Access management

Yandex.Cloud users can only perform operations on resources that are permitted under the roles assigned to them. If a user doesn't have any roles assigned, almost all operations are forbidden.

To allow access to resources in the Yandex Monitoring service, assign the required roles to the user from the list below. Roles can currently only be assigned to parent resources (folders or clouds), whose roles are inherited by nested resources.

Note

For more information about role inheritance, see Inheritance of access rights in the Yandex Resource Manager documentation.

Assigning roles

To assign a role to a user:

  1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

  2. Select the user to assign the role to, click image, and choose Configure roles.

  3. To add a cloud role, click image in the Roles for cloud section.

    To add a folder role, select the folder and click Assign role in the Roles in folders section.

  4. Choose a role from the list.

Roles

The list below shows all roles that are considered when verifying access rights in the Yandex Monitoring service.

Service roles

Service roles are roles that allow access to the resources of a particular service.

resource-manager.clouds.member

When a new user is added to the cloud, they are automatically assigned the role of cloud member: resource-manager.clouds.member.

Everyone needs this role to access the cloud resources, except the cloud owners and service accounts.

This role alone does not give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.

Important

To enable a user to work in the cloud through the management console, assign them the resource-manager.clouds.member and viewer roles for the cloud. If you assign only the cloud member role for the cloud and other roles for the nested resources, the user will only be able to perform resource operations using the API or CLI.

resource-manager.clouds.owner

Theresource-manager.clouds.owner is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operation with the cloud and its resources.

Only the cloud owner can assign users the resource-manager.clouds.owner role.

A cloud must have at least one owner. The sole owner of a cloud may not give up this role.

Primitive roles

You can assign primitive roles to any resource in any service.

viewer

Users with the viewer role can view created dashboards and widgets, as well as written metrics.

editor

Users with the editor role can create dashboards and widgets, as well as write metrics.

In addition, the editor role includes all permissions of the viewer role.

admin

Users with the admin role can create dashboards and widgets, as well as write metrics.

In addition, the admin role includes all permissions of the editor role.