Role Directory

A role is a set of authorized operations on specific types of resources.

Roles are assigned within permissions. The role applies to the access area that is specified in the permission, please refer to the Access Control in Servercore Products manual for more details.

Some roles may only be assigned to a specific access area, and may have a different set of managed resources in different access areas.

member

User with full access to all services. Does not have access to manage: users, service users, user groups, federations.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: management of projects, their limits and quotas; billing management; resource management across all projects; management of resources outside of projects; audit logging
Available operations	In the access area Project: resource management of the selected project

billing

User with access to billing management and without access to service management.

Access areas	Account
Who can be prescribed	Users; to service users; user groups
Available operations	Billing Management: replenishment of balance and transfer of funds between balances; management of auto-account, monthly payments, payment deferrals; balance notification management; bank card management; viewing of reporting documents; managing the affiliate program and withdrawal of funds; View connected services and service statuses

iam.admin

User with access to user management and without access to services and billing. Cannot manage his account: change permissions, manage notifications, delete the user. The first user with the iam.admin role is created by the Account Owner.

Access areas	Account
Who can be prescribed	Users; to service users; user groups
Available operations	Manage users, service users, user groups and federations; issuing keys to users; manage other users' notifications; setting account access restrictions

iam.viewer

A user with access to view everything that iam.admin manages.

Access areas	Account
Who can be prescribed	Users; to service users; user groups
Available operations	View users, service users, user group and federations; view user keys; View other users' notifications; view account access restrictions

reader

A user with access to view everything he controls member in the same access area.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: View resources in all projects, as well as resources that are not attached to a project; view the settings of all projects, their limits and quotas; viewing of billing data (balance, bank cards, report documents, partner program, etc.)
Available operations	In the access area Project: view the resources of the selected project

dedicated.admin

The dedicated.admin role gives management access:

For more information, see Managing access to dedicated servers;
for more information on how to manage access to hosted equipment, see Managing Access to Hosted Equipment;
For more information, see Manage access to firewalls;
by the base firewall, for more information, see Manage access to the base firewall;
storage system, for more information, see Managing Storage Access;
network disks for dedicated servers, see the Manage access to network disks tutorial for more information;
For more information, see Manage access to leased network equipment.

Access areas	account; project
Who can be prescribed	users; to service users; user groups
Available operations	In the Account access area: view the list of projects, create and manage projects; management of dedicated servers in all projects (order, change, failure); management of placed equipment in all projects (ordering, modification, rejection); network management; connection and disconnection of additional services; view the list of SSH keys, add SSH keys to the storage and manage added SSH keys; firewall management (ordering, modification, rejection); network disk management (create, modify, delete); storage management (ordering, modification, rejection); basic firewall management (create, modify, delete); management of leased equipment (ordering, modification, rejection)
Available operations	In the access area Project: management of dedicated servers in the selected project (order, change, cancel); management of the placed equipment in the selected project (ordering, modification, rejection); connection and disconnection of additional services; View the list of SSH keys added to the storage and information about them unavailable to view and manage: networks; firewalls; network disks and storage; a basic firewall; leased network equipment

dedicated.viewer

User with access to view everything he manages dedicated.admin in the same access area.

Access areas	account; project
Who can be prescribed	users; to service users; user groups
Available operations	In the Account access area: View the list of all dedicated servers and information about them in all projects; viewing the list of placed equipment and information about it in all projects; View a list of all VLANs, public and private subnets, SANs, and information about them; View the list of network disks and storage devices and information about them; View a list of firewalls and information about them; View a list of basic firewalls and information about them; view the list of leased network equipment and information about it; View the list of SSH keys added to the storage and information about them
Available operations	In the access area Project: view the list of dedicated servers and information about them in the selected project; viewing the list of placed equipment and information about it in the selected project; View the list of SSH keys added to the storage and information about them unavailable to view and manage: networks; network disks and storage; firewalls; a basic firewall; leased network equipment

vpc.admin

User with access to manage cloud platform networks (private networks and subnets, public subnets and public IP addresses, cloud routers), cloud firewalls, security groups, cloud load balancers.

It is not available to add ports to the cloud server or delete ports added to the cloud server, this requires the role of member.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud platform network operations	In the Account access area: View a list of all network resources in the cloud platform and information about them in all projects; manage private networks, subnets and ports in all projects: Creating and deleting a network and subnet; Change the name and tags of the network and subnet; changing automatic subnet network settings (gateway, DNS servers, static routes, DHCP status); Connecting the subnet to and disconnecting from the cloud router; Connecting a subnet to and disconnecting from the global router (additionally requires the role of `global_router.admin`); Create a port on the network (not assigned to a cloud server) and delete a port on the network (other than those assigned to a cloud server); Enable or disable the port on the network; management of public subnets in all projects: creating and deleting a subnet; changing the subnet name and tags; changing DNS servers; Create and delete a port on a subnet; Enable or disable the port on the network; management of public IP addresses in all projects: creating and deleting an IP address; connecting an IP address to a port on a private network; switching between ports; disconnecting from the port; Cloud router management in all projects: creating and deleting a router; changing the router name and tags; turning the router on and off; connect the router to the Internet and disconnect it from the Internet; managing static routes on the router; Connecting a private subnet to and disconnecting from the router
Available cloud platform network operations	In the access area Project: View a list of all network resources in the cloud platform and information about them in the selected project; manage private networks, subnets, and ports in the selected project: Creating and deleting a network and subnet; Change the name and tags of the network and subnet; changing automatic subnet network settings (gateway, DNS servers, static routes, DHCP status); Connecting the subnet to and disconnecting from the cloud router; Connecting a subnet to and disconnecting from the global router (additionally requires the role of `global_router.admin`); Create a port on the network (not assigned to a cloud server) and delete a port on the network (other than those assigned to a cloud server); Enable or disable the port on the network; management of public subnets in the selected project: creating and deleting a subnet; changing the subnet name and tags; changing DNS servers; Create and delete a port on a subnet; Enable or disable the port on the network; management of public IP addresses in the selected project: creating and deleting an IP address; connecting an IP address to a port on a private network; switching between ports; disconnecting from the port; Managing cloud routers in the selected project: creating and deleting a router; changing the router name and tags; turning the router on and off; connect the router to the Internet and disconnect it from the Internet; managing static routes on the router; Connecting a private subnet to and disconnecting from the router
Available cloud load balancer operations	In the Account access area: View a list of all load balancer objects and information about them in all projects: load balancers, rules and HTTP policies, target groups and servers in them, availability checks; view balancer statistics in all projects; managing load balancers, rules and HTTP policies, target groups, availability checks in all projects; Enabling and disabling balancer logging in all projects
Available cloud load balancer operations	In the access area Project: View a list of all load balancer objects and information about them in the selected project: load balancers, rules and HTTP policies, target groups and servers in them, availability checks; view statistics of balancers in the selected project; managing load balancers, rules and HTTP policies, target groups, availability checks in the selected project; enable or disable balancer logging in the selected project
Available cloud firewall operations	In the Account access area: View a list of cloud firewalls and information about them in all projects; managing cloud firewalls in all projects
Available cloud firewall operations	In the access area Project: View the list of cloud firewalls and information about them in the selected project; managing cloud firewalls in the selected project
Available operations with security groups	In the Account access area: view the list of security groups and information about them in all projects; creating and deleting security groups in all projects; changing the group name, description and tags in all projects; assigning a group to a port and disabling a group from a port in all projects; adding and deleting rules in the group in all projects; downloading a report on groups in all projects
Available operations with security groups	In the access area Project: view the list of safety groups and information about them in the selected project; creating and deleting a security group in the selected project; change the name, description and tags of the group in the selected project; assign a group to a port and disconnect the group from the port in the selected project; adding and deleting rules in a group in the selected project; downloading a report on groups in the selected project

vpc.viewer

User with access to view everything he controls vpc.admin in the same access area.

Access areas	Account
Who can be prescribed	Users; to service users; user groups
Available cloud platform network operations	In the Account access area: View a list of all network resources in the cloud platform and information about them in all projects
Available cloud platform network operations	In the access area Project: View a list of all network resources of the cloud platform and information about them in the selected project
Available cloud firewall operations	In the Account access area: View the list of cloud firewalls and information about them in all projects
Available cloud firewall operations	In the access area Project: View the list of cloud firewalls and information about them in the selected project
Available operations with security groups	In the Account access area: view the list of security groups and information about them in all projects; downloading a report on groups in all projects
Available operations with security groups	In the access area Project: view the list of safety groups and information about them in the selected project; downloading a report on groups in the selected project

vpc.private_network.admin

User with access to private network, subnet and port management, and private DNS.

It is not available to add ports to the cloud server or delete ports added to the cloud server, this requires the role of member.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud platform network operations	In the Account access area: View the list of private networks, subnets, ports and information about them in all projects; manage private networks, subnets and ports in all projects: Creating and deleting a network and subnet; Change the name and tags of the network and subnet; changing automatic subnet network settings (gateway, DNS servers, static routes, DHCP status); connect the subnet to the cloud router and disconnect from it (additionally requires the role of `vpc.external_access.admin`); Connecting a subnet to and disconnecting from the global router (additionally requires the role of `global_router.admin`); Create a port on the network (not assigned to a cloud server) and delete a port on the network (other than those assigned to a cloud server); Enabling and disabling the port on the network
Available cloud platform network operations	In the access area Project: view the list of private networks, subnets, ports and information about them in the selected project; manage private networks, subnets, and ports in the selected project: Creating and deleting a network and subnet; Change the name and tags of the network and subnet; changing automatic subnet network settings (gateway, DNS servers, static routes, DHCP status); connecting the subnet to and disconnecting from the cloud router (additionally requires the role of `vpc.external_access.admin`); Connecting a subnet to and disconnecting from the global router (additionally requires the role of `global_router.admin`); Create a port on the network (not assigned to a cloud server) and delete a port on the network (other than those assigned to a cloud server); Enabling and disabling the port on the network
Available operations with private DNS	In the Account access area: view information about network connection to a private DNS resolver, view the list of zones and resource records in zones in all projects; private DNS management in all projects: zone management (create, update, delete, connect the network to the zone, etc.); management of resource records (add, update, delete record); managing the connection to the private DNS resolver (create connection, delete connection)
Available operations with private DNS	In the access area Project: view information about the network connection to the private DNS resolver, view the list of zones and resource records and information about them in the selected project; managing private DNS in the selected project: zone management (create, update, delete, connect the network to the zone, etc.); management of resource records (add, update, delete record); managing the connection to the private DNS resolver (create connection, delete connection)

vpc.private_network.viewer.

A user with access to view everything they manage vpc.private_network.admin in the same access area.

Access areas	Project; Account
Who can be prescribed	Users; to service users; user groups
Available cloud platform network operations	In the Account access area: View the list of private networks, subnets, ports and information about them in all projects
Available cloud platform network operations	In the access area Project: View the list of private networks, subnets, ports and information about them in the selected project
Available operations with private DNS	In the Account access area: View information about network connection to a private DNS resolver, view the list of zones and resource records in zones in all projects
Available operations with private DNS	In the access area Project: View information about the network connection to a private DNS resolver, view the list of zones and resource records and information about them in the selected project

vpc.external_access.admin

User with access to manage objects for internet access - public subnets, public IP addresses, cloud routers.

It is not available to add ports to the cloud server or delete ports added to the cloud server, this requires the role of member.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud platform network operations	In the Account access area: View a list of public subnets and public IP addresses, ports on public networks, cloud routers and information about them in all projects; management of public subnets in all projects: creating and deleting a subnet; changing the subnet name and tags; changing DNS servers; Create and delete a port on a subnet; Enabling and disabling the port on the network management of public IP addresses in all projects: IP address creation and deletion; connecting an IP address to a port on a private network; switching between ports; disconnecting from the port; Cloud router management in all projects: creating and deleting a router; changing the router name and tags; turning the router on and off; connect the router to the Internet and disconnect it from the Internet; managing static routes on the router; connecting a private subnet to the router and disconnecting from it (additionally requires the role of `vpc.private_network.admin`)
Available cloud platform network operations	In the access area Project: View a list of public subnets and public IP addresses, ports on public networks, cloud routers and information about them in the selected project; management of public subnets in the selected project: creating and deleting a subnet; changing the subnet name and tags; changing DNS servers; Create and delete a port on a subnet; Enabling and disabling the port on the network management of public IP addresses in the selected project: IP address creation and deletion; connecting an IP address to a port on a private network; switching between ports; disconnecting from the port; Managing cloud routers in the selected project: creating and deleting a router; changing the router name and tags; turning the router on and off; connect the router to the Internet and disconnect it from the Internet; managing static routes on the router; connecting a private subnet to the router and disconnecting from it (additionally requires the role of `vpc.private_network.admin`)

vpc.external_access.user

A user with access to view everything he controls vpc.external_access.admin in the same access area, and with access to manage public IP addresses.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud platform network operations	In the Account access area: View a list of public subnets and public IP addresses, ports on public networks, cloud routers and information about them in all projects; management of public IP addresses in all projects: connecting an IP address to a port on a private network, switching between ports, disconnecting from a port
Available cloud platform network operations	In the access area Project: View a list of public subnets and public IP addresses, ports on public networks, cloud routers and information about them in the selected project; management of public IP addresses in the selected project: connecting an IP address to a port on a private network, switching between ports, disconnecting from a port

vpc.external_access.viewer.

A user with access to view everything he controls vpc.external_access.admin in the same access area.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud platform network operations	In the Account access area: View a list of public subnets and public IP addresses, ports on public networks, cloud routers and information about them in all projects
Available cloud platform network operations	In the access area Project: View the list of public subnets and public IP addresses, ports in public networks, cloud routers and information about them in the selected project

vpc.network_security.admin

Manage traffic restriction tools - cloud firewalls, security groups.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud firewall operations	In the Account access area: View a list of cloud firewalls and information about them in all projects; managing cloud firewalls in all projects
Available cloud firewall operations	In the access area Project: View the list of cloud firewalls and information about them in the selected project; managing cloud firewalls in the selected project
Available operations with security groups	In the Account access area: view the list of security groups and information about them in all projects (to view information about ports, the role of vpc.private_network.viewer or `vpc.external_access.viewer`); creating and deleting security groups in all projects; changing the name, description and tags of security groups in all projects; Assigning security groups to ports and disabling security groups from ports in all projects (additionally requires the role vpc.private_network.viewer or `vpc.external_access.viewer`); adding and deleting rules in a security group; downloading a report on security groups in all projects (additionally requires role combination vpc.private_network.viewer and vpc.external_access.viewer or the role `vpc.viewer`)
Available operations with security groups	In the access area Project: view the list of security groups and information about them in the selected project; (to view information about ports, the following role is additionally required vpc.private_network.viewer or `vpc.external_access.viewer`) creating and deleting a security group in the selected project; change the name, description and tags of the security group in the selected project; assigning a security group to a port and disconnecting the group from the port in the selected project (additionally, the role of vpc.private_network.viewer or `vpc.external_access.viewer`); adding and deleting rules in a group in the selected project; downloading report by groups in the selected project (additionally requires role combination vpc.private_network.viewer and vpc.external_access.viewer or the role `vpc.viewer`)

vpc.network_security.user

A user with access to view everything they manage vpc.network_security.admin in the same access area.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud firewall operations	In the Account access area: View the list of cloud firewalls and information about them in all projects
Available cloud firewall operations	In the access area Project: View the list of cloud firewalls and information about them in the selected project
Available operations with security groups	In the Account access area: view the list of security groups and information about them in all projects; assigning a group to a port and disabling a group from a port in all projects. In the control panel, the action is available for a role only through the security group page (in the top menu, click Products → Cloud Servers → Security Groups → Group page); downloading report by groups in all projects (additionally requires role combination vpc.private_network.viewer and vpc.external_access.viewer or the role `vpc.viewer`)
Available operations with security groups	In the access area Project: view the list of safety groups and information about them in the selected project; assign a group to a port and disconnect the group from the port in the selected project; downloading report by groups in the selected project (additionally requires role combination vpc.private_network.viewer and vpc.external_access.viewer or the role `vpc.viewer`)

vpc.network_security.viewer.

A user with access to view everything they manage vpc.network_security.admin in the same access area.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud firewall operations	In the Account access area: View the list of cloud firewalls and information about them in all projects
Available cloud firewall operations	In the access area Project: View the list of cloud firewalls and information about them in the selected project
Available operations with security groups	In the Account access area: view the list of security groups and information about them in all projects; downloading report by groups in all projects (additionally requires role combination vpc.private_network.viewer and vpc.external_access.viewer or the role `vpc.viewer`)
Available operations with security groups	In the access area Project: view the list of safety groups and information about them in the selected project; downloading report by groups in the selected project (additionally requires role combination vpc.private_network.viewer and vpc.external_access.viewer or the role `vpc.viewer`)

vpc.load_balancer.admin

User with access to manage cloud load balancer management. For more information, see Manage Access to Cloud Load Balancer.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud load balancer operations	In the Account access area: View a list of all load balancer objects and information about them in all projects: load balancers, rules and HTTP policies, target groups and servers in them, availability checks; view balancer statistics in all projects; management of load balancer objects (except for load balancer creation) in all projects. Creating a load balancer additionally requires one or more roles. The additional roles depend on the network in which the load balancer will be created: `vpc.admin` to create a balancer on any subnet; `vpc.private_network.admin` to create a balancer on a private subnet; `vpc.external_access.admin` to create a balancer on the public subnet; role combination vpc.private_network.admin. and `vpc.external_access.admin` to create a balancer on a private subnet with a public IP address; Enabling and disabling balancer logging in all projects
Available cloud load balancer operations	In the access area Project: View a list of all load balancer objects and information about them in the selected project: load balancers, rules and HTTP policies, target groups and servers in them, availability checks; view statistics of balancers in the selected project; management of load balancer objects (except for load balancer creation) in the selected project. To create a load balancer, one or more additional roles are required. The additional roles depend on the network in which the load balancer will be created: `vpc.admin` to create a balancer on any subnet; `vpc.private_network.admin` to create a balancer on a private subnet; `vpc.external_access.admin` to create a balancer on the public subnet; role combination vpc.private_network.admin. and `vpc.external_access.admin` to create a balancer on a private subnet with a public IP address; Enable or disable logging of balancers in the selected project

vpc.load_balancer.viewer

User with access to view everything he manages vpc.load_balancer.admin in the same access area. For more information, see the Manage Access to Cloud Load Balancer instructions.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available cloud load balancer operations	In the Account access area: View a list of all load balancer objects and information about them in all projects: load balancers, rules and HTTP policies, target groups and servers in them, availability checks
Available cloud load balancer operations	In the access area Project: View a list of all load balancer objects and information about them in the selected project: load balancers, rules and HTTP policies, target groups and servers in them, availability checks

compute.admin

User with access to manage cloud servers, flavors and placement groups. Does not have access to other products. For more information, see the instructions Manage access to cloud servers and flavors and Manage access to cloud server placement groups.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: view quotas of all projects (default quotas, changed quota values and used quotas); cloud server management (create, modify, delete) `*`: console use; Flavor management (create, modify, delete); SSH key management (adding, deleting); management of placement groups (creation, deletion)
Available operations	In the access area Project: view project quotas (default quotas, changed quota values and used quotas); cloud server management (create, modify, delete) `*`: console use; Flavor management (private flavor creation, modification, deletion); SSH key management (adding, deleting); management of placement groups (creation, deletion)

* Except for the role compute.admin user must have a role with access to manage the cloud platform's cloud platform networks.

compute.viewer

User with access to view cloud servers, flavors, and placement groups. Does not have access to other products. For more information, see Manage access to cloud servers and flavors and Manage access to cloud server placement groups.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: view quotas of all projects (default quotas, changed quota values and used quotas); View a list of cloud servers and information about them: server type, configuration type, number of vCPUs, memory size, attached disks, security groups, network settings, tags; View cloud server statistics; view the list of flavors and information about them: flavor name, number of vCPUs, RAM and local disk size; view the list of SSH keys and information about them; View the list of placement groups and information about them: group name, placement policy condition
Available operations	In the access area Project: view project quotas (default quotas, changed quota values and used quotas); View a list of cloud servers and information about them: server type, configuration type, number of vCPUs, memory size, attached disks, security groups, network settings, tags; View cloud server statistics; view the list of flavors and information about them: flavor name, number of vCPUs, RAM and local disk size; view the list of SSH keys and information about them; View the list of placement groups and information about them: group name, placement policy condition

compute.server.user

User with access to cloud server management. Does not have access to other products. For more information, see Manage access to cloud servers and flavors.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: view quotas of all projects (default quotas, changed quota values and used quotas); cloud server management (create, modify, delete) `*`: console use; view the list of flavors and information about them: flavor name, number of vCPUs, RAM and local disk size; SSH key management (adding, deleting)
Available operations	In the access area Project: view project quotas (default quotas, changed quota values and used quotas); cloud server management (create, modify, delete) `*`: console use; view the list of flavors and information about them: flavor name, number of vCPUs, RAM and local disk size; SSH key management (adding, deleting)

* Except for the role compute.server.user the user must have a role with access to manage the cloud platform's networks, network disks, images and backups.

compute.server.viewer

User with access to view cloud servers. Does not have access to other products. For more information, see Manage access to cloud servers and flavors in the instructions.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: view quotas of all projects (default quotas, changed quota values and used quotas); View a list of cloud servers and information about them: server type, configuration type, number of vCPUs, memory size, attached disks, security groups, network settings, tags; View cloud server statistics; view the list of flavors and information about them: flavor name, number of vCPUs, RAM and local disk size; View the list of SSH keys and information about them
Available operations	In the access area Project: view project quotas (default quotas, changed quota values and used quotas); View a list of cloud servers and information about them: server type, configuration type, number of vCPUs, memory size, attached disks, security groups, network settings, tags; View cloud server statistics; view the list of flavors and information about them: flavor name, number of vCPUs, RAM and local disk size; View the list of SSH keys and information about them

compute.flavor.admin

User with access to cloud server flavor management. Does not have access to other products. For more information, see Manage access to cloud servers and flavors.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: view quotas of all projects (default quotas); Flavor management (private flavor creation, modification, deletion); View the list of SSH keys and information about them
Available operations	In the access area Project: view project quotas (default quotas); Flavor management (private flavor creation, modification, deletion); View the list of SSH keys and information about them

compute.flavor.viewer

User with access to view cloud server flavors. Does not have access to other products. For more information, see Manage access to cloud servers and flavors.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: view quotas of all projects (default quotas); view the list of flavors and information about them: flavor name, number of vCPUs, RAM and local disk size; View the list of SSH keys and information about them
Available operations	In the access area Project: view project quotas (default quotas); view the list of flavors and information about them: flavor name, number of vCPUs, RAM and local disk size; View the list of SSH keys and information about them

compute.server_group.admin

User with access to manage cloud server placement groups. Does not have access to other products. For more information, see Manage access to cloud server hosting groups.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: view quotas of all projects (default quotas); management of placement groups (creation, deletion); view the list of flavors and information about them: flavor name, number of vCPUs, RAM and local disk size; View the list of SSH keys and information about them
Available operations	In the access area Project: view project quotas (default quotas); management of placement groups (creation, deletion); view the list of flavors and information about them: flavor name, number of vCPUs, RAM and local disk size; View the list of SSH keys and information about them

compute.server_group.viewer.

User with access to view cloud server placement groups. Does not have access to other products. For more information, see Manage access to cloud server hosting groups.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: obtaining quotas of all projects; view the list of placement groups and information about them: group name, placement policy condition; view the list of flavors and information about them: flavor name, number of vCPUs, RAM and local disk size; View the list of SSH keys and information about them
Available operations	In the access area Project: obtaining project quotas; view the list of placement groups and information about them: group name, placement policy condition; view the list of flavors and information about them: flavor name, number of vCPUs, RAM and local disk size; View the list of SSH keys and information about them

compute.volume.admin

User with access to cloud server network disk management. Does not have access to other products. For more information, see Manage access to cloud server network disks and snapshots.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: View a list of all network disks and information about them: disk type, disk size; disk creation; disk management; moving disks between projects; View disk movement information
Available operations	In the access area Project: View a list of all network disks and information about them: disk type, disk size; disk creation; disk management; moving disks between projects; View disk movement information

compute.volume.user

User with access to cloud server network disk management. Does not have access to other products in their project or to network disks in other projects. For more information, see Manage access to cloud server network disks and snapshots.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: View a list of all network disks and information about them: disk type, disk size; disk creation; disk management
Available operations	In the access area Project: View a list of all network disks and information about them: disk type, disk size; disk creation; disk management

compute.volume.viewer

User with access to browse network drives. Does not have access to other products. For more information, see Manage access to cloud server network drives and snapshots.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: View a list of all network disks and information about them: disk type, disk size
Available operations	In the access area Project: View a list of all network disks and information about them: disk type, disk size

compute.snapshot.admin

User with access to network disk snapshot management. Does not have access to other products.

For more information, see the instructions Manage access to cloud server network disks and snapshots.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: View a list of all snapshots: snapshot size, creation date and status; snapshot creation; snapshot management
Available operations	In the access area Project: View a list of all snapshots: snapshot size, creation date and status; snapshot creation; snapshot management

compute.snapshot.viewer

User with access to view snapshots of network disks. Does not have access to other products. For more information, see Manage access to cloud server network drives and snapshots.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: View a list of all snapshots: snapshot size, creation date and status
Available operations	In the access area Project: View a list of all snapshots: snapshot size, creation date and status

compute.image.admin

User with access to image management. Does not have access to other products. For more information, see Manage access to cloud server images.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: View a list of all images and information about them: image size, image format and container, minimum image requirements; creating or downloading images; image management; setting up shared access to images in projects from one account or from other accounts
Available operations	In the access area Project: View a list of all images and information about them: image size, image format and container, minimum image requirements; creating or downloading images; image management; setting up shared access to images in projects from one account or from other accounts

compute.image.user

User with access to image management. Does not have access to other products in his project or to images in other projects. For more information, see Manage access to cloud server images.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: View a list of all images and information about them: image size, image format and container, minimum image requirements; creating or downloading images; image management
Available operations	In the access area Project: View a list of all images and information about them: image size, image format and container, minimum image requirements; creating or downloading images; image management

compute.backup.admin

User with access to manage network disk backups and backup plans. Does not have access to other products. For more information, see Manage access to cloud server network disk backups.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: View a list of all backups and information about them: backup type, size, connected backup plans, status; backup creation; backup management; View a list of all backup plans; Creating backup plans; backup plan management
Available operations	In the access area Project: View a list of all backups and information about them: backup type, size, connected backup plans, status; backup creation; backup management; View a list of all backup plans; Creating backup plans; backup plan management

compute.backup.viewer

User with access to view network disk backups. Does not have access to other products. For more information, see Manage access to cloud server network disk backups.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: View a list of all backups and information about them: backup type, size, connected backup plans, status; View a list of all backup plans
Available operations	In the access area Project: View a list of all backups and information about them: backup type, size, connected backup plans, status; View a list of all backup plans

filestorage.admin

User with access to file storage management. Does not have access to other products. For more information, see Manage access to file storage.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: View a list of all file storages and information about them: name, size, storage type and protocol, IP and network name, status; view file storage access rules; creation and management of file storages `*`; creating and managing access rules
Available operations	In the access area Project: View a list of all file storages and information about them: name, size, storage type and protocol, IP and network name, status; view file storage access rules; creation and management of file storages `*`; creating and managing access rules

* Except for the role filestorage.admin the user must have a role with access to manage cloud platform networks to connect the file storage network.

filestorage.viewer

User with access to browse file storage. Does not have access to other products. For more information, see Manage file storage access.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations	In the Account access area: View a list of all file storages and information about them: name, size, storage type and protocol, IP and network name, status; View file storage access rules
Available operations	In the access area Project: View a list of all file storages and information about them: name, size, storage type and protocol, IP and network name, status; View file storage access rules

s3.admin

User with full access to S3 management within the project. Does not have access to S3 in other projects or other products in his project. For more information, see the Manage access to S3 instructions.

Access areas	project
Who can be prescribed	Service users
Available operations	View the list of bucket list in the project; viewing the contents of the bins; management of objects in the baquette (loading, modification, deletion, etc.); changing the settings of the baquettes; configuring the bucket access policy

s3.user

A user with access to the S3 buckets if an access policy is configured that allows access to the buckets for that user, see the Manage Access in S3 instructions for details . The degree of access is determined by the access policy settings. Does not have access to S3 in other projects and other products in its project.

Distinguished from a user with the role s3.bucket.user only by the fact that it has access to viewing the list of bucket in the project.

Access areas	project
Who can be prescribed	Service users
Available operations	View the list of bucket list in the project; operations in the buckets that are allowed by the access policy.

s3.bucket.user

Distinguished from a user with the role s3.user only by the fact that it does not have access to viewing the list of bucket in the project.

Access areas	project
Who can be prescribed	Service users
Available operations	Operations in the baquette that are allowed by the access policy

object_storage:admin

For your information

The object_storage:admin role will be removed soon and cannot be assigned to new users. Existing users with the object_storage:admin role will continue to work.

Outdated version of the role s3.admin. Has identical permissions.

object_storage_user

For your information

The object_storage_user role will soon be removed and cannot be assigned to new users. Existing users with the object_storage_user role will continue to work.

Outdated version of the role s3.user. Has identical permissions.

global_router.admin

User with access to manage global routers in the account. Does not have access to other products. For more information, see Manage global router management access.

Access areas Account

Who can be prescribed

Users;
to service users;
user groups

Available operations

View a list of global routers, the networks and subnets connected to them, and a list of static routes on the router;
Create, modify, and delete global routers;
adding, modifying, and deleting static routes on a global router;
Change the name of the networks and subnets connected to the global router.

Other operations on global router networks additionally require the role member (Project or Account access area):

Connect to a global router on an existing or new network and subnet of the cloud platform;
connect to the global router of an existing or new network and a subnet of dedicated servers;
Removing the cloud platform network or subnet from the global router network, including removing the cloud platform network or subnet itself;
Removing a network or subnet of dedicated servers from the global router network

global_router.viewer

User with access to view global routers and their networks. Does not have access to other products. For more information, see Manage access to a global router.

Access areas	Account
Who can be prescribed	Users; to service users; user groups
Available operations	View a list of global routers, networks and subnets connected to them, a list of static routes on the router

audit_logs.admin

User with access to audit logs. Does not have access to other products. For more information, see Manage Audit Trail Access.

Access areas	Account
Who can be prescribed	Users; to service users; user groups
Available operations	Uploading audit logs

mobile_farm.admin

User with full access to mobile farm management in their project. Does not have access to the mobile farm in other projects and other products in his project. For more information, see the Manage access to the mobile farm instruction.

Access areas	project
Who can be prescribed	Users; to service users; user groups
Available operations	View mobile farm consumption; Adding and removing mobile farm devices; utilization of mobile farm devices; changing the charging of mobile farm devices; adding ADB keys to your profile

mobile_farm.user

User with access to use mobile farm devices in their project. Does not have access to the mobile farm in other projects or other products in their project. For more information, see Manage access to the mobile farm.

Access areas	project
Who can be prescribed	Users; to service users; user groups
Available operations	View mobile farm consumption; utilization of mobile farm devices; adding ADB keys to your profile

mobile_farm.viewer

User with access to view devices and consumption of the mobile farm in their project. Does not have access to the mobile farm in other projects and other products in their project. For more information, see Manage access to the mobile farm in the instructions.

Access areas	project
Who can be prescribed	Users; to service users; user groups
Available operations	View mobile farm consumption; Mobile Farm Device Viewer; adding ADB keys to your profile