Access management in Query
Query uses roles to manage access rights.
Yandex Cloud users can only perform operations on resources that are allowed by the roles assigned to them. If a user has no roles assigned, almost all operations are forbidden.
To allow access to Yandex Query resources, assign the required roles from the list below to a Yandex account, service account, federated user, user group, or system group. Currently, a role can only be assigned to a parent resource (a folder or cloud); nested resources inherit it.
Only users with the admin, resource-manager.clouds.owner, or organization-manager.organizations.owner role for a resource can assign roles for this resource.
Note
For more information about role inheritance, see Inheritance of access rights in the Yandex Resource Manager documentation.
Assigning roles
To assign a role to a user:
- Add the required user if needed.
- In the management console, select the appropriate cloud in the list on the left.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the Configuring access bindings window, select a user from the list or search by user.
- Select a role in the cloud.
- Click Save.
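The console procedure above can also be scripted. The following is an added example, not from the Yandex Cloud documentation or the Query service: a POSIX shell wrapper around `yc resource-manager folder|cloud add-access-binding` (a real yc command; `--id`, `--role` and `--subject` are its real flags) that accepts only the roles listed on this page and refuses to give a service account a primitive role, because a primitive role covers every service in the folder or cloud rather than just Query. The wrapper name, the `YQ_DRY_RUN` switch and the placeholder IDs are this example's own.

```shell
#!/bin/sh
# Added example, not from the Yandex Cloud documentation: grant a Query role
# with the yc CLI. `yc resource-manager folder|cloud add-access-binding` with
# --id, --role and --subject is the real CLI syntax; the wrapper, the YQ_DRY_RUN
# switch and the placeholder IDs are this example's own.
#
# Usage: yq_grant <folder|cloud> <resource-id> <role> <subject>
#   subject is in yc's form, e.g. serviceAccount:<id> or userAccount:<id>.

yq_grant() {
    scope=$1
    target=$2
    role=$3
    subject=$4

    # Roles can only be bound on a folder or a cloud (nested resources inherit).
    case "$scope" in
        folder|cloud) ;;
        *) echo "yq_grant: scope must be folder or cloud, got '$scope'" >&2; return 2 ;;
    esac

    # Only the roles this page documents for Query.
    case "$role" in
        yq.viewer|yq.editor|yq.admin|yq.invoker|viewer|editor|admin) ;;
        *) echo "yq_grant: unknown role '$role'" >&2; return 2 ;;
    esac

    # Least privilege for automation: a service account gets a yq.* role
    # (yq.invoker if it only needs to run queries). A primitive role would
    # apply to every service in the folder or cloud, not just Query.
    case "$subject" in
        serviceAccount:*)
            case "$role" in
                viewer|editor|admin)
                    echo "yq_grant: refusing primitive role '$role' for $subject; use a yq.* role" >&2
                    return 3 ;;
            esac ;;
    esac

    cmd="yc resource-manager $scope add-access-binding --id $target --role $role --subject $subject"
    if [ "${YQ_DRY_RUN:-0}" = "1" ]; then
        # Dry run: show the command instead of calling yc.
        printf '%s\n' "$cmd"
    else
        $cmd
    fi
}

# Example (dry run, placeholder IDs):
# YQ_DRY_RUN=1 yq_grant folder b1gexamplefolder yq.invoker serviceAccount:ajeexamplesa
```

Run it with `YQ_DRY_RUN=1` first to see the exact binding that would be created; the refusal of primitive roles for service accounts is a policy choice of this wrapper, not a restriction enforced by yc.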
Which roles exist in the service
You can manage access to Query objects using both service and primitive roles. The chart below shows which roles are available in the service and how they inherit each other's permissions. For example, the editor role includes all viewer role permissions. You can find the description of each role under the chart.
The list below shows all roles that are considered when verifying access rights in the Query service.
Service roles
yq.viewer
Users with the yq.viewer role can view queries and their results.
yq.editor
Users with the yq.editor role can view, edit, and delete their own connections and queries, as well as run the queries they create. The yq.editor role includes all permissions of the yq.viewer role.
yq.admin
The yq.admin role allows you to manage any Query resources, including those labeled as private. The yq.admin role includes all permissions of the yq.editor role.
yq.invoker
Users with the yq.invoker role can run queries in Query. The role is designed for automating query execution by service accounts, for example, running queries on an event or on a schedule. For a service account that only needs to run existing queries, it is the narrowest choice: unlike yq.editor, it grants no rights to edit or delete connections and queries.
Primitive roles
Primitive roles are not specific to Query: a primitive role assigned on a folder or cloud applies to every resource in it, so prefer a yq.* role when access to Query alone is required.
viewer
Users with the viewer role can view information about resources, such as query runs.
editor
Users with the editor role can manage any resource, such as creating or deleting a query. The editor role includes all permissions of the viewer role.
admin
Users with the admin role can manage resource access rights, such as permitting other users to create queries. The admin role includes all permissions of the editor role.
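To make the inheritance rules on this page concrete (roles bound on a cloud are inherited by its folders, and each role carries the permissions of the roles it includes), here is an added example, not code from the Yandex Cloud documentation or the Query service, that resolves which roles a subject effectively holds on a resource and whether the subject may assign roles there. The resource IDs, subjects and bindings are constructed, and the permission labels such as `query.run` are this example's own shorthand for the capabilities the role descriptions above state, not Yandex Cloud permission identifiers.

```python
"""Role resolution for Query, as an added example that is not code from the
Yandex Cloud documentation or from the Query service itself.

It models two rules the page states: a role bound on a cloud is inherited by
the folders nested in it (never the other way round), and a role carries the
permissions of every role it includes (yq.admin includes yq.editor, which
includes yq.viewer; admin includes editor, which includes viewer).
The permission labels are this example's own shorthand for the capabilities
the page describes, not Yandex Cloud permission identifiers.
"""

# Role inclusion as documented on the page.
INCLUDES = {
    "yq.viewer": set(),
    "yq.editor": {"yq.viewer"},
    "yq.admin": {"yq.editor"},
    "yq.invoker": set(),
    "viewer": set(),
    "editor": {"viewer"},
    "admin": {"editor"},
}

# What each role adds on top of the roles it includes (labels are assumptions).
GRANTS = {
    "yq.viewer": {"query.view"},
    "yq.editor": {"query.edit_own", "query.delete_own", "query.run"},
    "yq.admin": {"query.manage_any", "query.view_private"},
    "yq.invoker": {"query.run"},
    "viewer": {"resource.view"},
    "editor": {"resource.manage"},
    "admin": {"access.manage"},
}

# Roles that may assign roles on a resource, per the page.
ROLE_ASSIGNERS = {
    "admin",
    "resource-manager.clouds.owner",
    "organization-manager.organizations.owner",
}

# Constructed resource tree and bindings (IDs and subjects are made up).
PARENT = {"cloud-1": None, "folder-a": "cloud-1"}
BINDINGS = {
    "cloud-1": {"alice": {"yq.editor"}, "dave": {"admin"}},
    "folder-a": {"bob": {"viewer"}, "sa-runner": {"yq.invoker"}},
}


def expand(role):
    """Return the role plus every role it transitively includes."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(INCLUDES.get(r, ()))
    return seen


def effective_roles(subject, resource):
    """Roles bound to the subject on the resource or any of its ancestors, expanded."""
    roles = set()
    node = resource
    while node is not None:
        roles |= BINDINGS.get(node, {}).get(subject, set())
        node = PARENT.get(node)  # walk up: folder -> cloud -> (none)
    return {r for role in roles for r in expand(role)}


def permissions(subject, resource):
    return set().union(*(GRANTS.get(r, set()) for r in effective_roles(subject, resource)))


def allowed(subject, resource, permission):
    return permission in permissions(subject, resource)


def can_assign_roles(subject, resource):
    """Only admin or an owner role on the resource (or an ancestor) may assign roles."""
    return bool(effective_roles(subject, resource) & ROLE_ASSIGNERS)


if __name__ == "__main__":
    for subject, resource, perm in [
        ("alice", "folder-a", "query.view"),          # inherited from cloud, via yq.editor > yq.viewer
        ("alice", "folder-a", "query.view_private"),  # needs yq.admin
        ("sa-runner", "folder-a", "query.run"),       # yq.invoker can run
        ("sa-runner", "folder-a", "query.view"),      # but the page gives it no view right
        ("bob", "cloud-1", "resource.view"),          # folder bindings do not flow upward
    ]:
        print(f"{subject:10} {resource:9} {perm:20} {allowed(subject, resource, perm)}")
    print("dave can assign roles on folder-a:", can_assign_roles("dave", "folder-a"))
```

The point worth checking in a real tenancy is the same one the model shows: a binding on the cloud reaches every folder beneath it, so a yq.editor or admin granted at cloud level is far broader than one granted on the single folder that holds the queries.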