Access management in Resource Manager
In this section, you will learn:
- Which resources you can assign roles to.
- Which roles exist in the service.
- Which roles are required for particular actions.
About access management
All transactions in Yandex Cloud are checked by the Yandex Identity and Access Management service. If a subject doesn't have the required permission, the service returns an error.
To grant permission for a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, a service account, federated users, a user group, or a system group. For more information, see How access management works in Yandex Cloud.
Only users with the admin or resource-manager.clouds.owner role for a resource can assign roles for this resource.
What resources you can assign roles to
As with other services, you can assign roles for clouds, folder and service accounts. The roles assigned for clouds and folders also apply to nested resources.
What roles exist in the service
The chart below shows which roles are available in the service and how they inherit each other's permissions. For example, the editor role includes all viewer role permissions. You can find the description of each role under the chart.
Active roles in the service:
-
Service roles:
-
resource-manager.clouds.owner: Grants you full access to the cloud and the resources in it. You can only assign this role for a cloud. -
resource-manager.clouds.memberis required for everyone except the cloud owners and service accounts to access resources in a cloud not owned by the organization. -
resource-manager.admingrants permission to edit and delete as well as manage access to clouds or folders. It is assigned for an organization, a cloud, or a folder. -
resource-manager.editorgrants permission to create, edit, or delete clouds or folders. It is assigned for an organization, a cloud, or a folder. -
resource-manager.viewergrants permission to view cloud or folder information as well as view the list of access rights granted to a cloud or a folder. It is assigned for an organization, a cloud, or a folder. -
resource-manager.auditor: Grants permission to view cloud or folder metadata and the list of cloud or folder roles. It is assigned to an organization, a cloud, or a folder.
-
-
Primitive roles:
What roles do I need
The table below lists the roles needed to perform a particular action. You can always assign a role granting more permissions than the role specified. For example, you can assign the editor role instead of the viewer one.
| Action | Methods | Required roles |
|---|---|---|
| View data | ||
| View information about any resource | get, list |
viewer for this resource |
| View information about a folder or cloud | get, list |
resource-manager.viewer for the folder or cloud |
| View metadata about a folder or cloud | get, list |
resource-manager.auditor for the folder or cloud |
| Manage resources | ||
| Create a cloud | To create your first cloud, no roles are required. You only need to authenticate (a user is automatically assigned the resource-manager.clouds.owner role in the created organization). Afterwards, the resource-manager.editor or editor role for the organization is required. |
|
| Update a cloud | update |
editor or resource-manager.editor for the cloud |
| Deleting a cloud | delete |
resource-manager.clouds.owner for a cloud |
| Create a folder in the cloud | create |
editor or resource-manager.editor for the cloud |
| Updating a folder | update |
editor or resource-manager.editor for the folder |
| Deleting a folder | delete |
editor or resource-manager.editor for the folder |
| Manage resource access | ||
| Add a new user to the cloud | setAccessBindings |
admin for the cloud if it has no organization |
| Make a new user the owner of the cloud | setAccessBindings, updateAccessBindings |
resource-manager.clouds.owner for the cloud |
| View roles granted for a resource | listAccessBindings |
viewer for this resource |
| View roles granted for the folder or cloud | listAccessBindings |
resource-manager.viewer for the folder or cloud |
| Assign a role and revoke a role for the folder or cloud | setAccessBindings, updateAccessBindings |
admin or resource-manager.admin for the folder or cloud |