[Yandex Cloud documentation](../../index.md) > [Yandex Object Storage](../index.md) > [Access management](overview.md) > Identity and Access Management

# Managing access with Yandex Identity and Access Management

Object Storage incorporates several access management mechanisms. To learn how these mechanisms interact, see [Access management methods in Object Storage: Overview](overview.md).

In this section, you will learn:

* [What resources you can assign a role for](#resources).
* [What roles exist in the service](#roles-list).

## Access management {#about-access-control}

[Yandex Identity and Access Management](../../iam/index.md) checks all operations in Yandex Cloud. If an entity does not have required permissions, IAM returns an error.


To grant permissions for a resource, [assign](../../iam/operations/roles/grant.md) the relevant resource roles to an entity performing operations. You can assign roles to a [Yandex account](../../iam/concepts/users/accounts.md#passport), [service account](../../iam/concepts/users/service-accounts.md), [local user](../../iam/concepts/users/accounts.md#local), [federated user](../../iam/concepts/federations.md), [user group](../../organization/operations/manage-groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md). For more information, see [How access management works in Yandex Cloud](../../iam/concepts/access-control/index.md).

To assign a role for a resource, a user should have the `storage.admin` role or one of the following roles for that resource:

* `admin`
* `resource-manager.admin`
* `organization-manager.admin`
* `resource-manager.clouds.owner`
* `organization-manager.organizations.owner`

## Resources you can assign a role for {#resources}

You can assign a role to an [organization](../../organization/concepts/organization.md), [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [folder](../../resource-manager/concepts/resources-hierarchy.md#folder). The roles assigned to organizations, clouds, and folders also apply to their nested resources.

You can assign a role for a separate bucket in the [management console](https://console.yandex.cloud) or using the [Yandex Cloud API](../api-ref/Bucket/setAccessBindings.md) or [Terraform](../../terraform/resources/storage_bucket_iam_binding.md).

To learn how to manage access to buckets and objects in them, see [Access control list (ACL)](../concepts/acl.md).

## Roles this service has {#roles-list}

The chart below shows service’s roles and their permission inheritance. For example, `editor` inherits all `viewer` permissions. You can find role descriptions below the chart.

```mermaid
%%{init: {"flowchart": {'defaultRenderer': 'elk'}} }%%
flowchart BT
    storage.editor --> storage.admin
    storage.configurer --> storage.admin
    storage.configViewer --> storage.admin
    storage.uploader --> storage.editor
    storage.viewer --> storage.uploader 
```

### Service roles {#service-roles}

#### storage.viewer {#storage-viewer}

The `storage.viewer` role allows you to read data in buckets, view info on buckets and objects inside them, as well as info on the Object Storage folder and quotas.

{% cut "Users with this role can:" %}

* View the list of [buckets](../concepts/bucket.md).
* View the lists of [objects](../concepts/object.md) in buckets, object info and content.
* View info on [access permissions](../../iam/concepts/access-control/index.md) assigned for buckets and objects inside them.
* View bucket [CORS](../concepts/cors.md) configuration info.
* View bucket [static website hosting](../concepts/hosting.md) configuration info.
* View bucket access [protocol](../concepts/bucket.md#bucket-https) info.
* View bucket action [logging](../concepts/server-logs.md) settings.
* View bucket [versioning](../concepts/versioning.md) settings.
* View bucket [encryption](../concepts/encryption.md) settings.
* View bucket default [storage class](../concepts/storage-class.md#default-storage-class) info.
* View bucket [labels](../concepts/tags.md).
* View bucket region info.
* View object [lifecycle](../concepts/lifecycles.md) configuration info.
* View lists of object versions and version info.
* View [object version locks](../concepts/object-lock.md) info.
* View object and object version [labels](../concepts/tags.md#object-tags).
* View info on current [multipart uploads](../concepts/multipart.md) of objects and their parts.
* View [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../../resource-manager/concepts/resources-hierarchy.md#folder), and Object Storage statistics.
* View info on Object Storage [quotas](../concepts/limits.md#storage-quotas).
* View folder info.

{% endcut %}

#### storage.configViewer {#storage-config-viewer}

The `storage.configViewer` role allows you to view the settings info of buckets and objects inside them but not the data inside the bucket.

{% cut "Users with this role can:" %}

* View the list of [buckets](../concepts/bucket.md) and lists of [objects](../concepts/object.md) in buckets without access to object content.
* View info on [access permissions](../../iam/concepts/access-control/index.md) assigned for buckets and objects inside them.
* View bucket [access policy](../concepts/policy.md) info.
* View bucket [CORS](../concepts/cors.md) configuration info.
* View bucket [static website hosting](../concepts/hosting.md) configuration info.
* View bucket access [protocol](../concepts/bucket.md#bucket-https) info.
* View bucket action [logging](../concepts/server-logs.md) settings.
* View bucket [versioning](../concepts/versioning.md) settings.
* View bucket region info.
* View [object version locks](../concepts/object-lock.md) info.
* View lists of object versions in buckets.
* View bucket [encryption](../concepts/encryption.md) settings.
* View bucket default [storage class](../concepts/storage-class.md#default-storage-class) info.
* View bucket [labels](../concepts/tags.md).
* View object [lifecycle](../concepts/lifecycles.md) configuration info.
* View info on current [multipart uploads](../concepts/multipart.md) of objects and their parts.
* View [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../../resource-manager/concepts/resources-hierarchy.md#folder), and Object Storage statistics.
* View folder info.

{% endcut %}

#### storage.configurer {#storage-configurer}

The `storage.configurer` role allows you to manage object lifecycle, static website hosting, access policy, and CORS settings. It does not allow you to manage access control list (ACL) or public access settings, nor does it provide access to bucket data.

{% cut "Users with this role can:" %}

* View bucket [access policy](../concepts/policy.md) info, create, modify, and delete bucket access policies.
* View bucket [CORS](../concepts/cors.md) configuration info and modify the CORS configuration.
* View bucket [static website hosting](../concepts/hosting.md) configuration info and modify the static website hosting configuration.
* View bucket access [protocol](../concepts/bucket.md#bucket-https) info and change the access protocol.
* View bucket action [logging](../concepts/server-logs.md) settings and change the logging settings.
* View bucket [encryption](../concepts/encryption.md) settings and change the encryption settings.
* View bucket region info.
* View object [lifecycle](../concepts/lifecycles.md) configuration info and change the lifecycle configuration.
* View bucket [versioning](../concepts/versioning.md) settings.
* View [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) info.

{% endcut %}

#### storage.uploader {#storage-uploader}

The `storage.uploader` role allows you to upload objects into buckets with or without overwriting the previously uploaded ones, read data in buckets, view info on buckets and objects inside them, as well as info on the Object Storage folder and quotas. The role does not allow you to delete objects or configure buckets.

{% cut "Users with this role can:" %}

* View the list of [buckets](../concepts/bucket.md).
* View the lists of [objects](../concepts/object.md) in buckets, object info and content.
* Upload objects into a bucket.
* View info on [access permissions](../../iam/concepts/access-control/index.md) assigned for buckets and objects inside them.
* View bucket [CORS](../concepts/cors.md) configuration info.
* View bucket [static website hosting](../concepts/hosting.md) configuration info.
* View bucket access [protocol](../concepts/bucket.md#bucket-https) info.
* View bucket action [logging](../concepts/server-logs.md) settings.
* View bucket [versioning](../concepts/versioning.md) settings.
* View bucket [encryption](../concepts/encryption.md) settings.
* View bucket default [storage class](../concepts/storage-class.md#default-storage-class) info.
* View bucket [labels](../concepts/tags.md).
* View bucket region info.
* View object [lifecycle](../concepts/lifecycles.md) configuration info.
* View lists of object versions and version info.
* View info on [object version locks](../concepts/object-lock.md) and set up such locks.
* View object and object version [labels](../concepts/tags.md#object-tags), modify such labels.
* View info on current [multipart uploads](../concepts/multipart.md) of objects and their parts, delete partially uploaded objects.
* View [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../../resource-manager/concepts/resources-hierarchy.md#folder), and Object Storage statistics.
* View info on Object Storage [quotas](../concepts/limits.md#storage-quotas).
* View folder info.

{% endcut %}

This role includes the `storage.viewer` permissions.

#### storage.editor {#storage-editor}

The `storage.editor` role allows any operations with buckets and objects: creating, deleting, and editing them. The role does not allow managing access control list (ACL) settings and creating public buckets.

{% cut "Users with this role can:" %}

* View the list of [buckets](../concepts/bucket.md), create and delete buckets.
* View the lists of [objects](../concepts/object.md) in buckets, object info and content.
* View info on [access permissions](../../iam/concepts/access-control/index.md) assigned for buckets and objects inside them.
* Upload objects into a bucket, delete objects and object versions.
* View bucket [CORS](../concepts/cors.md) configuration info and modify the CORS configuration.
* View bucket [static website hosting](../concepts/hosting.md) configuration info and modify the static website hosting configuration.
* View bucket access [protocol](../concepts/bucket.md#bucket-https) info and change the access protocol.
* View bucket action [logging](../concepts/server-logs.md) settings and change the logging settings.
* View bucket [versioning](../concepts/versioning.md) settings.
* View bucket [encryption](../concepts/encryption.md) settings and change the encryption settings.
* View bucket default [storage class](../concepts/storage-class.md#default-storage-class) info, change the default storage class.
* View and modify bucket [labels](../concepts/tags.md).
* View bucket region info.
* View object [lifecycle](../concepts/lifecycles.md) configuration info and change the lifecycle configuration.
* View lists of object versions and version info.
* Restore object versions in versioning-enabled buckets.
* View info on [object version locks](../concepts/object-lock.md) and set up such locks.
* View object and object version [labels](../concepts/tags.md#object-tags), modify and delete such labels.
* View info on current [multipart uploads](../concepts/multipart.md) of objects and their parts, delete partially uploaded objects.
* View [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../../resource-manager/concepts/resources-hierarchy.md#folder), and Object Storage statistics.
* View info on Object Storage [quotas](../concepts/limits.md#storage-quotas).
* View folder info.

{% endcut %}

This role includes the `storage.uploader` permissions.

#### storage.admin {#storage-admin}

The `storage.admin` role allows you to manage Object Storage.

{% cut "Users with this role can:" %}

* View the list of [buckets](../concepts/bucket.md).
* Create buckets, including public ones, and delete buckets.
* View the lists of [objects](../concepts/object.md) in buckets, object info and content.
* View info on [access permissions](../../iam/concepts/access-control/index.md) assigned for buckets and objects inside them, modify access permissions for buckets and objects.
* View bucket [access policy](../concepts/policy.md) info, create, modify, and delete bucket access policies.
* Assign an [access control list](../concepts/acl.md) (ACL).
* Set up access to a bucket via a [service connection](../../vpc/concepts/private-endpoint.md) from a Virtual Private Cloud.
* Upload objects into a bucket, delete objects and object versions.
* View bucket [CORS](../concepts/cors.md) configuration info and modify the CORS configuration.
* View bucket [static website hosting](../concepts/hosting.md) configuration info and modify the static website hosting configuration.
* View bucket access [protocol](../concepts/bucket.md#bucket-https) info and change the access protocol.
* View bucket action [logging](../concepts/server-logs.md) settings and change the logging settings.
* View bucket [versioning](../concepts/versioning.md) settings and change the versioning settings.
* View bucket [encryption](../concepts/encryption.md) settings and change the encryption settings.
* View bucket default [storage class](../concepts/storage-class.md#default-storage-class) info, change the default storage class.
* View and modify bucket [labels](../concepts/tags.md).
* View bucket region info.
* View object [lifecycle](../concepts/lifecycles.md) configuration info and change the lifecycle configuration.
* View lists of object versions and version info.
* Restore object versions in versioning-enabled buckets.
* View info on [object version locks](../concepts/object-lock.md) and set up such locks.
* Bypass [governance-mode retention](../concepts/object-lock.md#types).
* View object and object version [labels](../concepts/tags.md#object-tags), modify and delete such labels.
* View info on current [multipart uploads](../concepts/multipart.md) of objects and their parts, delete partially uploaded objects.
* View [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), [folder](../../resource-manager/concepts/resources-hierarchy.md#folder), and Object Storage statistics.
* View info on Object Storage [quotas](../concepts/limits.md#storage-quotas).
* View folder info.

{% endcut %}

This role includes the `storage.editor`, `storage.configViewer`, and `storage.configurer` permissions.


### Primitive roles {#primitive-roles}

Primitive roles allow users to perform actions in all Yandex Cloud [services](../../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:
* View info on a [resource](../../resource-manager/concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the most secure role that does not grant any access to the [service](../../overview/concepts/services.md) data. This role suits the users who need minimum access to the Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants the permissions to read the info on any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Prior to assigning the `admin` role for an organization, [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), make sure to check out the information on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the [least privilege principle](../../security/standard/all.md#min-privileges).

For more information on primitive roles, see the [Yandex Cloud role reference](../../iam/roles-reference.md#primitive-roles).

## See also {#see-also}

* [Configuring access permissions for a bucket using Identity and Access Management](../operations/buckets/iam-access.md)