Access management in SmartCaptcha

Written by

Yandex Cloud

improved by

Dmitry A.

About access management
What resources you can assign roles to
What roles exist in the service
- Service roles
- Primitive roles
What roles do I need

In this section, you'll learn:

Which resources you can assign roles to.
Which roles exist in the service.

About access management

All transactions in Yandex Cloud are checked by the Yandex Identity and Access Management service. If a subject doesn't have the required permission, the service returns an error.

To grant permission for a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, a service account, federated users, a user group, or a system group. For more information, see How access management works in Yandex Cloud.

Only users with the admin or resource-manager.clouds.owner role for a resource can assign roles for this resource.

What resources you can assign roles to

You can assign a role to an organization, cloud, or folder. Roles assigned to an organization, cloud, or folder also apply to the CAPTCHAs in them.

What roles exist in the service

The list below shows all roles that are considered when verifying access rights in the SmartCaptcha service.

Service roles

Role	Permissions
`resource-manager.clouds.owner`	Grants you full access to a cloud and the resources in it. You can only assign this role for a cloud.
`smart-captcha.viewer`	Enables you to view CAPTCHA information.
`smart-captcha.editor`	Enables you to manage CAPTCHAs (create, change, or delete them). Includes all access rights of the `smart-captcha.viewer` role.
`smart-captcha.admin`	Enables you to manage CAPTCHAs and access to them. Includes all access rights of the `smart-captcha.editor` role.

Primitive roles

Role	Permissions
`admin`	Lets you manage your resources and access to them.
`editor`	Lets you manage resources (create, edit, and delete).
`viewer`	Lets you only view information about resources.

What roles do I need

The table shows actions and minimum roles required to perform them. You can always assign a role granting broader access rights than the role from the table. For example, you can assign the smart-captcha.editor role instead of the smart-captcha.viewer role.

Action	Role
Viewing CAPTCHA information	`smart-captcha.viewer`
Creating a CAPTCHA	`smart-captcha.editor`
Editing a CAPTCHA	`smart-captcha.editor`
Deleting a CAPTCHA	`smart-captcha.editor`
Managing roles of CAPTCHA users	`smart-captcha.admin`