[Yandex Cloud documentation](../index.md) > [Yandex Managed Service for Apache Spark™](index.md) > Access management

# Managing access to Yandex Managed Service for Apache Spark™


In this section, you will learn about the following:

* [Resources you can assign a role for](#resources).
* [Roles this service has](#roles-list).
* [Roles required for specific actions](#required-roles).

To use the service, log in to the management console with your [Yandex account](../iam/concepts/users/accounts.md#passport), [federated account](../iam/concepts/users/accounts.md#saml-federation), or [local account](../iam/concepts/users/accounts.md#local).

## Access management {#about-access-control}

[Yandex Identity and Access Management](../iam/index.md) checks all operations in Yandex Cloud. If an entity does not have required permissions, IAM returns an error.


To grant permissions for a resource, [assign](../iam/operations/roles/grant.md) the relevant resource roles to an entity performing operations. You can assign roles to a [Yandex account](../iam/concepts/users/accounts.md#passport), [service account](../iam/concepts/users/service-accounts.md), [local user](../iam/concepts/users/accounts.md#local), [federated user](../iam/concepts/federations.md), [user group](../organization/operations/manage-groups.md), [system group](../iam/concepts/access-control/system-group.md), or [public group](../iam/concepts/access-control/public-group.md). For more information, see [How access management works in Yandex Cloud](../iam/concepts/access-control/index.md).

To assign a role for a resource, you need the `managed-spark.admin` role or one of the following roles for that resource:

* `admin`
* `resource-manager.admin`
* `organization-manager.admin`
* `resource-manager.clouds.owner`
* `organization-manager.organizations.owner`

## Resources you can assign a role for {#resources}

You can assign a role to an [organization](../organization/concepts/organization.md), [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud), or [folder](../resource-manager/concepts/resources-hierarchy.md#folder). The roles assigned to organizations, clouds, and folders also apply to their nested resources.

To allow access to Yandex Managed Service for Apache Spark™ resources, such as clusters and accounts, give the user the relevant roles for the folder, cloud, or organization containing those resources.

You can also assign a role for an individual cluster from the [management console](https://console.yandex.cloud), via the [CLI](../cli/index.md), or [API](api-ref/authentication.md).

## Roles existing in this service {#roles-list}

The list below shows all the roles used for access control in this service.

```mermaid
%%{
  init: {
    "flowchart": { "defaultRenderer": "elk" }
  }
}%%
flowchart BT
    managed-spark.auditor --> managed-spark.viewer
    managed-spark.viewer --> managed-spark.user
    managed-spark.user --> managed-spark.editor
    managed-spark.editor --> managed-spark.admin
    managed-spark.auditor --> managed-spark.maintenanceTask.viewer["`managed-spark.
    maintenanceTask.viewer`"]
    managed-spark.maintenanceTask.viewer --> managed-spark.maintenanceTask.editor["`managed-spark.
    maintenanceTask.editor`"]
    managed-spark.maintenanceTask.viewer --> managed-spark.viewer
    managed-spark.maintenanceTask.editor --> managed-spark.editor
    managed-spark.integrationProvider["`managed-spark.
    integrationProvider`"]
```

### Service roles {#service-roles}

#### managed-spark.auditor {#managed-spark-auditor}

The `managed-spark.auditor` role enables viewing info on [Apache Spark™ clusters](concepts/index.md), [access permissions](../iam/concepts/access-control/index.md) granted for them, and on [quotas](concepts/limits.md#quotas) for Managed Service for Apache Spark™.

#### managed-spark.viewer {#managed-spark-viewer}

The `managed-spark.viewer` role enables viewing info on Apache Spark™ clusters, jobs, and quotas for Managed Service for Apache Spark™.

Users with this role can:
* View info on [Apache Spark™ clusters](concepts/index.md) and [access permissions](../iam/concepts/access-control/index.md) granted for them.
* View info on [maintenance](concepts/maintenance.md) tasks for Apache Spark™ clusters.
* View info on [jobs](operations/index.md#jobs).
* View info on [quotas](concepts/limits.md#quotas) for Managed Service for Apache Spark™.

This role includes the `managed-spark.auditor` and `managed-spark.maintenanceTask.viewer` permissions.

#### managed-spark.user {#managed-spark-user}

The `managed-spark.user` role enables performing basic operations on Apache Spark™ clusters and jobs.

Users with this role can:
* Use the Apache Spark™ web interface.
* View info on [jobs](operations/index.md#jobs), as well as create, run, and cancel them.
* View info on [Apache Spark™ clusters](concepts/index.md) and [access permissions](../iam/concepts/access-control/index.md) granted for them.
* View info on [maintenance](concepts/maintenance.md) tasks for Apache Spark™ clusters.
* View info on [quotas](concepts/limits.md#quotas) for Managed Service for Apache Spark™.

This role includes the `managed-spark.viewer` permissions.

#### managed-spark.editor {#managed-spark-editor}

The `managed-spark.editor` role enables managing Apache Spark™ clusters and jobs.

Users with this role can:
* View info on [Apache Spark™ clusters](concepts/index.md), as well as create, modify, run, stop, and delete them.
* View info on [access permissions](../iam/concepts/access-control/index.md) granted for Apache Spark™ clusters.
* View info on [maintenance](concepts/maintenance.md) tasks for Apache Spark™ clusters and modify such tasks.
* Use the Apache Spark™ web interface.
* View info on [jobs](operations/index.md#jobs), as well as create, run, and cancel them.
* View info on [quotas](concepts/limits.md#quotas) for Managed Service for Apache Spark™.

This role includes the `managed-spark.user` and `managed-spark.maintenanceTask.editor` permissions.

To create Apache Spark™ clusters, you also need the `vpc.user` role.

#### managed-spark.admin {#managed-spark-admin}

The `managed-spark.admin` role enables managing Apache Spark™ clusters and access to them.

Users with this role can:
* View info on [access permissions](../iam/concepts/access-control/index.md) granted for [Apache Spark™ clusters](concepts/index.md) and modify such permissions.
* View info on Apache Spark™ clusters, as well as create, modify, run, stop, and delete them.
* View info on [maintenance](concepts/maintenance.md) tasks for Apache Spark™ clusters and modify such tasks.
* Use the Apache Spark™ web interface.
* View info on [jobs](operations/index.md#jobs), as well as create, run, and cancel them.
* View info on [quotas](concepts/limits.md#quotas) for Managed Service for Apache Spark™.

This role includes the `managed-spark.editor` permissions.

To create Apache Spark™ clusters, you also need the `vpc.user` role.

#### managed-spark.maintenanceTask.viewer {#managed-spark-maintenanceTask-viewer}

The `managed-spark.maintenanceTask.viewer` role enables viewing info on [Apache Spark™ clusters](concepts/index.md), [access permissions](../iam/concepts/access-control/index.md) granted for them, their [maintenance tasks](concepts/maintenance.md), and on [quotas](concepts/limits.md#quotas) for Managed Service for Apache Spark™.

This role includes the `managed-spark.auditor` permissions.

#### managed-spark.maintenanceTask.editor {#managed-spark-maintenanceTask-editor}

The `managed-spark.maintenanceTask.editor` role enables viewing info on [maintenance](concepts/maintenance.md) tasks for Apache Spark™ clusters and modifying such tasks, as well as viewing info on [Apache Spark™ clusters](concepts/index.md), [access permissions](../iam/concepts/access-control/index.md) granted for them, and on [quotas](concepts/limits.md#quotas) for Managed Service for Apache Spark™.

This role includes the `managed-spark.maintenanceTask.viewer` permissions.

#### managed-spark.integrationProvider {#managed-spark-integrationProvider}

The `managed-spark.integrationProvider` role enables an Apache Spark™ cluster to work with user resources required for its operation on behalf of a service account. You need to assign this role to a service account linked to an Apache Spark™ cluster.

Users with this role can:
* Add entries to [log groups](../logging/concepts/log-group.md).
* View info on log groups.
* View info on log sinks.
* View info on granted [access permissions](../iam/concepts/access-control/index.md) for Cloud Logging resources.
* View info on log exports.
* View info on [metrics](../monitoring/concepts/data-model.md#metric) and their [labels](../monitoring/concepts/data-model.md#label), as well as upload and download metrics.
* View lists of [dashboards](../monitoring/concepts/visualization/dashboard.md) and [widgets](../monitoring/concepts/visualization/widget.md) and info on them, as well as create, modify, and delete them.
* View [notification](../monitoring/concepts/alerting/notification-channel.md) history.
* View details on [Monitoring quotas](../monitoring/concepts/limits.md#monitoring-quotas).
* View info on the relevant [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `logging.writer` and `monitoring.editor` permissions.

### Primitive roles {#primitive-roles}

Primitive roles allow users to perform actions in all Yandex Cloud [services](../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:
* View info on a [resource](../resource-manager/concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the most secure role that does not grant any access to the [service](../overview/concepts/services.md) data. This role suits the users who need minimum access to the Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants the permissions to read the info on any Yandex Cloud [resources](../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../organization/concepts/organization.md) ownership and removing an organization).

Prior to assigning the `admin` role for an organization, [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../billing/concepts/billing-account.md), make sure to check out the information on protecting [privileged accounts](../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the [least privilege principle](../security/standard/all.md#min-privileges).

For more information on primitive roles, see the [Yandex Cloud role reference](../iam/roles-reference.md#primitive-roles).

## Required roles {#required-roles}

As a user, you need the `managed-spark.editor` role or higher for the folder that will contain the new cluster. The `managed-spark.viewer` role only allows you to view the cluster list.

To create an Yandex Managed Service for Apache Spark™ cluster, the following roles are required: [vpc.user](../vpc/security/index.md#vpc-user), [iam.serviceAccounts.user](../iam/security/index.md#iam-serviceAccounts-user), and `managed-spark.admin` or higher.

You can always assign a role with more permissions, e.g., `managed-spark.admin` instead of `managed-spark.editor`.

## What's next {#whats-next}

* [How to assign a role](../iam/operations/roles/grant.md)
* [How to revoke a role](../iam/operations/roles/revoke.md)
* [Learn more about access management in Yandex Cloud](../iam/concepts/access-control/index.md)
* [Learn more about role inheritance](../resource-manager/concepts/resources-hierarchy.md#access-rights-inheritance)