# Access management in Query

Query uses [roles](../../iam/concepts/access-control/roles.md) to manage access permissions.

Yandex Cloud users can only perform operations on resources within the permissions of the [roles](../../iam/concepts/access-control/roles.md) assigned to them. With no roles assigned, almost no operations are allowed.

To grant access to Yandex Query resources, assign the relevant roles from the list below to a Yandex account, [service account](../../iam/concepts/users/service-accounts.md), [federated](../../iam/concepts/users/accounts.md#saml-federation) or [local](../../iam/concepts/users/accounts.md#local) users, [user group](../../organization/operations/manage-groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md). Currently, a role can only be assigned for a parent resource, i.e., folder or cloud, whose roles are inherited by nested resources.

To learn more about role inheritance, see [Inheriting access permissions](../../resource-manager/concepts/resources-hierarchy.md#access-rights-inheritance) for Yandex Resource Manager.

To assign a role for a resource, you need the `yq.admin` role or one of the following roles for that resource:

* `admin`
* `resource-manager.admin`
* `organization-manager.admin`
* `resource-manager.clouds.owner`
* `organization-manager.organizations.owner`

## Assigning roles {#grant-roles}

To assign a role to a user:

1. [Add](../../organization/operations/add-account.md) the appropriate user, if required.
1. In the [management console](https://console.yandex.cloud), on the left, [select](../../resource-manager/operations/cloud/switch-cloud.md) a cloud.
1. Navigate to the **Access bindings** tab.
1. Click **Configure access**.
1. In the window that opens, select **User accounts**.
1. Select a user from the list or use the user search option.
1. Click ![image](../../_assets/console-icons/plus.svg) **Add role** and select a role for the cloud.
1. Click **Save**.

## Roles available in the service {#roles-list}

You can manage access to Query objects using both service roles and primitive roles. The diagram below shows available service roles and their permission inheritance hierarchy. For example, `editor` inherits all `viewer` permissions. You can find role descriptions below the diagram.

```mermaid
flowchart BT
    yq.editor --> yq.admin
    yq.invoker --> yq.editor
    yq.viewer --> yq.editor
    yq.auditor --> yq.viewer
```

The list below shows all the roles used for access control in Query.

### Service roles {#service-roles}

#### yq.auditor {#query-auditor}

The `yq.auditor` role allows you to view the service metadata, including the information on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder), [connections](../concepts/glossary.md#connection), [bindings](../concepts/glossary.md#binding), [queries](../concepts/glossary.md#query), and [runs](../concepts/glossary.md#jobs).

#### yq.viewer {#query-viewer}

The `yq.viewer` role allows you to view the service metadata, including the information on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder), [connections](../concepts/glossary.md#connection), [bindings](../concepts/glossary.md#binding), [queries](../concepts/glossary.md#query), and [runs](../concepts/glossary.md#jobs), including query texts and results.

This role includes the `yq.auditor` permissions.

#### yq.editor {#query-editor}

Users with the `yq.editor` role can manage connections and the queries they create.

Users with this role can:
* View info on the [queries](../concepts/glossary.md#query) they create and on such query [runs](../concepts/glossary.md#jobs), including query texts and results.
* Create queries, as well as run and cancel the runs of the queries they create.
* View info on [connections](../concepts/glossary.md#connection), as well as create, use, update, and delete them.
* View info on [bindings](../concepts/glossary.md#binding), as well as create, use, update, and delete them.
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `yq.viewer` and `yq.invoker` permissions.

#### yq.admin {#query-admin}

The `yq.admin` role allows you to manage any Yandex Query resources, including those labeled as private.

Users with this role can:
* View info on [queries](../concepts/glossary.md#query) and query [runs](../concepts/glossary.md#jobs), view query texts and results.
* Create queries, as well as run and cancel query runs.
* View info on [connections](../concepts/glossary.md#connection), as well as create, use, update, and delete them.
* View info on [bindings](../concepts/glossary.md#binding), as well as create, use, update, and delete them.
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `yq.editor` permissions.

#### yq.invoker {#query-invoker}

The `yq.invoker` role allows you to create and run [queries](../concepts/glossary.md#query), use [connections](../concepts/glossary.md#connection) and [bindings](../concepts/glossary.md#binding), as well as view information on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) and queries, including query texts and results.

The role is designed to automate query execution by service accounts. For example, you can use it to run queries in response to an event or on a schedule.
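The role inheritance shown in the diagram above, together with the point that `yq.invoker` is the role intended for service accounts that only run queries, lends itself to a small least-privilege check over a folder's access bindings. The following is an added example, not Yandex Cloud's code: it encodes the inheritance edges and the abilities each role grants as described on this page, computes the effective ability set of any role by walking the hierarchy, and flags service accounts whose role grants more than `yq.invoker` does. The ability names (`manage_connections`, `manage_private_resources`, and so on), the helper names, the subject IDs, and the binding JSON shape are this example's own assumptions; the shape is modelled loosely on what `yc resource-manager folder list-access-bindings --format json` returns, but the sample bindings are constructed, not captured from a real folder.

```python
"""Model the Query role hierarchy from this page and lint access bindings.

Added example, not Yandex Cloud code. Inheritance edges and abilities follow
the diagram and role descriptions on the page; ability names, subject IDs and
the binding JSON shape are assumptions made for this example.
"""
import json

# Direct inheritance edges from the diagram: role -> roles whose permissions it includes.
INCLUDES = {
    "yq.admin": {"yq.editor"},
    "yq.editor": {"yq.viewer", "yq.invoker"},
    "yq.viewer": {"yq.auditor"},
    "yq.invoker": set(),
    "yq.auditor": set(),
}

# Abilities each role grants directly. These are this example's labels for what
# the page describes, not real IAM permission strings. The page says yq.invoker
# can view folder and query information; that is simplified here to view_metadata.
DIRECT_ABILITIES = {
    "yq.auditor": {"view_metadata"},
    "yq.viewer": {"view_query_texts_and_results"},
    "yq.invoker": {"view_metadata", "view_query_texts_and_results",
                   "create_and_run_queries", "use_connections", "use_bindings"},
    "yq.editor": {"cancel_runs", "manage_connections", "manage_bindings"},
    "yq.admin": {"manage_private_resources"},
}


def effective_roles(role):
    """Return the role plus every role it transitively includes (cycle-safe)."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(INCLUDES.get(current, ()))
    return frozenset(seen)


def effective_abilities(role):
    """Union of the direct abilities of every role in the inheritance closure."""
    abilities = set()
    for included in effective_roles(role):
        abilities |= DIRECT_ABILITIES.get(included, set())
    return frozenset(abilities)


def lint_bindings(bindings, baseline="yq.invoker"):
    """Flag service accounts whose role grants abilities beyond the baseline role.

    Each binding is expected as {"roleId": ..., "subject": {"id": ..., "type": ...}}
    (assumed shape). Only subjects of type "serviceAccount" are checked, because
    the page designates yq.invoker as the role for automated query execution.
    """
    allowed = effective_abilities(baseline)
    findings = []
    for binding in bindings:
        subject = binding["subject"]
        if subject.get("type") != "serviceAccount":
            continue
        excess = effective_abilities(binding["roleId"]) - allowed
        if excess:
            findings.append({
                "subject": subject["id"],
                "role": binding["roleId"],
                "excess": sorted(excess),
            })
    return findings


# Constructed sample bindings; the subject IDs are placeholders, not real accounts.
SAMPLE_BINDINGS = json.loads("""[
  {"roleId": "yq.invoker", "subject": {"id": "sa-example-scheduler", "type": "serviceAccount"}},
  {"roleId": "yq.admin",   "subject": {"id": "sa-example-etl",       "type": "serviceAccount"}},
  {"roleId": "yq.editor",  "subject": {"id": "user-example-analyst", "type": "userAccount"}}
]""")

if __name__ == "__main__":
    for finding in lint_bindings(SAMPLE_BINDINGS):
        print(f"{finding['subject']} holds {finding['role']}; "
              f"abilities beyond yq.invoker: {', '.join(finding['excess'])}")
```

Running the module prints one finding, for the service account bound to `yq.admin`; the account bound to `yq.invoker` and the human user bound to `yq.editor` are not reported. Because `effective_roles` walks the same graph the diagram draws, changing an edge in `INCLUDES` is enough to keep the check in step with the documented hierarchy.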

### Primitive roles {#primitive-roles}

#### viewer

Users with the `viewer` role can view information about resources, e.g., query runs.

#### editor

Users with the `editor` role can manage any resources, e.g., create or delete queries. The `editor` role includes all permissions of the `viewer` role.

#### admin

Users with the `admin` role can manage resource access permissions, e.g., grant other users permission to create queries. The `admin` role includes all permissions of the `editor` role.