Access management in Data Transfer
In this section, you'll learn:
- Which resources you can assign roles to.
- Which roles exist in the service.
- Which roles are required for particular actions.
About access management
All transactions in Yandex Cloud are checked by the Yandex Identity and Access Management service. If a subject doesn't have the required permission, the service returns an error.
To grant permission for a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, a service account, federated users, a user group, or a system group. For more information, see How access management works in Yandex Cloud.
Only users with the
resource-manager.clouds.owner role for a resource can assign roles for this resource.
What resources you can assign roles to
What roles exist in the service
data-transfer.viewer role enables you to view Data Transfer resource information.
data-transfer.privateAdmin role enables you to create, activate, and deactivate transfers that transmit data only on Yandex Cloud networks.
If you wish to prevent users from creating or activating transfers that transmit data over the internet, revoke the
data-transfer.admin role and assign the
This role includes the
This role is assigned by default. It includes the
This role alone doesn't give you the right to perform any operations and is only used in combination with other roles.
How the role can be combined with other roles depends on whether a cloud belongs to an organization or not.
For a cloud in an organization
The role is useful if the user needs access to Yandex Cloud resources not only via the CLI, API, and Terraform, but also via the management console.
resource-manager.clouds.member is one of the roles that gives users access to the management console. Any role from the list can also be used for this purpose:
For an organization or cloud:
For a cloud:
Each role from the list will give the user access to the console and permissions for cloud resources or an organization. Depending on the role, this can be either for reading information about all the resources in the cloud or creating and deleting any resource.
To avoid giving the user additional rights, use
resource-manager.clouds.member. The role will provide access to the management console while giving minimum additional rights. The user will only see general information about the cloud which they have been assigned the role to, but will not be able to view the resources and access rights to the cloud.
The administrator must manage the network connectivity of resources in all clouds of the organization. Other team members are responsible for non-network resources. In this case, the following access matrix can be used:
Role For a resource Allows
Organization To manage networks, routes, IP addresses and other Virtual Private Cloud resources via the CLI, API, and Terraform in all clouds of the organization
All clouds of the organization To work with Virtual Private Cloud in the management console, view general information about the clouds
If there are multiple clouds in the organization and they are created and deleted frequently, it is inconvenient to assign
resource-manager.clouds.member to a cloud every time. In this case, you can replace
resource-manager.clouds.member with the
resource-manager.viewer role: assign it once to an organization and the administrator will be able to work in the management console with Virtual Private Cloud resources of all clouds, including future clouds. The role will enable you to view information about all clouds and folders, including access rights lists.
For a cloud without an organization
Without this role, no other roles will work for the user.
The role is assigned automatically when you add a new user to a cloud without an organization.
resource-manager.clouds.owner role is assigned for a cloud and makes the user a cloud owner. The owner can perform any operation with the cloud and its resources.
Only a cloud owner can assign and revoke a user's
A cloud must have at least one owner. A user that created a cloud automatically becomes its owner. The sole owner of a cloud may not give up this role.
viewer role grants permission to read resources.
For example, the
viewer role lets you perform the following operations:
- View information about a resource.
- Get a list of nested resources, such as a list of VMs in a folder.
- View a list of operations with a resource.
editor role grants permissions to perform any operation related to resource management, except assigning roles to other users. The
editor role includes all permissions granted by the
For example, the
editor role lets you perform the following operations:
- Create a resource.
- Update a resource.
- Delete a resource.
admin role grants all permissions to manage the resource, including assigning roles to other users. You can assign any role except
admin role includes all permissions granted by the
For example, the
admin role lets you perform the following operations:
- Set permissions to the resource.
- Change permissions to the resource.
To use the service, you need the role of
editor or higher to the folder that projects are being created in. With the
viewer role, you can only view the list of projects and the contents of files that were downloaded.
You can always assign a role granting more permissions than the role specified. For example, assign the
admin role instead of