Role Directory

A role is a set of authorized operations on specific types of resources.

Roles are assigned within permissions. The role applies to the access area that is specified in the permission, please refer to the Access Control in Servercore Products manual for more details.

Some roles may only be assigned to a specific access area, and may have a different set of managed resources in different access areas.

member

User with full access to all services. Unavailable access control: users, service users, user groups, federations.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: management of projects, their limits and quotas; billing management; resource management across all projects; management of resources outside of projects; audit logging
Available operations	In the access area Project: resource management of the selected project

billing

User with access to billing management and without access to service management.

Access areas	Account
Who can be prescribed	Users; to service users; user groups
Available operations	Billing Management: replenishment of balance and transfer of funds between balances; management of auto-account, monthly payments, payment deferrals; balance notification management; bank card management; viewing of reporting documents; managing the affiliate program and withdrawal of funds; View connected services and service statuses

iam_admin

User with access to user management and without access to services and billing. Cannot manage his account: change permissions, manage notifications, delete the user. The first user with the iam_admin role is created by the Account Owner.

Access areas	Account
Who can be prescribed	Users; to service users; user groups
Available operations	Manage users, service users, user groups and federations; issuing keys to users; manage other users' notifications; setting account access restrictions

reader

A user with access to view everything he controls member in the same access area.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: View resources in all projects, as well as resources that are not attached to a project; view the settings of all projects, their limits and quotas; view billing data (balance, bank cards, report documents, partner program, etc.)
Available operations	In the access area Project: view the resources of the selected project

vpc.admin

User with access to manage cloud platform networks (private networks and subnets, public subnets and public IP addresses, cloud routers), cloud firewalls, security groups, cloud load balancers.

It is not available to add ports to the cloud server or delete ports added to the cloud server, this requires the role of member.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud platform network operations	In the Account access area: View a list of all network resources in the cloud platform and information about them in all projects; manage private networks, subnets and ports in all projects: Creating and deleting a network and subnet; Change the name and tags of the network and subnet; changing automatic subnet network settings (gateway, DNS servers, static routes, DHCP status); Connecting the subnet to and disconnecting from the cloud router; Connecting a subnet to and disconnecting from the global router (additionally requires the role of `global_router.admin`); Create a port on the network (not assigned to a cloud server) and delete a port on the network (other than those assigned to a cloud server); Enable or disable the port on the network; management of public subnets in all projects: creating and deleting a subnet; changing the subnet name and tags; changing DNS servers; Create and delete a port on a subnet; Enable or disable the port on the network; management of public IP addresses in all projects: creating and deleting an IP address; connecting an IP address to a port on a private network; switching between ports; disconnecting from the port; Cloud router management in all projects: creating and deleting a router; changing the router name and tags; turning the router on and off; connect the router to an external network and disconnect from it; managing static routes on the router; Connecting a private subnet to and disconnecting from the router
Available cloud platform network operations	In the access area Project: View a list of all network resources in the cloud platform and information about them in the selected project; manage private networks, subnets, and ports in the selected project: Creating and deleting a network and subnet; Change the name and tags of the network and subnet; changing automatic subnet network settings (gateway, DNS servers, static routes, DHCP status); Connecting the subnet to and disconnecting from the cloud router; Connecting a subnet to and disconnecting from the global router (additionally requires the role of `global_router.admin`); Create a port on the network (not assigned to a cloud server) and delete a port on the network (other than those assigned to a cloud server); Enable or disable the port on the network; management of public subnets in the selected project: creating and deleting a subnet; changing the subnet name and tags; change DNS servers; Create and delete a port on a subnet; Enabling and disabling the port on the network; management of public IP addresses in the selected project: creating and deleting an IP address; connecting an IP address to a port on a private network; switching between ports; disconnecting from the port; Managing cloud routers in the selected project: creating and deleting a router; changing the router name and tags; turning the router on and off; connect the router to an external network and disconnect from it; managing static routes on the router; Connecting a private subnet to and disconnecting from the router
Available cloud load balancer operations	In the Account access area: View a list of all load balancer objects and information about them in all projects: load balancers, rules and HTTP policies, target groups and servers in them, availability checks; view balancer statistics in all projects; managing load balancers, rules and HTTP policies, target groups, availability checks in all projects; Enabling and disabling balancer logging in all projects
Available cloud load balancer operations	In the access area Project: View a list of all load balancer objects and information about them in the selected project: load balancers, rules and HTTP policies, target groups and servers in them, availability checks; view statistics of balancers in the selected project; managing load balancers, rules and HTTP policies, target groups, availability checks in the selected project; enable or disable balancer logging in the selected project
Available cloud firewall operations	In the Account access area: View a list of cloud firewalls and information about them in all projects; managing cloud firewalls in all projects
Available cloud firewall operations	In the access area Project: View the list of cloud firewalls and information about them in the selected project; managing cloud firewalls in the selected project
Available operations with security groups	In the Account access area: view the list of security groups and information about them in all projects; creating and deleting security groups in all projects; changing the group name, description and tags in all projects; assigning a group to a port and disabling a group from a port in all projects; adding and deleting rules in the group in all projects; downloading a report on groups in all projects
Available operations with security groups	In the access area Project: view the list of safety groups and information about them in the selected project; creating and deleting a security group in the selected project; change the name, description and tags of the group in the selected project; assign a group to a port and disconnect the group from the port in the selected project; adding and deleting rules in a group in the selected project; downloading a report on groups in the selected project

vpc.viewer

User with access to view everything he controls vpc.admin in the same access area.

Access areas	Account
Who can be prescribed	Users; to service users; user groups
Available cloud platform network operations	In the Account access area: View a list of all network resources in the cloud platform and information about them in all projects
Available cloud platform network operations	In the access area Project: View a list of all network resources of the cloud platform and information about them in the selected project
Available cloud firewall operations	In the Account access area: View the list of cloud firewalls and information about them in all projects
Available cloud firewall operations	In the access area Project: View the list of cloud firewalls and information about them in the selected project
Available operations with security groups	In the Account access area: view the list of security groups and information about them in all projects; downloading a report on groups in all projects
Available operations with security groups	In the access area Project: view the list of safety groups and information about them in the selected project; downloading a report on groups in the selected project

vpc.private_network.admin

A user with access to manage private networks, subnets, and ports.

It is not available to add ports to the cloud server or delete ports added to the cloud server, this requires the role of member.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud platform network operations	In the Account access area: View the list of private networks, subnets, ports and information about them in all projects; manage private networks, subnets and ports in all projects: Creating and deleting a network and subnet; Change the name and tags of the network and subnet; changing automatic subnet network settings (gateway, DNS servers, static routes, DHCP status); connecting the subnet to and disconnecting from the cloud router (additionally requires the role of `vpc.external_access.admin`); Connecting a subnet to and disconnecting from the global router (additionally requires the role of `global_router.admin`); Create a port on the network (not assigned to a cloud server) and delete a port on the network (other than those assigned to a cloud server); Enabling and disabling the port on the network
Available cloud platform network operations	In the access area Project: view the list of private networks, subnets, ports and information about them in the selected project; manage private networks, subnets, and ports in the selected project: Creating and deleting a network and subnet; Change the name and tags of the network and subnet; changing automatic subnet network settings (gateway, DNS servers, static routes, DHCP status); connecting the subnet to and disconnecting from the cloud router (additionally requires the role of `vpc.external_access.admin`); Connecting a subnet to and disconnecting from the global router (additionally requires the role of `global_router.admin`); Create a port on the network (not assigned to a cloud server) and delete a port on the network (other than those assigned to a cloud server); Enabling and disabling the port on the network

vpc.private_network.viewer.

A user with access to view everything they manage vpc.private_network.admin in the same access area.

Access areas	Account
Who can be prescribed	Users; to service users; user groups
Available cloud platform network operations	In the Account access area: View the list of private networks, subnets, ports and information about them in all projects
Available cloud platform network operations	In the access area Project: View the list of private networks, subnets, ports and information about them in the selected project

vpc.external_access.admin

User with access to manage objects for internet access - public subnets, public IP addresses, cloud routers.

It is not available to add ports to the cloud server or delete ports added to the cloud server, this requires the role of member.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud platform network operations	In the Account access area: View a list of public subnets and public IP addresses, ports on public networks, cloud routers and information about them in all projects; management of public subnets in all projects: creating and deleting a subnet; changing the subnet name and tags; changing DNS servers; Create and delete a port on a subnet; Enabling and disabling the port on the network management of public IP addresses in all projects: creating and deleting an IP address; connecting an IP address to a port on a private network; switching between ports; disconnecting from the port; Cloud router management in all projects: creating and deleting a router; changing the router name and tags; turning the router on and off; connect the router to an external network and disconnect from it; managing static routes on the router; connecting a private subnet to the router and disconnecting from it (additionally requires the role of `vpc.private_network.admin`)
Available cloud platform network operations	In the access area Project: View a list of public subnets and public IP addresses, ports on public networks, cloud routers and information about them in the selected project; management of public subnets in the selected project: creating and deleting a subnet; changing the subnet name and tags; changing DNS servers; Create and delete a port on a subnet; Enabling and disabling the port on the network management of public IP addresses in the selected project: creating and deleting an IP address; connecting an IP address to a port on a private network; switching between ports; disconnecting from the port; Managing cloud routers in the selected project: creating and deleting a router; changing the router name and tags; turning the router on and off; connect the router to an external network and disconnect from it; managing static routes on the router; connecting a private subnet to the router and disconnecting from it (additionally requires the role of `vpc.private_network.admin`)

vpc.external_access.user

A user with access to view everything he controls vpc.external_access.admin in the same access area, and with access to manage public IP addresses.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud platform network operations	In the Account access area: View a list of public subnets and public IP addresses, ports on public networks, cloud routers and information about them in all projects; management of public IP addresses in all projects: connecting an IP address to a port on a private network, switching between ports, disconnecting from a port
Available cloud platform network operations	In the access area Project: View a list of public subnets and public IP addresses, ports on public networks, cloud routers and information about them in the selected project; management of public IP addresses in the selected project: connecting an IP address to a port on a private network, switching between ports, disconnecting from a port

vpc.external_access.viewer.

A user with access to view everything he controls vpc.external_access.admin in the same access area.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud platform network operations	In the Account access area: View a list of public subnets and public IP addresses, ports on public networks, cloud routers and information about them in all projects
Available cloud platform network operations	In the access area Project: View the list of public subnets and public IP addresses, ports in public networks, cloud routers and information about them in the selected project

vpc.network_security.admin

Manage traffic restriction tools - cloud firewalls, security groups.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud firewall operations	In the Account access area: View a list of cloud firewalls and information about them in all projects; managing cloud firewalls in all projects
Available cloud firewall operations	In the access area Project: View the list of cloud firewalls and information about them in the selected project; managing cloud firewalls in the selected project
Available operations with security groups	In the Account access area: view the list of security groups and information about them in all projects (to view information about ports, the role of vpc.private_network.viewer or `vpc.external_access.viewer`); creating and deleting security groups in all projects; changing the name, description and tags of security groups in all projects; Assigning security groups to ports and disabling security groups from ports in all projects (additionally requires the role vpc.private_network.viewer or `vpc.external_access.viewer`); adding and deleting rules in a security group; downloading a report on security groups in all projects (additionally requires role combination vpc.private_network.viewer and vpc.external_access.viewer or the role `vpc.viewer`)
Available operations with security groups	In the access area Project: view the list of security groups and information about them in the selected project; (to view information about ports, the following role is additionally required vpc.private_network.viewer or `vpc.external_access.viewer`) creating and deleting a security group in the selected project; change the name, description and tags of the security group in the selected project; assigning a security group to a port and disconnecting the group from the port in the selected project (additionally, the role of vpc.private_network.viewer or `vpc.external_access.viewer`); adding and deleting rules in a group in the selected project; downloading report by groups in the selected project (additionally requires role combination vpc.private_network.viewer and vpc.external_access.viewer or the role `vpc.viewer`)

vpc.network_security.user

A user with access to view everything they manage vpc.network_security.admin in the same access area.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud firewall operations	In the Account access area: View the list of cloud firewalls and information about them in all projects
Available cloud firewall operations	In the access area Project: View the list of cloud firewalls and information about them in the selected project
Available operations with security groups	In the Account access area: view the list of security groups and information about them in all projects; assigning a group to a port and disabling a group from a port in all projects. In the control panel, the action is available for a role only through the security group page (in the top menu, click Products → Cloud Servers → Security Groups → Group page); downloading report by groups in all projects (additionally requires role combination vpc.private_network.viewer and vpc.external_access.viewer or the role `vpc.viewer`)
Available operations with security groups	In the access area Project: view the list of safety groups and information about them in the selected project; assign a group to a port and disconnect the group from the port in the selected project; downloading report by groups in the selected project (additionally requires role combination vpc.private_network.viewer and vpc.external_access.viewer or the role `vpc.viewer`)

vpc.network_security.viewer.

A user with access to view everything they manage vpc.network_security.admin in the same access area.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud firewall operations	In the Account access area: View the list of cloud firewalls and information about them in all projects
Available cloud firewall operations	In the access area Project: View the list of cloud firewalls and information about them in the selected project
Available operations with security groups	In the Account access area: view the list of security groups and information about them in all projects; downloading report by groups in all projects (additionally requires role combination vpc.private_network.viewer and vpc.external_access.viewer or the role `vpc.viewer`)
Available operations with security groups	In the access area Project: view the list of safety groups and information about them in the selected project; downloading report by groups in the selected project (additionally requires role combination vpc.private_network.viewer and vpc.external_access.viewer or the role `vpc.viewer`)

vpc.load_balancer.admin

User with access to manage cloud load balancer management. For more information, see Manage Access to Cloud Load Balancer.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud load balancer operations	In the Account access area: View a list of all load balancer objects and information about them in all projects: load balancers, rules and HTTP policies, target groups and servers in them, availability checks; view balancer statistics in all projects; management of load balancer objects (except for load balancer creation) in all projects. Creating a load balancer additionally requires one or more roles. The additional roles depend on the network in which the load balancer will be created: `vpc.admin` to create a balancer on any subnet; `vpc.private_network.admin` to create a balancer on a private subnet; `vpc.external_access.admin` to create a balancer on the public subnet; role combination vpc.private_network.admin. and `vpc.external_access.admin` to create a balancer on a private subnet with a public IP address; Enabling and disabling balancer logging in all projects
Available cloud load balancer operations	In the access area Project: View a list of all load balancer objects and information about them in the selected project: load balancers, rules and HTTP policies, target groups and servers in them, availability checks; view statistics of balancers in the selected project; management of load balancer objects (except for load balancer creation) in the selected project. To create a load balancer, one or more additional roles are required. The additional roles depend on the network in which the load balancer will be created: `vpc.admin` to create a balancer on any subnet; `vpc.private_network.admin` to create a balancer on a private subnet; `vpc.external_access.admin` to create a balancer on the public subnet; role combination vpc.private_network.admin. and `vpc.external_access.admin` to create a balancer on a private subnet with a public IP address; Enable or disable logging of balancers in the selected project

vpc.load_balancer.viewer

User with access to view everything he manages vpc.load_balancer.admin in the same access area. For more information, see the Manage Access to Cloud Load Balancer instructions.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud load balancer operations	In the Account access area: View a list of all load balancer objects and information about them in all projects: load balancers, rules and HTTP policies, target groups and servers in them, availability checks
Available cloud load balancer operations	In the access area Project: View a list of all load balancer objects and information about them in the selected project: load balancers, rules and HTTP policies, target groups and servers in them, availability checks

object_storage:admin

User with full access to S3 management within the project. Does not have access to S3 in other projects or other products in his project. For more information, see the Manage access to S3 instructions.

Access areas	project
Who can be prescribed	Service users
Available operations	View the list of bucket list in the project; viewing the contents of the bins; management of objects in the baquette (loading, modification, deletion, etc.); changing the settings of the baquettes; configuring the bucket access policy

object_storage_user

A user with access to the S3 buckets if an access policy is configured that allows access to the buckets for that user, see the Manage Access in S3 instructions for details . The degree of access is determined by the access policy settings. Does not have access to S3 in other projects and other products in its project.

Distinguished from a user with the role s3.bucket.user only by the fact that it has access to viewing the list of bucket in the project.

Access areas	project
Who can be prescribed	Service users
Available operations	View the list of bucket list in the project; operations in the buckets that are allowed by the access policy.

s3.bucket.user

Distinguished from a user with the role object_storage_user differs from the user with the object_storage_user role only by the fact that he/she does not have access to viewing the list of bins in the project.

Access areas	project
Who can be prescribed	Service users
Available operations	Operations in the baquette that are allowed by the access policy

global_router.admin

User with access to manage global routers in the account. Does not have access to other products. For more information, see Manage global router management access.

Access areas Account

Who can be prescribed

Users;
to service users;
user groups

Available operations

View a list of global routers, the networks and subnets connected to them, and a list of static routes on the router;
Create, modify, and delete global routers;
adding, modifying, and deleting static routes on a global router;
Change the name of the networks and subnets connected to the global router.

Other operations on global router networks additionally require the role member (Project or Account access area):

Connect to a global router on an existing or new network and subnet of the cloud platform;
connect to the global router of an existing or new network and a subnet of dedicated servers;
Removing the cloud platform network or subnet from the global router network, including removing the cloud platform network or subnet itself;
Removing a network or subnet of dedicated servers from the global router network

global_router.viewer

User with access to view global routers and their networks. Does not have access to other products. For more information, see Manage access to a global router.

Access areas	Account
Who can be prescribed	Users; to service users; user groups
Available operations	View a list of global routers, networks and subnets connected to them, a list of static routes on the router

mobile_farm.admin

User with full access to mobile farm management in their project. Does not have access to the mobile farm in other projects and other products in his project. For more information, see the Manage access to the mobile farm instruction.

Access areas	project
Who can be prescribed	Users; to service users; user groups
Available operations	View mobile farm consumption; Adding and removing mobile farm devices; utilization of mobile farm devices; changing the charging of mobile farm devices; adding ADB keys to your profile

mobile_farm.user

User with access to use mobile farm devices in their project. Does not have access to the mobile farm in other projects or other products in their project. For more information, see Manage access to the mobile farm.

Access areas	project
Who can be prescribed	Users; to service users; user groups
Available operations	View mobile farm consumption; utilization of mobile farm devices; adding ADB keys to your profile

mobile_farm.viewer

User with access to view devices and consumption of the mobile farm in their project. Does not have access to the mobile farm in other projects and other products in their project. For more information, see Manage access to the mobile farm in the instructions.

Access areas	project
Who can be prescribed	Users; to service users; user groups
Available operations	View mobile farm consumption; Mobile Farm Device Viewer; adding ADB keys to your profile