Get started
Log in
Yandex Managed Service for MongoDB

Access management

Yandex.Cloud users can only perform operations on resources that are allowed by the roles assigned to them. If a user doesn't have any roles assigned, almost all operations are forbidden.

To allow access to the Managed Service for MongoDB service resources (DB clusters and hosts, cluster backups, databases, and their users), assign the user the appropriate roles from the list below. At this time, a role can only be assigned to a parent resource (folder or cloud), and the roles are inherited by nested resources.

Note

For more information about role inheritance, see Access rights inheritance in the Yandex Resource Manager documentation.

Assigning roles

To assign a role to a user:

  1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

  2. In the line with the appropriate user name, click Configure roles.

  3. To add a cloud role, click image in the Roles for the cloud section.

    To add a folder role, select the folder and click Assign role in the Roles in folders section.

  4. Select a role from the list. For more information about roles, see Roles in the documentation on the service Yandex Identity and Access Management.

Roles

The list below shows all roles that are considered when verifying access rights in the Managed Service for MongoDB service.

Service roles

Service roles are roles that allow access to the resources of a particular service.

resource-manager.clouds.member

When a new user is added to the cloud, they are automatically assigned the role of a cloud member: resource-manager.clouds.member.

This role must be assigned to everyone who needs to access cloud resources, except the owners of the cloud, service accounts, and system group allAuthenticatedUsers.

This role alone does not give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.

Important

To enable a user to work in the cloud through the management console, assign them the resource-manager.clouds.member and viewer roles for the cloud. If you assign only the cloud member role for the cloud and other roles for the nested resources, the user will only be able to perform resource operations using the API or CLI.

resource-manager.clouds.owner

The role of resource-manager.clouds.owner is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operations with the cloud and its resources.

Only the cloud owner can assign to or remove from the users the role resource-manager.clouds.owner.

A cloud must have at least one owner. The sole owner of a cloud may not give up this role.

Primitive roles

You can assign primitive roles to any resource in any service.

viewer

A user with the viewer can view information about resources. For example, they can view a list of hosts or obtain information about a DB cluster.

editor

A user with the editor can manage any resources. For example, they can create a DB cluster, and create or delete a host in a cluster.

In addition, the editor role includes all permissions of the viewer role.

admin

A user with the admin role can manage access rights to resources. For example, they can allow other users to create DB clusters or view information about them.

In addition, the admin role includes all permissions of the role of editor.