Access management in Data Streams
Data Streams uses roles to manage access rights.
Yandex Cloud users can only perform operations on resources that are allowed by the roles assigned to them. If a user has no roles assigned, almost all operations are forbidden.
To allow access to Yandex Data Streams resources (data streams, the Yandex Managed Service for YDB databases that store them, and database users), assign the required roles from the list below to a Yandex account, service account, federated user, user group, or system group. Currently, a role can only be assigned to a parent resource (a folder or a cloud); roles are inherited by nested resources. Because of this inheritance, a role assigned at the cloud level applies to every folder and every stream in that cloud, so assign roles at the folder level wherever that is sufficient.
Only users with the admin, resource-manager.clouds.owner, or organization-manager.organizations.owner role for a resource can assign roles for this resource.
Note
For more information about role inheritance, see Inheritance of access rights in the Yandex Resource Manager documentation.
Assigning roles
To assign a user a role:
- Add the required user if needed.
- In the management console, select the appropriate cloud in the list on the left.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the Configuring access bindings window, click
- Select a user from the list or search by user.
- Click
- Select a role in the cloud.
- Click Save.
Which roles exist in the service
The list below shows all roles that are considered when verifying access rights in the Data Streams service.
Service roles
yds.viewer
Users with the yds.viewer role can read data from Data Streams streams and view their settings. The yds.viewer role also includes all permissions of the ydb.viewer role.
yds.writer
The yds.writer role allows writing data to Data Streams streams.
yds.editor
The yds.editor role allows writing data to and reading data from Data Streams streams, as well as viewing their settings. The yds.editor role also includes all permissions of the ydb.editor role.
yds.admin
Users with the yds.admin role can manage resource access rights, e.g., allow other users to create Data Streams streams or view information about them. The yds.admin role also includes all permissions of the ydb.admin role.
Primitive roles
Primitive roles are not specific to Data Streams: they grant the same level of access to the resources of every service in the folder or cloud they are assigned on, so prefer the yds.* service roles above where those are sufficient.
viewer
A user with the viewer role can view information about resources, e.g., lists of data streams and of the databases they are created in, and their properties.
editor
A user with the editor role can manage any resources, e.g., create or delete a stream. In addition, this role allows writing application data to streams. The editor role also includes all permissions of the viewer role.
admin
Users with the admin role can manage resource access rights, for example, allow other users to create streams or view information about them. The admin role also includes all permissions of the editor role.
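The two rules above (roles are inherited by nested resources, and each role "includes all permissions of" another) decide who can actually read, write, or re-grant access to a stream. The following Python script is an added example, not part of this page or of Yandex Cloud's own tooling: it models those rules as an offline audit over a constructed set of access bindings in the shape `yc resource-manager folder list-access-bindings --format json` returns (role_id plus subject type and id; treated as an assumption here), computes each subject's effective permissions on a folder, checks who may assign roles, and flags subjects that hold a broad primitive role where a narrower yds.* service role would cover what they need. The permission labels (stream.write and so on) are illustrative names chosen for the script, and the ydb.* roles are referenced by this page but not described on it, so they are modelled as empty permission sets.

```python
"""Offline least-privilege audit of Data Streams access bindings.

Added example; models only what this page states about the roles.
Role descriptions, permission labels and the sample bindings are
constructed for illustration and are not Yandex Cloud's own data.
"""
from collections import defaultdict

# Permissions each role grants, per the descriptions on this page.
# ydb.* roles are not described here, so they carry no permissions in
# this model; extend from the YDB role reference if you need them.
ROLE_PERMISSIONS = {
    "yds.viewer": {"stream.read", "stream.settings.view"},
    "yds.writer": {"stream.write"},
    "yds.editor": {"stream.read", "stream.write", "stream.settings.view"},
    "yds.admin":  {"access.manage"},
    "viewer":     {"stream.list", "stream.settings.view", "db.list"},
    "editor":     {"stream.create", "stream.delete", "stream.write"},
    "admin":      {"access.manage"},
    "ydb.viewer": set(), "ydb.editor": set(), "ydb.admin": set(),
}

# "Role X also includes all permissions of role Y", as stated on this page.
ROLE_INCLUDES = {
    "yds.viewer": {"ydb.viewer"},
    "yds.editor": {"ydb.editor"},
    "yds.admin":  {"ydb.admin"},
    "editor":     {"viewer"},
    "admin":      {"editor"},
}

# Roles that may assign roles on a resource, per this page.
ROLE_ASSIGNERS = {"admin", "resource-manager.clouds.owner",
                  "organization-manager.organizations.owner"}

# Constructed sample: a cloud containing one folder, with bindings listed
# per resource (assumed to match `yc ... list-access-bindings` JSON).
RESOURCE_PARENT = {"folder-prod": "cloud-a", "cloud-a": None}
BINDINGS = {
    "cloud-a": [
        {"role_id": "admin", "subject": {"type": "userAccount", "id": "alice"}},
    ],
    "folder-prod": [
        {"role_id": "editor", "subject": {"type": "serviceAccount", "id": "sa-producer"}},
        {"role_id": "yds.viewer", "subject": {"type": "serviceAccount", "id": "sa-consumer"}},
    ],
}


def expand_role(role):
    """Transitive closure of the 'includes all permissions of' relation."""
    seen, stack, perms = set(), [role], set()
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        perms |= ROLE_PERMISSIONS.get(r, set())
        stack.extend(ROLE_INCLUDES.get(r, ()))
    return perms


def effective_roles(resource, bindings=BINDINGS, parents=RESOURCE_PARENT):
    """Roles per subject on `resource`, including roles inherited from parents."""
    roles = defaultdict(set)
    node = resource
    while node is not None:
        for b in bindings.get(node, []):
            roles[f"{b['subject']['type']}:{b['subject']['id']}"].add(b["role_id"])
        node = parents.get(node)
    return dict(roles)


def effective_permissions(resource, bindings=BINDINGS, parents=RESOURCE_PARENT):
    """Union of the expanded permissions of every effective role, per subject."""
    return {subj: set().union(*(expand_role(r) for r in rs))
            for subj, rs in effective_roles(resource, bindings, parents).items()}


def can_assign_roles(subject, resource, bindings=BINDINGS, parents=RESOURCE_PARENT):
    """True if `subject` holds a role that allows assigning roles on `resource`."""
    return bool(effective_roles(resource, bindings, parents).get(subject, set()) & ROLE_ASSIGNERS)


def least_privilege_findings(resource, needs, bindings=BINDINGS, parents=RESOURCE_PARENT):
    """needs: subject -> permissions the workload actually requires.

    Returns (subject, excess permissions, suggested narrower yds.* role or None)
    for every subject in `needs` that holds more than it requires.
    """
    findings = []
    for subj, perms in effective_permissions(resource, bindings, parents).items():
        required = needs.get(subj)
        if required is None or not (perms - required):
            continue
        narrower = [r for r in ("yds.writer", "yds.viewer", "yds.editor")
                    if required <= expand_role(r) and expand_role(r) < perms]
        findings.append((subj, sorted(perms - required), narrower[0] if narrower else None))
    return findings


if __name__ == "__main__":
    needs = {"serviceAccount:sa-producer": {"stream.write"},
             "serviceAccount:sa-consumer": {"stream.read", "stream.settings.view"}}
    for subj, excess, suggestion in least_privilege_findings("folder-prod", needs):
        print(f"{subj}: excess {excess}; replace with {suggestion}")
```

Run against real output by loading the JSON of `yc resource-manager folder list-access-bindings` and `yc resource-manager cloud list-access-bindings` into the `BINDINGS` dictionary. The sample produces one finding: the producer service account was given the primitive editor role (which also lets it create and delete streams) when yds.writer would do.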