[Yandex Cloud documentation](../../index.md) > [Yandex Virtual Private Cloud](../index.md) > Access management

# Access management in Virtual Private Cloud

Virtual Private Cloud uses [roles](../../iam/concepts/access-control/roles.md) to manage access permissions.

In this section, you will learn about:
* [Resources you can assign a role for](#resources).
* [Roles this service has](#roles-list).
* [Roles required](#choosing-roles) for specific actions.

## Access management {#about-access-control}

[Yandex Identity and Access Management](../../iam/index.md) checks all operations in Yandex Cloud. If an entity does not have required permissions, IAM returns an error.


To grant permissions for a resource, [assign](../../iam/operations/roles/grant.md) the relevant resource roles to an entity performing operations. You can assign roles to a [Yandex account](../../iam/concepts/users/accounts.md#passport), [service account](../../iam/concepts/users/service-accounts.md), [local user](../../iam/concepts/users/accounts.md#local), [federated user](../../iam/concepts/federations.md), [user group](../../organization/operations/manage-groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md). For more information, see [How access management works in Yandex Cloud](../../iam/concepts/access-control/index.md).

To assign roles for a resource, you need to have one of the following roles for that resource:

* `admin`
* `resource-manager.admin`
* `organization-manager.admin`
* `resource-manager.clouds.owner`
* `organization-manager.organizations.owner`

## Resources you can assign a role for {#resources}

You can assign a role to an [organization](../../organization/concepts/organization.md), [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [folder](../../resource-manager/concepts/resources-hierarchy.md#folder). The roles assigned to organizations, clouds, and folders also apply to their nested resources.

## Roles this service has {#roles-list}

The chart below shows service’s roles and their permission inheritance. For example, `editor` inherits all `viewer` permissions. You can find role descriptions below the chart.

![image](../../_assets/vpc/security/service-roles-hierarchy.svg)

### Service roles {#service-roles}

#### vpc.auditor {#vpc-auditor}

The `vpc.auditor` roles allows you to view service metadata, including information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on service quotas and resource operations.

{% cut "Users with this role can:" %}

* View the list of [cloud networks](../concepts/network.md#network) and the info on them.
* View the list of [subnets](../concepts/network.md#subnet) and info on them.
* View the list of [cloud resource addresses](../concepts/address.md) and the info on them.
* View the list of [route tables](../concepts/routing.md#rt-vpc) and the info on them.
* View the list of [security groups](../concepts/security-groups.md) and the info on them.
* View information on [NAT gateways](../concepts/gateways.md).
* View information on the IP addresses used in subnets.
* View information on Virtual Private Cloud [quotas](../concepts/limits.md#vpc-quotas).
* View information on resource operations for Virtual Private Cloud.
* View information on resource operations for Compute Cloud.
* View information on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

#### vpc.viewer {#vpc-viewer}

The `vpc.viewer` role allows you to view information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on the quotas and resource operations.

{% cut "Users with this role can:" %}

* View the list of [cloud networks](../concepts/network.md#network) and the info on them.
* View the list of [subnets](../concepts/network.md#subnet) and info on them.
* View the list of [cloud resource addresses](../concepts/address.md) and the info on them.
* View the list of [route tables](../concepts/routing.md#rt-vpc) and the info on them.
* View the list of [security groups](../concepts/security-groups.md) and the info on them.
* View information on [NAT gateways](../concepts/gateways.md).
* View information on the IP addresses used in subnets.
* View information on Virtual Private Cloud [quotas](../concepts/limits.md#vpc-quotas).
* View information on resource operations for Virtual Private Cloud.
* View information on resource operations for Compute Cloud.
* View information on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `vpc.auditor` permissions.

#### vpc.user {#vpc-user}

The `vpc.user` role allows you to use cloud networks, subnets, route tables, gateways, security groups, and IP addresses, get information on these resources, as well as on the quotas and resource operations.

{% cut "Users with this role can:" %}

* View the list of [cloud networks](../concepts/network.md#network) and info on them, as well as use them.
* View the list of [subnets](../concepts/network.md#subnet) and info on them, as well as use them.
* View the list of [cloud resource addresses](../concepts/address.md) and info on them, as well as use such addresses.
* View the list of [route tables](../concepts/routing.md#rt-vpc) and info on them, as well as use them.
* View the list of [security groups](../concepts/security-groups.md) and info on them, as well as use them.
* View information on [NAT gateways](../concepts/gateways.md) and connect them to route tables.
* View information on the IP addresses used in subnets.
* View information on Virtual Private Cloud [quotas](../concepts/limits.md#vpc-quotas).
* View information on resource operations for Virtual Private Cloud.
* View information on resource operations for Compute Cloud.
* View information on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `vpc.viewer` permissions.

#### vpc.externalAddresses.user {#vpc-externalAddresses-user}

The `vpc.externalAddresses.user` role allows you to view the list of [private](../concepts/address.md#internal-addresses) and [public](../concepts/address.md#public-addresses) addresses of the cloud resources; it also enables viewing info on such addresses, using them, and managing the external network connectivity.

#### vpc.admin {#vpc-admin}

The `vpc.admin` role allows you to manage cloud networks, subnets, route tables, NAT gateways, security groups, internal and public IP addresses, as well as external network connectivity.

{% cut "Users with this role can:" %}

* View the list of [cloud networks](../concepts/network.md#network) and info on them, as well as create, modify, and delete them.
* Configure external access to cloud networks.
* Manage connectivity of multiple cloud networks.
* Manage multi-interface instances that provide connectivity between multiple networks.
* View the list of [subnets](../concepts/network.md#subnet) and info on them, as well as create, modify, and delete them.
* View the list of [route tables](../concepts/routing.md#rt-vpc) and info on them, as well as create, modify, and delete them.
* Link route tables to subnets.
* View information on [NAT gateways](../concepts/gateways.md), as well as create, modify, and delete them.
* View the list of [security groups](../concepts/security-groups.md) and info on them, as well as create, modify, and delete them.
* Create and delete default security groups in [cloud networks](../concepts/network.md#network).
* Create and delete security group [rules](../concepts/security-groups.md#security-groups-rules), as well as edit their metadata.
* Configure [DHCP](../concepts/dhcp-options.md) in subnets.
* View the list of [cloud resource addresses](../concepts/address.md) and info on them, as well as create, update, and delete internal and public IP addresses.
* View information on the IP addresses used in subnets.
* View information on Virtual Private Cloud [quotas](../concepts/limits.md#vpc-quotas).
* View information on resource operations for Virtual Private Cloud.
* View information on resource operations for Compute Cloud.
* View information on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `vpc.privateAdmin`, `vpc.publicAdmin`, and `vpc.securityGroups.admin` permissions.

#### vpc.bridgeAdmin {#vpc-bridge-admin}

The `vpc.bridgeAdmin` role allows you to use subnets and manage connectivity of multiple cloud networks. This role also allows you to view information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on service quotas and resource operations.

{% cut "Users with this role can:" %}

* Manage connectivity of multiple cloud networks.
* View the list of [subnets](../concepts/network.md#subnet) and info on them, as well as use them.
* View the list of [cloud networks](../concepts/network.md#network) and the info on them.
* View the list of [cloud resource addresses](../concepts/address.md) and the info on them.
* View the list of [route tables](../concepts/routing.md#rt-vpc) and the info on them.
* View the list of [security groups](../concepts/security-groups.md) and the info on them.
* View information on [NAT gateways](../concepts/gateways.md).
* View information on the IP addresses used in subnets.
* View information on Virtual Private Cloud [quotas](../concepts/limits.md#vpc-quotas).
* View information on resource operations for Virtual Private Cloud.
* View information on resource operations for Compute Cloud.
* View information on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `vpc.viewer` permissions.

#### vpc.privateAdmin {#vpc-private-admin}

The `vpc.privateAdmin` role allows you to manage cloud networks, subnets, and route tables, as well as view information on the quotas, resources, and resource operations. This role also allows you to manage connectivity within Yandex Cloud, while it does not allow doing so from the internet.

{% cut "Users with this role can:" %}

* View the list of [cloud networks](../concepts/network.md#network) and info on them, as well as create, modify, and delete them.
* View the list of [subnets](../concepts/network.md#subnet) and info on them, as well as create, modify, and delete them.
* View the list of [route tables](../concepts/routing.md#rt-vpc) and info on them, as well as create, modify, and delete them.
* Link route tables to subnets.
* View the list of [security groups](../concepts/security-groups.md) and info on them, as well as create default security groups within cloud networks.
* Configure [DHCP](../concepts/dhcp-options.md) in subnets.
* View the list of [cloud resource addresses](../concepts/address.md) and info on them, as well as create internal IP addresses.
* View information on [NAT gateways](../concepts/gateways.md).
* View information on the IP addresses used in subnets.
* View information on Virtual Private Cloud [quotas](../concepts/limits.md#vpc-quotas).
* View information on resource operations for Virtual Private Cloud.
* View information on resource operations for Compute Cloud.
* View information on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `vpc.viewer` permissions.

#### vpc.publicAdmin {#vpc-public-admin}

The `vpc.publicAdmin` role allows you to manage NAT gateways, public IP addresses, and external network connectivity, as well as view information on the quotas, resources, and resource operations. This role grants administrator privileges for multi-interface instances that provide connectivity between multiple networks.

{% cut "Users with this role can:" %}

* View the list of [cloud networks](../concepts/network.md#network) and info on them, as well as set up external access to them.
* Manage connectivity of multiple cloud networks.
* Manage multi-interface instances that provide connectivity between multiple networks.
* View the list of [subnets](../concepts/network.md#subnet) and info on them, as well as modify them.
* View information on [NAT gateways](../concepts/gateways.md), as well as create, modify, and delete them.
* View the list of [cloud resource addresses](../concepts/address.md) and info on them, as well as create, update, and delete public IP addresses.
* View the list of [route tables](../concepts/routing.md#rt-vpc) and info on them, as well as link them to subnets.
* View the list of [security groups](../concepts/security-groups.md) and the info on them.
* View information on the IP addresses used in subnets.
* View information on Virtual Private Cloud [quotas](../concepts/limits.md#vpc-quotas).
* View information on resource operations for Virtual Private Cloud.
* View information on resource operations for Compute Cloud.
* View information on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud).
* View info on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `vpc.viewer` permissions.

You can assign a role for a cloud or folder.

{% note warning %}

If a network and subnet are in different folders, the `vpc.publicAdmin` role is checked for the folder where the network is located.

{% endnote %}

#### vpc.gateways.viewer {#vpc-gw-viewer}

The `vpc.gateways.viewer` role allows you to view information on [NAT gateways](../concepts/gateways.md).

#### vpc.gateways.user {#vpc-gw-user}

The `vpc.gateways.user` role allows you to view information on [NAT gateways](../concepts/gateways.md) and connect them to [route tables](../concepts/routing.md#rt-vpc).

#### vpc.gateways.editor {#vpc-gw-editor}

The `vpc.gateways.editor` role allows you to view information on [NAT gateways](../concepts/gateways.md), as well as create, modify, and delete them.

#### vpc.securityGroups.user {#vpc-sg-user}

The `vpc.securityGroups.user` role allows you to assign security groups to network interfaces and view information on the resources, quotas, and resource operations.

{% cut "Users with this role can:" %}

* Assign security groups to instance network interfaces.
* Get a list of [cloud networks](../concepts/network.md#network) and view information on them.
* Get a list of [subnets](../concepts/network.md#subnet) and view information on them.
* Get a list of [cloud resource addresses](../concepts/address.md) and view information on them.
* Get a list of [route tables](../concepts/routing.md#rt-vpc) and view information on them.
* Get a list of [security groups](../concepts/security-groups.md) and view information on them.
* View information on [NAT gateways](../concepts/gateways.md).
* View information on the IP addresses used in subnets.
* View information on Virtual Private Cloud [quotas](../concepts/limits.md#vpc-quotas).
* View information on resource operations for Virtual Private Cloud.
* View information on resource operations for Compute Cloud.
* View information on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud).
* View information on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `vpc.viewer` permissions.

#### vpc.securityGroups.admin {#vpc-sg-admin}

The `vpc.securityGroups.admin` role allows you to manage security groups and view information on the resources, quotas, and resource operations.

{% cut "Users with this role can:" %}

* View information on [security groups](../concepts/security-groups.md), as well as create, modify, and delete them.
* Create and delete default security groups in [cloud networks](../concepts/network.md#network).
* Create and delete security group [rules](../concepts/security-groups.md#security-groups-rules), as well as edit their metadata.
* Get a list of cloud networks and view information on them.
* Get a list of [subnets](../concepts/network.md#subnet) and view information on them.
* Get a list of [cloud resource addresses](../concepts/address.md) and view information on them.
* Get a list of [route tables](../concepts/routing.md#rt-vpc) and view information on them.
* View information on [NAT gateways](../concepts/gateways.md).
* View information on the IP addresses used in subnets.
* View information on Virtual Private Cloud [quotas](../concepts/limits.md#vpc-quotas).
* View information on resource operations for Virtual Private Cloud.
* View information on resource operations for Compute Cloud.
* View information on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud).
* View information on the relevant [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

{% endcut %}

This role includes the `vpc.viewer` permissions.

#### vpc.privateEndpoints.viewer {#vpc-privateEndpoints-viewer}

The `vpc.privateEndpoints.viewer` role enables viewing info on the [service connections](../concepts/private-endpoint.md).

#### vpc.privateEndpoints.editor {#vpc-privateEndpoints-editor}

The `vpc.privateEndpoints.editor` role enables viewing info on the [service connections](../concepts/private-endpoint.md), as well as creating, modifying, and deleting such connections.

This role includes the `vpc.privateEndpoints.viewer` permissions.

#### vpc.privateEndpoints.admin {#vpc-privateEndpoints-admin}

The `vpc.privateEndpoints.admin` role enables viewing info on the [service connections](../concepts/private-endpoint.md), as well as creating, modifying, and deleting such connections.

This role includes the `vpc.privateEndpoints.editor` permissions.

### Primitive roles {#primitive-roles}

Primitive roles allow users to perform actions in all Yandex Cloud [services](../../overview/concepts/services.md).

#### auditor {#auditor}

The `auditor` role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:
* View info on a [resource](../../resource-manager/concepts/resources-hierarchy.md).
* View the resource metadata.
* View the list of operations with a resource.

`auditor` is the most secure role that does not grant any access to the [service](../../overview/concepts/services.md) data. This role suits the users who need minimum access to the Yandex Cloud resources.

#### viewer {#viewer}

The `viewer` role grants the permissions to read the info on any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Prior to assigning the `admin` role for an organization, [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), make sure to check out the information on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the [least privilege principle](../../security/standard/all.md#min-privileges).

For more information on primitive roles, see the [Yandex Cloud role reference](../../iam/roles-reference.md#primitive-roles).

## Required roles {#choosing-roles}

The table below lists the roles required for specific actions. You can always assign a role with more permissions. For example, you can assign the `editor` role instead of `viewer`, or `vpc.admin` instead of `vpc.publicAdmin`.

Action | Methods | Required roles
----- | ----- | -----
**Viewing data** | |
Viewing resource details | `get`, `list`, `listOperations` | `vpc.viewer` or `viewer` for the resource
List subnets in the network. | `listSubnets` | `vpc.viewer` or `viewer` for the network
**Use of resources** | |
Assign VPC resources to other Yandex Cloud resources, e.g., assigning an address to an interface or connecting a network interface to a subnet. | Various | `vpc.user` for the resource, and the permission to change the receiving object if the resource assignment operation is mutating.
Assign or delete the public address of an interface. | various | `vpc.publicAdmin` for the network
Create a VM connected to multiple networks. | `create` | `vpc.publicAdmin` for each network the VM connects to
**Managing resources** | |
[Create networks in a folder](../operations/network-create.md). | `create` | `vpc.privateAdmin` or `editor` for the folder
[Update](../operations/network-update.md) and [delete networks](../operations/network-delete.md). | `update`, `delete` | `vpc.privateAdmin` or `editor` for the network
[Create subnets in a folder](../operations/subnet-create.md). | `create` | `vpc.privateAdmin` or `editor` for the folder and network
[Update](../operations/subnet-update.md) and [delete subnets](../operations/subnet-delete.md). | `update`, `delete` | `vpc.privateAdmin` or `editor` for the folder
[Create a route table](../operations/static-route-create.md). | `create` | `vpc.privateAdmin` or `editor` for the folder
Update or delete a route table. | `update`, `delete` | `vpc.privateAdmin` or `editor` for the route table
[Create public addresses](../operations/get-static-ip.md). | `create` | `vpc.publicAdmin` or `editor` for the folder
[Delete public addresses](../operations/address-delete.md). | `delete` | `vpc.publicAdmin` or `editor` for the address
[Create a gateway](../operations/create-nat-gateway.md). | `create` | `vpc.gateways.editor`
Associate a gateway with a route table. | `create`, `update` |  `vpc.gateways.user`
Create security groups. | `create` | `vpc.securityGroups.admin` or `editor` for the folder and network
Update and delete security groups. | `update`, `delete` | `vpc.securityGroups.admin` or `editor` for the network and security group
**Resource access management** | |
[Granting](../../iam/operations/roles/grant.md), [revoking](../../iam/operations/roles/revoke.md), and viewing roles for a resource | `setAccessBindings`, `updateAccessBindings`, `listAccessBindings` | `admin` for the resource

To create a [NAT gateway](../concepts/gateways.md) and associate it with a route table, you need the `vpc.gateways.editor` and `vpc.gateways.user` roles. Currently, you cannot use reserved public IP addresses for gateways, so the `vpc.admin` role will not be enough.

#### What's next {#what-is-next}

* [How to assign a role](../../iam/operations/roles/grant.md).
* [How to revoke a role](../../iam/operations/roles/revoke.md).
* [Learn more about access management in Yandex Cloud](../../iam/concepts/access-control/index.md).
* [Learn more about role inheritance](../../resource-manager/concepts/resources-hierarchy.md#access-rights-inheritance).