Access management in Servercore products
Access to Servercore products is managed through projects and users.
When registering an account, a primary user is automatically created — the Account Owner, who has access to manage all account resources. The Account Owner can create additional users. Users can be of different types, and they can be granted different permissions by assigning roles in a specific access scope.
Besides the Account Owner, users with the iam.admin role can manage other users. You can learn more about the capabilities of each role in the Role Reference guide.
Users can be added to groups to manage multiple users as one.
You can manage users and roles in the control panel, using the IAM API or Terraform.
Records of access management operations are saved in audit logs.
Access management in certain Servercore products is restricted.
Permissions
A permission (Permission) determines which operations a user can perform and on which group of resources.
A permission consists of an access scope and a role.
A permission can be assigned to different subjects: a user, a service user, or a group. You can assign multiple permissions at once and change them.
Access scopes
An access scope is a group of resources to which the permission is granted. The access scope can be:
- account (account) — all account resources, including the resources of all projects;
- projects (project) — resources of selected projects.
Roles
A role is a set of authorized operations on specific types of resources or settings. A role defines access within an access scope that is specified in a permission.
Depending on the user type, you can assign them roles in different access scopes. You can learn more about the capabilities of each role in the Role Reference guide.
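The following added example (not Servercore code and not the IAM API schema) models a permission as a role plus an access scope, resolves what a user holds directly and through groups, and lists grants worth a least-privilege review. The Permission class, all function names, the user, group and project names, and the example.* role names are hypothetical; only iam.admin and the account/project scopes come from this page.

```python
from dataclasses import dataclass

# Hypothetical data model for illustration; not the Servercore IAM API schema.
@dataclass(frozen=True)
class Permission:
    role: str                             # "iam.admin" is the only role name taken from the page
    scope: str                            # "account" or "project"
    project_ids: frozenset = frozenset()  # used only when scope == "project"

def effective_permissions(user, direct, groups, group_perms):
    """Union of permissions assigned to the user and to every group containing the user."""
    perms = set(direct.get(user, ()))
    for group, members in groups.items():
        if user in members:
            perms |= set(group_perms.get(group, ()))
    return perms

def roles_in_project(perms, project_id):
    """Roles that apply in one project: account scope covers every project,
    project scope covers only the selected projects."""
    return {p.role for p in perms
            if p.scope == "account"
            or (p.scope == "project" and project_id in p.project_ids)}

def review_findings(users, direct, groups, group_perms):
    """Flag grants to review: iam.admin (can manage other users)
    and any other permission granted in the account scope."""
    findings = []
    for user in sorted(users):
        perms = effective_permissions(user, direct, groups, group_perms)
        for p in sorted(perms, key=lambda p: (p.role, p.scope)):
            if p.role == "iam.admin":
                findings.append((user, p.role, "can manage other users"))
            elif p.scope == "account":
                findings.append((user, p.role, "account-wide scope"))
    return findings

# Constructed sample data: users, groups, project ids and example.* roles are placeholders.
USERS = {"alice", "bob", "ci-bot"}
DIRECT = {
    "alice": [Permission("iam.admin", "account")],
    "bob": [Permission("example.viewer", "project", frozenset({"proj-a"}))],
    "ci-bot": [Permission("example.member", "project", frozenset({"proj-b"}))],
}
GROUPS = {"ops": {"bob"}}
GROUP_PERMS = {"ops": [Permission("example.member", "account")]}

if __name__ == "__main__":
    print(*review_findings(USERS, DIRECT, GROUPS, GROUP_PERMS), sep="\n")
```

In the sample data, bob's direct permission is limited to one project, but membership in the ops group gives him an account-scoped role that applies in every project, which is the kind of indirect grant a per-user review tends to miss.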
Role model update
Before the role model update in September 2025, user access was determined only by their roles. After the update, the old concept of a role corresponds to a permission — a combination of a role and an access scope. Roles have been renamed. The capabilities of the roles have not changed.
Access management constraints in certain products
Some products and services do not support the division of resources into projects and may additionally have their own access system:
- VMware-based cloud products: Public cloud powered by VMware, disaster recovery to the cloud powered by VMware, virtual desktop rental;
- Servercore email service;
- Direct Connect;
- Global Connect;
- IP address accounting;
- DDoS protection;
- Fault tolerant load balancer;
- AI Marketplace, ML platform;
- backup and recovery products: Agent-based backup (Veeam Agent), Veeam Cloud Connect cloud repository, Cyber Backup Cloud;
- Uptime check (formerly Monitoring);
- Logs.
In S3, user access to a bucket can be modified in accordance with an access policy; learn more in the Manage access to S3 guide.