Get started
Yandex DataSphere

Access management

The list of operations available to Yandex.Cloud users is determined by the roles they have. A role is assigned to a user at the folder or cloud level, and nested resources inherit this role.

To allow access to resources in DataSphere, assign the required roles to the user from the list below.

Note

For more information about role inheritance, see Inheritance of access rights in the Yandex Resource Manager documentation.

Assigning roles

To assign a user a role:

  1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

  2. Select the user to assign the role to, click , and choose Configure roles.

  3. To add a cloud role, click in the Roles for cloud section.

    To add a folder role, select the folder and click Assign role in the Roles in folders section.

  4. Choose a role from the list.

Roles for managing clouds and folders

resource-manager.clouds.member

When a new user is added to the cloud, they are automatically assigned the role of cloud member: resource-manager.clouds.member.

Everyone needs this role to access the cloud resources, except the cloud owners and service accounts.

This role alone doesn't give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.

resource-manager.clouds.owner

Theresource-manager.clouds.owner is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operation with the cloud and its resources.

Only the cloud owner can assign users the resource-manager.clouds.owner role.

A cloud must have at least one owner. The sole owner of a cloud may not give up this role.

Service roles

datasphere.user

The datasphere.user role lets the user view the list of projects and work with existing projects. The user can't create or delete projects.

datasphere.admin

The datasphere.admin role lets the user create, edit, and delete projects in DataSphere, as well as view the list of cloud folders.

The datasphere.admin role also includes all datasphere.user role permissions.

Primitive roles

viewer

The viewer role includes all permissions of the datasphere.user role. The user can view the list of projects and work with existing projects. The user can't create or delete projects.

editor

The editor role includes all permissions of the viewer role. In terms of access to DataSphere service resources, these roles match.

admin

Users with the admin role can manage resource access rights, such as allow other users to work with folders or view information about projects and user permissions.

The admin role also includes all editor role permissions.

In this article: