# Access management in Monitoring

Yandex Cloud users can only perform operations on resources within the permissions granted by the [roles](../../iam/concepts/access-control/roles.md) assigned to them. With no roles assigned, almost no operations are allowed.

To allow access to Yandex Monitoring resources, assign the relevant roles from the list below to a Yandex account, [service account](../../iam/concepts/users/service-accounts.md), [federated](../../iam/concepts/users/accounts.md#saml-federation) or [local](../../iam/concepts/users/accounts.md#local) users, [user group](../../organization/operations/manage-groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md).

For more information about role inheritance, see [Inheriting access permissions](../../resource-manager/concepts/resources-hierarchy.md#access-rights-inheritance) for Yandex Resource Manager.

Currently, a role can only be assigned for a parent resource, such as a folder or a cloud; nested resources inherit the roles assigned to their parent.

To assign roles for a resource, you need to have one of the following roles for that resource:

* `admin`
* `resource-manager.admin`
* `organization-manager.admin`
* `resource-manager.clouds.owner`
* `organization-manager.organizations.owner`

## Assigning roles {#grant-roles}

To assign a role to a user:

1. [Add](../../organization/operations/add-account.md) the appropriate user, if required.
1. In the [management console](https://console.yandex.cloud), on the left, [select](../../resource-manager/operations/cloud/switch-cloud.md) a cloud.
1. Navigate to the **Access bindings** tab.
1. Click **Configure access**.
1. In the window that opens, select **User accounts**.
1. Select a user from the list or use the user search option.
1. Click ![image](../../_assets/console-icons/plus.svg) **Add role** and select a role for the cloud.
1. Click **Save**.

## Roles this service has {#roles-list}

The list below shows all the roles used for access control in Yandex Monitoring.

```mermaid
flowchart BT
    monitoring.editor --> monitoring.admin
    monitoring.viewer --> monitoring.editor
```

### Service roles {#service-roles}

#### monitoring.viewer {#monitoring-viewer}

The `monitoring.viewer` role enables downloading metrics and viewing info on metrics, dashboards, and widgets.

Users with this role can:
* View info on [metrics](../concepts/data-model.md#metric) and their [labels](../concepts/data-model.md#label), as well as download metrics.
* View the list of [dashboards](../concepts/visualization/dashboard.md) and [widgets](../concepts/visualization/widget.md), as well as the info on those.
* View [notification](../concepts/alerting/notification-channel.md) history.
* View details on [Monitoring](../concepts/limits.md#monitoring-quotas) quotas.
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

#### monitoring.editor {#monitoring-editor}

The `monitoring.editor` role enables managing dashboards and widgets, uploading and downloading metrics, and viewing the notification history and quota details.

Users with this role can:
* View info on [metrics](../concepts/data-model.md#metric) and their [labels](../concepts/data-model.md#label), as well as upload and download metrics.
* View lists of [dashboards](../concepts/visualization/dashboard.md) and [widgets](../concepts/visualization/widget.md) and info on them, as well as create, modify, and delete them.
* View [notification](../concepts/alerting/notification-channel.md) history.
* View details on [Monitoring](../concepts/limits.md#monitoring-quotas) quotas.
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `monitoring.viewer` permissions.

#### monitoring.admin {#monitoring-admin}

The `monitoring.admin` role enables managing dashboards and widgets, uploading and downloading metrics, and viewing the notification history, info on quotas, and folder metadata.

Users with this role can:
* View info on [metrics](../concepts/data-model.md#metric) and their [labels](../concepts/data-model.md#label), as well as upload and download metrics.
* View lists of [dashboards](../concepts/visualization/dashboard.md) and [widgets](../concepts/visualization/widget.md) and info on them, as well as create, modify, and delete them.
* View [notification](../concepts/alerting/notification-channel.md) history.
* View details on [Monitoring](../concepts/limits.md#monitoring-quotas) quotas.
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `monitoring.editor` permissions.

### Primitive roles {#primitive-roles}

Primitive roles allow users to perform actions in all Yandex Cloud [services](../../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants permission to read the configuration and metadata of any Yandex Cloud resource, without access to the data itself.

For instance, users with this role can:
* View info on a [resource](../../resource-manager/concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the most restrictive role: it grants no access to [service](../../overview/concepts/services.md) data. It suits users who need minimal access to Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants permission to read information on any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides read-only access to [service](../../overview/concepts/services.md) data.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Before assigning the `admin` role for an organization, [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), review the recommendations on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles: their more granular access control lets you apply the [least privilege principle](../../security/standard/all.md#min-privileges).
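To make the service-role inheritance chain and the least-privilege recommendation concrete, here is an added example (not Yandex Cloud code) that computes the effective permissions of each Monitoring service role and picks the narrowest role covering a required set of actions; the action labels such as `upload_metrics` are constructed names for the bullets listed above.

```python
"""Least-privilege helper for the Monitoring service roles listed above.
Added example, not Yandex Cloud code: inheritance and per-role actions are
transcribed from this page; the short action labels are our own names."""

# Each role includes the permissions of the role it maps to (see the diagram above).
INCLUDES = {
    "monitoring.editor": "monitoring.viewer",
    "monitoring.admin": "monitoring.editor",
}

# Actions each role grants directly, beyond what it inherits.
DIRECT = {
    "monitoring.viewer": {
        "view_metrics", "download_metrics", "view_dashboards",
        "view_notification_history", "view_quotas", "view_folder",
    },
    "monitoring.editor": {"upload_metrics", "manage_dashboards"},
    "monitoring.admin": set(),  # the page lists no extra actions beyond editor
}

# Narrowest role first, so the first match is the least-privileged one.
ROLE_ORDER = ["monitoring.viewer", "monitoring.editor", "monitoring.admin"]


def effective_actions(role):
    """Walk the inheritance chain and collect every action the role grants."""
    actions = set()
    while role is not None:
        actions |= DIRECT[role]
        role = INCLUDES.get(role)
    return frozenset(actions)


def minimal_role(required):
    """Return the narrowest role whose effective actions cover `required`."""
    needed = set(required)
    for role in ROLE_ORDER:
        if needed <= effective_actions(role):
            return role
    unknown = needed - effective_actions(ROLE_ORDER[-1])
    raise ValueError(f"no Monitoring role grants: {sorted(unknown)}")


def excess_actions(role, required):
    """Actions a proposed role grants that the principal does not need."""
    return sorted(effective_actions(role) - set(required))
```

For a metrics exporter that only pushes data, `minimal_role({"upload_metrics"})` returns `monitoring.editor`, and `excess_actions` shows what granting `monitoring.admin` instead would hand out unnecessarily.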

For more information on primitive roles, see the [Yandex Cloud role reference](../../iam/roles-reference.md#primitive-roles).