[Yandex Cloud documentation](../../index.md) > [Yandex Security Deck](../index.md) > Access management > Common Security Deck roles

# Common Yandex Security Deck roles

Yandex Cloud users can only perform operations on resources within the permissions of the [roles](../../iam/concepts/access-control/roles.md) assigned to them. With no roles assigned, almost no operations are allowed.

To allow access to Security Deck resources, assign relevant roles from the list below to a Yandex account, [service account](../../iam/concepts/users/service-accounts.md), [federated](../../iam/concepts/users/accounts.md#saml-federation) or [local](../../iam/concepts/users/accounts.md#local) users, [user group](../../organization/operations/manage-groups.md), or [system group](../../iam/concepts/access-control/system-group.md). Currently, a role can only be assigned for a parent resource, i.e., folder or cloud, whose roles are inherited by nested resources.

For more information about role inheritance, see [Inheritance of access permissions](../../resource-manager/concepts/resources-hierarchy.md#access-rights-inheritance) in the Resource Manager documentation.

## Roles this service has {#roles-list}

```mermaid
flowchart BT
    security-deck.worker ~~~ security-deck.auditor
    security-deck.auditor --> security-deck.viewer
    security-deck.viewer --> security-deck.editor
    security-deck.editor --> security-deck.admin
```

In Security Deck, you can manage access using both service and primitive roles.

### Service roles {#service-roles}

#### security-deck.worker {#security-deck-worker}

The `security-deck.worker` enables viewing info on the DSPM scan area, as well as on controlled KSPM, CSPM, and TD resources in Security Deck.

Users with this role can:

* View info on the [organization](../../organization/concepts/organization.md), the list of and info on [clouds](../../resource-manager/concepts/resources-hierarchy.md#cloud), [folders](../../resource-manager/concepts/resources-hierarchy.md#folder), and [buckets](../../storage/concepts/bucket.md) in the DSPM [scan area](../concepts/dspm.md#data-source) configured by the user, and data in scanned buckets.
* View the list of clouds and folders and their info as controlled resources of a Security Deck [workspace](../concepts/workspace.md) for [KSPM](../concepts/kspm.md).
* View the list of Kubernetes clusters and info on them and their settings as controlled resources of a Security Deck workspace for KSPM.
* View info on the organization, the list of clouds and folders, and their info as controlled resources of a Security Deck workspace for [CSPM](../concepts/cspm.md).
* View logs registered in the customer's infrastructure using [Yandex Audit Trails](../../audit-trails/index.md) for [TD](../concepts/threat-detector.md).

The role is assigned to the [service account](../../iam/concepts/users/service-accounts.md) to perform the DSPM [scan](../concepts/dspm.md#scanning) or the KSPM, CSPM, or TD check. The role extends to an organization, cloud, folder, or bucket (if using [DSPM](../concepts/dspm.md)).

The role does not allow viewing data in [encrypted buckets](../../storage/concepts/encryption.md). To scan an encrypted bucket, additionally assign to the service account the `kms.keys.decrypter` [role](../../kms/security/index.md#kms-keys-encrypter) for the [encryption key](../../kms/security/index.md#kms-keys-encrypter) or for the folder, cloud, or organization this key resides in.

This role includes the `dspm.worker`, `kspm.worker`, `cspm.worker`, and `td.worker` permissions.

{% note info %}

The role cannot guarantee access to a bucket with a Yandex Object Storage [access policy](../../storage/security/policy.md) applied.

{% endnote %}

#### security-deck.auditor {#security-deck-auditor}

The `security-deck.auditor` role enables viewing info on DSPM, CSPM, KSPM, VM, and TD resources, on alerts and alert sinks, as well as on scan jobs and the number of detected security threats. This role does not enable viewing masked and unprocessed data.

Users with this role can:
* View info on DSPM profiles.
* View info on DSPM [data sources](../concepts/dspm.md#data-source) and their scan areas.
* View info on sensitive data [scan](../concepts/dspm.md#scanning) jobs in DSPM.
* View info on data types and [categories](../concepts/dspm.md#data-categories).
* View info on sensitive data scan jobs in DSPM.
* View the lists of results and scan errors.
* View DSPM scan results and info on detected threats.
* View info on DSPM [data analysis](../concepts/dspm.md#discovery-mode) results.
* View info on Security Deck [workspaces](../concepts/workspace.md) and resources managed in them, as well as on [access permissions](../../iam/concepts/access-control/index.md) granted for them.
* View info on [connectors](../concepts/workspace.md#connectors).
* View info on cloud infrastructure checks for compliance with [security standards](../concepts/cspm.md#standards), as well as on jobs for such checks configured in the [CSPM](../concepts/cspm.md) settings.
* View info on the [KSPM](../concepts/kspm.md) settings and operations, as well as the list of exceptions from rules.
* View info on [alert sinks](../concepts/workspace.md#alert-sinks) and access permissions granted for them.
* View [VM](../concepts/vulnerability-management.md) scan results.
* View info on [TD](../concepts/threat-detector.md) security management rules and access permissions granted for TD.

This role includes the `dspm.auditor`, `cspm.auditor`, `kspm.auditor`, `security-deck.alertSinks.auditor`, `vulnerability-manager.auditor`, and `threat-detector.auditor` permissions.

#### security-deck.viewer {#security-deck-viewer}

The `security-deck.viewer` role enables viewing info on events of access to organization resources by Yandex Cloud employees, on DSPM, CSPM, KSPM, VM, and TD resources, on alerts and alert sinks, as well as on scan jobs and the number of detected security threats. This role does not enable viewing masked and unprocessed data.

{% cut "Users with this role can:" %}

* View the list of events when Yandex Cloud employees access organization resources.
* Approve or disapprove the results of a neural network-driven analysis of events when Yandex Cloud employees access organization resources.
* View info on DSPM profiles.
* View info on DSPM [data sources](../concepts/dspm.md#data-source) and their scan areas.
* View info on sensitive data [scan](../concepts/dspm.md#scanning) jobs in DSPM.
* View info on data types and [categories](../concepts/dspm.md#data-categories).
* View info on sensitive data scan jobs in DSPM.
* View the lists of results and scan errors.
* View DSPM scan results and info on detected threats.
* View info on DSPM [data analysis](../concepts/dspm.md#discovery-mode) results.
* View info on Security Deck [workspaces](../concepts/workspace.md) and resources managed in them, as well as on [access permissions](../../iam/concepts/access-control/index.md) granted for them.
* View info on [connectors](../concepts/workspace.md#connectors).
* View info on cloud infrastructure checks for compliance with [security standards](../concepts/cspm.md#standards) and their results, as well as on jobs for such checks and [exceptions](../concepts/cspm.md#exceptions) from check rules configured in the [CSPM](../concepts/cspm.md) settings.
* View info on the [KSPM](../concepts/kspm.md) settings, Managed Service for Kubernetes [clusters](../../managed-kubernetes/concepts/index.md#kubernetes-cluster) connected to KSPM, exceptions from rules, exceptions from the scope of control, and KSPM users and operations.
* View info on [alert sinks](../concepts/workspace.md#alert-sinks) and access permissions granted for them.
* View info on [alerts](../concepts/alerts.md) and access permissions granted for them.
* View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.
* View info on [VM](../concepts/vulnerability-management.md) scan jobs and their results.
* View info on [TD](../concepts/threat-detector.md) security management rules and access permissions granted for TD.

{% endcut %}

This role includes the `access-transparency.viewer`, `dspm.viewer`, `cspm.viewer`, `kspm.viewer`, `security-deck.alertSinks.viewer`, `vulnerability-manager.viewer`, and `threat-detector.viewer` permissions.

#### security-deck.editor {#security-deck-editor}

The `security-deck.editor` role enables managing subscriptions to events of access to organization resources by Yandex Cloud employees, managing workspaces, alerts, and alert sinks, as well as DSPM, CSPM, KSPM, VM, and TD resources. This role does not enable viewing masked and unprocessed data.

{% cut "Users with this role can:" %}

* Select a [billing account](../../billing/concepts/billing-account.md) in Access Transparency.
* View info on subscriptions to events of access to organization resources by Yandex Cloud employees, as well as create, delete, and cancel deletion of such subscriptions.
* View the list of events when Yandex Cloud employees access organization resources.
* Approve or disapprove the results of a neural network-driven analysis of events when Yandex Cloud employees access organization resources.
* View info on DSPM profiles and use them.
* View info on DSPM [data sources](../concepts/dspm.md#data-source) and their scan areas, as well as create, modify, use, and delete such sources.
* View info on DSPM sensitive data [scan](../concepts/dspm.md#scanning) jobs, as well as create, run, suspend, resume, modify, and delete such jobs.
* View info on sensitive data scans, as well as create, suspend, resume, modify, and delete them.
* View the lists of results and scan errors when scanning for sensitive data.
* View DSPM sensitive data scan results and info on detected threats.
* View info on DSPM data types and [categories](../concepts/dspm.md#data-categories).
* View info on DSPM [data analysis](../concepts/dspm.md#discovery-mode) results.
* View [bucket](../../storage/concepts/bucket.md) metadata.
* View info on Security Deck [workspaces](../concepts/workspace.md) and resources managed in them, as well as on [access permissions](../../iam/concepts/access-control/index.md) granted for them.
* Create, modify, and delete Security Deck workspaces.
* View info on [connectors](../concepts/workspace.md#connectors), as well as create, use, modify, and delete them.
* View info on cloud infrastructure checks for compliance with [security standards](../concepts/cspm.md#standards) configured in the [CSPM settings](../concepts/cspm.md), as well as delete checks.
* View info on CSPM check jobs.
* Manually run checks for compliance with CSPM security standards.
* View CSPM check results.
* Create, suspend, resume, modify, and delete CSPM check jobs.
* View [exceptions](../concepts/cspm.md#exceptions) from CSPM check rules, as well as create and delete such exceptions.
* Engage, set up, and disconnect [KSPM](../concepts/kspm.md), as well as create, modify, and delete exceptions from rules and from the control scope.
* View info on Managed Service for Kubernetes [clusters](../../managed-kubernetes/concepts/index.md#kubernetes-cluster) connected to KSPM, as well as on KSPM users and operations.
* View info on [alert sinks](../concepts/workspace.md#alert-sinks) and access permissions granted for them.
* Create, use, modify, and delete alert sinks.
* View info on [alerts](../concepts/alerts.md) and access permissions granted for them.
* View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.
* Create, modify, and delete alerts.
* View the list of comments to alerts, as well as create, modify, and delete such comments.
* View info on Vulnerability Management [scan](../concepts/vulnerability-management.md#scanning) jobs and modify such jobs.
* Run [Vulnerability Management](../concepts/vulnerability-management.md) scan jobs and view their results.
* View info on [TD](../concepts/threat-detector.md) security management rules and create exceptions from such rules.
* View info on access permissions granted for TD.

{% endcut %}

This role includes the `access-transparency.editor`, `dspm.editor`, `cspm.editor`, `kspm.editor`, `security-deck.alertSinks.editor`, `vulnerability-manager.editor`, and `threat-detector.editor` permissions.

#### security-deck.admin {#security-deck-admin}

The `security-deck.admin` role enables managing subscriptions to events of access to organization resources by Yandex Cloud employees, managing workspaces, alerts, and alert sinks, as well as DSPM, CSPM, KSPM, VM, and TD resources. This role enables viewing masked and unprocessed data in scan results.

{% cut "Users with this role can:" %}

* Select a [billing account](../../billing/concepts/billing-account.md) in Access Transparency.
* View info on subscriptions to events of access to organization resources by Yandex Cloud employees, as well as create, delete, and cancel deletion of such subscriptions.
* View the list of events when Yandex Cloud employees access organization resources.
* Approve or disapprove the results of a neural network-driven analysis of events when Yandex Cloud employees access organization resources.
* View info on DSPM profiles and use them.
* View info on DSPM [data sources](../concepts/dspm.md#data-source) and their scan areas, as well as create, modify, use, and delete such sources.
* Use Yandex Cloud resources in DSPM data sources.
* View info on DSPM data types and [categories](../concepts/dspm.md#data-categories).
* View info on DSPM [data analysis](../concepts/dspm.md#discovery-mode) results.
* View info on DSPM sensitive data [scan](../concepts/dspm.md#scanning) jobs, as well as create, run, suspend, resume, modify, and delete such jobs.
* View info on sensitive data scans, as well as create, suspend, resume, modify, and delete them.
* View the lists of results and scan errors when scanning for sensitive data.
* View the results of DSPM scan jobs and info on detected threats, which includes viewing masked and unprocessed data in the scan results.
* View [bucket](../../storage/concepts/bucket.md) metadata.
* View info on Security Deck [workspaces](../concepts/workspace.md) and resources managed in them, as well as create, modify, and delete Security Deck workspaces.
* View info on [access permissions](../../iam/concepts/access-control/index.md) granted for Security Deck workspaces and modify such permissions.
* View info on [connectors](../concepts/workspace.md#connectors), as well as create, use, modify, and delete them.
* View info on cloud infrastructure checks for compliance with [security standards](../concepts/cspm.md#standards) configured in the [CSPM settings](../concepts/cspm.md), as well as delete checks.
* View info on CSPM check jobs.
* Manually run checks for compliance with CSPM security standards.
* View CSPM check results.
* Create, suspend, resume, modify, and delete CSPM check jobs.
* View [exceptions](../concepts/cspm.md#exceptions) from CSPM check rules, as well as create and delete such exceptions.
* Engage, set up, and disconnect [KSPM](../concepts/kspm.md), as well as create, modify, and delete exceptions from rules and from the control scope.
* View info on Managed Service for Kubernetes [clusters](../../managed-kubernetes/concepts/index.md#kubernetes-cluster) connected to KSPM, as well as on KSPM users and operations.
* View info on [alert sinks](../concepts/workspace.md#alert-sinks), as well as create, use, modify, and delete them.
* View info on access permissions granted for alert sinks and modify such permissions.
* View info on [alerts](../concepts/workspace.md#connectors), as well as create, modify, and delete them.
* View info on access permissions granted for alerts and modify such permissions.
* View additional info on alerts and their sources, the list of affected resources, and tips on resolving issues.
* View the list of comments to alerts, as well as create, modify, and delete such comments.
* View info on Vulnerability Management [scan](../concepts/vulnerability-management.md#scanning) jobs and modify such jobs.
* Run [Vulnerability Management](../concepts/vulnerability-management.md) scan jobs and view their results.
* View info on [TD](../concepts/threat-detector.md) security management rules and create exceptions from such rules.
* View info on access permissions granted for TD and modify such permissions.

{% endcut %}

This role includes the `access-transparency.admin`, `dspm.admin`, `cspm.admin`, `kspm.admin`, `security-deck.alertSinks.admin`, `vulnerability-manager.admin`, and `threat-detector.admin` permissions.

Yandex Cloud also supports a separate list of roles for each Security Deck module. For more information, see:

* [Roles for Data Security Posture Management](dspm-roles.md).
* [Roles for security management with KSPM](kspm-roles.md).
* [Roles for Cloud Infrastructure Entitlement Management](ciem-roles.md).
* [Roles for security management with CSPM](cspm-roles.md).
* [Roles for Access Transparency data analysis](access-transparency-roles.md).
* [Roles for managing alerts and alert sinks](alerts-roles.md).

### Primitive roles {#primitive-roles}

Primitive roles allow users to perform actions in all Yandex Cloud [services](../../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:
* View info on a [resource](../../resource-manager/concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the most secure role that does not grant any access to the [service](../../overview/concepts/services.md) data. This role suits the users who need minimum access to the Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants the permissions to read the info on any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Prior to assigning the `admin` role for an organization, [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), make sure to check out the information on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the [least privilege principle](../../security/standard/all.md#min-privileges).

For more information on primitive roles, see the [Yandex Cloud role reference](../../iam/roles-reference.md#primitive-roles).

## Useful links {#see-also}

[Hierarchy of Yandex Cloud](../../resource-manager/concepts/resources-hierarchy.md) resources