Skip to main content

Access management in Servercore products

To manage access to Servercore products, projects and users are used.

When registering an account, a main user is automatically created — Account Owner, who has access to manage all account resources. The Account Owner can create additional users. Users can be of different types; you can assign them different permissions — assign roles in a specific scope.

In addition to the Account Owner, users with the iam.admin role can manage other users. Learn more about the capabilities of each role in the Roles Reference.

Users can be added to groups to manage multiple users as one.

You can manage users and roles in the control panel, using IAM API or Terraform.

Records of access management operations are saved in audit logs.

Access management in certain Servercore products is restricted.

Permissions

A permission (Permission) determines which operations a user can perform and on which group of resources.

A permission consists of an access scope and a role.

Permissions can be assigned to different subjects: a user, a service user, or a group. You can assign multiple permissions at once and change them.

Access scopes

A permission scope is a group of resources to which the permission is granted. The permission scope can be:

  • account (account) — all account resources, including the resources of all projects;
  • projects (project) — resources of selected projects.

Roles⁠​

A role is a set of authorized operations on specific types of resources or settings. A role defines access within an access scope that is specified in a permission.

Depending on the user type, you can assign them roles in different access scopes. Learn more about the capabilities of each role in the Roles Reference.

Role model update

Before the role model update in September 2025, user access was determined solely by their roles. After the update, the old concept of a role corresponds to a permission — a combination of a role and an access scope. Roles have been renamed. The capabilities of the roles have not changed.

Old role nameRoleAccess scope
Account administratormemberAccount
Project administratorProject
Billing administratorbillingAccount
User administratoriam.adminAccount
Account viewerreaderAccount
Project viewerProject
S3 administratorobject_storage_adminProject
S3 userobject_storage_userProject
Mobile farm administratormobile_farm.adminProject
Mobile farm usermobile_farm.userProject
Mobile farm viewermobile_farm.viewerProject

Access management constraints in certain products

Some products and services do not support the division of resources into projects and may additionally have their own access system:

  • VMware-based cloud products: Public cloud powered by VMware, disaster recovery to the cloud powered by VMware, virtual desktop rental;
  • Servercore email service;
  • Direct Connect;
  • Global Connect;
  • IP address accounting;
  • DDoS protection;
  • Fault tolerant load balancer;
  • AI Marketplace, ML platform;
  • backup and recovery products: Agent-based backup (Veeam Agent), Veeam Cloud Connect cloud repository, Cyber Backup Cloud;
  • Uptime check (formerly Monitoring);
  • Logs.

In S3, user access to a bucket can be modified in accordance with an access policy; learn more in the Manage access to S3 guide.