Access management in Cloud Backup
About access management
In Yandex Cloud, all transactions are checked in Yandex Identity and Access Management. If a subject does not have the required permission, the service returns an error.
To grant permission for a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, a service account, federated users, a user group, or a system group. For more information, see How access management works in Yandex Cloud.
Only users with the admin, resource-manager.clouds.owner, or organization-manager.organizations.owner role for a resource can assign roles for this resource.
Which resources you can assign a role for
Using the Yandex Cloud console or the YC CLI, you can assign a role to a cloud or folder. These assigned roles will also apply to nested resources.
Which roles exist in the service
Service roles
backup.viewer
The backup.viewer role is intended for viewing Cloud Backup resources. Users with this role can view:
- Backup policies, including permissions to access them, and a list of policies.
- Basic information about Yandex Cloud resources linked to policies (such as VM IDs) and their backup statuses.
- Information about backups.
- A list of connected backup providers.
- Service quotas.
In a cloud, this role can be granted by the cloud administrator (the admin role), and in a folder, by the cloud administrator or a user with the backup.admin folder role.
backup.editor
The backup.editor role is intended for managing Cloud Backup resources. Users with this role can:
- View all resources and their lists, as with the backup.viewer role.
- Create, update, and delete backup policies.
- Update a list of Yandex Cloud resources linked to a policy.
- Restore resources from backups.
- Delete backups.
- Connect backup providers available in Cloud Backup.
In a cloud, this role can be granted by the cloud administrator (the admin role), and in a folder, by the cloud administrator or a user with the backup.admin folder role.
backup.admin
The backup.admin role is intended for managing Cloud Backup. Users with this role can:
- Perform any actions allowed by the backup.editor role.
- Manage other users' access to backup policies.
This role can be assigned by the administrator of the cloud (the admin role).
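The following added example (not part of the original documentation and not Yandex Cloud code) models the three service roles above to audit least privilege: it resolves each subject's effective roles in a folder, including roles inherited from the cloud, then lists who can delete backups and who holds more than they need. Assumptions: the action labels, the binding tuple format, the subject names, and a single cloud containing all folders are hypothetical; primitive roles are not modelled.

```python
# Added example, not Yandex Cloud code; action labels are hypothetical shorthand.
ROLE_CHAIN = ["backup.viewer", "backup.editor", "backup.admin"]  # each extends the previous
OWN_ACTIONS = {
    "backup.viewer": {"view"},
    "backup.editor": {"manage_policies", "restore", "delete_backups", "connect_providers"},
    "backup.admin": {"manage_policy_access"},
}

def actions(role):
    """Actions a service role allows, including those of the roles it extends."""
    if role not in ROLE_CHAIN:
        return set()  # primitive and other roles are not modelled here
    chain = ROLE_CHAIN[: ROLE_CHAIN.index(role) + 1]
    return set().union(*(OWN_ACTIONS[r] for r in chain))

def least_role(needed):
    """Smallest service role covering every action in `needed`, else None."""
    return next((r for r in ROLE_CHAIN if needed <= actions(r)), None)

def effective_roles(bindings, folder):
    """Service roles per subject in `folder`; cloud bindings apply to nested folders."""
    found = {}
    for scope, resource, subject, role in bindings:
        if role in ROLE_CHAIN and (scope == "cloud" or (scope, resource) == ("folder", folder)):
            found.setdefault(subject, set()).add(role)
    return found

def who_can(bindings, folder, action):
    """Subjects whose effective roles in `folder` allow `action`."""
    roles = effective_roles(bindings, folder)
    return sorted(s for s, rs in roles.items() if any(action in actions(r) for r in rs))

def overprivileged(bindings, folder, needs):
    """Subject -> (held, sufficient) where held exceeds the need; no entry means view only."""
    report = {}
    for subject, roles in effective_roles(bindings, folder).items():
        held = max(roles, key=ROLE_CHAIN.index)
        want = least_role(needs.get(subject, set()))
        if want and ROLE_CHAIN.index(held) > ROLE_CHAIN.index(want):
            report[subject] = (held, want)
    return report

# Constructed sample: a single cloud containing folders "prod" and "dev".
BINDINGS = [
    ("cloud", "my-cloud", "sa-monitoring", "backup.editor"),
    ("folder", "prod", "sa-backup-agent", "backup.editor"),
    ("folder", "prod", "alice", "backup.viewer"),
    ("folder", "dev", "bob", "backup.admin"),
]
```

With this sample, who_can(BINDINGS, "prod", "delete_backups") includes sa-monitoring even though it has no binding on the prod folder, because its cloud-level backup.editor role applies to every nested folder.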
Primitive roles
auditor
Grants permission to view service configuration and metadata without access to data.
viewer
Enables you to view information about resources.
editor
Allows you to manage resources, e.g., create, edit, and delete them.
admin
Allows you to manage your resources and access to them.
For more information about primitive roles, see Roles.