[Yandex Cloud documentation](../../index.md) > [Yandex Cloud Logging](../index.md) > Access management

# Access management in Cloud Logging

Cloud Logging uses [roles](../../iam/concepts/access-control/roles.md) to manage access permissions.

In this section, you will learn:

* [What resources you can assign a role for](#resources).
* [What roles exist in this service](#roles-list).

## Access management {#about-access-control}

[Yandex Identity and Access Management](../../iam/index.md) checks all operations in Yandex Cloud. If an entity does not have required permissions, IAM returns an error.


To grant permissions for a resource, [assign](../../iam/operations/roles/grant.md) the relevant resource roles to an entity performing operations. You can assign roles to a [Yandex account](../../iam/concepts/users/accounts.md#passport), [service account](../../iam/concepts/users/service-accounts.md), [local user](../../iam/concepts/users/accounts.md#local), [federated user](../../iam/concepts/federations.md), [user group](../../organization/operations/manage-groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md). For more information, see [How access management works in Yandex Cloud](../../iam/concepts/access-control/index.md).

To assign a role for a resource, a user should have the `logging.admin` role or one of the following roles for that resource:

* `admin`
* `resource-manager.admin`
* `organization-manager.admin`
* `resource-manager.clouds.owner`
* `organization-manager.organizations.owner`

## Resources you can assign a role for {#resources}

You can assign a role to an [organization](../../organization/concepts/organization.md), [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [folder](../../resource-manager/concepts/resources-hierarchy.md#folder). The roles assigned to organizations, clouds, and folders also apply to their nested resources.

You can also assign roles for individual resources within the service:

{% list tabs group=instructions %}

- CLI {#cli}

  You can use the [Yandex Cloud CLI](../../cli/cli-ref/logging/cli-ref/index.md) to assign roles for the following resources:

  * [Log group](../concepts/log-group.md)
  * [Log target](../operations/create-sink.md)

- API {#api}

  You can use the [Yandex Cloud API](../api-ref/authentication.md) to assign roles for the following resources:

  # Cloud Logging resources for which you can assign roles
  
  * [Log group](../concepts/log-group.md)
  * [Log target](../operations/create-sink.md)
  * [Export](../operations/export-logs.md)

{% endlist %}

## Roles this service has {#roles-list}

The list below shows all roles used for access control in Cloud Logging.

```mermaid
flowchart BT
    logging.viewer --> logging.editor
    logging.viewer --> logging.reader
    logging.viewer --> logging.writer

    logging.editor --> logging.admin
    logging.reader --> logging.admin
    logging.writer --> logging.admin
```

### Service roles {#service-roles}

#### logging.viewer {#logging-viewer}

The `logging.viewer` role enables viewing info on log groups and sinks and access permissions assigned to them, as well as on the relevant cloud and folder.

Users with this role can:
* View info on [log groups](../concepts/log-group.md).
* View info on log sinks.
* View info on [access permissions](../../iam/concepts/access-control/index.md) assigned to Cloud Logging resources.
* View info on log exports.
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

#### logging.editor {#logging-editor}

The `logging.editor` role enables viewing info on Cloud Logging resources and managing them.

Users with this role can:
* View info on [log groups](../concepts/log-group.md), as well as create, modify, delete, and use them.
* View info on log sinks, as well as create, modify, delete, and use them.
* View info on [access permissions](../../iam/concepts/access-control/index.md) assigned to Cloud Logging resources.
* View info on log exports, run export, and create, modify, and delete exported files.
* View information on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `logging.viewer` permissions.

#### logging.reader {#logging-reader}

The `logging.reader` role enables viewing log group entries and info on the Cloud Logging resources, as well as the cloud and folder metadata.

Users with this role can:
* View [log group](../concepts/log-group.md) entries.
* View info on log groups.
* View info on log sinks.
* View info on [access permissions](../../iam/concepts/access-control/index.md) assigned to Cloud Logging resources.
* View info on log exports.
* View information on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `logging.viewer` permissions.

#### logging.writer {#logging-writer}

The `logging.writer` role enables adding entries to log groups and viewing info on the Cloud Logging resources, as well as on the relevant cloud and folder.

Users with this role can:
* Add entries to [log groups](../concepts/log-group.md).
* View info on log groups.
* View info on log sinks.
* View info on [access permissions](../../iam/concepts/access-control/index.md) assigned to Cloud Logging resources.
* View info on log exports.
* View information on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `logging.viewer` permissions.

#### logging.admin {#logging-admin}

The `logging.admin` role enables managing your Cloud Logging resources and access to them, as well as viewing and adding entries to log groups.

Users with this role can:
* View info on [access permissions](../../iam/concepts/access-control/index.md) assigned to Cloud Logging resources and modify such permissions.
* View info on [log groups](../concepts/log-group.md), as well as create, modify, delete, and use them.
* View info on log sinks, as well as create, modify, delete, and use them.
* View info on log exports, run export, and create, modify, and delete exported files.
* View and add entries to log groups.
* View info on Cloud Logging [quotas](../concepts/limits.md#logging-quotas).
* View information on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `logging.editor`, `logging.reader`, and `logging.writer` permissions.

### Primitive roles {#primitive-roles}

Primitive roles allow users to perform actions in all Yandex Cloud [services](../../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:
* View info on a [resource](../../resource-manager/concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the most secure role that does not grant any access to the [service](../../overview/concepts/services.md) data. This role suits the users who need minimum access to the Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants the permissions to read the info on any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Prior to assigning the `admin` role for an organization, [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), make sure to check out the information on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the [least privilege principle](../../security/standard/all.md#min-privileges).

For more information on primitive roles, see the [Yandex Cloud role reference](../../iam/roles-reference.md#primitive-roles).