Access management
The list of operations available to Yandex.Cloud users is determined by the roles they have. A role is assigned to a user at the folder or cloud level, and nested resources inherit this role.
To allow access to resources in DataSphere, assign the required roles to the user from the list below.
Note
For more information about role inheritance, see Inheritance of access rights in the Yandex Resource Manager documentation.
Assigning roles
To assign a user a role:
- Open the Access management page for the selected cloud. If necessary, switch to another cloud.
- Select the user to assign the role to and choose Configure roles from the user's menu.
- To add a cloud role, use the Roles for cloud section. To add a folder role, select the folder and click Assign role in the Roles in folders section.
- Choose a role from the list.
Roles for managing clouds and folders
resource-manager.clouds.member
When a new user is added to the cloud, they are automatically assigned the role of cloud member: resource-manager.clouds.member.
Everyone needs this role to access the cloud resources, except the cloud owners and service accounts.
This role alone doesn't give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.
resource-manager.clouds.owner
The resource-manager.clouds.owner role is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operation with the cloud and its resources.
Only the cloud owner can assign users the resource-manager.clouds.owner role.
A cloud must have at least one owner. The sole owner of a cloud may not give up this role.
Service roles
datasphere.user
The datasphere.user role lets the user view the list of projects and work with existing projects. The user can't create or delete projects.
datasphere.admin
The datasphere.admin role lets the user create, edit, and delete projects in DataSphere, as well as view the list of cloud folders.
The datasphere.admin role also includes all datasphere.user role permissions.
Primitive roles
viewer
The viewer role includes all permissions of the datasphere.user role. The user can view the list of projects and work with existing projects. The user can't create or delete projects.
editor
The editor role includes all permissions of the viewer role. In terms of access to DataSphere service resources, these roles match.
admin
Users with the admin role can manage resource access rights, such as allow other users to work with folders or view information about projects and user permissions.
The admin role also includes all editor role permissions.
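The following is an added example, not code from the Yandex Cloud documentation or from DataSphere itself. It models the rules stated above as a small policy evaluator: role bindings at the cloud level are inherited by the cloud's folders, one role can include the permissions of another (admin includes editor, editor includes viewer, viewer and datasphere.admin include datasphere.user, and the owner can do anything), resource-manager.clouds.member alone grants no operation but is required for anyone other than an owner or a service account to reach cloud resources, and the sole owner of a cloud cannot give up that role. The subject names, folder names and operation names (such as create_project) are constructed for the model and are not Yandex identifiers; the real IAM semantics are richer than this simplified closure.

```python
from collections import defaultdict

OWNER = "resource-manager.clouds.owner"
MEMBER = "resource-manager.clouds.member"

# Role implication as described on the page: the key role includes every
# permission of the roles in its set; expand_roles() applies this transitively.
# Simplified model, not the Yandex IAM role definitions.
IMPLIES = {
    "admin": {"editor"},
    "editor": {"viewer"},
    "viewer": {"datasphere.user"},
    "datasphere.admin": {"datasphere.user"},
    OWNER: {"admin", "datasphere.admin"},  # the owner can perform any operation
}

# DataSphere operations each role grants directly. Operation names are
# constructed for this model; they are not DataSphere permission identifiers.
GRANTS = {
    "datasphere.user": {"list_projects", "work_in_project"},
    "datasphere.admin": {"create_project", "edit_project", "delete_project", "list_folders"},
    "admin": {"manage_access"},
    MEMBER: set(),  # membership alone grants no operation
}


def expand_roles(roles):
    """Return the transitive closure of the role-implication relation."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(IMPLIES.get(role, ()))
    return seen


class Hierarchy:
    """A cloud with folders; bindings on the cloud are inherited by its folders."""

    def __init__(self):
        self.parent = {}  # folder -> cloud
        self.bindings = defaultdict(lambda: defaultdict(set))  # resource -> subject -> roles

    def add_folder(self, folder, cloud):
        self.parent[folder] = cloud

    def bind(self, resource, subject, role):
        self.bindings[resource][subject].add(role)

    def unbind(self, resource, subject, role):
        # A cloud must keep at least one owner, so the sole owner cannot give up the role.
        if role == OWNER:
            owners = [s for s, roles in self.bindings[resource].items() if OWNER in roles]
            if owners == [subject]:
                raise ValueError(f"{subject} is the sole owner of {resource}")
        self.bindings[resource][subject].discard(role)

    def effective_roles(self, subject, resource):
        cloud = self.parent.get(resource, resource)
        direct = set(self.bindings[resource][subject])
        inherited = set(self.bindings[cloud][subject]) if cloud != resource else set()
        expanded = expand_roles(direct | inherited)
        # Only cloud members, owners and service accounts can access cloud resources at all.
        is_member = MEMBER in self.bindings[cloud][subject]
        is_owner = OWNER in expanded
        is_service_account = subject.startswith("serviceAccount:")
        if not (is_member or is_owner or is_service_account):
            return set()
        return expanded

    def permissions(self, subject, resource):
        return set().union(*(GRANTS.get(r, set()) for r in self.effective_roles(subject, resource)))

    def can(self, subject, resource, operation):
        return operation in self.permissions(subject, resource)


def build_demo():
    """Constructed scenario: one cloud, two folders, four subjects."""
    h = Hierarchy()
    h.add_folder("folder-ml", "cloud-a")
    h.add_folder("folder-prod", "cloud-a")
    h.bind("cloud-a", "userAccount:owner", OWNER)
    # alice: cloud member with datasphere.admin on the cloud, inherited by every folder
    h.bind("cloud-a", "userAccount:alice", MEMBER)
    h.bind("cloud-a", "userAccount:alice", "datasphere.admin")
    # bob: cloud member with datasphere.user on one folder only
    h.bind("cloud-a", "userAccount:bob", MEMBER)
    h.bind("folder-ml", "userAccount:bob", "datasphere.user")
    # carol: datasphere.admin on a folder but never added as a cloud member
    h.bind("folder-ml", "userAccount:carol", "datasphere.admin")
    return h


if __name__ == "__main__":
    demo = build_demo()
    for who in ("userAccount:alice", "userAccount:bob", "userAccount:carol", "userAccount:owner"):
        print(who, "folder-ml:", sorted(demo.permissions(who, "folder-ml")))
```

The carol case is the one worth noticing when auditing bindings: a folder-level datasphere.admin binding is useless until the user has been added to the cloud, and conversely alice's cloud-level binding silently reaches folder-prod even though nothing was assigned there, which is the inheritance the Note at the top refers to.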