Access management in Managed Service for YDB
Yandex Cloud users can only perform operations on resources that are allowed by the roles assigned to them. If a user does not have any roles assigned, almost all operations are forbidden.
To allow access to YDB resources (databases and database users), assign the required roles from the list below to a Yandex account, service account, federated user, user group, or system group. A role can also be assigned to a parent resource (folder or cloud); roles assigned there are inherited by the nested resources.
You can also grant a role on a specific database. This lets a user who has no roles in the folder hosting the database access that database according to the assigned role.
Only users with the admin, resource-manager.clouds.owner, or organization-manager.organizations.owner role for a resource can assign roles for this resource.
Note
For more information about role inheritance, see Inheritance of access rights in the Yandex Resource Manager documentation.
Assigning roles
To assign a user a role:
- Add the required user if needed.
- In the management console, select the appropriate cloud in the list on the left.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the Configuring access bindings window, click Select subject.
- Select a user from the list or search by user.
- Click Add role.
- Select a role in the cloud.
- Click Save.
Which roles exist in the service
The list below shows all roles that are considered when verifying access rights in Managed Service for YDB.
Service roles
ydb.auditor
The ydb.auditor role allows you to:
- Establish DB connections.
- View the list of schema objects (tables, indexes, and folders).
- View descriptions of schema objects (table, index, and folder).
- View DB information.
Users with this role can also retrieve the list of folders in the cloud and the list of resources in a cloud folder.
ydb.viewer
The ydb.viewer role grants permission to perform the following actions:
- Establish DB connections.
- View a list of schema objects (tables, indexes, and folders).
- View descriptions of schema objects (tables, indexes, and folders).
- View DB information.
- Run queries to read data.
This role also enables the user to retrieve a list of folders in the cloud and a list of resources in a cloud folder.
All the ydb.viewer permissions are included in the viewer role.
ydb.editor
The ydb.editor role grants permission to perform the following actions:
- Manage DBs, for example, create a DB or reconfigure it.
- Create, modify, and delete schema objects (tables, indexes, and folders) in a database.
- Run the statements that write data.
The ydb.editor role also includes all permissions of the viewer role.
All ydb.editor permissions are included in the editor role.
ydb.admin
The ydb.admin role has the same permissions as the ydb.editor role.
ydb.kafkaApi.client
The ydb.kafkaApi.client role allows you to work with ydb over the Kafka API protocol using plain authentication over an SSL connection.
Primitive roles
auditor
The auditor role grants permission to read service configurations and metadata with no access to data.
For example, the auditor role allows you to perform the following operations:
- View information about a resource.
- View resource metadata.
- View a list of operations with a resource.
Note
The auditor role is currently not supported in the following services:
- Yandex Data Streams.
- Yandex Query.
viewer
The viewer role grants permission to read resources.
The viewer role includes all permissions granted by the auditor role. Unlike auditor, the viewer role allows access to service data in read mode.
For example, the viewer role allows you to perform the following operations:
- View information about a resource.
- Get a list of nested resources, such as a list of VMs in a folder.
- View a list of operations with a resource.
editor
The editor role grants permission to perform any operation related to resource management, except assigning roles to other users. The editor role includes all permissions granted by the viewer role.
For example, the editor role lets you perform the following operations:
- Create a resource.
- Update a resource.
- Delete a resource.
admin
The admin role grants all permissions to manage the resource, including assigning roles to other users. You can assign any role except resource-manager.clouds.owner.
The admin role includes all permissions granted by the editor role.
For example, the admin role lets you perform the following operations:
- Set permissions to the resource.
- Change permissions to the resource.
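The role inclusion rules and the cloud > folder > database inheritance described on this page, modelled as a small effective-permission resolver so that bindings can be audited for least privilege before they are granted. This is an added example, not Yandex Cloud code: the role names and inclusion rules come from the page, the permission labels, the path-prefix inheritance model and the bindings are constructed assumptions.

```python
from typing import Dict, List, Set, Tuple

# Role -> (direct permissions, roles whose permissions it includes), from this page.
# Permission names are constructed labels for the actions the page lists.
ROLES: Dict[str, Tuple[Set[str], Set[str]]] = {
    "ydb.auditor": ({"db.connect", "schema.list", "schema.describe", "db.info"}, set()),
    "ydb.viewer": ({"data.read"}, {"ydb.auditor"}),
    "ydb.editor": ({"db.manage", "schema.modify", "data.write"}, {"viewer"}),
    "ydb.admin": (set(), {"ydb.editor"}),  # same permissions as ydb.editor
    "ydb.kafkaApi.client": ({"kafka.connect"}, set()),
    "auditor": ({"resource.info", "resource.metadata", "operations.list"}, set()),
    "viewer": ({"resource.list_nested"}, {"auditor", "ydb.viewer"}),
    "editor": ({"resource.create", "resource.update", "resource.delete"}, {"viewer", "ydb.editor"}),
    "admin": ({"access.assign"}, {"editor"}),
    # The page only states that owners can assign roles; nothing else is modelled.
    "resource-manager.clouds.owner": ({"access.assign"}, set()),
    "organization-manager.organizations.owner": ({"access.assign"}, set()),
}

# A binding is (resource path, subject, role). Paths are cloud > folder > database
# tuples; a binding applies to every resource nested under its path (assumed model).
Binding = Tuple[Tuple[str, ...], str, str]

def expand(role: str) -> Set[str]:
    """Transitively collect the permissions a role grants (ROLES is acyclic)."""
    direct, includes = ROLES[role]
    perms = set(direct)
    for included in includes:
        perms |= expand(included)
    return perms

def effective_permissions(bindings: List[Binding], subject: str, resource: Tuple[str, ...]) -> Set[str]:
    """Union of permissions from bindings on the resource itself or any parent."""
    perms: Set[str] = set()
    for path, bound_subject, role in bindings:
        if bound_subject == subject and resource[: len(path)] == path:
            perms |= expand(role)
    return perms

def can_assign_roles(bindings: List[Binding], subject: str, resource: Tuple[str, ...]) -> bool:
    """True only for holders of admin or an owner role, as the page requires."""
    return "access.assign" in effective_permissions(bindings, subject, resource)

# Constructed sample bindings (not real cloud, folder, database or subject ids).
BINDINGS: List[Binding] = [
    (("cloud-a",), "userAccount:alice", "admin"),
    (("cloud-a", "folder-b"), "serviceAccount:etl", "ydb.editor"),
    (("cloud-a", "folder-b", "db-c"), "federatedUser:bob", "ydb.viewer"),
]
```

Running `effective_permissions` for each subject against each database before granting a binding shows which write or role-assignment rights are inherited from a cloud- or folder-level role rather than granted deliberately on the database.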