[Yandex Cloud documentation](../../index.md) > [Monium](../index.md) > Access management

# Access management in Monium

Yandex Cloud users can only perform operations on resources within the permissions of the [roles](../../iam/concepts/access-control/roles.md) assigned to them. With no roles assigned, almost no operations are allowed.

To allow access to Monium.Metrics resources, assign the relevant roles from the list below to a Yandex account, [service account](../../iam/concepts/users/service-accounts.md), [federated](../../iam/concepts/users/accounts.md#saml-federation) or [local](../../iam/concepts/users/accounts.md#local) users, [user group](../../organization/operations/manage-groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md).

For more information about role inheritance, see [Inheriting access permissions](../../resource-manager/concepts/resources-hierarchy.md#access-rights-inheritance) for Yandex Resource Manager.

Currently, a role can only be assigned for a parent resource, such as a folder or cloud. Roles are inherited by nested resources.

To assign roles for a resource, you need to have one of the following roles for that resource:

* `admin`
* `resource-manager.admin`
* `organization-manager.admin`
* `resource-manager.clouds.owner`
* `organization-manager.organizations.owner`

## Roles this service has {#roles-list}

{% cut "Alerting roles" %}

```mermaid
flowchart BT
    monium.editor --> monium.admin
    monium.alerts.viewer ---> monium.alerts.editor
    monium.alerts.viewer --> monium.viewer
    monium.channels.viewer ---> monium.channels.editor
    monium.channels.viewer --> monium.viewer
    monium.escalations.viewer --> monium.viewer
    monium.escalations.viewer ---> monium.escalations.editor
    monium.auditor --> monium.viewer
    monium.escalationPolicies.viewer["monium.<br>escalationPolicies.<br>viewer"] --> monium.viewer
    monium.escalationPolicies.viewer["monium.<br>escalationPolicies.<br>viewer"] ---> monium.escalationPolicies.editor["monium.<br>escalationPolicies.<br>editor"]
    monium.mutes.viewer --> monium.viewer
    monium.mutes.viewer ---> monium.mutes.editor
    monium.channels.editor --> monium.editor
    monium.alerts.editor --> monium.editor
    monium.viewer --> monium.editor
    monium.escalations.editor --> monium.editor
    monium.escalationPolicies.editor["monium.<br>escalationPolicies.<br>editor"] --> monium.editor
    monium.mutes.editor --> monium.editor
```

{% endcut %}

{% cut "Telemetry roles" %}

```mermaid
flowchart BT
    monium.editor --> monium.admin
    monium.metrics.writer --> monium.telemetry.writer
    monium.logs.writer --> monium.telemetry.writer
    monium.traces.writer --> monium.telemetry.writer
    monium.metrics.reader --> monium.telemetry.reader
    monium.logs.reader --> monium.telemetry.reader
    monium.traces.reader --> monium.telemetry.reader
    monium.logErrorLabels.viewer["monium.<br>logErrorLabels.<br>viewer"] --> monium.logErrorLabels.editor["monium.<br>logErrorLabels.<br>editor"]
    monium.logErrorLabels.viewer["monium.<br>logErrorLabels.<br>viewer"] --> monium.viewer
    monium.auditor --> monium.viewer
    monium.telemetry.reader --> monium.viewer
    monium.telemetry.writer --> monium.editor
    monium.logErrorLabels.editor["monium.<br>logErrorLabels.<br>editor"] --> monium.editor
    monium.viewer --> monium.editor
    monium.dashboards.editor --> monium.editor
    monium.shards.editor --> monium.editor
```

{% endcut %}

{% cut "Configuration and visualization roles" %}

```mermaid
flowchart BT
    monium.editor --> monium.admin
    monium.quickLinks.viewer --> monium.quickLinks.editor
    monium.quickLinks.viewer --> monium.viewer
    monium.contextLinks.viewer --> monium.contextLinks.editor
    monium.contextLinks.viewer --> monium.viewer
    monium.auditor --> monium.viewer
    monium.serviceLevelObjectives.viewer["monium.<br>serviceLevelObjectives.<br>viewer"] --> monium.viewer
    monium.serviceLevelObjectives.viewer["monium.<br>serviceLevelObjectives.<br>viewer"] --> monium.serviceLevelObjectives.editor["monium.<br>serviceLevelObjectives.<br>editor"]
    monium.dashboards.viewer --> monium.viewer
    monium.dashboards.viewer --> monium.dashboards.editor
    monium.shards.viewer --> monium.viewer  
    monium.shards.viewer --> monium.shards.editor
    monium.quickLinks.editor --> monium.editor
    monium.contextLinks.editor --> monium.editor
    monium.viewer --> monium.editor
    monium.serviceLevelObjectives.editor["monium.<br>serviceLevelObjectives.<br>editor"] --> monium.editor
    monium.dashboards.editor --> monium.editor
    monium.shards.editor --> monium.editor
```

{% endcut %}

In Monium, you can manage access using both service and primitive roles.

### Service roles {#service-roles}

#### monium.alerts.viewer {#monium-alerts-viewer}

The `monium.alerts.viewer` role enables viewing the list of [alerts](../concepts/alerting/alert.md), their settings, and trigger history.

#### monium.alerts.editor {#monium-alerts-editor}

The `monium.alerts.editor` role enables viewing the list of [alerts](../concepts/alerting/alert.md), their settings, and trigger history, as well as creating, modifying, and deleting alerts.

This role includes the `monium.alerts.viewer` permissions.

#### monium.channels.viewer {#monium-channels-viewer}

The `monium.channels.viewer` role enables viewing the list of [alert](../concepts/alerting/alert.md) notification [channels](../concepts/alerting/notification-channel.md) and info on them.

#### monium.channels.editor {#monium-channels-editor}

The `monium.channels.editor` role enables viewing the list of [alert](../concepts/alerting/alert.md) notification [channels](../concepts/alerting/notification-channel.md) and info on them, as well as creating, modifying, and deleting such channels.

This role includes the `monium.channels.viewer` permissions.

#### monium.contextLinks.viewer {#monium-contextlinks-viewer}

The `monium.contextLinks.viewer` role enables viewing the set-up context links on dashboard [charts](../concepts/visualization/widget.md#chart).

#### monium.contextLinks.editor {#monium-contextLinks-editor}

The `monium.contextLinks.editor` role enables viewing the set-up context links on dashboard [charts](../concepts/visualization/widget.md#chart), as well as creating, editing, and deleting such links.

This role includes the `monium.contextLinks.viewer` permissions.

#### monium.quickLinks.viewer {#monium-quickLinks-viewer}

The `monium.quickLinks.viewer` role enables viewing the list of the set-up [quick links](../concepts/glossary.md#project-menu) and info on them in the [project](../concepts/glossary.md#project) menu.

#### monium.quickLinks.editor {#monium-quickLinks-editor}

The `monium.quickLinks.editor` role enables viewing the list of the set-up [quick links](../concepts/glossary.md#project-menu) and info on them in the [project](../concepts/glossary.md#project) menu, as well as creating, modifying, and deleting such links.

This role includes the `monium.quickLinks.viewer` permissions.

#### monium.dashboards.viewer {#monium-dashboards-viewer}

The `monium.dashboards.viewer` role enables viewing [dashboards](../concepts/visualization/dashboard.md) and their [widgets](../concepts/visualization/widget.md).

#### monium.dashboards.editor {#monium-dashboards-editor}

The `monium.dashboards.editor` role enables viewing [dashboards](../concepts/visualization/dashboard.md) and their [widgets](../concepts/visualization/widget.md), as well as creating, modifying, and deleting dashboards.

This role includes the `monium.dashboards.viewer` permissions.

#### monium.escalations.viewer {#monium-escalations-viewer}

The `monium.escalations.viewer` role enables viewing info on [alert](../concepts/alerting/alert.md) notifications and [escalations](../concepts/alerting/escalations.md).

#### monium.escalations.editor {#monium-escalations-editor}

The `monium.escalations.editor` role enables viewing info on [alert](../concepts/alerting/alert.md) notifications and [escalations](../concepts/alerting/escalations.md), as well as creating, modifying, and deleting escalations.

This role includes the `monium.escalations.viewer` permissions.

#### monium.escalationPolicies.viewer {#monium-escalationPolicies-viewer}

The `monium.escalationPolicies.viewer` role enables viewing the list and settings of [alert](../concepts/alerting/alert.md) [escalation policies](../concepts/alerting/escalations.md#intro).

#### monium.escalationPolicies.editor {#monium-escalationPolicies-editor}

The `monium.escalationPolicies.editor` role enables viewing the list and settings of [alert](../concepts/alerting/alert.md) escalation [policies](../concepts/alerting/escalations.md#intro), as well as creating, modifying, and deleting such policies.

This role includes the `monium.escalationPolicies.viewer` permissions.

#### monium.logErrorLabels.viewer {#monium-logErrorLabels-viewer}

The `monium.logErrorLabels.viewer` role enables viewing [labels](../traces/operations/traces-explorer.md) assigned to log errors.

#### monium.logErrorLabels.editor {#monium-logErrorLabels-editor}

The `monium.logErrorLabels.editor` role enables viewing, adding new, editing, and deleting the existing [labels](../traces/operations/traces-explorer.md) to [log](../logs/quickstart.md) errors.

This role includes the `monium.logErrorLabels.viewer` permissions.

#### monium.mutes.viewer {#monium-mutes-viewer}

The `monium.mutes.viewer` role enables viewing [mutes](../alerts/mutes.md), i.e., rules for temporarily disabling [alert](../concepts/alerting/alert.md) [notifications](../concepts/alerting/notification-channel.md).

#### monium.mutes.editor {#monium-mutes-editor}

The `monium.mutes.editor` role enables viewing, creating, editing, and deleting [mutes](../alerts/mutes.md), i.e., rules for temporarily disabling [alert](../concepts/alerting/alert.md) [notifications](../concepts/alerting/notification-channel.md).

This role includes the `monium.mutes.viewer` permissions.

#### monium.serviceLevelObjectives.viewer {#monium-serviceLevelObjectives-viewer}

The `monium.serviceLevelObjectives.viewer` role enables viewing the set-up [service level objectives (SLOs)](../slo/index.md).

#### monium.serviceLevelObjectives.editor {#monium-serviceLevelObjectives-editor}

The `monium.serviceLevelObjectives.editor` role enables viewing the set-up [service level objectives (SLOs)](../slo/index.md), as well as creating, modifying, and deleting SLOs.

This role includes the `monium.serviceLevelObjectives.viewer` permissions.

#### monium.shards.viewer {#monium-shards-viewer}

The `monium.shards.viewer` role enables viewing info on [shards](../concepts/glossary.md#shard), [clusters](../concepts/glossary.md#cluster), [services](../concepts/glossary.md#service) and their quotas.

#### monium.shards.editor {#monium-shards-editor}

The `monium.shards.editor` enables viewing info on [shards](../concepts/glossary.md#shard), [clusters](../concepts/glossary.md#cluster), [services](../concepts/glossary.md#service) and their quotas, as well as creating, modifying, and deleting shards.

This role includes the `monium.shards.viewer` permissions.

#### monium.metrics.reader {#monium-metrics-reader}

The `monium.metrics.reader` role enables reading [metrics](../metrics/quickstart.md), their values, and [labels](../../resource-manager/concepts/labels.md).

#### monium.metrics.writer {#monium-metrics-writer}

The `monium.metrics.writer` role enables writing [metrics](../metrics/quickstart.md).

#### monium.logs.reader {#monium-logs-reader}

The `monium.logs.reader` role enables reading [logs](../logs/quickstart.md) and viewing log error stats.

#### monium.logs.writer {#monium-logs-writer}

The `monium.logs.writer` role enables writing Monium [logs](../logs/quickstart.md).

#### monium.traces.reader {#monium-traces-reader}

The `monium.traces.reader` role enables viewing [distributed tracing](../traces/index.md) data.

#### monium.traces.writer {#monium-traces-writer}

The `monium.traces.writer` role enables writing [distributed tracing](../traces/index.md) data.

#### monium.telemetry.reader {#monium-telemetry-reader}

The `monium.telemetry.reader` role enables reading all types of Monium telemetry, such as [metrics](../metrics/quickstart.md), [logs](../logs/quickstart.md), and [distributed tracing](../traces/index.md).

This role includes the `monium.metrics.reader`, `monium.logs.reader`, and `monium.traces.reader` permissions.

#### monium.telemetry.writer {#monium-telemetry-writer}

The `monium.telemetry.writer` role enables writing all types of Monium telemetry, such as [metrics](../metrics/quickstart.md), [logs](../logs/quickstart.md), and [distributed tracing](../traces/index.md).

This role includes the `monium.metrics.writer`, `monium.logs.writer`, and `monium.traces.writer` permissions.

#### monium.auditor {#monium-auditor}

The `monium.auditor` role enables viewing information on Monium resources. However, it does not allow reading the telemetry data.

Users with this role can:
* View info on [projects](../concepts/glossary.md#project) and [access permissions](../../iam/concepts/access-control/index.md) assigned to them.
* View [dashboards](../concepts/visualization/dashboard.md) and their [widgets](../concepts/visualization/widget.md).
* View the set-up context links on dashboard [charts](../concepts/visualization/widget.md#chart).
* View the list of the set-up [quick links](../concepts/glossary.md#project-menu) and info on them in the project menu.
* View info on [shards](../concepts/glossary.md#shard), [clusters](../concepts/glossary.md#cluster), [services](../concepts/glossary.md#service) and their quotas.
* View the list of [alerts](../concepts/alerting/alert.md), their settings, and trigger history.
* View the set-up [service level objectives (SLOs)](../slo/index.md).
* View the list of alert [notification channels](../concepts/alerting/notification-channel.md) and info on them.
* View the list and settings of alert [escalation policies](../concepts/alerting/escalations.md#intro).
* View info on alert notifications and [escalations](../concepts/alerting/escalations.md).
* View [mutes](../alerts/mutes.md), i.e., rules for temporarily disabling alert [notifications](../concepts/alerting/notification-channel.md).
* View [labels](../traces/operations/traces-explorer.md) assigned to log errors.
* View info on the Yandex Managed Service for Prometheus® [rules](../operations/prometheus/recording-rules.md).

This role includes the `monium.dashboards.viewer`, `monium.shards.viewer`, `monium.contextLinks.viewer`, `monium.quickLinks.viewer`, `monium.alerts.viewer`, `monium.serviceLevelObjectives.viewer`, `monium.channels.viewer`, `monium.escalationPolicies.viewer`, `monium.escalations.viewer`, `monium.mutes.viewer`, and `monium.logErrorLabels.viewer` permissions.

#### monium.viewer {#monium-viewer}

The `monium.viewer` role enables viewing information on Monium resources. It also enables reading all types of telemetry data.

Users with this role can:

* View info on [projects](../concepts/glossary.md#project) and [access permissions](../../iam/concepts/access-control/index.md) assigned to them.
* Read all types of Monium telemetry, such as [metrics](../metrics/quickstart.md), [logs](../logs/quickstart.md), and [distributed tracing](../traces/index.md).
* View [dashboards](../concepts/visualization/dashboard.md) and their [widgets](../concepts/visualization/widget.md).
* View the set-up context links on dashboard [charts](../concepts/visualization/widget.md#chart).
* View the list of the set-up [quick links](../concepts/glossary.md#project-menu) and info on them in the project menu.
* View info on [shards](../concepts/glossary.md#shard), [clusters](../concepts/glossary.md#cluster), [services](../concepts/glossary.md#service) and their quotas.
* View the list of [alerts](../concepts/alerting/alert.md), their settings, and trigger history.
* View the set-up [service level objectives (SLOs)](../slo/index.md).
* View the list of alert [notification channels](../concepts/alerting/notification-channel.md) and info on them.
* View the list and settings of alert [escalation policies](../concepts/alerting/escalations.md#intro).
* View info on alert notifications and [escalations](../concepts/alerting/escalations.md).
* View [mutes](../alerts/mutes.md), i.e., rules for temporarily disabling alert [notifications](../concepts/alerting/notification-channel.md).
* View [labels](../traces/operations/traces-explorer.md) assigned to log errors.
* View info on the Yandex Managed Service for Prometheus® [rules](../operations/prometheus/recording-rules.md).
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `monium.auditor` and `monium.telemetry.reader` permissions.

#### monium.editor {#monium-editor}

The `monium.editor` role enables managing Monium resources, as well as reading and writing all types of telemetry.

Users with this role can:
* View info on [projects](../concepts/glossary.md#project) and [access permissions](../../iam/concepts/access-control/index.md) assigned to them, as well as set up projects.
* Read and write all types of Monium telemetry, such as [metrics](../metrics/quickstart.md), [logs](../logs/quickstart.md), and [distributed tracing](../traces/index.md).
* View [dashboards](../concepts/visualization/dashboard.md) and their [widgets](../concepts/visualization/widget.md), as well as create, modify, and delete dashboards.
* View the set-up context links on dashboard [charts](../concepts/visualization/widget.md#chart), as well as create, edit, and delete such links.
* View the list of the set-up [quick links](../concepts/glossary.md#project-menu) and info on them in the [project](../concepts/glossary.md#project) menu, as well as create, modify, and delete such links.
* View info on [shards](../concepts/glossary.md#shard), [clusters](../concepts/glossary.md#cluster), [services](../concepts/glossary.md#service) and their quotas, as well as create, modify, and delete shards.
* View the list of [alerts](../concepts/alerting/alert.md), their settings, and trigger history, as well as create, modify, and delete alerts.
* View the set-up [service level objectives (SLOs)](../slo/index.md), as well as create, modify, and delete SLOs.
* View the list of alert [notification channels](../concepts/alerting/notification-channel.md) and info on them, as well as create, modify, and delete such channels.
* View the list and settings of alert [escalation policies](../concepts/alerting/escalations.md#intro), as well as create, modify, and delete such policies.
* View info on alert notifications and [escalations](../concepts/alerting/escalations.md), as well as create, modify, and delete escalations.
* View, create, edit, and delete [mutes](../alerts/mutes.md), i.e., rules for temporarily disabling alert [notifications](../concepts/alerting/notification-channel.md).
* View, add new, edit, and delete the existing [labels](../traces/operations/traces-explorer.md) to log errors.
* View info on the Yandex Managed Service for Prometheus® [rules](../operations/prometheus/recording-rules.md), as well as create, modify, and delete such rules.
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `monium.viewer`, `monium.telemetry.writer`, `monium.dashboards.editor`, `monium.shards.editor`, `monium.contextLinks.editor`, `monium.quickLinks.editor`, `monium.alerts.editor`, `monium.serviceLevelObjectives.editor`, `monium.channels.editor`, `monium.escalationPolicies.editor`, `monium.escalations.editor`, `monium.mutes.editor`, and `monium.logErrorLabels.editor` permissions.

#### monium.admin {#monium-admin}

The `monium.admin` role enables managing Monium resources, read and write all types of telemetry, and manage projects and access to them.

Users with this role can:
* View info on [projects](../concepts/glossary.md#project) and create, set up, and delete them.
* View info on [access permissions](../../iam/concepts/access-control/index.md) granted for projects and modify such permissions.
* Read and write all types of Monium telemetry, such as [metrics](../metrics/quickstart.md), [logs](../logs/quickstart.md), and [distributed tracing](../traces/index.md).
* View [dashboards](../concepts/visualization/dashboard.md) and their [widgets](../concepts/visualization/widget.md), as well as create, modify, and delete dashboards.
* View the set-up context links on dashboard [charts](../concepts/visualization/widget.md#chart), as well as create, edit, and delete such links.
* View the list of the set-up [quick links](../concepts/glossary.md#project-menu) and info on them in the [project](../concepts/glossary.md#project) menu, as well as create, modify, and delete such links.
* View info on [shards](../concepts/glossary.md#shard), [clusters](../concepts/glossary.md#cluster), [services](../concepts/glossary.md#service) and their quotas, as well as create, modify, and delete shards.
* View the list of [alerts](../concepts/alerting/alert.md), their settings, and trigger history, as well as create, modify, and delete alerts.
* View the set-up [service level objectives (SLOs)](../slo/index.md), as well as create, modify, and delete SLOs.
* View the list of alert [notification channels](../concepts/alerting/notification-channel.md) and info on them, as well as create, modify, and delete such channels.
* View the list and settings of alert [escalation policies](../concepts/alerting/escalations.md#intro), as well as create, modify, and delete such policies.
* View info on alert notifications and [escalations](../concepts/alerting/escalations.md), as well as create, modify, and delete escalations.
* View, create, edit, and delete [mutes](../alerts/mutes.md), i.e., rules for temporarily disabling alert [notifications](../concepts/alerting/notification-channel.md).
* View, add new, edit, and delete the existing [labels](../traces/operations/traces-explorer.md) to log errors.
* View info on the Yandex Managed Service for Prometheus® [rules](../operations/prometheus/recording-rules.md), as well as create, modify, and delete such rules.
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `monium.editor` permissions.

### Primitive roles {#primitive-roles}

Primitive roles allow users to perform actions in all Yandex Cloud [services](../../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:
* View info on a [resource](../../resource-manager/concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the most secure role that does not grant any access to the [service](../../overview/concepts/services.md) data. This role suits the users who need minimum access to the Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants the permissions to read the info on any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Prior to assigning the `admin` role for an organization, [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), make sure to check out the information on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the [least privilege principle](../../security/standard/all.md#min-privileges).

For more information on primitive roles, see the [Yandex Cloud role reference](../../iam/roles-reference.md#primitive-roles).

## Assigning roles {#grant-roles}

To assign a role to a user:

1. [Add](../../organization/operations/add-account.md) the appropriate user, if required.
1. In the [management console](https://console.yandex.cloud), on the left, [select](../../resource-manager/operations/cloud/switch-cloud.md) a cloud.
1. Navigate to the **Access bindings** tab.
1. Click **Configure access**.
1. In the window that opens, select **User accounts**.
1. Select a user from the list or use the user search option.
1. Click ![image](../../_assets/console-icons/plus.svg) **Add role** and select a role for the cloud.
1. Click **Save**.