info on them, create functions and their [versions](../functions/concepts/function.md#version), and modify, invoke, and delete functions.
* View the function version [environment variables](../functions/concepts/runtime/environment-variables.md) and code.
* View the list of [triggers](../functions/concepts/trigger/index.md) and info on them, as well as create, stop, run, modify, and delete them.
* View the list of database connections and the info on them, as well as create, modify, and delete database connections and connect to databases through functions.
* Create, modify, and delete [API gateways](../api-gateway/concepts/index.md).
* View info on Cloud Functions [quotas](../functions/concepts/limits.md#functions-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `functions.editor` permissions.

#### serverless.mdbProxies.user {#serverless-mdbProxies-user}

The `serverless.mdbProxies.user` role enables connecting to managed databases through Cloud Functions.

This role is no longer available. Please use `functions.mdbProxiesUser` instead.

#### serverless.functions.invoker {#serverless-functions-invoker}

The `serverless.functions.invoker` role enables invoking functions.

This role is no longer available. Please use `functions.functionInvoker` instead.

#### serverless.functions.admin {#serverless-functions-admin}

The `serverless.functions.admin` role enables managing functions, triggers, API gateways, and connections to managed databases, as well as access to those.

Users with this role can:
* View info on the granted access permissions to the Cloud Functions resources and modify such access permissions.
* View the list of functions and info on them, create functions and their versions, and modify, invoke, and delete functions.
* View the function version environment variables and code.
* View the list of triggers and info on them, as well as create, stop, run, modify, and delete them.
* View the list of database connections and the info on them, as well as create, modify, and delete database connections and connect to databases through functions.
* View the list of API gateways and info on them, as well as create, modify, and delete them.
* View info on Cloud Functions quotas.
* View info on the relevant cloud.
* View info on the relevant folder.

This role is no longer available. Please use `functions.admin` instead.

For more information, see [Access management in Cloud Functions](../functions/security/index.md).


## Yandex Cloud Interconnect {#interconnect-roles}

#### cic.auditor {#cic-auditor}

The `cic.auditor` role enables viewing info on Cloud Interconnect resources.

{% cut "Users with this role can:" %}

* View info on the [points of presence](../interconnect/concepts/pops.md).
* View info on [CIC partners](../interconnect/concepts/partners.md).
* View info on [trunk links](../interconnect/concepts/trunk.md).
* View info on [private connections](../interconnect/concepts/priv-con.md).
* View info on [public connections](../interconnect/concepts/pub-con.md).
* View info on Cloud Interconnect [quotas](../interconnect/concepts/limits.md#interconnect-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

#### cic.viewer {#cic-viewer}

The `cic.viewer` role enables viewing info on Cloud Interconnect resources.

{% cut "Users with this role can:" %}

* View info on the [points of presence](../interconnect/concepts/pops.md).
* View info on [CIC partners](../interconnect/concepts/partners.md).
* View info on [trunk links](../interconnect/concepts/trunk.md).
* View info on [private connections](../interconnect/concepts/priv-con.md).
* View info on [public connections](../interconnect/concepts/pub-con.md).
* View info on Cloud Interconnect [quotas](../interconnect/concepts/limits.md#interconnect-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `cic.auditor` permissions.

#### cic.editor {#cic-editor}

The `cic.editor` role enables managing trunk links and private and public connections, as well as viewing info on Cloud Interconnect quotas and resources.

{% cut "Users with this role can:" %}

* View info on [trunk links](../interconnect/concepts/trunk.md), as well as create, modify, and delete them.
* View info on [private connections](../interconnect/concepts/priv-con.md), as well as create, modify, and delete them.
* View info on [public connections](../interconnect/concepts/pub-con.md), as well as create, modify, and delete them.
* View info on the [points of presence](../interconnect/concepts/pops.md).
* View info on [CIC partners](../interconnect/concepts/partners.md).
* View info on Cloud Interconnect [quotas](../interconnect/concepts/limits.md#interconnect-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `cic.viewer` permissions.

#### cic.admin {#cic-admin}

The `cic.admin` role enables managing Cloud Interconnect resources.

{% cut "Users with this role can:" %}

* View info on [trunk links](../interconnect/concepts/trunk.md), as well as create, modify, and delete them.
* View info on [private connections](../interconnect/concepts/priv-con.md), as well as create, modify, and delete them.
* View info on [public connections](../interconnect/concepts/pub-con.md), as well as create, modify, and delete them.
* View info on the [points of presence](../interconnect/concepts/pops.md).
* View info on [CIC partners](../interconnect/concepts/partners.md).
* View info on Cloud Interconnect [quotas](../interconnect/concepts/limits.md#interconnect-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `cic.editor` permissions.

#### cic.secretViewer {#cic-secretviewer}

The `cic.secretViewer` role enables getting Cloud Interconnect [private](../interconnect/concepts/priv-con.md) and [public](../interconnect/concepts/pub-con.md) connection secrets.

#### cic.secretEditor {#cic-secreteditor}

The `cic.secretEditor` role enables getting and modifying Cloud Interconnect [private](../interconnect/concepts/priv-con.md) and [public](../interconnect/concepts/pub-con.md) connection secrets.

This role includes the `cic.secretViewer` permissions.

For more information, see [Access management in Cloud Interconnect](../interconnect/security/index.md).


## Yandex Cloud Logging {#logging-roles}

#### logging.viewer {#logging-viewer}

The `logging.viewer` role enables viewing info on log groups and sinks and access permissions assigned to them, as well as on the relevant cloud and folder.

Users with this role can:
* View info on [log groups](../logging/concepts/log-group.md).
* View info on log sinks.
* View info on [access permissions](concepts/access-control/index.md) assigned to Cloud Logging resources.
* View info on log exports.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

#### logging.editor {#logging-editor}

The `logging.editor` role enables viewing info on Cloud Logging resources and managing them.

Users with this role can:
* View info on [log groups](../logging/concepts/log-group.md), as well as create, modify, delete, and use them.
* View info on log sinks, as well as create, modify, delete, and use them.
* View info on [access permissions](concepts/access-control/index.md) assigned to Cloud Logging resources.
* View info on log exports, run export, and create, modify, and delete exported files.
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `logging.viewer` permissions.

#### logging.reader {#logging-reader}

The `logging.reader` role enables viewing log group entries and info on the Cloud Logging resources, as well as the cloud and folder metadata.

Users with this role can:
* View [log group](../logging/concepts/log-group.md) entries.
* View info on log groups.
* View info on log sinks.
* View info on [access permissions](concepts/access-control/index.md) assigned to Cloud Logging resources.
* View info on log exports.
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `logging.viewer` permissions.

#### logging.writer {#logging-writer}

The `logging.writer` role enables adding entries to log groups and viewing info on the Cloud Logging resources, as well as on the relevant cloud and folder.

Users with this role can:
* Add entries to [log groups](../logging/concepts/log-group.md).
* View info on log groups.
* View info on log sinks.
* View info on [access permissions](concepts/access-control/index.md) assigned to Cloud Logging resources.
* View info on log exports.
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `logging.viewer` permissions.

#### logging.admin {#logging-admin}

The `logging.admin` role enables managing your Cloud Logging resources and access to them, as well as viewing and adding entries to log groups.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) assigned to Cloud Logging resources and modify such permissions.
* View info on [log groups](../logging/concepts/log-group.md), as well as create, modify, delete, and use them.
* View info on log sinks, as well as create, modify, delete, and use them.
* View info on log exports, run export, and create, modify, and delete exported files.
* View and add entries to log groups.
* View info on Cloud Logging [quotas](../logging/concepts/limits.md#logging-quotas).
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `logging.editor`, `logging.reader`, and `logging.writer` permissions.

For more information, see [Access management in Cloud Logging](../logging/security/index.md).


## Yandex Cloud Marketplace {#marketplace-roles}

### Partner roles {#marketplace-partner-roles}

#### marketplace.meteringAgent {#marketplace-meteringagent}

The `marketplace.meteringAgent` role enables tracking Marketplace [product](../marketplace/concepts/product.md) usage.

This role allows a [partner](../marketplace/quickstart.md) to:
- Authenticate apps in the Metering API.
- Track the installed [app metrics](../marketplace/concepts/api-usage.md#guidelines) to [price](../marketplace/concepts/tariff.md) the app usage.

You can assign this role to a [service account](concepts/users/service-accounts.md) under which you are going to send the usage metrics.

#### license-manager.saasSubscriptionSupervisor {#license-manager-saasSubscriptionSupervisor}

The `license-manager.saasSubscriptionSupervisor` role enables viewing info on [subscriptions](../marketplace/concepts/users/subscription.md) and their links to resources, apps, and services, as well as creating such links.

This role is designed for SaaS products and can be assigned to a [service account](concepts/users/service-accounts.md) used to link subscriptions to resources, apps, and services.

#### marketplace.productInstances.saasSupervisor {#marketplace-productInstances-saasSupervisor}

The `marketplace.productInstances.saasSupervisor` role enables viewing info on installed Marketplace SaaS [products](../marketplace/concepts/product.md) and activating such products.

#### marketplace.product.creator {#marketplace-product-creator}

The `marketplace.product.creator` role enables creating [Marketplace products](../marketplace/concepts/product.md) in the [partner profile](../marketplace/quickstart.md#registration) and managing access to such products.

#### marketplace.product.admin {#marketplace-product-admin}

The `marketplace.product.admin` role enables managing Marketplace products and access to them, as well as their versions, pricing, trial periods, forms, and moderation requests.

Users with this role can:
* View info on the access permissions granted for products, as well as modify such permissions.
* View info on [products](../marketplace/concepts/product.md), as well as create and delete them.
* View the list of product [versions](../marketplace/concepts/version.md) and info on them, as well as create, modify, and delete versions.
* View the list of product [pricing plans](../marketplace/concepts/tariff.md) and info on such plans, as well as create and edit plans.
* View info on [trial periods](../marketplace/concepts/trial-period.md) and create, modify, and delete them.
* View the list of moderation requests for products and info on them, as well as create, modify, and delete such requests.
* View the list of product forms and info on them, as well as create, modify, and delete such forms.
* View the list of product categories.

#### marketplace.publishers.reportViewer {#marketplace-publishers-reportViewer}

The `marketplace.publishers.reportViewer` role enables viewing the reports on [Marketplace products](../marketplace/concepts/product.md) in the [partner profile](../marketplace/quickstart.md#registration).

#### marketplace.publishers.viewer {#marketplace-publishers-viewer}

The `marketplace.publishers.viewer` role enables viewing info on the partner profile and Marketplace products within it, as well as contacting tech support.

Users with this role can:
* View the list of available [partner profiles](../marketplace/quickstart.md#registration), info on them and on the access permissions granted for them.
* View the list of product [versions](../marketplace/concepts/version.md) and info on them, as well as create, modify, and delete versions.
* View the list of moderation requests for products and info on such requests.
* Create technical support [requests](../support/overview.md), as well as view, leave comments, and close them.

This role includes the `marketplace.publishers.member` permissions.

#### marketplace.publishers.editor {#marketplace-publishers-editor}

The `marketplace.publishers.editor` role enables managing Marketplace products and access to them, as well as their versions, pricing, trial periods, forms, and moderation requests. It also enables contacting tech support.

Users with this role can:
* View the list of available [partner profiles](../marketplace/quickstart.md#registration), info on them and on the access permissions granted for them.
* View info on the access permissions granted for products, as well as modify such permissions.
* View info on [products](../marketplace/concepts/product.md), as well as create and delete them.
* View the list of product [versions](../marketplace/concepts/version.md) and info on them, as well as create, modify, and delete versions.
* View the list of product [pricing plans](../marketplace/concepts/tariff.md) and info on such plans, as well as create and edit plans.
* View the list of product [trial periods](../marketplace/concepts/trial-period.md) and info on them, as well as create, modify, and delete such periods.
* View the list of moderation requests for products and info on them, as well as create, modify, and delete such requests.
* View the list of product forms and info on them, as well as create, modify, and delete such forms.
* View the list of product categories.
* Create technical support [requests](../support/overview.md), as well as view, leave comments, and close them.

This role includes the `marketplace.publishers.viewer` and `marketplace.product.admin` permissions.

#### marketplace.publishers.admin {#marketplace-publishers-admin}

The `marketplace.publishers.admin` role enables managing access to the partner profile, as well as managing Marketplace products and access to them, their versions, pricing, trial periods, forms, and moderation requests. It also enables viewing reports on Marketplace products in the partner profile.

Users with this role can:
* View the list of available [partner profiles](../marketplace/quickstart.md#registration), info on them and on the access permissions granted for them, as well as modify such permissions.
* View info on the access permissions granted for products, as well as modify such permissions.
* View info on [products](../marketplace/concepts/product.md), as well as create and delete them.
* View the list of product [versions](../marketplace/concepts/version.md) and info on them, as well as create, modify, and delete versions.
* View the list of product [pricing plans](../marketplace/concepts/tariff.md) and info on such plans, as well as create and edit plans.
* View info on [trial periods](../marketplace/concepts/trial-period.md) and create, modify, and delete them.
* View the list of moderation requests for products and info on them, as well as create, modify, and delete such requests.
* View the list of product forms and info on them, as well as create, modify, and delete such forms.
* View the list of product categories.
* View the reports on Marketplace products in the partner profile.
* Create technical support [requests](../support/overview.md), as well as view, leave comments, and close them.

This role includes the `marketplace.publishers.editor` and `marketplace.publishers.reportViewer` permissions.

#### marketplace.publishers.owner {#marketplace-publishers-owner}

The `marketplace.publishers.owner` role enables managing access to the partner profile, as well as managing Marketplace products and access to them, their versions, pricing, trial periods, forms, and moderation requests. It also enables viewing reports on Marketplace products in the partner profile.

This role is granted to the billing account owner when creating a partner profile and cannot be re-assigned.

Users with this role can:
* View the list of available [partner profiles](../marketplace/quickstart.md#registration), info on them and on the access permissions granted for them, as well as modify such permissions.
* View info on the access permissions granted for products, as well as modify such permissions.
* View info on [products](../marketplace/concepts/product.md), as well as create and delete them.
* View the list of product [versions](../marketplace/concepts/version.md) and info on them, as well as create, modify, and delete versions.
* View the list of product [pricing plans](../marketplace/concepts/tariff.md) and info on such plans, as well as create and edit plans.
* View the list of product [trial periods](../marketplace/concepts/trial-period.md) and info on them, as well as create, modify, and delete such periods.
* View the list of moderation requests for products and info on them, as well as create, modify, and delete such requests.
* View the list of product forms and info on them, as well as create, modify, and delete such forms.
* View the list of product categories.
* View the reports on Marketplace products in the partner profile.
* Create technical support [requests](../support/overview.md), as well as view, leave comments, and close them.

This role includes the `marketplace.publishers.admin` permissions.

#### marketplace.publishers.member {#marketplace-publishers-member}

The `marketplace.publishers.member` role provides the [partner profile](../marketplace/quickstart.md#registration) member access; however, it does not grant any access to the profile resources. To grant access to [products](../marketplace/concepts/product.md) or partner profile reports, you also need to assign the `marketplace.publishers.viewer`, `marketplace.publishers.editor`, `marketplace.publishers.admin`, or `marketplace.publishers.owner` role to the relevant user.

For more information, see [Managing partner access in Marketplace](../marketplace/security/partners.md).


### User roles {#marketplace-user-roles}

#### license-manager.auditor {#license-manager-auditor}

The `license-manager.auditor` role enables viewing information on [subscriptions](../marketplace/concepts/users/subscription.md).

#### license-manager.viewer {#license-manager-viewer}

The `license-manager.viewer` role enables viewing information on [subscriptions](../marketplace/concepts/users/subscription.md) and their [links](../marketplace/operations/users/lock-subscription.md) to a resource, app, or service.

This role includes the `license-manager.auditor` permissions.

#### license-manager.user {#license-manager-user}

The `license-manager.user` role enables managing subscriptions, as well as viewing information on those and their links to resources, apps, or services.

Users with this role can:
* View information on [subscriptions](../marketplace/concepts/users/subscription.md) and their links to resources, apps, or services.
* [Buy](../marketplace/operations/users/buy-subscription.md) subscriptions.
* [Disable](../marketplace/operations/users/cancel-subscription.md) subscription auto-renew.
* [Link](../marketplace/operations/users/lock-subscription.md) subscriptions to resources, apps, and services, as well as [unlink](../marketplace/operations/users/unlock-subscription.md) them.
* [Move](../marketplace/operations/users/move-subscription.md) subscriptions from one folder to another.

This role includes the `license-manager.viewer` permissions.

#### license-manager.subscriptionAgent {#license-manager-subscriptionAgent}

The `license-manager.subscriptionAgent` role enables [linking](../marketplace/operations/users/lock-subscription.md) subscriptions to resources, apps, or services, as well as viewing info on [subscriptions](../marketplace/concepts/users/subscription.md) and their links to resources, apps, or services.

#### marketplace.productInstances.auditor {#marketplace-productInstances-auditor}

The `marketplace.productInstances.auditor` role enables viewing info on installed Marketplace [products](../marketplace/concepts/product.md) and [access permissions](concepts/access-control/index.md) granted for them, as well as viewing [folder](../resource-manager/concepts/resources-hierarchy.md#folder) metadata.

#### marketplace.productInstances.viewer {#marketplace-productInstances-viewer}

The `marketplace.productInstances.viewer` role enables enables viewing info on installed Marketplace [products](../marketplace/concepts/product.md), [access permissions](concepts/access-control/index.md) granted for them, and on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `marketplace.productInstances.auditor` permissions.

#### marketplace.productInstances.user {#marketplace-productInstances-user}

The `marketplace.productInstances.user` role enables viewing info on installed Marketplace [products](../marketplace/concepts/product.md), activating and deactivating them, as well as viewing info on [access permissions](concepts/access-control/index.md) granted for them and on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `marketplace.productInstances.viewer` permissions.

#### marketplace.productInstances.editor {#marketplace-productInstances-editor}

The `marketplace.productInstances.editor` role enables managing installed Marketplace products.

Users with this role can:
* View info on installed Marketplace [products](../marketplace/concepts/product.md) and [access permissions](concepts/access-control/index.md) granted for them.
* Create Marketplace products, modify their metadata, as well as activate and deactivate Marketplace products.
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `marketplace.productInstances.user` permissions.

#### marketplace.productInstances.admin {#marketplace-productInstances-admin}

The `marketplace.productInstances.admin` role enables managing installed Marketplace products and access to them.

Users with this role can:
* View info on installed Marketplace [products](../marketplace/concepts/product.md).
* View info on [access permissions](concepts/access-control/index.md) granted for installed Marketplace products and modify such permissions.
* Create Marketplace products, modify their metadata, as well as activate and deactivate Marketplace products.
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `marketplace.productInstances.editor` permissions.

For more information, see [User access management in Marketplace](../marketplace/security/index.md).


## Yandex Cloud Notification Service {#cns-roles}

#### notifications.auditor {#notifications-auditor}

The `notifications.auditor` role enables viewing metadata for all [notification channels](../notifications/concepts/index.md#channels), [topic](../notifications/concepts/topics.md) metadata, and info on Cloud Notification Service [quotas](../notifications/concepts/limits.md).

#### notifications.viewer {#notifications-viewer}

The `notifications.viewer` role enables viewing info on topics, notification channels, and Cloud Notification Service quotas.

Users with this role can:
* View info on [topics](../notifications/concepts/topics.md) and subscriptions in them.
* View info on [mobile push notification](../notifications/concepts/push.md#mobile-channel) channels and their [endpoints](../notifications/concepts/push.md#mobile-endpoints).
* View info on [browser push notification](../notifications/concepts/browser.md) channels and their [endpoints](../notifications/concepts/browser.md#create-endpoint).
* View info on [text message (SMS)](../notifications/concepts/sms.md) channels, SMS [templates](../notifications/concepts/sms.md#templates), and [test](../notifications/concepts/sms.md#sandbox) phone numbers.
* View info on Cloud Notification Service [quotas](../notifications/concepts/limits.md).

This role includes the `notifications.auditor` permissions.

#### notifications.publisher {#notifications-publisher}

The `notifications.publisher` role enables sending notifications to all [channels](../notifications/concepts/index.md#channels) and [topics](../notifications/concepts/topics.md).

#### notifications.editor {#notifications-editor}

The `notifications.editor` role enables managing all notification channels and topics, as well as sending notifications to all channels and topics.

Users with this role can:
* View info on [topics](../notifications/concepts/topics.md) and create, modify, and delete them.
* View info on subscriptions in topics, as well as create and delete them.
* View info on [mobile push notification](../notifications/concepts/push.md#mobile-channel) channels and their [endpoints](../notifications/concepts/push.md#mobile-endpoints), as well as create, modify, and delete such channels and endpoints.
* View info on [browser push notification](../notifications/concepts/push.md#mobile-channel) channels and their [endpoints](../notifications/concepts/push.md#mobile-endpoints), as well as create, modify, and delete such channels and endpoints.
* View info on [text message (SMS) notification](../notifications/concepts/sms.md) channels, as well as create, modify, and delete them.
* View info on text message (SMS) [templates](../notifications/concepts/sms.md#templates) and [test](../notifications/concepts/sms.md#sandbox) phone numbers, as well as modify them.
* Send notifications to all topics and channels.
* View info on Cloud Notification Service [quotas](../notifications/concepts/limits.md).

This role includes the `notifications.viewer` and `notifications.publisher` permissions.

#### notifications.admin {#notifications-admin}

The `notifications.admin` role enables managing all notification channels and topics, as well as sending notifications to all channels and topics.

Users with this role can:
* View info on [topics](../notifications/concepts/topics.md) and create, modify, and delete them.
* View info on subscriptions in topics, as well as create and delete them.
* View info on [mobile push notification](../notifications/concepts/push.md#mobile-channel) channels and their [endpoints](../notifications/concepts/push.md#mobile-endpoints), as well as create, modify, and delete such channels and endpoints.
* View info on [browser push notification](../notifications/concepts/push.md#mobile-channel) channels and their [endpoints](../notifications/concepts/push.md#mobile-endpoints), as well as create, modify, and delete such channels and endpoints.
* View info on [text message (SMS) notification](../notifications/concepts/sms.md) channels, as well as create, modify, and delete them.
* View info on text message (SMS) [templates](../notifications/concepts/sms.md#templates) and [test](../notifications/concepts/sms.md#sandbox) phone numbers, as well as modify them.
* Send notifications to all topics and channels.
* View info on Cloud Notification Service [quotas](../notifications/concepts/limits.md).

This role includes the `notifications.editor` permissions.

For more information, see [Access management in Yandex Cloud Notification Service](../notifications/security/index.md).


## Yandex Cloud Postbox {#postbox-roles}

#### postbox.sender {#postbox-sender}

The `postbox.sender` role allows you to send emails from Yandex Cloud Postbox.

#### postbox.auditor {#postbox-auditor}

The `postbox.auditor` role allows you to view information about Yandex Cloud Postbox addresses.

Users with this role can:
* View information about [addresses](../postbox/concepts/glossary.md#adress) and their [configurations](../postbox/concepts/glossary.md#configuration).
* Get lists of addresses and their configurations.

#### postbox.viewer {#postbox-viewer}

The `postbox.viewer` role allows you to view information about Yandex Cloud Postbox addresses.

Users with this role can:
* View information about [addresses](../postbox/concepts/glossary.md#adress) and their [configurations](../postbox/concepts/glossary.md#configuration).
* Get lists of addresses and their configurations.

This role includes the `postbox.auditor` permissions.

#### postbox.editor {#postbox-editor}

The `postbox.editor` role allows you to manage Yandex Cloud Postbox addresses and send emails.

Users with this role can:
* Create, modify, and delete [addresses](../postbox/concepts/glossary.md#adress) and their [configurations](../postbox/concepts/glossary.md#configuration).
* View information about addresses and their configurations.
* Get a list of addresses and their configurations.
* Send emails.

This role includes the `postbox.viewer` permissions.

#### postbox.messages.reader {#postbox-messages-reader}

The `postbox.messages.reader` role enables viewing info on sent emails in the **Sent emails** section of the [management console](https://console.yandex.cloud), including data on the sender, receivers, subject, sending date, deliverability and engagement [metrics](../postbox/concepts/statistics.md#metrics), complaints, and unsubscriptions.

#### postbox.statistics.reader {#postbox-statistics-reader}

The `postbox.statistics.reader` role enables viewing [statistics](../postbox/concepts/statistics.md) on sent emails in the **Statistics** section of the [management console](https://console.yandex.cloud).

#### postbox.admin {#postbox-admin}

The `postbox.admin` role enables managing Yandex Cloud Postbox addresses, sending emails, and viewing info on sent emails as well as their statistics.

Users with this role can:
* Create, modify, and delete [addresses](../postbox/concepts/glossary.md#adress) and their [configurations](../postbox/concepts/glossary.md#configuration).
* View info on addresses and their configurations.
* Get a list of addresses and their configurations.
* Send emails.
* View [statistics](../postbox/concepts/statistics.md) on sent emails in the **Statistics** section of the [management console](https://console.yandex.cloud).
* View info on sent emails in the **Sent emails** section of the management console, including data on the sender, receivers, subject, sending date, deliverability and engagement [metrics](../postbox/concepts/statistics.md#metrics), complaints, and unsubscriptions.

This role includes the `postbox.editor`, `postbox.messages.reader`, and `postbox.statistics.reader` permissions.

For more information, see [Access management in Yandex Cloud Postbox](../postbox/security/index.md).


## Yandex Cloud Registry {#cloud-registry-roles}

#### cloud-registry.auditor {#cloud-registry-auditor}

The `cloud-registry.auditor` role enables viewing the artifact metadata, the info on registries and access permissions granted to them, as well as on the Cloud Registry quotas.

Users with this role can:
* View the [artifact](../cloud-registry/concepts/artifacts/index.md) metadata.
* View info on [registries](../cloud-registry/concepts/registry.md).
* View the list of registry IP permissions.
* View info on the [access permissions](concepts/access-control/index.md) granted to registries and folders within registries.
* View info on the Cloud Registry quotas.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

#### cloud-registry.viewer {#cloud-registry-viewer}

The`cloud-registry.viewer` role enables pulling artifacts, as well as viewing info on artifacts and registries, on the access permissions granted to registries, and on the Cloud Registry quotas.

Users with this role can:
* View info on [artifacts](../cloud-registry/concepts/artifacts/index.md) and pull them.
* View info on [registries](../cloud-registry/concepts/registry.md).
* View the list of registry IP permissions.
* View info on the [access permissions](concepts/access-control/index.md) granted to registries and folders within registries.
* View info on the Cloud Registry quotas.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `cloud-registry.auditor` permissions.

#### cloud-registry.editor {#cloud-registry-editor}

The `cloud-registry.editor` role enables managing artifacts and registries, as well as viewing info on the access permissions granted to registries and Cloud Registry quotas.

Users with this role can:
* View info on [artifacts](../cloud-registry/concepts/artifacts/index.md), as well as create, modify, download, and delete them.
* View info on [registries](../cloud-registry/concepts/registry.md), as well as create, modify, and delete them.
* Create and delete folders within registries.
* View the list of registry IP permissions.
* View info on the [access permissions](concepts/access-control/index.md) granted to registries and folders within registries.
* View info on the Cloud Registry quotas.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `cloud-registry.viewer` and `cloud-registry.artifacts.pusher` permissions.

#### cloud-registry.admin {#cloud-registry-admin}

The `cloud-registry.admin` role enables managing artifacts, registries, and access to registries, as well as viewing info on the Cloud Registry quotas.

Users with this role can:
* View info on [artifacts](../cloud-registry/concepts/artifacts/index.md), as well as create, modify, download, and delete them.
* View info on [registries](../cloud-registry/concepts/registry.md), as well as create, modify, and delete them.
* View info on the [access permissions](concepts/access-control/index.md) granted to registries and folders within registries, as well as modify such permissions.
* Create and delete folders within registries.
* View the list of registry IP permissions.
* View info on the Cloud Registry quotas.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `cloud-registry.editor` permissions.

#### cloud-registry.artifacts.puller {#cloud-registry-artifacts-puller}

The `cloud-registry.artifacts.puller` role enables pulling [artifacts](../cloud-registry/concepts/artifacts/index.md), as well as getting info on artifacts and [registries](../cloud-registry/concepts/registry.md).

#### cloud-registry.artifacts.pusher {#cloud-registry-artifacts-pusher}

The `cloud-registry.artifacts.pusher` role enables managing artifacts, as well as viewing info on the registries and managing folders within them.

Users with this role can:
* View info on [artifacts](../cloud-registry/concepts/artifacts/index.md), as well as create, modify, download, and delete them.
* View info on [registries](../cloud-registry/concepts/registry.md).
* Create and delete folders within registries.

For more information, see [Access management in Yandex Cloud Registry](../cloud-registry/security/index.md).


## Yandex Cloud Router {#cloudrouter-roles}

#### cloud-router.auditor {#cloudrouter-auditor}

The `cloud-router.auditor` role enables viewing info on Cloud Router resources.

Users with this role can:
* View info on the [routing instances](../cloud-router/concepts/routing-instance.md).
* View info on Cloud Router quotas.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

#### cloud-router.viewer {#cloudrouter-viewer}

The `cloud-router.viewer` role enables viewing info on Cloud Router resources.

Users with this role can:
* View info on the [routing instances](../cloud-router/concepts/routing-instance.md).
* View info on Cloud Router quotas.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `cloud-router.auditor` permissions.

#### cloud-router.prefixEditor {#cloudrouter-prefixEditor}

The `cloud-router.prefixEditor` role enables managing cloud subnet IP prefixes in routing instances, as well as viewing info on Cloud Router resources.

Users with this role can:
* View info on the [routing instances](../cloud-router/concepts/routing-instance.md).
* Add, modify, and remove [cloud subnet](../vpc/concepts/network.md#subnet) [IP prefixes](../cloud-router/concepts/announces.md) in routing instances.
* View info on Cloud Router quotas.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `cloud-router.viewer` permissions.

#### cloud-router.editor {#cloudrouter-editor}

The `cloud-router.editor` role enables managing routing instances, as well as viewing info on Cloud Router resources.

Users with this role can:
* View info on [routing instances](../cloud-router/concepts/routing-instance.md), as well as create, modify, and delete them.
* Add, modify, and remove [cloud subnet](../vpc/concepts/network.md#subnet) [IP prefixes](../cloud-router/concepts/announces.md) in routing instances.
* View info on Cloud Router quotas.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `cloud-router.prefixEditor` permissions.

#### cloud-router.admin {#cloudrouter-admin}

The `cloud-router.admin` role enables managing Cloud Router resources.

Users with this role can:
* View info on [routing instances](../cloud-router/concepts/routing-instance.md), as well as create, modify, and delete them.
* Add, modify, and remove [cloud subnet](../vpc/concepts/network.md#subnet) [IP prefixes](../cloud-router/concepts/announces.md) in routing instances.
* View info on Cloud Router quotas.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `cloud-router.editor` permissions.

For more information, see [Access management in Cloud Router](../cloud-router/security/index.md).


## Yandex Cloud Video {#video-roles}

#### video.auditor {#video-auditor}

The `video.auditor` role enables viewing info on Cloud Video resources or a separate [channel’s](../video/concepts/index.md#channels) resources, their settings, and their assigned [access permissions](concepts/access-control/index.md).

#### video.viewer {#video-viewer}

The `video.viewer` role enables viewing info on Cloud Video resources or a separate channel’s resources, their settings, and their assigned access permissions.

Users with this role can:
* View info on Cloud Video resources and their settings.
* Download source [video](../video/concepts/videos.md) and [subtitle](../video/concepts/videos.md#subtitles) files as well as thumbnails.
* View info on [access permissions](concepts/access-control/index.md) granted for [channels](../video/concepts/index.md#channels).

This role includes the `video.auditor` permissions.

#### video.editor {#video-editor}

The `video.editor` enables managing Cloud Video resources or a dedicated channel’s resources, as well as broadcasting video streams.

Users with this role can:
* View info on Cloud Video resources and their settings, as well as create, modify, and delete such resources.
* [Broadcast](../video/concepts/streams.md#streams) live video streams from Cloud Video.
* Download source [video](../video/concepts/videos.md) and [subtitle](../video/concepts/videos.md#subtitles) files as well as thumbnails.
* Use AI features, such as video [summarization](../video/concepts/videos.md#summarization) and [neural machine translation](../video/concepts/videos.md#stranslation).
* View info on [access permissions](concepts/access-control/index.md) granted for Cloud Video [channels](../video/concepts/index.md#channels).

This role includes the `video.viewer` permissions.

#### video.admin {#video-admin}

The `video.admin` role enables managing Cloud Video resources or a dedicated channel’s resources and assigning access permissions to all resources or a channel’s resources.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) granted for [channels](../video/concepts/index.md#channels) and modify such permissions.
* View info on Cloud Video resources and their settings, as well as create, modify, and delete such resources.
* [Broadcast](../video/concepts/streams.md#streams) live video streams from Cloud Video.
* Download source [video](../video/concepts/videos.md) and [subtitle](../video/concepts/videos.md#subtitles) files as well as thumbnails.
* Use AI features, such as video [summarization](../video/concepts/videos.md#summarization) and [neural machine translation](../video/concepts/videos.md#stranslation).

This role includes the `video.editor` permissions.


## Yandex Compute Cloud {#compute-roles}

#### compute.auditor {#compute-auditor}

The `compute.auditor` role allows you to view information on Compute Cloud resources and relevant operations, as well as on the amount of used resources and quotas. It does not allow you to access the serial port or serial console of an instance.

{% cut "Users with this role can:" %}

* View a list of [instances](../compute/concepts/vm.md) and information on them.
* View a list of [instance groups](../compute/concepts/instance-groups/index.md) and information on them.
* View a list of [instance placement groups](../compute/concepts/placement-groups.md) and information on them.
* View lists of instances in placement groups.
* View a list of [dedicated host groups](../compute/concepts/dedicated-host.md#host-group-size) and information on them.
* View lists of [hosts](../compute/concepts/dedicated-host.md) and instances in dedicated host groups.
* View information on [GPU clusters](../compute/concepts/gpus.md#gpu-clusters) and instances included in these clusters.
* View a list of [disks](../compute/concepts/disk.md) and information on them.
* View a list of [file storages](../compute/concepts/filesystem.md) and information on them.
* View a list of [non-replicated disk placement groups](../compute/concepts/disk-placement-group.md) and information on them.
* View lists of disks in placement groups.
* View information on [reserved instance pools](../compute/concepts/reserved-pools.md).
* View a list of [images](../compute/concepts/image.md) and information on them.
* View information on [image families](../compute/concepts/image.md#family), on images within families, on the latest family image, as well as on [access permissions](concepts/access-control/index.md) assigned to image families.
* View a list of [disk snapshots](../compute/concepts/snapshot.md) and information on them.
* View information on disk snapshot [schedules](../compute/concepts/snapshot-schedule.md).
* View information on Compute Cloud resource and [quota](../compute/concepts/limits.md#compute-quotas) consumption and [disk limits](../compute/concepts/limits.md#compute-limits-disks) in the management console.
* View lists of resource operations for Compute Cloud, as well as information on these operations.
* View information on the status of configuring access via [OS Login](../organization/concepts/os-login.md) on instances.
* View information on available [platforms](../compute/concepts/vm-platforms.md).
* View a list of [availability zones](../overview/concepts/geo-scope.md) and information on them.

{% endcut %}

#### compute.viewer {#compute-viewer}

The `compute.viewer` role allows you to view information on Compute Cloud resources and resource operations, as well as on access permissions assigned to the resources and on the amount of used resources and quotas. This role also grants access to instance metadata and serial port output.

{% cut "Users with this role can:" %}

* View the instance [serial port output](../compute/operations/vm-info/get-serial-port-output.md).
* View instance [metadata](../compute/concepts/vm-metadata.md).
* View a list of [instances](../compute/concepts/vm.md), information on instances and on [access permissions](concepts/access-control/index.md) assigned to them.
* View a list of [instance groups](../compute/concepts/instance-groups/index.md) and information on them.
* View a list of [instance placement groups](../compute/concepts/placement-groups.md), information on instance placement groups and on access permissions assigned to them.
* View lists of instances in placement groups.
* View a list of [dedicated host groups](../compute/concepts/dedicated-host.md#host-group-size), information on dedicated host groups and on access permissions assigned to them.
* View lists of [hosts](../compute/concepts/dedicated-host.md) and instances in dedicated host groups.
* View information on [GPU clusters](../compute/concepts/gpus.md#gpu-clusters) and instances included in GPU clusters, as well as the on access permissions assigned to these clusters.
* View a list of [disks](../compute/concepts/disk.md), information on disks and on access permissions assigned to them.
* View a list of [file storages](../compute/concepts/filesystem.md), information on file storages and on access permissions assigned to them.
* View a list of [non-replicated disk placement groups](../compute/concepts/disk-placement-group.md), information on non-replicated disk placement groups and on access permissions assigned to them.
* View lists of disks in placement groups.
* View information on [reserved instance pools](../compute/concepts/reserved-pools.md).
* View a list of [images](../compute/concepts/image.md), information on images and on access permissions assigned to them.
* View information on [image families](../compute/concepts/image.md#family), on images within families, on the latest family image, as well as on access permissions assigned to image families.
* View a list of [disk snapshots](../compute/concepts/snapshot.md), information on disk snapshots and on access permissions assigned to them.
* View information on [disk snapshot schedules](../compute/concepts/snapshot-schedule.md) and on access permissions assigned to them.
* View information on Compute Cloud resource and [quota](../compute/concepts/limits.md#compute-quotas) consumption and [disk limits](../compute/concepts/limits.md#compute-limits-disks) in the management console.
* View lists of resource operations for Compute Cloud, as well as information on these operations.
* View information on the status of configuring access via [OS Login](../organization/concepts/os-login.md) on instances.
* View information on available [platforms](../compute/concepts/vm-platforms.md).
* View a list of [availability zones](../overview/concepts/geo-scope.md), information on availability zones and on access permissions assigned to them.

{% endcut %}

This role includes the `compute.auditor` and `compute.snapshotSchedules.viewer` permissions.

#### compute.editor {#compute-editor}

The `compute.editor` role allows you to manage instances, instance groups, disks, images, GPU clusters, and other Compute Cloud resources.

{% cut "Users with this role can:" %}

* Create, modify, start, restart, stop, move, and delete [instances](../compute/concepts/vm.md).
* View a list of instances, information on instances and on [access permissions](concepts/access-control/index.md) assigned to them.
* Connect and disconnect disks, file storages, and network interfaces to and from instances, as well as link [security groups](../vpc/concepts/security-groups.md) to instance network interfaces.
* Create instances with custom [FQDNs](../vpc/concepts/address.md#fqdn) and create multi-interface instances.
* Bind [service accounts](concepts/users/service-accounts.md) to instances and activate AWS v1 tokens on instances.
* Use the instance [serial port](../compute/operations/vm-info/get-serial-port-output.md) for reading and writing.
* Simulate instance maintenance events.
* View instance [metadata](../compute/concepts/vm-metadata.md).
* View information on the status of configuring access via [OS Login](../organization/concepts/os-login.md) on instances and connect to instances via OS Login using SSH certificates or SSH keys.
* View a list of [instance groups](../compute/concepts/instance-groups/index.md), information on instance groups and on access permissions assigned to them, as well as use, create, modify, start, stop, and delete instance groups.
* View a list of [instance placement groups](../compute/concepts/placement-groups.md), information on instance placement groups and on access permissions assigned to them, as well as use, modify, and delete instance placement groups.
* View lists of instances in placement groups.
* View a list of [dedicated host groups](../compute/concepts/dedicated-host.md#host-group-size), information on dedicated host groups and on access permissions assigned to them, as well as use, modify, and delete dedicated host groups.
* View lists of [hosts](../compute/concepts/dedicated-host.md) and instances in dedicated host groups.
* Modify scheduled maintenance windows for hosts in dedicated host groups.
* Use [GPU clusters](../compute/concepts/gpus.md#gpu-clusters), as well as create, modify, and delete them.
* View information on GPU clusters and instances included in GPU clusters, as well as the on access permissions assigned to these clusters.
* View information on [reserved instance pools](../compute/concepts/reserved-pools.md), as well as create, use, modify, and delete them.
* View a list of [disks](../compute/concepts/disk.md), information on disks and on access permissions assigned to them, as well as use, modify, move, and delete disks.
* Create [encrypted disks](../compute/concepts/disk.md#encryption).
* View and update disk links.
* View a list of [file storages](../compute/concepts/filesystem.md), information on file storages and on access permissions assigned to them, as well as use, create, modify, and delete file storages.
* View a list of [non-replicated disk placement groups](../compute/concepts/disk-placement-group.md), information on non-replicated disk placement groups and on access permissions assigned to them, as well as use, modify, and delete non-replicated disk placement groups.
* View lists of disks in placement groups.
* View a list of [images](../compute/concepts/image.md), information on images and on access permissions assigned to them, as well as use, modify, and delete images.
* Create, modify, delete, and update [image families](../compute/concepts/image.md#family).
* View information on image families, on images within families, on the latest family image, as well as on access permissions assigned to image families.
* View a list of [disk snapshots](../compute/concepts/snapshot.md), information on disk snapshots and on access permissions assigned to them, as well as use, modify, and delete disk snapshots.
* View information on disk snapshot [schedules](../compute/concepts/snapshot-schedule.md) and on access permissions assigned to them, as well as create, modify, and delete disk snapshot schedules.
* View information on [cloud networks](../vpc/concepts/network.md#network) and use them.
* View information on [subnets](../vpc/concepts/network.md#subnet) and use them.
* View information on [cloud resource addresses](../vpc/concepts/address.md) and use them.
* View information on [route tables](../vpc/concepts/routing.md#rt-vpc) and use them.
* View information on security groups and use them.
* View information on [NAT gateways](../vpc/concepts/gateways.md) and connect them to route tables.
* View information on the IP addresses used in subnets.
* View information on resource operations for Virtual Private Cloud.
* View information on Virtual Private Cloud [quotas](../vpc/concepts/limits.md#vpc-quotas).
* View information on Compute Cloud resource and [quota](../compute/concepts/limits.md#compute-quotas) consumption and [disk limits](../compute/concepts/limits.md#compute-limits-disks) in the management console.
* View lists of resource operations for Compute Cloud and information on operations, as well as abort such operations.
* View information on available [platforms](../compute/concepts/vm-platforms.md) and use them.
* View a list of [availability zones](../overview/concepts/geo-scope.md), information on availability zones and on access permissions assigned to them.
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `compute.operator`, `compute.osLogin`, `compute.snapshotSchedules.editor`, `compute.disks.user`, and `vpc.user` permissions.

#### compute.admin {#compute-admin}

The `compute.admin` role allows you to manage instances, instance groups, disks, images, GPU clusters, and other Compute Cloud resources, as well as manage access to them.

{% cut "Users with this role can:" %}

* Create, modify, start, restart, stop, move, and delete [instances](../compute/concepts/vm.md), as well as manage access to them.
* View a list of instances, information on instances and on [access permissions](concepts/access-control/index.md) assigned to them.
* Connect and disconnect disks, file storages, and network interfaces to and from instances, as well as link [security groups](../vpc/concepts/security-groups.md) to instance network interfaces.
* Create instances with custom [FQDNs](../vpc/concepts/address.md#fqdn) and create multi-interface instances.
* Bind [service accounts](concepts/users/service-accounts.md) to instances and activate AWS v1 tokens on instances.
* Use the instance [serial port](../compute/operations/vm-info/get-serial-port-output.md) for reading and writing.
* Simulate instance maintenance events.
* View instance [metadata](../compute/concepts/vm-metadata.md).
* View information on the status of configuring access via [OS Login](../organization/concepts/os-login.md) on instances and connect to instances via OS Login using SSH certificates or SSH keys and run commands as a superuser (`sudo`).
* Use, create, modify, start, stop, and delete [instance groups](../compute/concepts/instance-groups/index.md), as well as manage access to instance groups.
* View a list of instance groups, information on instance groups and on access permissions assigned to them.
* Use, create, modify, and delete [instance placement groups](../compute/concepts/placement-groups.md), as well as manage access to instance placement groups.
* View a list of instance placement groups, information on instance placement groups and on access permissions assigned to them.
* View lists of instances in placement groups.
* Use, create, modify, and delete [dedicated host groups](../compute/concepts/dedicated-host.md#host-group-size), as well as manage access to dedicated host groups.
* View a list of dedicated host groups, information on dedicated host groups and on access permissions assigned to them.
* View lists of [hosts](../compute/concepts/dedicated-host.md) and instances in dedicated host groups.
* Modify scheduled maintenance windows for hosts in dedicated host groups.
* Use, create, modify, and delete [GPU clusters](../compute/concepts/gpus.md#gpu-clusters), as well as manage access to them.
* View information on GPU clusters and instances included in GPU clusters, as well as the on access permissions assigned to these clusters.
* View information on [reserved instance pools](../compute/concepts/reserved-pools.md), as well as create, use, modify, and delete them.
* Use, create, modify, move, and delete [disks](../compute/concepts/disk.md), as well as manage access to them.
* Create [encrypted disks](../compute/concepts/disk.md#encryption).
* View a list of disks, information on disks and on access permissions assigned to them.
* View and update disk links.
* Use, create, modify, and delete [file storages](../compute/concepts/filesystem.md), as well as manage access to them.
* View a list of file storages, information on file storages and on access permissions assigned to them.
* Use, create, modify, and delete [non-replicated disk placement groups](../compute/concepts/disk-placement-group.md), as well as manage access to non-replicated disk placement groups.
* View a list of non-replicated disk placement groups, information on non-replicated disk placement groups and on access permissions assigned to them.
* View lists of disks in placement groups.
* Use, create, modify, and delete [images](../compute/concepts/image.md), as well as manage access to them.
* View a list of images, information on images and on access permissions assigned to them.
* Create, modify, delete, and update [image families](../compute/concepts/image.md#family), as well as manage access to them.
* View information on image families, on images within families, on the latest family image, as well as on access permissions assigned to image families.
* Use, create, modify, and delete [disk snapshots](../compute/concepts/snapshot.md), as well as manage access to them.
* View a list of disk snapshots, information on disk snapshots and on access permissions assigned to them.
* Create, modify, and delete [disk snapshot schedules](../compute/concepts/snapshot-schedule.md), as well as manage access to them.
* View information on disk snapshot schedules and on access permissions assigned to them.
* View information on [cloud networks](../vpc/concepts/network.md#network) and use them.
* View information on [subnets](../vpc/concepts/network.md#subnet) and use them.
* View information on [cloud resource addresses](../vpc/concepts/address.md) and use them.
* View information on [route tables](../vpc/concepts/routing.md#rt-vpc) and use them.
* View information on security groups and use them.
* View information on [NAT gateways](../vpc/concepts/gateways.md) and connect them to route tables.
* View information on the IP addresses used in subnets.
* View information on resource operations for Virtual Private Cloud.
* View information on Virtual Private Cloud [quotas](../vpc/concepts/limits.md#vpc-quotas).
* View information on Compute Cloud resource and [quota](../compute/concepts/limits.md#compute-quotas) consumption and [disk limits](../compute/concepts/limits.md#compute-limits-disks) in the management console.
* View lists of resource operations for Compute Cloud and information on operations, as well as abort such operations.
* View information on available [platforms](../compute/concepts/vm-platforms.md) and use them.
* View a list of [availability zones](../overview/concepts/geo-scope.md), information on availability zones and on access permissions assigned to them.
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `compute.editor` and `compute.osAdminLogin` permissions.

#### compute.osLogin {#compute-oslogin}

The `compute.osLogin` role allows you to connect to [instances](../compute/concepts/vm.md) via [OS Login](../organization/concepts/os-login.md) using SSH certificates or SSH keys.

#### compute.osAdminLogin {#compute-osadminlogin}

The `compute.osAdminLogin` role allows you to connect to [instances](../compute/concepts/vm.md) using SSH certificates or SSH keys via [OS Login](../organization/concepts/os-login.md) and run commands as a superuser (`sudo`).

#### compute.disks.user {#compute-disks-user}

The `compute.disks.user` role allows you to view a list of [disks](../compute/concepts/disk.md) and information on them, as well as use disks to create new resources, such as [instances](../compute/concepts/vm.md).

#### compute.images.user {#compute-images-user}

The `compute.images.user` role allows you to view a list of [images](../compute/concepts/image.md) and information on them, get information on the latest image within the [image family](../compute/concepts/image.md#family), as well as use images to create new resources, such as [instances](../compute/concepts/vm.md).

#### compute.operator {#compute-operator}

The `compute.operator` role allows you to start and stop instances and instance groups, as well as view information on Compute Cloud resources and resource operations, as well as on access permissions assigned to the resources and the amount of used resources and quotas.

{% cut "Users with this role can:" %}

* Start, restart, and stop [instances](../compute/concepts/vm.md).
* View a list of instances, information on instances and on [access permissions](concepts/access-control/index.md) assigned to them.
* Start and stop [instance groups](../compute/concepts/instance-groups/index.md).
* View a list of instance groups and information on them.
* View the instance [serial port output](../compute/operations/vm-info/get-serial-port-output.md).
* View instance [metadata](../compute/concepts/vm-metadata.md).
* View a list of [instance placement groups](../compute/concepts/placement-groups.md), information on instance placement groups and on access permissions assigned to them.
* View lists of instances in placement groups.
* View a list of [dedicated host groups](../compute/concepts/dedicated-host.md#host-group-size), information on dedicated host groups and on access permissions assigned to them.
* View lists of [hosts](../compute/concepts/dedicated-host.md) and instances in dedicated host groups.
* View information on [GPU clusters](../compute/concepts/gpus.md#gpu-clusters) and instances included in GPU clusters, as well as the on access permissions assigned to these clusters.
* View a list of [disks](../compute/concepts/disk.md), information on disks and on access permissions assigned to them.
* View a list of [file storages](../compute/concepts/filesystem.md), information on file storages and on access permissions assigned to them.
* View a list of [non-replicated disk placement groups](../compute/concepts/disk-placement-group.md), information on non-replicated disk placement groups and on access permissions assigned to them.
* View lists of disks in placement groups.
* View information on [reserved instance pools](../compute/concepts/reserved-pools.md).
* View a list of [images](../compute/concepts/image.md), information on images and on access permissions assigned to them.
* View information on [image families](../compute/concepts/image.md#family), on images within families, on the latest family image, as well as on access permissions assigned to image families.
* View a list of [disk snapshots](../compute/concepts/snapshot.md), information on disk snapshots and on access permissions assigned to them.
* View information on [disk snapshot schedules](../compute/concepts/snapshot-schedule.md) and on access permissions assigned to them.
* View information on Compute Cloud resource and [quota](../compute/concepts/limits.md#compute-quotas) consumption and [disk limits](../compute/concepts/limits.md#compute-limits-disks) in the management console.
* View lists of resource operations for Compute Cloud, as well as information on these operations.
* View information on the status of configuring access via [OS Login](../organization/concepts/os-login.md) on instances.
* View information on available [platforms](../compute/concepts/vm-platforms.md).
* View a list of [availability zones](../overview/concepts/geo-scope.md), information on availability zones and on access permissions assigned to them.

{% endcut %}

This role includes the `compute.viewer` permissions.

#### compute.snapshotSchedules.viewer {#compute-snapshotSchedules-viewer}

The `compute.snapshotSchedules.viewer` role allows you to view information on scheduled disk snapshots.

Users with this role can:
* View information on disk snapshot [schedules](../compute/concepts/snapshot-schedule.md) and on [access permissions](concepts/access-control/index.md) assigned to them.
* View lists of [disks](../compute/concepts/disk.md).
* View lists of [disk snapshots](../compute/concepts/snapshot.md).
* View a list of disk snapshot operations.

#### compute.snapshotSchedules.editor {#compute-snapshotSchedules-editor}

The `compute.snapshotSchedules.editor` role allows you to create, modify, and delete disk snapshot schedule, create and delete disk snapshots, as well as view information on disk snapshot operations.

Users with this role can:
* View information on disk snapshot [schedules](../compute/concepts/snapshot-schedule.md) and on [access permissions](concepts/access-control/index.md) assigned to them, as well as create, modify, and delete disk snapshot schedules.
* View lists of [disks](../compute/concepts/disk.md) and use disks to create snapshots.
* View lists of [disk snapshots](../compute/concepts/snapshot.md), create and delete snapshots.
* View a list of disk snapshot operations and information on them.

This role includes the `compute.snapshotSchedules.viewer` permissions.

For more information, see [Access management in Compute Cloud](../compute/security/index.md).


## Yandex Connection Manager {#connection-manager-roles}

#### connection-manager.auditor {#connection-manager-auditor}

The `connection-manager.auditor` role allows you to view public details on [connections](../metadata-hub/concepts/connection-manager.md) and [access permissions](concepts/access-control/index.md) assigned to them. If you have this role assigned for a cloud, it will also enable viewing Connection Manager [quotas](../metadata-hub/concepts/limits.md).

#### connection-manager.viewer {#connection-manager-viewer}

The `connection-manager.viewer` role enables viewing info on [connections](../metadata-hub/concepts/connection-manager.md) and [access permissions](concepts/access-control/index.md) assigned to them, as well as on the Connection Manager [quotas](../metadata-hub/concepts/limits.md).

This role includes the `connection-manager.auditor` permissions.

#### connection-manager.editor {#connection-manager-editor}

The `connection-manager.editor` role allows you to manage connections and view their details.

Users with this role can:
* Create, use, edit, and delete [connections](../metadata-hub/concepts/connection-manager.md).
* View connection details and info on connection [access permissions](concepts/access-control/index.md).
* View info on Connection Manager [quotas](../metadata-hub/concepts/limits.md).

This role includes the `connection-manager.viewer` permissions.

#### connection-manager.admin {#connection-manager-admin}

The `connection-manager.admin` role allows you to manage connections and access to those, as well as view connection details.

Users with this role can:
* Create, use, edit, and delete [connections](../metadata-hub/concepts/connection-manager.md), as well as manage access to them.
* View connection details and info on connection [access permissions](concepts/access-control/index.md).
* View info on Connection Manager [quotas](../metadata-hub/concepts/limits.md).

This role includes the `connection-manager.editor` permissions.

Learn more in [Access management in Connection Manager](../metadata-hub/security/index.md).


## Yandex Container Registry {#cr-roles}

#### container-registry.viewer {#container-registry.viewer}

The `container-registry.viewer` role enables viewing info on registries, Docker images, and repositories, as well as on the relevant folder, cloud, and Container Registry quotas.

Users with this role can:
* View the list of [registries](../container-registry/concepts/registry.md), info on them and the [access permissions](concepts/access-control/index.md) granted for them, as well as on the [access policy settings](../container-registry/operations/registry/registry-access.md) for IP addresses and the [vulnerability scanner](../container-registry/concepts/vulnerability-scanner.md) settings.
* View info on [repositories](../container-registry/concepts/repository.md) and the access permissions granted for them.
* View the list of the [Docker image](../container-registry/concepts/docker-image.md) auto-delete [policies](../container-registry/concepts/lifecycle-policy.md) and info on them.
* View the list of the [testing](../container-registry/operations/lifecycle-policy/lifecycle-policy-dry-run.md) results for Docker image auto-delete policies and info on such results.
* View the list of Docker images in the registry and the info on them, as well as download Docker images from the registry.
* View the Docker image vulnerability scan history and the info on the result of such scans.
* View info on the Container Registry [quotas](../container-registry/concepts/limits.md#container-registry-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

#### container-registry.editor {#container-registry.editor}

The `container-registry.editor` role enables managing registries, Docker images, repositories, and their settings.

Users with this role can:
* View the list of [registries](../container-registry/concepts/registry.md) and info on them, as well as create, modify, and delete them.
* View info on the [access permissions](concepts/access-control/index.md) granted for registries, as well as on the [access policy settings](../container-registry/operations/registry/registry-access.md) for IP addresses.
* View info on the [vulnerability scanner](../container-registry/concepts/vulnerability-scanner.md) settings, as well as create, modify, and delete scan rules.
* View the list of [Docker images](../container-registry/concepts/docker-image.md) in the registry and info on them, as well as create, download, modify, and delete them.
* [Start](../container-registry/operations/scanning-docker-image.md#manual) and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
* View info on [repositories](../container-registry/concepts/repository.md) and the access permissions granted for them, as well as create and delete repositories.
* View the list of the Docker image auto-delete [policies](../container-registry/concepts/lifecycle-policy.md) and info on them, as well as create, modify, and delete such policies.
* [Test](../container-registry/operations/lifecycle-policy/lifecycle-policy-dry-run.md) the Docker image auto-delete policies, view the list of testing results and the info on such results.
* View info on the Container Registry [quotas](../container-registry/concepts/limits.md#container-registry-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `container-registry.viewer` permissions.

#### container-registry.admin {#container-registry.admin}

The `container-registry.admin` role enables managing access to registries and repositories, as well as managing registries, Docker images, repositories and their settings.

Users with this role can:
* View the list of [registries](../container-registry/concepts/registry.md) and info on them, as well as create, modify, and delete them.
* View info on granted [access permissions](concepts/access-control/index.md) to registries and modify such permissions.
* View info on the [access policy settings](../container-registry/operations/registry/registry-access.md) for IP address and modify such settings.
* View info on the [vulnerability scanner](../container-registry/concepts/vulnerability-scanner.md) settings, as well as create, modify, and delete scan rules.
* View the list of [Docker images](../container-registry/concepts/docker-image.md) in the registry and info on them, as well as create, download, modify, and delete them.
* [Start](../container-registry/operations/scanning-docker-image.md#manual) and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
* View info on [repositories](../container-registry/concepts/repository.md), as well as create and delete them.
* View info on granted access permissions to repositories and modify such permissions.
* View the list of the Docker image auto-delete [policies](../container-registry/concepts/lifecycle-policy.md) and info on them, as well as create, modify, and delete such policies.
* [Test](../container-registry/operations/lifecycle-policy/lifecycle-policy-dry-run.md) the Docker image auto-delete policies, view the list of testing results and the info on such results.
* View info on the Container Registry [quotas](../container-registry/concepts/limits.md#container-registry-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `container-registry.editor` permissions.

#### container-registry.images.pusher {#container-registry-images-pusher}

The `container-registry.images.pusher` role enables managing Docker images and repositories, as well as viewing info on Docker images, repositories, and registries.

Users with this role can:
* View the list of [registries](../container-registry/concepts/registry.md) and info on them.
* View the list of [Docker images](../container-registry/concepts/docker-image.md) in the registry and info on them, as well as push, download, update, and delete them.
* Create and delete [repositories](../container-registry/concepts/repository.md).

#### container-registry.images.puller {#container-registry-images-puller}

The `container-registry.images.puller` role enables downloading [Docker images](../container-registry/concepts/docker-image.md) from the registry and viewing the list of [registries](../container-registry/concepts/registry.md) and Docker images, as well as info on them.

#### container-registry.images.scanner {#container-registry-images-scanner}

The `container-registry.images.scanner` role enables scanning Docker images for vulnerabilities, as well as viewing info on registries, Docker images, repositories, the relevant cloud and folder, and the Container Registry quotas.

Users with this role can:
* View the list of [Docker images](../container-registry/concepts/docker-image.md) in the registry and info on them, as well as download Docker images from the registry.
* [Start](../container-registry/operations/scanning-docker-image.md#manual) and cancel Docker image vulnerability scans, as well as view scan history and the info on scan results.
* View the list of [registries](../container-registry/concepts/registry.md), info on them and the [access permissions](concepts/access-control/index.md) granted for them, as well as on the [access policy settings](../container-registry/operations/registry/registry-access.md) for IP addresses and the [vulnerability scanner](../container-registry/concepts/vulnerability-scanner.md) settings.
* View info on [repositories](../container-registry/concepts/repository.md) and the access permissions granted for them.
* View the list of the Docker image auto-delete [policies](../container-registry/concepts/lifecycle-policy.md) and info on them.
* View the list of the [testing](../container-registry/operations/lifecycle-policy/lifecycle-policy-dry-run.md) results for Docker image auto-delete policies and info on such results.
* View info on the Container Registry [quotas](../container-registry/concepts/limits.md#container-registry-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `container-registry.viewer` permissions.

For more information, see [Access management in Container Registry](../container-registry/security/index.md).


## Yandex Data Catalog {#data-catalog-roles}

#### data-catalog.auditor {#data-catalog-auditor}

The `data-catalog.auditor` role enables viewing info on Data Catalogs resources and quotes.

Users with this role can:
* View info on catalogs in Data Catalog and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [domains](concepts/access-control/index.md)in Data Catalog and access permissions granted for them.
* View info on [sources and downloads](concepts/access-control/index.md) in Data Catalog.
* View info on data and data links in Data Catalog.
* View info on [glossaries and terms](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) links in Data Catalog.
* View info on [classifications and tags](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) links in Data Catalog.
* View info on the Data Catalog [quotes](../metadata-hub/concepts/limits.md#data-catalog-quota).

This role includes the `data-catalog.catalogs.auditor`, `data-catalog.domains.auditor`, `data-catalog.ingestionSources.auditor`, `data-catalog.ingestions.auditor`, `data-catalog.assets.auditor`, `data-catalog.lineages.auditor`, `data-catalog.glossaries.auditor`, `data-catalog.glossaryTerms.auditor`, `data-catalog.classifications.auditor`, and `data-catalog.classificationTags.auditor` permissions.

#### data-catalog.viewer {#data-catalog-viewer}

The `data-catalog.viewer` role enables viewing info on Data Catalogs resources and quotes.

Users with this role can:
* View info on catalogs in Data Catalog and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [domains](concepts/access-control/index.md)in Data Catalog and access permissions granted for them.
* View info on [sources and downloads](concepts/access-control/index.md) in Data Catalog.
* View info on data and data links in Data Catalog.
* View info on [glossaries and terms](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) links in Data Catalog.
* View info on [classifications and tags](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) links in Data Catalog.
* View info on the Data Catalog [quotes](../metadata-hub/concepts/limits.md#data-catalog-quota).

This role includes the `data-catalog.auditor` permissions.

#### data-catalog.editor {#data-catalog-editor}

The `data-catalog.editor` role enables managing Data Catalog resources.

Users with this role can:
* View info on catalogs in Data Catalog and [access permissions](concepts/access-control/index.md) granted for them as well as create, modify, and delete such catalogs.
* View info on [domains](concepts/access-control/index.md) in Data Catalog and access permissions granted for them as well as create, use, modify, and delete such catalogs.
* View info on [sources](concepts/access-control/index.md) in Data Catalog as well as create, modify, and delete them.
* View info on [downloads](../metadata-hub/concepts/data-catalog.md#metadata-upload) in Data Catalog as well as create, modify, and delete them.
* View info on data in Data Catalog as well as create, modify, and delete such data.
* View info on data links in Data Catalog as well as create, modify, and delete them.
* View info on [glossaries](concepts/access-control/index.md) in Data Catalog as well as create, modify, and delete them.
* View info on [terms](concepts/access-control/index.md) in Data Catalog as well as create, use, modify, and delete them.
* View info on [classifications](concepts/access-control/index.md) in Data Catalog as well as create, modify, and delete them.
* View info on [tags](concepts/access-control/index.md) in Data Catalog as well as create, use, modify, and delete them.
* View info on the Data Catalog [quotes](../metadata-hub/concepts/limits.md#data-catalog-quota).

This role includes the `data-catalog.catalogs.editor`, `data-catalog.domains.editor`, `data-catalog.ingestionSources.editor`, `data-catalog.ingestions.editor`, `data-catalog.assets.editor`, `data-catalog.lineages.editor`, `data-catalog.glossaries.editor`, `data-catalog.glossaryTerms.editor`, `data-catalog.classifications.editor`, and `data-catalog.classificationTags.editor` permissions.

#### data-catalog.admin {#data-catalog-admin}

The `data-catalog.admin` role enables managing Data Catalog resources and access to them.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) granted for catalogs in Data Catalog and modify such permissions.
* View info on catalogs in Data Catalog as well as create, modify, and delete them.
* View info on access permissions granted for domains in Data Catalog and modify such permissions.
* View info on [domains](concepts/access-control/index.md) in Data Catalog as well as create, use, modify, and delete them.
* View info on [sources](concepts/access-control/index.md) in Data Catalog as well as create, modify, and delete them.
* View info on [downloads](concepts/access-control/index.md) in Data Catalog as well as start, stop, modify, and delete them.
* View info on data in Data Catalog as well as create, modify, and delete such data.
* View info on data links in Data Catalog as well as create, modify, and delete them.
* View info on [glossaries](concepts/access-control/index.md) in Data Catalog as well as create, modify, and delete them.
* View info on [terms](concepts/access-control/index.md) in Data Catalog as well as create, use, modify, and delete them.
* View info on [classifications](concepts/access-control/index.md) in Data Catalog as well as create, modify, and delete them.
* View info on [tags](concepts/access-control/index.md) in Data Catalog as well as create, use, modify, and delete them.
* View info on the Data Catalog [quotes](../metadata-hub/concepts/limits.md#data-catalog-quota).

This role includes the `data-catalog.catalogs.admin`, `data-catalog.domains.admin`, `data-catalog.ingestionSources.admin`, `data-catalog.ingestions.admin`, `data-catalog.assets.admin`, `data-catalog.lineages.admin`, `data-catalog.glossaries.admin`, `data-catalog.glossaryTerms.admin`, `data-catalog.classifications.admin`, and `data-catalog.classificationTags.admin` permissions.

#### data-catalog.dataSteward {#data-catalog-dataSteward}

The `data-catalog.dataSteward` role enables viewing info on Data Catalogs resources, using and modifying such resources, and managing Data Catalog downloads.

Users with this role can:
* View info on catalogs in Data Catalog and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [domains](../metadata-hub/concepts/data-catalog.md#domains-and-subdomains) in Data Catalog and access permissions granted for them, as well as use and modify such domains.
* View info on [sources](../metadata-hub/concepts/data-catalog.md#metadata-upload) in Data Catalog and modify them.
* View info on [downloads](../metadata-hub/concepts/data-catalog.md#metadata-upload) in Data Catalog as well as start, stop, and modify them.
* View info on data and data links in Data Catalog as well as modify such data and data links.
* View info on [glossaries](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog and modify them.
* View info on [terms](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog as well as use and modify them.
* View info on [classifications](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog and modify them.
* View info on [tags](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog as well as use and modify them.
* View info on the Data Catalog [quotes](../metadata-hub/concepts/limits.md#data-catalog-quota).

This role includes the `data-catalog.dataConsumer` permissions.

#### data-catalog.dataConsumer {#data-catalog-dataConsumer}

The `data-catalog.dataConsumer` role enables viewing info on Data Catalogs resources as well as using and modifying them.

This role does not enable modifying sources or managing Data Catalog downloads.

Users with this role can:
* View info on catalogs in Data Catalog and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [domains](../metadata-hub/concepts/data-catalog.md#domains-and-subdomains) in Data Catalog and access permissions granted for them, as well as use and modify such domains.
* View info on [sources and downloads](concepts/access-control/index.md) in Data Catalog.
* View info on data and data links in Data Catalog as well as modify such data and data links.
* View info on [glossaries](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog and modify them.
* View info on [terms](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog as well as use and modify them.
* View info on [classifications](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog and modify them.
* View info on [tags](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog as well as use and modify them.
* View info on the Data Catalog [quotes](../metadata-hub/concepts/limits.md#data-catalog-quota).

This role includes the `data-catalog.viewer` and `data-catalog.user` permissions.

#### data-catalog.user {#data-catalog-user}

The `data-catalog.user` role enables viewing info on [domains](../metadata-hub/concepts/data-catalog.md#classifications-and-tags), [tags](../metadata-hub/concepts/data-catalog.md#classifications-and-tags), and [terms](../metadata-hub/concepts/data-catalog.md#classifications-and-tags) in Data Catalog as well as using such domains, tags, and terms.

This role includes the `data-catalog.domains.user`, `data-catalog.classificationTags.user`, and `data-catalog.glossaryTerms.user` permissions.

#### data-catalog.catalogs.auditor {#data-catalog-catalogs-auditor}

The `data-catalog.catalogs.auditor` role enables viewing info on catalogs in Data Catalog, [access permissions](concepts/access-control/index.md) granted for them, and the Data Catalog [quotes](../metadata-hub/concepts/limits.md#data-catalog-quota).

#### data-catalog.catalogs.viewer {#data-catalog-catalogs-viewer}

The `data-catalog.catalogs.viewer` role enables viewing info on catalogs in Data Catalog, [access permissions](concepts/access-control/index.md) granted for them, and the Data Catalog [quotes](../metadata-hub/concepts/limits.md#data-catalog-quota).

This role includes the `data-catalog.catalogs.auditor` permissions.

#### data-catalog.catalogs.editor {#data-catalog-catalogs-editor}

The `data-catalog.catalogs.editor` role enables viewing info on catalogs in Data Catalog and managing them.

Users with this role can:
* View info on catalogs in Data Catalog as well as create, modify, and delete them.
* View info on [access permissions](concepts/access-control/index.md) granted to catalogs in Data Catalog.
* View info on the Data Catalog [quotes](../metadata-hub/concepts/limits.md#data-catalog-quota).

This role includes the `data-catalog.catalogs.viewer` permissions.

#### data-catalog.catalogs.admin {#data-catalog-catalogs-admin}

The `data-catalog.catalogs.admin` role enables managing catalogs and access to them in Data Catalog.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) granted for catalogs in Data Catalog and modify such permissions.
* View info on catalogs in Data Catalog as well as create, modify, and delete them.
* View info on the Data Catalog [quotes](../metadata-hub/concepts/limits.md#data-catalog-quota).

This role includes the `data-catalog.catalogs.editor` permissions.

#### data-catalog.assets.auditor {#data-catalog-assets-auditor}

The `data-catalog.assets.auditor` role enables viewing info on data in Data Catalog.

#### data-catalog.assets.viewer {#data-catalog-assets-viewer}

The `data-catalog.catalogs.viewer` role enables viewing info on catalogs in Data Catalog, [access permissions](concepts/access-control/index.md) granted for them, and the Data Catalog [quotes](../metadata-hub/concepts/limits.md#data-catalog-quota).

This role includes the `data-catalog.catalogs.auditor` permissions.

#### data-catalog.assets.editor {#data-catalog-assets-editor}

The `data-catalog.assets.editor` role enables viewing info on data in Data Catalog as well as creating, modifying, and deleting such data.

This role includes the `data-catalog.assets.viewer` permissions.

#### data-catalog.assets.admin {#data-catalog-assets-admin}

The `data-catalog.catalogs.admin` role enables managing catalogs and access to them in Data Catalog.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) granted for catalogs in Data Catalog and modify such permissions.
* View info on catalogs in Data Catalog as well as create, modify, and delete them.
* View info on the Data Catalog [quotes](../metadata-hub/concepts/limits.md#data-catalog-quota).

This role includes the `data-catalog.catalogs.editor` permissions.

#### data-catalog.classifications.auditor {#data-catalog-classifications-auditor}

The `data-catalog.classifications.auditor` role enables viewing info on [classifications](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog.

#### data-catalog.classifications.viewer {#data-catalog-classifications-viewer}

The `data-catalog.classifications.viewer` role enables viewing info on [classifications](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog.

This role includes the `data-catalog.classifications.auditor` permissions.

#### data-catalog.classifications.editor {#data-catalog-classifications-editor}

The `data-catalog.classifications.editor` role enables viewing info on [classifications](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog as well as creating, modifying, and deleting them.

This role includes the `data-catalog.classifications.viewer` permissions.

#### data-catalog.classifications.admin {#data-catalog-classifications-admin}

The `data-catalog.classifications.admin` role enables viewing info on [classifications](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog as well as creating, modifying, and deleting them.

This role includes the `data-catalog.classifications.editor` permissions.

#### data-catalog.classificationsTags.auditor {#data-catalog-classificationTags-auditor}

The `data-catalog.classificationTags.auditor` role enables viewing info on [tags](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog.

#### data-catalog.classificationsTags.viewer {#data-catalog-classificationTags-viewer}

The `data-catalog.classificationTags.viewer` role enables viewing info on [tags](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog.

This role includes the `data-catalog.classificationTags.auditor` permissions.

#### data-catalog.classificationsTags.user {#data-catalog-classificationTags-user}

The `data-catalog.classificationTags.user` role enables viewing info on [tags](../metadata-hub/concepts/data-catalog.md#classifications-and-tags) in Data Catalog and using them.

#### data-catalog.classificationsTags.editor {#data-catalog-classificationTags-editor}

The `data-catalog.classificationTags.editor` role enables viewing info on [tags](concepts/access-control/index.md) in Data Catalog as well as creating, using, modifying, and deleting them.

This role includes the `data-catalog.classificationTags.viewer` and `data-catalog.classificationTags.user` permissions.

#### data-catalog.classificationsTags.admin {#data-catalog-classificationTags-admin}

The `data-catalog.classificationTags.admin` role enables viewing info on [tags](concepts/access-control/index.md) in Data Catalog as well as creating, using, modifying, and deleting them.

This role includes the `data-catalog.classificationTags.editor` permissions.

#### data-catalog.domains.auditor {#data-catalog-domains-auditor}

The `data-catalog.domains.auditor` role enables viewing info on [domains](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog and on [access permissions](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) granted for them.

#### data-catalog.domains.viewer {#data-catalog-domains-viewer}

The `data-catalog.domains.viewer` role enables viewing info on [domains](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog and on [access permissions](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) granted for them.

This role includes the `data-catalog.domains.auditor` permissions.

#### data-catalog.domains.user {#data-catalog-domains-user}

The `data-catalog.domains.user` role enables viewing info on [domains](../metadata-hub/concepts/data-catalog.md#domains-and-subdomains) in Data Catalog and using them.

#### data-catalog.domains.editor {#data-catalog-domains-editor}

The `data-catalog.domains.editor` role enables viewing info on domains in Data Catalog and managing them.

Users with this role can:
* View info on [domains](concepts/access-control/index.md) in Data Catalog as well as creating, using, modifying, and deleting them.
* View info on [access permissions](concepts/access-control/index.md) granted for domains in Data Catalog.

This role includes the `data-catalog.domains.viewer` and `data-catalog.domains.user` permissions.

#### data-catalog.domains.admin {#data-catalog-domains-admin}

The `data-catalog.domains.admin` role enables managing domains and access to them in Data Catalog.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) granted for domains in Data Catalog and modify such permissions.
* View info on [domains](concepts/access-control/index.md) in Data Catalog as well as create, use, modify, and delete them.

This role includes the `data-catalog.domains.editor` permissions.

#### data-catalog.glossaries.auditor {#data-catalog-glossaries-auditor}

The `data-catalog.glossaries.auditor` role enables viewing info on [glossaries](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog.

#### data-catalog.glossaries.viewer {#data-catalog-glossaries-viewer}

The `data-catalog.glossaries.viewer` role enables viewing info on [glossaries](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog.

This role includes the `data-catalog.glossaries.auditor` permissions.

#### data-catalog.glossaries.editor {#data-catalog-glossaries-editor}

The `data-catalog.glossaries.editor` role enables viewing info on [glossaries](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog as well as creating, modifying, and deleting them.

This role includes the `data-catalog.glossaries.viewer` permissions.

#### data-catalog.glossaries.admin {#data-catalog-glossaries-admin}

The `data-catalog.glossaries.admin` role enables viewing info on [glossaries](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog as well as creating, modifying, and deleting them.

This role includes the `data-catalog.glossaries.editor` permissions.

#### data-catalog.glossaryTerms.auditor {#data-catalog-glossaryTerms-auditor}

The `data-catalog.glossaryTerms.auditor` role enables viewing info on [terms](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog.

#### data-catalog.glossaryTerms.viewer {#data-catalog-glossaryTerms-viewer}

The `data-catalog.glossaryTerms.viewer` role enables viewing info on [terms](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog.

This role includes the `data-catalog.glossaryTerms.auditor` permissions.

#### data-catalog.glossaryTerms.user {#data-catalog-glossaryTerms-user}

The `data-catalog.glossaryTerms.user` role enables viewing info on [terms](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog and using them.

#### data-catalog.glossaryTerms.editor {#data-catalog-glossaryTerms-editor}

The `data-catalog.glossaryTerms.editor` role enables viewing info on [terms](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog as well as creating, using, modifying, and deleting them.

This role includes the `data-catalog.glossaryTerms.viewer` and `data-catalog.glossaryTerms.user` permissions.

#### data-catalog.glossaryTerms.admin {#data-catalog-glossaryTerms-admin}

The `data-catalog.glossaryTerms.admin` role enables viewing info on [terms](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog as well as creating, using, modifying, and deleting them.

This role includes the `data-catalog.glossaryTerms.editor` permissions.

#### data-catalog.ingestions.auditor {#data-catalog-ingestions-auditor}

The `data-catalog.ingestions.auditor` role enables viewing info on [downloads](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog.

#### data-catalog.ingestions.viewer {#data-catalog-ingestions-viewer}

The `data-catalog.ingestions.viewer` role enables viewing info on [downloads](../metadata-hub/concepts/data-catalog.md#glossaries-and-terms) in Data Catalog.

This role includes the `data-catalog.ingestions.auditor` permissions.

#### data-catalog.ingestions.editor {#data-catalog-ingestions-editor}

The `data-catalog.ingestions.editor` role enables viewing info on [downloads](../metadata-hub/concepts/data-catalog.md#metadata-upload) in Data Catalog as well as creating, modifying, and deleting them.

This role includes the `data-catalog.ingestions.viewer` permissions.

#### data-catalog.ingestions.admin {#data-catalog-ingestions-admin}

The `data-catalog.ingestions.admin` role enables viewing info on [downloads](concepts/access-control/index.md) in Data Catalog as well as creating, starting, stopping, modifying, and deleting them.

This role includes the `data-catalog.ingestions.editor` permissions.

#### data-catalog.ingestionSources.auditor {#data-catalog-ingestionSources-auditor}

The `data-catalog.ingestionSources.auditor` role enables viewing info on [sources](../metadata-hub/concepts/data-catalog.md#metadata-upload) in Data Catalog.

#### data-catalog.ingestionSources.viewer {#data-catalog-ingestionSources-viewer}

The `data-catalog.ingestionSources.viewer` role enables viewing info on [sources](../metadata-hub/concepts/data-catalog.md#metadata-upload) in Data Catalog.

This role includes the `data-catalog.ingestionSources.auditor` permissions.

#### data-catalog.ingestionSources.editor {#data-catalog-ingestionSources-editor}

The `data-catalog.ingestionSources.editor` role enables viewing info on [sources](../metadata-hub/concepts/data-catalog.md#metadata-upload) in Data Catalog as well as creating, modifying, and deleting them.

This role includes the `data-catalog.ingestionSources.viewer` permissions.

#### data-catalog.ingestionSources.admin {#data-catalog-ingestionSources-admin}

The `data-catalog.ingestionSources.admin` role enables viewing info on [sources](../metadata-hub/concepts/data-catalog.md#metadata-upload) in Data Catalog as well as creating, modifying, and deleting them.

This role includes the `data-catalog.ingestionSources.editor` permissions.

#### data-catalog.lineages.auditor {#data-catalog-lineages-auditor}

The `data-catalog.lineages.auditor` role enables viewing info on data links in Data Catalog.

#### data-catalog.lineages.viewer {#data-catalog-lineages-viewer}

The `data-catalog.lineages.viewer` role enables viewing info on data links in Data Catalog.

This role includes the `data-catalog.lineages.auditor` permissions.

#### data-catalog.lineages.editor {#data-catalog-lineages-editor}

The `data-catalog.lineages.editor` role enables viewing info on data links in Data Catalog as well as creating, modifying, and deleting them.

This role includes the `data-catalog.lineages.viewer` permissions.

#### data-catalog.lineages.admin {#data-catalog-lineages-admin}

The `data-catalog.lineages.admin` role enables viewing info on data links in Data Catalog as well as creating, modifying, and deleting them.

This role includes the `data-catalog.lineages.editor` permissions.

For more information, see [Service roles to manage metadata in Yandex Data Catalog](../metadata-hub/security/data-catalog-roles.md).


## Yandex DataLens {#datalens-roles}

#### datalens.workbooks.limitedViewer {#datalens-workbooks-limitedViewer}

You can assign the `datalens.workbooks.limitedViewer` role to a [workbook](../datalens/workbooks-collections/index.md). With it, you can view all the workbook's nested [charts](../datalens/concepts/chart/index.md), [dashboards](../datalens/concepts/dashboard.md), and [reports](../datalens/reports/index.md), as well as info on the [access permissions](concepts/access-control/index.md) granted for the workbook. In the DataLens UI, this role is referred to as `Limited viewer`. You may want to only assign this role through the DataLens UI.

#### datalens.workbooks.viewer {#datalens-workbooks-viewer}

You can assign the `datalens.workbooks.viewer` role to a [workbook](../datalens/workbooks-collections/index.md). With it, you can view all workbook's nested [objects](../datalens/concepts/index.md#component-interrelation) and the info on the [access permissions](concepts/access-control/index.md) granted for such a workbook. In the DataLens UI, this role is referred to as `Viewer`. You may want to only assign this role through the DataLens UI.

This role includes the `datalens.workbooks.limitedViewer` permissions.

#### datalens.workbooks.editor {#datalens-workbooks-editor}

You can assign the `datalens.workbooks.editor` role to a workbook. With it, you can edit both the workbook and all its nested objects. In the DataLens UI, this role is referred to as `Editor`. You may want to only assign this role through the DataLens UI.

Users with this role can:
* Edit the relevant [workbook](../datalens/workbooks-collections/index.md) and create copies of it.
* View and edit all workbook's nested [objects](../datalens/concepts/index.md#component-interrelation).
* View info on the [access permissions](concepts/access-control/index.md) granted for the workbook.

This role includes the `datalens.workbooks.viewer` permissions.

#### datalens.workbooks.admin {#datalens-workbooks-admin}

You can assign the `datalens.workbooks.admin` role to a workbook. With it, you can manage the relevant workbook and access to it, as well as all its nested objects. In the DataLens UI, this role is referred to as `Admin`. You may want to only assign this role through the DataLens UI.

Users with this role can:
* View info on the [access permissions](concepts/access-control/index.md) granted for the relevant [workbook](../datalens/workbooks-collections/index.md) and modify such permissions.
* Edit, move, create copies of, and delete the relevant workbook.
* View and edit all workbook's nested [objects](../datalens/concepts/index.md#component-interrelation).
* [Embed](../datalens/security/private-embedded-objects.md) the workbook's nested private objects to websites and apps.
* [Publish](../datalens/concepts/datalens-public.md#how-to-publish) the workbook's nested objects.

This role includes the `datalens.workbooks.editor` permissions.

#### datalens.collections.visitor {#datalens-collections-visitor}

The `datalens.collections.visitor` is assigned for a collection and enables viewing info on it without access to its nested objects. In the DataLens UI, this role is referred to as `Visitor of collection`. We recommend assigning this role only via the DataLens UI.

#### datalens.collections.limitedViewer {#datalens-collections-limitedViewer}

You can assign the `datalens.collections.limitedViewer` role to a collection. It allows you to view info on the collection and its nested collections and workbooks, which includes viewing charts, dashboards, and reports of the nested workbooks. In the DataLens UI, this role is referred to as `Limited viewer`. You may want to only assign this role through the DataLens UI.

Users with this role can:
* View info on the relevant collection and its nested [workbooks and collections](../datalens/workbooks-collections/index.md).
* View info on the [access permissions](concepts/access-control/index.md) granted for the appropriate collection, as well as for its nested collections and workbooks.
* View [charts](../datalens/concepts/chart/index.md), [dashboards](../datalens/concepts/dashboard.md), and [reports](../datalens/reports/index.md) nested into the workbooks related to the appropriate collection and its nested collections.

This role includes the `datalens.workbooks.limitedViewer` permissions.

#### datalens.collections.viewer {#datalens-collections-viewer}

You can assign the `datalens.collections.viewer` role to a collection. It allows you to view the info on it and its nested collections and workbooks, as well as view all nested workbook objects. In the DataLens UI, this role is referred to as `Viewer`. You may want to only assign this role through the DataLens UI.

Users with this role can:
* View info on the relevant collection and its nested [workbooks and collections](../datalens/workbooks-collections/index.md).
* View info on the [access permissions](concepts/access-control/index.md) granted for the appropriate collection, as well as for its nested collections and workbooks.
* View all nested [objects](../datalens/concepts/index.md#component-interrelation) of the workbooks related to the appropriate collection and its nested collections.

This role includes the `datalens.collections.limitedViewer` and `datalens.workbooks.viewer` permissions.

#### datalens.collections.limitedEntryBindingCreator {#datalens-collections-limitedEntryBindingCreator}

The `datalens.collections.limitedEntryBindingCreator` role is assigned for a collection and enables re-using common objects from it without delegation of access permissions. In the DataLens UI, this role is referred to as `Bindings without delegation`. We recommend assigning this role only via the DataLens UI.

This role includes the `datalens.sharedEntries.limitedEntryBindingCreator` permissions.

#### datalens.collections.entryBindingCreator {#datalens-collections-entryBindingCreator}

The `datalens.collections.entryBindingCreator` role is assigned for a collection and enables re-using common objects from it, both with and without delegation of access permissions. In the DataLens UI, this role is referred to as `Bindings with delegation`. We recommend assigning this role only via the DataLens UI.

This role includes the `datalens.sharedEntries.entryBindingCreator` permissions.

#### datalens.collections.creator {#datalens-collections-creator}

The `datalens.collections.creator` is assigned for a collection and enables viewing it as well as creating objects within it without access to any other objects residing within the collection. In the DataLens UI, this role is referred to as `Creator in collection`. We recommend assigning this role only via the DataLens UI.

This role includes the `datalens.collections.visitor` permissions.

#### datalens.collections.editor {#datalens-collections-editor}

The `datalens.collections.editor` role is assigned for a collection and enables editing it and all its nested collections, workbooks, and all objects within such workbooks. In the DataLens UI, this role is referred to as `Editor`. We recommend assigning this role only via the DataLens UI.

Users with this role can:
* View info on the relevant collection and its nested [collections and workbooks](../datalens/workbooks-collections/index.md).
* Edit the appropriate collection and all its nested collections and workbooks.
* Create copies of the appropriate collection's nested workbooks.
* Create new collections and workbooks within the relevant collection and all its nested ones.
* View and edit all nested [objects](../datalens/concepts/index.md#component-interrelation) of the workbooks pertaining to the appropriate collection and its nested collections.
* View info on the [access permissions](concepts/access-control/index.md) granted for the appropriate collection, as well as for its nested collections and workbooks.

This role includes the `datalens.collections.viewer` and `datalens.workbooks.editor` permissions.

#### datalens.collections.admin {#datalens-collections-admin}

The `datalens.collections.admin` role is assigned for a collection and enables managing this collection and access to it, as well as all its nested collections, workbooks, and all objects within such workbooks. In the DataLens UI, this role is referred to as `Admin`. We recommend assigning this role only via the DataLens UI.

Users with this role can:
* View info on the [access permissions](concepts/access-control/index.md) granted for the appropriate collection and for its nested [collections and workbooks](../datalens/workbooks-collections/index.md), as well as modify such access permissions.
* View info on the appropriate collection and its nested collections and workbooks.
* Edit the appropriate collection and all its nested collections and workbooks.
* Create copies of the appropriate collection's nested workbooks.
* Move and delete the relevant collection and all its nested collections and workbooks.
* Create new collections and workbooks within the relevant collection.
* View and edit all nested [objects](../datalens/concepts/index.md#component-interrelation) of the workbooks pertaining to the appropriate collection and its nested collections.
* [Embed](../datalens/security/private-embedded-objects.md) private objects nested into workbooks related to the relevant collection and its nested ones, to websites and apps.
* [Publish](../datalens/concepts/datalens-public.md#how-to-publish) objects nested into the workbooks related to the appropriate collection and its nested collections.

This role includes the `datalens.collections.editor` and `datalens.workbooks.admin` permissions.

#### datalens.visitor {#datalens-visitor}

The `datalens.visitor` role grants access to DataLens. You can view and edit [workbooks and collections](../datalens/workbooks-collections/index.md) if you have the appropriate [roles](#workbooks-collections-roles) that grant access to these workbooks and collections.

#### datalens.creator {#datalens-creator}

The `datalens.creator` role grants access to DataLens with a permission to create [workbooks and collections](../datalens/workbooks-collections/index.md) in the DataLens root. You can view and edit workbooks and collections created by other users only if you have [access permissions](#workbooks-collections-roles) to these workbooks and collections.

This role includes the `datalens.visitor` permissions.

#### datalens.admin {#datalens-admin}

The `datalens.admin` role grants full access to DataLens and any of its [workbooks and collections](../datalens/workbooks-collections/index.md).

This role includes the `datalens.creator` and `datalens.metaReader` permissions.

#### datalens.instances.user {#datalens-instances-user}

The `datalens.instances.user` role grants access to DataLens as a user with permissions to create, read, and edit objects according to the permissions to [objects](../datalens/concepts/index.md#component-interrelation) and allows to view information on organization [folders](../resource-manager/concepts/resources-hierarchy.md#folder).

After you assign a service role, you can grant the user permissions to objects and directories in DataLens.

{% note tip %}

We recommend using the `datalens.creator` role instead of the `datalens.instances.user` one. The two roles grant identical permissions, but using `datalens.creator` is safer, because it only allows access to the DataLens instance, and disallows viewing all organization folders.

{% endnote %}

#### datalens.instances.admin {#datalens-instances-admin}

The `datalens.instances.admin` role allows you to access DataLens as a DataLens instance administrator. Administrators have full access to all [objects](../datalens/concepts/index.md#component-interrelation) and folders in DataLens, as well as to DataLens settings. The role also allows you to view information on organization [folders](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `datalens.instances.user` permissions.

{% note tip %}

We recommend using the `datalens.admin` role instead of the `datalens.instances.admin` one. The two roles grant identical permissions, but using `datalens.admin` is safer, because it only allows access to the DataLens instance, and disallows viewing all organization folders.

{% endnote %}

#### datalens.metaReader {#datalens-metaReader}

The `datalens.metaReader` role enables executing requests from the [Audit](https://api.datalens.tech/#/Audit) section in the [DataLens Public API](../datalens/operations/api-start.md), as well as requests to get DataLens entities.

You can get the following entities:

* Connection: `getConnection` [method](https://api.datalens.tech/#/Connection/post_rpc_getConnection)
* Dataset: `getDataset` [method](https://api.datalens.tech/#/Dataset/post_rpc_getDataset)
* Wizard chart: `getWizardChart` [method](https://api.datalens.tech/#/Wizard/post_rpc_getWizardChart)
* Editor chart: `getEditorChart` [method](https://api.datalens.tech/#/Editor/post_rpc_getEditorChart)
* QL chart: `getQLChart` [method](https://api.datalens.tech/#/QL/post_rpc_getQLChart)
* Dashboard: `getDashboard` [method](https://api.datalens.tech/#/Dashboard/post_rpc_getDashboard)
* Report: `getReport` [method](https://api.datalens.tech/#/Reports/post_rpc_getReport)

{% note warning %}

Getting entities will only work if the request includes the `x-dl-audit-mode` heading with the `true` value.

{% endnote %}

For more information, see [Yandex DataLens roles](../datalens/security/roles.md).


## Yandex Data Processing {#dataproc-roles}

#### dataproc.agent {#dataproc-agent}

The `dataproc.agent` role allows the [service account](concepts/users/service-accounts.md) linked to the Yandex Data Processing cluster to notify Data Proc of the cluster host state. You can assign this role to a service account linked to the Yandex Data Processing cluster.

Service accounts with this role can:
* Notify Yandex Data Processing of the [cluster](../data-proc/concepts/index.md#resources) host state.
* Get info on [jobs](../data-proc/concepts/jobs.md) and their progress statuses.
* Get info on [log groups](../logging/concepts/log-group.md) and add entries to them.

Currently, you can only assign this role for a folder or cloud.

#### dataproc.auditor {#dataproc-auditor}

The `dataproc.auditor` role allows you to view information on Yandex Data Processing [clusters](../data-proc/concepts/index.md#resources).

#### dataproc.viewer {#dataproc-viewer}

The `dataproc.viewer` role allows you to view information on Yandex Data Processing [clusters](../data-proc/concepts/index.md#resources) and [jobs](../data-proc/concepts/jobs.md).

#### dataproc.user {#dataproc-user}

The `dataproc.user` role grants access to the Yandex Data Processing component web interfaces and enables creating jobs and viewing info on Yandex Cloud managed DB clusters.

{% cut "Users with this role can:" %}

* View info on Yandex Data Processing [clusters](../data-proc/concepts/index.md#resources) and [jobs](../data-proc/concepts/jobs.md), as well as create jobs.
* Use the web interface to access the Yandex Data Processing components.
* View info on [ClickHouse®](../managed-clickhouse/concepts/index.md), [Yandex MPP Analytics for PostgreSQL](../managed-greenplum/concepts/index.md), [Apache Kafka®](../managed-kafka/concepts/index.md), [Yandex StoreDoc](../storedoc/concepts/index.md), [MySQL®](../managed-mysql/concepts/index.md), [PostgreSQL](../managed-postgresql/concepts/index.md), [Valkey™](../managed-valkey/concepts/index.md), [OpenSearch](../managed-opensearch/concepts/index.md), and SQL Server clusters.
* View info on [Yandex MPP Analytics for PostgreSQL](../managed-greenplum/concepts/instance-types.md), [Yandex StoreDoc](../storedoc/concepts/instance-types.md), [MySQL®](../managed-mysql/concepts/instance-types.md), [PostgreSQL](../managed-postgresql/concepts/instance-types.md), [Valkey™](../managed-valkey/concepts/instance-types.md), and SQL Server cluster hosts.
* View info on database backups for [Yandex MPP Analytics for PostgreSQL](../managed-greenplum/concepts/backup.md), [Yandex StoreDoc](../storedoc/concepts/backup.md), [MySQL®](../managed-mysql/concepts/backup.md), [PostgreSQL](../managed-postgresql/concepts/backup.md), [Valkey™](../managed-valkey/concepts/backup.md), and SQL Server clusters.
* View info on [Yandex StoreDoc](../storedoc/concepts/users-and-roles.md), [MySQL®](../managed-mysql/concepts/user-rights.md), [PostgreSQL](../managed-postgresql/concepts/roles.md), and SQL Server cluster users.
* View info on Yandex StoreDoc, MySQL®, PostgreSQL, and SQL Server DBs.
* View info on Yandex StoreDoc, MySQL®, PostgreSQL, and Valkey™ alerts.
* View info on the results of Yandex MPP Analytics for PostgreSQL, Yandex StoreDoc, MySQL®, and PostgreSQL cluster performance diagnostics.
* View info on [Yandex StoreDoc](../storedoc/concepts/sharding.md) and [Valkey™](../managed-valkey/concepts/sharding.md) cluster shards.
* View Yandex MPP Analytics for PostgreSQL, Yandex StoreDoc, MySQL®, PostgreSQL, Valkey™, and SQL Server cluster logs.
* View info on [Managed Service for ClickHouse®](../managed-clickhouse/concepts/limits.md#mch-quotas), [Managed Service for Apache Kafka®](../managed-kafka/concepts/limits.md#mkf-quotas), [Managed Service for OpenSearch](../managed-opensearch/concepts/limits.md#quotas), [Yandex MPP Analytics for PostgreSQL](../managed-greenplum/concepts/limits.md#quotas), [Yandex StoreDoc](../storedoc/concepts/limits.md#mmg-quotas), [Managed Service for MySQL®](../managed-mysql/concepts/limits.md#mmy-quotas), [Managed Service for PostgreSQL](../managed-postgresql/concepts/limits.md#mpg-quotas), [Yandex Managed Service for Valkey™](../managed-valkey/concepts/limits.md#mrd-quotas), and SQL Server quotas.
* View info on resource operations for all Yandex Cloud managed DB services.
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `dataproc.viewer` and `mdb.viewer` permissions.

#### dataproc.provisioner {#dataproc-provisioner}

The `dataproc.provisioner` role grants access to the API to create, update, and delete Yandex Data Processing cluster objects.

{% cut "Users with this role can:" %}

* View information on [DNS zones](../dns/concepts/dns-zone.md) as well as create, use, modify, and delete them.
* View information on [resource records](../dns/concepts/resource-record.md) as well as create, modify, and delete them.
* Create nested public DNS zones.
* View info on granted [access permissions](concepts/access-control/index.md) for DNS zones.
* View information on available [platforms](../compute/concepts/vm-platforms.md) and use them.
* Create, modify, start, restart, stop, move, and delete [instances](../compute/concepts/vm.md).
* View the list of instances, information on instances and on granted access permissions for them.
* Connect and disconnect disks, file storages, and network interfaces to and from instances, as well as link [security groups](../vpc/concepts/security-groups.md) to instance network interfaces.
* Create instances with custom [FQDNs](../vpc/concepts/address.md#fqdn) and create multi-interface instances.
* Bind [service accounts](concepts/users/service-accounts.md) to instances and activate AWS v1 tokens on instances.
* View the list of service accounts and info on them, as well as perform operations on behalf of a service account.
* Use the instance [serial port](../compute/operations/vm-info/get-serial-port-output.md) for reading and writing.
* Simulate instance maintenance events.
* View instance [metadata](../compute/concepts/vm-metadata.md).
* View information on the status of configuring access via [OS Login](../organization/concepts/os-login.md) on instances and connect to instances via OS Login using SSH certificates or SSH keys.
* View the list of [instance groups](../compute/concepts/instance-groups/index.md), information on instance groups and on granted access permissions for them, as well as use, create, modify, start, stop, and delete instance groups.
* View the list of [instance placement groups](../compute/concepts/placement-groups.md), information on instance placement groups and on granted access permissions for them, as well as use, modify, and delete instance placement groups.
* View lists of instances in placement groups.
* View the list of [dedicated host groups](../compute/concepts/dedicated-host.md#host-group-size), information on dedicated host groups and on granted access permissions for them, as well as use, modify, and delete dedicated host groups.
* View lists of [hosts](../compute/concepts/dedicated-host.md) and instances in dedicated host groups.
* Modify scheduled maintenance windows for hosts in dedicated host groups.
* Use [GPU clusters](../compute/concepts/gpus.md#gpu-clusters), as well as create, modify, and delete them.
* View info on GPU clusters and instances included in GPU clusters, as well as on granted access permissions for these clusters.
* View the list of [disks](../compute/concepts/disk.md), information on disks and on granted access permissions for them, as well as use, modify, move, and delete disks.
* Create [encrypted disks](../compute/concepts/disk.md#encryption).
* View and update disk links.
* View the list of [file storages](../compute/concepts/filesystem.md), information on file storages and on granted access permissions for them, as well as use, create, modify, and delete file storages.
* View the list of [non-replicated disk placement groups](../compute/concepts/disk-placement-group.md), information on non-replicated disk placement groups and on granted access permissions for them, as well as use, modify, and delete non-replicated disk placement groups.
* View lists of disks in placement groups.
* View the list of [images](../compute/concepts/image.md), information on images and on granted access permissions for them, as well as use, modify, and delete images.
* Create, modify, delete, and update [image families](../compute/concepts/image.md#family).
* View info on image families, on images within families, on the latest family image, as well as on granted access permissions for image families.
* View the list of [disk snapshots](../compute/concepts/snapshot.md), information on disk snapshots and on granted access permissions for them, as well as use, modify, and delete disk snapshots.
* View info on disk snapshot [schedules](../compute/concepts/snapshot-schedule.md) and on granted access permissions for them, as well as create, modify, and delete disk snapshot schedules.
* View the list of [cloud networks](../vpc/concepts/network.md#network) and info on them, as well as use them.
* View the list of [subnets](../vpc/concepts/network.md#subnet) and info on them, as well as use them.
* View the list of [cloud resource addresses](../vpc/concepts/address.md) and info on them, as well as use such addresses.
* View the list of [route tables](../vpc/concepts/routing.md#rt-vpc) and info on them, as well as use them.
* View the list of security groups and info on them, as well as use them.
* View information on [NAT gateways](../vpc/concepts/gateways.md) and connect them to route tables.
* View information on the IP addresses used in subnets.
* View info on Monitoring [metrics](../monitoring/concepts/data-model.md#metric) and their [labels](../monitoring/concepts/data-model.md#label), as well as download metrics.
* View the list of Monitoring [dashboards](../monitoring/concepts/visualization/dashboard.md) and [widgets](../monitoring/concepts/visualization/widget.md), as well as the info on those.
* View the Monitoring [notification](../monitoring/concepts/alerting/notification-channel.md) history.
* View info on [log groups](../logging/concepts/log-group.md).
* View info on log sinks.
* View info on granted access permissions for Cloud Logging resources.
* View info on log exports.
* View information on Compute Cloud resource and [quota](../compute/concepts/limits.md#compute-quotas) consumption and [disk limits](../compute/concepts/limits.md#compute-limits-disks) in the management console.
* View info on the [Cloud DNS](../dns/concepts/limits.md#cloud-dns-quotas), [Virtual Private Cloud](../vpc/concepts/limits.md#vpc-quotas), and [Monitoring](../monitoring/concepts/limits.md#monitoring-quotas) quotas.
* View lists of resource operations for Compute Cloud and information on operations, as well as abort such operations.
* View information on resource operations for Virtual Private Cloud.
* View the list of [availability zones](../overview/concepts/geo-scope.md), information on availability zones and on granted access permissions for them.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `iam.serviceAccounts.user`, `dns.editor`, `compute.editor`, `monitoring.viewer`, and `logging.viewer` permissions.

#### dataproc.editor {#dataproc-editor}

The `dataproc.editor` role allows you to manage Yandex Data Processing clusters, run jobs, and view information on them. It also grants access to the Data Proc component web interfaces.

{% cut "Users with this role can:" %}

* View info on Yandex Data Processing [clusters](../data-proc/concepts/index.md#resources), as well as create, modify, run, stop, and delete them.
* View info on [jobs](../data-proc/concepts/jobs.md) and create them.
* Use the web interface to access the Yandex Data Processing components.
* View info on [ClickHouse®](../managed-clickhouse/concepts/index.md), [Yandex MPP Analytics for PostgreSQL](../managed-greenplum/concepts/index.md), [Apache Kafka®](../managed-kafka/concepts/index.md), [Yandex StoreDoc](../storedoc/concepts/index.md), [MySQL®](../managed-mysql/concepts/index.md), [PostgreSQL](../managed-postgresql/concepts/index.md), [Valkey™](../managed-valkey/concepts/index.md), [OpenSearch](../managed-opensearch/concepts/index.md), and SQL Server clusters.
* View info on [Yandex MPP Analytics for PostgreSQL](../managed-greenplum/concepts/instance-types.md), [Yandex StoreDoc](../storedoc/concepts/instance-types.md), [MySQL®](../managed-mysql/concepts/instance-types.md), [PostgreSQL](../managed-postgresql/concepts/instance-types.md), [Valkey™](../managed-valkey/concepts/instance-types.md), and SQL Server cluster hosts.
* View info on database backups for [Yandex MPP Analytics for PostgreSQL](../managed-greenplum/concepts/backup.md), [Yandex StoreDoc](../storedoc/concepts/backup.md), [MySQL®](../managed-mysql/concepts/backup.md), [PostgreSQL](../managed-postgresql/concepts/backup.md), [Valkey™](../managed-valkey/concepts/backup.md), and SQL Server clusters.
* View info on [Yandex StoreDoc](../storedoc/concepts/users-and-roles.md), [MySQL®](../managed-mysql/concepts/user-rights.md), [PostgreSQL](../managed-postgresql/concepts/roles.md), and SQL Server cluster users.
* View info on Yandex StoreDoc, MySQL®, PostgreSQL, and SQL Server DBs.
* View info on Yandex StoreDoc, MySQL®, PostgreSQL, and Valkey™ alerts.
* View info on the results of Yandex MPP Analytics for PostgreSQL, Yandex StoreDoc, MySQL®, and PostgreSQL cluster performance diagnostics.
* View info on [Yandex StoreDoc](../storedoc/concepts/sharding.md) and [Valkey™](../managed-valkey/concepts/sharding.md) cluster shards.
* View Yandex MPP Analytics for PostgreSQL, Yandex StoreDoc, MySQL®, PostgreSQL, Valkey™, and SQL Server cluster logs.
* View info on [Managed Service for ClickHouse®](../managed-clickhouse/concepts/limits.md#mch-quotas), [Managed Service for Apache Kafka®](../managed-kafka/concepts/limits.md#mkf-quotas), [Managed Service for OpenSearch](../managed-opensearch/concepts/limits.md#quotas), [Yandex MPP Analytics for PostgreSQL](../managed-greenplum/concepts/limits.md#quotas), [Yandex StoreDoc](../storedoc/concepts/limits.md#mmg-quotas), [Managed Service for MySQL®](../managed-mysql/concepts/limits.md#mmy-quotas), [Managed Service for PostgreSQL](../managed-postgresql/concepts/limits.md#mpg-quotas), [Yandex Managed Service for Valkey™](../managed-valkey/concepts/limits.md#mrd-quotas), and SQL Server quotas.
* View info on resource operations for all Yandex Cloud managed DB services.
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `dataproc.user` permissions.

#### dataproc.admin {#dataproc-admin}

The `dataproc.admin` role allows you to manage Yandex Data Processing clusters, run jobs, and view information on them. It also grants access to the Data Processing component web interfaces.

{% cut "Users with this role can:" %}

* View info on Yandex Data Processing [clusters](../data-proc/concepts/index.md#resources), as well as create, modify, run, stop, and delete them.
* View info on [jobs](../data-proc/concepts/jobs.md) and create them.
* Use the web interface to access the Yandex Data Processing components.
* View info on [ClickHouse®](../managed-clickhouse/concepts/index.md), [Yandex MPP Analytics for PostgreSQL](../managed-greenplum/concepts/index.md), [Apache Kafka®](../managed-kafka/concepts/index.md), [Yandex StoreDoc](../storedoc/concepts/index.md), [MySQL®](../managed-mysql/concepts/index.md), [PostgreSQL](../managed-postgresql/concepts/index.md), [Valkey™](../managed-valkey/concepts/index.md), [OpenSearch](../managed-opensearch/concepts/index.md), and SQL Server clusters.
* View info on [Yandex MPP Analytics for PostgreSQL](../managed-greenplum/concepts/instance-types.md), [Yandex StoreDoc](../storedoc/concepts/instance-types.md), [MySQL®](../managed-mysql/concepts/instance-types.md), [PostgreSQL](../managed-postgresql/concepts/instance-types.md), [Valkey™](../managed-valkey/concepts/instance-types.md), and SQL Server cluster hosts.
* View info on database backups for [Yandex MPP Analytics for PostgreSQL](../managed-greenplum/concepts/backup.md), [Yandex StoreDoc](../storedoc/concepts/backup.md), [MySQL®](../managed-mysql/concepts/backup.md), [PostgreSQL](../managed-postgresql/concepts/backup.md), [Valkey™](../managed-valkey/concepts/backup.md), and SQL Server clusters.
* View info on [Yandex StoreDoc](../storedoc/concepts/users-and-roles.md), [MySQL®](../managed-mysql/concepts/user-rights.md), [PostgreSQL](../managed-postgresql/concepts/roles.md), and SQL Server cluster users.
* View info on Yandex StoreDoc, MySQL®, PostgreSQL, and SQL Server DBs.
* View info on Yandex StoreDoc, MySQL®, PostgreSQL, and Valkey™ alerts.
* View info on the results of Yandex MPP Analytics for PostgreSQL, Yandex StoreDoc, MySQL®, and PostgreSQL cluster performance diagnostics.
* View info on [Yandex StoreDoc](../storedoc/concepts/sharding.md) and [Valkey™](../managed-valkey/concepts/sharding.md) cluster shards.
* View Yandex MPP Analytics for PostgreSQL, Yandex StoreDoc, MySQL®, PostgreSQL, Valkey™, and SQL Server cluster logs.
* View info on [Managed Service for ClickHouse®](../managed-clickhouse/concepts/limits.md#mch-quotas), [Managed Service for Apache Kafka®](../managed-kafka/concepts/limits.md#mkf-quotas), [Managed Service for OpenSearch](../managed-opensearch/concepts/limits.md#quotas), [Yandex MPP Analytics for PostgreSQL](../managed-greenplum/concepts/limits.md#quotas), [Yandex StoreDoc](../storedoc/concepts/limits.md#mmg-quotas), [Managed Service for MySQL®](../managed-mysql/concepts/limits.md#mmy-quotas), [Managed Service for PostgreSQL](../managed-postgresql/concepts/limits.md#mpg-quotas), [Yandex Managed Service for Valkey™](../managed-valkey/concepts/limits.md#mrd-quotas), and SQL Server quotas.
* View info on resource operations for all Yandex Cloud managed DB services.
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `dataproc.editor` permissions.

#### mdb.dataproc.agent {#mdb-dataproc-agent}

The `mdb.dataproc.agent` role allows the service account linked to the Yandex Data Processing cluster to notify Data Processing of the cluster host state.

Service accounts with this role can:
* Notify Yandex Data Processing of the cluster host state.
* Get info on jobs and their progress statuses.
* Get info on log groups and add entries to them.

You can assign this role to a service account linked to the Yandex Data Processing cluster.

This role is no longer available. Please use `dataproc.agent` instead.

For more information, see [Access management in Yandex Data Processing](../data-proc/security/index.md).


## Yandex DataSphere {#datasphere-roles}

#### datasphere.community-projects.viewer {#datasphere-communityprojects-viewer}

The `datasphere.community-projects.viewer` role allows you to view information on [projects](../datasphere/concepts/project.md), project settings, and project [resources](../datasphere/concepts/resources.md), as well as on granted [access permissions](concepts/access-control/index.md) for these projects.

In the DataSphere interface, users with the `datasphere.community-projects.viewer` role have the `Viewer` role in the **Members** tab on the community page.

#### datasphere.community-projects.developer {#datasphere-communityprojects-developer}

The `datasphere.community-projects.developer` role allows you to work in projects and manage project resources.

Users with this role can:
* View info on [projects](../datasphere/concepts/project.md), project settings, and project [resources](../datasphere/concepts/resources.md).
* Create, modify, and delete resources within projects.
* Run IDEs and code cells in projects.
* View info on granted [access permissions](concepts/access-control/index.md) for projects.

This role includes the `datasphere.community-projects.viewer` permissions.

In the DataSphere interface, users with the `datasphere.community-projects.developer` role have the `Developer` role in the **Members** tab on the community page.

#### datasphere.community-projects.editor {#datasphere-communityprojects-editor}

The `datasphere.community-projects.editor` role allows you to work in projects, modify and delete them, as well as manage project resources and share them within the community.

Users with this role can:
* View info on [projects](../datasphere/concepts/project.md), project settings, and project resources, as well as modify and delete projects.
* Create, modify, and delete [resources](../datasphere/concepts/resources.md) within projects, as well as share the relevant project resources with the communities where the user has the `Developer` permissions (the `datasphere.communities.developer` role or higher).
* Run IDEs and code cells in projects.
* View info on granted [access permissions](concepts/access-control/index.md) for projects.

This role includes the `datasphere.community-projects.developer` permissions.

In the DataSphere interface, users with the `datasphere.community-projects.editor` role have the `Editor` role in the **Members** tab on the community page.

#### datasphere.community-projects.admin {#datasphere-communityprojects-admin}

The `datasphere.community-projects.admin` role allows you to manage access to projects, work in them, modify and delete them, as well as manage project resources and share them within the community.

Users with this role can:
* View info on granted [access permissions](concepts/access-control/index.md) for projects and modify access permissions.
* View info on [projects](../datasphere/concepts/project.md), project settings, and project resources, as well as modify and delete projects.
* Create, modify, and delete [resources](../datasphere/concepts/resources.md) within projects, as well as share the relevant project resources with the communities where the user has the `Developer` role (`datasphere.communities.developer`) or higher.
* Run IDEs and code cells in projects.

This role includes the `datasphere.community-projects.editor` permissions.

In the DataSphere interface, users with the `datasphere.community-projects.admin` role have the `Admin` role in the **Members** tab on the community page.

#### datasphere.communities.viewer {#datasphere-communities-viewer}

The `datasphere.communities.viewer` role allows you to view information on communities and projects, as well as on granted access permissions for them.

Users with this role can:
* View info on [communities](../datasphere/concepts/community.md) and granted [access permissions](concepts/access-control/index.md) for them.
* View info on community [projects](../datasphere/concepts/project.md), project settings, and project [resources](../datasphere/concepts/resources.md), as well as on granted access permissions for these projects.
* View info on the relevant [organization](../organization/concepts/organization.md).

This role includes the `datasphere.community-projects.viewer` permissions.

In the DataSphere interface, users with the `datasphere.communities.viewer` role have the `Viewer` role in the **Members** tab on the community page.

#### datasphere.communities.developer {#datasphere-communities-developer}

The `datasphere.communities.developer` role allows you to create new projects and publish project resources in communities, as well as view information on communities and projects.

Users with this role can:
* View info on [communities](../datasphere/concepts/community.md) and granted [access permissions](concepts/access-control/index.md) for them.
* Create new [projects](../datasphere/concepts/project.md) in communities.
* Publish project [resources](../datasphere/concepts/resources.md) in the communities where the user has the `Developer` permissions (the `datasphere.communities.developer` role) or higher.
* View info on projects, project settings, and project resources, as well as on granted access permissions for these projects.
* View info on the relevant [organization](../organization/concepts/organization.md).

This role includes the `datasphere.communities.viewer` permissions.

In the DataSphere interface, users with the `datasphere.communities.developer` role have the `Developer` role in the **Members** tab on the community page.

#### datasphere.communities.editor {#datasphere-communities-editor}

The `datasphere.communities.editor` role allows you to link a billing account to communities, delete communities, and edit community settings, as well as manage community projects and resources.

Users with this role can:
* View info on [communities](../datasphere/concepts/community.md) and granted [access permissions](concepts/access-control/index.md) for them, as well as modify and delete communities.
* Link a [billing account](../billing/concepts/billing-account.md) to communities.
* Create new [projects](../datasphere/concepts/project.md) in communities, as well as modify and delete projects.
* View info on projects, project settings, and project resources, as well as on granted access permissions for these projects.
* Create, modify, and delete [resources](../datasphere/concepts/resources.md) within projects, as well as publish project resources in the communities where the user has the `Developer` permissions (the `datasphere.communities.developer` role) or higher.
* Run IDEs and code cells in projects.
* View info on the relevant [organization](../organization/concepts/organization.md).

This role includes the `datasphere.communities.developer` and `datasphere.community-projects.editor` permissions.

In the DataSphere interface, users with the `datasphere.communities.editor` role have the `Editor` role in the **Members** tab on the community page.

#### datasphere.communities.admin {#datasphere-communities-admin}

The `datasphere.communities.admin` role allows you to manage communities and community projects, as well as access to them.

Users with this role can:
* View info on [communities](../datasphere/concepts/community.md), as well as modify and delete communities.
* View info on granted [access permissions](concepts/access-control/index.md) for communities and modify access permissions.
* Link a [billing account](../billing/concepts/billing-account.md) to communities.
* Create new [projects](../datasphere/concepts/project.md) in communities, as well as modify and delete projects.
* View info on projects, project settings, and project resources.
* View info on granted access permissions for projects and modify access permissions.
* Create, modify, and delete [resources](../datasphere/concepts/resources.md) within projects, as well as publish project resources in the communities where the user has the `Developer` permissions (the `datasphere.communities.developer` role or higher).
* Run IDEs and code cells in projects.
* View info on the relevant [organization](../organization/concepts/organization.md).

This role includes the `datasphere.communities.editor` and `datasphere.community-projects.admin` permissions.

In the DataSphere interface, users with the `datasphere.communities.admin` role have the `Admin` role in the **Members** tab on the community page.

#### datasphere.user {#datasphere-user}

The `datasphere.user` role allows you to run code cells in projects, view information on DataSphere projects and quotas, as well as on the relevant cloud and folder.

The `datasphere.user` role is deprecated and no longer in use.

#### data-sphere.user {#data-sphere-user}

The `data-sphere.user` role is no longer available.

#### datasphere.admin {#datasphere-admin}

The `datasphere.admin` role allows you to manage communities, community projects and access to them, and use cloud networks and Virtual Private Cloud resources.

{% cut "Users with this role can:" %}

* View info on communities, as well as modify and delete communities.
* View info on granted access permissions for communities and modify access permissions.
* Link a billing account to communities.
* Create new projects in communities, as well as modify and delete projects.
* View info on projects, project settings, and project resources.
* View info on granted access permissions for projects and modify access permissions.
* Create, modify, and delete resources within projects, as well as publish project resources in the communities where the user has the `Developer` permissions (the `datasphere.communities.developer` role or higher).
* Run IDEs and code cells in projects.
* View the list of service accounts and use them.
* View the list of cloud networks and info on them, as well as use them.
* View the list of subnets and info on them, as well as use them.
* View the list of cloud resource addresses and info on them, as well as use such addresses.
* View the list of route tables and info on them, as well as use them.
* View the list of security groups and info on them, as well as use them.
* View info on NAT gateways and connect them to route tables.
* View information on the IP addresses used in subnets.
* View the info on operations with the Virtual Private Cloud and Compute Cloud resources.
* View info on the DataSphere and Virtual Private Cloud quotas.
* View info on the relevant organization, cloud, and folder.

{% endcut %}

The `datasphere.admin` role is deprecated and no longer in use.

#### data-sphere.admin {#data-sphere-admin}

The `data-sphere.admin` role is no longer available.

For more information, see [Access management in DataSphere](../datasphere/security/index.md).


## Yandex Data Streams {#yds-roles}

#### yds.auditor {#yds-auditor}

The `yds.auditor` role enables viewing metadata of streams in Yandex Data Streams, establishing YDB database connections, and viewing info on YDB databases and the relevant access permissions granted for them, as well as on the YDB database schema objects and backups.

Users with this role can:
* View [streams](../data-streams/concepts/glossary.md#stream-concepts) metadata in Yandex Data Streams.
* Establish [YDB database](../ydb/concepts/resources.md#database) connections.
* View the list of YDB databases and info on them, as well as on the relevant [access permissions](concepts/access-control/index.md) granted for them.
* View info on YDB database backups and the relevant access permissions granted for them.
* View the list of YDB database schema objects, such as tables, indexes, and folders, and info on them.
* View info on the [quotas](../ydb/concepts/limits.md#ydb-quotas) for Managed Service for YDB.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `ydb.auditor` permissions.

#### yds.viewer {#yds-viewer}

The `yds.viewer` role enables reading data from streams in Yandex Data Streams and viewing their settings, as well as establishing connections to YDB databases, querying them for reading, and viewing info on YDB databases and the relevant access permissions granted for them.

Users with this role can:
* View metadata of [streams](../data-streams/concepts/glossary.md#stream-concepts) in Yandex Data Streams and read data from those steams.
* Establish connections to [YDB databases](../ydb/concepts/resources.md#database) and query them for reading.
* View the list of YDB databases and info on them, as well as on the relevant [access permissions](concepts/access-control/index.md) granted for them.
* View info on YDB database backups and the relevant access permissions granted for them.
* View the list of YDB database schema objects, such as tables, indexes, and folders, and info on them.
* View info on the [quotas](../ydb/concepts/limits.md#ydb-quotas) for Managed Service for YDB.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `ydb.viewer` permissions.

#### yds.writer {#yds-writer}

The `yds.writer` role enables writing data to [streams in Yandex Data Streams](../data-streams/concepts/glossary.md#stream-concepts) and connecting to [YDB databases](../ydb/concepts/resources.md#database).

#### yds.editor {#yds-editor}

The `yds.editor` role enables creating, modifying, and deleting streams in Yandex Data Streams, as well as reading and writing data from and to those streams.

Users with this role can:
* View info on [data streams](../data-streams/concepts/glossary.md#stream-concepts) and create, modify, and delete them.
* Read and write data from and to streams in Yandex Data Streams.
* View the list of [YDB databases](../ydb/concepts/resources.md#database), info on them, and the relevant [access permissions](concepts/access-control/index.md) granted for them, as well as create, run, stop, modify, and delete YDB databases. 
* Establish connections to YDB databases and query them for reading and writing.
* View info on YDB database backups and the relevant access permissions granted for them, as well as create and delete them, and use them to restore databases.
* View the list of YDB database schema objects, such as tables, indexes, and folders, and info on them, as well as create, modify, and delete such objects.
* View info on the [quotas](../ydb/concepts/limits.md#ydb-quotas) for Managed Service for YDB.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `ydb.editor` and `yds.writer` permissions.

#### yds.admin {#yds-admin}

The `yds.admin` role enables creating, modifying, and deleting streams in Yandex Data Streams, as well as reading and writing data from and to those streams.

Users with this role can:
* View info on [data streams](../data-streams/concepts/glossary.md#stream-concepts) and create, modify, and delete them.
* Read and write data from and to streams in Yandex Data Streams.
* View the list of [YDB databases](../ydb/concepts/resources.md#database) and info on them, as well as create, run, stop, modify, and delete them.
* View info on granted [access permissions](concepts/access-control/index.md) for the relevant YDB databases and modify such permissions.
* Establish connections to YDB databases and query them for reading and writing.
* View info on YDB database backups, as well as create and delete them and use them to restore YDB databases.
* View info on granted access permissions to backups and modify such permissions.
* View the list of YDB database schema objects, such as tables, indexes, and folders, and info on them, as well as create, modify, and delete such objects.
* View info on the [quotas](../ydb/concepts/limits.md#ydb-quotas) for Managed Service for YDB.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `ydb.admin` permissions.

For more information, see [Access management in Data Streams](../data-streams/security/index.md).


## Yandex Data Transfer {#data-transfer-roles}

#### data-transfer.auditor {#data-transfer-auditor}

The `data-transfer.auditor` role allows you to view the service metadata, including the information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder), [endpoints](../data-transfer/concepts/index.md#endpoint), and [transfers](../data-transfer/concepts/index.md#transfer), as well as on Data Transfer [quotas](../data-transfer/concepts/limits.md#dataproc-quotas).

Currently, this role can only be assigned for working with a folder or a cloud.

#### data-transfer.viewer {#data-transfer-viewer}

The `data-transfer.viewer` role allows you to view information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder), [endpoints](../data-transfer/concepts/index.md#endpoint), and [transfers](../data-transfer/concepts/index.md#transfer), as well as on Data Transfer [quotas](../data-transfer/concepts/limits.md#dataproc-quotas).

This role includes the `data-transfer.auditor` permissions.

Currently, this role can only be assigned for working with a folder or a cloud.

#### data-transfer.privateAdmin {#data-transfer-privateadmin}

The `data-transfer.privateAdmin` role allows you to manage endpoints and transfers for transferring data only within Yandex Cloud networks, as well as to view information on the relevant folder and Data Transfer quotas.

Users with this role can:
* View information on [transfers](../data-transfer/concepts/index.md#transfer), as well as create, modify, delete, activate, use, and deactivate transfers for transferring data within Yandex Cloud networks.
* View information on [endpoints](../data-transfer/concepts/index.md#endpoint), as well as create, modify, and delete endpoints in Yandex Cloud.
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).
* View information on Data Transfer [quotas](../data-transfer/concepts/limits.md#dataproc-quotas).

This role includes the `data-transfer.viewer` permissions.

Currently, this role can only be assigned for working with a folder or a cloud.

#### data-transfer.admin {#data-transfer-admin}

The `data-transfer.admin` role allows you to manage endpoints and transfers for transferring data within Yandex Cloud networks and over the internet, as well as to view information on the relevant folder and Data Transfer quotas.

Users with this role can:
* View information on [transfers](../data-transfer/concepts/index.md#transfer), as well as create, modify, delete, activate, use, and deactivate transfers for transferring data both within Yandex Cloud networks and over the internet.
* View information on [endpoints](../data-transfer/concepts/index.md#endpoint), as well as create, modify, and delete endpoints both within and outside Yandex Cloud.
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).
* View information on Data Transfer [quotas](../data-transfer/concepts/limits.md#dataproc-quotas).

This role includes the `data-transfer.privateAdmin` permissions.

Currently, this role can only be assigned for working with a folder or a cloud.

For more information, see [Access management in Data Transfer](../data-transfer/security/index.md).


## Yandex Identity and Access Management {#iam-roles}

#### iam.serviceAccounts.user {#iam-serviceAccounts-user}

The `iam.serviceAccounts.user` role enables viewing the list of service accounts and info on them, as well as performing operations on behalf of a service account.

For example, if you specify a [service account](concepts/users/accounts.md#sa) when creating an instance group, IAM will check whether you have a permission to use this service account.

#### iam.serviceAccounts.admin {#iam-serviceAccounts-admin}

The `iam.serviceAccounts.admin` role enables managing service accounts and access to them and their keys, as well as getting IAM tokens for service accounts.

Users with this role can:
* View the list of [service accounts](concepts/users/accounts.md#sa) and info on them, as well as create, use, modify, and delete them.
* View info on [access permissions](concepts/access-control/index.md) granted for service accounts and modify such permissions.
* Get [IAM tokens](concepts/authorization/iam-token.md) for service accounts.
* View the list of service accounts' [API keys](concepts/authorization/api-key.md) and info on them, as well as create, modify, and delete them.
* View the list of service accounts' [static access keys](concepts/authorization/access-key.md) and info on them, as well as create, modify, and delete them.
* View info on service accounts' [authorized keys](concepts/authorization/key.md), as well as create, modify, and delete them.
* Create [ephemeral access keys](concepts/authorization/ephemeral-keys.md) for service accounts.
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder) and its settings.

#### iam.serviceAccounts.ephemeralAccessKeyAdmin {#iam-serviceAccounts-ephemeralAccessKeyAdmin}

The `iam.serviceAccounts.ephemeralAccessKeyAdmin` role enables creating [ephemeral access keys](concepts/authorization/ephemeral-keys.md) for service accounts.

#### iam.serviceAccounts.accessKeyAdmin {#iam-serviceAccounts-accessKeyAdmin}

The `iam.serviceAccounts.accessKeyAdmin` role enables managing static and ephemeral access keys for service accounts.

Users with this role can:
* View the list of service accounts' [static access keys](concepts/authorization/access-key.md) and info on them.
* Create, update, and delete static access keys for [service accounts](concepts/users/accounts.md#sa).
* Create [ephemeral access keys](concepts/authorization/ephemeral-keys.md) for service accounts.

This role includes the `iam.serviceAccounts.ephemeralAccessKeyAdmin` permissions.

#### iam.serviceAccounts.apiKeyAdmin {#iam-serviceAccounts-apiKeyAdmin}

The `iam.serviceAccounts.apiKeyAdmin` role enables managing API keys for service accounts.

Users with this role can:
* View the list of service account [API keys](concepts/authorization/api-key.md) and information on them.
* Create, update, and delete API keys for [service accounts](concepts/users/accounts.md#sa).

#### iam.serviceAccounts.authorizedKeyAdmin {#iam-serviceAccounts-authorizedKeyAdmin}

The `iam.serviceAccounts.authorizedKeyAdmin` role enables viewing info on service account [authorized keys](concepts/authorization/key.md), as well as create, modify, and delete them.

#### iam.serviceAccounts.keyAdmin {#iam-serviceAccounts-keyAdmin}

The `iam.serviceAccounts.keyAdmin` role enables managing access keys for service accounts, including static, ephemeral, authorized, and API keys.

Users with this role can:
* View the list of service accounts' [static access keys](concepts/authorization/access-key.md) and info on them, as well as create, modify, and delete them.
* View the list of service accounts' [API keys](concepts/authorization/api-key.md) and info on them, as well as create, modify, and delete them.
* View info on service accounts' [authorized keys](concepts/authorization/key.md), as well as create, modify, and delete them.
* Create [ephemeral access keys](concepts/authorization/ephemeral-keys.md) for service accounts.

This role includes the `iam.serviceAccounts.accessKeyAdmin`, `iam.serviceAccounts.apiKeyAdmin`, and `iam.serviceAccounts.authorizedKeyAdmin` permissions.

#### iam.serviceAccounts.tokenCreator {#iam-serviceAccounts-tokenCreator}

The `iam.serviceAccounts.tokenCreator` role enables getting IAM tokens for service accounts.

With such an [IAM token](concepts/authorization/iam-token.md) one can [impersonate](concepts/access-control/impersonation.md) to a [service account](concepts/users/accounts.md#sa) and perform operations allowed for it.

This role does not allow you to modify access permissions or delete a service account.

#### iam.serviceAccounts.federatedCredentialViewer {#iam-serviceAccounts-federatedCredentialViewer}

The `iam.serviceAccounts.federatedCredentialViewer` role enables viewing the list of [federation credentials](concepts/workload-identity.md#federated-credentials) in [workload identity federations](concepts/workload-identity.md) and info on such credentials.

#### iam.serviceAccounts.federatedCredentialEditor {#iam-serviceAccounts-federatedCredentialEditor}

The `iam.serviceAccounts.federatedCredentialEditor` role enables viewing the list of [federation credentials](concepts/workload-identity.md#federated-credentials) in [workload identity federations](concepts/workload-identity.md) and info on such credentials, as well as create and delete those.

This role includes the `iam.serviceAccounts.federatedCredentialViewer` permissions.

#### iam.workloadIdentityFederations.auditor {#iam-workloadIdentityFederations-auditor}

The `iam.workloadIdentityFederations.auditor` role enables viewing the [workload identity federation](concepts/workload-identity.md) metadata.

#### iam.workloadIdentityFederations.viewer {#iam-workloadIdentityFederations-viewer}

The `iam.workloadIdentityFederations.viewer` role enables viewing info on [workload identity federations](concepts/workload-identity.md).

This role includes the `iam.workloadIdentityFederations.auditor` permissions.

#### iam.workloadIdentityFederations.user {#iam-workloadIdentityFederations-user}

The `iam.workloadIdentityFederations.user` role enables using [workload identity federations](concepts/workload-identity.md).

#### iam.workloadIdentityFederations.editor {#iam-workloadIdentityFederations-editor}

The `iam.workloadIdentityFederations.editor` role enables viewing info on workload identity federations, as well as creating, modifying, and deleting such federations.

This role includes the `iam.workloadIdentityFederations.viewer` permissions.

#### iam.workloadIdentityFederations.admin {#iam-workloadIdentityFederations-admin}

The `iam.workloadIdentityFederations.admin` role enables viewing info on [workload identity federations](concepts/workload-identity.md), as well as creating, modifying, using, and deleting such federations.

This role includes the `iam.workloadIdentityFederations.editor` and `iam.workloadIdentityFederations.user` permissions.

#### iam.userAccounts.refreshTokenViewer {#iam-userAccounts-refreshTokenViewer}

The `iam.userAccounts.refreshTokenViewer` role enables viewing the lists of federated users’ [refresh tokens](concepts/authorization/refresh-token.md). To use this role, you need to assign it for an [organization](../organization/concepts/organization.md).

#### iam.userAccounts.refreshTokenRevoker {#iam-userAccounts-refreshTokenRevoker}

The `iam.userAccounts.refreshTokenRevoker` role enables revoking federated users’ [refresh tokens](concepts/authorization/refresh-token.md). To use this role, you need to assign it for an [organization](../organization/concepts/organization.md).

#### iam.auditor {#iam-auditor}

The `iam.auditor` role allows you to view info on service accounts and their keys, as well as on the IAM resource operations and quotas.

Users with this role can:
* View the list of [service accounts](concepts/users/accounts.md#sa) and information on them.
* View info on [access permissions](concepts/access-control/index.md) assigned for service accounts.
* View the list of service account [API keys](concepts/authorization/api-key.md) and information on them.
* View the list of service account [static access keys](concepts/authorization/access-key.md) and information on them.
* View info on service account [authorized keys](concepts/authorization/key.md).
* View the list of operations and the info on IAM resource operations.
* View info on Identity and Access Management [quotas](concepts/limits.md#iam-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and its settings.
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder) and its settings.

#### iam.viewer {#iam-viewer}

The `iam.viewer` role allows you to view info on service accounts and their keys, as well as on the IAM resource operations and quotas.

Users with this role can:
* View the list of [service accounts](concepts/users/accounts.md#sa) and information on them.
* View info on [access permissions](concepts/access-control/index.md) assigned for service accounts.
* View the list of service account [API keys](concepts/authorization/api-key.md) and information on them.
* View the list of service account [static access keys](concepts/authorization/access-key.md) and information on them.
* View info on service account [authorized keys](concepts/authorization/key.md).
* View the list of operations and the info on IAM resource operations.
* View info on Identity and Access Management [quotas](concepts/limits.md#iam-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and its settings.
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder) and its settings.

This role includes the `iam.auditor` permissions.

#### iam.editor {#iam-editor}

The `iam.editor` role enables managing service accounts and their keys, managing folders, and viewing info on IAM resource operations.

Users with this role can:
* View the list of [service accounts](concepts/users/accounts.md#sa) and info on them, as well as create, use, modify, and delete them.
* View the list of service accounts' [API keys](concepts/authorization/api-key.md) and info on them, as well as create, modify, and delete them.
* View the list of service accounts' [static access keys](concepts/authorization/access-key.md) and info on them, as well as create, modify, and delete them.
* View info on service accounts' [authorized keys](concepts/authorization/key.md), as well as create, modify, and delete them.
* Create [ephemeral access keys](concepts/authorization/ephemeral-keys.md) for service accounts.
* View info on [access permissions](concepts/access-control/index.md) granted for service accounts.
* View the list of operations and info on Identity and Access Management resource operations.
* View info on Identity and Access Management [quotas](concepts/limits.md#iam-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and its settings.
* View info on [folders](../resource-manager/concepts/resources-hierarchy.md#folder) and their settings.
* Create, modify, delete, and set up folders.

This role includes the `iam.viewer` permissions.

#### iam.admin {#iam-admin}

The `iam.admin` role enables managing service accounts and access to them and their keys, as well as managing folders, viewing info on IAM resource operations and quotas, and getting IAM tokens for service accounts.

Users with this role can:
* View the list of [service accounts](concepts/users/accounts.md#sa) and info on them, as well as create, use, modify, and delete them.
* View info on [access permissions](concepts/access-control/index.md) granted for service accounts and modify such permissions.
* Get [IAM tokens](concepts/authorization/iam-token.md) for service accounts.
* View the list of service accounts' [API keys](concepts/authorization/api-key.md) and info on them, as well as create, modify, and delete them.
* View the list of service accounts' [static access keys](concepts/authorization/access-key.md) and info on them, as well as create, modify, and delete them.
* View info on service accounts' [authorized keys](concepts/authorization/key.md), as well as create, modify, and delete them.
* Create [ephemeral access keys](concepts/authorization/ephemeral-keys.md) for service accounts.
* View info on [identity federations](concepts/federations.md).
* View the list of operations and info on Identity and Access Management resource operations.
* View info on Identity and Access Management [quotas](concepts/limits.md#iam-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and its settings.
* View info on [folders](../resource-manager/concepts/resources-hierarchy.md#folder) and their settings.
* Create, modify, delete, and set up folders.

This role includes the `iam.editor` and `iam.serviceAccounts.admin` permissions.

For more information, see [Access management in Identity and Access Management](security/index.md).


## Yandex Identity Hub {#organization-roles}

#### organization-manager.auditor {#organization-manager-auditor}

The `organization-manager.auditor` role enables viewing info on the organization and its settings, identity federations that belong to the organization, user pools, SAML and OIDC applications, and the organization's users and user groups.

{% cut "Users with this role can:" %}

* View info on the Yandex Identity Hub [organization](../organization/concepts/organization.md) and its settings.
* View info on [access permissions](concepts/access-control/index.md) granted for the organization.
* View [access policies](concepts/access-control/access-policies.md) assigned to the organization.
* View the organization's [branding](../organization/concepts/branding.md) settings.
* View the list of the organization's [users](../organization/concepts/domains.md), info from the user accounts (except phone numbers), the latest authentication date, as well as the latest verification date for federated and local accounts via [two-factor authentication](../organization/concepts/domains.md).
* View info on access permissions granted to [entities](concepts/access-control/index.md#subject) in an Yandex Identity Hub organization.
* View info on the organization's [identity federations](../organization/concepts/add-federation.md).
* View info on identity federation [certificates](../organization/concepts/add-federation.md#build-trust).
* View the list of [federated user](concepts/users/accounts.md#saml-federation) group [mappings](../organization/concepts/add-federation.md#group-mapping) and info on them.
* View info on the attributes of [federated](concepts/users/accounts.md#saml-federation) users.
* View info on [user pools](../organization/concepts/user-pools.md) and access permissions granted for them.
* View info on the attributes of [local](concepts/users/accounts.md#local) users belonging to user pools.
* View info on [domains](../organization/concepts/domains.md) linked to user pools.
* View info on SAML and OIDC applications, as well as on access permissions granted for them.
* View the list of users added to SAML and OIDC applications.
* Get the certificates of SAML applications.
* View the list of organization users that are [subscribed](../organization/operations/subscribe-user-for-notifications.md) to technical notifications on organization events.
* View info on [MFA policies](concepts/users/accounts.md#local).
* View info on the organization's [OS Login](../organization/concepts/os-login.md) settings.
* View the list of OS Login [profiles](../organization/concepts/os-login.md#os-login-profiles) for users and service accounts.
* View the list of the organization users' SSH keys and info on such keys.
* View info on [user groups](../organization/concepts/groups.md) and access permissions granted for them.
* View the list of groups a certain user is a member of, as well as the list of users that are members of a certain group.
* View info on the organization users' [refresh tokens](concepts/authorization/refresh-token.md) and on the refresh token settings.
* View info on Yandex Identity Hub quotas.
* View info on the effective tech support [service plan](../support/pricing.md#effective-plans).
* View the list of technical support [requests](../support/overview.md) and info on them, as well as create and close such requests, leave comments, and attach files to them.

{% endcut %}

This role includes the `iam.userAccounts.refreshTokenViewer`, `organization-manager.federations.auditor`, `organization-manager.osLogins.viewer`, `organization-manager.userpools.auditor`, `organization-manager.samlApplications.auditor`, `organization-manager.oauthApplications.auditor`, and `organization-manager.groups.viewer` permissions.

#### organization-manager.viewer {#organization-manager-viewer}

The `organization-manager.viewer` role enables viewing info on the organization and its settings, identity federations that belong to the organization, user pools, SAML and OIDC applications, and the organization's users and user groups.

{% cut "Users with this role can:" %}

* View info on the Yandex Identity Hub [organization](../organization/concepts/organization.md) and its settings.
* View info on [access permissions](concepts/access-control/index.md) granted for the organization.
* View [access policies](concepts/access-control/access-policies.md) assigned to the organization.
* View the organization's [branding](../organization/concepts/branding.md) settings.
* View the list of the organization's [users](../organization/concepts/mfa.md), info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via [two-factor authentication](../organization/concepts/mfa.md).
* View info on access permissions granted for [entities](concepts/access-control/index.md#subject) in an Yandex Identity Hub organization.
* View info on the organization's [identity federations](../organization/concepts/add-federation.md).
* View info on identity federation [certificates](../organization/concepts/add-federation.md#build-trust).
* View the list of [federated user](concepts/users/accounts.md#saml-federation) group [mappings](../organization/concepts/add-federation.md#group-mapping) and info on them.
* View info on the attributes of [federated](concepts/users/accounts.md#saml-federation) users.
* View info on [user pools](../organization/concepts/user-pools.md) and access permissions granted for them.
* View info on the attributes of [local](concepts/users/accounts.md#local) users belonging to user pools.
* View user audit events.
* View info on [domains](../organization/concepts/domains.md) linked to user pools.
* View info on SAML and OIDC applications, as well as on access permissions granted for them.
* View the list of users added to SAML and OIDC applications.
* Get the certificates of SAML applications.
* View the list of organization users that are [subscribed](../organization/operations/subscribe-user-for-notifications.md) to technical notifications on organization events.
* View info on [MFA policies](concepts/users/accounts.md#local).
* View info on the organization's [OS Login](../organization/concepts/os-login.md) settings.
* View the list of OS Login [profiles](../organization/concepts/os-login.md#os-login-profiles) for users and service accounts.
* View the list of the organization users' SSH keys and info on such keys.
* View info on [user groups](../organization/concepts/groups.md) and access permissions granted for them.
* View the list of groups a certain user is a member of, as well as the list of users that are members of a certain group.
* View the list of and info on Yandex Identity Hub user groups associated with identity federations and user pools through synchronization with user groups in Active Directory or another external source.
* View info on a subscription to the paid-for Yandex Identity Hub features.
* View stats regarding the use of quotes within a subscription to the paid-for Yandex Identity Hub features.
* View the list of users who employ the Yandex Identity Hub authentication quota in the current [reporting period](../billing/concepts/reporting-period.md).
* View info on the organization users' [refresh tokens](concepts/authorization/refresh-token.md) and on the refresh token settings.
* View federated and local users' [sessions](../organization/concepts/sessions.md).
* View info on Yandex Identity Hub quotas.
* View info on the effective tech support [service plan](../support/pricing.md#effective-plans).
* View the list of technical support [requests](../support/overview.md) and info on them, as well as create and close such requests, leave comments, and attach files to them.

{% endcut %}

This role includes the `organization-manager.auditor`, `organization-manager.federations.viewer`, `organization-manager.users.viewer`, `organization-manager.samlApplications.viewer`, `organization-manager.oauthApplications.viewer`, `organization-manager.userpools.viewer`, and `organization-manager.idpInstances.billingViewer` permissions.

#### organization-manager.editor {#organization-manager-editor}

The `organization-manager.editor` role enables managing organization settings, identity federations, user pools, SAML applications, OIDC applications, as well as users and user groups.

{% cut "Users with this role can:" %}

* View and edit info on the relevant Yandex Identity Hub [organization](../organization/concepts/organization.md).
* View and edit organization settings.
* View info on [access permissions](concepts/access-control/index.md) granted for the organization.
* View [access policies](concepts/access-control/access-policies.md) assigned to the organization.
* View and edit the organization's [branding](../organization/concepts/branding.md) settings.
* View the list of the organization's [users](../organization/concepts/mfa.md), info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via [two-factor authentication](../organization/concepts/mfa.md).
* View info on access permissions granted for [entities](concepts/access-control/index.md#subject) in an Yandex Identity Hub organization.
* View info on [identity federations](../organization/concepts/add-federation.md) in an organization and create, modify, and delete such federations.
* Add and remove federated users.
* View info on identity federation [certificates](../organization/concepts/add-federation.md#build-trust) and add, modify, and delete them.
* Configure [federated user](concepts/users/accounts.md#saml-federation) group [mapping](../organization/concepts/add-federation.md#group-mapping).
* View the lists of federated user group mappings and info on them, as well as create, edit, and delete such lists.
* View info on the attributes of [federated](concepts/users/accounts.md#saml-federation) users, as well as create, modify, and delete such attributes.
* View info on [user pools](../organization/concepts/user-pools.md) and access permissions granted for them.
* Create, modify, and delete user pools.
* View info on [domains](../organization/concepts/domains.md) linked to user pools, as well as add, confirm, and remove domains.
* Create, delete, activate, and deactivate [local](concepts/users/accounts.md#local) users belonging to user pools.
* View info on the attributes of local users.
* View user audit events.
* Edit user data, such as usernames, passwords, domains, emails, full names, and phone numbers.
* View info on SAML and OIDC applications, as well as access permissions granted for them.
* Create, deactivate, activate, modify, and delete SAML and OIDC applications.
* View the list of users added to SAML and OIDC applications.
* Get the certificates of SAML applications and create, modify, and delete such certificates.
* View the list of organization users that are [subscribed](../organization/operations/subscribe-user-for-notifications.md) to technical notifications on organization events, as well as edit this list.
* View info on [MFA policies](../organization/concepts/mfa.md#mfa-policies) and create, modify, activate, deactivate, and delete such policies.
* Delete [MFA factors](concepts/users/accounts.md#saml-federation) for federated and [local](concepts/users/accounts.md#saml-federation) user accounts.
* Reset the verification date for federated and local user accounts.
* View info on the organization's [OS Login](../organization/concepts/os-login.md) settings.
* View the list of OS Login [profiles](../organization/concepts/os-login.md#os-login-profiles) for users and service accounts.
* View the list of the organization users' SSH keys and info on such keys.
* View info on [user groups](../organization/concepts/groups.md), as well as create, modify, and delete them.
* View info on access permissions granted for user groups.
* View the list of groups a certain user is a member of, as well as the list of users that are members of a certain group.
* View the list of and info on Yandex Identity Hub user groups associated with identity federations and user pools through synchronization with user groups in Active Directory or another external source.
* View info on a subscription to the paid-for Yandex Identity Hub features.
* View stats regarding the use of quotes within a subscription to the paid-for Yandex Identity Hub features.
* View the list of users who employ the Yandex Identity Hub authentication quota in the current [reporting period](../billing/concepts/reporting-period.md).
* View and edit the [refresh token](concepts/authorization/refresh-token.md) settings in an organization.
* View info on the organization users' refresh tokens, as well as revoke such tokens.
* View and terminate federated and local users' [sessions](../organization/concepts/sessions.md).
* View info on Yandex Identity Hub quotas.
* View info on the effective tech support [service plan](../support/pricing.md#effective-plans).
* View the list of technical support [requests](../support/overview.md) and info on them, as well as create and close such requests, leave comments, and attach files to them.

{% endcut %}

This role includes the `organization-manager.viewer`, `organization-manager.federations.editor`, `organization-manager.userpools.editor`, `organization-manager.samlApplications.editor`, `organization-manager.oauthApplications.editor`, and `organization-manager.groups.editor` permissions.

To configure user group mapping, the role must be assigned for the Yandex Identity Hub groups you intend to map.

#### organization-manager.admin {#organization-manager-admin}

The `organization-manager.admin` role enables managing organization settings, identity federations, user pools, SAML applications, OIDC applications, users and user groups, and users' access permissions to the organization and its resources.

{% cut "Users with this role can:" %}

* Link a [billing account](../billing/concepts/billing-account.md) to an [Yandex Identity Hub organization](../organization/concepts/organization.md).
* View and edit info on the relevant Yandex Identity Hub organization.
* View and edit organization settings.
* View info on [access permissions](concepts/access-control/index.md) granted for the organization and modify such permissions.
* View [access policies](concepts/access-control/access-policies.md) assigned to the relevant organization, as well as assign and revoke such policies.
* View and edit the organization's [branding](../organization/concepts/branding.md) settings.
* View the list of the organization's [users](../organization/concepts/mfa.md), info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via [two-factor authentication](../organization/concepts/mfa.md).
* View info on access permissions granted for [entities](concepts/access-control/index.md#subject) in an Yandex Identity Hub organization.
* Remove users from the organization.
* View info on invites to the organization sent to users, as well as [send](../organization/operations/add-account.md#send-invitation) and delete such invites.
* View info on [identity federations](../organization/concepts/add-federation.md) in an organization and create, modify, and delete such federations.
* Add and remove federated users.
* View info on identity federation [certificates](../organization/concepts/add-federation.md#build-trust) and add, modify, and delete them.
* Configure [federated user](concepts/users/accounts.md#saml-federation) group [mapping](../organization/concepts/add-federation.md#group-mapping).
* View the lists of federated user group mappings and info on them, as well as create, edit, and delete such lists.
* View info on the attributes of [federated](concepts/users/accounts.md#saml-federation) users, as well as create, modify, and delete such attributes.
* View info on [user pools](../organization/concepts/user-pools.md) and create, modify, and delete them.
* View info on access permissions granted for user pools and modify such permissions.
* View info on [domains](../organization/concepts/domains.md) linked to user pools, as well as add, confirm, and remove domains.
* Create, delete, activate, and deactivate [local](concepts/users/accounts.md#local) users belonging to user pools.
* View info on the attributes of local users.
* View user audit events.
* Edit user data, such as usernames, passwords, domains, emails, full names, and phone numbers.
* View info on SAML and OIDC applications, as well as create, deactivate, activate, modify, and delete them.
* View info on access permissions granted for SAML and OIDC applications, as well as modify such permissions.
* View and edit the list of users added to SAML and OIDC applications.
* Get the certificates of SAML applications and create, modify, and delete such certificates.
* View the list of organization users that are [subscribed](../organization/operations/subscribe-user-for-notifications.md) to technical notifications on organization events, as well as edit this list.
* View info on [MFA policies](../organization/concepts/mfa.md#mfa-policies) and create, modify, activate, deactivate, and delete such policies.
* Delete [MFA factors](concepts/users/accounts.md#saml-federation) for federated and [local](concepts/users/accounts.md#saml-federation) user accounts.
* Reset the verification date for federated and local user accounts.
* View info on the organization's [OS Login](../organization/concepts/os-login.md) settings and modify them.
* View the list of users' and [service accounts'](concepts/users/service-accounts.md) OS Login [profiles](../organization/concepts/os-login.md#os-login-profiles), as well as create, modify, and delete such profiles.
* View the list of the organization users' SSH keys and info on such keys, as well as create, modify, and delete them.
* View info on [user groups](../organization/concepts/groups.md), as well as create, modify, and delete them.
* Add users and service accounts to groups and remove them from groups.
* View info on access permissions granted for user groups and modify such permissions.
* View the list of groups a certain user is a member of, as well as the list of users that are members of a certain group.
* View the list of and info on Yandex Identity Hub user groups associated with identity federations and user pools through synchronization with user groups in Active Directory or another external source.
* View the list of members belonging to Yandex Identity Hub user groups associated with user groups in Active Directory or another external source, as well as manage membership in such groups.
* Associate user groups with identity federations and user pools through synchronization with user groups in Active Directory or another external source, as well as disassociate them.
* Modify and delete Yandex Identity Hub user groups associated with user groups in Active Directory or another external source.
* Link Yandex Identity Hub to a billing account.
* View info on a subscription to the paid-for Yandex Identity Hub features.
* View info on stats regarding the use of the quotes within a subscription to the paid-for Yandex Identity Hub features, as well as edit these quotas.
* View the list of users who employ the Yandex Identity Hub authentication quota in the current [reporting period](../billing/concepts/reporting-period.md).
* View and edit the [refresh token](concepts/authorization/refresh-token.md) settings in an organization.
* View info on the organization users' refresh tokens, as well as revoke such tokens.
* View and terminate federated and local users' [sessions](../organization/concepts/sessions.md).
* View info on Yandex Identity Hub quotas.
* View info on the effective tech support [service plan](../support/pricing.md#effective-plans).
* View the list of technical support [requests](../support/overview.md) and info on them, as well as create and close such requests, leave comments, and attach files to them.
* View, create, modify, and delete SourceCraft repositories.
* Read files from a SourceCraft repository.
* View, create, edit, and delete pull requests in SourceCraft repositories.
* Merge pull requests in SourceCraft repositories.
* Push changes to regular and protected SourceCraft repository branches.
* View, create, and edit private and public issues in SourceCraft repositories.
* Change the issue access type in SourceCraft repositories.
* Add reactions to issues in SourceCraft repositories.
* View, create, edit, and delete comments to pull requests and private and public issues in SourceCraft repositories, as well as mark such comments as resolved.
* View, create, edit, and delete SourceCraft repository tags.
* Manage access permissions for a SourceCraft repository.
* View, get, create, modify, and delete secrets in SourceCraft repositories.

{% endcut %}

This role includes the `organization-manager.editor`, `organization-manager.federations.admin`, `organization-manager.osLogins.admin`, `organization-manager.userpools.admin`, `organization-manager.samlApplications.admin`, `organization-manager.oauthApplications.admin`, `organization-manager.groups.memberAdmin`, `organization-manager.groups.externalCreator`, `organization-manager.groups.externalManager`, `organization-manager.idpInstances.billingAdmin`, and `src.repositories.admin` permissions.

To configure user group mapping, the role must be assigned for the Yandex Identity Hub groups you intend to map.

#### organization-manager.organizations.owner {#organization-manager-organizations-owner}

The `organization-manager.organizations.owner` role enables performing any actions with the [organization resources](../organization/concepts/organization.md) and [billing accounts](../billing/concepts/billing-account.md), which includes creating billing accounts and linking them to [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud). This role also enables assigning additional organization owners.

Prior to assigning this role, make sure to check out the information on protecting [privileged accounts](../security/standard/all.md#privileged-users).

#### organization-manager.federations.extGroupsViewer {#organization-manager-federations-extGroupsViewer}

The `organization-manager.federations.extGroupsViewer` role enables viewing the list of and info on Yandex Identity Hub [user groups](../organization/concepts/groups.md) associated with [identity federations](../organization/concepts/groups.md) through synchronization with user groups in Active Directory or another external source.

#### organization-manager.federations.extGroupsManager {#organization-manager-federations-extGroupsManager}

The `organization-manager.federations.extGroupsManager` role enables viewing the list of and info on Yandex Identity Hub [user groups](../organization/concepts/groups.md) associated with [identity federations](../organization/concepts/add-federation.md) through synchronization with user groups in Active Directory or another external source, as well as associating such groups with identity federations.

This role includes the `organization-manager.federations.extGroupsViewer` permissions.

#### organization-manager.federations.extGroupsCleaner {#organization-manager-federations-extGroupsCleaner}

The `organization-manager.federations.extGroupsCleaner` role enables viewing the list of and info on Yandex Identity Hub [user groups](../organization/concepts/groups.md) associated with [identity federations](../organization/concepts/add-federation.md) through synchronization with user groups in Active Directory or another external source, as well as disassociating such groups from identity federations.

This role includes the `organization-manager.federations.extGroupsViewer` permissions.

#### organization-manager.federations.auditor {#organization-manager-federations-auditor}

The `organization-manager.federations.auditor` role enables viewing info on the organization and its settings, the identity federations, and user group mappings.

Users with this role can:
* View info on the Yandex Identity Hub [organization](../organization/concepts/organization.md) and its settings.
* View info on [identity federations](../organization/concepts/add-federation.md).
* View info on [certificates](../organization/concepts/add-federation.md#build-trust).
* View the list of [user group mappings](../organization/concepts/add-federation.md#group-mapping) and info on them.
* View the list of the organization’s [users](../organization/concepts/domains.md), info from user accounts (except phone numbers), the latest authentication date, as well as the latest verification date for federated and local accounts via [two-factor authentication](../organization/concepts/domains.md).
* View the list of [groups](../organization/concepts/groups.md) that users are members of.
* View the [attributes](../organization/operations/setup-federation.md#claims-mapping) of federated and local users.

#### organization-manager.federations.viewer {#organization-manager-federations-viewer}

The `organization-manager.federations.viewer` role enables viewing info on the organization and its settings, the identity federations, and user group mappings.

Users with this role can:
* View info on the Yandex Identity Hub [organization](../organization/concepts/organization.md) and its settings.
* View info on [identity federations](../organization/concepts/add-federation.md).
* View info on [certificates](../organization/concepts/add-federation.md#build-trust).
* View the list of [user group mappings](../organization/concepts/add-federation.md#group-mapping) and info on them.
* View the list of the organization's [users](../overview/roles-and-resources.md#users), info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via [two-factor authentication](../organization/concepts/mfa.md).
* View the list of [groups](../organization/concepts/groups.md) that users are members of.
* View the list of and info on Yandex Identity Hub user groups associated with identity federations through synchronization with user groups in Active Directory or another external source.
* View the [attributes](../organization/operations/setup-federation.md#claims-mapping) of federated and local users.

This role includes the `organization-manager.federations.auditor` and `organization-manager.federations.extGroupsViewer` permissions.

#### organization-manager.federations.editor {#organization-manager-federations-editor}

The `organization-manager.federations.editor` role enables managing identity federations, federated users, and certificates, as well as viewing info on the organization, its settings, and users.

Users with this role can:
* View info on the Yandex Identity Hub [organization](../organization/concepts/organization.md) and its settings.
* View info on [identity federations](../organization/concepts/add-federation.md) and create, modify, and delete such federations.
* View info on [certificates](../organization/concepts/add-federation.md#build-trust) and create, modify, and delete them.
* Add and remove [federated users](concepts/users/accounts.md#saml-federation).
* Revoke federated users' [refresh tokens](concepts/authorization/refresh-token.md).
* Delete [MFA factors](concepts/users/accounts.md#saml-federation) for federated and [local](concepts/users/accounts.md#saml-federation) user accounts.
* Reset the verification date for federated and local user accounts.
* Configure [mapping](../organization/concepts/add-federation.md#group-mapping) for [federated user](concepts/users/accounts.md#saml-federation) groups.
* View the lists of federated user group mappings and info on them, as well as create, edit, and delete such lists.
* View the list of the organization's [users](../overview/roles-and-resources.md#users), info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via [two-factor authentication](../organization/concepts/mfa.md).
* View the list of [groups](../organization/concepts/groups.md) that users are members of.
* View the list of and info on Yandex Identity Hub user groups associated with identity federations through synchronization with user groups in Active Directory or another external source.
* View the [attributes](../organization/operations/setup-federation.md#claims-mapping) of federated and local users.
* View and terminate federated and local users' [sessions](../organization/concepts/sessions.md).

This role includes the `organization-manager.federations.viewer` and `organization-manager.federations.userAdmin` permissions.

To configure user group mapping, the role must be assigned for the Yandex Identity Hub groups you intend to map.

#### organization-manager.federations.userAdmin {#organization-manager-federations-userAdmin}

The `organization-manager.federations.userAdmin` role enables adding and removing federated users to/from an organization, revoking refresh tokens, managing user accounts' MFA factors, and viewing the list of the organization's users as well as info from their accounts.

Users with this role can:
* Add and remove [federated users](concepts/users/accounts.md#saml-federation).
* Revoke federated users' [refresh tokens](concepts/authorization/refresh-token.md).
* Delete [MFA factors](concepts/users/accounts.md#saml-federation) for federated and [local](concepts/users/accounts.md#saml-federation) user accounts.
* Reset the verification date for federated and local user accounts.
* View the list of the organization's [users](../overview/roles-and-resources.md#users), info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via [two-factor authentication](../organization/concepts/mfa.md).
* View the list of [groups](../organization/concepts/groups.md) that users are members of.
* View the [attributes](../organization/operations/setup-federation.md#claims-mapping) of federated and local users.
* View and terminate federated and local users' [sessions](../organization/concepts/sessions.md).

This role includes the `iam.userAccounts.refreshTokenRevoker` permissions.

#### organization-manager.federations.admin {#organization-manager-federations-admin}

The `organization-manager.federations.admin` role enables managing identity federations, federated users, and certificates, as well as viewing info on the organization, its settings, and users.

Users with this role can:
* View info on the Yandex Identity Hub [organization](../organization/concepts/organization.md) and its settings.
* View info on [identity federations](../organization/concepts/add-federation.md) and create, modify, and delete such federations.
* View info on [certificates](../organization/concepts/add-federation.md#build-trust) and create, modify, and delete them.
* Add and remove [federated users](concepts/users/accounts.md#saml-federation).
* Revoke federated users' [refresh tokens](concepts/authorization/refresh-token.md).
* Delete [MFA factors](concepts/users/accounts.md#saml-federation) for federated and [local](concepts/users/accounts.md#saml-federation) user accounts.
* Reset the verification date for federated and local user accounts.
* Configure [mapping](../organization/concepts/add-federation.md#group-mapping) for [federated user](concepts/users/accounts.md#saml-federation) groups.
* View the lists of federated user group mappings and info on them, as well as create, edit, and delete such lists.
* View the list of the organization's [users](../overview/roles-and-resources.md#users), info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via [two-factor authentication](../organization/concepts/mfa.md).
* View the list of [groups](../organization/concepts/groups.md) that users are members of.
* View the list of and info on Yandex Identity Hub user groups associated with identity federations through synchronization with user groups in Active Directory or another external source.
* Associate user groups with identity federations through synchronization with user groups in Active Directory or another external source, as well as disassociate them.
* View the [attributes](../organization/operations/setup-federation.md#claims-mapping) of federated and local users.
* View and terminate federated and local users' [sessions](../organization/concepts/sessions.md).

This role includes the `organization-manager.federations.editor`, `organization-manager.federations.extGroupsManager`, and `organization-manager.federations.extGroupsCleaner` permissions.

To configure user group mapping, the role must be assigned for the Yandex Identity Hub groups you intend to map.

#### organization-manager.osLogins.viewer {#organization-manager-osLogins-viewer}

The `organization-manager.osLogins.viewer` role enables viewing the [organization's](../organization/concepts/organization.md) OS Login settings and the list of the users' and [service accounts’](concepts/users/service-accounts.md) [OS Login profiles](../organization/concepts/os-login.md#os-login-profiles), as well as viewing the list of the [users'](../overview/roles-and-resources.md#users) SSH keys and the info on them.

#### organization-manager.osLogins.admin {#organization-manager-osLogins-admin}

The `organization-manager.osLogins.admin` role enables managing the organization's OS Login settings, as well as the users' OS Login profiles and SSH keys.

Users with this role can:
* View info on the organization's [OS Login](../organization/concepts/os-login.md) settings and modify them.
* View the list of the [organization](../organization/concepts/organization.md) users' and [service accounts’](concepts/users/service-accounts.md) OS Login [profiles](../organization/concepts/os-login.md#os-login-profiles), as well as create, modify, and delete such profiles.
* View the list of the organization users' SSH keys and info on such keys, as well as create, modify, and delete them.

This role includes the `organization-manager.osLogins.viewer` permissions.

#### organization-manager.groups.externalCreator {#organization-manager-groups-externalCreator}

The `organization-manager.groups.externalCreator` role enables creating Yandex Identity Hub [user groups](../organization/concepts/groups.md) when synchronizing with user groups in Active Directory or another external source.

#### organization-manager.groups.externalConverter {#organization-manager-groups-externalConverter}

The `organization-manager.groups.externalConverter` role enables adding an attribute with an external group ID to Yandex Identity Hub [user groups](../organization/concepts/groups.md) when synchronizing with user groups in Active Directory or another external source.

#### organization-manager.groups.externalManager {#organization-manager-groups-externalManager}

The `organization-manager.groups.externalManager` role enables managing Yandex Identity Hub user groups associated with user groups in Active Directory or another external source.

Users with this role can:
* Associate Yandex Identity Hub [user groups](../organization/concepts/groups.md) with user groups in Active Directory or another external source.
* Modify and delete Yandex Identity Hub user groups associated with user groups in Active Directory or another external source.
* View the list of members belonging to Yandex Identity Hub user groups associated with user groups in Active Directory or another external source, as well as manage membership in such groups.
* View info on [access permissions](concepts/access-control/index.md) granted for Yandex Identity Hub user groups.

#### organization-manager.groups.viewer {#organization-manager-groups-viewer}

The `organization-manager.groups.viewer` role enables viewing info on [user groups](../organization/concepts/groups.md) and [access permissions](concepts/access-control/index.md) granted for them, as well as viewing the list of [users](../overview/roles-and-resources.md#users) and [service accounts](concepts/users/service-accounts.md) that are members of groups.

#### organization-manager.groups.editor {#organization-manager-groups-editor}

The `organization-manager.groups.editor` role enables managing user groups.

A role is assigned to an organization or user group.

Users with this role can:
* View info on [user groups](../organization/concepts/groups.md), as well as create, modify, and delete them.
* View the list of [users](../organization/concepts/groups.md) and [service accounts](../organization/concepts/groups.md) belonging to user groups.
* View info on [access permissions](concepts/access-control/index.md) granted for user groups.

This role includes the `organization-manager.groups.viewer` permissions.

#### organization-manager.groups.memberAdmin {#organization-manager-groups-memberAdmin}

The `organization-manager.groups.memberAdmin` role enables viewing the info on [user groups](../organization/concepts/groups.md), as well as viewing and modifying the lists of [users](../overview/roles-and-resources.md#users) and [service accounts](concepts/users/service-accounts.md) that are members of groups.

#### organization-manager.groups.admin {#organization-manager-groups-admin}

The `organization-manager.groups.admin` role enables managing user groups and access to them, as well as the users that belong to them.

A role is assigned to an organization or user group.

Users with this role can:
* View info on [user groups](../organization/concepts/groups.md), as well as create, modify, and delete them.
* View info on [access permissions](concepts/access-control/index.md) granted for the relevant user groups and modify such permissions.
* View the list of [users](../organization/concepts/groups.md) and [service accounts](../organization/concepts/groups.md) belonging to user groups.
* Add users and service accounts to and remove them from groups.

This role includes the `organization-manager.groups.editor` and `organization-manager.groups.memberAdmin` permissions.

#### organization-manager.users.viewer {#organization-manager-users-viewer}

The `organization-manager.users.viewer` role enables viewing the list of the organization’s [users](../overview/roles-and-resources.md#users), info on them (including their phone number), the [attributes](../organization/operations/setup-federation.md#claims-mapping) and date of the latest verification for [federated](../organization/operations/setup-federation.md#claims-mapping) and [local](../organization/operations/setup-federation.md#claims-mapping) accounts via [two-factor authentication](../organization/concepts/mfa.md), and the lists of [groups](../organization/operations/setup-federation.md#claims-mapping) to which the users belong.

#### organization-manager.passportUserAdmin {#organization-manager-passportUserAdmin}

The `organization-manager.passportUserAdmin` role enables viewing info on the organization’s users, as well as inviting users with Yandex accounts to the organization and removing them from it.

Users with this role can:
* [Send](../organization/operations/add-account.md#send-invitation) and [resend](../organization/operations/add-account.md#resend-invitation) invites to the organization to new [users](../organization/concepts/membership.md) with Yandex accounts, as well as view and [delete](../organization/operations/add-account.md#delete-invitation) such invites.
* [Delete](../organization/operations/edit-account.md) user accounts from the [organization](../organization/concepts/organization.md).
* View the list of the organization’s users, info from user accounts (except phone numbers), the latest authentication date, as well as the latest verification date for federated and local accounts via [two-factor authentication](../organization/concepts/domains.md).
* View the [attributes](../organization/operations/setup-federation.md#claims-mapping) of the organization’s [federated](../organization/operations/setup-federation.md#claims-mapping) and [local](../organization/operations/setup-federation.md#claims-mapping) users.

#### organization-manager.oauthApplications.auditor {#organization-manager-oauthApplications-auditor}

The `organization-manager.samlApplications.auditor` role enables viewing info on OIDC applications and the [access permissions](concepts/access-control/index.md) granted for them, as well as viewing the list of [users](../overview/roles-and-resources.md#users) added to OIDC applications.

#### organization-manager.oauthApplications.viewer {#organization-manager-oauthApplications-viewer}

The `organization-manager.samlApplications.viewer` role enables viewing info on OIDC applications and the [access permissions](concepts/access-control/index.md) granted for them, as well as viewing the list of [users](../overview/roles-and-resources.md#users) added to OIDC applications.

This role includes the `organization-manager.oauthApplications.auditor` permissions.

#### organization-manager.oauthApplications.editor {#organization-manager-oauthApplications-editor}

The `organization-manager.samlApplications.editor` role enables managing OIDC applications and viewing the users added to them.

Users with this role can:
* View info on OIDC applications and the [access permissions](concepts/access-control/index.md) granted for them.
* Create, deactivate, activate, modify, and delete OIDC applications.
* View the list of the [users](../overview/roles-and-resources.md#users) added to OIDC applications.

This role includes the `organization-manager.oauthApplications.viewer` permissions.

#### organization-manager.oauthApplications.userAdmin {#organization-manager-oauthApplications-userAdmin}

The `organization-manager.oauthApplications.userAdmin` role enables viewing and editing the list of the users added to an OIDC application.

#### organization-manager.oauthApplications.admin {#organization-manager-oauthApplications-admin}

The `organization-manager.oauthApplications.admin` role enables managing OIDC applications and access to them, as well as users added to such OIDC applications.

Users with this role can:
* View info on OIDC applications, as well as create, deactivate, activate, modify, and delete them.
* View info on the [access permissions](concepts/access-control/index.md) granted for the relevant OIDC applications and modify such permissions.
* View and edit the list of the [users](../overview/roles-and-resources.md#users) added to OIDC applications.

This role includes the `organization-manager.oauthApplications.editor` and `organization-manager.oauthApplications.userAdmin` permissions.

#### organization-manager.samlApplications.auditor {#organization-manager-samlApplications-auditor}

The `organization-manager.samlApplications.auditor` role enables viewing info on SAML applications and the [access permissions](concepts/access-control/index.md) granted for them, viewing the list of [users](../overview/roles-and-resources.md#users) added to SAML applications, and getting certificates for SAML applications.

#### organization-manager.samlApplications.viewer {#organization-manager-samlApplications-viewer}

The `organization-manager.samlApplications.viewer` role enables viewing info on SAML applications and the [access permissions](concepts/access-control/index.md) granted for them, viewing the list of [users](../overview/roles-and-resources.md#users) added to SAML applications, and getting certificates for SAML applications.

This role includes the `organization-manager.samlApplications.auditor` permissions.

#### organization-manager.samlApplications.editor {#organization-manager-samlApplications-editor}

The `organization-manager.samlApplications.editor` role enables managing SAML applications and viewing the users added to them.

Users with this role can:
* View info on SAML applications and the [access permissions](concepts/access-control/index.md) granted for them.
* Create, deactivate, activate, modify, and delete SAML applications.
* Get certificates of SAML applications and create, modify, and delete such certificates.
* View the list of the [users](../overview/roles-and-resources.md#users) added to SAML applications.
* View the list of the users added to OIDC applications.

This role includes the `organization-manager.samlApplications.viewer` permissions.

#### organization-manager.samlApplications.userAdmin {#organization-manager-samlApplications-userAdmin}

The `organization-manager.samlApplications.userAdmin` role enables viewing and editing the list of the [users](../overview/roles-and-resources.md#users) added to a SAML application.

#### organization-manager.samlApplications.admin {#organization-manager-samlApplications-admin}

The `organization-manager.samlApplications.admin` role enables managing SAML applications and access to them, as well as users added to such SAML applications.

Users with this role can:
* View info on SAML applications, as well as create, deactivate, activate, modify, and delete them.
* View info on the [access permissions](concepts/access-control/index.md) granted for the relevant SAML applications and modify such permissions.
* Get certificates of SAML applications and create, modify, and delete such certificates.
* View and edit the list of the [users](../overview/roles-and-resources.md#users) added to SAML applications.
* View the list of the users added to OIDC applications.

This role includes the `organization-manager.samlApplications.editor` and `organization-manager.samlApplications.userAdmin` permissions.

#### organization-manager.userpools.extGroupsViewer {#organization-manager-userpools-extGroupsViewer}

The `organization-manager.userpools.extGroupsViewer` role enables viewing the list of and info on Yandex Identity Hub [user groups](../organization/concepts/groups.md) associated with [user pools](../organization/concepts/groups.md) through synchronization with user groups in Active Directory or another external source.

#### organization-manager.userpools.extGroupsManager {#organization-manager-userpools-extGroupsManager}

The `organization-manager.userpools.extGroupsManager` role enables viewing the list of and info on Yandex Identity Hub [user groups](../organization/concepts/user-pools.md) associated with [user pools](../organization/concepts/user-pools.md) through synchronization with user groups in Active Directory or another external source, as well as associating such groups with user pools.

This role includes the `organization-manager.userpools.extGroupsViewer` permissions.

#### organization-manager.userpools.extGroupsCleaner {#organization-manager-userpools-extGroupsCleaner}

The `organization-manager.userpools.extGroupsCleaner` role enables viewing the list of and info on Yandex Identity Hub [user groups](../organization/concepts/groups.md) associated with [user pools](../organization/concepts/user-pools.md) through synchronization with user groups in Active Directory or another external source, as well as disassociating such groups from user pools.

This role includes the `organization-manager.userpools.extGroupsViewer` permissions.

#### organization-manager.userpools.syncAgent {#organization-manager-userpools-syncAgent}

The `organization-manager.userpools.syncAgent` role enables synchronizing Yandex Identity Hub users and groups with users and groups in Active Directory or another external source.

Users with this role can:
* View info on sync sessions between Identity Hub AD Sync Agent and Yandex Identity Hub, as well as create and modify such sessions.
* View info on [user pools](../organization/concepts/user-pools.md) and sync settings in user pools.
* View the list of and info on Yandex Identity Hub [user groups](../organization/concepts/groups.md) associated with user pools through synchronization with user groups in Active Directory or another external source.
* Associate user groups with user pools through synchronization with user groups in Active Directory or another external source.
* View info on Yandex Identity Hub users, create, modify, activate, deactivate, and delete such users, as well as edit their passwords and other data.

This role includes the `organization-manager.userpools.extGroupsManager` permissions.

#### organization-manager.userpools.auditor {#organization-manager-userpools-auditor}

The `organization-manager.userpools.auditor` role enables viewing info on user pools and the organization’s users.

Users with this role can:
* View info on [user pools](../organization/concepts/user-pools.md) and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [domains](../organization/concepts/domains.md) linked to user pools.
* View the list of the organization’s [users](../organization/concepts/domains.md), info from user accounts (except phone numbers), the latest authentication date, as well as the latest verification date for federated and local accounts via [two-factor authentication](../organization/concepts/domains.md).
* View the list of [groups](../organization/concepts/groups.md) that users are members of.
* View the attributes of federated and local users.

#### organization-manager.userpools.viewer {#organization-manager-userpools-viewer}

The `organization-manager.userpools.viewer` role enables viewing info on user pools, as well as viewing the list of organization users and info on them.

Users with this role can:
* View info on [user pools](../organization/concepts/user-pools.md) and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [domains](../organization/concepts/domains.md) linked to user pools.
* View the list of the organization's [users](../organization/concepts/mfa.md), info on them (including their phone number), their latest authentication date, as well as the latest verification date for federated and local accounts via [two-factor authentication](../organization/concepts/mfa.md).
* View user audit events.
* View the list of [groups](../organization/concepts/groups.md) that users are members of.
* View the list of and info on Yandex Identity Hub user groups associated with user pools through synchronization with user groups in Active Directory or another external source.
* View the attributes of federated and local users.

This role includes the `organization-manager.userpools.auditor` and `organization-manager.userpools.extGroupsViewer` permissions.

#### organization-manager.userpools.editor {#organization-manager-userpools-editor}

The `organization-manager.userpools.editor` role enables managing user pools and users that belong to them.

Users with this role can:
* View info on [user pools](../organization/concepts/user-pools.md) and [access permissions](concepts/access-control/index.md) granted for them.
* Create, modify, and delete user pools.
* View info on [domains](../organization/concepts/domains.md) associated with user pools, as well as add, confirm, and remove domains.
* View the list of the organization's [users](../organization/concepts/mfa.md), info on them (including their phone number), their latest authentication date, as well as the latest verification date for federated and local accounts via [two-factor authentication](../organization/concepts/mfa.md).
* Create, delete, activate, and deactivate users belonging to user pools.
* Edit user data, such as usernames, passwords, domains, emails, full names, and phone numbers.
* Delete [MFA factors](concepts/users/accounts.md#saml-federation) for [federated](concepts/users/accounts.md#saml-federation) and [local](concepts/users/accounts.md#saml-federation) user accounts.
* Reset the verification date for federated and local user accounts.
* Revoke [refresh tokens](concepts/authorization/refresh-token.md) from users.
* View user audit events.
* View the list of [groups](../organization/concepts/groups.md) that users are members of.
* View the list of and info on Yandex Identity Hub user groups associated with user pools through synchronization with user groups in Active Directory or another external source.
* View the attributes of federated and local users.
* View and terminate federated and local users' [sessions](../organization/concepts/sessions.md).

This role includes the `organization-manager.userpools.userAdmin` and `organization-manager.userpools.viewer` permissions.

#### organization-manager.userpools.userAdmin {#organization-manager-userpools-userAdmin}

The `organization-manager.userpools.userAdmin` role enables managing organization users belonging to user pools.

Users with this role can:
* View the list of the organization's [users](../organization/concepts/mfa.md), info on them (including their phone number), their latest authentication date, as well as the latest verification date for federated and local accounts via [two-factor authentication](../organization/concepts/mfa.md).
* Create, delete, activate, and deactivate local users belonging to [user pools](concepts/users/accounts.md#saml-federation).
* Edit user data, such as usernames, passwords, domains, emails, full names, and phone numbers.
* Delete [MFA factors](concepts/users/accounts.md#saml-federation) for [federated](concepts/users/accounts.md#saml-federation) and [local](concepts/users/accounts.md#saml-federation) user accounts.
* Reset the verification date for federated and local user accounts.
* Revoke [refresh tokens](concepts/authorization/refresh-token.md) from users.
* View the list of [groups](../organization/concepts/groups.md) that users are members of.
* View the attributes of federated and local users.
* View and terminate federated and local users' [sessions](../organization/concepts/sessions.md).

This role includes the `iam.userAccounts.refreshTokenRevoker` permissions.

#### organization-manager.userpools.admin {#organization-manager-userpools-admin}

The `organization-manager.userpools.admin` role enables managing user pools and access to them, as well as users that belong to them.

Users with this role can:
* View info on [user pools](../organization/concepts/user-pools.md) and create, modify, and delete them.
* View info on [access permissions](concepts/access-control/index.md) granted for user pools and modify such permissions.
* View info on [domains](../organization/concepts/domains.md) associated with user pools, as well as add, confirm, and remove domains.
* View the list of the organization's [users](../organization/concepts/mfa.md), info on them (including their phone number), their latest authentication date, as well as the latest verification date for federated and local accounts via [two-factor authentication](../organization/concepts/mfa.md).
* Create, delete, activate, and deactivate users belonging to user pools.
* Edit user data, such as usernames, passwords, domains, emails, full names, and phone numbers.
* Delete [MFA factors](concepts/users/accounts.md#saml-federation) for [federated](concepts/users/accounts.md#saml-federation) and [local](concepts/users/accounts.md#saml-federation) user accounts.
* Reset the verification date for federated and local user accounts.
* Revoke [refresh tokens](concepts/authorization/refresh-token.md) from users.
* View user audit events.
* View the list of [groups](../organization/concepts/groups.md) that users are members of.
* View the list of and info on Yandex Identity Hub user groups associated with user pools through synchronization with user groups in Active Directory or another external source.
* Associate user groups with user pools through synchronization with user groups in Active Directory or another external source, as well as disassociate them.
* View the attributes of federated and local users.
* View and terminate federated and local users' [sessions](../organization/concepts/sessions.md).

This role includes the `organization-manager.userpools.editor`, `organization-manager.userpools.extGroupsManager`, and `organization-manager.userpools.extGroupsCleaner` permissions.

#### organization-manager.idpInstances.billingViewer {#organization-manager-idpInstances-billingViewer}

The `organization-manager.idpInstances.billingViewer` role enables viewing the list of users who employ the Yandex Identity Hub authentication quota in the current [reporting period](../billing/concepts/reporting-period.md), as well as viewing info on a subscription to the paid-for Yandex Identity Hub features and stats regarding the use of the quotas within this subscription.

#### organization-manager.idpInstances.billingAdmin {#organization-manager-idpInstances-billingAdmin}

The `organization-manager.idpInstances.billingAdmin` role enables managing a subscription to the paid-for Yandex Identity Hub features.

Users with this role can:
* Link Yandex Identity Hub to a [billing account](../billing/concepts/billing-account.md).
* View info on a subscription to the paid-for Yandex Identity Hub features.
* View info on stats regarding the use of the quotes within a subscription to the paid-for Yandex Identity Hub features, as well as edit these quotas.
* View the list of users who employ the Yandex Identity Hub authentication quota in the current [reporting period](../billing/concepts/reporting-period.md).

This role includes the `organization-manager.idpInstances.billingViewer` permissions.

For more information, see [Access management in Yandex Identity Hub](../organization/security/index.md).


## Yandex IoT Core {#iot-core-roles}

#### iot.devices.writer {#iot-devices-writer}

The `iot.devices.writer` role grants permission to send [gRPC messages](../iot-core/concepts/mqtt-grpc.md) to Yandex IoT Core on behalf of a [device](../iot-core/concepts/index.md#device).

#### iot.registries.writer {#iot-registries-writer}

The `iot.registries.writer` role grants permission to send [gRPC messages](../iot-core/concepts/mqtt-grpc.md) to Yandex IoT Core on behalf of a [registry](../iot-core/concepts/index.md#registry).

#### iot.auditor {#iot-auditor}

The `iot.auditor` role allows you to view metadata of [devices](../iot-core/concepts/index.md#device), device [registries](../iot-core/concepts/index.md#registry), and [brokers](../iot-core/concepts/index.md#broker), as well as information on [quotas](../iot-core/concepts/limits.md#iot-quotas) in Yandex IoT Core.

#### iot.viewer {#iot-viewer}

The `iot.viewer` role allows you to view all Yandex IoT Core resources.

#### iot.editor {#iot-editor}

The `iot.editor` role allows users to create, edit, and delete all Yandex IoT Core resources.

For more information, see [Access management in Yandex IoT Core](../iot-core/security/index.md).


## Yandex Key Management Service {#kms-roles}

#### kms.keys.user {#kms-keys-user}

The `kms.keys.user` role enables viewing the list of [symmetric encryption keys](../kms/concepts/key.md) and information on them, as well as using such keys.

#### kms.keys.encrypter {#kms-keys-encrypter}

The `kms.keys.encrypter` role enables viewing info on [symmetric encryption keys](../kms/concepts/key.md) and using such keys to encrypt data.

#### kms.keys.decrypter {#kms-keys-decrypter}

The `kms.keys.decrypter` role enables viewing info on [symmetric encryption keys](../kms/concepts/key.md) and using such keys to decrypt data.

#### kms.keys.encrypterDecrypter {#kms-keys-encrypterDecrypter}

The `kms.keys.encrypterDecrypter` role enables viewing info on [symmetric encryption keys](../kms/concepts/key.md) and using such keys to encrypt or decrypt data.

This role includes the `kms.keys.encrypter` and `kms.keys.decrypter` permissions.

#### kms.asymmetricEncryptionKeys.publicKeyViewer {#kms-asymmetricEncryptionKeys-publicKeyViewer}

The `kms.asymmetricEncryptionKeys.publicKeyViewer` role enables viewing info on [asymmetric encryption key pairs](../kms/concepts/asymmetric-encryption-key.md), as well as getting a [public key](../kms/concepts/asymmetric-encryption.md#acquire-public-key) from an encryption key pair.

#### kms.asymmetricSignatureKeys.publicKeyViewer {#kms-asymmetricSignatureKeys-publicKeyViewer}

The `kms.asymmetricSignatureKeys.publicKeyViewer` role enables viewing info on [digital signature key pairs](../kms/concepts/asymmetric-signature-key.md), as well as getting a public key from a digital signature key pair.

#### kms.asymmetricSignatureKeys.signer {#kms-asymmetricSignatureKeys-signer}

The `kms.asymmetricSignatureKeys.signer` role enables signing data with a private key from a [digital signature key pair](../kms/concepts/asymmetric-signature-key.md).

#### kms.asymmetricEncryptionKeys.decrypter {#kms-asymmetricEncryptionKeys-decrypter}

The `kms.asymmetricEncryptionKeys.decrypter` role enables decrypting data with a private key from an [asymmetric encryption key pair](../kms/concepts/asymmetric-encryption-key.md).

#### kms.auditor {#kms-auditor}

The `kms.auditor` role enables viewing info on encryption keys and key pairs and access permissions assigned to them.

Users with this role can:
* View the list of [symmetric](../kms/concepts/key.md) encryption keys, info on them and on [access permissions](concepts/access-control/index.md) assigned to them.
* View info on [asymmetric encryption key pairs](../kms/concepts/asymmetric-encryption-key.md) and access permissions assigned to them.
* View information on [digital signature key pairs](../kms/concepts/asymmetric-signature-key.md) and on access permissions assigned to them.
* View details on the Key Management Service [quotas](../kms/concepts/limits.md#kms-quotas).

#### kms.viewer {#kms-viewer}

The `kms.viewer` role enables viewing info on encryption and digital signature keys and key pairs, access permissions assigned to them, and KMS quotas.

Users with this role can:
* View the list of [symmetric](../kms/concepts/key.md) encryption keys, info on them and on [access permissions](concepts/access-control/index.md) assigned to them.
* View info on [asymmetric encryption key pairs](../kms/concepts/asymmetric-encryption-key.md) and access permissions assigned to them.
* View information on [digital signature key pairs](../kms/concepts/asymmetric-signature-key.md) and on access permissions assigned to them.
* View details on the Key Management Service [quotas](../kms/concepts/limits.md#kms-quotas).

This role includes the `kms.auditor` permissions.

#### kms.editor {#kms-editor}

The `kms.editor` role allows you to create encryption and digital signature keys and key pairs as well as use them to encrypt, decrypt, and sign data.

Users with this role can:
* View the list of [symmetric](../kms/concepts/key.md) encryption keys, info on them and their [access permissions](concepts/access-control/index.md), as well as create, rotate, and modify symmetric key metadata, including rotation periods.
* Encrypt and decrypt data using symmetric encryption keys.
* View info on [asymmetric encryption key pairs](../kms/concepts/asymmetric-encryption-key.md) and access permissions assigned to them as well as create such key pairs or modify their metadata.
* Get a [public key](../kms/concepts/asymmetric-encryption.md#acquire-public-key) and decrypt data using a private key from an asymmetric encryption key pair.
* View info on [digital signature key pairs](../kms/concepts/asymmetric-signature-key.md) and access permissions assigned to them as well as create such key pairs or modify their metadata.
* Get a public key and sign data using a private key from a digital signature key pair.
* View details on the Key Management Service [quotas](../kms/concepts/limits.md#kms-quotas).

#### kms.admin {#kms-admin}

The `kms.admin` role enables managing encryption and digital signature keys and key pairs, as well as managing access to such keys or key pairs and using them to encrypt, decrypt, and sign data.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) assigned to [symmetric encryption keys](../kms/concepts/key.md) and modify such permissions.
* View the list of symmetric encryption keys and details on them, as well as create, activate, deactivate, rotate, and delete symmetric encryption keys, or change their default version and metadata (including rotation period).
* Encrypt and decrypt data using symmetric encryption keys.
* View info on access permissions assigned to [asymmetric encryption key pairs](../kms/concepts/asymmetric-encryption-key.md) and modify such permissions.
* View details on asymmetric encryption key pairs as well as create, activate, deactivate, and delete such key pairs, or modify their metadata.
* Get a [public key](../kms/concepts/asymmetric-encryption.md#acquire-public-key) and decrypt data using a private key from an asymmetric encryption key pair.
* View info on access permissions assigned to [digital signature key pairs](../kms/concepts/asymmetric-signature-key.md) and modify such permissions.
* View details on digital signature key pairs as well as create, activate, deactivate, and delete such key pairs, or modify their metadata.
* Get a public key and sign data using a private key from a digital signature key pair.
* View details on Key Management Service [quotas](../kms/concepts/limits.md#kms-quotas).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `kms.editor` permissions.

For more information, see [Access management in Key Management Service](../kms/security/index.md).


## Yandex Lockbox {#lockbox-roles}

#### lockbox.auditor {#lockbox-auditor}

The `lockbox.auditor` role enables viewing info on [secrets](../lockbox/concepts/secret.md#secret) and on [access permissions](concepts/access-control/index.md) assigned to them, as well as details on Yandex Lockbox [quotas](../lockbox/concepts/limits.md#quotas) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder) metadata.

#### lockbox.viewer {#lockbox-viewer}

The `lockbox.viewer` role enables viewing info on [secrets](../lockbox/concepts/secret.md#secret) and [access permissions](concepts/access-control/index.md) assigned to them, as well as info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder) and Yandex Lockbox [quotas](../lockbox/concepts/limits.md#quotas).

This role includes the `lockbox.auditor` permissions.

#### lockbox.editor {#lockbox-editor}

The `lockbox.editor` role enables managing secrets and their versions, as well as viewing info on access permissions assigned to secrets.

Users with this role can:
* View info on [secrets](../lockbox/concepts/secret.md#secret) and on [access permissions](concepts/access-control/index.md) assigned to them, as well as create, activate, deactivate, and delete secrets.
* Modify secret [version](../lockbox/concepts/secret.md#version) metadata, create and delete secret versions, as well as change current secret versions, schedule deleting a secret version, or cancel a scheduled deletion.
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).
* View details on Yandex Lockbox [quotas](../lockbox/concepts/limits.md#quotas).

This role includes the `lockbox.viewer` permissions.

#### lockbox.admin {#lockbox-admin}

The `lockbox.admin` role enables managing secrets, their versions, and access to them, as well as viewing secret contents.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) assigned to secrets and modify such permissions.
* View info on [secrets](../lockbox/concepts/secret.md#secret), including secret contents.
* Create, activate, deactivate, and delete secrets.
* Modify secret [version](../lockbox/concepts/secret.md#version) metadata, create and delete secret versions, as well as change current secret versions, schedule deleting a secret version, or cancel a scheduled deletion.
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).
* View details on Yandex Lockbox [quotas](../lockbox/concepts/limits.md#quotas).

This role includes the `lockbox.editor` and `lockbox.payloadViewer` permissions.

#### lockbox.payloadViewer {#lockbox-payloadViewer}

The `lockbox.payloadViewer` role enables viewing [secret](../lockbox/concepts/secret.md#secret) contents.

For more information, see [Access management in Yandex Lockbox](../lockbox/security/index.md).


## Managed databases {#mdb}

#### mdb.auditor {#mdb-auditor}

The `mdb.auditor` role grants the minimum permissions required to view info on managed database clusters (without access to data or logs).

Users with this role can view info on managed database clusters, quotas, and resource operations.

This role includes the `managed-opensearch.auditor`, `managed-kafka.auditor`, `managed-mysql.auditor`, `managed-postgresql.auditor`, `managed-spqr.auditor`, `managed-greenplum.auditor`, `managed-clickhouse.auditor`, `managed-redis.auditor`, and `managed-mongodb.auditor` permissions.

#### mdb.viewer {#mdb-viewer}

The `mdb.viewer` role grants read access to managed database clusters and cluster logs.

Users with this role can read from databases, view the logs of managed database clusters, and view info on cluster maintenance tasks, clusters, quotas, and resource operations.

This role includes the `managed-opensearch.viewer`, `managed-kafka.viewer`, `managed-mysql.viewer`, `managed-postgresql.viewer`, `managed-greenplum.viewer`, `managed-clickhouse.viewer`, `managed-redis.viewer`, `managed-mongodb.viewer`, and `dataproc.viewer` permissions.

#### mdb.admin {#mdb-admin}

The `mdb.admin` role grants full access to managed database clusters.

Users with this role can create, edit, delete, run, and stop managed database clusters, manage access to clusters, create cluster backups and restore clusters from backups, read and write to databases, view info on clusters, view and modify cluster maintenance tasks, and view cluster logs as well as info on quotas and resource operations.

This role includes the `mdb.viewer`, `vpc.user`, `managed-opensearch.admin`, `managed-kafka.admin`, `managed-mysql.admin`, `managed-postgresql.admin`, `managed-spqr.admin`, `managed-greenplum.admin`, `managed-clickhouse.admin`, `managed-redis.admin`, `managed-mongodb.admin`, and `dataproc.admin` permissions.

#### mdb.restorer {#mdb-restorer}

The `mdb.restorer` role enables restoring managed database clusters from backups and grants read access to such clusters and their logs.

Users with this role can restore managed database clusters from backups, read from databases, view cluster logs, and view info on clusters, their maintenance tasks, quotas, and resource operations.

This role includes the `mdb.viewer`, `managed-opensearch.restorer`, `managed-mysql.restorer`, `managed-postgresql.restorer`, `managed-spqr.restorer`, `managed-greenplum.restorer`, `managed-clickhouse.restorer`, `managed-redis.restorer`, and `managed-mongodb.restorer` permissions.

#### mdb.switcher {#mdb-switcher}

The `mdb.switcher` role enables re-assigning the master host in managed database clusters and grants access to information on such clusters and their logs.

Users with this role can re-assign the master host in managed database clusters, view info on such clusters, their hosts, databases, and users, as well as view cluster logs, service quotas, and resource operations.

This role includes the `mdb.viewer`, `managed-mongodb.switcher`, `managed-mysql.switcher`, `managed-postgresql.switcher`, and `managed-redis.switcher` permissions.

#### mdb.maintenanceTask.viewer {#mdb-maintenanceTask-viewer}

The `mdb.maintenanceTask.viewer` role grants access to information on maintenance tasks for managed database clusters.

Users with this role can view information on managed database clusters, their maintenance tasks, and access permissions granted for them, on hosts and cluster backups, as well as on service quotas and resource operations.

This role includes the `mdb.auditor`, `managed-clickhouse.maintenanceTask.viewer`, `managed-greenplum.maintenanceTask.viewer`, `managed-kafka.maintenanceTask.viewer`, `managed-mongodb.maintenanceTask.viewer`, `managed-mysql.maintenanceTask.viewer`, `managed-opensearch.maintenanceTask.viewer`, `managed-postgresql.maintenanceTask.viewer`, `managed-redis.maintenanceTask.viewer`, and `managed-spqr.maintenanceTask.viewer` permissions.

#### mdb.maintenanceTask.editor {#mdb-maintenanceTask-editor}

The `mdb.maintenanceTask.editor` role enables managing maintenance tasks for managed database clusters.

Users with this role can view information on maintenance tasks for managed database clusters and modify such tasks, view information on managed database clusters and access permissions granted for them, on cluster hosts and backups, as well as on service quotas and resource operations.

This role includes the `mdb.maintenanceTask.viewer`, `managed-clickhouse.maintenanceTask.editor`, `managed-greenplum.maintenanceTask.editor`, `managed-kafka.maintenanceTask.editor`, `managed-mongodb.maintenanceTask.editor`, `managed-mysql.maintenanceTask.editor`, `managed-opensearch.maintenanceTask.editor`, `managed-postgresql.maintenanceTask.editor`, `managed-redis.maintenanceTask.editor`, and `managed-spqr.maintenanceTask.editor` permissions.


## Yandex Managed Service for Apache Airflow™ {#managed-airflow-roles}

#### managed-airflow.auditor {#managed-airflow-auditor}

The `managed-airflow.auditor` role enables viewing info on [Apache Airflow™ clusters](../managed-airflow/concepts/index.md#cluster), [access permissions](concepts/access-control/index.md) granted for them, and on [quotas](../managed-airflow/concepts/limits.md#quotas) for Managed Service for Apache Airflow™.

#### managed-airflow.viewer {#managed-airflow-viewer}

The `managed-airflow.viewer` role enables viewing info on [Apache Airflow™ clusters](../managed-airflow/concepts/index.md#cluster), [access permissions](concepts/access-control/index.md) granted for them, and their [maintenance](../managed-airflow/concepts/maintenance.md) tasks, as well as on [quotas](../managed-airflow/concepts/limits.md#quotas) for Managed Service for Apache Airflow™.

This role includes the `managed-airflow.auditor` and `managed-airflow.maintenanceTask.viewer` permissions.

#### managed-airflow.user {#managed-airflow-user}

The `managed-airflow.user` role enables performing basic operations on Apache Airflow™ clusters.

Users with this role can:
* View info on [Apache Airflow™ clusters](../managed-airflow/concepts/index.md#cluster) and [access permissions](concepts/access-control/index.md) granted for them.
* Use the Apache Airflow™ [web interface](../managed-airflow/operations/af-interfaces.md#web-gui).
* [Send requests](../managed-airflow/operations/af-interfaces.md#rest-api) to the Apache Airflow™ API.
* View info on [maintenance](../managed-airflow/concepts/maintenance.md) tasks for Apache Airflow™ clusters.
* View info on [quotas](../managed-airflow/concepts/limits.md#quotas) for Managed Service for Apache Airflow™.

This role includes the `managed-airflow.viewer` permissions.

#### managed-airflow.editor {#managed-airflow-editor}

The `managed-airflow.editor` role enables managing Apache Airflow™ clusters.

Users with this role can:
* View info on [Apache Airflow™ clusters](../managed-airflow/concepts/index.md#cluster), as well as create, modify, run, stop, and delete them.
* View info on [access permissions](concepts/access-control/index.md) granted for Apache Airflow™ clusters.
* View info on [maintenance](../managed-airflow/concepts/maintenance.md) tasks for Apache Airflow™ clusters and modify such tasks.
* Use the Apache Airflow™ [web interface](../managed-airflow/operations/af-interfaces.md#web-gui).
* [Send requests](../managed-airflow/operations/af-interfaces.md#rest-api) to the Apache Airflow™ API.
* View info on [quotas](../managed-airflow/concepts/limits.md#quotas) for Managed Service for Apache Airflow™.

This role includes the `managed-airflow.user` and `managed-airflow.maintenanceTask.editor` permissions.

To create Apache Airflow™ clusters, you also need the `vpc.user` role.

#### managed-airflow.admin {#managed-airflow-admin}

The `managed-airflow.admin` role enables managing Apache Airflow™ clusters and access to them.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) granted for [Apache Airflow™ clusters](../managed-airflow/concepts/index.md#cluster) and modify such permissions.
* View info on Apache Airflow™ clusters, as well as create, modify, run, stop, and delete them.
* View info on [maintenance](../managed-airflow/concepts/maintenance.md) tasks for Apache Airflow™ clusters and modify such tasks.
* Use the Apache Airflow™ [web interface](../managed-airflow/operations/af-interfaces.md#web-gui).
* [Send requests](../managed-airflow/operations/af-interfaces.md#rest-api) to the Apache Airflow™ API.
* View info on [quotas](../managed-airflow/concepts/limits.md#quotas) for Managed Service for Apache Airflow™.

This role includes the `managed-airflow.editor` permissions.

To create Apache Airflow™ clusters, you also need the `vpc.user` role.

#### managed-airflow.maintenanceTask.viewer {#managed-airflow-maintenanceTask-viewer}

The `managed-airflow.maintenanceTask.viewer` role enables viewing info on [Apache Airflow™ clusters](../managed-airflow/concepts/index.md#cluster), [access permissions](concepts/access-control/index.md) granted for them, and their [maintenance](../managed-airflow/concepts/maintenance.md) tasks, as well as on [quotas](../managed-airflow/concepts/limits.md#quotas) for Managed Service for Apache Airflow™.

This role includes the `managed-airflow.auditor` permissions.

#### managed-airflow.maintenanceTask.editor {#managed-airflow-maintenanceTask-editor}

The `managed-airflow.maintenanceTask.editor` role enables viewing info on [maintenance](../managed-airflow/concepts/maintenance.md) tasks for Apache Airflow™ clusters and modifying such tasks, as well as viewing info on [Apache Airflow™ clusters](../managed-airflow/concepts/index.md#cluster), [access permissions](concepts/access-control/index.md) granted for them, and on [quotas](../managed-airflow/concepts/limits.md#quotas) for Managed Service for Apache Airflow™.

This role includes the `managed-airflow.maintenanceTask.viewer` permissions.

#### managed-airflow.integrationProvider {#managed-airflow-integrationProvider}

The `managed-airflow.integrationProvider` role allows the Apache Airflow™ cluster to work with user resources required for its operation on behalf of the service account. You can assign this role to a service account linked to the Apache Airflow™ cluster.

{% cut "Service accounts with this role can:" %}

* Add entries to [log groups](../logging/concepts/log-group.md).
* View info on log groups.
* View info on log sinks.
* View info on granted [access permissions](concepts/access-control/index.md) for Cloud Logging resources.
* View info on log exports.
* View info on Monitoring [metrics](../monitoring/concepts/data-model.md#metric) and their [labels](../monitoring/concepts/data-model.md#label), as well as upload and download metrics.
* View the list of Monitoring [dashboards](../monitoring/concepts/visualization/dashboard.md) and [widgets](../monitoring/concepts/visualization/widget.md) and info on them, as well as create, modify, and delete them.
* View the Monitoring [notification](../monitoring/concepts/alerting/notification-channel.md) history.
* View the list of [buckets](../storage/concepts/bucket.md) and info on them, including their deployment region, [versioning](../storage/concepts/versioning.md), [encryption](../storage/concepts/encryption.md), [CORS](../storage/concepts/cors.md) configuration, [static website hosting](../storage/concepts/hosting.md) configuration, [HTTPS](../storage/concepts/bucket.md#bucket-https) configuration, [logging](../storage/concepts/server-logs.md) settings, granted access permissions, [public access](../storage/concepts/bucket.md#bucket-access), and default [storage class](../storage/concepts/storage-class.md#default-storage-class).
* View lists of [objects](../storage/concepts/object.md) in buckets and info on these objects, including object [lifecycle](../storage/concepts/lifecycles.md) configuration, granted access permissions for these objects, current [multipart uploads](../storage/concepts/multipart.md), object versions with their [metadata](../storage/concepts/object.md#metadata), and [object locks](../storage/concepts/object-lock.md) (both with a retention period and legal hold).
* View bucket, object, and object version [labels](../storage/concepts/tags.md), as well as Object Storage statistics.
* View info on [Yandex Lockbox secrets](../lockbox/concepts/secret.md#secret) and granted access permissions for them.
* View details on [Object Storage](../storage/concepts/limits.md#storage-quotas), [Monitoring](../monitoring/concepts/limits.md#monitoring-quotas), and [Yandex Lockbox](../lockbox/concepts/limits.md#quotas) quotas.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `logging.writer`, `monitoring.editor`, `storage.viewer`, and `lockbox.viewer` permissions.

The role does not provide access to Yandex Lockbox secret contents. To grant the Apache Airflow™ cluster access to Yandex Lockbox secret contents, additionally assign the `lockbox.payloadViewer` [role ](../lockbox/security/index.md#lockbox-payloadViewer)to the [service account](concepts/users/service-accounts.md) either for the relevant folder or for specific secrets.

For more information, see [Access management in Managed Service for Apache Airflow™](../managed-airflow/security/index.md).


## Yandex Managed Service for Apache Kafka® {#managed-kafka-roles}

#### managed-kafka.auditor {#managed-kafka-auditor}

The `managed-kafka.auditor` role enables viewing info on [Apache Kafka® clusters](../managed-kafka/concepts/index.md), [access permissions](concepts/access-control/index.md) granted for them, and on [quotas](../managed-kafka/concepts/limits.md#mkf-quotas) and resource operations for Managed Service for Apache Kafka®.

#### managed-kafka.viewer {#managed-kafka-viewer}

The `managed-kafka.viewer` role enables viewing info on Apache Kafka® clusters, their logs, as well as info on quotas and resource operations for Managed Service for Apache Kafka®.

Users with this role can:
* View info on [Apache Kafka® clusters](../managed-kafka/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../managed-kafka/concepts/maintenance.md) tasks for Apache Kafka® clusters.
* View Apache Kafka® cluster logs.
* View info on [quotas](../managed-kafka/concepts/limits.md#mkf-quotas) for Managed Service for Apache Kafka®.
* View info on resource operations for Managed Service for Apache Kafka®.

This role includes the `managed-kafka.auditor` and `managed-kafka.maintenanceTask.viewer` permissions.


#### managed-kafka.user {#managed-kafka-user}

The `managed-kafka.user` role enables using [Apache Kafka® clusters](../managed-kafka/concepts/index.md).

#### managed-kafka.editor {#managed-kafka-editor}

The `managed-kafka.editor` role enables managing Apache Kafka® clusters.

Users with this role can:
* View info on [Apache Kafka® clusters](../managed-kafka/concepts/index.md), as well as create, use, modify, delete, run, and stop them.
* View info on [access permissions](concepts/access-control/index.md) granted for Apache Kafka® clusters.
* Use [Kafka UI](../managed-kafka/concepts/kafka-ui.md) for Apache Kafka®.
* View info on [maintenance](../managed-kafka/concepts/maintenance.md) tasks for Apache Kafka® clusters and modify such tasks.
* View Apache Kafka® cluster logs.
* View info on [quotas](../managed-kafka/concepts/limits.md#mkf-quotas) for Managed Service for Apache Kafka®.
* View info on resource operations for Managed Service for Apache Kafka®.

This role includes the `managed-kafka.viewer`, `managed-kafka.user`, `managed-kafka.interfaceUser`, and `managed-kafka.maintenanceTask.editor` permissions.

To create Apache Kafka® clusters, you also need the `vpc.user` role.

#### managed-kafka.admin {#managed-kafka-admin}

The `managed-kafka.admin` role enables managing Apache Kafka® clusters and access to them.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) granted for [Apache Kafka® clusters](../managed-kafka/concepts/index.md) and modify such permissions.
* View info on Apache Kafka® clusters, as well as create, use, modify, delete, run, and stop them.
* Use [Kafka UI](../managed-kafka/concepts/kafka-ui.md) for Apache Kafka®.
* View info on [maintenance](../managed-kafka/concepts/maintenance.md) tasks for Apache Kafka® clusters and modify such tasks.
* View Apache Kafka® cluster logs.
* View info on [quotas](../managed-kafka/concepts/limits.md#mkf-quotas) for Managed Service for Apache Kafka®.
* View info on resource operations for Managed Service for Apache Kafka®.

This role includes the `managed-kafka.editor` permissions.

To create Apache Kafka® clusters, you also need the `vpc.user` role.

#### managed-kafka.maintenanceTask.viewer {#managed-kafka-maintenanceTask-viewer}

The `managed-kafka.maintenanceTask.viewer` role enables viewing info on [Apache Kafka® clusters](../managed-kafka/concepts/index.md), [access permissions](concepts/access-control/index.md) granted for them, their [maintenance](../managed-kafka/concepts/maintenance.md) tasks, and on [quotas](../managed-kafka/concepts/limits.md#mkf-quotas) and resource operations for Managed Service for Apache Kafka®.

This role includes the `managed-kafka.auditor` permissions.

#### managed-kafka.maintenanceTask.editor {#managed-kafka-maintenanceTask-editor}

The `managed-kafka.maintenanceTask.editor` role enables viewing info on [maintenance](../managed-kafka/concepts/maintenance.md) tasks for Apache Kafka® clusters and modifying such tasks, as well as viewing info on [Apache Kafka® clusters](../managed-kafka/concepts/index.md), [access permissions](concepts/access-control/index.md) granted for them, and on [quotas](../managed-kafka/concepts/limits.md#mkf-quotas) and resource operations for Managed Service for Apache Kafka®.

This role includes the `managed-kafka.maintenanceTask.viewer` permissions.

#### managed-kafka.interfaceUser {#managed-kafka-interface-user}

The `managed-kafka.interfaceUser` role enables using [Kafka UI for Apache Kafka®](../managed-kafka/concepts/kafka-ui.md).

For more information, see [Access management in Managed Service for Apache Kafka®](../managed-kafka/security/index.md).


## Yandex Managed Service for Apache Spark™ {#msp-roles}

#### managed-spark.auditor {#managed-spark-auditor}

The `managed-spark.auditor` role enables viewing info on [Apache Spark™ clusters](../managed-spark/concepts/index.md), [access permissions](concepts/access-control/index.md) granted for them, and on [quotas](../managed-spark/concepts/limits.md#quotas) for Managed Service for Apache Spark™.

#### managed-spark.viewer {#managed-spark-viewer}

The `managed-spark.viewer` role enables viewing info on Apache Spark™ clusters, jobs, and quotas for Managed Service for Apache Spark™.

Users with this role can:
* View info on [Apache Spark™ clusters](../managed-spark/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../managed-spark/concepts/maintenance.md) tasks for Apache Spark™ clusters.
* View info on [jobs](../managed-spark/operations/index.md#jobs).
* View info on [quotas](../managed-spark/concepts/limits.md#quotas) for Managed Service for Apache Spark™.

This role includes the `managed-spark.auditor` and `managed-spark.maintenanceTask.viewer` permissions.

#### managed-spark.user {#managed-spark-user}

The `managed-spark.user` role enables performing basic operations on Apache Spark™ clusters and jobs.

Users with this role can:
* Use the Apache Spark™ web interface.
* View info on [jobs](../managed-spark/operations/index.md#jobs), as well as create, run, and cancel them.
* View info on [Apache Spark™ clusters](../managed-spark/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../managed-spark/concepts/maintenance.md) tasks for Apache Spark™ clusters.
* View info on [quotas](../managed-spark/concepts/limits.md#quotas) for Managed Service for Apache Spark™.

This role includes the `managed-spark.viewer` permissions.

#### managed-spark.editor {#managed-spark-editor}

The `managed-spark.editor` role enables managing Apache Spark™ clusters and jobs.

Users with this role can:
* View info on [Apache Spark™ clusters](../managed-spark/concepts/index.md), as well as create, modify, run, stop, and delete them.
* View info on [access permissions](concepts/access-control/index.md) granted for Apache Spark™ clusters.
* View info on [maintenance](../managed-spark/concepts/maintenance.md) tasks for Apache Spark™ clusters and modify such tasks.
* Use the Apache Spark™ web interface.
* View info on [jobs](../managed-spark/operations/index.md#jobs), as well as create, run, and cancel them.
* View info on [quotas](../managed-spark/concepts/limits.md#quotas) for Managed Service for Apache Spark™.

This role includes the `managed-spark.user` and `managed-spark.maintenanceTask.editor` permissions.

To create Apache Spark™ clusters, you also need the `vpc.user` role.

#### managed-spark.admin {#managed-spark-admin}

The `managed-spark.admin` role enables managing Apache Spark™ clusters and access to them.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) granted for [Apache Spark™ clusters](../managed-spark/concepts/index.md) and modify such permissions.
* View info on Apache Spark™ clusters, as well as create, modify, run, stop, and delete them.
* View info on [maintenance](../managed-spark/concepts/maintenance.md) tasks for Apache Spark™ clusters and modify such tasks.
* Use the Apache Spark™ web interface.
* View info on [jobs](../managed-spark/operations/index.md#jobs), as well as create, run, and cancel them.
* View info on [quotas](../managed-spark/concepts/limits.md#quotas) for Managed Service for Apache Spark™.

This role includes the `managed-spark.editor` permissions.

To create Apache Spark™ clusters, you also need the `vpc.user` role.

#### managed-spark.maintenanceTask.viewer {#managed-spark-maintenanceTask-viewer}

The `managed-spark.maintenanceTask.viewer` role enables viewing info on [Apache Spark™ clusters](../managed-spark/concepts/index.md), [access permissions](concepts/access-control/index.md) granted for them, their [maintenance tasks](../managed-spark/concepts/maintenance.md), and on [quotas](../managed-spark/concepts/limits.md#quotas) for Managed Service for Apache Spark™.

This role includes the `managed-spark.auditor` permissions.

#### managed-spark.maintenanceTask.editor {#managed-spark-maintenanceTask-editor}

The `managed-spark.maintenanceTask.editor` role enables viewing info on [maintenance](../managed-spark/concepts/maintenance.md) tasks for Apache Spark™ clusters and modifying such tasks, as well as viewing info on [Apache Spark™ clusters](../managed-spark/concepts/index.md), [access permissions](concepts/access-control/index.md) granted for them, and on [quotas](../managed-spark/concepts/limits.md#quotas) for Managed Service for Apache Spark™.

This role includes the `managed-spark.maintenanceTask.viewer` permissions.

#### managed-spark.integrationProvider {#managed-spark-integrationProvider}

The `managed-spark.integrationProvider` role enables an Apache Spark™ cluster to work with user resources required for its operation on behalf of a service account. You need to assign this role to a service account linked to an Apache Spark™ cluster.

Users with this role can:
* Add entries to [log groups](../logging/concepts/log-group.md).
* View info on log groups.
* View info on log sinks.
* View info on granted [access permissions](concepts/access-control/index.md) for Cloud Logging resources.
* View info on log exports.
* View info on [metrics](../monitoring/concepts/data-model.md#metric) and their [labels](../monitoring/concepts/data-model.md#label), as well as upload and download metrics.
* View lists of [dashboards](../monitoring/concepts/visualization/dashboard.md) and [widgets](../monitoring/concepts/visualization/widget.md) and info on them, as well as create, modify, and delete them.
* View [notification](../monitoring/concepts/alerting/notification-channel.md) history.
* View details on [Monitoring quotas](../monitoring/concepts/limits.md#monitoring-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `logging.writer` and `monitoring.editor` permissions.

For more information, see [Managing access to Yandex Managed Service for Apache Spark™](../managed-spark/security.md).


## Yandex Managed Service for ClickHouse® {#managed-clickhouse-roles}

#### managed-clickhouse.auditor {#managed-clickhouse-auditor}

The `managed-clickhouse.auditor` role enables viewing info on [ClickHouse® clusters](../managed-clickhouse/concepts/index.md), [access permissions](concepts/access-control/index.md) granted for them, and on [quotas](../managed-clickhouse/concepts/limits.md#mch-quotas) and resource operations for Managed Service for ClickHouse®.

#### managed-clickhouse.viewer {#managed-clickhouse-viewer}

The `managed-clickhouse.viewer` role enables viewing info on ClickHouse® clusters, their logs, and on quotas and resource operations for Managed Service for ClickHouse®.

Users with this role can:
* View info on [ClickHouse® clusters](../managed-clickhouse/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../managed-clickhouse/concepts/maintenance.md) tasks for ClickHouse® clusters.
* View ClickHouse® cluster logs.
* View info on the results of ClickHouse® cluster performance diagnostics.
* View info on [quotas](../managed-clickhouse/concepts/limits.md#mch-quotas) for Managed Service for ClickHouse®.
* View info on resource operations for Managed Service for ClickHouse®.

This role includes the `managed-clickhouse.auditor` and `managed-clickhouse.maintenanceTask.viewer` permissions.

#### managed-clickhouse.restorer {#managed-clickhouse-restorer}

The `managed-clickhouse.restorer` role enables restoring ClickHouse® clusters from backups and viewing info on such clusters, their logs, and details on quotas and resource operations for Managed Service for ClickHouse®.

Users with this role can:
* Restore [ClickHouse® clusters](../managed-clickhouse/concepts/index.md) from backups.
* View info on ClickHouse® clusters and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../managed-clickhouse/concepts/maintenance.md) tasks for ClickHouse® clusters.
* View ClickHouse® cluster logs.
* View info on the results of ClickHouse® cluster performance diagnostics.
* View info on [quotas](../managed-clickhouse/concepts/limits.md#mch-quotas) for Managed Service for ClickHouse®.
* View info on resource operations for Managed Service for ClickHouse®.

This role includes the `managed-clickhouse.viewer` permissions.

#### managed-clickhouse.user {#managed-clickhouse-user}

The `managed-clickhouse.user` role enables using [ClickHouse® clusters](../managed-clickhouse/concepts/index.md).

#### managed-clickhouse.editor {#managed-clickhouse-editor}

The `managed-clickhouse.editor` role enables managing ClickHouse® clusters.

Users with this role can:
* View info on [ClickHouse® clusters](../managed-clickhouse/concepts/index.md), as well as create, use, modify, delete, run, and stop them.
* View info on [access permissions](concepts/access-control/index.md) granted for ClickHouse® clusters.
* View info on [maintenance](../managed-clickhouse/concepts/maintenance.md) tasks for ClickHouse® clusters and modify such tasks.
* Restore ClickHouse® clusters from backups.
* View ClickHouse® cluster logs.
* View info on the results of ClickHouse® cluster performance diagnostics.
* View info on [quotas](../managed-clickhouse/concepts/limits.md#mch-quotas) for Managed Service for ClickHouse®.
* View info on resource operations for Managed Service for ClickHouse®.

This role includes the `managed-clickhouse.viewer`, `managed-clickhouse.user`, `managed-clickhouse.restorer`, and `managed-clickhouse.maintenanceTask.editor` permissions.

To create ClickHouse® clusters, you also need the `vpc.user` role.

#### managed-clickhouse.admin {#managed-clickhouse-admin}

The `managed-clickhouse.admin` role enables managing ClickHouse® clusters and access to them.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) granted for [ClickHouse® clusters](../managed-clickhouse/concepts/index.md) and modify such permissions.
* View info on ClickHouse® clusters, as well as create, use, modify, delete, run, and stop them.
* View info on [maintenance](../managed-clickhouse/concepts/maintenance.md) tasks for ClickHouse® clusters and modify such tasks.
* Restore ClickHouse® clusters from backups.
* View ClickHouse® cluster logs.
* View info on the results of ClickHouse® cluster performance diagnostics.
* View info on [quotas](../managed-clickhouse/concepts/limits.md#mch-quotas) for Managed Service for ClickHouse®.
* View info on resource operations for Managed Service for ClickHouse®.

This role includes the `managed-clickhouse.editor` permissions.

To create ClickHouse® clusters, you also need the `vpc.user` role.

#### managed-clickhouse.maintenanceTask.viewer {#managed-clickhouse-maintenanceTask-viewer}

The `managed-clickhouse.maintenanceTask.viewer` role enables viewing info on [ClickHouse® clusters](../managed-clickhouse/concepts/index.md), their [maintenance tasks](../managed-clickhouse/concepts/maintenance.md), [access permissions](concepts/access-control/index.md) granted for them, and on [quotas](../managed-clickhouse/concepts/limits.md#mch-quotas) and resource operations for Managed Service for ClickHouse®.

This role includes the `managed-clickhouse.auditor` permissions.

#### managed-clickhouse.maintenanceTask.editor {#managed-clickhouse-maintenanceTask-editor}

The `managed-clickhouse.maintenanceTask.editor` role enables viewing info on [maintenance](../managed-clickhouse/concepts/maintenance.md) tasks for ClickHouse® clusters and modifying such tasks, as well as viewing info on [ClickHouse® clusters](../managed-clickhouse/concepts/index.md), [access permissions](concepts/access-control/index.md) granted for them, and on [quotas](../managed-clickhouse/concepts/limits.md#mch-quotas) and resource operations for Managed Service for ClickHouse®.

This role includes the `managed-clickhouse.maintenanceTask.viewer` permissions.

For more information, see [Access management in Managed Service for ClickHouse®](../managed-clickhouse/security.md).


## Yandex Managed Service for GitLab {#managed-gitlab-roles}

#### gitlab.auditor {#gitlab-auditor}

The `gitlab.auditor` role enables viewing info on the Managed Service for GitLab [instances](../managed-gitlab/concepts/index.md#instance) and [quotas](../managed-gitlab/concepts/limits.md#quotas).

#### gitlab.viewer {#gitlab-viewer}

The `gitlab.viewer` role enables viewing info on the Managed Service for GitLab [instances](../managed-gitlab/concepts/index.md#instance) and [quotas](../managed-gitlab/concepts/limits.md#quotas).

This role includes the `gitlab.auditor` permissions.

#### gitlab.editor {#gitlab-editor}

The `gitlab.editor` role enables managing the Managed Service for GitLab instances and migrating them to other availability zones.

Users with this role can:
* View info on the Managed Service for GitLab [instances](../managed-gitlab/concepts/index.md#instance), as well as create, modify, and delete such instances.
* Migrate instances to another [availability zones](../overview/concepts/geo-scope.md).
* View info on the [quotas](../managed-gitlab/concepts/limits.md#quotas) for Managed Service for GitLab.

This role includes the `gitlab.viewer` permissions.

To create Managed Service for GitLab instances, you also need the `vpc.user` role.

#### gitlab.admin {#gitlab-admin}

The `gitlab.admin` role enables managing the Managed Service for GitLab instances and migrating them to other availability zones.

Users with this role can:
* View info on the Managed Service for GitLab [instances](../managed-gitlab/concepts/index.md#instance), as well as create, modify, and delete such instances.
* Migrate instances to another [availability zones](../overview/concepts/geo-scope.md).
* View info on the [quotas](../managed-gitlab/concepts/limits.md#quotas) for Managed Service for GitLab.

This role includes the `gitlab.editor` permissions.

To create Managed Service for GitLab instances, you also need the `vpc.user` role.

For more information, see [Access management in Managed Service for GitLab](../managed-gitlab/security/index.md).


## Yandex MPP Analytics for PostgreSQL {#managed-greenplum-roles}

#### managed-greenplum.clusters.connector {#managed-greenplum-clusters-connector}

The `managed-greenplum.clusters.connector` role enables Yandex Cloud [users](concepts/users/accounts.md) to connect to databases in [Yandex MPP Analytics for PostgreSQL clusters](../managed-mysql/concepts/index.md) within Yandex MPP Analytics for PostgreSQL via [Yandex Identity and Access Management](index.md).

#### managed-greenplum.auditor {#managed-greenplum-auditor}

The `managed-greenplum.auditor` role enables viewing info on [Yandex MPP Analytics for PostgreSQL clusters](../managed-greenplum/concepts/index.md), [access permissions](concepts/access-control/index.md) granted for them, [hosts](../managed-greenplum/concepts/instance-types.md) and cluster [backups](../managed-greenplum/concepts/backup.md), and on [quotas](../managed-greenplum/concepts/limits.md#quotas) and resource operations for Yandex MPP Analytics for PostgreSQL.

#### managed-greenplum.viewer {#managed-greenplum-viewer}

The `managed-greenplum.viewer` role enables viewing info on Yandex MPP Analytics for PostgreSQL clusters and their hosts within Yandex MPP Analytics for PostgreSQL, as well as viewing cluster logs and info on quotas and service resource operations.

Users with this role can:
* View info on [Yandex MPP Analytics for PostgreSQL clusters](../managed-greenplum/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../managed-greenplum/concepts/maintenance.md) tasks for Yandex MPP Analytics for PostgreSQL clusters.
* View info on Yandex MPP Analytics for PostgreSQL cluster [hosts](../managed-greenplum/concepts/instance-types.md).
* View info on Yandex MPP Analytics for PostgreSQL cluster [backups](../managed-greenplum/concepts/backup.md).
* View Yandex MPP Analytics for PostgreSQL cluster logs.
* View info on the results of Yandex MPP Analytics for PostgreSQL cluster performance diagnostics.
* View info on [quotas](../managed-greenplum/concepts/limits.md#quotas) for Yandex MPP Analytics for PostgreSQL.
* View info on resource operations for Yandex MPP Analytics for PostgreSQL.

This role includes the `managed-greenplum.auditor` and `managed-greenplum.maintenanceTask.viewer` permissions.

#### managed-greenplum.restorer {#managed-greenplum-restorer}

The `managed-greenplum.restorer` role enables restoring Yandex MPP Analytics for PostgreSQL clusters from backups within Yandex MPP Analytics for PostgreSQL, viewing info on Yandex MPP Analytics for PostgreSQL clusters and hosts, their logs, as well as info on quotas and service resource operations.

Users with this role can:
* View info on [Yandex MPP Analytics for PostgreSQL cluster](../managed-greenplum/concepts/index.md) backups and restore clusters from [backups](../managed-greenplum/concepts/backup.md).
* View info on Yandex MPP Analytics for PostgreSQL clusters and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../managed-greenplum/concepts/maintenance.md) tasks for Yandex MPP Analytics for PostgreSQL clusters.
* View info on Yandex MPP Analytics for PostgreSQL cluster [hosts](../managed-greenplum/concepts/instance-types.md).
* View Yandex MPP Analytics for PostgreSQL cluster logs.
* View info on the results of Yandex MPP Analytics for PostgreSQL cluster performance diagnostics.
* View info on [quotas](../managed-greenplum/concepts/limits.md#quotas) for Yandex MPP Analytics for PostgreSQL.
* View info on resource operations for Yandex MPP Analytics for PostgreSQL.

This role includes the `managed-greenplum.viewer` permissions.

#### managed-greenplum.user {#managed-greenplum-user}

The `managed-greenplum.user` role enables using [Yandex MPP Analytics for PostgreSQL clusters](../managed-greenplum/concepts/index.md).

#### managed-greenplum.editor {#managed-greenplum-editor}

The `managed-greenplum.editor` role enables managing Yandex MPP Analytics for PostgreSQL clusters in Yandex MPP Analytics for PostgreSQL.

Users with this role can:
* View info on [Yandex MPP Analytics for PostgreSQL clusters](../managed-greenplum/concepts/index.md), as well as create, use, modify, delete, run, and stop them.
* View info on [access permissions](concepts/access-control/index.md) granted for Yandex MPP Analytics for PostgreSQL clusters.
* View info on [maintenance](../managed-greenplum/concepts/maintenance.md) tasks for Yandex MPP Analytics for PostgreSQL clusters and modify such tasks.
* View info on Yandex MPP Analytics for PostgreSQL cluster [hosts](../managed-greenplum/concepts/instance-types.md), as well as create, modify, and delete them.
* View info on Yandex MPP Analytics for PostgreSQL cluster [backups](../managed-greenplum/concepts/backup.md), create and delete such backups, as well as restore clusters from backups.
* View Yandex MPP Analytics for PostgreSQL cluster logs.
* View info on the results of Yandex MPP Analytics for PostgreSQL cluster performance diagnostics.
* View info on [quotas](../managed-greenplum/concepts/limits.md#quotas) for Yandex MPP Analytics for PostgreSQL.
* View info on resource operations for Yandex MPP Analytics for PostgreSQL.

This role includes the `managed-greenplum.viewer`, `managed-greenplum.user`, `managed-greenplum.restorer`, and `managed-greenplum.maintenanceTask.editor` permissions.

To create Yandex MPP Analytics for PostgreSQL clusters within Yandex MPP Analytics for PostgreSQL, you also need the `vpc.user` role.

#### managed-greenplum.admin {#managed-greenplum-admin}

The `managed-greenplum.admin` role enables managing Yandex MPP Analytics for PostgreSQL clusters and access to them in Yandex MPP Analytics for PostgreSQL.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) granted for [Yandex MPP Analytics for PostgreSQL clusters](../managed-greenplum/concepts/index.md) and modify such permissions.
* View info on Yandex MPP Analytics for PostgreSQL clusters, as well as create, use, modify, delete, run, and stop them.
* View info on [maintenance](../managed-greenplum/concepts/maintenance.md) tasks for Yandex MPP Analytics for PostgreSQL clusters and modify such tasks.
* View info on Yandex MPP Analytics for PostgreSQL cluster [hosts](../managed-greenplum/concepts/instance-types.md), as well as create, modify, and delete them.
* View info on Yandex MPP Analytics for PostgreSQL cluster [backups](../managed-greenplum/concepts/backup.md), create and delete such backups, as well as restore clusters from backups.
* View Yandex MPP Analytics for PostgreSQL cluster logs.
* View info on the results of Yandex MPP Analytics for PostgreSQL cluster performance diagnostics.
* View info on [quotas](../managed-greenplum/concepts/limits.md#quotas) for Yandex MPP Analytics for PostgreSQL.
* View info on resource operations for Yandex MPP Analytics for PostgreSQL.

This role includes the `managed-greenplum.editor` permissions.

To create Yandex MPP Analytics for PostgreSQL clusters within Yandex MPP Analytics for PostgreSQL, you also need the `vpc.user` role.

#### managed-greenplum.maintenanceTask.viewer {#managed-greenplum-maintenanceTask-viewer}

The `managed-greenplum.maintenanceTask.viewer` role enables viewing info on [Yandex MPP Analytics for PostgreSQL clusters](../managed-greenplum/concepts/index.md), their [maintenance](../managed-greenplum/concepts/maintenance.md) tasks, and [access permissions](concepts/access-control/index.md) granted for them, on [hosts](../managed-greenplum/concepts/instance-types.md) and cluster [backups](../managed-greenplum/concepts/backup.md), and on [quotas](../managed-greenplum/concepts/limits.md#quotas) and resource operations for Yandex MPP Analytics for PostgreSQL.

This role includes the `managed-greenplum.auditor` permissions.

#### managed-greenplum.maintenanceTask.editor {#managed-greenplum-maintenanceTask-editor}

The `managed-greenplum.maintenanceTask.editor` role enables viewing info on [maintenance](../managed-greenplum/concepts/maintenance.md) tasks for Yandex MPP Analytics for PostgreSQL clusters and modifying such tasks, as well as viewing info on [Yandex MPP Analytics for PostgreSQL clusters](../managed-greenplum/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them, on [hosts](../managed-greenplum/concepts/instance-types.md) and [cluster backups](../managed-greenplum/concepts/backup.md), and on [quotas](../managed-greenplum/concepts/limits.md#quotas) and resource operations for Yandex MPP Analytics for PostgreSQL.

This role includes the `managed-greenplum.maintenanceTask.viewer` permissions.

For more information, see [Access management in Yandex MPP Analytics for PostgreSQL](../managed-greenplum/security/index.md).


## Yandex Managed Service for Kubernetes {#managed-kubernetes-roles}

#### k8s.viewer {#k8s-viewer}

The `k8s.viewer` role enables viewing info about Kubernetes clusters and node groups.

Users with this role can:
* View the list of [Kubernetes clusters](../managed-kubernetes/concepts/index.md#kubernetes-cluster) as well as info on them, on settings defining their interaction with Cloud Marketplace, and on [access permissions](concepts/access-control/index.md) granted for them.
* View the list of Kubernetes clusters' [node groups](../managed-kubernetes/concepts/index.md#node-group) and info on such node groups.
* View info on Cloud Marketplace applications and access permissions granted for them.
* View resource usage stats and info on the [quotas](../managed-kubernetes/concepts/limits.md#managed-k8s-quotas) for Managed Service for Kubernetes.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

#### k8s.editor {#k8s-editor}

The `k8s.editor` role enables managing Kubernetes clusters and node groups.

Users with this role can:
* View the list of [Kubernetes clusters](../managed-kubernetes/concepts/index.md#kubernetes-cluster) as well as info on them and on [access permissions](concepts/access-control/index.md) granted for them.
* Create, modify, start, stop and delete Kubernetes clusters.
* View the list of Kubernetes clusters' [node groups](../managed-kubernetes/concepts/index.md#node-group) and info on such node groups.
* Create, modify, and delete Kubernetes clusters' node groups.
* View and edit settings defining interaction between Kubernetes clusters and Cloud Marketplace.
* View info on Cloud Marketplace applications and access permissions granted for them, as well as install, update, and delete such applications.
* View resource usage stats and info on the [quotas](../managed-kubernetes/concepts/limits.md#managed-k8s-quotas) for Managed Service for Kubernetes.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `k8s.viewer` permissions.

#### k8s.admin {#k8s-admin}

The `k8s.admin` role enables managing Kubernetes clusters and node groups as well as access to Kubernetes clusters.

Users with this role can:
* View the list of [Kubernetes clusters](../managed-kubernetes/concepts/index.md#kubernetes-cluster) and info on them, as well as create, modify, start, stop, and delete Kubernetes clusters.
* View info on [access permissions](concepts/access-control/index.md) granted for Kubernetes clusters and modify such permissions.
* View the list of Kubernetes clusters' [node groups](../managed-kubernetes/concepts/index.md#node-group) and info on such node groups, as well as create, modify, and delete Kubernetes clusters' node groups.
* View and edit settings defining interaction between Kubernetes clusters and Cloud Marketplace.
* View info on Cloud Marketplace applications, as well as install, update, and delete such applications.
* View info on access permissions granted for Cloud Marketplace applications and modify such permissions.
* View resource usage stats and info on the [quotas](../managed-kubernetes/concepts/limits.md#managed-k8s-quotas) for Managed Service for Kubernetes.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `k8s.editor` permissions.

#### k8s.cluster-api.viewer {#k8s-cluster-api-viewer}

Users with the `k8s.cluster-api.viewer` role get the `yc:viewer` group and the `view` role in Kubernetes RBAC for all namespaces in a cluster.

#### k8s.cluster-api.editor {#k8s-cluster-api-editor}

Users with the `k8s.cluster-api.editor` role get the `yc:editor` group and the `edit` role in Kubernetes RBAC for all namespaces in a cluster.

#### k8s.cluster-api.admin {#k8s-cluster-api-admin}

Users with the `k8s.cluster-api.admin` role get the `yc:k8s-core-admin` group and the `admin` role in Kubernetes RBAC.

#### k8s.cluster-api.cluster-admin {#k8s-cluster-api-cluster-admin}

Users with the `k8s.cluster-api.cluster-admin` role get the `yc:admin` group and the `cluster-admin` role in Kubernetes RBAC.

#### k8s.tunnelClusters.agent {#k8s-tunnelclusters-agent}

`k8s.tunnelClusters.agent` is a special role for creating [Kubernetes clusters](../managed-kubernetes/concepts/index.md#kubernetes-cluster) with tunnel mode. It enables you to create [node groups](../managed-kubernetes/concepts/index.md#node-group), disks, and internal load balancers. You can use previously created Yandex Key Management Service [keys](../kms/concepts/key.md) to encrypt and decrypt secrets.

This role includes the `compute.admin`, `iam.serviceAccounts.user`, `k8s.viewer`, `kms.keys.encrypterDecrypter`, and `load-balancer.privateAdmin` permissions.

#### k8s.clusters.agent {#k8s-clusters-agent}

`k8s.clusters.agent` is a special role for the [Kubernetes cluster](../managed-kubernetes/concepts/index.md#kubernetes-cluster) service account. It enables you to create [node groups](../managed-kubernetes/concepts/index.md#node-group), disks, and internal load balancers. You can use previously created Yandex Key Management Service [keys](../kms/concepts/key.md) to encrypt and decrypt secrets and connect previously created [security groups](../vpc/concepts/security-groups.md). When combined with the `load-balancer.admin` [role](../network-load-balancer/security/index.md#load-balancer-admin), it enables you to create a [network load balancer](../network-load-balancer/concepts/index.md) with a public IP address.

This role includes the `k8s.tunnelClusters.agent` and `vpc.privateAdmin` permissions.

For more information, see [Access management in Managed Service for Kubernetes](../managed-kubernetes/security/index.md).


## Yandex Managed Service for MySQL® {#managed-mysql-roles}

#### managed-mysql.clusters.connector {#managed-mysql-clusters-connector}

The `managed-mysql.clusters.connector` role enables Yandex Cloud [users](concepts/users/accounts.md) to connect to databases in [MySQL® clusters](../managed-mysql/concepts/index.md) via [Yandex Identity and Access Management](index.md).

#### managed-mysql.auditor {#managed-mysql-auditor}

The `managed-mysql.auditor` role enables viewing info on [MySQL® clusters](../managed-mysql/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them, on [hosts](../managed-mysql/concepts/instance-types.md) and cluster [backups](../managed-mysql/concepts/backup.md), and on [quotas](../managed-mysql/concepts/limits.md#mmy-quotas) and resource operations for Managed Service for MySQL®.

#### managed-mysql.viewer {#managed-mysql-viewer}

The `managed-mysql.viewer` role enables viewing info on MySQL® clusters, hosts, databases, users, cluster logs, quotas, and resource operations.

Users with this role can:
* View info on [MySQL® clusters](../managed-mysql/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../managed-mysql/concepts/maintenance.md) tasks for MySQL® clusters.
* View info on MySQL® cluster [hosts](../managed-mysql/concepts/instance-types.md).
* View info on MySQL® databases.
* View info on MySQL® [users](../managed-mysql/concepts/user-rights.md).
* View info on MySQL® cluster [backups](../managed-mysql/concepts/backup.md).
* View info on MySQL® alerts.
* View MySQL® cluster logs.
* View info on the results of MySQL® cluster performance diagnostics.
* View info on [quotas](../managed-mysql/concepts/limits.md#mmy-quotas) for Managed Service for MySQL®.
* View info on resource operations for Managed Service for MySQL®.

This role includes the `managed-mysql.auditor` and `managed-mysql.maintenanceTask.viewer` permissions.

#### managed-mysql.restorer {#managed-mysql-restorer}

The `managed-mysql.restorer` role enables restoring MySQL® clusters from backups and viewing info on MySQL® clusters, hosts, databases, and users, viewing cluster logs, as well as viewing info on quotas and resource operations.

Users with this role can:
* View info on MySQL® [cluster](../managed-mysql/concepts/index.md) backups and restore clusters from [backups](../managed-mysql/concepts/backup.md).
* View info on MySQL® clusters and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../managed-mysql/concepts/maintenance.md) tasks for MySQL® clusters.
* View info on MySQL® cluster [hosts](../managed-mysql/concepts/instance-types.md).
* View info on MySQL® databases.
* View info on MySQL® [users](../managed-mysql/concepts/user-rights.md).
* View info on MySQL® alerts.
* View MySQL® cluster logs.
* View info on the results of MySQL® cluster performance diagnostics.
* View info on [quotas](../managed-mysql/concepts/limits.md#mmy-quotas) for Managed Service for MySQL®.
* View info on resource operations for Managed Service for MySQL®.

This role includes the `managed-mysql.viewer` permissions.

#### managed-mysql.user {#managed-mysql-user}

The `managed-mysql.user` role enables using [MySQL® clusters](../managed-mysql/concepts/index.md).

#### managed-mysql.switcher {#managed-mysql-switcher}

The `managed-mysql.switcher` role enables re-assigning the master host in MySQL® clusters, viewing info on MySQL® clusters, hosts, databases, and users, as well as viewing cluster logs, quotas, and resource operations.

Users with this role can:
* Re-assign the master host in [MySQL® clusters](../managed-mysql/concepts/index.md).
* View info on MySQL® clusters and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../managed-mysql/concepts/maintenance.md) tasks for MySQL® clusters.
* View info on MySQL® cluster [hosts](../managed-mysql/concepts/instance-types.md).
* View info on MySQL® databases.
* View info on MySQL® [users](../managed-mysql/concepts/user-rights.md).
* View info on MySQL® cluster [backups](../managed-mysql/concepts/backup.md).
* View info on MySQL® alerts.
* View MySQL® cluster logs.
* View info on the results of MySQL® cluster performance diagnostics.
* View info on [quotas](../managed-mysql/concepts/limits.md#mmy-quotas) for Managed Service for MySQL®.
* View info on resource operations for Managed Service for MySQL®.

This role includes the `managed-mysql.viewer` permissions.

#### managed-mysql.editor {#managed-mysql-editor}

The `managed-mysql.editor` role enables managing MySQL® clusters.

Users with this role can:
* View info on MySQL® [clusters](../managed-mysql/concepts/index.md), as well as create, use, modify, delete, run, and stop them.
* View info on [access permissions](concepts/access-control/index.md) granted for MySQL® clusters.
* View info on [maintenance](../managed-mysql/concepts/maintenance.md) tasks for MySQL® clusters and modify such tasks.
* View info on MySQL® cluster [hosts](../managed-mysql/concepts/instance-types.md), as well as create, modify, and delete them.
* Re-assign the master host in MySQL® clusters.
* View info on MySQL® databases, as well as create, modify, and delete them.
* View info on MySQL® [users](../managed-mysql/concepts/user-rights.md), as well as create, modify, and delete them.
* View info on MySQL® cluster [backups](../managed-mysql/concepts/backup.md), create and delete such backups, as well as restore clusters from backups.
* View info on MySQL® alerts, as well as create, modify, and delete them.
* View MySQL® cluster logs.
* View info on the results of MySQL® cluster performance diagnostics.
* View info on [quotas](../managed-mysql/concepts/limits.md#mmy-quotas) for Managed Service for MySQL®.
* View info on resource operations for Managed Service for MySQL®.

This role includes the `managed-mysql.viewer`, `managed-mysql.restorer`, `managed-mysql.user`, `managed-mysql.switcher`, and `managed-mysql.maintenanceTask.editor` permissions.

To create MySQL® clusters, you also need the `vpc.user` role.

#### managed-mysql.admin {#managed-mysql-admin}

The `managed-mysql.admin` role enables managing MySQL® clusters and access to them.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) granted for [MySQL® clusters](../managed-mysql/concepts/index.md) and modify such permissions.
* View info on MySQL® clusters, as well as create, use, modify, delete, run, and stop them.
* View info on [maintenance](../managed-mysql/concepts/maintenance.md) tasks for MySQL® clusters and modify such tasks.
* View info on MySQL® cluster [hosts](../managed-mysql/concepts/instance-types.md), as well as create, modify, and delete them.
* Re-assign the master host in MySQL® clusters.
* View info on MySQL® databases, as well as create, modify, and delete them.
* View info on MySQL® [users](../managed-mysql/concepts/user-rights.md), as well as create, modify, and delete them.
* View info on MySQL® cluster [backups](../managed-mysql/concepts/backup.md), create and delete such backups, as well as restore clusters from backups.
* View info on MySQL® alerts, as well as create, modify, and delete them.
* View MySQL® cluster logs.
* View info on the results of MySQL® cluster performance diagnostics.
* View info on [quotas](../managed-mysql/concepts/limits.md#mmy-quotas) for Managed Service for MySQL®.
* View info on resource operations for Managed Service for MySQL®.

This role includes the `managed-mysql.editor` permissions.

To create MySQL® clusters, you also need the `vpc.user` role.

#### managed-mysql.maintenanceTask.viewer {#managed-mysql-maintenanceTask-viewer}

The `managed-mysql.maintenanceTask.viewer` role enables viewing info on [MySQL® clusters](../managed-mysql/concepts/index.md), their [maintenance](../managed-mysql/concepts/maintenance.md) tasks, and [access permissions](concepts/access-control/index.md) granted for them, on [hosts](../managed-mysql/concepts/instance-types.md) and cluster [backups](../managed-mysql/concepts/backup.md), and on [quotas](../managed-mysql/concepts/limits.md#mmy-quotas) and resource operations for Yandex Managed Service for MySQL®.

This role includes the `managed-mysql.auditor` permissions.

#### managed-mysql.maintenanceTask.editor {#managed-mysql-maintenanceTask-editor}

The `managed-mysql.maintenanceTask.editor` role enables viewing info on [maintenance](../managed-mysql/concepts/maintenance.md) tasks for MySQL® clusters and modifying such tasks, as well as viewing info on [MySQL® clusters](../managed-mysql/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them, on [hosts](../managed-mysql/concepts/instance-types.md) and cluster [backups](../managed-mysql/concepts/backup.md), and on [quotas](../managed-mysql/concepts/limits.md#mmy-quotas) and resource operations for Yandex Managed Service for MySQL®.

This role includes the `managed-mysql.maintenanceTask.viewer` permissions.

For more information, see [Access management in Managed Service for MySQL®](../managed-mysql/security/index.md).


## Yandex Managed Service for OpenSearch {#opensearch-roles}

#### managed-opensearch.auditor {#managed-opensearch-auditor}

The `managed-opensearch.auditor` role enables viewing info on [OpenSearch clusters](../managed-opensearch/concepts/index.md), [access permissions](concepts/access-control/index.md) granted for them, and on [quotas](../managed-opensearch/concepts/limits.md#quotas) and resource operations for Managed Service for OpenSearch.

#### managed-opensearch.viewer {#managed-opensearch-viewer}

The `managed-opensearch.viewer` role enables viewing info on OpenSearch clusters, their logs, and info on quotas and resource operations for Managed Service for OpenSearch.

Users with this role can:
* View info on [OpenSearch clusters](../managed-opensearch/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../managed-opensearch/concepts/maintenance.md) tasks for OpenSearch clusters.
* View OpenSearch cluster logs.
* View info on [quotas](../managed-opensearch/concepts/limits.md#quotas) for Managed Service for OpenSearch.
* View info on resource operations for Managed Service for OpenSearch.

This role includes the `managed-opensearch.auditor` and `managed-opensearch.maintenanceTask.viewer` permissions.

#### managed-opensearch.restorer {#managed-opensearch-restorer}

The `managed-opensearch.restorer` role enables restoring OpenSearch clusters from backups and viewing info on OpenSearch clusters, their logs, as well as info on quotas and resource operations for Managed Service for OpenSearch.

Users with this role can:
* View info on [OpenSearch clusters](../managed-opensearch/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them.
* Restore OpenSearch clusters from backups.
* View info on [maintenance](../managed-opensearch/concepts/maintenance.md) tasks for OpenSearch clusters.
* View OpenSearch cluster logs.
* View info on [quotas](../managed-opensearch/concepts/limits.md#quotas) for Managed Service for OpenSearch.
* View info on resource operations for Managed Service for OpenSearch.

This role includes the `managed-opensearch.viewer` permissions.

#### managed-opensearch.user {#managed-opensearch-user}

The `managed-opensearch.user` role enables using [OpenSearch clusters](../managed-opensearch/concepts/index.md).

#### managed-opensearch.editor {#managed-opensearch-editor}

The `managed-opensearch.editor` role enables managing OpenSearch clusters.

Users with this role can:
* View info on [OpenSearch clusters](../managed-opensearch/concepts/index.md), as well as create, use, modify, delete, run, and stop them.
* View info on [access permissions](concepts/access-control/index.md) granted for OpenSearch clusters.
* Restore OpenSearch clusters from backups.
* View info on [maintenance](../managed-opensearch/concepts/maintenance.md) tasks for OpenSearch clusters and modify such tasks.
* View OpenSearch cluster logs.
* View info on [quotas](../managed-opensearch/concepts/limits.md#quotas) for Managed Service for OpenSearch.
* View info on resource operations for Managed Service for OpenSearch.

This role includes the `managed-opensearch.viewer`, `managed-opensearch.user`, `managed-opensearch.restorer`, and `managed-opensearch.maintenanceTask.editor` permissions.

To create OpenSearch clusters, you also need the `vpc.user` role.

#### managed-opensearch.admin {#managed-opensearch-admin}

The `managed-opensearch.admin` role enables managing OpenSearch clusters and access to them.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) granted for [OpenSearch clusters](../managed-opensearch/concepts/index.md) and modify such permissions.
* View info on OpenSearch clusters, as well as create, use, modify, delete, run, and stop them.
* Restore OpenSearch clusters from backups.
* View info on [maintenance](../managed-opensearch/concepts/maintenance.md) tasks for OpenSearch clusters and modify such tasks.
* View OpenSearch cluster logs.
* View info on [quotas](../managed-opensearch/concepts/limits.md#quotas) for Managed Service for OpenSearch.
* View info on resource operations for Managed Service for OpenSearch.

This role includes the `managed-opensearch.editor` permissions.

To create OpenSearch clusters, you also need the `vpc.user` role.

#### managed-opensearch.maintenanceTask.viewer {#managed-opensearch-maintenanceTask-viewer}

The `managed-opensearch.maintenanceTask.viewer` role enables viewing info on [OpenSearch clusters](../managed-opensearch/concepts/index.md), [access permissions](concepts/access-control/index.md) granted for them, their [maintenance](../managed-opensearch/concepts/maintenance.md) tasks, and on [quotas](../managed-opensearch/concepts/limits.md#quotas) and resource operations for Managed Service for OpenSearch.

This role includes the `managed-opensearch.auditor` permissions.

#### managed-opensearch.maintenanceTask.editor {#managed-opensearch-maintenanceTask-editor}

The `managed-opensearch.maintenanceTask.editor` role enables viewing info on [maintenance](../managed-opensearch/concepts/maintenance.md) tasks for OpenSearch clusters and modifying such tasks, as well as viewing info on [OpenSearch clusters](../managed-opensearch/concepts/index.md), [access permissions](concepts/access-control/index.md) granted for them, and on [quotas](../managed-opensearch/concepts/limits.md#quotas) and resource operations for Managed Service for OpenSearch.

This role includes the `managed-opensearch.maintenanceTask.viewer` permissions.

For more information, see [Managing access to Managed Service for OpenSearch](../managed-opensearch/security/index.md).


## Yandex Managed Service for PostgreSQL {#mpg-roles}

#### managed-postgresql.clusters.connector {#managed-postgresql-clusters-connector}

The `managed-postgresql.clusters.connector` role enables Yandex Cloud [users](concepts/users/accounts.md) to connect to databases in [PostgreSQL clusters](../managed-mysql/concepts/index.md) via [Yandex Identity and Access Management](index.md).

#### managed-postgresql.auditor {#managed-postgresql-auditor}

The `managed-postgresql.auditor` role enables viewing info on [PostgreSQL clusters](../managed-postgresql/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them, on [hosts](../managed-postgresql/concepts/instance-types.md) and cluster [backups](../managed-postgresql/concepts/backup.md), and on [quotas](../managed-postgresql/concepts/limits.md#mpg-quotas) and resource operations for Managed Service for PostgreSQL.

#### managed-postgresql.viewer {#managed-postgresql-viewer}

The `managed-postgresql.viewer` role enables viewing info on PostgreSQL clusters, hosts, databases, users, and cluster logs, as well as on quotas and resource operations.

Users with this role can:
* View info on [PostgreSQL clusters](../managed-postgresql/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../managed-postgresql/concepts/maintenance.md) tasks for PostgreSQL clusters.
* View info on PostgreSQL cluster [hosts](../managed-postgresql/concepts/instance-types.md).
* View info on PostgreSQL databases.
* View info on PostgreSQL [users](../managed-postgresql/concepts/roles.md).
* View info on PostgreSQL cluster [backups](../managed-postgresql/concepts/backup.md).
* View info on PostgreSQL alerts.
* View PostgreSQL cluster logs.
* View info on the results of PostgreSQL cluster performance diagnostics.
* View info on [quotas](../managed-postgresql/concepts/limits.md#mpg-quotas) for Managed Service for PostgreSQL.
* View info on resource operations for Managed Service for PostgreSQL.

This role includes the `managed-postgresql.auditor` and `managed-postgresql.maintenanceTask.viewer` permissions.

#### managed-postgresql.restorer {#managed-postgresql-restorer}

The `managed-postgresql.restorer` role enables restoring PostgreSQL clusters from backups and viewing info on PostgreSQL clusters, hosts, databases, and users, viewing cluster logs, as well as viewing info on quotas and resource operations.

Users with this role can:
* View info on [PostgreSQL cluster](../managed-postgresql/concepts/index.md) backups and restore clusters from [backups](../managed-postgresql/concepts/backup.md).
* View info on PostgreSQL clusters and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../managed-postgresql/concepts/maintenance.md) tasks for PostgreSQL clusters.
* View info on PostgreSQL cluster [hosts](../managed-postgresql/concepts/instance-types.md).
* View info on PostgreSQL databases.
* View info on PostgreSQL [users](../managed-postgresql/concepts/roles.md).
* View info on PostgreSQL alerts.
* View PostgreSQL cluster logs.
* View info on the results of PostgreSQL cluster performance diagnostics.
* View info on [quotas](../managed-postgresql/concepts/limits.md#mpg-quotas) for Managed Service for PostgreSQL.
* View info on resource operations for Managed Service for PostgreSQL.

This role includes the `managed-postgresql.viewer` permissions.

#### managed-postgresql.user {#managed-postgresql-user}

The `managed-postgresql.user` role enables using [PostgreSQL clusters](../managed-postgresql/concepts/index.md).

#### managed-postgresql.switcher {#managed-postgresql-switcher}

The `managed-postgresql.switcher` role enables re-assigning the master host in PostgreSQL clusters, viewing info on PostgreSQL clusters, hosts, databases, and users, as well as viewing cluster logs, quotas, and resource operations.

Users with this role can:
* Re-assign the master host in [PostgreSQL clusters](../managed-postgresql/concepts/index.md).
* View info on PostgreSQL clusters and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../managed-postgresql/concepts/maintenance.md) tasks for PostgreSQL clusters.
* View info on PostgreSQL cluster [hosts](../managed-postgresql/concepts/instance-types.md).
* View info on PostgreSQL databases.
* View info on PostgreSQL [users](../managed-postgresql/concepts/roles.md).
* View info on PostgreSQL cluster [backups](../managed-postgresql/concepts/backup.md).
* View info on PostgreSQL alerts.
* View PostgreSQL cluster logs.
* View info on the results of PostgreSQL cluster performance diagnostics.
* View info on [quotas](../managed-postgresql/concepts/limits.md#mpg-quotas) for Managed Service for PostgreSQL.
* View info on resource operations for Managed Service for PostgreSQL.

This role includes the `managed-postgresql.viewer` permissions.

#### managed-postgresql.editor {#managed-postgresql-editor}

The `managed-postgresql.editor` role enables managing PostgreSQL clusters.

Users with this role can:
* View info on [PostgreSQL clusters](../managed-postgresql/concepts/index.md), as well as create, use, modify, delete, run, and stop them.
* View info on [access permissions](concepts/access-control/index.md) granted for PostgreSQL clusters.
* View info on [maintenance](../managed-postgresql/concepts/maintenance.md) tasks for PostgreSQL clusters and modify such tasks.
* View info on PostgreSQL cluster [hosts](../managed-postgresql/concepts/instance-types.md), as well as create, modify, and delete them.
* Re-assign the master host in PostgreSQL clusters.
* View info on PostgreSQL databases, as well as create, modify, and delete them.
* View info on PostgreSQL [users](../managed-postgresql/concepts/roles.md), as well as create, modify, and delete them.
* View info on PostgreSQL cluster [backups](../managed-postgresql/concepts/backup.md), create and delete such backups, as well as restore clusters from backups.
* View info on PostgreSQL alerts, as well as create, modify, and delete them.
* View PostgreSQL cluster logs.
* View info on the results of PostgreSQL cluster performance diagnostics.
* View info on [quotas](../managed-postgresql/concepts/limits.md#mpg-quotas) for Managed Service for PostgreSQL.
* View info on resource operations for Managed Service for PostgreSQL.

This role includes the `managed-postgresql.viewer`, `managed-postgresql.restorer`, `managed-postgresql.user`, `managed-postgresql.switcher`, and `managed-postgresql.maintenanceTask.editor` permissions.

To create PostgreSQL clusters, you also need the `vpc.user` role.

#### managed-postgresql.admin {#managed-postgresql-admin}

The `managed-postgresql.admin` role enables managing PostgreSQL clusters and access to them.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) granted for [PostgreSQL clusters](../managed-postgresql/concepts/index.md) and modify such permissions.
* View info on PostgreSQL clusters, as well as create, use, modify, delete, run, and stop them.
* View info on [maintenance](../managed-postgresql/concepts/maintenance.md) tasks for PostgreSQL clusters and modify such tasks.
* View info on PostgreSQL cluster [hosts](../managed-postgresql/concepts/instance-types.md), as well as create, modify, and delete them.
* Re-assign the master host in PostgreSQL clusters.
* View info on PostgreSQL databases, as well as create, modify, and delete them.
* View info on PostgreSQL [users](../managed-postgresql/concepts/roles.md), as well as create, modify, and delete them.
* View info on PostgreSQL cluster [backups](../managed-postgresql/concepts/backup.md), create and delete such backups, as well as restore clusters from backups.
* View info on PostgreSQL alerts, as well as create, modify, and delete them.
* View PostgreSQL cluster logs.
* View info on the results of PostgreSQL cluster performance diagnostics.
* View info on [quotas](../managed-postgresql/concepts/limits.md#mpg-quotas) for Managed Service for PostgreSQL.
* View info on resource operations for Managed Service for PostgreSQL.

This role includes the `managed-postgresql.editor` permissions.

To create PostgreSQL clusters, you also need the `vpc.user` role.

#### managed-postgresql.maintenanceTask.viewer {#managed-postgresql-maintenanceTask-viewer}

The `managed-postgresql.maintenanceTask.viewer` role enables viewing info on [PostgreSQL clusters](../managed-postgresql/concepts/index.md), their [maintenance](../managed-postgresql/concepts/maintenance.md) tasks, and [access permissions](concepts/access-control/index.md) granted for them, on [hosts](../managed-postgresql/concepts/instance-types.md) and cluster [backups](../managed-postgresql/concepts/backup.md), and on [quotas](../managed-postgresql/concepts/limits.md#mpg-quotas) and resource operations for Managed Service for PostgreSQL.

This role includes the `managed-postgresql.auditor` permissions.

#### managed-postgresql.maintenanceTask.editor {#managed-postgresql-maintenanceTask-editor}

The `managed-postgresql.maintenanceTask.editor` role enables viewing info on [maintenance](../managed-postgresql/concepts/maintenance.md) tasks for PostgreSQL clusters and modifying such tasks, as well as viewing info on [PostgreSQL clusters](../managed-postgresql/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them, on [hosts](../managed-postgresql/concepts/instance-types.md) and cluster [backups](../managed-postgresql/concepts/backup.md), and on [quotas](../managed-postgresql/concepts/limits.md#mpg-quotas) and resource operations for Managed Service for PostgreSQL.

This role includes the `managed-postgresql.maintenanceTask.viewer` permissions.

For more information, see [Access management in Managed Service for PostgreSQL](../managed-postgresql/security/index.md).


## Yandex Managed Service for Sharded PostgreSQL {#mspqr-roles}

#### managed-spqr.auditor {#managed-spqr-auditor}

The `managed-spqr.auditor` role enables viewing info on Sharded PostgreSQL [hosts](../managed-spqr/concepts/instance-types.md) and [clusters](../managed-spqr/concepts/index.md), on [access permissions](concepts/access-control/index.md) granted for clusters, as well as on [quotas](../managed-spqr/concepts/limits.md#mspqr-quotas) and resource operations for Managed Service for Sharded PostgreSQL.

#### managed-spqr.viewer {#managed-spqr-viewer}

The `managed-spqr.viewer` role enables viewing info on Sharded PostgreSQL clusters, hosts, databases, and users, cluster logs, and info on quotas and resource operations.

Users with this role can:
* View info on Sharded PostgreSQL [clusters](../managed-spqr/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them.
* View info on maintenance tasks for Sharded PostgreSQL clusters.
* View info on Sharded PostgreSQL cluster [hosts](../managed-spqr/concepts/instance-types.md).
* View info on databases in Sharded PostgreSQL clusters.
* View info on users in Sharded PostgreSQL clusters.
* View info on Sharded PostgreSQL cluster backups.
* View Sharded PostgreSQL cluster logs.
* View info on [quotas](../managed-spqr/concepts/limits.md#mspqr-quotas) for Managed Service for Sharded PostgreSQL.
* View info on resource operations for Managed Service for Sharded PostgreSQL.

This role includes the `managed-spqr.auditor` and `managed-spqr.maintenanceTask.viewer` permissions.

#### managed-spqr.restorer {#managed-spqr-restorer}

The `managed-spqr.restorer` role enables restoring Sharded PostgreSQL clusters from backups and viewing info on Sharded PostgreSQL clusters, hosts, databases, and users, cluster logs, as well as info on quotas and resource operations.

Users with this role can:
* View info on Sharded PostgreSQL [cluster](../managed-spqr/concepts/index.md) backups and restore clusters from backups.
* View info on Sharded PostgreSQL clusters and [access permissions](concepts/access-control/index.md) granted for them.
* View info on maintenance tasks for Sharded PostgreSQL clusters.
* View info on Sharded PostgreSQL cluster [hosts](../managed-spqr/concepts/instance-types.md).
* View info on databases in Sharded PostgreSQL clusters.
* View info on users in Sharded PostgreSQL clusters.
* View Sharded PostgreSQL cluster logs.
* View info on [quotas](../managed-spqr/concepts/limits.md#mspqr-quotas) for Managed Service for Sharded PostgreSQL.
* View info on resource operations for Managed Service for Sharded PostgreSQL.

This role includes the `managed-spqr.viewer` permissions.

#### managed-spqr.editor {#managed-spqr-editor}

The `managed-spqr.editor` role enables managing Sharded PostgreSQL clusters.

Users with this role can:
* View info on Sharded PostgreSQL [clusters](concepts/access-control/index.md) and [access permissions](concepts/access-control/index.md) granted for them.
* Create, modify, delete, run, and stop Sharded PostgreSQL clusters.
* View info on maintenance tasks for Sharded PostgreSQL clusters and modify such tasks.
* View info on Sharded PostgreSQL cluster [hosts](../managed-spqr/concepts/instance-types.md), as well as create, modify, and delete them.
* View info on databases in Sharded PostgreSQL clusters as well as create, modify, and delete such databases.
* View info on users in Sharded PostgreSQL clusters as well as create, modify, and delete such users.
* View info on Sharded PostgreSQL cluster backups, create and delete such backups, as well as restore clusters from backups.
* View Sharded PostgreSQL cluster logs.
* View info on [quotas](../managed-spqr/concepts/limits.md#mspqr-quotas) for Managed Service for Sharded PostgreSQL.
* View info on resource operations for Managed Service for Sharded PostgreSQL.

This role includes the `managed-spqr.viewer`, `managed-spqr.restorer` , and `managed-spqr.maintenanceTask.editor` permissions.

#### managed-spqr.admin {#managed-spqr-admin}

The `managed-spqr.admin` role enables managing Sharded PostgreSQL clusters and access to them.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) granted for [Sharded PostgreSQL clusters](../managed-spqr/concepts/index.md) and modify such permissions.
* View info on Sharded PostgreSQL clusters as well as create, modify, delete, run, and stop them.
* View info on maintenance tasks for Sharded PostgreSQL clusters and modify such tasks.
* View info on Sharded PostgreSQL cluster [hosts](../managed-spqr/concepts/instance-types.md), as well as create, modify, and delete them.
* View info on databases in Sharded PostgreSQL clusters as well as create, modify, and delete such databases.
* View info on users in Sharded PostgreSQL clusters as well as create, modify, and delete such users.
* View info on Sharded PostgreSQL cluster backups, create and delete such backups, as well as restore clusters from backups.
* View Sharded PostgreSQL cluster logs.
* View info on [quotas](../managed-spqr/concepts/limits.md#mspqr-quotas) for Managed Service for Sharded PostgreSQL.
* View info on resource operations for Managed Service for Sharded PostgreSQL.

This role includes the `managed-spqr.editor` permissions.

#### managed-spqr.maintenanceTask.viewer {#managed-spqr-maintenanceTask-viewer}

The `managed-spqr.maintenanceTask.viewer` role enables viewing info on [Sharded PostgreSQL clusters](../managed-spqr/concepts/index.md), their maintenance tasks, [access permissions](concepts/access-control/index.md) granted for them, [hosts](../managed-spqr/concepts/instance-types.md), and on [quotas](../managed-spqr/concepts/limits.md#mspqr-quotas) and resource operations for Managed Service for Sharded PostgreSQL.

This role includes the `managed-spqr.auditor` permissions.

#### managed-spqr.maintenanceTask.editor {#managed-spqr-maintenanceTask-editor}

The `managed-spqr.maintenanceTask.editor` role enables viewing info on maintenance tasks for [Sharded PostgreSQL clusters](../managed-spqr/concepts/index.md) and modifying such tasks, as well as viewing info on Sharded PostgreSQL clusters, [access permissions](concepts/access-control/index.md) granted for them, cluster [hosts](../managed-spqr/concepts/instance-types.md), [quotas](../managed-spqr/concepts/limits.md#mspqr-quotas), and resource operations for Managed Service for Sharded PostgreSQL.

This role includes the `managed-spqr.maintenanceTask.viewer` permissions.

For more information, see [Access management in Managed Service for Sharded PostgreSQL](../managed-spqr/security.md).


## Yandex Managed Service for Valkey™ {#mrd-roles}

#### managed-redis.clusters.connector {#managed-redis-clusters-connector}

The `managed-redis.clusters.connector` role enables Yandex Cloud [users](concepts/users/accounts.md) to connect to databases in [Valkey™ clusters](../managed-valkey/concepts/index.md) via [Yandex Identity and Access Management](index.md).

#### managed-redis.auditor {#managed-redis-auditor}

The `managed-redis.auditor` role enables viewing info on Valkey™ [clusters](../managed-valkey/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them, on [hosts](../managed-valkey/concepts/instance-types.md) and cluster [backups](../managed-valkey/concepts/backup.md), and on [quotas](../managed-valkey/concepts/limits.md#mrd-quotas) and resource operations for Yandex Managed Service for Valkey™.

#### managed-redis.viewer {#managed-redis-viewer}

The `managed-redis.viewer` role enables viewing info on Valkey™ hosts, clusters and their logs, as well as on quotas and resource operations.

Users with this role can:
* View info on Valkey™ [clusters](../managed-valkey/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../managed-valkey/concepts/maintenance.md) tasks for Valkey™ clusters.
* View info on Valkey™ cluster [hosts](../managed-valkey/concepts/instance-types.md).
* View info on Valkey™ cluster [shards](../managed-valkey/concepts/sharding.md).
* View [info](../managed-valkey/operations/user-list.md) on Valkey™ users.
* View info on Valkey™ cluster [backups](../managed-valkey/concepts/backup.md).
* View info on Valkey™ alerts.
* View Valkey™ cluster logs.
* View info on [quotas](../managed-valkey/concepts/limits.md#mrd-quotas) for Yandex Managed Service for Valkey™.
* View info on resource operations for Yandex Managed Service for Valkey™.

This role includes the `managed-redis.auditor` and `managed-redis.maintenanceTask.viewer` permissions.

#### managed-redis.restorer {#managed-redis-restorer}

The `managed-redis.restorer` role enables restoring Valkey™ clusters from backups, viewing info on Valkey™ hosts, clusters, and their logs, as well as on quotas and resource operations.

Users with this role can:
* View info on Valkey™ cluster [backups](../managed-valkey/concepts/backup.md) and restore [clusters](../managed-valkey/concepts/index.md) from backups.
* View info on Valkey™ clusters and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../managed-valkey/concepts/maintenance.md) tasks for Valkey™ clusters.
* View info on Valkey™ cluster [hosts](../managed-valkey/concepts/instance-types.md).
* View info on Valkey™ cluster [shards](../managed-valkey/concepts/sharding.md).
* View [info](../managed-valkey/operations/user-list.md) on Valkey™ users.
* View info on Valkey™ alerts.
* View Valkey™ cluster logs.
* View info on [quotas](../managed-valkey/concepts/limits.md#mrd-quotas) for Yandex Managed Service for Valkey™.
* View info on resource operations for Yandex Managed Service for Valkey™.

This role includes the `managed-redis.viewer` permissions.

#### managed-redis.user {#managed-redis-user}

The `managed-redis.user` role enables using [Valkey™ clusters](../managed-valkey/concepts/index.md).

#### managed-redis.switcher {#managed-redis-switcher}

The `managed-redis.switcher` enables re-assigning the master host in Valkey™ clusters and viewing info on Valkey™ hosts, clusters and their logs, as well as on quotas and resource operations.

Users with this role can:
* Re-assign the master host in Valkey™ [clusters](../managed-valkey/concepts/index.md).
* View info on Valkey™ clusters and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../managed-valkey/concepts/maintenance.md) tasks for Valkey™ clusters.
* View info on Valkey™ cluster [hosts](../managed-valkey/concepts/instance-types.md).
* View info on Valkey™ cluster [shards](../managed-valkey/concepts/sharding.md).
* View [info](../managed-valkey/operations/user-list.md) on Valkey™ users.
* View info on Valkey™ cluster [backups](../managed-valkey/concepts/backup.md).
* View info on Valkey™ alerts.
* View Valkey™ cluster logs.
* View info on [quotas](../managed-valkey/concepts/limits.md#mrd-quotas) for Yandex Managed Service for Valkey™.
* View info on resource operations for Yandex Managed Service for Valkey™.

This role includes the `managed-redis.viewer` permissions.

#### managed-redis.editor {#managed-redis-editor}

The `managed-redis.editor` role enables managing Valkey™ clusters.

Users with this role can:
* View info on Valkey™ [clusters](../managed-valkey/concepts/index.md), as well as create, use, modify, delete, run, and stop them.
* View info on [access permissions](concepts/access-control/index.md) granted for Valkey™ clusters.
* View info on [maintenance](../managed-valkey/concepts/maintenance.md) tasks for Valkey™ clusters and modify such tasks.
* View info on Valkey™ cluster [hosts](../managed-valkey/concepts/instance-types.md), as well as create, modify, and delete them.
* Re-assign the master host in Valkey™ clusters.
* View info on Valkey™ cluster [shards](../managed-valkey/concepts/sharding.md), as well as create and delete them.
* View [info](../managed-valkey/operations/user-list.md) on Valkey™ users, as well as create, modify, and delete them.
* View info on Valkey™ cluster [backups](../managed-valkey/concepts/backup.md), create cluster backups, and restore clusters from backups.
* View info on Valkey™ alerts, as well as create, modify, and delete them.
* View Valkey™ cluster logs.
* View info on [quotas](../managed-valkey/concepts/limits.md#mrd-quotas) for Yandex Managed Service for Valkey™.
* View info on resource operations for Yandex Managed Service for Valkey™.

This role includes the `managed-redis.viewer`, `managed-redis.restorer`, `managed-redis.user`, `managed-redis.switcher`, and `managed-redis.maintenanceTask.editor` permissions.

To create Valkey™ clusters, you also need the `vpc.user` role.

#### managed-redis.admin {#managed-redis-admin}

The `managed-redis.admin` role enables managing Valkey™ clusters and access to them.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) granted for Valkey™ [clusters](../managed-valkey/concepts/index.md) and modify such permissions.
* View info on Valkey™ clusters, as well as create, use, modify, delete, run, and stop them.
* View info on [maintenance](../managed-valkey/concepts/maintenance.md) tasks for Valkey™ clusters and modify such tasks.
* View info on Valkey™ cluster [hosts](../managed-valkey/concepts/instance-types.md), as well as create, modify, and delete them.
* Re-assign the master host in Valkey™ clusters.
* View info on Valkey™ cluster [shards](../managed-valkey/concepts/sharding.md), as well as create and delete them.
* View [info](../managed-valkey/operations/user-list.md) on Valkey™ users, as well as create, modify, and delete them.
* View info on Valkey™ cluster [backups](../managed-valkey/concepts/backup.md), create cluster backups, and restore clusters from backups.
* View info on Valkey™ alerts, as well as create, modify, and delete them.
* View Valkey™ cluster logs.
* View info on [quotas](../managed-valkey/concepts/limits.md#mrd-quotas) for Yandex Managed Service for Valkey™.
* View info on resource operations for Yandex Managed Service for Valkey™.

This role includes the `managed-redis.editor` permissions.

To create Valkey™ clusters, you also need the `vpc.user` role.

#### managed-redis.maintenanceTask.viewer {#managed-redis-maintenanceTask-viewer}

The `managed-redis.maintenanceTask.viewer` role enables viewing info on Valkey™ [clusters](../managed-valkey/concepts/index.md), their [maintenance](../managed-valkey/concepts/maintenance.md) tasks, and [access permissions](concepts/access-control/index.md) granted for them, on [hosts](../managed-valkey/concepts/instance-types.md) and cluster [backups](../managed-valkey/concepts/backup.md), and on [quotas](../managed-valkey/concepts/limits.md#mrd-quotas) and resource operations for Yandex Managed Service for Valkey™.

This role includes the `managed-redis.auditor` permissions.

#### managed-redis.maintenanceTask.editor {#managed-redis-maintenanceTask-editor}

The `managed-redis.maintenanceTask.editor` role enables viewing info on [maintenance](../managed-valkey/concepts/maintenance.md) tasks for Valkey™ clusters and modifying such tasks, as well as viewing info on Valkey™ [clusters](../managed-valkey/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them, on [hosts](../managed-valkey/concepts/instance-types.md) and cluster [backups](../managed-valkey/concepts/backup.md), and on [quotas](../managed-valkey/concepts/limits.md#mrd-quotas) and resource operations for Yandex Managed Service for Valkey™.

This role includes the `managed-redis.maintenanceTask.viewer` permissions.

For more information, see [Access management in Yandex Managed Service for Valkey™](../managed-valkey/security/index.md).


## Yandex Managed Service for SQL Server {#mms-roles}

#### managed-sqlserver.auditor {#managed-sqlserver-auditor}

The `managed-sqlserver.auditor` role allows you to view information on SQL Server clusters, hosts, users, databases, cluster backups, as well as on quotas and resource operations for Managed Service for SQL Server.

#### managed-sqlserver.viewer {#managed-sqlserver-viewer}

The `managed-sqlserver.viewer` role allows you to view SQL Server cluster logs, as well as information on SQL Server clusters, hosts, users, databases, and DB backups.

Users with this role can:
* View info on SQL Server clusters.
* View info on SQL Server cluster hosts.
* View info on SQL Server users.
* View info on SQL Server databases.
* View info on SQL Server cluster backups.
* View SQL Server cluster logs.
* View info on resource operations for Managed Service for SQL Server.
* View info on the quotas for Managed Service for SQL Server.

This role includes the `managed-sqlserver.auditor` permissions.

#### managed-sqlserver.restorer {#managed-sqlserver-restorer}

The `managed-sqlserver.restorer` role allows you to restore SQL Server clusters from backups, view SQL Server cluster logs, as well as information on SQL Server clusters, hosts, users, databases, and cluster backups.

Users with this role can:
* Restore SQL Server clusters from backups.
* View info on SQL Server clusters.
* View info on SQL Server cluster hosts.
* View info on SQL Server users.
* View info on SQL Server databases.
* View info on SQL Server DB backups.
* View SQL Server cluster logs.
* View info on resource operations for Managed Service for SQL Server.
* View info on the quotas for Managed Service for SQL Server.

This role includes the `managed-sqlserver.viewer` permissions.

#### managed-sqlserver.editor {#managed-sqlserver-editor}

The `managed-sqlserver.editor` role allows you to manage SQL Server clusters, hosts, users, and databases, create cluster backups and restore clusters from backups, as well as view SQL Server cluster logs.

Users with this role can:
* View info on SQL Server clusters, as well as use, create, start, stop, modify, and delete them.
* View info on SQL Server cluster hosts, as well as create, modify, and delete them.
* View info on SQL Server users, as well as create, modify, and delete them.
* View info on SQL Server databases, as well as create, modify, and delete them.
* View info on SQL Server cluster backups, create such backups and restore clusters from backups.
* View SQL Server cluster logs.
* View info on resource operations for Managed Service for SQL Server.
* View info on the quotas for Managed Service for SQL Server.

This role includes the `managed-sqlserver.viewer` and `managed-sqlserver.restorer` permissions.

#### managed-sqlserver.admin {#managed-sqlserver-admin}

The `managed-sqlserver.admin` role allows you to manage SQL Server clusters, hosts, users, and databases, create cluster backups, restore clusters from backups, as well as view SQL Server cluster logs.

Users with this role can:
* View info on SQL Server clusters, as well as use, create, start, stop, modify, and delete them.
* View info on SQL Server cluster hosts, as well as create, modify, and delete them.
* View info on SQL Server users, as well as create, modify, and delete them.
* View info on SQL Server databases, as well as create, modify, and delete them.
* View info on SQL Server cluster backups, create such backups, as well as restore clusters from backups.
* View SQL Server cluster logs.
* View info on resource operations for Managed Service for SQL Server.
* View info on the quotas for Managed Service for SQL Server.

This role includes the `managed-sqlserver.editor` permissions.


## Yandex Managed Service for Trino {#mtr-roles}

#### managed-trino.auditor {#managed-trino-auditor}

The `managed-trino.auditor` role enables viewing info on [Trino clusters](../managed-trino/concepts/index.md), [access permissions](concepts/access-control/index.md) granted for them, and on [quotas](../managed-trino/concepts/limits.md#quotas) for Managed Service for Trino.

#### managed-trino.viewer {#managed-trino-viewer}

The `managed-trino.viewer` role enables viewing info on Trino clusters and quotas for Managed Service for Trino.

Users with this role can:
* View info on [Trino clusters](../managed-trino/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../managed-trino/concepts/maintenance.md) tasks for Trino clusters.
* View info on [quotas](../managed-trino/concepts/limits.md#quotas) for Managed Service for Trino.

This role includes the `managed-trino.auditor` and `managed-trino.maintenanceTask.viewer` permissions.

#### managed-trino.user {#managed-trino-user}

The `managed-trino.user` role enables performing basic operations on Trino clusters.

Users with this role can:
* Use the Trino web UI.
* Send requests to the Trino API.
* View info on [Trino clusters](../managed-trino/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../managed-trino/concepts/maintenance.md) tasks for Trino clusters.
* View info on quotas for Managed Service for Trino.

This role includes the `managed-trino.viewer` permissions.

#### managed-trino.editor {#managed-trino-editor}

The `managed-trino.editor` role enables managing Trino clusters.

Users with this role can:
* View info on [Trino clusters](../managed-trino/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them.
* Create, modify, start, stop and delete Trino clusters.
* View info on [maintenance](../managed-trino/concepts/maintenance.md) tasks for Trino clusters and modify such tasks.
* Use the Trino web UI.
* Send requests to the Trino API.
* View info on [quotas](../managed-trino/concepts/limits.md#quotas) for Managed Service for Trino.

This role includes the `managed-trino.user` and `managed-trino.maintenanceTask.editor` permissions.

To create Trino clusters, you also need the `vpc.user` role.

#### managed-trino.admin {#managed-trino-admin}

The `managed-trino.admin` role enables managing Trino clusters and access to them.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) granted for [Trino clusters](../managed-trino/concepts/index.md) and modify such permissions.
* View info on Trino clusters, as well as create, modify, run, stop, and delete them.
* View info on [maintenance](../managed-trino/concepts/maintenance.md) tasks for Trino clusters and modify such tasks.
* Use the Trino web UI.
* Send requests to the Trino API.
* View info on [quotas](../managed-trino/concepts/limits.md#quotas) for Managed Service for Trino.

This role includes the `managed-trino.editor` permissions.

To create Trino clusters, you also need the `vpc.user` role.

#### managed-trino.maintenanceTask.viewer {#managed-trino-maintenanceTask-viewer}

The `managed-trino.maintenanceTask.viewer` role enables viewing info on [Trino clusters](../managed-trino/concepts/index.md), [access permissions](concepts/access-control/index.md) granted for them, their [maintenance](../managed-trino/concepts/maintenance.md) tasks, and on [quotas](../managed-trino/concepts/limits.md#quotas) for Managed Service for Trino.

This role includes the `managed-trino.auditor` permissions.

#### managed-trino.maintenanceTask.editor {#managed-trino-maintenanceTask-editor}

The `managed-trino.maintenanceTask.editor` role enables viewing info on [maintenance](../managed-trino/concepts/maintenance.md) tasks for Trino clusters and modifying such tasks, as well as viewing info on [Trino clusters](../managed-trino/concepts/index.md), [access permissions](concepts/access-control/index.md) granted for them, and on [quotas](../managed-trino/concepts/limits.md#quotas) for Managed Service for Trino.

This role includes the `managed-trino.maintenanceTask.viewer` permissions.

#### managed-trino.integrationProvider {#managed-trino-integrationProvider}

The `managed-trino.integrationProvider` role enables a Trino cluster to work with user resources required for its operation on behalf of a service account. You need to assign this role to a service account linked to a Trino cluster.

Users with this role can:
* Add entries to [log groups](../logging/concepts/log-group.md).
* View info on log groups.
* View info on log sinks.
* View info on granted [access permissions](concepts/access-control/index.md) for Cloud Logging resources.
* View info on log exports.
* View info on [metrics](../monitoring/concepts/data-model.md#metric) and their [labels](../monitoring/concepts/data-model.md#label), as well as upload and download metrics.
* View lists of [dashboards](../monitoring/concepts/visualization/dashboard.md) and [widgets](../monitoring/concepts/visualization/widget.md) and info on them, as well as create, modify, and delete them.
* View [notification](../monitoring/concepts/alerting/notification-channel.md) history.
* View details on [Monitoring quotas](../monitoring/concepts/limits.md#monitoring-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `logging.writer` and `monitoring.editor` permissions.

For more information, see [Managing access to Managed Service for Trino](../managed-trino/security.md).


## Yandex Managed Service for YTsaurus {#myt-roles}

#### managed-ytsaurus.auditor {#managed-ytsaurus-auditor}

The `managed-ytsaurus.auditor` role enables viewing info on YTsaurus clusters as well as data on the [quotas](../managed-ytsaurus/concepts/limits.md#quotas) and resource operations for Managed Service for YTsaurus.

#### managed-ytsaurus.viewer {#managed-ytsaurus-viewer}

The `managed-ytsaurus.viewer` role enables viewing info on YTsaurus clusters, [quotas](../managed-ytsaurus/concepts/limits.md#quotas), and resource operations for Managed Service for YTsaurus.

This role includes the `managed-ytsaurus.auditor` permissions.

#### managed-ytsaurus.user {#managed-ytsaurus-user}

The `managed-ytsaurus.user` role enables performing basic operations on YTsaurus clusters.

Users with this role can:
* Use the YTsaurus web UI.
* View info on YTsaurus clusters.
* View info on the [quotas](../managed-ytsaurus/concepts/limits.md#quotas) for Managed Service for YTsaurus.
* View info on resource operations for Managed Service for YTsaurus.

This role includes the `managed-ytsaurus.viewer` permissions.

#### managed-ytsaurus.editor {#managed-ytsaurus-editor}

The `managed-ytsaurus.editor` role enables managing YTsaurus clusters, as well as getting info on the quotas and service resource operations.

Users with this role can:
* View information on YTsaurus clusters, as well as create, modify, delete, run, and stop them.
* View info on the [quotas](../managed-ytsaurus/concepts/limits.md#quotas) for Managed Service for YTsaurus.
* View info on resource operations for Managed Service for YTsaurus.
* Use the YTsaurus web UI.

This role includes the `managed-ytsaurus.user` permissions.

To create YTsaurus clusters, you also need the `vpc.user` role.

#### managed-ytsaurus.admin {#managed-ytsaurus-admin}

The `managed-ytsaurus.admin` role enables managing YTsaurus clusters, as well as getting info on the quotas and service resource operations for Managed Service for YTsaurus.

Users with this role can:
* View info on YTsaurus clusters, as well as create, modify, run, stop, and delete them.
* View info on the [quotas](../managed-ytsaurus/concepts/limits.md#quotas) for Managed Service for YTsaurus.
* View info on resource operations for Managed Service for YTsaurus.
* Use the YTsaurus web UI.

This role includes the `managed-ytsaurus.editor` permissions.

To create YTsaurus clusters, you also need the `vpc.user` role.

For more information, see [Access management in Managed Service for YTsaurus](../managed-ytsaurus/security/index.md).


## Yandex Managed Service for YDB {#ydb-roles}

#### ydb.auditor {#ydb-auditor}

The `ydb.auditor` role enables establishing connections to databases, viewing info on databases and access permissions granted to them, as well as on the database schema objects and backups.

Users with this role can:
* Establish [database](../ydb/concepts/resources.md#database) connections.
* View the list of databases and info on them, as well as on the [access permissions](concepts/access-control/index.md) granted to them.
* View info on database backups and the access permissions granted to them.
* View the list of database schema objects, such as tables, indexes, and folders, and info on them.
* View info on the [quotas](../ydb/concepts/limits.md#ydb-quotas) for Managed Service for YDB.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

#### ydb.viewer {#ydb-viewer}

The `ydb.viewer` role enables establishing connections to databases and querying them for reading, viewing info on databases and access permissions granted to them, as well as on the database schema objects and backups.

Users with this role can:
* Establish connections with [databases](../ydb/concepts/resources.md#database) and query them for reading.
* View the list of databases and info on them, as well as on the [access permissions](concepts/access-control/index.md) granted to them.
* View info on database backups and the access permissions granted to them.
* View the list of database schema objects, such as tables, indexes, and folders, and info on them.
* View info on the [quotas](../ydb/concepts/limits.md#ydb-quotas) for Managed Service for YDB.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `ydb.auditor` permissions.

#### ydb.editor {#ydb-editor}

The `ydb.editor` role enables managing databases, schema objects, and database backups, as well as querying DBs for both reading and writing.

Users with this role can:
* View the list of [databases](../ydb/concepts/resources.md#database), info on them and the [access permissions](concepts/access-control/index.md) granted to them, as well as create, run, stop, modify, and delete DBs.
* Establish connections with databases and query them for reading and writing.
* View info on database backups and the access permissions granted to them, as well as create and delete them and use them to restore databases.
* View the list of schema objects, such as tables, indexes, and folders, and info on those, as well as create, modify, and delete such objects.
* View info on the [quotas](../ydb/concepts/limits.md#ydb-quotas) for Managed Service for YDB.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `ydb.viewer` permissions.

#### ydb.admin {#ydb-admin}

The `ydb.admin` role enables managing databases and access to them, as well as schema objects and database backups. It also allows you to query DBs for both reading and writing.

Users with this role can:
* View the list of [databases](../ydb/concepts/resources.md#database) and info on them, as well as create, run, stop, modify, and delete them.
* View info on granted [access permissions](concepts/access-control/index.md) to databases and modify such permissions.
* Establish connections with databases and query them for reading and writing.
* View info on database backups, as well as create and delete them and use them to restore databases.
* View info on granted access permissions to backups and modify such permissions.
* View the list of schema objects, such as tables, indexes, and folders, and info on those, as well as create, modify, and delete such objects.
* View info on the [quotas](../ydb/concepts/limits.md#ydb-quotas) for Managed Service for YDB.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `ydb.editor` permissions.

#### ydb.kafkaApi.client {#ydb-kafkaapi-client}

The `ydb.kafkaApi.client` role allows you to work with `ydb` over the [Kafka API](https://ydb.tech/docs/en/reference/kafka-api) protocol using plain authentication over an SSL connection.

For more information, see [Access management in Managed Service for YDB](../ydb/security/index.md).


## Yandex StoreDoc {#storedoc-roles}

#### managed-mongodb.clusters.connector {#managed-mongodb-clusters-connector}

The `managed-mongodb.clusters.connector ` role enables Yandex Cloud [users](concepts/users/accounts.md) to connect to databases in [Yandex StoreDoc clusters](../storedoc/concepts/index.md) via [Yandex Identity and Access Management](index.md).

#### managed-mongodb.auditor {#managed-mongodb-auditor}

The `managed-mongodb.auditor` role enables viewing info on [Yandex StoreDoc clusters](../storedoc/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them, on [hosts](../storedoc/concepts/instance-types.md) and cluster [backups](../storedoc/concepts/backup.md), and on [quotas](../storedoc/concepts/limits.md#mmg-quotas) and resource operations.

#### managed-mongodb.viewer {#managed-mongodb-viewer}

The `managed-mongodb.viewer` role enables viewing info on Yandex StoreDoc clusters, hosts, shards, databases, users, cluster logs, quotas, and resource operations.

Users with this role can:
* View info on [Yandex StoreDoc clusters](../storedoc/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../storedoc/concepts/maintenance.md) tasks for Yandex StoreDoc clusters and modify such tasks.
* View info on Yandex StoreDoc cluster [hosts](../storedoc/concepts/instance-types.md).
* View info on Yandex StoreDoc cluster [shards](../storedoc/concepts/sharding.md).
* View info on Yandex StoreDoc databases.
* View info on Yandex StoreDoc [users](../storedoc/concepts/users-and-roles.md).
* View info on Yandex StoreDoc cluster [backups](../storedoc/concepts/backup.md).
* View info on Yandex StoreDoc alerts.
* View Yandex StoreDoc cluster [logs](../storedoc/operations/cluster-logs.md).
* View info on the results of Yandex StoreDoc cluster performance diagnostics.
* View info on Yandex StoreDoc [quotas](../storedoc/concepts/limits.md#mmg-quotas).
* View info on resource operations for Yandex StoreDoc.

This role includes the `managed-mongodb.auditor` and `managed-mongodb.maintenanceTask.viewer` permissions.

#### managed-mongodb.restorer {#managed-mongodb-restorer}

The `managed-mongodb.restorer` role enables restoring Yandex StoreDoc clusters from backups and viewing info on Yandex StoreDoc clusters, hosts, shards, databases, users, cluster logs, quotas, and resource operations.

Users with this role can:
* View info on [Yandex StoreDoc cluster](../storedoc/concepts/index.md) backups and restore clusters from [backups](../storedoc/concepts/backup.md).
* View info on Yandex StoreDoc clusters and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../storedoc/concepts/maintenance.md) tasks for Yandex StoreDoc clusters and modify such tasks.
* View info on Yandex StoreDoc cluster [hosts](../storedoc/concepts/instance-types.md).
* View info on Yandex StoreDoc cluster [shards](../storedoc/concepts/sharding.md).
* View info on Yandex StoreDoc databases.
* View info on Yandex StoreDoc [users](../storedoc/concepts/users-and-roles.md).
* View info on Yandex StoreDoc alerts.
* View Yandex StoreDoc cluster [logs](../storedoc/operations/cluster-logs.md).
* View info on the results of Yandex StoreDoc cluster performance diagnostics.
* View info on Yandex StoreDoc [quotas](../storedoc/concepts/limits.md#mmg-quotas).
* View info on resource operations for Yandex StoreDoc.

This role includes the `managed-mongodb.viewer` permissions.

#### managed-mongodb.user {#managed-mongodb-user}

The `managed-mongodb.user` role enables using [Yandex StoreDoc clusters](../storedoc/concepts/index.md).

#### managed-mongodb.switcher {#managed-mongodb-switcher}

The `managed-mongodb.switcher` role enables re-assigning the master host in Yandex StoreDoc clusters and viewing info on Yandex StoreDoc clusters, hosts, shards, databases, users, cluster logs, quotas, and resource operations.

Users with this role can:
* Re-assign the master host in [Yandex StoreDoc clusters](../storedoc/concepts/index.md).
* View info on Yandex StoreDoc clusters and [access permissions](concepts/access-control/index.md) granted for them.
* View info on [maintenance](../storedoc/concepts/maintenance.md) tasks for Yandex StoreDoc clusters and modify such tasks.
* View info on Yandex StoreDoc cluster [hosts](../storedoc/concepts/instance-types.md).
* View info on Yandex StoreDoc cluster [shards](../storedoc/concepts/sharding.md).
* View info on Yandex StoreDoc databases.
* View info on Yandex StoreDoc [users](../storedoc/concepts/users-and-roles.md).
* View info on Yandex StoreDoc cluster [backups](../storedoc/concepts/backup.md).
* View info on Yandex StoreDoc alerts.
* View Yandex StoreDoc cluster [logs](../storedoc/operations/cluster-logs.md).
* View info on the results of Yandex StoreDoc cluster performance diagnostics.
* View info on Yandex StoreDoc [quotas](../storedoc/concepts/limits.md#mmg-quotas).
* View info on resource operations for Yandex StoreDoc.

This role includes the `managed-mongodb.viewer` permissions.

#### managed-mongodb.editor {#managed-mongodb-editor}

The `managed-mongodb.editor` role enables managing Yandex StoreDoc clusters.

Users with this role can:
* Create, use, modify, delete, run and stop [Yandex StoreDoc clusters](../storedoc/concepts/index.md) and view info on them.
* View info on [access permissions](concepts/access-control/index.md) granted for Yandex StoreDoc clusters.
* View info on [maintenance](../storedoc/concepts/maintenance.md) tasks for Yandex StoreDoc clusters and modify such tasks.
* Create, modify, and delete Yandex StoreDoc cluster [hosts](../storedoc/concepts/instance-types.md) and view info on them.
* Re-assign the master host in Yandex StoreDoc clusters.
* Create and delete Yandex StoreDoc cluster [shards](../storedoc/concepts/sharding.md) and view info on them.
* Create and delete Yandex StoreDoc databases and view info on them.
* Create, modify, and delete Yandex StoreDoc [users](../storedoc/concepts/users-and-roles.md) and view info on them.
* Create Yandex StoreDoc cluster [backups](../storedoc/concepts/backup.md), view info on them, as well as restore clusters from backups.
* Create, modify, and delete Yandex StoreDoc alerts and view info on them.
* View Yandex StoreDoc cluster logs.
* View info on the results of Yandex StoreDoc cluster performance diagnostics.
* View info on Yandex StoreDoc [quotas](../storedoc/concepts/limits.md#mmg-quotas).
* View info on resource operations for Yandex StoreDoc.

This role includes the `managed-mongodb.viewer`, `managed-mongodb.restorer`, `managed-mongodb.user`, `managed-mongodb.switcher`, and `managed-mongodb.maintenanceTask.editor` permissions.

To create Yandex StoreDoc clusters, you also need the `vpc.user` role.

#### managed-mongodb.admin {#managed-mongodb-admin}

The `managed-mongodb.admin` role enables managing Yandex StoreDoc clusters and access to them.

Users with this role can:
* View info on [access permissions](concepts/access-control/index.md) granted for [Yandex StoreDoc clusters](../storedoc/concepts/index.md) and modify such permissions.
* Create, use, modify, delete, run and stop Yandex StoreDoc clusters and view info on them.
* View info on [maintenance](../storedoc/concepts/maintenance.md) tasks for Yandex StoreDoc clusters and modify such tasks.
* Create, modify, and delete Yandex StoreDoc cluster [hosts](../storedoc/concepts/instance-types.md) and view info on them.
* Re-assign the master host in Yandex StoreDoc clusters.
* Create and delete Yandex StoreDoc cluster [shards](../storedoc/concepts/sharding.md) and view info on them.
* Create and delete Yandex StoreDoc databases and view info on them.
* Create, modify, and delete Yandex StoreDoc [users](../storedoc/concepts/users-and-roles.md) and view info on them.
* Create Yandex StoreDoc cluster [backups](../storedoc/concepts/backup.md), view info on them, as well as restore clusters from backups.
* Create, modify, and delete Yandex StoreDoc alerts and view info on them.
* View Yandex StoreDoc cluster logs.
* View info on the results of Yandex StoreDoc cluster performance diagnostics.
* View info on Yandex StoreDoc [quotas](../storedoc/concepts/limits.md#mmg-quotas).
* View info on resource operations for Yandex StoreDoc.

This role includes the `managed-mongodb.editor` permissions.

To create Yandex StoreDoc clusters, you also need the `vpc.user` role.

#### managed-mongodb.maintenanceTask.viewer {#managed-mongodb-maintenanceTask-viewer}

The `managed-mongodb.maintenanceTask.viewer` role enables viewing info on [Yandex StoreDoc clusters](../storedoc/concepts/index.md), their [maintenance](../storedoc/concepts/maintenance.md) tasks, and [access permissions](concepts/access-control/index.md) granted for them, on [hosts](../storedoc/concepts/instance-types.md) and cluster [backups](../storedoc/concepts/backup.md), and on [quotas](../storedoc/concepts/limits.md#mmg-quotas) and resource operations.

This role includes the `managed-mongodb.auditor` permissions.

#### managed-mongodb.maintenanceTask.editor {#managed-mongodb-maintenanceTask-editor}

The `managed-mongodb.maintenanceTask.editor` role enables viewing info on [maintenance](../storedoc/concepts/maintenance.md) tasks for Yandex StoreDoc clusters and modifying such tasks, as well as viewing info on [Yandex StoreDoc clusters](../storedoc/concepts/index.md) and [access permissions](concepts/access-control/index.md) granted for them, on [hosts](../storedoc/concepts/instance-types.md) and cluster [backups](../storedoc/concepts/backup.md), and on [quotas](../storedoc/concepts/limits.md#mmg-quotas) and resource operations.

This role includes the `managed-mongodb.maintenanceTask.viewer` permissions.

For more information, see [Access management in Yandex StoreDoc](../storedoc/security/index.md).


## Yandex Message Queue {#message-queue-roles}

#### ymq.reader {#ymq-reader}

The `ymq.reader` role grants permission to read and delete [messages](../message-queue/concepts/message.md), set message [visibility timeouts](../message-queue/concepts/visibility-timeout.md), and clear a [queue](../message-queue/concepts/queue.md) of messages. It allows you to get a list of queues and queue information.

#### ymq.writer {#ymq-writer}

The `ymq.writer` role grants permission to write [messages](../message-queue/concepts/message.md) to a [queue](../message-queue/concepts/queue.md) and create new queues. It allows you to list queues and view queue information.

#### ymq.admin {#ymq-admin}

The `ymq.admin` role includes access rights of the `ymq.reader` and `ymq.writer` roles and allows updating [queue](../message-queue/concepts/queue.md) attributes and deleting queues. It allows you to get a list of queues and queue information.

For more information, see [Access management in Message Queue](../message-queue/security/index.md).


## Yandex Monitoring {#monitoring-roles}

#### monitoring.viewer {#monitoring-viewer}

The `monitoring.viewer` role enables downloading metrics and viewing info on metrics, dashboards, and widgets.

Users with this role can:
* View info on [metrics](../monitoring/concepts/data-model.md#metric) and their [labels](../monitoring/concepts/data-model.md#label), as well as download metrics.
* View the list of [dashboards](../monitoring/concepts/visualization/dashboard.md) and [widgets](../monitoring/concepts/visualization/widget.md), as well as the info on those.
* View [notification](../monitoring/concepts/alerting/notification-channel.md) history.
* View details on [Monitoring](../monitoring/concepts/limits.md#monitoring-quotas) quotas.
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

#### monitoring.editor {#monitoring-editor}

The `monitoring.editor` role enables managing dashboards and widgets, uploading and downloading metrics, and viewing the notification history and quota details.

Users with this role can:
* View info on [metrics](../monitoring/concepts/data-model.md#metric) and their [labels](../monitoring/concepts/data-model.md#label), as well as upload and download metrics.
* View lists of [dashboards](../monitoring/concepts/visualization/dashboard.md) and [widgets](../monitoring/concepts/visualization/widget.md) and info on them, as well as create, modify, and delete them.
* View [notification](../monitoring/concepts/alerting/notification-channel.md) history.
* View details on [Monitoring](../monitoring/concepts/limits.md#monitoring-quotas) quotas.
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `monitoring.viewer` permissions.

#### monitoring.admin {#monitoring-admin}

The `monitoring.admin` role enables managing dashboards and widgets, uploading and downloading metrics, and viewing the notification history, info on quotas, and folder metadata.

Users with this role can:
* View info on [metrics](../monitoring/concepts/data-model.md#metric) and their [labels](../monitoring/concepts/data-model.md#label), as well as upload and download metrics.
* View lists of [dashboards](../monitoring/concepts/visualization/dashboard.md) and [widgets](../monitoring/concepts/visualization/widget.md) and info on them, as well as create, modify, and delete them.
* View [notification](../monitoring/concepts/alerting/notification-channel.md) history.
* View details on [Monitoring](../monitoring/concepts/limits.md#monitoring-quotas) quotas.
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `monitoring.editor` permissions.

For more information, see [Access management in Monitoring](../monitoring/security/index.md).


## Yandex Network Load Balancer {#network-load-balancer-roles}

#### load-balancer.auditor {#load-balancer-auditor}

The `load-balancer.auditor` role enables viewing the list of target groups and network load balancers, as well as viewing the info on them and on the Network Load Balancer quotas.

Users with this role can:
* View the list of [target groups](../network-load-balancer/concepts/target-resources.md) and the info on them.
* View the list of [network load balancers](../network-load-balancer/concepts/index.md) and the info on them.
* View the list of operations with the Network Load Balancer resources.
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).
* View info on Network Load Balancer [quotas](../network-load-balancer/concepts/limits.md#load-balancer-quotas).

#### load-balancer.viewer {#load-balancer-viewer}

The `load-balancer.viewer` role enables viewing the list of target groups and network load balancers, as well as viewing the info on them, the list of operations on them, the info on the relevant cloud and folder, and the Network Load Balancer quotas.

Users with this role can:
* View the list of [target groups](../network-load-balancer/concepts/target-resources.md) and the info on them.
* View the list of [network load balancers](../network-load-balancer/concepts/index.md) and the info on them.
* View the list of operations with the Network Load Balancer resources.
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).
* View info on Network Load Balancer [quotas](../network-load-balancer/concepts/limits.md#load-balancer-quotas).

This role includes the `load-balancer.auditor` permissions.

#### load-balancer.privateAdmin {#load-balancer-private-admin}

The `load-balancer.privateAdmin` role enables managing internal network load balancers and target groups, as well as viewing info on them and on the cloud networks, subnets, route tables, gateways, security groups, and IP addresses.

Users with this role can:
* View the list of [network load balancers](../network-load-balancer/concepts/index.md) and the info on them, as well as create internal network load balances (including those with UDP listeners), modify, delete, start, and stop them.
* View the list of [target groups](../network-load-balancer/concepts/target-resources.md) and the info on them, as well as create, modify, delete, and use target groups.
* View the list of [cloud networks](../vpc/concepts/network.md#network) and the info on them.
* View the list of [subnets](../vpc/concepts/network.md#subnet) and info on them, as well as use them.
* View the list of [cloud resource addresses](../vpc/concepts/address.md) and the info on them.
* View the list of [route tables](../vpc/concepts/routing.md#rt-vpc) and the info on them.
* View the list of [security groups](../vpc/concepts/security-groups.md) and the info on them.
* View information on [NAT gateways](../vpc/concepts/gateways.md).
* View the info on the used IP addresses in subnets, as well as create [internal addresses](../vpc/concepts/address.md#internal-addresses).
* View the info on operations with the Virtual Private Cloud and Compute Cloud resources.
* View the list of operations with the Network Load Balancer resources.
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).
* View info on [Network Load Balancer](../network-load-balancer/concepts/limits.md#load-balancer-quotas) and [Virtual Private Cloud](../vpc/concepts/limits.md#vpc-quotas) quotas.

This role includes the `load-balancer.viewer` and `vpc.viewer` permissions.

#### load-balancer.editor {#load-balancer-editor}

The `load-balancer.editor` role enables managing internal and external network load balancers and target groups, as well as viewing info on them and on the cloud networks, subnets, route tables, gateways, security groups, and IP addresses. The role does not allow creating public IP addresses.

Users with this role can:
* View the list of [network load balancers](../network-load-balancer/concepts/index.md) and info on them.
* Create internal and external network load balancers and those with UDP listeners, as well as modify, delete, start, and stop load balancers.
* View the list of [target groups](../network-load-balancer/concepts/target-resources.md) and the info on them, as well as create, modify, delete, and use target groups.
* View the list of [cloud networks](../vpc/concepts/network.md#network) and info on them, as well as set up external access to them.
* View the list of [subnets](../vpc/concepts/network.md#subnet) and info on them, as well as use them.
* View the list of [cloud resource addresses](../vpc/concepts/address.md) and the info on them.
* View the list of [route tables](../vpc/concepts/routing.md#rt-vpc) and the info on them.
* View the list of [security groups](../vpc/concepts/security-groups.md) and the info on them.
* View information on [NAT gateways](../vpc/concepts/gateways.md).
* View the info on the used IP addresses, create [private](../vpc/concepts/address.md#internal-addresses) addresses and use them.
* View the info on operations with the Virtual Private Cloud and Compute Cloud resources.
* View the list of operations with the Network Load Balancer resources.
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).
* View info on [Network Load Balancer](../network-load-balancer/concepts/limits.md#load-balancer-quotas) and [Virtual Private Cloud](../vpc/concepts/limits.md#vpc-quotas) quotas.

This role includes the `load-balancer.privateAdmin` permissions.

#### load-balancer.admin {#load-balancer-admin}

The `load-balancer.admin` role enables managing internal and external network load balancers and target groups, as well as viewing info on them and on the cloud networks, subnets, route tables, gateways, security groups, and IP addresses.

Users with this role can:
* View the list of [network load balancers](../network-load-balancer/concepts/index.md) and info on them.
* Create internal and external network load balancers and those with UDP listeners, as well as modify, delete, start, and stop load balancers.
* View the list of [target groups](../network-load-balancer/concepts/target-resources.md) and the info on them, as well as create, modify, delete, and use target groups.
* View the list of [cloud networks](../vpc/concepts/network.md#network) and info on them, as well as set up external access to them.
* View the list of [subnets](../vpc/concepts/network.md#subnet) and info on them, as well as use them.
* View the list of [cloud resource addresses](../vpc/concepts/address.md) and the info on them.
* View the list of [route tables](../vpc/concepts/routing.md#rt-vpc) and the info on them.
* View the list of [security groups](../vpc/concepts/security-groups.md) and the info on them.
* View information on [NAT gateways](../vpc/concepts/gateways.md).
* View the info on the used IP addresses, create [private](../vpc/concepts/address.md#internal-addresses) and [public](../vpc/concepts/address.md#public-addresses) addresses, and use them.
* View the info on operations with the Virtual Private Cloud and Compute Cloud resources.
* View the list of operations with the Network Load Balancer resources.
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).
* View info on [Network Load Balancer](../network-load-balancer/concepts/limits.md#load-balancer-quotas) and [Virtual Private Cloud](../vpc/concepts/limits.md#vpc-quotas) quotas.

This role includes the `load-balancer.editor` permissions.

For more information, see [Access management in Network Load Balancer](../network-load-balancer/security/index.md).


## Yandex Object Storage {#storage-roles}

#### storage.viewer {#storage-viewer}

The `storage.viewer` role allows you to read data in buckets, view info on buckets and objects inside them, as well as info on the Object Storage folder and quotas.

{% cut "Users with this role can:" %}

* View the list of [buckets](../storage/concepts/bucket.md).
* View the lists of [objects](../storage/concepts/object.md) in buckets, object info and content.
* View info on [access permissions](concepts/access-control/index.md) assigned for buckets and objects inside them.
* View bucket [CORS](../storage/concepts/cors.md) configuration info.
* View bucket [static website hosting](../storage/concepts/hosting.md) configuration info.
* View bucket access [protocol](../storage/concepts/bucket.md#bucket-https) info.
* View bucket action [logging](../storage/concepts/server-logs.md) settings.
* View bucket [versioning](../storage/concepts/versioning.md) settings.
* View bucket [encryption](../storage/concepts/encryption.md) settings.
* View bucket default [storage class](../storage/concepts/storage-class.md#default-storage-class) info.
* View bucket [labels](../storage/concepts/tags.md).
* View bucket region info.
* View object [lifecycle](../storage/concepts/lifecycles.md) configuration info.
* View lists of object versions and version info.
* View [object version locks](../storage/concepts/object-lock.md) info.
* View object and object version [labels](../storage/concepts/tags.md#object-tags).
* View info on current [multipart uploads](../storage/concepts/multipart.md) of objects and their parts.
* View [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../resource-manager/concepts/resources-hierarchy.md#folder), and Object Storage statistics.
* View info on Object Storage [quotas](../storage/concepts/limits.md#storage-quotas).
* View folder info.

{% endcut %}

#### storage.configViewer {#storage-config-viewer}

The `storage.configViewer` role allows you to view the settings info of buckets and objects inside them but not the data inside the bucket.

{% cut "Users with this role can:" %}

* View the list of [buckets](../storage/concepts/bucket.md) and lists of [objects](../storage/concepts/object.md) in buckets without access to object content.
* View info on [access permissions](concepts/access-control/index.md) assigned for buckets and objects inside them.
* View bucket [access policy](../storage/concepts/policy.md) info.
* View bucket [CORS](../storage/concepts/cors.md) configuration info.
* View bucket [static website hosting](../storage/concepts/hosting.md) configuration info.
* View bucket access [protocol](../storage/concepts/bucket.md#bucket-https) info.
* View bucket action [logging](../storage/concepts/server-logs.md) settings.
* View bucket [versioning](../storage/concepts/versioning.md) settings.
* View bucket region info.
* View [object version locks](../storage/concepts/object-lock.md) info.
* View lists of object versions in buckets.
* View bucket [encryption](../storage/concepts/encryption.md) settings.
* View bucket default [storage class](../storage/concepts/storage-class.md#default-storage-class) info.
* View bucket [labels](../storage/concepts/tags.md).
* View object [lifecycle](../storage/concepts/lifecycles.md) configuration info.
* View info on current [multipart uploads](../storage/concepts/multipart.md) of objects and their parts.
* View [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../resource-manager/concepts/resources-hierarchy.md#folder), and Object Storage statistics.
* View folder info.

{% endcut %}

#### storage.configurer {#storage-configurer}

The `storage.configurer` role allows you to manage object lifecycle, static website hosting, access policy, and CORS settings. It does not allow you to manage access control list (ACL) or public access settings, nor does it provide access to bucket data.

{% cut "Users with this role can:" %}

* View bucket [access policy](../storage/concepts/policy.md) info, create, modify, and delete bucket access policies.
* View bucket [CORS](../storage/concepts/cors.md) configuration info and modify the CORS configuration.
* View bucket [static website hosting](../storage/concepts/hosting.md) configuration info and modify the static website hosting configuration.
* View bucket access [protocol](../storage/concepts/bucket.md#bucket-https) info and change the access protocol.
* View bucket action [logging](../storage/concepts/server-logs.md) settings and change the logging settings.
* View bucket [encryption](../storage/concepts/encryption.md) settings and change the encryption settings.
* View bucket region info.
* View object [lifecycle](../storage/concepts/lifecycles.md) configuration info and change the lifecycle configuration.
* View bucket [versioning](../storage/concepts/versioning.md) settings.
* View [folder](../resource-manager/concepts/resources-hierarchy.md#folder) info.

{% endcut %}

#### storage.uploader {#storage-uploader}

The `storage.uploader` role allows you to upload objects into buckets with or without overwriting the previously uploaded ones, read data in buckets, view info on buckets and objects inside them, as well as info on the Object Storage folder and quotas. The role does not allow you to delete objects or configure buckets.

{% cut "Users with this role can:" %}

* View the list of [buckets](../storage/concepts/bucket.md).
* View the lists of [objects](../storage/concepts/object.md) in buckets, object info and content.
* Upload objects into a bucket.
* View info on [access permissions](concepts/access-control/index.md) assigned for buckets and objects inside them.
* View bucket [CORS](../storage/concepts/cors.md) configuration info.
* View bucket [static website hosting](../storage/concepts/hosting.md) configuration info.
* View bucket access [protocol](../storage/concepts/bucket.md#bucket-https) info.
* View bucket action [logging](../storage/concepts/server-logs.md) settings.
* View bucket [versioning](../storage/concepts/versioning.md) settings.
* View bucket [encryption](../storage/concepts/encryption.md) settings.
* View bucket default [storage class](../storage/concepts/storage-class.md#default-storage-class) info.
* View bucket [labels](../storage/concepts/tags.md).
* View bucket region info.
* View object [lifecycle](../storage/concepts/lifecycles.md) configuration info.
* View lists of object versions and version info.
* View info on [object version locks](../storage/concepts/object-lock.md) and set up such locks.
* View object and object version [labels](../storage/concepts/tags.md#object-tags), modify such labels.
* View info on current [multipart uploads](../storage/concepts/multipart.md) of objects and their parts, delete partially uploaded objects.
* View [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../resource-manager/concepts/resources-hierarchy.md#folder), and Object Storage statistics.
* View info on Object Storage [quotas](../storage/concepts/limits.md#storage-quotas).
* View folder info.

{% endcut %}

This role includes the `storage.viewer` permissions.

#### storage.editor {#storage-editor}

The `storage.editor` role allows any operations with buckets and objects: creating, deleting, and editing them. The role does not allow managing access control list (ACL) settings and creating public buckets.

{% cut "Users with this role can:" %}

* View the list of [buckets](../storage/concepts/bucket.md), create and delete buckets.
* View the lists of [objects](../storage/concepts/object.md) in buckets, object info and content.
* View info on [access permissions](concepts/access-control/index.md) assigned for buckets and objects inside them.
* Upload objects into a bucket, delete objects and object versions.
* View bucket [CORS](../storage/concepts/cors.md) configuration info and modify the CORS configuration.
* View bucket [static website hosting](../storage/concepts/hosting.md) configuration info and modify the static website hosting configuration.
* View bucket access [protocol](../storage/concepts/bucket.md#bucket-https) info and change the access protocol.
* View bucket action [logging](../storage/concepts/server-logs.md) settings and change the logging settings.
* View bucket [versioning](../storage/concepts/versioning.md) settings.
* View bucket [encryption](../storage/concepts/encryption.md) settings and change the encryption settings.
* View bucket default [storage class](../storage/concepts/storage-class.md#default-storage-class) info, change the default storage class.
* View and modify bucket [labels](../storage/concepts/tags.md).
* View bucket region info.
* View object [lifecycle](../storage/concepts/lifecycles.md) configuration info and change the lifecycle configuration.
* View lists of object versions and version info.
* Restore object versions in versioning-enabled buckets.
* View info on [object version locks](../storage/concepts/object-lock.md) and set up such locks.
* View object and object version [labels](../storage/concepts/tags.md#object-tags), modify and delete such labels.
* View info on current [multipart uploads](../storage/concepts/multipart.md) of objects and their parts, delete partially uploaded objects.
* View [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../resource-manager/concepts/resources-hierarchy.md#folder), and Object Storage statistics.
* View info on Object Storage [quotas](../storage/concepts/limits.md#storage-quotas).
* View folder info.

{% endcut %}

This role includes the `storage.uploader` permissions.

#### storage.admin {#storage-admin}

The `storage.admin` role allows you to manage Object Storage.

{% cut "Users with this role can:" %}

* View the list of [buckets](../storage/concepts/bucket.md).
* Create buckets, including public ones, and delete buckets.
* View the lists of [objects](../storage/concepts/object.md) in buckets, object info and content.
* View info on [access permissions](concepts/access-control/index.md) assigned for buckets and objects inside them, modify access permissions for buckets and objects.
* View bucket [access policy](../storage/concepts/policy.md) info, create, modify, and delete bucket access policies.
* Assign an [access control list](../storage/concepts/acl.md) (ACL).
* Set up access to a bucket via a [service connection](../vpc/concepts/private-endpoint.md) from a Virtual Private Cloud.
* Upload objects into a bucket, delete objects and object versions.
* View bucket [CORS](../storage/concepts/cors.md) configuration info and modify the CORS configuration.
* View bucket [static website hosting](../storage/concepts/hosting.md) configuration info and modify the static website hosting configuration.
* View bucket access [protocol](../storage/concepts/bucket.md#bucket-https) info and change the access protocol.
* View bucket action [logging](../storage/concepts/server-logs.md) settings and change the logging settings.
* View bucket [versioning](../storage/concepts/versioning.md) settings and change the versioning settings.
* View bucket [encryption](../storage/concepts/encryption.md) settings and change the encryption settings.
* View bucket default [storage class](../storage/concepts/storage-class.md#default-storage-class) info, change the default storage class.
* View and modify bucket [labels](../storage/concepts/tags.md).
* View bucket region info.
* View object [lifecycle](../storage/concepts/lifecycles.md) configuration info and change the lifecycle configuration.
* View lists of object versions and version info.
* Restore object versions in versioning-enabled buckets.
* View info on [object version locks](../storage/concepts/object-lock.md) and set up such locks.
* Bypass [governance-mode retention](../storage/concepts/object-lock.md#types).
* View object and object version [labels](../storage/concepts/tags.md#object-tags), modify and delete such labels.
* View info on current [multipart uploads](../storage/concepts/multipart.md) of objects and their parts, delete partially uploaded objects.
* View [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../resource-manager/concepts/resources-hierarchy.md#folder), and Object Storage statistics.
* View info on Object Storage [quotas](../storage/concepts/limits.md#storage-quotas).
* View folder info.

{% endcut %}

This role includes the `storage.editor`, `storage.configViewer`, and `storage.configurer` permissions.

For more information, see [Managing access with Yandex Identity and Access Management](../storage/security/index.md).


## Yandex Query {#query-roles}

#### yq.auditor {#query-auditor}

The `yq.auditor` role allows you to view the service metadata, including the information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder), [connections](../query/concepts/glossary.md#connection), [bindings](../query/concepts/glossary.md#binding), [queries](../query/concepts/glossary.md#query), and [runs](../query/concepts/glossary.md#jobs).

#### yq.viewer {#query-viewer}

The `yq.viewer` role allows you to view the service metadata, including the information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder), [connections](../query/concepts/glossary.md#connection), [bindings](../query/concepts/glossary.md#binding), [queries](../query/concepts/glossary.md#query), and [runs](../query/concepts/glossary.md#jobs), including query texts and results.

This role includes the `yq.auditor` permissions.

#### yq.editor {#query-editor}

Users with the `yq.editor` role can manage connections and the queries they create.

Users with this role can:
* View info on the [queries](../query/concepts/glossary.md#query) they create and on such query [runs](../query/concepts/glossary.md#jobs), including query texts and results.
* Create queries, as well as run and cancel the runs of the queries they create.
* View info on [connections](../query/concepts/glossary.md#connection), as well as create, use, update, and delete them.
* View info on [bindings](../query/concepts/glossary.md#binding), as well as create, use, update, and delete them.
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `yq.viewer` and `yq.invoker` permissions.

#### yq.admin {#query-admin}

The `yq.admin` role allows you to manage any Yandex Query resources, including those labeled as private.

Users with this role can:
* View info on [queries](../query/concepts/glossary.md#query) and query [runs](../query/concepts/glossary.md#jobs), view query texts and results.
* Create queries, as well as run and cancel query runs.
* View info on [connections](../query/concepts/glossary.md#connection), as well as create, use, update, and delete them.
* View info on [bindings](../query/concepts/glossary.md#binding), as well as create, use, update, and delete them.
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `yq.editor` permissions.

#### yq.invoker {#query-invoker}

The `yq.invoker` role allows you to create and run [queries](../query/concepts/glossary.md#query), use [connections](../query/concepts/glossary.md#connection) and [bindings](../query/concepts/glossary.md#binding), as well as view information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder) and queries, including query texts and results.

The role is designed to automate query execution by service accounts. For example, you can use it to run queries by an event or on schedule.

For more information, see [Access management in Query](../query/security/index.md).


## Yandex Resource Manager {#resource-manager-roles}

#### resource-manager.auditor {#resource-manager-auditor}

The `resource-manager.auditor` role enables viewing cloud and folder metadata, as well as the info on the access permissions granted to clouds and folders.

Users with this role can:
* View info on [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) and their settings, as well as on the [access permissions](concepts/access-control/index.md) granted to clouds.
* View info on [folders](../resource-manager/concepts/resources-hierarchy.md#folder) and their settings, as well as on the access permissions granted to folders.
* View [access policies](concepts/access-control/access-policies.md) assigned to clouds and folders.
* View info on the Resource Manager [quotas](../resource-manager/concepts/limits.md#resmgr-quotas).

#### resource-manager.viewer {#resource-manager-viewer}

The `resource-manager.viewer` role enables viewing info on clouds and folders, as well as on the access permissions to clouds and folders.

Users with this role can:
* View info on [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) and their settings, as well as on the [access permissions](concepts/access-control/index.md) to clouds.
* View info on [folders](../resource-manager/concepts/resources-hierarchy.md#folder) and their settings, as well as on the access permissions to folders.
* View [access policies](concepts/access-control/access-policies.md) assigned to clouds and folders.
* View info on the Resource Manager [quotas](../resource-manager/concepts/limits.md#resmgr-quotas).

This role includes the `resource-manager.auditor` permissions.

#### resource-manager.editor {#resource-manager-editor}

The `resource-manager.editor` role enables managing clouds and folders, as well as viewing the info on the access permissions granted to clouds and folders.

Users with this role can:
* View info on [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud), their settings, and the [access permissions](concepts/access-control/index.md) to such clouds, as well as create, modify, and delete clouds.
* View info on [folders](../resource-manager/concepts/resources-hierarchy.md#folder), their settings, and the access permissions to such folders, as well as create, modify, and delete folders.
* View [access policies](concepts/access-control/access-policies.md) assigned to clouds and folders.
* View info on the Resource Manager [quotas](../resource-manager/concepts/limits.md#resmgr-quotas).

This role includes the `resource-manager.viewer` permissions.

#### resource-manager.admin {#resource-manager-admin}

The `resource-manager.admin` role enables managing clouds and folders, as well as access to those.

Users with this role can:
* View info on granted [access permissions](concepts/access-control/index.md) to [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) and modify such permissions.
* View info on clouds and their settings, as well as create, modify, and delete clouds.
* View info on granted access permissions to [folders](../resource-manager/concepts/resources-hierarchy.md#folder) and modify such permissions.
* View [access policies](concepts/access-control/access-policies.md) assigned to clouds and folders, as well as assign such policies to clouds and folders and revoke them.
* View info on folders and their settings, as well as create, modify, and delete folders.
* View info on the Resource Manager [quotas](../resource-manager/concepts/limits.md#resmgr-quotas).

This role includes the `resource-manager.editor` permissions.

#### resource-manager.clouds.member {#resource-manager-clouds-member}

The `resource-manager.clouds.member` role enables viewing info on the relevant cloud and contacting the Yandex Cloud support.

The role can only be assigned for a cloud.

Users with this role can:
* View the list of technical support [requests](../support/overview.md#response-time) and the info on them, as well as create and close such requests, leave comments, and attach files to them.
* View info on [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) and their settings.

#### resource-manager.clouds.owner {#resource-manager-clouds-owner}

The `resource-manager.clouds.owner` role enables running any operations within the [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and its child [resources](../resource-manager/concepts/resources-hierarchy.md).

It also allows you to manage linking the cloud to a [billing account](../billing/concepts/billing-account.md) (for that purpose, you also need permissions for that billing account). For more information on managing access to a billing account, see the [Yandex Cloud Billing documentation](../billing/security/index.md#billing-account).

By default, the users with this role get [notifications](../resource-manager/concepts/notify.md) on what happens to the cloud and its folders.

You can only assign this role for a cloud. Any user creating a cloud automatically gets such a role for the cloud.

This role includes the `admin` and `resource-manager.clouds.member` permissions.

For more information, see [Access management in Resource Manager](../resource-manager/security/index.md).


## Yandex Schema Registry {#schema-registry-roles}

#### schema-registry.auditor {#schema-registry-auditor}

The `schema-registry.auditor` role enables viewing information on [namespaces](../metadata-hub/concepts/schema-registry.md#namespace).

#### schema-registry.viewer {#schema-registry-viewer}

The `schema-registry.viewer` role enables viewing info on [schemas](../metadata-hub/concepts/schema-registry.md#schema) and [namespaces](../metadata-hub/concepts/schema-registry.md#namespace) and comparing schema versions.

This role includes the `schema-registry.auditor` permissions.

#### schema-registry.editor {#schema-registry-editor}

The `schema-registry.editor` role enables managing schemas and namespaces.

Users with this role can:
* View info on [schemas](../metadata-hub/concepts/schema-registry.md#schema), create, modify, and delete them, and compare schema versions.
* View info on [namespaces](../metadata-hub/concepts/schema-registry.md#namespace) and create, modify, and delete them.

This role includes the `schema-registry.viewer` permissions.

#### schema-registry.admin {#schema-registry-admin}

The `schema-registry.admin` role enables managing Schema Registry, as well as schemas and namespaces.

Users with this role can:
* View info on [schemas](../metadata-hub/concepts/schema-registry.md#schema), create, modify, and delete them, and compare schema versions.
* View info on [namespaces](../metadata-hub/concepts/schema-registry.md#namespace) and create, modify, and delete them.

This role includes the `schema-registry.editor` permissions.

For more information, see [Service roles for managing data schemas using Schema Registry](../metadata-hub/security/schema-registry-roles.md).


## Yandex Search API {#search-api-roles}

#### search-api.executor {#search-api-executor}

The `search-api.executor` role was used by an API that is now deprecated.

The `search-api.executor` role is no longer available.

#### search-api.webSearch.user {#search-api-webSearch-user}

The `search-api.webSearch.user` role enables running search queries in Yandex Search API, as well as viewing info on the [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../resource-manager/concepts/resources-hierarchy.md#folder), and Yandex Search API [quotas](https://aistudio.yandex.ru/docs/en/search-api/concepts/limits#search-api-quotas).

#### search-api.auditor {#search-api-auditor}

The `search-api.auditor` role was used by an API that is now deprecated. The role enables viewing Yandex Search API quotas, as well as information on the relevant cloud and folder.

The `search-api.auditor` role should no longer be used.

#### search-api.viewer {#search-api-viewer}

The `search-api.viewer` role was used by an API that is now deprecated. The role enables viewing Yandex Search API quotas, as well as information on the relevant cloud and folder.

The `search-api.viewer` role should no longer be used.

#### search-api.editor {#search-api-editor}

The `search-api.editor` role was used by an API that is now deprecated. The role enables viewing Yandex Search API quotas, as well as information on the relevant cloud and folder.

The `search-api.editor` role should no longer be used.

#### search-api.admin {#search-api-admin}

The `search-api.admin` role was used by an API that is now deprecated. The role enables viewing Yandex Search API quotas, as well as information on the relevant cloud and folder.

The `search-api.admin` role should no longer be used.

Learn more in [Access management in Yandex Search API](https://aistudio.yandex.ru/docs/en/search-api/security/index).


## Yandex Security Deck {#security-deck-roles}

### Common Security Deck roles {#general-sd-roles}

#### security-deck.worker {#security-deck-worker}

The `security-deck.worker` role allows the user to view info on DSPM scan area, as well as info on KSPM and CSPM controlled resources in Security Deck.

Users with this role can:

* View the [organization](../organization/concepts/organization.md) info, view the list of and info on [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud), [folders](../resource-manager/concepts/resources-hierarchy.md#folder), and [buckets](../storage/concepts/bucket.md) in the [scan area](../security-deck/concepts/dspm.md#data-source) configured by the DSPM user, view data in buckets subject to scanning.
* View the list of clouds and folders and their info as controlled resources of a Security Deck [workspace](../security-deck/concepts/workspace.md) for [KSPM](../security-deck/concepts/kspm.md).
* View the list of Kubernetes clusters and info on them and their settings as controlled resources of a Security Deck workspace for KSPM.
* View the organization info, view the list of clouds and folders and their info as controlled resources of a Security Deck workspace for [CSPM](../security-deck/concepts/cspm.md).

The role is issued to the [service account](concepts/users/service-accounts.md) to perform the DSPM [scan](../security-deck/concepts/dspm.md#scanning), KSPM or CSPM check. The role extends to an organization, cloud, folder, or bucket (if using [DSPM](../security-deck/concepts/dspm.md)).

The role does not allow viewing data in [encrypted buckets](../storage/concepts/encryption.md). To scan an encrypted bucket, additionally assign to the service account the `kms.keys.decrypter` [role](../kms/security/index.md#kms-keys-encrypter) for the [encryption key](../kms/security/index.md#kms-keys-encrypter) or for the folder, cloud, or organization this key resides in.

This role includes the `dspm.worker`, `kspm.worker`, and `cspm.worker` permissions.

{% note info %}

The role cannot guarantee access to a bucket with a Yandex Object Storage [access policy](../storage/security/policy.md) applied.

{% endnote %}

#### security-deck.auditor {#security-deck-auditor}

The `security-deck.auditor` role enables viewing info on DSPM, CSPM, and KSPM resources, on alerts and alert sinks, as well as on scan jobs and the number of detected security threats. With this role, you cannot view masked and unprocessed data.

Users with this role can:
* View info on DSPM profiles.
* View info on DSPM [data sources](../security-deck/concepts/dspm.md#data-source).
* View info on DSPM security [scan](../security-deck/concepts/dspm.md#scanning) jobs.
* View info on data types and [categories](../security-deck/concepts/dspm.md#data-categories).
* View DSPM scan results and info on detected threats.
* View info on Security Deck [workspaces](../security-deck/concepts/workspace.md) and resources managed in them, as well as on [access permissions](concepts/access-control/index.md) granted for them.
* View info on [connectors](../security-deck/concepts/workspace.md#connectors).
* View info on cloud infrastructure checks for compliance with [security standards](../security-deck/concepts/cspm.md#standards) configured in the [CSPM](../security-deck/concepts/cspm.md) settings.
* View info on the [KSPM settings](../security-deck/concepts/kspm.md) and operations, as well as the list of exceptions from rules.
* View info on [alert sinks](../security-deck/concepts/workspace.md#alert-sinks) and access permissions granted for them.

This role includes the `dspm.auditor`, `cspm.auditor`, `kspm.auditor`, and `security-deck.alertSinks.auditor` permissions.

#### security-deck.viewer {#security-deck-viewer}

The `security-deck.viewer` role enables viewing info on events of access to organization resources by Yandex Cloud employees, on DSPM, CSPM, and KSPM resources, on alerts and alert sinks, as well as on scan jobs and the number of detected security threats. With this role, you cannot view masked and unprocessed data.

{% cut "Users with this role can:" %}

* View the list of events when Yandex Cloud employees access organization resources.
* Approve or disapprove the result of a neural network-driven analysis of events when Yandex Cloud employees access organization resources.
* View info on DSPM profiles.
* View info on DSPM [data sources](../security-deck/concepts/dspm.md#data-source).
* View info on DSPM security [scan](../security-deck/concepts/dspm.md#scanning) jobs.
* View info on data types and [categories](../security-deck/concepts/dspm.md#data-categories).
* View DSPM scan results and info on detected threats.
* View info on Security Deck [workspaces](../security-deck/concepts/workspace.md) and resources managed in them, as well as on [access permissions](concepts/access-control/index.md) granted for them.
* View info on [connectors](../security-deck/concepts/workspace.md#connectors).
* View info on cloud infrastructure checks for compliance with [security standards](../security-deck/concepts/cspm.md#standards) configured in the [CSPM](../security-deck/concepts/cspm.md) settings, the results of such checks, and [exceptions](../security-deck/concepts/cspm.md#exceptions) from check rules.
* View info on the [KSPM](../security-deck/concepts/kspm.md) settings, Managed Service for Kubernetes [clusters](../managed-kubernetes/concepts/index.md#kubernetes-cluster) connected to KSPM, exceptions from rules, exceptions from the control scope, KSPM users, and KSPM operations.
* View info on [alert sinks](../security-deck/concepts/workspace.md#alert-sinks) and access permissions granted for them.
* View info on [alerts](../security-deck/concepts/alerts.md) and access permissions granted for them.
* View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.

{% endcut %}

This role includes the `access-transparency.viewer`, `dspm.viewer`, `cspm.viewer`, `kspm.viewer`, and `security-deck.alertSinks.viewer` permissions.

#### security-deck.editor {#security-deck-editor}

The `security-deck.editor` role enables managing subscriptions to events of access to organization resources by Yandex Cloud employees, managing workspaces, alerts, and alert sinks, as well DSPM, CSPM, and KSPM resources. With this role, you cannot view masked and unprocessed data.

{% cut "Users with this role can:" %}

* Select a [billing account](../billing/concepts/billing-account.md) in Access Transparency.
* View info on subscriptions to events of access to organization resources by Yandex Cloud employees, as well as create, delete, and cancel deletion of such subscriptions.
* View the list of events when Yandex Cloud employees access organization resources.
* Approve or disapprove the result of a neural network-driven analysis of events when Yandex Cloud employees access organization resources.
* View info on DSPM profiles and use them.
* View info on DSPM [data sources](../security-deck/concepts/dspm.md#data-source), as well as create, modify, use, and delete them.
* View info on DSPM security [scan](../security-deck/concepts/dspm.md#scanning) jobs, as well as create, modify, and delete such jobs.
* Run DSPM security scan jobs and view their results, as well as info on detected threats.
* View info on DSPM data [types and categories](../security-deck/concepts/dspm.md#data-categories).
* View [bucket](../storage/concepts/bucket.md) metadata.
* View info on Security Deck [workspaces](../security-deck/concepts/workspace.md) and resources managed in them, as well as on [access permissions](concepts/access-control/index.md) granted for them.
* Create, modify, and delete Security Deck workspaces.
* View info on [connectors](../security-deck/concepts/workspace.md#connectors), as well as create, use, modify, and delete them.
* View info on cloud infrastructure checks for compliance with [security standards](../security-deck/concepts/cspm.md#standards) configured in the [CSPM](../security-deck/concepts/cspm.md) settings.
* View CSPM check results.
* Create, suspend, resume, update, and delete CSPM checks.
* View [exceptions](../security-deck/concepts/cspm.md#exceptions) from CSPM check rules, create and delete such exceptions.
* Engage, set up, and disconnect [KSPM](../security-deck/concepts/kspm.md), as well as create, modify, and delete exceptions from rules and exceptions from the control scope.
* View info on Managed Service for Kubernetes [clusters](../managed-kubernetes/concepts/index.md#kubernetes-cluster) connected to KSPM, KSPM users, and KSPM operations.
* View info on [alert sinks](../security-deck/concepts/workspace.md#alert-sinks) and access permissions granted for them.
* Create, use, modify, and delete alert sinks.
* View info on [alerts](../security-deck/concepts/alerts.md) and access permissions granted for them.
* View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.
* Create, modify, and delete alerts.
* View the list of comments to alerts, as well as create, modify, and delete such comments.

{% endcut %}

This role includes the `access-transparency.editor`, `dspm.editor`, `cspm.editor`, `kspm.editor`, and `security-deck.alertSinks.editor` permissions.

#### security-deck.admin {#security-deck-admin}

The `security-deck.admin` role enables managing subscriptions to events of access to organization resources by Yandex Cloud employees, managing workspaces, alerts, and alert sinks, as well DSPM, CSPM, and KSPM resources. With this role, you can view masked and unprocessed data in scan results.

{% cut "Users with this role can:" %}

* Select a [billing account](../billing/concepts/billing-account.md) in Access Transparency.
* View info on subscriptions to events of access to organization resources by Yandex Cloud employees, as well as create, delete, and cancel deletion of such subscriptions.
* View the list of events when Yandex Cloud employees access organization resources.
* Approve or disapprove the result of a neural network-driven analysis of events when Yandex Cloud employees access organization resources.
* View info on DSPM profiles and use them.
* View info on DSPM [data sources](../security-deck/concepts/dspm.md#data-source), as well as create, modify, use, and delete them.
* Use Yandex Cloud resources in DSPM data sources.
* View info on DSPM data [types and categories](../security-deck/concepts/dspm.md#data-categories).
* View info on DSPM security [scan](../security-deck/concepts/dspm.md#scanning) jobs, as well as create, modify, and delete such jobs.
* Run DSPM security scan jobs, view their result and info on detected threats, which includes viewing masked and unprocessed data in the scan results.
* View [bucket](../storage/concepts/bucket.md) metadata.
* View info on Security Deck [workspaces](../security-deck/concepts/workspace.md) and resources managed in them, as well as create, update, and delete Security Deck workspaces.
* View info on [access permissions](concepts/access-control/index.md) granted for Security Deck workspaces and modify such permissions.
* View info on [connectors](../security-deck/concepts/workspace.md#connectors), as well as create, use, modify, and delete them.
* View info on cloud infrastructure checks for compliance with [security standards](../security-deck/concepts/cspm.md#standards) configured in the [CSPM](../security-deck/concepts/cspm.md) settings.
* View CSPM check results.
* Create, suspend, resume, update, and delete CSPM checks.
* View [exceptions](../security-deck/concepts/cspm.md#exceptions) from CSPM check rules, create and delete such exceptions.
* Engage, set up, and disconnect [KSPM](../security-deck/concepts/kspm.md), as well as create, modify, and delete exceptions from rules and exceptions from the control scope.
* View info on Managed Service for Kubernetes [clusters](../managed-kubernetes/concepts/index.md#kubernetes-cluster) connected to KSPM, KSPM users, and KSPM operations.
* View info on [alert sinks](../security-deck/concepts/workspace.md#alert-sinks), as well as create, use, modify, and delete them.
* View info on access permissions granted for alert sinks and modify such permissions.
* View info on [alerts](../security-deck/concepts/alerts.md), as well as create, modify, and delete them.
* View info on access permissions granted for alerts and modify such permissions.
* View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.
* View the list of comments to alerts, as well as create, modify, and delete such comments.

{% endcut %}

This role includes the `access-transparency.admin`, `dspm.admin`, `cspm.admin`, `kspm.admin`, and `security-deck.alertSinks.admin` permissions.

For more information, see [Common Yandex Security Deck roles](../security-deck/security/index.md).

### Data Security Posture Management (DSPM) service roles {#dspm-roles}

#### dspm.worker {#dspm-worker}

The `dspm.worker` role enables viewing info on an [organization](../organization/concepts/organization.md), viewing the list of [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud), [folders](../resource-manager/concepts/resources-hierarchy.md#cloud), and [buckets](../storage/concepts/bucket.md) in a [scan zone](../resource-manager/concepts/resources-hierarchy.md#cloud) specified by the user and info on them, as well as viewing data in buckets being scanned.

The role is granted to the [service account](concepts/users/service-accounts.md) that will be used to perform [scans](concepts/users/service-accounts.md) for an organization, cloud, folder, or bucket.

The role does not enable viewing data in [encrypted buckets](../storage/concepts/encryption.md). To scan an encrypted bucket, additionally grant the `kms.keys.decrypter` [role](../kms/security/index.md#kms-keys-encrypter) to your service account either for the [encryption key](../kms/security/index.md#kms-keys-encrypter) at hand or for the folder, cloud, or organization hosting this key.

{% note info %}

The role cannot guarantee access to a bucket if it has a Yandex Object Storage [access policy](../storage/security/policy.md) applied to it.

{% endnote %}

#### dspm.inspector {#dspm-inspector}

The `dspm.inspector` role enables creating DSPM data sources using the specified Yandex Cloud resources. To create a DSPM data source, assign this role to a user for the appropriate cloud resource.

The `dspm.inspector` role is deprecated and no longer in use.

#### dspm.auditor {#dspm-auditor}

The `dspm.auditor` role enables viewing info on DSPM resources, as well as on scan jobs and the number of detected security threats. With this role, you cannot view masked and unprocessed data.

Users with this role can:
* View info on DSPM profiles.
* View info on DSPM [data sources](../security-deck/concepts/dspm.md#data-source).
* View info on security [scan](../security-deck/concepts/dspm.md#scanning) jobs.

#### dspm.viewer {#dspm-viewer}

The `dspm.viewer` role enables viewing info on DSPM resources, as well as on scan jobs and the number of detected security threats. With this role, you cannot view masked and unprocessed data.

Users with this role can:
* View info on DSPM profiles.
* View info on DSPM [data sources](../security-deck/concepts/dspm.md#data-source).
* View info on security [scan](../security-deck/concepts/dspm.md#scanning) jobs.

This role includes the `dspm.auditor` permissions.

#### dspm.editor {#dspm-editor}

The `dspm.editor` role enables using DSPM profiles and managing data sources and security scans. With this role, you cannot view masked and unprocessed data.

Users with this role can:
* View info on DSPM profiles and use them.
* View info on DSPM [data sources](../security-deck/concepts/dspm.md#data-source), as well as create, modify, use, and delete them.
* View info on security [scan](../security-deck/concepts/dspm.md#scanning) jobs, as well as create, run, modify, and delete such jobs.

This role includes the `dspm.viewer` permissions.

#### dspm.admin {#dspm-admin}

The `dspm.admin` role enables using DSPM profiles and managing data sources and security scans, which includes viewing masked and unprocessed data in the scan results.

Users with this role can:
* View info on DSPM profiles and use them.
* View info on DSPM [data sources](../security-deck/concepts/dspm.md#data-source), as well as create, modify, use, and delete them.
* Use Yandex Cloud resources in DSPM data sources.
* View info on DSPM [data categories](../security-deck/concepts/dspm.md#data-categories).
* View info on security [scan](../security-deck/concepts/dspm.md#scanning) jobs, as well as create, modify, and delete such jobs.
* Run security scan jobs and view their results and info on detected threats, which includes viewing masked and unprocessed data in the scan results.

This role includes the `dspm.editor` permissions.

Learn more in [Access management in DSPM](../security-deck/security/dspm-roles.md).

### Kubernetes® Security Posture Management (KSPM) service roles {#kspm-roles}

#### kspm.worker {#kspm-worker}

The `kspm.worker` role allows the user to view info on Managed Service for Kubernetes [clusters](../managed-kubernetes/concepts/index.md#kubernetes-cluster) and install [KSPM](../security-deck/concepts/kspm.md) components in them.

The role is issued to the [service account](concepts/users/service-accounts.md) to perform cluster checks and extends to an organization, cloud, or folder. This service account should be specified when [creating](../security-deck/operations/workspaces/create.md) the workspace.

#### kspm.auditor {#kspm-auditor}

The `kspm.auditor` role allows the user to view info on [KSPM](../security-deck/concepts/kspm.md) settings, KSPM operations, and the list of exceptions from the rules.

#### kspm.viewer {#kspm-viewer}

The `kspm.viewer` role allows the user to view info on [KSPM](../security-deck/concepts/kspm.md) settings, Managed Service for Kubernetes [clusters](../managed-kubernetes/concepts/index.md#kubernetes-cluster) connected to KSPM, exceptions from the rules, exceptions from the scope of control, KSPM users, and KSPM operations.

This role includes the `kspm.auditor` permissions.

#### kspm.editor {#kspm-editor}

The `kspm.editor` role allows the user to engage, set up, and disconnect [KSPM](../security-deck/concepts/kspm.md), create, modify, and delete exceptions from the rules and exceptions from the scope of control, view info on Managed Service for Kubernetes [clusters](../managed-kubernetes/concepts/index.md#kubernetes-cluster) connected to KSPM, KSPM users, and KSPM operations.

This role includes the `kspm.viewer` permissions.

#### kspm.admin {#kspm-admin}

The `kspm.admin` role allows the user to engage, set up, and disconnect [KSPM](../security-deck/concepts/kspm.md), create, modify, and delete exceptions from the rules and exceptions from the scope of control, view info on Managed Service for Kubernetes [clusters](../managed-kubernetes/concepts/index.md#kubernetes-cluster) connected to KSPM, KSPM users, and KSPM operations.

This role includes the `kspm.editor` permissions.

Learn more in [Access management in KSPM](../security-deck/security/kspm-roles.md).

### Cloud Security Posture Management (CSPM) service roles {#cspm-roles}

#### cspm.worker {#cspm-worker}

The `cspm.worker` role allows the user to view the [organization](../organization/concepts/organization.md) info, view the list of [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folders](../resource-manager/concepts/resources-hierarchy.md#folder) and their info as controlled resources of a Security Deck [workspace](../security-deck/concepts/workspace.md).

The role is issued to the [service account](concepts/users/service-accounts.md) to perform checks for compliance with [security standards](../security-deck/concepts/cspm.md#standards) configured in [CSPM](../security-deck/concepts/cspm.md) settings and extends to an organization, cloud, or folder.

#### cspm.auditor {#cspm-auditor}

The `cspm.auditor` role allows the user to view info on cloud infrastructure checks for compliance with [security standards](../security-deck/concepts/cspm.md#standards) configured in [CSPM](../security-deck/concepts/cspm.md) settings.

#### cspm.viewer {#cspm-viewer}

The `cspm.viewer` role allows the user to view info on cloud infrastructure checks for compliance with [security standards](../security-deck/concepts/cspm.md#standards) configured in [CSPM](../security-deck/concepts/cspm.md) settings, the results of such checks, and [exceptions](../security-deck/concepts/cspm.md#exceptions) from related rules.

This role includes the `cspm.auditor` permissions.

#### cspm.editor {#cspm-editor}

The `cspm.editor` role allows the user to manage cloud infrastructure checks for compliance with CSPM security standards and exceptions from related rules.

Users with this role can:
* View info on cloud infrastructure checks for compliance with [security standards](../security-deck/concepts/cspm.md#standards) configured in [CSPM](../security-deck/concepts/cspm.md) settings.
* View the results of CSPM checks.
* Create, suspend, resume, update, and delete CSPM checks.
* View [exceptions](../security-deck/concepts/cspm.md#exceptions) from CSPM check rules, create and delete such exceptions.

This role includes the `cspm.viewer` permissions.

#### cspm.admin {#cspm-admin}

The `cspm.admin` role allows the user to manage cloud infrastructure checks for compliance with CSPM security standards and exceptions from related rules.

Users with this role can:
* View info on cloud infrastructure checks for compliance with [security standards](../security-deck/concepts/cspm.md#standards) configured in [CSPM](../security-deck/concepts/cspm.md) settings.
* View the results of CSPM checks.
* Create, suspend, resume, update, and delete CSPM checks.
* View [exceptions](../security-deck/concepts/cspm.md#exceptions) from CSPM check rules, create and delete such exceptions.

This role includes the `cspm.editor` permissions.

Learn more in [Access management in CSPM](../security-deck/security/cspm-roles.md).

### Service roles for Access Transparency data analysis {#access-transparency-roles}

#### access-transparency.viewer {#access-transparency-viewer}

The `access-transparency.viewer` role enables viewing the list of subscriptions to the events when Yandex Cloud employees access organization resources and approving or disapproving the result of the neural network-driven analysis of such events.

#### access-transparency.editor {#access-transparency-editor}

The `access-transparency.editor` role enables selecting a billing account in Access Transparency, managing subscriptions to the events when Yandex Cloud employees access organization resources, viewing the list of such events, and approving or disapproving the result of the neural network-driven analysis of such events.

This role includes the `access-transparency.billingProvider` and `access-transparency.subscriptionManager` permissions.

#### access-transparency.admin {#access-transparency-admin}

The `access-transparency.admin` role enables selecting a billing account in Access Transparency, managing subscriptions to the events when Yandex Cloud employees access organization resources, viewing the list of such events, and approving or disapproving the result of the neural network-driven analysis of such events.

This role includes the `access-transparency.editor` permissions.

#### access-transparency.billingProvider {#access-transparency-billingProvider}

The `access-transparency.billingProvider` role enables selecting a billing account in Access Transparency.

#### access-transparency.subscriptionManager {#access-transparency-subscriptionManager}

The `access-transparency.subscriptionManager` role enables managing subscriptions to the events when Yandex Cloud employees access organization resources, viewing the list of such events, and approving or disapproving the result of the neural network-driven analysis of such events.

This role includes the `access-transparency.viewer` permissions.

Learn more in [Access management in Access Transparency](../security-deck/security/access-transparency-roles.md).

### Service roles for Alerts {#alerts-roles}

#### security-deck.alertSinks.user {#security-deck-alertSinks-user}

The `security-deck.alertSinks.user` role enables viewing info on [alert sinks](../security-deck/concepts/workspace.md#alert-sinks) and using them.

#### security-deck.alertSinks.auditor {#security-deck-alertSinks-auditor}

The `security-deck.alertSinks.auditor` role enables viewing info on [alert sinks](../security-deck/concepts/workspace.md#alert-sinks) and [access permissions](concepts/access-control/index.md) granted for them.

#### security-deck.alertSinks.viewer {#security-deck-alertSinks-viewer}

The `security-deck.alertSinks.viewer` role enables viewing info on alerts and alert sinks as well as on access permissions granted for them.

Users with this role can:
* View info on [alert sinks](../security-deck/concepts/workspace.md#alert-sinks) and access permissions granted for them.
* View info on [alerts](../security-deck/concepts/alerts.md) and access permissions granted for them.
* View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.

This role includes the `security-deck.alertSinks.auditor` permissions.

#### security-deck.alertSinks.editor {#security-deck-alertSinks-editor}

The `security-deck.alertSinks.editor` role enables managing alert sinks, alerts, and comments in them.

Users with this role can:
* View info on [alert sinks](../security-deck/concepts/workspace.md#alert-sinks) and [access permissions](concepts/access-control/index.md) granted for them.
* Create, use, modify, and delete alert sinks.
* View info on [alerts](../security-deck/concepts/alerts.md) and access permissions granted for them.
* View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.
* Create, modify, and delete alerts.
* View the list of comments to alerts, as well as create, modify, and delete such comments.

This role includes the `security-deck.alertSinks.viewer` and `security-deck.alertSinks.user` permissions.

#### security-deck.alertSinks.admin {#security-deck-alertSinks-admin}

The `security-deck.alertSinks.admin` role enables managing alert sinks and alerts, as well as access to them.

Users with this role can:
* View info on [alert sinks](../security-deck/concepts/workspace.md#alert-sinks), as well as create, use, modify, and delete them.
* View info on [access permissions](concepts/access-control/index.md) granted for alert sinks and modify such permissions.
* View info on [alerts](../security-deck/concepts/alerts.md), as well as create, modify, and delete them.
* View info on access permissions granted for alerts and modify such permissions.
* View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.
* View the list of comments to alerts, as well as create, modify, and delete such comments.

This role includes the `security-deck.alertSinks.editor` permissions.

For more information, see [Access management in Alerts](../security-deck/security/alerts-roles.md).


## Yandex Serverless Containers {#serverless-containers-roles}

#### serverless-containers.auditor {#serverless-containers-auditor}

The `serverless-containers.auditor` role enables viewing info on [containers](../serverless-containers/concepts/container.md), except for the info on the [revision](../serverless-containers/concepts/container.md#revision) [environment variables](../serverless-containers/concepts/runtime.md#environment-variables).

#### serverless-containers.viewer {#serverless-containers-viewer}

The `serverless-containers.viewer` role enables viewing info on containers, as well as on the relevant cloud and folder.

Users with this role can:
* View info on [containers](../serverless-containers/concepts/container.md), including the [revision](../serverless-containers/concepts/container.md#revision) [environment variables](../serverless-containers/concepts/runtime.md#environment-variables).
* View info on granted [access permissions](concepts/access-control/index.md) to containers.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `serverless-containers.auditor` permissions.

#### serverless-containers.editor {#serverless-containers-editor}

The `serverless-containers.editor` role enables managing containers and viewing info on them, as well as on the relevant cloud and folder.

Users with this role can:
* Create, invoke, modify, and delete [containers](../serverless-containers/concepts/container.md).
* View info on containers, including the [revision](../serverless-containers/concepts/container.md#revision) [environment variables](../serverless-containers/concepts/runtime.md#environment-variables), as well as on the granted [access permissions](concepts/access-control/index.md) to containers.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `serverless-containers.viewer` permissions.

#### serverless-containers.admin {#serverless-containers-admin}

The `serverless-containers.admin` role enables managing containers and access to them, as well as viewing info on containers and the relevant cloud and folder.

Users with this role can:
* Create, invoke, modify, and delete [containers](../serverless-containers/concepts/container.md).
* View info on granted [access permissions](concepts/access-control/index.md) to containers and modify such permissions.
* View info on containers, including the [revision](../serverless-containers/concepts/container.md#revision) [environment variables](../serverless-containers/concepts/runtime.md#environment-variables).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `serverless-containers.editor` permissions.

#### serverless-containers.containerInvoker {#serverless-containers-containerinvoker}

The `serverless-containers.containerInvoker` role enables invoking [containers](../serverless-containers/concepts/container.md).

#### serverless.containers.viewer {#serverless-containers-viewer-deprecated}

The `serverless.containers.viewer` role enables viewing info on containers, as well as on the relevant cloud and folder.

Users with this role can:
* View info on containers, including the revision environment variables.
* View info on granted access permissions to containers.
* View info on the relevant cloud.
* View info on the relevant folder.

This role is no longer available. Please use `serverless-containers.viewer` instead.

#### serverless.containers.editor {#serverless-containers-editor-deprecated}

The `serverless.containers.editor` role enables managing containers and viewing info on them, as well as on the relevant cloud and folder.

Users with this role can:
* Create, invoke, modify, and delete containers.
* View info on containers, including the revision environment variables, as well as on the granted access permissions to containers.
* View info on the relevant cloud.
* View info on the relevant folder.

This role is no longer available. Please use `serverless-containers.editor` instead.

#### serverless.containers.admin {#serverless-containers-admin-deprecated}

The `serverless.containers.admin` role enables managing containers and access to them, as well as viewing info on containers and the relevant cloud and folder.

Users with this role can:
* Create, invoke, modify, and delete containers.
* View info on granted access permissions to containers and modify such permissions.
* View info on containers, including the revision environment variables.
* View info on the relevant cloud.
* View info on the relevant folder.

This role is no longer available. Please use `serverless-containers.admin` instead.

#### serverless.containers.invoker {#serverless-containers-invoker-deprecated}

The `serverless.containers.invoker` role enables invoking containers.

This role is no longer available. Please use `serverless-containers.containerInvoker` instead.

For more information, see [Access management in Serverless Containers](../serverless-containers/security/index.md).


## Yandex Serverless Integrations {#serverless-integrations-roles}

### Yandex EventRouter service roles {#eventrouter-roles}

#### serverless.eventrouter.auditor {#serverless-eventrouter-auditor}

The `serverless.eventrouter.auditor` role enables viewing info on [buses](../serverless-integrations/concepts/eventrouter/rule.md), [connectors](../serverless-integrations/concepts/eventrouter/rule.md), and [rules](../serverless-integrations/concepts/eventrouter/rule.md), as well as [access permissions](../serverless-integrations/concepts/eventrouter/rule.md) granted for them.

#### serverless.eventrouter.viewer {#serverless-eventrouter-viewer}

The `serverless.eventrouter.viewer` role enables viewing info on [buses](../serverless-integrations/concepts/eventrouter/connector.md), [connectors](../serverless-integrations/concepts/eventrouter/connector.md), and [rules](../serverless-integrations/concepts/eventrouter/connector.md), as well as [access permissions](../serverless-integrations/concepts/eventrouter/connector.md) granted for them.

This role includes the `serverless.eventrouter.auditor` permissions.

#### serverless.eventrouter.supplier {#serverless-eventrouter-supplier}

The `serverless.eventrouter.supplier` enables sending user events to buses and transmitting audit events.

Users with this role can:
* Send user events to [buses](../serverless-integrations/concepts/eventrouter/bus.md) using the [EventService/Send](../serverless-integrations/eventrouter/api-ref/grpc/Event/send.md) gRPC API call.
* Send user events to buses using the [EventService/Put](../serverless-integrations/eventrouter/api-ref/grpc/Event/put.md) gRPC API call.
* Transmit audit events.

#### serverless.eventrouter.editor {#serverless-eventrouter-editor}

The `serverless.eventrouter.editor` role enables managing buses, connectors, and rules, as well as sending user and audit events to buses.

Users with this role can:
* View info on [buses](../serverless-integrations/concepts/eventrouter/bus.md) and [access permissions](concepts/access-control/index.md) granted for them, as well as create, modify, and delete buses.
* View info on [connectors](concepts/access-control/index.md) and access permissions granted for them, as well as create, modify, and delete connectors.
* View info on [rules](concepts/access-control/index.md) and access permissions granted for them, as well as create, modify, and delete rules.
* Send user events to buses using the [EventService/Send](../serverless-integrations/eventrouter/api-ref/grpc/Event/send.md) gRPC API call.
* Send user events to buses using the [EventService/Put](../serverless-integrations/eventrouter/api-ref/grpc/Event/put.md) gRPC API call.
* Transmit audit events.

This role includes the `serverless.eventrouter.viewer` and `serverless.eventrouter.supplier` permissions.

#### serverless.eventrouter.admin {#serverless-eventrouter-admin}

The `serverless.eventrouter.admin` role enables managing buses, connectors, rules, and access to them, as well as sending user and audit events to buses.

Users with this role can:
* View info on [buses](../serverless-integrations/concepts/eventrouter/bus.md) as well as create, modify, and delete them.
* View info on [access permissions](concepts/access-control/index.md) granted for buses and modify such permissions.
* View info on [connectors](concepts/access-control/index.md) as well as create, modify, and delete them.
* View info on access permissions granted for connectors and modify such permissions.
* View info on [rules](../serverless-integrations/concepts/eventrouter/rule.md) as well as create, modify, and delete them.
* View info on access permissions granted for rules and modify such permissions.
* Send user events to buses using the [EventService/Send](../serverless-integrations/eventrouter/api-ref/grpc/Event/send.md) gRPC API call.
* Send user events to buses using the [EventService/Put](../serverless-integrations/eventrouter/api-ref/grpc/Event/put.md) gRPC API call.
* Transmit audit events.
* View info on the EventRouter [quotes](../serverless-integrations/concepts/limits.md#eventrouter).

This role includes the `serverless.eventrouter.editor` permissions.

Learn more in [Access management in EventRouter](../serverless-integrations/security/eventrouter.md).

### Yandex Workflows service roles {#workflows-roles}

#### serverless.workflows.auditor {#serverless-workflows-auditor}

The `serverless.workflows.auditor` role enables viewing info on [workflows](../serverless-integrations/concepts/limits.md#workflows) and [access permissions](concepts/access-control/index.md) assigned to them, viewing the history of workflow [executions](../serverless-integrations/concepts/limits.md#workflows), as well as info on Yandex Workflows [quotas](../serverless-integrations/concepts/limits.md#workflows).

#### serverless.workflows.viewer {#serverless-workflows-viewer}

The `serverless.workflows.viewer` role enables viewing info on [workflows](../serverless-integrations/concepts/limits.md#workflows) and [access permissions](concepts/access-control/index.md) assigned to them, viewing the history of workflow [executions](../serverless-integrations/concepts/limits.md#workflows), as well as info on Yandex Workflows [quotas](../serverless-integrations/concepts/limits.md#workflows).

This role includes the `serverless.workflows.auditor` permissions.

#### serverless.workflows.executor {#serverless-workflows-executor}

The `serverless.workflows.executor` role enables executing, pausing, resuming, and stopping [workflows](../serverless-integrations/concepts/workflows/workflow.md).

#### serverless.workflows.editor {#serverless-workflows-editor}

The `serverless.workflows.editor` role enables managing workflows.

Users with this role can:
* View info on [workflows](../serverless-integrations/concepts/workflows/workflow.md) and [access permissions](concepts/access-control/index.md) assigned to them;
* Create, update, and delete workflows.
* Execute, pause, resume, and stop workflows.
* View the history of workflow [executions](../serverless-integrations/concepts/workflows/execution.md).
* View info on Yandex Workflows [quotas](../serverless-integrations/concepts/limits.md#workflows).

This role includes the `serverless.workflows.viewer` and `serverless.workflows.executor` permissions.

#### serverless.workflows.admin {#serverless-workflows-admin}

The `serverless.workflows.admin` role enables managing workflows.

Users with this role can:
* View info on [workflows](../serverless-integrations/concepts/workflows/workflow.md) as well as create, update, and delete them.
* View info on [access permissions](concepts/access-control/index.md) assigned to workflows and modify such permissions.
* Execute, pause, resume, and stop workflows.
* View the history of workflow [executions](../serverless-integrations/concepts/workflows/execution.md).
* View info on Yandex Workflows [quotas](../serverless-integrations/concepts/limits.md#workflows).

This role includes the `serverless.workflows.editor` permissions.

Learn more in [Access management in Workflows](../serverless-integrations/security/workflows.md).


## Yandex SIEM {#yandex-siem-roles}

#### ycem.inspector {#ycem-inspector}

The `ycem.inspector` role enables managing queries, investigations, and datasets.

{% cut "Users with this role can:" %}

* View info on [investigations](../yandex-siem/concepts/investigations.md), as well as create, update, delete, and conduct them.
* View info on [datasets](../yandex-siem/concepts/investigations.md#datasets-schema), as well as create, update, and delete them.
* View info on [queries](../yandex-siem/concepts/queries.md), as well as create, update, delete, and run them.
* View info on Yandex SIEM [instances](../yandex-siem/concepts/index.md).

{% endcut %}

#### ycem.executor {#ycem-executor}

The `ycem.executor` role enables managing queries, investigations, datasets, and correlation rules.

{% cut "Users with this role can:" %}

* View info on [investigations](../yandex-siem/concepts/investigations.md), as well as create, update, delete, and conduct them.
* View info on [datasets](../yandex-siem/concepts/investigations.md#datasets-schema) and their contents, as well as create, update, and delete datasets.
* View info on [queries](../yandex-siem/concepts/queries.md), as well as create, update, delete, and run them.
* View info on [correlation rules](../yandex-siem/concepts/correlation-rules.md#correlation-rules) and update them.
* View info on [exceptions](../yandex-siem/concepts/correlation-rules.md#exceptions) and the list of queries that use these exceptions.
* View info on Yandex SIEM [instances](../yandex-siem/concepts/index.md) and their components.

{% endcut %}

This role includes the `ycem.inspector` permissions.

For more information, see [Access management in Yandex SIEM](../yandex-siem/security/index.md).


## Yandex SmartCaptcha {#captcha-roles}

#### smart-captcha.auditor {#smart-captcha-auditor}

The `smart-captcha.auditor` role enables viewing info on [CAPTCHAs](../smartcaptcha/concepts/validation.md) and [access permissions](concepts/access-control/index.md) assigned to them.

#### smart-captcha.viewer {#smart-captcha-viewer}

The `smart-captcha.viewer` role enables viewing info on [CAPTCHAs](../smartcaptcha/concepts/validation.md) and [access permissions](concepts/access-control/index.md) assigned to them, as well as getting CAPTCHA [keys](../smartcaptcha/concepts/keys.md).

This role includes the `smart-captcha.auditor` permissions.

#### smart-captcha.editor {#smart-captcha-editor}

The `smart-captcha.editor` role enables you to manage CAPTCHAs, view info on them, and get CAPTCHA keys.

Users with this role can:
* View info on [CAPTCHAs](../smartcaptcha/concepts/validation.md) and create, modify, and delete them.
* View info on CAPTCHA [access permissions](concepts/access-control/index.md).
* Get [CAPTCHA keys](../smartcaptcha/concepts/keys.md).

This role includes the `smart-captcha.viewer` permissions.

#### smart-captcha.admin {#smart-captcha-admin}

The `smart-captcha.admin` role enables managing CAPTCHAs and access to them, as well as getting CAPTCHA keys.

Users with this role can:
* View info on [CAPTCHAs](../smartcaptcha/concepts/validation.md) and create, modify, and delete them.
* View info on [access permissions](concepts/access-control/index.md) assigned for CAPTCHAs and modify such permissions.
* Get [CAPTCHA keys](../smartcaptcha/concepts/keys.md).

This role includes the `smart-captcha.editor` permissions.

For more information, see [Access management in SmartCaptcha](../smartcaptcha/security/index.md).


## Yandex Smart Web Security {#sws-roles}

#### smart-web-security.auditor {#smart-web-security-auditor}

The `smart-web-security.auditor` role enables viewing info on Smart Web Security resources, as well as on the relevant cloud and folder.

Users with this role can:
* View info on [security profiles](../smartwebsecurity/concepts/profiles.md).
* View the list of [resources](../smartwebsecurity/operations/host-connect.md) to which a security profile is connected.
* View info on [WAF profiles](../smartwebsecurity/concepts/waf.md).
* View info on [ARL profiles](../smartwebsecurity/concepts/arl.md).
* View info on [proxy servers](../smartwebsecurity/concepts/domain-protect.md#proxy).
* View info on [lists](../smartwebsecurity/concepts/lists.md).
* View info on [response page templates](../smartwebsecurity/concepts/response-templates.md).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

To assign the `smart-web-security.auditor` role, you need the `admin` role for the cloud or `smart-web-security.admin` for the folder.

#### smart-web-security.viewer {#smart-web-security-viewer}

The `smart-web-security.viewer` role enables viewing info on Smart Web Security resources, as well as on the relevant cloud and folder.

Users with this role can:
* View info on [security profiles](../smartwebsecurity/concepts/profiles.md).
* View the list of [resources](../smartwebsecurity/operations/host-connect.md) to which a security profile is connected.
* View info on [WAF profiles](../smartwebsecurity/concepts/waf.md).
* View info on [ARL profiles](../smartwebsecurity/concepts/arl.md).
* View info on [proxy servers](../smartwebsecurity/concepts/domain-protect.md#proxy).
* View info on [lists](../smartwebsecurity/concepts/lists.md).
* View info on [response page templates](../smartwebsecurity/concepts/response-templates.md).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `smart-web-security.auditor` permissions.

To assign the `smart-web-security.viewer` role, you need the `admin` role for the cloud or `smart-web-security.admin` for the folder.

#### smart-web-security.user {#smart-web-security-user}

The `smart-web-security.user` role enables viewing info on Smart Web Security resources, as well as connecting such security profiles to protected resources.

Users with this role can:
* View info on [security profiles](../smartwebsecurity/concepts/profiles.md) in Smart Web Security and connect them to protected resources.
* View the list of [resources](../smartwebsecurity/operations/host-connect.md) to which a security profile is connected.
* View info on [WAF profiles](../smartwebsecurity/concepts/waf.md).
* View info on [ARL profiles](../smartwebsecurity/concepts/arl.md).
* View info on [proxy servers](../smartwebsecurity/concepts/domain-protect.md#proxy).
* View info on [lists](../smartwebsecurity/concepts/lists.md).
* View info on [response page templates](../smartwebsecurity/concepts/response-templates.md).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `smart-web-security.viewer` permissions.

To assign the `smart-web-security.user` role, you need the `admin` role for the cloud or `smart-web-security.admin` for the folder.

#### smart-web-security.editor {#smart-web-security-editor}

The `smart-web-security.editor` role enables using Smart Web Security resources and managing them.

Users with this role can:
* View info on [security profiles](../smartwebsecurity/concepts/profiles.md) in Smart Web Security, create, modify, and delete them, as well as connect such security profiles to protected resources.
* View the list of [resources](../smartwebsecurity/operations/host-connect.md) to which a security profile is connected.
* View info on [WAF profiles](../smartwebsecurity/concepts/waf.md), as well as create, modify, use, and delete them.
* View info on [ARL profiles](../smartwebsecurity/concepts/arl.md), as well as create, modify, use, and delete them.
* View info on [proxy servers](../smartwebsecurity/concepts/domain-protect.md#proxy), as well as create, modify, and delete them.
* View info on [lists](../smartwebsecurity/concepts/lists.md), as well as create, modify, use, and delete them.
* View info on [response page templates](../smartwebsecurity/concepts/response-templates.md), as well as create, modify, use, and delete them.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `smart-web-security.user` permissions.

To enable or disable [logging](../smartwebsecurity/concepts/logging.md) in a security profile, you also need the `logging.writer` role or higher for the [log group](../logging/concepts/log-group.md) to which logs are transferred.

To assign the `smart-web-security.editor` role, you need the `admin` role for the cloud or `smart-web-security.admin` for the folder.

#### smart-web-security.admin {#smart-web-security-admin}

The `smart-web-security.admin` role enables using Smart Web Security resources and managing them.

Users with this role can:
* View info on [security profiles](../smartwebsecurity/concepts/profiles.md) in Smart Web Security, create, modify, and delete them, as well as connect such security profiles to protected resources.
* View the list of [resources](../smartwebsecurity/operations/host-connect.md) to which a security profile is connected.
* View info on [WAF profiles](../smartwebsecurity/concepts/waf.md), as well as create, modify, use, and delete them.
* View info on [ARL profiles](../smartwebsecurity/concepts/arl.md), as well as create, modify, use, and delete them.
* View info on [proxy servers](../smartwebsecurity/concepts/domain-protect.md#proxy), as well as create, modify, and delete them.
* View info on [lists](../smartwebsecurity/concepts/lists.md), as well as create, modify, use, and delete them.
* View info on [response page templates](../smartwebsecurity/concepts/response-templates.md), as well as create, modify, use, and delete them.
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `smart-web-security.editor` permissions.

To enable or disable [logging](../smartwebsecurity/concepts/logging.md) in a security profile, you also need the `logging.writer` role or higher for the [log group](../logging/concepts/log-group.md) to which logs are transferred.

To assign the `smart-web-security.admin` role, you need the `admin` role for the cloud.

For more information, see [Access management in Smart Web Security](../smartwebsecurity/security/index.md).


## Yandex SpeechKit {#speechkit-roles}

#### ai.speechkit-stt.user {#ai-speechkit-stt-user}

The `ai.speechkit-stt.user` role allows you to use Yandex SpeechKit for [speech recognition](https://aistudio.yandex.ru/docs/en/speechkit/stt/), as well as view info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../resource-manager/concepts/resources-hierarchy.md#folder), and [quotas](https://aistudio.yandex.ru/docs/en/speechkit/concepts/limits#speechkit-quotas).

#### ai.speechkit-tts.user {#ai-speechkit-tts-user}

The `ai.speechkit-tts.user` role allows you to use Yandex SpeechKit for [speech synthesis](https://aistudio.yandex.ru/docs/en/speechkit/tts/), as well as view info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../resource-manager/concepts/resources-hierarchy.md#folder), and [quotas](https://aistudio.yandex.ru/docs/en/speechkit/concepts/limits#speechkit-quotas).

Learn more in [Access management in SpeechKit](https://aistudio.yandex.ru/docs/en/speechkit/security/index).


## Yandex SpeechSense {#speechsense-roles}

#### speech-sense.auditor {#speechsense-auditor}

The `speech-sense.auditor` role enables you to view names, descriptions, and lists of members of a [project](https://aistudio.yandex.ru/docs/en/speechsense/concepts/resources-hierarchy#project) or a [space](https://aistudio.yandex.ru/docs/en/speechsense/concepts/resources-hierarchy#space) with all of its projects. The role does not provide access to project data.

#### speech-sense.viewer {#speechsense-viewer}

The `speech-sense.viewer` role enables you to view [project](https://aistudio.yandex.ru/docs/en/speechsense/concepts/resources-hierarchy#project) or [space](https://aistudio.yandex.ru/docs/en/speechsense/concepts/resources-hierarchy#space) characteristics, the list of their members, [connections](https://aistudio.yandex.ru/docs/en/speechsense/concepts/resources-hierarchy#connection), and dashboards.

This role includes the `speech-sense.auditor` permissions.

#### speech-sense.editor {#speechsense-editor}

The `speech-sense.editor` role enables you to edit a [project](https://aistudio.yandex.ru/docs/en/speechsense/concepts/resources-hierarchy#project), its description, dashboards, and alerts, create and edit its classifiers, and run analyses. When assigned for a [space](https://aistudio.yandex.ru/docs/en/speechsense/concepts/resources-hierarchy#space), the role allows you to edit the space and create projects, [connections](https://aistudio.yandex.ru/docs/en/speechsense/concepts/resources-hierarchy#connection), and [dictionaries](https://aistudio.yandex.ru/docs/en/speechsense/concepts/dictionaries) within it.

This role includes the `speech-sense.viewer` and `speech-sense.spaces.creator` permissions.

#### speech-sense.admin {#speechsense-admin}

The `speech-sense.admin` role assigned for a [space](https://aistudio.yandex.ru/docs/en/speechsense/concepts/resources-hierarchy#space) or [project](https://aistudio.yandex.ru/docs/en/speechsense/concepts/resources-hierarchy#project) enables you to perform any action in them: view [dialogs](https://aistudio.yandex.ru/docs/en/speechsense/concepts/dialogs), edit [connections](https://aistudio.yandex.ru/docs/en/speechsense/concepts/resources-hierarchy#connection), or run [analyses](https://aistudio.yandex.ru/docs/en/speechsense/concepts/assistants#analysis). The role grants permission to assign roles to other users.

This role includes the `speech-sense.editor` and `speech-sense.data.editor` permissions.

#### speech-sense.spaces.creator {#speechsense-spaces-creator}

The `speech-sense.spaces.creator` role allows you to create [spaces](https://aistudio.yandex.ru/docs/en/speechsense/concepts/resources-hierarchy#space) in SpeechSense.

#### speech-sense.data.viewer {#speechsense-data-viewer}

The `speech-sense.data.viewer` role allows you to view a project's name or description, the list of [connections](https://aistudio.yandex.ru/docs/en/speechsense/concepts/resources-hierarchy#connection), dashboards, and [project](https://aistudio.yandex.ru/docs/en/speechsense/concepts/resources-hierarchy#project) members. It also enables you to search inside documents, listen to [dialogs](https://aistudio.yandex.ru/docs/en/speechsense/concepts/dialogs), and view their text [transcripts](https://aistudio.yandex.ru/docs/en/speechsense/concepts/dialogs#contents). When assigned for a [space](https://aistudio.yandex.ru/docs/en/speechsense/concepts/resources-hierarchy#space), this role enables you to view all of its projects without editing them.

#### speech-sense.data.editor {#speechsense-data-editor}

The `speech-sense.data.editor` role enables you to upload [dialogs](https://aistudio.yandex.ru/docs/en/speechsense/concepts/dialogs) to [project](https://aistudio.yandex.ru/docs/en/speechsense/concepts/resources-hierarchy#project) or [space](https://aistudio.yandex.ru/docs/en/speechsense/concepts/resources-hierarchy#space) [connections](https://aistudio.yandex.ru/docs/en/speechsense/concepts/resources-hierarchy#connection), evaluate these dialogs, and comment on them in the system.

This role includes the `speech-sense.data.viewer` permissions.

Users with roles like `speech-sense.data.*` can view and rate the contents of documents but do not have access to aggregate information.

For more information, see [Access management in Yandex SpeechSense](https://aistudio.yandex.ru/docs/en/speechsense/security/).


## Yandex Translate {#translate-roles}

#### ai.translate.user {#translate-user}

The `ai.translate.user` role allows you to use Yandex Translate to [translate texts](https://aistudio.yandex.ru/docs/en/translate/quickstart), as well as view info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../resource-manager/concepts/resources-hierarchy.md#folder), and [quotas](https://aistudio.yandex.ru/docs/en/translate/concepts/limits#translate-quotas).

Learn more in [Access management in Translate](https://aistudio.yandex.ru/docs/en/translate/security/index).


## Yandex Virtual Private Cloud {#vpc-roles}

#### vpc.auditor {#vpc-auditor}

The `vpc.auditor` roles allows you to view service metadata, including information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on service quotas and resource operations.

{% cut "Users with this role can:" %}

* View the list of [cloud networks](../vpc/concepts/network.md#network) and the info on them.
* View the list of [subnets](../vpc/concepts/network.md#subnet) and info on them.
* View the list of [cloud resource addresses](../vpc/concepts/address.md) and the info on them.
* View the list of [route tables](../vpc/concepts/routing.md#rt-vpc) and the info on them.
* View the list of [security groups](../vpc/concepts/security-groups.md) and the info on them.
* View information on [NAT gateways](../vpc/concepts/gateways.md).
* View information on the IP addresses used in subnets.
* View information on Virtual Private Cloud [quotas](../vpc/concepts/limits.md#vpc-quotas).
* View information on resource operations for Virtual Private Cloud.
* View information on resource operations for Compute Cloud.
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

#### vpc.viewer {#vpc-viewer}

The `vpc.viewer` role allows you to view information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on the quotas and resource operations.

{% cut "Users with this role can:" %}

* View the list of [cloud networks](../vpc/concepts/network.md#network) and the info on them.
* View the list of [subnets](../vpc/concepts/network.md#subnet) and info on them.
* View the list of [cloud resource addresses](../vpc/concepts/address.md) and the info on them.
* View the list of [route tables](../vpc/concepts/routing.md#rt-vpc) and the info on them.
* View the list of [security groups](../vpc/concepts/security-groups.md) and the info on them.
* View information on [NAT gateways](../vpc/concepts/gateways.md).
* View information on the IP addresses used in subnets.
* View information on Virtual Private Cloud [quotas](../vpc/concepts/limits.md#vpc-quotas).
* View information on resource operations for Virtual Private Cloud.
* View information on resource operations for Compute Cloud.
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `vpc.auditor` permissions.

#### vpc.user {#vpc-user}

The `vpc.user` role allows you to use cloud networks, subnets, route tables, gateways, security groups, and IP addresses, get information on these resources, as well as on the quotas and resource operations.

{% cut "Users with this role can:" %}

* View the list of [cloud networks](../vpc/concepts/network.md#network) and info on them, as well as use them.
* View the list of [subnets](../vpc/concepts/network.md#subnet) and info on them, as well as use them.
* View the list of [cloud resource addresses](../vpc/concepts/address.md) and info on them, as well as use such addresses.
* View the list of [route tables](../vpc/concepts/routing.md#rt-vpc) and info on them, as well as use them.
* View the list of [security groups](../vpc/concepts/security-groups.md) and info on them, as well as use them.
* View information on [NAT gateways](../vpc/concepts/gateways.md) and connect them to route tables.
* View information on the IP addresses used in subnets.
* View information on Virtual Private Cloud [quotas](../vpc/concepts/limits.md#vpc-quotas).
* View information on resource operations for Virtual Private Cloud.
* View information on resource operations for Compute Cloud.
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `vpc.viewer` permissions.

#### vpc.externalAddresses.user {#vpc-externalAddresses-user}

The `vpc.externalAddresses.user` role allows you to view the list of [private](../vpc/concepts/address.md#internal-addresses) and [public](../vpc/concepts/address.md#public-addresses) addresses of the cloud resources; it also enables viewing info on such addresses, using them, and managing the external network connectivity.

#### vpc.admin {#vpc-admin}

The `vpc.admin` role allows you to manage cloud networks, subnets, route tables, NAT gateways, security groups, internal and public IP addresses, as well as external network connectivity.

{% cut "Users with this role can:" %}

* View the list of [cloud networks](../vpc/concepts/network.md#network) and info on them, as well as create, modify, and delete them.
* Configure external access to cloud networks.
* Manage connectivity of multiple cloud networks.
* Manage multi-interface instances that provide connectivity between multiple networks.
* View the list of [subnets](../vpc/concepts/network.md#subnet) and info on them, as well as create, modify, and delete them.
* View the list of [route tables](../vpc/concepts/routing.md#rt-vpc) and info on them, as well as create, modify, and delete them.
* Link route tables to subnets.
* View information on [NAT gateways](../vpc/concepts/gateways.md), as well as create, modify, and delete them.
* View the list of [security groups](../vpc/concepts/security-groups.md) and info on them, as well as create, modify, and delete them.
* Create and delete default security groups in [cloud networks](../vpc/concepts/network.md#network).
* Create and delete security group [rules](../vpc/concepts/security-groups.md#security-groups-rules), as well as edit their metadata.
* Configure [DHCP](../vpc/concepts/dhcp-options.md) in subnets.
* View the list of [cloud resource addresses](../vpc/concepts/address.md) and info on them, as well as create, update, and delete internal and public IP addresses.
* View information on the IP addresses used in subnets.
* View information on Virtual Private Cloud [quotas](../vpc/concepts/limits.md#vpc-quotas).
* View information on resource operations for Virtual Private Cloud.
* View information on resource operations for Compute Cloud.
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `vpc.privateAdmin`, `vpc.publicAdmin`, and `vpc.securityGroups.admin` permissions.

#### vpc.bridgeAdmin {#vpc-bridge-admin}

The `vpc.bridgeAdmin` role allows you to use subnets and manage connectivity of multiple cloud networks. This role also allows you to view information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on service quotas and resource operations.

{% cut "Users with this role can:" %}

* Manage connectivity of multiple cloud networks.
* View the list of [subnets](../vpc/concepts/network.md#subnet) and info on them, as well as use them.
* View the list of [cloud networks](../vpc/concepts/network.md#network) and the info on them.
* View the list of [cloud resource addresses](../vpc/concepts/address.md) and the info on them.
* View the list of [route tables](../vpc/concepts/routing.md#rt-vpc) and the info on them.
* View the list of [security groups](../vpc/concepts/security-groups.md) and the info on them.
* View information on [NAT gateways](../vpc/concepts/gateways.md).
* View information on the IP addresses used in subnets.
* View information on Virtual Private Cloud [quotas](../vpc/concepts/limits.md#vpc-quotas).
* View information on resource operations for Virtual Private Cloud.
* View information on resource operations for Compute Cloud.
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `vpc.viewer` permissions.

#### vpc.privateAdmin {#vpc-private-admin}

The `vpc.privateAdmin` role allows you to manage cloud networks, subnets, and route tables, as well as view information on the quotas, resources, and resource operations. This role also allows you to manage connectivity within Yandex Cloud, while it does not allow doing so from the internet.

{% cut "Users with this role can:" %}

* View the list of [cloud networks](../vpc/concepts/network.md#network) and info on them, as well as create, modify, and delete them.
* View the list of [subnets](../vpc/concepts/network.md#subnet) and info on them, as well as create, modify, and delete them.
* View the list of [route tables](../vpc/concepts/routing.md#rt-vpc) and info on them, as well as create, modify, and delete them.
* Link route tables to subnets.
* View the list of [security groups](../vpc/concepts/security-groups.md) and info on them, as well as create default security groups within cloud networks.
* Configure [DHCP](../vpc/concepts/dhcp-options.md) in subnets.
* View the list of [cloud resource addresses](../vpc/concepts/address.md) and info on them, as well as create internal IP addresses.
* View information on [NAT gateways](../vpc/concepts/gateways.md).
* View information on the IP addresses used in subnets.
* View information on Virtual Private Cloud [quotas](../vpc/concepts/limits.md#vpc-quotas).
* View information on resource operations for Virtual Private Cloud.
* View information on resource operations for Compute Cloud.
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `vpc.viewer` permissions.

#### vpc.publicAdmin {#vpc-public-admin}

The `vpc.publicAdmin` role allows you to manage NAT gateways, public IP addresses, and external network connectivity, as well as view information on the quotas, resources, and resource operations. This role grants administrator privileges for multi-interface instances that provide connectivity between multiple networks.

{% cut "Users with this role can:" %}

* View the list of [cloud networks](../vpc/concepts/network.md#network) and info on them, as well as set up external access to them.
* Manage connectivity of multiple cloud networks.
* Manage multi-interface instances that provide connectivity between multiple networks.
* View the list of [subnets](../vpc/concepts/network.md#subnet) and info on them, as well as modify them.
* View information on [NAT gateways](../vpc/concepts/gateways.md), as well as create, modify, and delete them.
* View the list of [cloud resource addresses](../vpc/concepts/address.md) and info on them, as well as create, update, and delete public IP addresses.
* View the list of [route tables](../vpc/concepts/routing.md#rt-vpc) and info on them, as well as link them to subnets.
* View the list of [security groups](../vpc/concepts/security-groups.md) and the info on them.
* View information on the IP addresses used in subnets.
* View information on Virtual Private Cloud [quotas](../vpc/concepts/limits.md#vpc-quotas).
* View information on resource operations for Virtual Private Cloud.
* View information on resource operations for Compute Cloud.
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `vpc.viewer` permissions.

You can assign a role for a cloud or folder.

{% note warning %}

If a network and subnet are in different folders, the `vpc.publicAdmin` role is checked for the folder where the network is located.

{% endnote %}

#### vpc.gateways.viewer {#vpc-gw-viewer}

The `vpc.gateways.viewer` role allows you to view information on [NAT gateways](../vpc/concepts/gateways.md).

#### vpc.gateways.user {#vpc-gw-user}

The `vpc.gateways.user` role allows you to view information on [NAT gateways](../vpc/concepts/gateways.md) and connect them to [route tables](../vpc/concepts/routing.md#rt-vpc).

#### vpc.gateways.editor {#vpc-gw-editor}

The `vpc.gateways.editor` role allows you to view information on [NAT gateways](../vpc/concepts/gateways.md), as well as create, modify, and delete them.

#### vpc.securityGroups.user {#vpc-sg-user}

The `vpc.securityGroups.user` role allows you to assign security groups to network interfaces and view information on the resources, quotas, and resource operations.

{% cut "Users with this role can:" %}

* Assign security groups to instance network interfaces.
* Get a list of [cloud networks](../vpc/concepts/network.md#network) and view information on them.
* Get a list of [subnets](../vpc/concepts/network.md#subnet) and view information on them.
* Get a list of [cloud resource addresses](../vpc/concepts/address.md) and view information on them.
* Get a list of [route tables](../vpc/concepts/routing.md#rt-vpc) and view information on them.
* Get a list of [security groups](../vpc/concepts/security-groups.md) and view information on them.
* View information on [NAT gateways](../vpc/concepts/gateways.md).
* View information on the IP addresses used in subnets.
* View information on Virtual Private Cloud [quotas](../vpc/concepts/limits.md#vpc-quotas).
* View information on resource operations for Virtual Private Cloud.
* View information on resource operations for Compute Cloud.
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `vpc.viewer` permissions.

#### vpc.securityGroups.admin {#vpc-sg-admin}

The `vpc.securityGroups.admin` role allows you to manage security groups and view information on the resources, quotas, and resource operations.

{% cut "Users with this role can:" %}

* View information on [security groups](../vpc/concepts/security-groups.md), as well as create, modify, and delete them.
* Create and delete default security groups in [cloud networks](../vpc/concepts/network.md#network).
* Create and delete security group [rules](../vpc/concepts/security-groups.md#security-groups-rules), as well as edit their metadata.
* Get a list of cloud networks and view information on them.
* Get a list of [subnets](../vpc/concepts/network.md#subnet) and view information on them.
* Get a list of [cloud resource addresses](../vpc/concepts/address.md) and view information on them.
* Get a list of [route tables](../vpc/concepts/routing.md#rt-vpc) and view information on them.
* View information on [NAT gateways](../vpc/concepts/gateways.md).
* View information on the IP addresses used in subnets.
* View information on Virtual Private Cloud [quotas](../vpc/concepts/limits.md#vpc-quotas).
* View information on resource operations for Virtual Private Cloud.
* View information on resource operations for Compute Cloud.
* View information on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud).
* View information on the relevant [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `vpc.viewer` permissions.

#### vpc.privateEndpoints.viewer {#vpc-privateEndpoints-viewer}

The `vpc.privateEndpoints.viewer` role enables viewing info on the [service connections](../vpc/concepts/private-endpoint.md).

#### vpc.privateEndpoints.editor {#vpc-privateEndpoints-editor}

The `vpc.privateEndpoints.editor` role enables viewing info on the [service connections](../vpc/concepts/private-endpoint.md), as well as creating, modifying, and deleting such connections.

This role includes the `vpc.privateEndpoints.viewer` permissions.

#### vpc.privateEndpoints.admin {#vpc-privateEndpoints-admin}

The `vpc.privateEndpoints.admin` role enables viewing info on the [service connections](../vpc/concepts/private-endpoint.md), as well as creating, modifying, and deleting such connections.

This role includes the `vpc.privateEndpoints.editor` permissions.

For more information, see [Access management in Virtual Private Cloud](../vpc/security/index.md).


## Yandex Vision OCR {#vision-roles}

#### ai.vision.user {#vision-user}

The `ai.vision.user` role allows you to use Yandex Vision OCR to [analyze images](https://aistudio.yandex.ru/docs/en/vision/concepts/ocr/), as well as view info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../resource-manager/concepts/resources-hierarchy.md#folder), and [quotas](https://aistudio.yandex.ru/docs/en/vision/concepts/limits#vision-quotas).

Learn more in [Access management in Vision OCR](https://aistudio.yandex.ru/docs/en/vision/security/index).


## Yandex WebSQL {#websql-roles}

#### websql.executedQueries.auditor {#websql-executedQueries-auditor}

The `websql.executedQueries.auditor` role enables viewing the metadata of a published query from the history as well as information on [access permissions](concepts/access-control/index.md) assigned to it.

#### websql.savedQueries.auditor {#websql-savedQueries-auditor}

The `websql.savedQueries.auditor` role enables viewing the metadata of a published saved query as well as information on [access permissions](concepts/access-control/index.md) assigned to it.

#### websql.executedQueries.viewer {#websql-executedQueries-viewer}

The `websql.executedQueries.viewer` role enables viewing info on a published query from the history and [access permissions](concepts/access-control/index.md) assigned to it.

This role includes the `websql.executedQueries.auditor` permissions.

#### websql.savedQueries.viewer {#websql-savedQueries-viewer}

The `websql.savedQueries.viewer` role enables viewing info on a published saved query and [access permissions](concepts/access-control/index.md) assigned to it.

This role includes the `websql.savedQueries.auditor` permissions.

#### websql.executedQueries.editor {#websql-executedQueries-editor}

The `websql.executedQueries.editor` role enables viewing info on a published query from the history and delete such a query.

Users with this role can:
* View info on a published query from the history and delete such a query.
* View info on the [access permissions](concepts/access-control/index.md) assigned to a published query from the history.

This role includes the `websql.executedQueries.viewer` permissions.

#### websql.savedQueries.editor {#websql-savedQueries-editor}

The `websql.savedQueries.editor` role enables modifying and deleting a published saved query. 

Users with this role can:
* View info on a published saved query, as well as modify and delete it.
* View info on the [access permissions](concepts/access-control/index.md) assigned to a published saved query.

This role includes the `websql.savedQueries.viewer` permissions.

#### websql.executedQueries.admin {#websql-executedQueries-admin}

The `websql.executedQueries.admin` role enables managing a published query from the history and access to such a query.

Users with this role can:
* View info on the [access permissions](concepts/access-control/index.md) assigned to a published query from the history and modify such permissions.
* View info on a published query from the history and delete such a query.

This role includes the `websql.executedQueries.editor` permissions.

#### websql.savedQueries.admin {#websql-savedQueries-admin}

The `websql.savedQueries.admin` role enables managing a published saved query and access to it.

Users with this role can:
* View info on the [access permissions](concepts/access-control/index.md) assigned to a published saved query and modify such permissions.
* View info on a published saved query, as well as modify and delete it.

This role includes the `websql.savedQueries.editor` permissions.

#### websql.auditor {#websql-auditor}

The `websql.auditor` role enables viewing the metadata of all published queries within WebSQL as well as information on [access permissions](concepts/access-control/index.md) assigned to them.

This role includes the `websql.savedQueries.auditor` and `websql.executedQueries.auditor` permissions.

#### websql.viewer {#websql-viewer}

The `websql.viewer` role enables viewing info on all published queries within WebSQL and access permissions assigned to them.

Users with this role can:
* View info on the published saved queries and [access permissions](concepts/access-control/index.md) assigned to them.
* View info on the published queries from the history and access permissions assigned to them.

This role includes the `websql.savedQueries.viewer` and `websql.executedQueries.viewer` permissions.

#### websql.user {#websql-user}

The `websql.user` role enables viewing info on the published queries within WebSQL, as well as create, modify, and delete such queries.

Users with this role can:
* View info on the published saved queries and [access permissions](concepts/access-control/index.md) assigned to them.
* Privately save queries and modify and delete privately saved queries.
* View info on the published queries from the history and access permissions assigned to them.
* Save the run queries to private history and delete them from history.

This role includes the `websql.viewer` permissions.

#### websql.editor {#websql-editor}

The `websql.editor` role enables managing published and private queries within WebSQL.

Users with this role can:
* View info on the published saved queries and [access permissions](concepts/access-control/index.md) assigned to them, as well as modify and delete such queries.
* Save queries privately, as well as modify, delete, and publish private saved queries.
* View info on the published queries from the history and access permissions assigned to them, as well as modify and delete such queries.
* Save the run queries to private history, as well publish private queries from the history and delete them.

This role includes the `websql.user`, `websql.savedQueries.editor`, and `websql.executedQueries.editor` permissions.

#### websql.admin {#websql-admin}

The `websql.admin` role enables managing private queries and publishing them, as well as manage published queries and access to those.

Users with this role can:
* View info on the [access permissions](concepts/access-control/index.md) assigned to the published saved queries and modify such permissions.
* View info on the published saved queries, as well as modify and delete them.
* Save queries privately, as well as modify, delete, and publish private saved queries.
* View info on the access permissions assigned to the published queries from the history and modify such permissions.
* View info on the published queries from the history and delete them.
* Save the run queries to private history, as well publish private queries from the history and delete them.

This role includes the `websql.editor`, `websql.savedQueries.admin`, and `websql.executedQueries.admin` permissions.

For more information, see [Access management in WebSQL](../websql/security/index.md).


## Yandex Wiki {#wiki-roles}

#### wiki.viewer {#wiki-viewer}

The `wiki.viewer` role is assigned for an organization.

It grants permission to view pages in the organization's Yandex Wiki.

#### wiki.admin {#wiki-admin}

The `wiki.admin` role is assigned for an organization.

It grants permission to edit pages, set up access rights for other users, edit the list of authors, and appoint a page's owner.

_ClickHouse® is a registered trademark of [ClickHouse, Inc](https://clickhouse.com)._