Manage access to security groups

Last update: December 22 2025

Access to security groups is regulated:

• projects - define access within an isolated group of resources;
• role model - defines access different users within an account and project.

Role model access

For more information about role model access, see the Access Control in Selectel Products manual.

member

User with full access to all services. Access control is not available for: users, service users, user groups and federations.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations with security groups	In the Account access area: view the list of security groups and information about them in all projects; creating and deleting security groups in all projects; changing the group name, description and tags in all projects; assigning a group to a port and disabling a group from a port in all projects; adding and deleting rules in the group in all projects; downloading a report on groups in all projects
	In the access area Project: view the list of safety groups and information about them in the selected project; creating and deleting a security group in the selected project; change the name, description and tags of the group in the selected project; assign a group to a port and disconnect the group from the port in the selected project; adding and deleting rules in a group in the selected project; downloading a report on groups in the selected project

iam_admin

User with access to user management and without access to services and billing. Cannot manage his account: change permissions, manage notifications, delete the user. The first user with the iam_admin role is created by the Account Owner.

Access areas	Account
Who can be prescribed	Users; to service users; user groups
Available operations with security groups	Manage users, service users, user groups with access to security groups, and manage federations

reader

A user with access to view everything he controls member in the same access area.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations with security groups	In the Account access area: View the list of security groups and information about them in all projects
	In the access area Project: view the list of safety groups and information about them in the selected project

vpc.admin

User with access to manage cloud platform networks (private networks and subnets, public subnets and public IP addresses, cloud routers), cloud firewalls, security groups, cloud load balancers.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations with security groups	In the Account access area: view the list of security groups and information about them in all projects; creating and deleting security groups in all projects; changing the group name, description and tags in all projects; assigning a group to a port and disabling a group from a port in all projects; adding and deleting rules in the group in all projects; downloading a report on groups in all projects
	In the access area Project: view the list of safety groups and information about them in the selected project; creating and deleting a security group in the selected project; change the name, description and tags of the group in the selected project; assign a group to a port and disconnect the group from the port in the selected project; adding and deleting rules in a group in the selected project; downloading a report on groups in the selected project

vpc.viewer

User with access to view everything he controls vpc.admin in the same access area.

Access areas	Account
Who can be prescribed	Users; to service users; user groups
Available operations with security groups	In the Account access area: view the list of security groups and information about them in all projects; downloading a report on groups in all projects
	In the access area Project: view the list of safety groups and information about them in the selected project; downloading a report on groups in the selected project

vpc.network_security.admin

Manage traffic restriction tools - cloud firewalls, security groups.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations with security groups	In the Account access area: view the list of security groups and information about them in all projects (to view information about ports, the role of vpc.private_network.viewer or vpc.external_access.viewer); creating and deleting security groups in all projects; changing the name, description and tags of security groups in all projects; assigning security groups to ports and disabling security groups from ports in all projects (additionally requires the role vpc.private_network.viewer or vpc.external_access.viewer); adding and deleting rules in a security group; downloading a report on security groups in all projects (additionally requires role combination vpc.private_network.viewer and vpc.external_access.viewer or the role vpc.viewer)
	In the access area Project: view the list of security groups and information about them in the selected project (to view information about ports, the role is additionally required vpc.private_network.viewer or vpc.external_access.viewer); creating and deleting a security group in the selected project; change the name, description and tags of the security group in the selected project; assigning a security group to a port and disconnecting the group from the port in the selected project (additionally, the role of vpc.private_network.viewer or vpc.external_access.viewer); adding and deleting rules in the security group in the selected project; downloading a report on security groups in the selected project (additionally requires role combination vpc.private_network.viewer and vpc.external_access.viewer or the role vpc.viewer)

vpc.network_security.user

A user with access to view everything they manage vpc.network_security.admin in the same access area. Also has access to manage security groups on ports on the private or public network.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations with security groups	In the Account access area: view the list of security groups and information about them in all projects; assigning a group to a port and disabling a group from a port in all projects. In the control panel, the action is available for a role only through the security group page (in the top menu, click Products → Cloud Servers → Security Groups → Group page); downloading report by groups in all projects (additionally requires role combination vpc.private_network.viewer and vpc.external_access.viewer or the role vpc.viewer)
	In the access area Project: view the list of safety groups and information about them in the selected project; assign a group to a port and disconnect the group from the port in the selected project; downloading report by groups in the selected project (additionally requires role combination vpc.private_network.viewer and vpc.external_access.viewer or the role vpc.viewer)

vpc.network_security.viewer.

A user with access to view everything they manage vpc.network_security.admin in the same access area.

Access areas	Account; project
Who can be prescribed	Users; to service users; user groups
Available operations with security groups	In the Account access area: view the list of security groups and information about them in all projects; downloading report by groups in all projects (additionally requires role combination vpc.private_network.viewer and vpc.external_access.viewer or the role vpc.viewer)
	In the access area Project: view the list of safety groups and information about them in the selected project; downloading report by groups in the selected project (additionally requires role combination vpc.private_network.viewer and vpc.external_access.viewer or the role vpc.viewer)