Yandex.Cloud users can only perform operations on resources that are allowed by the roles assigned to them. If a user doesn't have any roles assigned, almost all operations are forbidden.
To allow access to Managed Service for PostgreSQL service resources (database clusters and hosts, cluster backups, databases, and their users), assign the user the appropriate roles from the list below. For now, a role can only be assigned for a parent resource (folder or cloud), and roles are inherited by nested resources.
For more information about role inheritance, see Access rights inheritance in the Yandex Resource Manager documentation.
To assign a role to a user:
Select the user to assign the role to, click , and choose Configure roles.
To add a cloud role, click in the Roles for cloud
To add a folder role, select the folder and click Assign role in the Roles in folders section.
Choose a role from the list.
The list below shows all roles that are considered when verifying access rights in the Managed Service for PostgreSQL service.
Service roles are roles that allow access to the resources of a particular service.
When a new user is added to the cloud, they are automatically assigned the cloud member role.
This role alone does not grant the right to perform any operations; it is only used in combination with other roles, such as
To enable a user to work in the cloud through the management console, assign them the
viewer roles for the cloud. If you assign only the cloud member role for the cloud and other roles for the nested resources, the user will only be able to perform resource operations using the API or CLI.
The resource-manager.clouds.owner role is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operation with the cloud and its resources.
Only the cloud owner can assign users the resource-manager.clouds.owner role or remove it from them.
A cloud must have at least one owner. The sole owner of a cloud may not give up this role.
You can assign primitive roles to any resource in any service.
Users with the viewer role can view information about resources. For example, they can view a list of hosts or get information about a database cluster.
Users with the editor role can manage resources. For example, they can create a database cluster and create and delete cluster hosts.
The editor role includes all the permissions of the
Users with the admin role can manage access rights to resources. For example, they can allow other users to create database clusters or view information about them.
The admin role includes all the permissions of the
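The inheritance and role-stacking rules above, as an added toy model written for this page (not Yandex.Cloud code or its real permission catalogue): a binding made on a cloud or folder applies to every nested resource, editor contains viewer and admin contains editor, the owner role allows everything, and cloud membership on its own allows nothing. Resource names, user names and permission strings are constructed placeholders.

```python
# Added illustration, not Yandex.Cloud code: models how a role bound on a cloud
# or folder is inherited by nested resources and how viewer < editor < admin
# stack. All names and permission strings below are constructed placeholders.

# Parent chain: a resource inherits every binding made on its ancestors.
PARENTS = {"cloud-a": None, "folder-db": "cloud-a", "pg-cluster-1": "folder-db"}

# Permissions granted by each primitive role (placeholder names); each level
# is built to include the level below it, as the page describes.
ROLE_PERMS = {
    "viewer": {"clusters.get", "hosts.list"},
    "editor": {"clusters.create", "hosts.create", "hosts.delete"},
    "admin": {"access.bindings.update"},
}
ROLE_PERMS["editor"] |= ROLE_PERMS["viewer"]
ROLE_PERMS["admin"] |= ROLE_PERMS["editor"]
OWNER = "resource-manager.clouds.owner"
MEMBER = "resource-manager.clouds.member"  # grants no operations by itself


def effective_roles(bindings, user, resource):
    """Roles bound to `user` on `resource` and on every ancestor of it."""
    roles = set()
    node = resource
    while node is not None:
        roles |= bindings.get((user, node), set())
        node = PARENTS[node]
    return roles


def is_allowed(bindings, user, permission, resource):
    """Owner may do anything; otherwise an inherited role must carry the permission."""
    roles = effective_roles(bindings, user, resource)
    if OWNER in roles:
        return True
    return any(permission in ROLE_PERMS.get(role, set()) for role in roles)


def can_use_console(bindings, user, cloud):
    """Console use needs the member role on the cloud plus another role on it."""
    roles = bindings.get((user, cloud), set())
    return MEMBER in roles and bool(roles - {MEMBER})


# Constructed sample: alice is a cloud member with editor on one folder only;
# bob is a cloud member with viewer on the whole cloud.
SAMPLE_BINDINGS = {
    ("alice", "cloud-a"): {MEMBER},
    ("alice", "folder-db"): {"editor"},
    ("bob", "cloud-a"): {MEMBER, "viewer"},
}
```

Note that alice's editor role on the folder does not flow upward to the cloud, and because her only cloud-level role is membership she can work with the cluster through the API or CLI but not the console.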