[Yandex Cloud documentation](../../index.md) > [Yandex Resource Manager](../index.md) > Access management

# Access management in Resource Manager

In this section, you will learn about:
* [Resources you can assign a role for](#resources).
* [Roles this service has](#roles-list).
* [Roles required](#required-roles) for specific actions.

## Access management {#about-access-control}

[Yandex Identity and Access Management](../../iam/index.md) checks all operations in Yandex Cloud. If an entity does not have required permissions, IAM returns an error.


To grant permissions for a resource, [assign](../../iam/operations/roles/grant.md) the relevant resource roles to an entity performing operations. You can assign roles to a [Yandex account](../../iam/concepts/users/accounts.md#passport), [service account](../../iam/concepts/users/service-accounts.md), [local user](../../iam/concepts/users/accounts.md#local), [federated user](../../iam/concepts/federations.md), [user group](../../organization/operations/manage-groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md). For more information, see [How access management works in Yandex Cloud](../../iam/concepts/access-control/index.md).

To assign roles for a resource, you need to have one of the following roles for that resource:

* `admin`
* `resource-manager.admin`
* `organization-manager.admin`
* `resource-manager.clouds.owner`
* `organization-manager.organizations.owner`

## Resources you can assign a role for {#resources}

You can assign a role to an [organization](../../organization/concepts/organization.md), [cloud](../concepts/resources-hierarchy.md#cloud), or [folder](../concepts/resources-hierarchy.md#folder). The roles assigned to organizations, clouds, and folders also apply to their nested resources.

## Roles this service has {#roles-list}

The chart below shows service’s roles and their permission inheritance. For example, `editor` inherits all `viewer` permissions. You can find role descriptions below the chart.

```mermaid
%%{init: {"flowchart": {'defaultRenderer': 'elk'}} }%%
flowchart BT
resource-manager.auditor --> resource-manager.viewer --> resource-manager.editor --> resource-manager.admin --> resource-manager.clouds.owner
resource-manager.clouds.member --> resource-manager.clouds.owner
```

### Service roles {#service-roles}

#### resource-manager.auditor {#resource-manager-auditor}

The `resource-manager.auditor` role enables viewing cloud and folder metadata, as well as the info on the access permissions granted to clouds and folders.

Users with this role can:
* View info on [clouds](../concepts/resources-hierarchy.md#cloud) and their settings, as well as on the [access permissions](../../iam/concepts/access-control/index.md) granted to clouds.
* View info on [folders](../concepts/resources-hierarchy.md#folder) and their settings, as well as on the access permissions granted to folders.
* View [access policies](../../iam/concepts/access-control/access-policies.md) assigned to clouds and folders.
* View info on the Resource Manager [quotas](../concepts/limits.md#resmgr-quotas).

#### resource-manager.viewer {#resource-manager-viewer}

The `resource-manager.viewer` role enables viewing info on clouds and folders, as well as on the access permissions to clouds and folders.

Users with this role can:
* View info on [clouds](../concepts/resources-hierarchy.md#cloud) and their settings, as well as on the [access permissions](../../iam/concepts/access-control/index.md) to clouds.
* View info on [folders](../concepts/resources-hierarchy.md#folder) and their settings, as well as on the access permissions to folders.
* View [access policies](../../iam/concepts/access-control/access-policies.md) assigned to clouds and folders.
* View info on the Resource Manager [quotas](../concepts/limits.md#resmgr-quotas).

This role includes the `resource-manager.auditor` permissions.

#### resource-manager.editor {#resource-manager-editor}

The `resource-manager.editor` role enables managing clouds and folders, as well as viewing the info on the access permissions granted to clouds and folders.

Users with this role can:
* View info on [clouds](../concepts/resources-hierarchy.md#cloud), their settings, and the [access permissions](../../iam/concepts/access-control/index.md) to such clouds, as well as create, modify, and delete clouds.
* View info on [folders](../concepts/resources-hierarchy.md#folder), their settings, and the access permissions to such folders, as well as create, modify, and delete folders.
* View [access policies](../../iam/concepts/access-control/access-policies.md) assigned to clouds and folders.
* View info on the Resource Manager [quotas](../concepts/limits.md#resmgr-quotas).

This role includes the `resource-manager.viewer` permissions.

#### resource-manager.admin {#resource-manager-admin}

The `resource-manager.admin` role enables managing clouds and folders, as well as access to those.

Users with this role can:
* View info on granted [access permissions](../../iam/concepts/access-control/index.md) to [clouds](../concepts/resources-hierarchy.md#cloud) and modify such permissions.
* View info on clouds and their settings, as well as create, modify, and delete clouds.
* View info on granted access permissions to [folders](../concepts/resources-hierarchy.md#folder) and modify such permissions.
* View [access policies](../../iam/concepts/access-control/access-policies.md) assigned to clouds and folders, as well as assign such policies to clouds and folders and revoke them.
* View info on folders and their settings, as well as create, modify, and delete folders.
* View info on the Resource Manager [quotas](../concepts/limits.md#resmgr-quotas).

This role includes the `resource-manager.editor` permissions.

#### resource-manager.clouds.member {#resource-manager-clouds-member}

The `resource-manager.clouds.member` role enables viewing info on the relevant cloud and contacting the Yandex Cloud support.

The role can only be assigned for a cloud.

Users with this role can:
* View the list of technical support [requests](../../support/overview.md#response-time) and the info on them, as well as create and close such requests, leave comments, and attach files to them.
* View info on [clouds](../concepts/resources-hierarchy.md#cloud) and their settings.

#### resource-manager.clouds.owner {#resource-manager-clouds-owner}

The `resource-manager.clouds.owner` role enables running any operations within the [cloud](../concepts/resources-hierarchy.md#cloud) and its child [resources](../concepts/resources-hierarchy.md).

It also allows you to manage linking the cloud to a [billing account](../../billing/concepts/billing-account.md) (for that purpose, you also need permissions for that billing account). For more information on managing access to a billing account, see the [Yandex Cloud Billing documentation](../../billing/security/index.md#billing-account).

By default, the users with this role get [notifications](../concepts/notify.md) on what happens to the cloud and its folders.

You can only assign this role for a cloud. Any user creating a cloud automatically gets such a role for the cloud.

This role includes the `admin` and `resource-manager.clouds.member` permissions.


### Primitive roles {#primitive-roles}

Primitive roles allow users to perform actions in all Yandex Cloud [services](../../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:
* View info on a [resource](../concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the most secure role that does not grant any access to the [service](../../overview/concepts/services.md) data. This role suits the users who need minimum access to the Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants the permissions to read the info on any Yandex Cloud [resources](../concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Prior to assigning the `admin` role for an organization, [cloud](../concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), make sure to check out the information on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the [least privilege principle](../../security/standard/all.md#min-privileges).

For more information on primitive roles, see the [Yandex Cloud role reference](../../iam/roles-reference.md#primitive-roles).

## Required roles {#required-roles}

The table below lists the roles required for specific actions. You can always assign a role with more permissions, e.g., `editor` instead of `viewer`.

Action | Methods | Required roles
----- | ----- | -----
**Viewing data** | |
Viewing resource details | `get`, `list` | `viewer` for this resource
Viewing information about a folder or cloud | `get`, `list` | `resource-manager.viewer` for the folder or cloud
View metadata about a folder or cloud | `get`, `list` | `resource-manager.auditor` for the folder or cloud
**Managing resources** | |
[Creating a cloud](../operations/cloud/create.md) | | To create your first cloud, no roles are required. You only need to authenticate (a user is automatically assigned the `resource-manager.clouds.owner` role in the created organization). Later, you will need the `resource-manager.editor` or `editor` role for the organization.
[Updating a cloud](../operations/cloud/update.md) | `update` | `editor` or `resource-manager.editor` for the cloud
[Deleting a cloud](../operations/cloud/delete.md) | `delete` | `resource-manager.clouds.owner` for the cloud
[Create a folder in the cloud](../operations/folder/create.md) | `create` | `editor` or `resource-manager.editor` for the cloud
[Updating a folder](../operations/folder/update.md) | `update` | `editor` or `resource-manager.editor` for the folder
[Deleting a folder](../operations/folder/delete.md) | `delete` | `editor` or `resource-manager.editor` for the folder
**Managing resource access** | |
Invite a new user to an organization | | `organization-manager.admin` |
[Making a new user the owner of the cloud](../operations/cloud/set-access-bindings.md) | `setAccessBindings`, `updateAccessBindings` | `resource-manager.clouds.owner` for this cloud
View roles granted for a resource | `listAccessBindings` | `viewer` for this resource
View roles granted for the folder or cloud | `listAccessBindings` | `resource-manager.viewer` for the folder or cloud
[Assign a role](../../iam/operations/roles/grant.md) and [revoke a role](../../iam/operations/roles/revoke.md) for the folder or cloud | `setAccessBindings`, `updateAccessBindings` | `admin` or `resource-manager.admin` for the folder or cloud

#### What's next {#what-is-next}

* [How to assign a role](../../iam/operations/roles/grant.md).
* [How to revoke a role](../../iam/operations/roles/revoke.md).
* [Learn more about access management in Yandex Cloud](../../iam/concepts/access-control/index.md).
* [Learn more about role inheritance](../concepts/resources-hierarchy.md#access-rights-inheritance).