Manage access to security groups

Access to security groups is regulated by:

projects — define access within an isolated group of resources;
role model — defines the access of different users within an account and a project.

Access within the role model

Read more about access within the role model in the Access Management in Selectel Products article.

member

User with full access to all services. Access management is not available: users, service users, user groups, and federations.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations with security groups	In the Account access scope: viewing the list of security groups and information about them in all projects; creating and deleting security groups in all projects; editing the name, description, and tags of a group in all projects; assigning a group to a port and detaching a group from a port in all projects; adding and removing rules in a group in all projects; downloading a report on groups in all projects
Available operations with security groups	In the Project access scope: viewing the list of security groups and information about them in the selected project; creating and deleting a security group in the selected project; editing the name, description, and tags of a group in the selected project; assigning a group to a port and detaching a group from a port in the selected project; adding and removing rules in a group in the selected project; downloading a report on groups in the selected project

iam.admin

User with access to manage users and no access to services or billing. Cannot manage their account: change permissions, manage notifications, delete a user. The first user with the iam.admin role is created by the Account Owner.

Access scopes	Account
Who can be assigned	Users; service users; user groups
Available operations with security groups	Manage users, service users, user groups with access to security groups, and manage federations

iam.viewer

User with access to view everything that iam.admin manages.

Access scopes	Account
Who can be assigned	Users; service users; user groups
Available operations with security groups	View users, service users, user groups, and federations; viewing user keys; view notifications of other users; viewing account access restrictions

reader

User with access to view everything that member in the same access scope.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations with security groups	In the Account access scope: viewing the list of security groups and information about them in all projects
Available operations with security groups	In the Project access scope: viewing the list of security groups and information about them in the selected project

vpc.admin

User with access to manage cloud platform networks (private networks and subnets, public subnets and public IP addresses, cloud routers), cloud firewalls, security groups, and cloud load balancers.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations with security groups	In the Account access scope: viewing the list of security groups and information about them in all projects; creating and deleting security groups in all projects; editing the name, description, and tags of a group in all projects; assigning a group to a port and detaching a group from a port in all projects; adding and removing rules in a group in all projects; downloading a report on groups in all projects
Available operations with security groups	In the Project access scope: viewing the list of security groups and information about them in the selected project; creating and deleting a security group in the selected project; editing the name, description, and tags of a group in the selected project; assigning a group to a port and detaching a group from a port in the selected project; adding and removing rules in a group in the selected project; downloading a report on groups in the selected project

vpc.viewer

User with access to view everything that vpc.admin manages in the same access scope.

Access scopes	Account
Who can be assigned	Users; service users; user groups
Available operations with security groups	In the Account access scope: viewing the list of security groups and information about them in all projects; downloading a report on groups in all projects
Available operations with security groups	In the Project access scope: viewing the list of security groups and information about them in the selected project; downloading a report on groups in the selected project

vpc.network_security.admin

Manage tools for traffic restriction — cloud firewalls, security groups.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations with security groups	In the Account access scope: viewing the list of security groups and information about them in all projects (to view information about ports, you additionally need the `vpc.private_network.viewer` or `vpc.external_access.viewer` role); creating and deleting security groups in all projects; editing the name, description, and tags of security groups in all projects; assigning security groups to ports and detaching security groups from ports in all projects (you additionally need the `vpc.private_network.viewer` or `vpc.external_access.viewer` role); adding and removing rules in a security group; downloading a report on security groups in all projects (you additionally need a combination of the `vpc.private_network.viewer` and `vpc.external_access.viewer` roles, or the `vpc.viewer` role)
Available operations with security groups	In the Project access scope: viewing the list of security groups and information about them in the selected project (to view information about ports, you additionally need the `vpc.private_network.viewer` or `vpc.external_access.viewer` role); creating and deleting a security group in the selected project; editing the name, description, and tags of a security group in the selected project; assigning a security group to a port and detaching a group from a port in the selected project (you additionally need the `vpc.private_network.viewer` or `vpc.external_access.viewer` role); adding and removing rules in a security group in the selected project; downloading a report on security groups in the selected project (you additionally need a combination of the `vpc.private_network.viewer` and `vpc.external_access.viewer` roles, or the `vpc.viewer` role)

vpc.network_security.user

User with access to view everything that vpc.network_security.admin manages in the same access scope. Also has access to manage security groups on ports in a private or public network.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations with security groups	In the Account access scope: viewing the list of security groups and information about them in all projects; assigning a group to a port and detaching a group from a port in all projects. In the Control Panel, this action is only available for the role through the security group page (in the top menu, click Products → Cloud Servers → Security Groups → group page); downloading a report on groups in all projects (you additionally need a combination of the `vpc.private_network.viewer` and `vpc.external_access.viewer` roles, or the `vpc.viewer` role)
Available operations with security groups	In the Project access scope: viewing the list of security groups and information about them in the selected project; assigning a group to a port and detaching a group from a port in the selected project; downloading a report on groups in the selected project (you additionally need a combination of the `vpc.private_network.viewer` and `vpc.external_access.viewer` roles, or the `vpc.viewer` role)

vpc.network_security.viewer

User with access to view everything that vpc.network_security.admin in the same access scope.

Access scopes	Account; Project
Who can be assigned	Users; service users; user groups
Available operations with security groups	In the Account access scope: viewing the list of security groups and information about them in all projects; downloading a report on groups in all projects (you additionally need a combination of the `vpc.private_network.viewer` and `vpc.external_access.viewer` roles, or the `vpc.viewer` role)
Available operations with security groups	In the Project access scope: viewing the list of security groups and information about them in the selected project; downloading a report on groups in the selected project (you additionally need a combination of the `vpc.private_network.viewer` and `vpc.external_access.viewer` roles, or the `vpc.viewer` role)