Access management
Yandex.Cloud users can only perform operations on resources that are permitted under the roles assigned to them. If a user doesn't have any roles assigned, almost all operations are forbidden.
To allow access to Managed Service for MySQL service resources (DB clusters and hosts, cluster backups, databases, and their users), assign the user the appropriate roles from the list below. For now, a role can only be assigned for a parent resource (folder or cloud), and roles are inherited by nested resources.
Note
For more information about role inheritance, see Inheritance of access rights in the Yandex Resource Manager documentation.
Assigning roles
To assign a user a role:
-
Open the Access management page for the selected cloud. If necessary, switch to another cloud.
-
Select the user to assign the role to, click
, and choose Configure roles.
-
To add a cloud role, click
in the Roles for cloud
section. To add a folder role, select the folder and click Assign role in the Roles in folders section.
-
Choose a role from the list.
Roles
The list below shows all roles that are considered when verifying access rights in the Managed Service for MySQL service.
resource-manager.clouds.member
When a new user is added to the cloud, they are automatically assigned the role of cloud member: resource-manager.clouds.member
.
Everyone needs this role to access the cloud resources, except the cloud owners and service accounts.
This role alone doesn't give you the right to perform any operations and is only used in combination with other roles, such as admin
, editor
, or viewer
.
resource-manager.clouds.owner
Theresource-manager.clouds.owner
is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operation with the cloud and its resources.
Only the cloud owner can assign users the resource-manager.clouds.owner
role.
A cloud must have at least one owner. The sole owner of a cloud may not give up this role.
viewer
Users with the viewer
role can view information about resources. For example, they can view a list of hosts or get information about a database cluster.
editor
Users with the editor
role can manage any resource, including creating a database cluster and creating or deleting cluster hosts.
The editor
role also includes all viewer
role permissions.
admin
Users with the admin
role can manage resource access rights, including allowing other users to create database clusters and to view information about them.
The admin
role also includes all editor
role permissions.