Role Reference

A role is a set of permitted operations on specific resource types.

Roles are assigned within the scope of permissions. A role's action applies to the access scope specified in the permission; for more information, see the Access Control in Selectel Products guide.

Some roles can only be assigned in a specific access scope and may have a different set of manageable resources in different access scopes.

member

A user with full access to all services. Does not have access to manage: users, service users, user groups, federations.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Account access scope: managing projects, their limits, and quotas; billing management; managing resources in all projects; managing resources outside of projects; working with audit logs
Available operations	In the Project access scope: managing resources of the selected project

billing

A user with access to billing management and no access to service management.

Access scopes	Account
Who can be assigned	Users; service users; user groups
Available operations	Billing management: balance top-ups and transferring funds between balances; management of autobills, monthly payments, payment deferrals; managing balance notifications; managing bank cards; viewing reporting documents; managing the affiliate program and funds withdrawal; viewing connected services and service statuses

iam.admin

A user with access to manage other users but no access to services or billing. Cannot manage their own account: change permissions, manage notifications, or delete the user. The first user with the iam.admin role is created by the Account Owner.

Access scopes	Account
Who can be assigned	Users; service users; user groups
Available operations	Manage users, service users, user groups and federations; issuing keys to users; managing notifications of other users; configuring account access restrictions

iam.viewer

A user with access to view everything managed by iam.admin.

Access scopes	Account
Who can be assigned	Users; service users; user groups
Available operations	Viewing users, service users, user groups, and federations; viewing user keys; viewing notifications of other users; viewing account access restrictions

reader

A user with access to view everything managed by member in the same access scope.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Account access scope: viewing resources in all projects, as well as resources that are not attached to a project; viewing settings of all projects, their limits, and quotas; viewing billing data (balance, bank cards, report documents, partner program, etc.)
Available operations	In the Project access scope: viewing resources of the selected project

dedicated.admin

The dedicated.admin role provides access to manage:

dedicated servers; for more information, see the Manage access to dedicated servers instructions;
colocated equipment; for more information, see the Manage access to colocated equipment instructions;
firewalls; for more information, see the Manage access to firewalls instructions;
basic firewall; for more information, see the Manage access to basic firewall instructions;
storage system; for more information, see the Manage access to storage systems instructions;
network volumes for dedicated servers; for more information, see the Manage access to network volumes instructions;
leased network equipment; for more information, see the Manage access to leased network equipment instructions.

Access scopes	account; project
Who can be assigned	users; service users; user groups
Available operations	In the Account access scope: viewing the project list; managing dedicated servers in all projects (ordering, modifying, cancelling); managing colocated equipment in all projects (ordering, modifying, cancelling); managing networks; enabling and disabling additional services; viewing the list of SSH keys, adding SSH keys to the vault, and managing added SSH keys; managing firewalls (ordering, modifying, cancelling); managing network volumes (creating, modifying, deleting); managing storage systems (ordering, modifying, cancelling); managing basic firewall (creating, modifying, deleting); managing leased equipment (ordering, modifying, cancelling)
Available operations	In the Project access scope: managing dedicated servers in the selected project (ordering, modifying, cancelling); managing colocated equipment in the selected project (ordering, modifying, cancelling); enabling and disabling additional services; viewing the list of SSH keys added to the vault and information about them; viewing and management are not available for: networks; firewalls; network volumes and storage systems; basic firewall; leased network equipment

dedicated.viewer

A user with access to view everything managed by dedicated.admin in the same access scope.

Access scopes	account; project
Who can be assigned	users; service users; user groups
Available operations	In the Account access scope: viewing the list of all dedicated servers and information about them in all projects; viewing the list of colocated equipment and information about it in all projects; viewing the list of all VLANs, public and private subnets, SANs, and information about them; viewing the list of network volumes and storage systems and information about them; viewing the list of firewalls and information about them; viewing the list of basic firewalls and information about them; viewing the list of leased network equipment and information about it; viewing the list of SSH keys added to the vault and information about them
Available operations	In the Project access scope: viewing the list of dedicated servers and information about them in the selected project; viewing the list of colocated equipment and information about it in the selected project; viewing the list of SSH keys added to the vault and information about them viewing and management are not available for: networks; network volumes and storage systems; firewalls; basic firewall; leased network equipment

vpc.admin

A user with access to manage cloud platform networks (private networks and subnets, public subnets and public IP addresses, cloud routers), cloud firewalls, security groups, and cloud load balancers.

Adding ports to a cloud server and deleting ports added to a cloud server is not available; this requires the member role.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations with cloud platform networks	In the Account access scope: viewing the list of all cloud platform network resources and information about them in all projects; managing private networks, subnets, and ports in all projects: creating and deleting networks and subnets; modifying network and subnet names and tags; modifying automatic subnet network settings (gateway, DNS servers, static routes, DHCP state); connecting a subnet to a cloud router and disconnecting it; connecting a subnet to a global router and disconnecting it (also requires the `global_router.admin` role); creating a port in a network (without assigning it to a cloud server) and deleting a port in a network (except for those assigned to a cloud server); enabling and disabling a port in a network; managing public subnets in all projects: creating and deleting subnets; modifying subnet names and tags; modifying DNS servers; creating and deleting ports in a subnet; enabling and disabling a port in a network; managing public IP addresses in all projects: creating and deleting IP addresses; connecting an IP address to a port in a private network; switching between ports; disconnecting from a port; managing cloud routers in all projects: creating and deleting routers; modifying router names and tags; enabling and disabling routers; connecting a router to the Internet and disconnecting it; managing static routes on a router; connecting a private subnet to a router and disconnecting it
Available operations with cloud platform networks	In the Project access scope: viewing the list of all cloud platform network resources and information about them in the selected project; managing private networks, subnets, and ports in the selected project: creating and deleting networks and subnets; modifying network and subnet names and tags; modifying automatic subnet network settings (gateway, DNS servers, static routes, DHCP state); connecting a subnet to a cloud router and disconnecting it; connecting a subnet to a global router and disconnecting it (also requires the `global_router.admin` role); creating a port in a network (without assigning it to a cloud server) and deleting a port in a network (except for those assigned to a cloud server); enabling and disabling a port in a network; managing public subnets in the selected project: creating and deleting subnets; modifying subnet names and tags; modifying DNS servers; creating and deleting ports in a subnet; enabling and disabling a port in a network; managing public IP addresses in the selected project: creating and deleting IP addresses; connecting an IP address to a port in a private network; switching between ports; disconnecting from a port; managing cloud routers in the selected project: creating and deleting routers; modifying router names and tags; enabling and disabling routers; connecting a router to the Internet and disconnecting it; managing static routes on a router; connecting a private subnet to a router and disconnecting it
Available operations with cloud load balancers	In the Account access scope: viewing the list of all load balancer objects and information about them in all projects: load balancers, rules and HTTP policies, target groups and their servers, and health checks; viewing load balancer statistics in all projects; managing load balancers, rules and HTTP policies, target groups, and health checks in all projects; enabling and disabling load balancer logging in all projects
Available operations with cloud load balancers	In the Project access scope: viewing the list of all load balancer objects and information about them in the selected project: load balancers, rules and HTTP policies, target groups and their servers, and health checks; viewing load balancer statistics in the selected project; managing load balancers, rules and HTTP policies, target groups, and health checks in the selected project; enabling and disabling load balancer logging in the selected project
Available operations with cloud firewalls	In the Account access scope: viewing the list of cloud firewalls and information about them in all projects; managing cloud firewalls in all projects
Available operations with cloud firewalls	In the Project access scope: viewing the list of cloud firewalls and information about them in the selected project; managing cloud firewalls in the selected project
Available operations with security groups	In the Account access scope: viewing the list of security groups and information about them in all projects; creating and deleting security groups in all projects; modifying group names, descriptions, and tags in all projects; assigning a group to a port and disconnecting a group from a port in all projects; adding and deleting rules in a group in all projects; downloading a report on groups in all projects
Available operations with security groups	In the Project access scope: viewing the list of security groups and information about them in the selected project; creating and deleting security groups in the selected project; modifying group names, descriptions, and tags in the selected project; assigning a group to a port and disconnecting a group from a port in the selected project; adding and deleting rules in a group in the selected project; downloading a report on groups in the selected project

vpc.viewer

A user with access to view everything managed by vpc.admin in the same access scope.

Access scopes	Account
Who can be assigned	Users; service users; user groups
Available operations with cloud platform networks	In the Account access scope: viewing the list of all cloud platform network resources and information about them in all projects
Available operations with cloud platform networks	In the Project access scope: viewing the list of all cloud platform network resources and information about them in the selected project
Available operations with cloud firewalls	In the Account access scope: viewing the list of cloud firewalls and information about them in all projects
Available operations with cloud firewalls	In the Project access scope: viewing the list of cloud firewalls and information about them in the selected project
Available operations with security groups	In the Account access scope: viewing the list of security groups and information about them in all projects; downloading a report on groups in all projects
Available operations with security groups	In the Project access scope: viewing the list of security groups and information about them in the selected project; downloading a report on groups in the selected project

vpc.private_network.admin

A user with access to manage private networks, subnets, and ports, as well as private DNS.

Adding ports to a cloud server and deleting ports added to a cloud server is not available; this requires the member role.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations with cloud platform networks	In the Account access scope: viewing the list of private networks, subnets, ports, and information about them in all projects; managing private networks, subnets, and ports in all projects: creating and deleting networks and subnets; modifying network and subnet names and tags; modifying automatic subnet network settings (gateway, DNS servers, static routes, DHCP state); connecting a subnet to a cloud router and disconnecting it (also requires the `vpc.external_access.admin` role); connecting a subnet to a global router and disconnecting it (also requires the `global_router.admin` role); creating a port in a network (without assigning it to a cloud server) and deleting a port in a network (except for those assigned to a cloud server); enabling and disabling a port in a network
Available operations with cloud platform networks	In the Project access scope: viewing the list of private networks, subnets, ports, and information about them in the selected project; managing private networks, subnets, and ports in the selected project: creating and deleting networks and subnets; modifying network and subnet names and tags; modifying automatic subnet network settings (gateway, DNS servers, static routes, DHCP state); connecting a subnet to a cloud router and disconnecting it (also requires the `vpc.external_access.admin` role); connecting a subnet to a global router and disconnecting it (also requires the `global_router.admin` role); creating a port in a network (without assigning it to a cloud server) and deleting a port in a network (except for those assigned to a cloud server); enabling and disabling a port in a network
Available operations with private DNS	In the Account access scope: viewing information about connecting a network to a private DNS resolver, viewing the list of zones, and resource records in zones in all projects; managing private DNS in all projects: managing zones (creating, updating, deleting, connecting a network to a zone, etc.); managing resource records (adding, updating, deleting a record); managing connections to a private DNS resolver (creating, deleting connections)
Available operations with private DNS	In the Project access scope: viewing information about connecting a network to a private DNS resolver, viewing the list of zones and resource records, and information about them in the selected project; managing private DNS in the selected project: managing zones (creating, updating, deleting, connecting a network to a zone, etc.); managing resource records (adding, updating, deleting a record); managing connections to a private DNS resolver (creating, deleting connections)

vpc.private_network.viewer

A user with access to view everything managed by vpc.private_network.admin in the same access scope.

Access scopes	Project; Account
Who can be assigned	Users; service users; user groups
Available operations with cloud platform networks	In the Account access scope: viewing the list of private networks, subnets, ports, and information about them in all projects
Available operations with cloud platform networks	In the Project access scope: viewing the list of private networks, subnets, ports, and information about them in the selected project
Available operations with private DNS	In the Account access scope: viewing information about connecting a network to a private DNS resolver, viewing the list of zones, and resource records in zones in all projects
Available operations with private DNS	In the Project access scope: viewing information about connecting a network to a private DNS resolver, viewing the list of zones and resource records, and information about them in the selected project

vpc.external_access.admin

A user with access to manage objects for Internet access: public subnets, public IP addresses, and cloud routers.

Adding ports to a cloud server and deleting ports added to a cloud server is not available; this requires the member role.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations with cloud platform networks	In the Account access scope: viewing the list of public subnets, public IP addresses, ports in public networks, cloud routers, and information about them in all projects; managing public subnets in all projects: creating and deleting subnets; modifying subnet names and tags; modifying DNS servers; creating and deleting ports in a subnet; enabling and disabling a port in a network managing public IP addresses in all projects: creating and deleting IP addresses; connecting an IP address to a port in a private network; switching between ports; disconnecting from a port; managing cloud routers in all projects: creating and deleting routers; modifying router names and tags; enabling and disabling routers; connecting a router to the Internet and disconnecting it; managing static routes on a router; connecting a private subnet to a router and disconnecting it (also requires the `vpc.private_network.admin` role)
Available operations with cloud platform networks	In the Project access scope: viewing the list of public subnets, public IP addresses, ports in public networks, cloud routers, and information about them in the selected project; managing public subnets in the selected project: creating and deleting subnets; modifying subnet names and tags; modifying DNS servers; creating and deleting ports in a subnet; enabling and disabling a port in a network managing public IP addresses in the selected project: creating and deleting IP addresses; connecting an IP address to a port in a private network; switching between ports; disconnecting from a port; managing cloud routers in the selected project: creating and deleting routers; modifying router names and tags; enabling and disabling routers; connecting a router to the Internet and disconnecting it; managing static routes on a router; connecting a private subnet to a router and disconnecting it (also requires the `vpc.private_network.admin` role)

vpc.external_access.user

A user with access to view everything managed by vpc.external_access.admin in the same access scope, and also with access to manage public IP addresses.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations with cloud platform networks	In the Account access scope: viewing the list of public subnets, public IP addresses, ports in public networks, cloud routers, and information about them in all projects; managing public IP addresses in all projects: connecting an IP address to a port in a private network, switching between ports, disconnecting from a port
Available operations with cloud platform networks	In the Project access scope: viewing the list of public subnets, public IP addresses, ports in public networks, cloud routers, and information about them in the selected project; managing public IP addresses in the selected project: connecting an IP address to a port in a private network, switching between ports, disconnecting from a port

vpc.external_access.viewer

A user with access to view everything managed by vpc.external_access.admin in the same access scope.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations with cloud platform networks	In the Account access scope: viewing the list of public subnets, public IP addresses, ports in public networks, cloud routers, and information about them in all projects
Available operations with cloud platform networks	In the Project access scope: viewing the list of public subnets, public IP addresses, ports in public networks, cloud routers, and information about them in the selected project

vpc.network_security.admin

Managing traffic restriction tools: cloud firewalls and security groups.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations with cloud firewalls	In the Account access scope: viewing the list of cloud firewalls and information about them in all projects; managing cloud firewalls in all projects
Available operations with cloud firewalls	In the Project access scope: viewing the list of cloud firewalls and information about them in the selected project; managing cloud firewalls in the selected project
Available operations with security groups	In the Account access scope: viewing the list of security groups and information about them in all projects (to view information about ports, also requires the `vpc.private_network.viewer` or `vpc.external_access.viewer` role); creating and deleting security groups in all projects; modifying security group names, descriptions, and tags in all projects; assigning security groups to ports and disconnecting security groups from ports in all projects (also requires the `vpc.private_network.viewer` or `vpc.external_access.viewer` role); adding and deleting rules in a security group; downloading a report on security groups in all projects (also requires a combination of the `vpc.private_network.viewer` and `vpc.external_access.viewer` roles, or the `vpc.viewer` role)
Available operations with security groups	In the Project access scope: viewing the list of security groups and information about them in the selected project (to view information about ports, also requires the `vpc.private_network.viewer` or `vpc.external_access.viewer` role) creating and deleting a security group in the selected project; modifying security group names, descriptions, and tags in the selected project; assigning a security group to a port and disconnecting a group from a port in the selected project (also requires the `vpc.private_network.viewer` or `vpc.external_access.viewer` role); adding and deleting rules in a group in the selected project; downloading a report on groups in the selected project (also requires a combination of the `vpc.private_network.viewer` and `vpc.external_access.viewer` roles, or the `vpc.viewer` role)

vpc.network_security.user

A user with access to view everything managed by vpc.network_security.admin in the same access scope.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations with cloud firewalls	In the Account access scope: viewing the list of cloud firewalls and information about them in all projects
Available operations with cloud firewalls	In the Project access scope: viewing the list of cloud firewalls and information about them in the selected project
Available operations with security groups	In the Account access scope: viewing the list of security groups and information about them in all projects; assigning a group to a port and disconnecting a group from a port in all projects. In the control panel, this action is only available for the role via the security group page (in the top menu, click Products → Cloud Servers → Security Groups → group page); downloading a report on groups in all projects (also requires a combination of the `vpc.private_network.viewer` and `vpc.external_access.viewer` roles, or the `vpc.viewer` role)
Available operations with security groups	In the Project access scope: viewing the list of security groups and information about them in the selected project; assigning a group to a port and disconnecting a group from a port in the selected project; downloading a report on groups in the selected project (also requires a combination of the `vpc.private_network.viewer` and `vpc.external_access.viewer` roles, or the `vpc.viewer` role)

vpc.network_security.viewer

A user with access to view everything managed by vpc.network_security.admin in the same access scope.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations with cloud firewalls	In the Account access scope: viewing the list of cloud firewalls and information about them in all projects
Available operations with cloud firewalls	In the Project access scope: viewing the list of cloud firewalls and information about them in the selected project
Available operations with security groups	In the Account access scope: viewing the list of security groups and information about them in all projects; downloading a report on groups in all projects (also requires a combination of the `vpc.private_network.viewer` and `vpc.external_access.viewer` roles, or the `vpc.viewer` role)
Available operations with security groups	In the Project access scope: viewing the list of security groups and information about them in the selected project; downloading a report on groups in the selected project (also requires a combination of the `vpc.private_network.viewer` and `vpc.external_access.viewer` roles, or the `vpc.viewer` role)

vpc.load_balancer.admin

A user with access to manage cloud load balancers. For more information, see the Manage access to cloud load balancers guide.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations with cloud load balancers	In the Account access scope: viewing the list of all load balancer objects and information about them in all projects: load balancers, rules and HTTP policies, target groups and their servers, and health checks; viewing load balancer statistics in all projects; managing load balancer objects (except for creating a load balancer) in all projects. To create a load balancer, one or more additional roles are required. The additional roles depend on the network in which the load balancer will be created: `vpc.admin` for creating a load balancer in any subnet; `vpc.private_network.admin` for creating a load balancer in a private subnet; `vpc.external_access.admin` for creating a load balancer in a public subnet; a combination of `vpc.private_network.admin` and `vpc.external_access.admin` for creating a load balancer in a private subnet with a public IP address; enabling and disabling load balancer logging in all projects
Available operations with cloud load balancers	In the Project access scope: viewing the list of all load balancer objects and information about them in the selected project: load balancers, rules and HTTP policies, target groups and their servers, and health checks; viewing load balancer statistics in the selected project; managing load balancer objects (except for creating a load balancer) in the selected project. To create a load balancer, one or more additional roles are required. The additional roles depend on the network in which the load balancer will be created: `vpc.admin` for creating a load balancer in any subnet; `vpc.private_network.admin` for creating a load balancer in a private subnet; `vpc.external_access.admin` for creating a load balancer in a public subnet; a combination of `vpc.private_network.admin` and `vpc.external_access.admin` for creating a load balancer in a private subnet with a public IP address; enabling and disabling load balancer logging in the selected project

vpc.load_balancer.viewer

A user with access to view everything that a vpc.load_balancer.admin manages in the same access scope. For more information, see the Manage access to cloud load balancers guide.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations with cloud load balancers	In the Account access scope: viewing the list of all load balancer objects and information about them in all projects: load balancers, rules and HTTP policies, target groups and their servers, and health checks
Available operations with cloud load balancers	In the Project access scope: viewing the list of all load balancer objects and information about them in the selected project: load balancers, rules and HTTP policies, target groups and their servers, and health checks

compute.admin

A user with access to manage cloud servers, flavors, and placement groups. No access to other products. For more information, see the Manage access to cloud servers and flavors and Manage access to cloud server placement groups guides.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Account access scope: viewing quotas for all projects (default quotas, modified quota values, and used quotas); managing cloud servers (creating, modifying, deleting) `*`: using the console; managing flavors (creating, modifying, deleting); managing SSH keys (adding, deleting); managing placement groups (creating, deleting)
Available operations	In the Project access scope: viewing project quotas (default quotas, modified quota values, and used quotas); managing cloud servers (creating, modifying, deleting) `*`: using the console; managing flavors (creating private flavors, modifying, deleting); managing SSH keys (adding, deleting); managing placement groups (creating, deleting)

* In addition to the compute.admin role, the user must have a role with access to manage cloud platform networks.

compute.viewer

A user with access to view cloud servers, flavors, and placement groups. No access to other products. For more information, see the Manage access to cloud servers and flavors and Manage access to cloud server placement groups guides.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Account access scope: viewing quotas for all projects (default quotas, modified quota values, and used quotas); viewing the list of cloud servers and information about them: server type, configuration type, number of vCPUs, memory size, attached disks, security groups, network settings, and tags; viewing statistics for cloud servers; viewing the list of flavors and information about them: flavor name, number of vCPUs, RAM, and local disk size; viewing the list of SSH keys and information about them; viewing the list of placement groups and information about them: group name, placement policy condition
Available operations	In the Project access scope: viewing project quotas (default quotas, modified quota values, and used quotas); viewing the list of cloud servers and information about them: server type, configuration type, number of vCPUs, memory size, attached disks, security groups, network settings, and tags; viewing statistics for cloud servers; viewing the list of flavors and information about them: flavor name, number of vCPUs, RAM, and local disk size; viewing the list of SSH keys and information about them; viewing the list of placement groups and information about them: group name, placement policy condition

compute.server.user

A user with access to manage cloud servers. No access to other products. For more information, see the Manage access to cloud servers and flavors guide.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Account access scope: viewing quotas for all projects (default quotas, modified quota values, and used quotas); managing cloud servers (creating, modifying, deleting) `*`: using the console; viewing the list of flavors and information about them: flavor name, number of vCPUs, RAM, and local disk size; managing SSH keys (adding, deleting)
Available operations	In the Project access scope: viewing project quotas (default quotas, modified quota values, and used quotas); managing cloud servers (creating, modifying, deleting) `*`: using the console; viewing the list of flavors and information about them: flavor name, number of vCPUs, RAM, and local disk size; managing SSH keys (adding, deleting)

* In addition to the compute.server.user role, the user must have a role with access to manage cloud platform networks, network volumes, images, and backups.

compute.server.viewer

A user with access to view cloud servers. No access to other products. For more information, see the Manage access to cloud servers and flavors guide.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Account access scope: viewing quotas for all projects (default quotas, modified quota values, and used quotas); viewing the list of cloud servers and information about them: server type, configuration type, number of vCPUs, memory size, attached disks, security groups, network settings, and tags; viewing statistics for cloud servers; viewing the list of flavors and information about them: flavor name, number of vCPUs, RAM, and local disk size; viewing the list of SSH keys and information about them
Available operations	In the Project access scope: viewing project quotas (default quotas, modified quota values, and used quotas); viewing the list of cloud servers and information about them: server type, configuration type, number of vCPUs, memory size, attached disks, security groups, network settings, and tags; viewing statistics for cloud servers; viewing the list of flavors and information about them: flavor name, number of vCPUs, RAM, and local disk size; viewing the list of SSH keys and information about them

compute.flavor.admin

A user with access to manage cloud server flavors. No access to other products. For more information, see the Manage access to cloud servers and flavors guide.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Account access scope: viewing quotas for all projects (default quotas); managing flavors (creating private flavors, modifying, deleting); viewing the list of SSH keys and information about them
Available operations	In the Project access scope: viewing project quotas (default quotas); managing flavors (creating private flavors, modifying, deleting); viewing the list of SSH keys and information about them

compute.flavor.viewer

A user with access to view cloud server flavors. No access to other products. For more information, see the Manage access to cloud servers and flavors guide.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Account access scope: viewing quotas for all projects (default quotas); viewing the list of flavors and information about them: flavor name, number of vCPUs, RAM, and local disk size; viewing the list of SSH keys and information about them
Available operations	In the Project access scope: viewing project quotas (default quotas); viewing the list of flavors and information about them: flavor name, number of vCPUs, RAM, and local disk size; viewing the list of SSH keys and information about them

compute.server_group.admin

A user with access to manage cloud server placement groups. No access to other products. For more information, see the Manage access to cloud server placement groups guide.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Account access scope: viewing quotas for all projects (default quotas); managing placement groups (creating, deleting); viewing the list of flavors and information about them: flavor name, number of vCPUs, RAM, and local disk size; viewing the list of SSH keys and information about them
Available operations	In the Project access area: viewing project quotas (default quotas); managing placement groups (creation, deletion); viewing the list of flavors and information about them: flavor name, number of vCPUs, RAM, and local disk size; viewing the list of SSH keys and information about them

compute.server_group.viewer

A user with access to view cloud server placement groups. No access to other products. For more information, see the Manage access to cloud server placement groups guide.

Access areas	Resident; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Resident access area: retrieving quotas for all projects; viewing the list of placement groups and information about them: group name, placement policy condition; viewing the list of flavors and information about them: flavor name, number of vCPUs, RAM, and local disk size; viewing the list of SSH keys and information about them
Available operations	In the Project access area: retrieving project quotas; viewing the list of placement groups and information about them: group name, placement policy condition; viewing the list of flavors and information about them: flavor name, number of vCPUs, RAM, and local disk size; viewing the list of SSH keys and information about them

compute.volume.admin

A user with access to manage network volumes for cloud servers. No access to other products. For more information, see the Manage access to cloud server network volumes and snapshots guide.

Access areas	Resident; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Resident access area: viewing the list of all network volumes and information about them: disk type, disk size; creating volumes; managing volumes; moving volumes between projects; viewing information about volume moves
Available operations	In the Project access area: viewing the list of all network volumes and information about them: disk type, disk size; creating volumes; managing volumes; moving volumes between projects; viewing information about volume moves

compute.volume.user

A user with access to manage network volumes for cloud servers. No access to other products in their project or to network volumes in other projects. For more information, see the Manage access to cloud server network volumes and snapshots guide.

Access areas	Resident; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Resident access area: viewing the list of all network volumes and information about them: disk type, disk size; creating volumes; managing volumes
Available operations	In the Project access area: viewing the list of all network volumes and information about them: disk type, disk size; creating volumes; managing volumes

compute.volume.viewer

A user with access to view network volumes. No access to other products. For more information, see the Manage access to cloud server network volumes and snapshots guide.

Access areas	Resident; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Resident access area: viewing the list of all network volumes and information about them: disk type, disk size
Available operations	In the Project access area: viewing the list of all network volumes and information about them: disk type, disk size

compute.snapshot.admin

A user with access to manage network volume snapshots. No access to other products.

For more information, see the instructions Manage access to cloud server network volumes and snapshots.

Access areas	Resident; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Resident access area: viewing the list of all snapshots: snapshot size, creation date, and status; creating snapshots; managing snapshots
Available operations	In the Project access area: viewing the list of all snapshots: snapshot size, creation date, and status; creating snapshots; managing snapshots

compute.snapshot.viewer

A user with access to view network volume snapshots. No access to other products. For more information, see the Manage access to cloud server network volumes and snapshots guide.

Access areas	Resident; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Resident access area: viewing the list of all snapshots: snapshot size, creation date, and status
Available operations	In the Project access area: viewing the list of all snapshots: snapshot size, creation date, and status

compute.image.admin

A user with access to manage images. No access to other products. For more information, see the Manage access to cloud server images guide.

Access areas	Resident; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Resident access area: viewing the list of all images and information about them: image size, image format and container, minimum image requirements; creating or uploading images; managing images; configuring shared access to images in projects from the same account or from other accounts
Available operations	In the Project access area: viewing the list of all images and information about them: image size, image format and container, minimum image requirements; creating or uploading images; managing images; configuring shared access to images in projects from the same account or from other accounts

compute.image.user

A user with access to manage images. No access to other products in their project or to images in other projects. For more information, see the Manage access to cloud server images guide.

Access areas	Resident; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Resident access area: viewing the list of all images and information about them: image size, image format and container, minimum image requirements; creating or uploading images; managing images
Available operations	In the Project access area: viewing the list of all images and information about them: image size, image format and container, minimum image requirements; creating or uploading images; managing images

compute.backup.admin

A user with access to manage network volume backups and backup plans. No access to other products. For more information, see the Manage access to cloud server network volume backups guide.

Access areas	Resident; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Resident access area: viewing the list of all backups and information about them: backup type, size, connected backup plans, status; creating backups; managing backups; viewing the list of all backup plans; creating backup plans; managing backup plans
Available operations	In the Project access area: viewing the list of all backups and information about them: backup type, size, connected backup plans, status; creating backups; managing backups; viewing the list of all backup plans; creating backup plans; managing backup plans

compute.backup.viewer

A user with access to view network volume backups. No access to other products. For more information, see the Manage access to cloud server network volume backups guide.

Access areas	Resident; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Resident access area: viewing the list of all backups and information about them: backup type, size, connected backup plans, status; viewing the list of all backup plans
Available operations	In the Project access area: viewing the list of all backups and information about them: backup type, size, connected backup plans, status; viewing the list of all backup plans

filestorage.admin

A user with access to manage File Storage. No access to other products. For more information, see the Manage access to File Storage guide.

Access areas	Resident; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Resident access area: viewing the list of all file storages and information about them: name, size, storage type and protocol, IP and network name, status; viewing access rules for file storages; creating and managing file storages `*`; creating and managing access rules
Available operations	In the Project access area: viewing the list of all file storages and information about them: name, size, storage type and protocol, IP and network name, status; viewing access rules for file storages; creating and managing file storages `*`; creating and managing access rules

* In addition to the filestorage.admin role, the user must have a role with access to manage cloud platform networks to connect a file storage network.

filestorage.viewer

A user with access to view File Storage instances. No access to other products. For more information, see the Manage access to File Storage guide.

Access areas	Resident; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Resident access area: viewing the list of all file storages and information about them: name, size, storage type and protocol, IP and network name, status; viewing access rules for file storages
Available operations	In the Project access area: viewing the list of all file storages and information about them: name, size, storage type and protocol, IP and network name, status; viewing access rules for file storages

s3.admin

A user with full access to manage S3 within the project. No access to S3 in other projects or other products in their project. For more information, see the Manage access to S3 guide.

Access scopes	Project
Who can be assigned	Service users
Available operations	View the list of buckets in the project; viewing bucket contents; managing objects in a bucket (uploading, modifying, deleting, etc.); changing bucket settings; configuring a bucket access policy

s3.user

A user with access to an S3 bucket, if a bucket policy is configured in it that allows this user access to the bucket; for more information, see the Manage Access to S3 instruction. The level of access is determined by the bucket policy settings. Does not have access to S3 in other projects or to other products in their project.

Differs from a user with the s3.bucket.user role only in that they can view the list of buckets in the project.

Access areas	Project
Who can be assigned	Service users
Available operations	Viewing the list of buckets in the project; bucket operations allowed by the access policy.

s3.bucket.user

Differs from a user with the s3.user role only in that they cannot view the list of buckets in the project.

Access areas	Project
Who can be assigned	Service users
Available operations	Bucket operations allowed by the access policy

object_storage:admin

For your information

The object_storage:admin role will be removed soon; it cannot be assigned to new users. Existing users with the object_storage:admin role will continue to function.

A deprecated version of the s3.admin role. Has identical permissions.

object_storage_user

For your information

The object_storage_user role will be removed soon; it cannot be assigned to new users. Existing users with the object_storage_user role will continue to function.

A deprecated version of the s3.user role. Has identical permissions.

global_router.admin

A user with access to manage global routers in the account. No access to other products. For more information, see the Manage access to global routers guide.

Access areas Account

Who can be assigned

Users;
service users;
user groups

Available operations

Viewing the list of global routers, networks and subnets connected to them, and the list of static routes on a router;
creating, modifying, and deleting global routers;
adding, modifying, and deleting static routes on a global router;
renaming networks and subnets connected to a global router.

Other network operations for a global router additionally require the member role (Project or Account access area):

connecting an existing or new cloud platform network and subnet to a global router;
connecting an existing or new dedicated server network and subnet to a global router;
removing a cloud platform network or subnet from a global router network, including deleting the cloud platform network or subnet itself;
removing a dedicated server network or subnet from a global router network

global_router.viewer

A user with access to view global routers and their networks. No access to other products. For more information, see the Manage access to global routers guide.

Access areas	Account
Who can be assigned	Users; service users; user groups
Available operations	Viewing the list of global routers, networks and subnets connected to them, and the list of static routes on a router

logs.admin

A user with access to manage logs. No access to other products. For more information, see the Manage access to logs guide.

Access areas	Account; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Resident access area: viewing logs in the Control Panel and using available tools; managing custom logs; managing log groups and event streams
Available operations	In the Project access area: viewing logs in the Control Panel and using available tools; managing custom logs; managing log groups and event streams

logs.writer

A user with access to add logs to the Logs service. No access to other products. For more information, see the Manage access to logs guide.

Access areas	Resident; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Resident access area: adding logs from custom storage using available tools; creating log groups and event streams
Available operations	In the Project access area: adding logs from custom storage using available tools; creating log groups and event streams

logs.viewer

A user with access to view logs. No access to other products. For more information, see the Manage access to logs guide.

Access areas	Resident; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Resident access area: viewing logs in the Control Panel and using available tools
Available operations	In the Project access area: viewing logs in the Control Panel and using available tools

metrics.admin

A user with access to manage metrics. No access to other products. For more information, see the Manage access to metrics guide.

Access areas	Resident; Project
Who can be assigned	Users; service users; user groups
Available operations	In the Resident access area: collecting metrics
Available operations	In the Project access area: collecting metrics

audit_logs.admin

A user with access to audit logs. No access to other products. For more information, see the Manage access to audit logs guide.

Access areas	Account
Who can be assigned	Users; service users; user groups
Available operations	Unloading audit logs

mobile_farm.admin

A user with full access to manage Mobile Farm in their project. No access to Mobile Farm in other projects or other products in their project. For more information, see the Manage access to Mobile Farm guide.

Access areas	Project
Who can be assigned	Users; service users; user groups
Available operations	Viewing mobile farm consumption; adding and removing mobile farm devices; using mobile farm devices; changing pricing for mobile farm devices; adding ADB keys to their profile

mobile_farm.user

A user with access to use Mobile Farm devices in their project. No access to Mobile Farm in other projects or other products in their project. For more information, see the Manage access to Mobile Farm guide.

Access areas	Project
Who can be assigned	Users; service users; user groups
Available operations	Viewing mobile farm consumption; using mobile farm devices; adding ADB keys to their profile

mobile_farm.viewer

A user with access to view Mobile Farm devices and consumption in their project. No access to Mobile Farm in other projects or other products in their project. For more information, see the Manage access to Mobile Farm guide.

Access areas	Project
Who can be assigned	Users; service users; user groups
Available operations	Viewing mobile farm consumption; viewing mobile farm devices; adding ADB keys to their profile