[Yandex Cloud documentation](../../index.md) > [Yandex Security Deck](../index.md) > [Access management](index.md) > DSPM roles

# Data Security Posture Management (DSPM) service roles

With [DSPM](../concepts/dspm.md) service roles, you can manage user access to the DSPM resources and their settings, as well as to the results of scans of sources for sensitive information.

```mermaid
flowchart BT
    dspm.admin --> security-deck.admin
    dspm.editor --> dspm.admin
    dspm.editor --> security-deck.editor
    dspm.viewer --> dspm.editor
    dspm.viewer --> security-deck.viewer
    dspm.auditor --> dspm.viewer
    dspm.auditor --> security-deck.auditor
    dspm.worker --> security-deck.worker

    security-deck.auditor --> security-deck.viewer
    security-deck.viewer --> security-deck.editor
    security-deck.editor --> security-deck.admin

    security-deck.auditor ~~~ security-deck.admin
```

#### dspm.worker {#dspm-worker}

The `dspm.worker` role enables viewing info on an [organization](../../organization/concepts/organization.md), viewing the list of [clouds](../../resource-manager/concepts/resources-hierarchy.md#cloud), [folders](../../resource-manager/concepts/resources-hierarchy.md#cloud), and [buckets](../../storage/concepts/bucket.md) in a [scan zone](../../resource-manager/concepts/resources-hierarchy.md#cloud) specified by the user and info on them, as well as viewing data in buckets being scanned.

The role is granted to the [service account](../../iam/concepts/users/service-accounts.md) that will be used to perform [scans](../../iam/concepts/users/service-accounts.md) for an organization, cloud, folder, or bucket.

The role does not enable viewing data in [encrypted buckets](../../storage/concepts/encryption.md). To scan an encrypted bucket, additionally grant the `kms.keys.decrypter` [role](../../kms/security/index.md#kms-keys-encrypter) to your service account either for the [encryption key](../../kms/security/index.md#kms-keys-encrypter) at hand or for the folder, cloud, or organization hosting this key.

{% note info %}

The role cannot guarantee access to a bucket if it has a Yandex Object Storage [access policy](../../storage/security/policy.md) applied to it.

{% endnote %}

#### dspm.inspector {#dspm-inspector}

The `dspm.inspector` role enables creating DSPM data sources using the specified Yandex Cloud resources. To create a DSPM data source, assign this role to a user for the appropriate cloud resource.

The `dspm.inspector` role is deprecated and no longer in use.

#### dspm.auditor {#dspm-auditor}

The `dspm.auditor` role enables viewing info on DSPM resources, as well as on scan jobs and the number of detected security threats. This role does not enable viewing masked and unprocessed data.

Users with this role can:
* View info on DSPM profiles.
* View info on DSPM [data sources](../concepts/dspm.md#data-source) and their scan areas.
* View info on DSPM [data categories](../concepts/dspm.md#data-categories).
* View info on sensitive data [scan](../concepts/dspm.md#scanning) jobs.
* View info on sensitive data scan jobs.
* View the lists of results and scan errors.
* View info on DSPM [data analysis](../concepts/dspm.md#discovery-mode) results.

#### dspm.viewer {#dspm-viewer}

The `dspm.viewer` role enables viewing info on DSPM resources, as well as on scan jobs and the number of detected security threats. This role does not enable viewing masked and unprocessed data.

Users with this role can:
* View info on DSPM profiles.
* View info on DSPM [data sources](../concepts/dspm.md#data-source) and their scan areas.
* View info on DSPM [data categories](../concepts/dspm.md#data-categories).
* View info on sensitive data [scan](../concepts/dspm.md#scanning) jobs.
* View info on sensitive data scan jobs.
* View the lists of results and scan errors when scanning for sensitive data.
* View info on DSPM [data analysis](../concepts/dspm.md#discovery-mode) results.

This role includes the `dspm.auditor` permissions.

#### dspm.editor {#dspm-editor}

The `dspm.editor` role enables using DSPM profiles and managing data sources and sensitive data scans. This role does not enable viewing masked and unprocessed data.

Users with this role can:
* View info on DSPM profiles and use them.
* View info on DSPM [data sources](../concepts/dspm.md#data-source) and their scan areas, as well as create, modify, use, and delete such sources.
* View info on DSPM [data categories](../concepts/dspm.md#data-categories).
* View info on sensitive data [scan](../concepts/dspm.md#scanning) jobs, as well as create, run, suspend, resume, modify, and delete such jobs.
* View info on sensitive data scans, as well as create, suspend, resume, modify, and delete them.
* View the lists of results and scan errors when scanning for sensitive data.
* View info on DSPM [data analysis](../concepts/dspm.md#discovery-mode) results.

This role includes the `dspm.viewer` permissions.

#### dspm.admin {#dspm-admin}

The `dspm.admin` role enables using DSPM profiles and managing data sources and sensitive data scans, which includes viewing masked and unprocessed data in the scan results.

Users with this role can:
* View info on DSPM profiles and use them.
* View info on DSPM [data sources](../concepts/dspm.md#data-source) and their scan areas, as well as create, modify, use, and delete such sources.
* Use Yandex Cloud resources in DSPM data sources.
* View info on DSPM [data categories](../concepts/dspm.md#data-categories).
* View info on sensitive data [scan](../concepts/dspm.md#scanning) jobs, as well as create, run, suspend, resume, modify, and delete such jobs.
* View info on sensitive data scans, as well as create, suspend, resume, modify, and delete them.
* View the lists of results and scan errors when scanning for sensitive data.
* View info on DSPM [data analysis](../concepts/dspm.md#discovery-mode) results.
* Run security scan jobs and view their results and info on detected threats, which includes viewing masked and unprocessed data in the scan results.

This role includes the `dspm.editor` permissions.