
# Access management in Yandex Cloud Video

In this section, you will learn about:

* [Resources supporting role assignment](#resources).
* [Roles this service has](#roles-list).

## Access management {#about-access-control}

Access to Cloud Video is controlled by assigning permissions within the [organization](../../organization/concepts/organization.md). Organizations are managed using [Yandex Identity Hub](../../organization/index.md).

The operations available to Cloud Video users are determined by their roles. You can assign roles to a Yandex account, [federated](../../iam/concepts/users/accounts.md#saml-federation) or [local](../../iam/concepts/users/accounts.md#local) users, a [user group](../../organization/operations/manage-groups.md), a [system group](../../iam/concepts/access-control/system-group.md), or a [public group](../../iam/concepts/access-control/public-group.md). For more information about access management in Yandex Cloud, see [How access management works in Yandex Cloud](../../iam/concepts/access-control/index.md).

To assign a role for a resource, you need the `video.admin` role or one of the following roles for that resource:

* `admin`
* `resource-manager.admin`
* `organization-manager.admin`
* `resource-manager.clouds.owner`
* `organization-manager.organizations.owner`

## Resources you can assign a role for {#resources}

You can assign a role for a [channel](../concepts/index.md#channels) from the Cloud Video [interface](https://video.yandex.cloud/) or via the [API](../api-ref/authentication.md).

## Adding a user to Cloud Video {#add-user}

You can add a user to Cloud Video as follows:
* Send an invitation from the Cloud Video [interface](https://video.yandex.cloud/) by specifying the email address the user used to sign up to the organization.
* [Grant](../../organization/security/index.md) access permissions via the Yandex Identity Hub interface.

## Roles this service has {#roles-list}

The chart below shows the service’s roles and their permission inheritance. For example, `editor` inherits all `viewer` permissions. You can find role descriptions below the chart.

```mermaid
%%{init: {"flowchart": {'defaultRenderer': 'elk'}} }%%
flowchart BT
    video.auditor --> video.viewer
    video.viewer --> video.editor
    video.editor --> video.admin
```

### Service roles {#service-roles}

#### video.auditor {#video-auditor}

The `video.auditor` role enables viewing info on Cloud Video resources or a separate [channel’s](../concepts/index.md#channels) resources, their settings, and their assigned [access permissions](../../iam/concepts/access-control/index.md).

#### video.viewer {#video-viewer}

The `video.viewer` role enables viewing info on Cloud Video resources or a separate channel’s resources, their settings, and their assigned access permissions.

Users with this role can:
* View info on Cloud Video resources and their settings.
* Download source [video](../concepts/videos.md) and [subtitle](../concepts/videos.md#subtitles) files as well as thumbnails.
* View info on [access permissions](../../iam/concepts/access-control/index.md) granted for [channels](../concepts/index.md#channels).

This role includes the `video.auditor` permissions.

#### video.editor {#video-editor}

The `video.editor` role enables managing Cloud Video resources or a dedicated channel’s resources, as well as broadcasting video streams.

Users with this role can:
* View info on Cloud Video resources and their settings, as well as create, modify, and delete such resources.
* [Broadcast](../concepts/streams.md#streams) live video streams from Cloud Video.
* Download source [video](../concepts/videos.md) and [subtitle](../concepts/videos.md#subtitles) files as well as thumbnails.
* Use AI features, such as video [summarization](../concepts/videos.md#summarization) and [neural machine translation](../concepts/videos.md#stranslation).
* View info on [access permissions](../../iam/concepts/access-control/index.md) granted for Cloud Video [channels](../concepts/index.md#channels).

This role includes the `video.viewer` permissions.

#### video.admin {#video-admin}

The `video.admin` role enables managing Cloud Video resources or a dedicated channel’s resources and assigning access permissions to all resources or a channel’s resources.

Users with this role can:
* View info on [access permissions](../../iam/concepts/access-control/index.md) granted for [channels](../concepts/index.md#channels) and modify such permissions.
* View info on Cloud Video resources and their settings, as well as create, modify, and delete such resources.
* [Broadcast](../concepts/streams.md#streams) live video streams from Cloud Video.
* Download source [video](../concepts/videos.md) and [subtitle](../concepts/videos.md#subtitles) files as well as thumbnails.
* Use AI features, such as video [summarization](../concepts/videos.md#summarization) and [neural machine translation](../concepts/videos.md#stranslation).

This role includes the `video.editor` permissions.

### Primitive roles {#primitive-roles}

Primitive roles allow users to perform actions in all Yandex Cloud [services](../../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants permission to read the configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:
* View info on a [resource](../../resource-manager/concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the most secure role: it does not grant any access to [service](../../overview/concepts/services.md) data. This role suits users who need minimum access to Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants the permissions to read the info on any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Prior to assigning the `admin` role for an organization, [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), make sure to check out the information on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the [least privilege principle](../../security/standard/all.md#min-privileges).

For more information on primitive roles, see the [Yandex Cloud role reference](../../iam/roles-reference.md#primitive-roles).
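
The following is an added example, not part of the Yandex Cloud documentation. It audits a set of access bindings against the role model described on this page and flags roles that allow assigning roles, primitive roles, and roles made redundant by inheritance. The binding layout, subject names, and finding labels are assumptions, and the sample bindings are constructed.

```python
# Added example: audit access bindings against the role model on this page.
# Binding layout, subject names, and finding labels are assumptions.

# "This role includes the ... permissions", as stated per role on the page.
INCLUDES = {
    "video.viewer": "video.auditor", "video.editor": "video.viewer",
    "video.admin": "video.editor",
    "viewer": "auditor", "editor": "viewer", "admin": "editor",
}
# Roles the page lists as sufficient to assign a role for a resource.
CAN_ASSIGN = {
    "video.admin", "admin", "resource-manager.admin",
    "organization-manager.admin", "resource-manager.clouds.owner",
    "organization-manager.organizations.owner",
}
PRIMITIVE = {"auditor", "viewer", "editor", "admin"}

def effective_roles(role):
    """Return the role followed by every role it includes, most privileged first."""
    chain = []
    while role is not None and role not in chain:
        chain.append(role)
        role = INCLUDES.get(role)
    return chain

def audit(bindings):
    """Return (subject, role, finding) tuples for bindings worth reviewing."""
    by_subject = {}
    for b in bindings:
        by_subject.setdefault(b["subject"], set()).add(b["role"])
    findings = []
    for subject, roles in sorted(by_subject.items()):
        for role in sorted(roles):
            if role in CAN_ASSIGN:
                findings.append((subject, role, "can-assign-roles"))
            if role in PRIMITIVE:  # the page recommends service roles instead
                findings.append((subject, role, "primitive-role"))
            # Already covered by a higher role held by the same subject.
            if any(role in effective_roles(o)[1:] for o in roles if o != role):
                findings.append((subject, role, "redundant"))
    return findings

# Constructed sample bindings for one channel.
SAMPLE = [
    {"subject": "user:alice", "role": "video.admin"},
    {"subject": "user:bob", "role": "video.editor"},
    {"subject": "user:bob", "role": "video.viewer"},
    {"subject": "group:contractors", "role": "editor"},
    {"subject": "user:carol", "role": "video.auditor"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```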