Access management in DataSphere
User access to Yandex DataSphere depends on relevant permissions granted within an organization. Organizations are managed using Yandex Cloud Organization.
The list of operations available to DataSphere users is determined by the roles they have. Roles can be assigned to a Yandex account, a service account, federated users, a user group, or a system group. For more information about managing access to Yandex Cloud, see How access management works in Yandex Cloud.
Only users with the admin, resource-manager.clouds.owner, or organization-manager.organizations.owner role for a resource can assign roles for this resource.
Which resources you can assign a role for
Access control is implemented at the community and project level. You can also make resources available to all community users. Once granted, access permissions apply to the whole hierarchy of resources. For example, if you give a user a role for a DataSphere project, all the permissions will also be valid for the resources within this project. Learn more about relationships between DataSphere resources.
How to assign a role
You can assign a role to a user in the DataSphere interface. You can also grant access rights through the Cloud Organization interface.
Which roles exist in the service
Service roles
datasphere.community-projects.viewer
The datasphere.community-projects.viewer role lets you view the project list and settings, as well as project resources and project members.
In the DataSphere interface, users with the datasphere.community-projects.viewer role have the Viewer role in the Members tab on the project page.
datasphere.community-projects.developer
The datasphere.community-projects.developer role lets you work in a project. Users with this role can manage project resources but can't share them in a community. They can run an IDE and code cells.
The datasphere.community-projects.developer role also includes all permissions of the datasphere.community-projects.viewer role.
In the DataSphere interface, users with the datasphere.community-projects.developer role have the Developer role in the Members tab on the project page.
datasphere.community-projects.editor
The datasphere.community-projects.editor role lets you edit project settings and delete projects.
Users with the datasphere.community-projects.editor role can share project resources with communities where they have Developer privileges (the datasphere.communities.developer role).
The datasphere.community-projects.editor role also includes all permissions of the datasphere.community-projects.developer role.
In the DataSphere interface, users with the datasphere.community-projects.editor role have the Editor role in the Members tab on the project page.
datasphere.community-projects.admin
The datasphere.community-projects.admin role lets you manage project access rights.
Users with the datasphere.community-projects.admin role can share project resources with communities where they have Developer privileges (the datasphere.communities.developer role).
The datasphere.community-projects.admin role also includes all permissions of the datasphere.community-projects.editor role.
In the DataSphere interface, users with the datasphere.community-projects.admin role have the Admin role in the Members tab on the project page.
datasphere.communities.viewer
With the datasphere.communities.viewer role, you can view the list of communities and their settings, but can't create, delete, or edit resources. This role doesn't let you run an IDE.
The datasphere.communities.viewer role also includes all permissions of the datasphere.community-projects.viewer role.
In the DataSphere interface, users with the datasphere.communities.viewer role have the Viewer role in the Members tab on the community page.
datasphere.communities.developer
The datasphere.communities.developer role lets you create new projects and publish project resources in a community.
The datasphere.communities.developer role also includes all permissions of the datasphere.communities.viewer role.
In the DataSphere interface, users with the datasphere.communities.developer role have the Developer role in the Members tab on the community page.
datasphere.communities.editor
The datasphere.communities.editor role lets you edit community settings, manage community projects and resources, and delete communities. Users with this role can link a billing account to a community.
The datasphere.communities.editor role also includes all permissions of the datasphere.communities.developer and datasphere.community-projects.editor roles.
In the DataSphere interface, users with the datasphere.communities.editor role have the Editor role in the Members tab on the community page.
datasphere.communities.admin
The datasphere.communities.admin role lets you manage permissions to a community and its projects and resources.
The datasphere.communities.admin role also includes all permissions of the datasphere.communities.editor and datasphere.community-projects.admin roles.
Users with the datasphere.communities.admin role can share resources with communities where they also have this role.
In the DataSphere interface, users with the datasphere.communities.admin role have the Admin role in the Members tab on the community page.
datasphere.user
The datasphere.user role is deprecated and no longer used.
datasphere.admin
The datasphere.admin role is deprecated and no longer used.
For example, Julia works with multiple teams and belongs to their communities with different access rights:
- In the Cat lovers community: Admin (the datasphere.communities.admin role).
- In the Counting fences community: Admin (the datasphere.communities.admin role).
- In the Top secret community: Developer (the datasphere.communities.developer role), but no Admin privilege in the Project_111 project of this community (the datasphere.community-projects.admin role).
Julia can share the resources of any Cat lovers or Counting fences projects in any of these communities. She can also publish Project_111 resources in these communities, but can't share them in the Top secret community.
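The role inclusions listed above form a small hierarchy, and reasoning about it by hand (which role covers which, and which is the narrowest role that still grants a needed permission) is where over-provisioning usually creeps in. The following is an added example, not Yandex's code or part of the DataSphere service: it encodes only the "also includes all permissions of" relationships and the deprecated roles stated on this page, and the function names, the least-privilege selection logic, and the sample grants are assumptions made for illustration.

```python
"""Role-hierarchy resolver for the DataSphere roles described on this page.

Added example, not Yandex's code. The role names and the inclusion edges are
taken from the page's role descriptions; function names and sample grants are
constructed for illustration.
"""

# Direct inclusions stated on the page: role -> roles whose permissions it includes.
INCLUDES = {
    "datasphere.community-projects.viewer": set(),
    "datasphere.community-projects.developer": {"datasphere.community-projects.viewer"},
    "datasphere.community-projects.editor": {"datasphere.community-projects.developer"},
    "datasphere.community-projects.admin": {"datasphere.community-projects.editor"},
    "datasphere.communities.viewer": {"datasphere.community-projects.viewer"},
    "datasphere.communities.developer": {"datasphere.communities.viewer"},
    "datasphere.communities.editor": {
        "datasphere.communities.developer",
        "datasphere.community-projects.editor",
    },
    "datasphere.communities.admin": {
        "datasphere.communities.editor",
        "datasphere.community-projects.admin",
    },
}

# Roles the page marks as deprecated; a binding audit should flag any that remain.
DEPRECATED = {"datasphere.user", "datasphere.admin"}


def implied_roles(role):
    """Return the role itself plus every role it transitively includes."""
    seen = set()
    stack = [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(INCLUDES.get(current, ()))
    return seen


def satisfies(granted, required):
    """True if any granted role is the required role or transitively includes it."""
    return any(required in implied_roles(r) for r in granted)


def least_privileged_roles(required):
    """Roles covering every required role whose permission set is not a strict
    superset of another covering role.

    Models the page's rule that a broader role may always be assigned instead of
    the listed one, while choosing the narrowest option (least privilege).
    """
    required = set(required)
    candidates = [r for r in INCLUDES if required <= implied_roles(r)]
    return sorted(
        c for c in candidates
        if not any(o != c and implied_roles(o) < implied_roles(c) for o in candidates)
    )


def audit_bindings(bindings):
    """Return principal -> deprecated roles still bound, for principals that have any."""
    return {
        principal: sorted(roles & DEPRECATED)
        for principal, roles in bindings.items()
        if roles & DEPRECATED
    }


if __name__ == "__main__":
    # Constructed sample grants, not real bindings.
    print(sorted(implied_roles("datasphere.communities.editor")))
    print(satisfies({"datasphere.communities.admin"}, "datasphere.community-projects.admin"))
    print(least_privileged_roles({"datasphere.community-projects.viewer",
                                  "datasphere.communities.viewer"}))
    print(audit_bindings({"svc-trainer": {"datasphere.user",
                                          "datasphere.community-projects.developer"}}))
```

Note that the closure shows why datasphere.communities.developer alone is not enough to run an IDE in a project: it reaches only datasphere.communities.viewer and datasphere.community-projects.viewer, so a project-level Developer grant is still required, which matches the table of required roles below.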
Primitive roles
auditor
Grants permission to view service configuration and metadata without access to data.
viewer
Enables you to view information about resources.
editor
Allows you to manage resources, e.g., create, edit, and delete them.
admin
Allows you to manage your resources and access to them.
For more information about primitive roles, see Roles.
What roles do I need
The table below lists the roles needed to perform a particular action. You can always assign a role granting more permissions than the role specified. For example, you can assign Editor instead of Viewer.
Action | Roles required
Viewing information |
Viewing a project, its settings and users |
Viewing a community, its settings and users |
Managing a project |
Running an IDE |
Using resources |
Creating resources |
Deleting resources |
Publishing resources in a community |
Granting a role in a project |
Managing a community |
Editing community settings |
Granting a role in a community |