[Yandex Cloud documentation](../../index.md) > [Yandex Identity and Access Management](../index.md) > Access management

# Access management in Identity and Access Management

In this section, you will learn about:
* [Resources you can assign a role for](#resources).
* [Roles this service has](#roles-list).
* [Roles required](#choosing-roles) for specific actions.

## Access management {#about-access-control}

[Yandex Identity and Access Management](../index.md) checks all operations in Yandex Cloud. If an entity does not have required permissions, IAM returns an error.


To grant permissions for a resource, [assign](../operations/roles/grant.md) the relevant resource roles to an entity performing operations. You can assign roles to a [Yandex account](../concepts/users/accounts.md#passport), [service account](../concepts/users/service-accounts.md), [local user](../concepts/users/accounts.md#local), [federated user](../concepts/federations.md), [user group](../../organization/operations/manage-groups.md), [system group](../concepts/access-control/system-group.md), or [public group](../concepts/access-control/public-group.md). For more information, see [How access management works in Yandex Cloud](../concepts/access-control/index.md).

To assign a role for a resource, you need the `iam.admin` role or one of the following roles for that resource:

* `admin`
* `resource-manager.admin`
* `organization-manager.admin`
* `resource-manager.clouds.owner`
* `organization-manager.organizations.owner`

{% note info %}

Even if an [operation](../../api-design-guide/concepts/about-async.md) with resources pertaining to Yandex Cloud [services](../../overview/concepts/services.md) is allowed by a [role](../concepts/access-control/roles.md), it may still be blocked if the [organization](../../organization/concepts/organization.md), [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) is subject to an [access policy](../concepts/access-control/access-policies.md) prohibiting this operation.

{% endnote %}

## Resources supporting role assignment {#resources}

You can assign a role to an [organization](../../organization/concepts/organization.md), [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [folder](../../resource-manager/concepts/resources-hierarchy.md#folder). The roles assigned to organizations, clouds, and folders also apply to their nested resources.

You can also assign roles for individual resources within the service:

{% list tabs group=instructions %}

- Management console {#console}

  You can use the [management console](https://console.yandex.cloud) to assign roles for a [service account](../concepts/users/service-accounts.md).

- CLI {#cli}

  You can use the [Yandex Cloud CLI](../../cli/cli-ref/iam/cli-ref/index.md) to assign roles for the following resources:

  * [Service account](../concepts/users/service-accounts.md)
  * [Workload identity federation](../concepts/workload-identity.md)

- Terraform {#tf}

  You can use [Terraform](../../terraform/index.md) to assign roles for the following resources:

  * [Service account](../concepts/users/service-accounts.md)
  * [Workload identity federation](../concepts/workload-identity.md)

- API {#api}

  You can use the [Yandex Cloud](../api-ref/authentication.md) API to assign roles for the following resources:

  * [Service account](../concepts/users/service-accounts.md)
  * [Workload identity federation](../concepts/workload-identity.md)

{% endlist %}

## Roles this service has {#roles-list}

The chart below shows service’s roles and their permission inheritance. For example, `editor` inherits all `viewer` permissions. You can find role descriptions below the chart.

```mermaid
%%{
  init: {
    "flowchart": { "defaultRenderer": "elk" },
    "elk": { "nodePlacementStrategy": "NETWORK_SIMPLEX" }
  }
}%%
flowchart BT
    iam.serviceAccounts.admin ---> iam.admin
    iam.workloadIdentityFederations.admin["`iam.workloadIdentityFederations.
    admin`"]
    iam.workloadIdentityFederations.admin --> iam.admin
    iam.workloadIdentityFederations.user["`iam.workloadIdentityFederations.
    user`"]
    iam.workloadIdentityFederations.user --> iam.workloadIdentityFederations.admin
    iam.workloadIdentityFederations.editor["`iam.workloadIdentityFederations.
    editor`"]
    iam.workloadIdentityFederations.editor --> iam.workloadIdentityFederations.admin
    iam.workloadIdentityFederations.viewer["`iam.workloadIdentityFederations.
    viewer`"]    
    iam.workloadIdentityFederations.viewer --> iam.workloadIdentityFederations.editor
    iam.workloadIdentityFederations.auditor["`iam.workloadIdentityFederations.
    auditor`"]     
    iam.workloadIdentityFederations.auditor --> iam.workloadIdentityFederations.viewer
    iam.serviceAccounts.user["`iam.serviceAccounts.
    user`"]
    iam.serviceAccounts.user ---> iam.admin
    iam.editor ---> iam.admin
    iam.serviceAccounts.tokenCreator["`iam.serviceAccounts.
    tokenCreator`"]
    iam.serviceAccounts.tokenCreator --> iam.serviceAccounts.admin
    iam.serviceAccounts.authorizedKeyAdmin["`iam.serviceAccounts.
    authorizedKeyAdmin`"]
    iam.serviceAccounts.authorizedKeyAdmin --> iam.serviceAccounts.keyAdmin
    iam.serviceAccounts.apiKeyAdmin["`iam.serviceAccounts.
    apiKeyAdmin`"]
    iam.serviceAccounts.apiKeyAdmin --> iam.serviceAccounts.keyAdmin
    iam.serviceAccounts.ephemeralAccessKeyAdmin["`iam.serviceAccounts.
    ephemeralAccessKeyAdmin`"]
    iam.serviceAccounts.ephemeralAccessKeyAdmin --> iam.serviceAccounts.accessKeyAdmin
    iam.serviceAccounts.accessKeyAdmin["`iam.serviceAccounts.
    accessKeyAdmin`"]
    iam.serviceAccounts.accessKeyAdmin --> iam.serviceAccounts.keyAdmin
    iam.serviceAccounts.federatedCredentialEditor["`iam.serviceAccounts.
    federatedCredentialEditor`"]
    iam.serviceAccounts.federatedCredentialEditor --> iam.editor
    iam.serviceAccounts.federatedCredentialViewer["`iam.serviceAccounts.
    federatedCredentialViewer`"]
    iam.serviceAccounts.federatedCredentialViewer --> iam.serviceAccounts.federatedCredentialEditor
    iam.userAccounts.refreshTokenViewer["`iam.userAccounts.
    refreshTokenViewer`"]
    iam.userAccounts.refreshTokenViewer --> iam.editor
    iam.userAccounts.refreshTokenRevoker["`iam.userAccounts.
    refreshTokenRevoker`"]
    iam.userAccounts.refreshTokenRevoker --> iam.editor
    iam.viewer --> iam.editor
    iam.auditor --> iam.viewer
    iam.serviceAccounts.keyAdmin["`iam.serviceAccounts.
    keyAdmin`"]
    iam.serviceAccounts.keyAdmin --> iam.serviceAccounts.admin
```

### Service roles {#service-roles}

#### iam.serviceAccounts.user {#iam-serviceAccounts-user}

The `iam.serviceAccounts.user` role enables viewing the list of service accounts and info on them, as well as performing operations on behalf of a service account.

For example, if you specify a [service account](../concepts/users/accounts.md#sa) when creating an instance group, IAM will check whether you have a permission to use this service account.

#### iam.serviceAccounts.admin {#iam-serviceAccounts-admin}

The `iam.serviceAccounts.admin` role enables managing service accounts and access to them and their keys, as well as getting IAM tokens for service accounts.

Users with this role can:
* View the list of [service accounts](../concepts/users/accounts.md#sa) and info on them, as well as create, use, modify, and delete them.
* View info on [access permissions](../concepts/access-control/index.md) granted for service accounts and modify such permissions.
* Get [IAM tokens](../concepts/authorization/iam-token.md) for service accounts.
* View the list of service accounts' [API keys](../concepts/authorization/api-key.md) and info on them, as well as create, modify, and delete them.
* View the list of service accounts' [static access keys](../concepts/authorization/access-key.md) and info on them, as well as create, modify, and delete them.
* View info on service accounts' [authorized keys](../concepts/authorization/key.md), as well as create, modify, and delete them.
* Create [ephemeral access keys](../concepts/authorization/ephemeral-keys.md) for service accounts.
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) and its settings.

For some services, e.g., [Instance Groups](../../compute/concepts/instance-groups/index.md) or [Managed Service for Kubernetes](https://yandex.cloud/en/services/managed-kubernetes), you need a service account to perform operations. If you specified a service account in the request, IAM will check whether you have permissions to use this account.

#### iam.serviceAccounts.ephemeralAccessKeyAdmin {#iam-serviceAccounts-ephemeralAccessKeyAdmin}

The `iam.serviceAccounts.ephemeralAccessKeyAdmin` role enables creating [ephemeral access keys](../concepts/authorization/ephemeral-keys.md) for service accounts.

#### iam.serviceAccounts.accessKeyAdmin {#iam-serviceAccounts-accessKeyAdmin}

The `iam.serviceAccounts.accessKeyAdmin` role enables managing static and ephemeral access keys for service accounts.

Users with this role can:
* View the list of service accounts' [static access keys](../concepts/authorization/access-key.md) and info on them.
* Create, update, and delete static access keys for [service accounts](../concepts/users/accounts.md#sa).
* Create [ephemeral access keys](../concepts/authorization/ephemeral-keys.md) for service accounts.

This role includes the `iam.serviceAccounts.ephemeralAccessKeyAdmin` permissions.

#### iam.serviceAccounts.apiKeyAdmin {#iam-serviceAccounts-apiKeyAdmin}

The `iam.serviceAccounts.apiKeyAdmin` role enables managing API keys for service accounts.

Users with this role can:
* View the list of service account [API keys](../concepts/authorization/api-key.md) and information on them.
* Create, update, and delete API keys for [service accounts](../concepts/users/accounts.md#sa).

#### iam.serviceAccounts.authorizedKeyAdmin {#iam-serviceAccounts-authorizedKeyAdmin}

The `iam.serviceAccounts.authorizedKeyAdmin` role enables viewing info on service account [authorized keys](../concepts/authorization/key.md), as well as create, modify, and delete them.

#### iam.serviceAccounts.keyAdmin {#iam-serviceAccounts-keyAdmin}

The `iam.serviceAccounts.keyAdmin` role enables managing access keys for service accounts, including static, ephemeral, authorized, and API keys.

Users with this role can:
* View the list of service accounts' [static access keys](../concepts/authorization/access-key.md) and info on them, as well as create, modify, and delete them.
* View the list of service accounts' [API keys](../concepts/authorization/api-key.md) and info on them, as well as create, modify, and delete them.
* View info on service accounts' [authorized keys](../concepts/authorization/key.md), as well as create, modify, and delete them.
* Create [ephemeral access keys](../concepts/authorization/ephemeral-keys.md) for service accounts.

This role includes the `iam.serviceAccounts.accessKeyAdmin`, `iam.serviceAccounts.apiKeyAdmin`, and `iam.serviceAccounts.authorizedKeyAdmin` permissions.

#### iam.serviceAccounts.tokenCreator {#iam-serviceAccounts-tokenCreator}

The `iam.serviceAccounts.tokenCreator` role enables getting IAM tokens for service accounts.

With such an [IAM token](../concepts/authorization/iam-token.md) one can [impersonate](../concepts/access-control/impersonation.md) to a [service account](../concepts/users/accounts.md#sa) and perform operations allowed for it.

This role does not allow you to modify access permissions or delete a service account.

#### iam.serviceAccounts.federatedCredentialViewer {#iam-serviceAccounts-federatedCredentialViewer}

The `iam.serviceAccounts.federatedCredentialViewer` role enables viewing the list of [federation credentials](../concepts/workload-identity.md#federated-credentials) in [workload identity federations](../concepts/workload-identity.md) and info on such credentials.

#### iam.serviceAccounts.federatedCredentialEditor {#iam-serviceAccounts-federatedCredentialEditor}

The `iam.serviceAccounts.federatedCredentialEditor` role enables viewing the list of [federation credentials](../concepts/workload-identity.md#federated-credentials) in [workload identity federations](../concepts/workload-identity.md) and info on such credentials, as well as create and delete those.

This role includes the `iam.serviceAccounts.federatedCredentialViewer` permissions.

#### iam.workloadIdentityFederations.auditor {#iam-workloadIdentityFederations-auditor}

The `iam.workloadIdentityFederations.auditor` role enables viewing the [workload identity federation](../concepts/workload-identity.md) metadata.

#### iam.workloadIdentityFederations.viewer {#iam-workloadIdentityFederations-viewer}

The `iam.workloadIdentityFederations.viewer` role enables viewing info on [workload identity federations](../concepts/workload-identity.md).

This role includes the `iam.workloadIdentityFederations.auditor` permissions.

#### iam.workloadIdentityFederations.user {#iam-workloadIdentityFederations-user}

The `iam.workloadIdentityFederations.user` role enables using [workload identity federations](../concepts/workload-identity.md).

#### iam.workloadIdentityFederations.editor {#iam-workloadIdentityFederations-editor}

The `iam.workloadIdentityFederations.editor` role enables viewing info on workload identity federations, as well as creating, modifying, and deleting such federations.

This role includes the `iam.workloadIdentityFederations.viewer` permissions.

#### iam.workloadIdentityFederations.admin {#iam-workloadIdentityFederations-admin}

The `iam.workloadIdentityFederations.admin` role enables viewing info on [workload identity federations](../concepts/workload-identity.md), as well as creating, modifying, using, and deleting such federations.

This role includes the `iam.workloadIdentityFederations.editor` and `iam.workloadIdentityFederations.user` permissions.

#### iam.userAccounts.refreshTokenViewer {#iam-userAccounts-refreshTokenViewer}

The `iam.userAccounts.refreshTokenViewer` role enables viewing the lists of federated users’ [refresh tokens](../concepts/authorization/refresh-token.md). To use this role, you need to assign it for an [organization](../../organization/concepts/organization.md).

#### iam.userAccounts.refreshTokenRevoker {#iam-userAccounts-refreshTokenRevoker}

The `iam.userAccounts.refreshTokenRevoker` role enables revoking federated users’ [refresh tokens](../concepts/authorization/refresh-token.md). To use this role, you need to assign it for an [organization](../../organization/concepts/organization.md).

#### iam.auditor {#iam-auditor}

The `iam.auditor` role allows you to view info on service accounts and their keys, as well as on the IAM resource operations and quotas.

Users with this role can:
* View the list of [service accounts](../concepts/users/accounts.md#sa) and information on them.
* View info on [access permissions](../concepts/access-control/index.md) assigned for service accounts.
* View the list of service account [API keys](../concepts/authorization/api-key.md) and information on them.
* View the list of service account [static access keys](../concepts/authorization/access-key.md) and information on them.
* View info on service account [authorized keys](../concepts/authorization/key.md).
* View the list of operations and the info on IAM resource operations.
* View info on Identity and Access Management [quotas](../concepts/limits.md#iam-quotas).
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and its settings.
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) and its settings.

#### iam.viewer {#iam-viewer}

The `iam.viewer` role allows you to view info on service accounts and their keys, as well as on the IAM resource operations and quotas.

Users with this role can:
* View the list of [service accounts](../concepts/users/accounts.md#sa) and information on them.
* View info on [access permissions](../concepts/access-control/index.md) assigned for service accounts.
* View the list of service account [API keys](../concepts/authorization/api-key.md) and information on them.
* View the list of service account [static access keys](../concepts/authorization/access-key.md) and information on them.
* View info on service account [authorized keys](../concepts/authorization/key.md).
* View the list of operations and the info on IAM resource operations.
* View info on Identity and Access Management [quotas](../concepts/limits.md#iam-quotas).
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and its settings.
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) and its settings.

This role includes the `iam.auditor` permissions.

#### iam.editor {#iam-editor}

The `iam.editor` role enables managing service accounts and their keys, managing folders, and viewing info on IAM resource operations.

Users with this role can:
* View the list of [service accounts](../concepts/users/accounts.md#sa) and info on them, as well as create, use, modify, and delete them.
* View the list of service accounts' [API keys](../concepts/authorization/api-key.md) and info on them, as well as create, modify, and delete them.
* View the list of service accounts' [static access keys](../concepts/authorization/access-key.md) and info on them, as well as create, modify, and delete them.
* View info on service accounts' [authorized keys](../concepts/authorization/key.md), as well as create, modify, and delete them.
* Create [ephemeral access keys](../concepts/authorization/ephemeral-keys.md) for service accounts.
* View info on [access permissions](../concepts/access-control/index.md) granted for service accounts.
* View the list of operations and info on Identity and Access Management resource operations.
* View info on Identity and Access Management [quotas](../concepts/limits.md#iam-quotas).
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and its settings.
* View info on [folders](../../resource-manager/concepts/resources-hierarchy.md#folder) and their settings.
* Create, modify, delete, and set up folders.

This role includes the `iam.viewer` permissions.

#### iam.admin {#iam-admin}

The `iam.admin` role enables managing service accounts and access to them and their keys, as well as managing folders, viewing info on IAM resource operations and quotas, and getting IAM tokens for service accounts.

Users with this role can:
* View the list of [service accounts](../concepts/users/accounts.md#sa) and info on them, as well as create, use, modify, and delete them.
* View info on [access permissions](../concepts/access-control/index.md) granted for service accounts and modify such permissions.
* Get [IAM tokens](../concepts/authorization/iam-token.md) for service accounts.
* View the list of service accounts' [API keys](../concepts/authorization/api-key.md) and info on them, as well as create, modify, and delete them.
* View the list of service accounts' [static access keys](../concepts/authorization/access-key.md) and info on them, as well as create, modify, and delete them.
* View info on service accounts' [authorized keys](../concepts/authorization/key.md), as well as create, modify, and delete them.
* Create [ephemeral access keys](../concepts/authorization/ephemeral-keys.md) for service accounts.
* View info on [identity federations](../concepts/federations.md).
* View the list of operations and info on Identity and Access Management resource operations.
* View info on Identity and Access Management [quotas](../concepts/limits.md#iam-quotas).
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and its settings.
* View info on [folders](../../resource-manager/concepts/resources-hierarchy.md#folder) and their settings.
* Create, modify, delete, and set up folders.

This role includes the `iam.editor` and `iam.serviceAccounts.admin` permissions.


### Primitive roles {#primitive-roles}

Primitive roles allow users to perform actions in all Yandex Cloud [services](../../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:
* View info on a [resource](../../resource-manager/concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the most secure role that does not grant any access to the [service](../../overview/concepts/services.md) data. This role suits the users who need minimum access to the Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants the permissions to read the info on any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Prior to assigning the `admin` role for an organization, [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), make sure to check out the information on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the [least privilege principle](../../security/standard/all.md#min-privileges).

For more information on primitive roles, see the [Yandex Cloud role reference](../roles-reference.md#primitive-roles).

## Required roles {#choosing-roles}

The table below lists the roles required for specific actions. You can always assign a role with more permissions, e.g., `editor` instead of `viewer`.

Action | Methods | Required roles
----- | ----- | -----
**Viewing data** | |
[Getting an IAM token](../operations/iam-token/create.md) | `create` | None, authentication only
[Viewing user data](../../organization/operations/users-get.md) | `get`, `getByLogin` | None, authentication only
[Viewing service account data](../operations/sa/get-id.md) | `get`, `list`, `listOperations` | `iam.serviceAccounts.user` or `viewer` for the service account
Viewing information about a folder or cloud | `get`, `list` | `iam.auditor` for the folder or cloud
Viewing information about any resource | `get`, `list` | `viewer` for the resource
**Managing resources** | |
[Creating](../operations/sa/create.md) service accounts in the folder | `create` | `iam.serviceAccounts.admin` for the folder
[Updating](../operations/sa/update.md) and [deleting](../operations/sa/delete.md) service accounts | `update`, `delete` | `editor` for the service account
Creating and deleting keys for a service account | `create`, `delete` | `iam.serviceAccounts.accessKeyAdmin`, `iam.serviceAccounts.apiKeyAdmin`, `iam.serviceAccounts.authorizedKeyAdmin`, `iam.serviceAccounts.keyAdmin`<br/> for the service account
**Managing resource access** | |
[Making a new user the owner of the cloud](../operations/roles/grant.md) | `setAccessBindings`, `updateAccessBindings` | `resource-manager.clouds.owner` role for the cloud
[Granting](../operations/roles/grant.md), [revoking](../operations/roles/revoke.md), and viewing assigned resource roles | `setAccessBindings`, `updateAccessBindings`, `listAccessBindings` | `admin` for the resource
Getting an IAM token for a service account | `create` | `iam.serviceAccounts.tokenCreator` for the service account

#### What's next {#what-is-next}

* [How to assign a role](../operations/roles/grant.md).
* [How to revoke a role](../operations/roles/revoke.md).
* [Learn more about access management in Yandex Cloud](../concepts/access-control/index.md).
* [Learn more about role inheritance](../../resource-manager/concepts/resources-hierarchy.md#access-rights-inheritance).