Types and roles of users

Last update: April 18 2025

Types and roles of users

User access rights are delimited through:

• user types that determine where the account will be used — in the control panels or for authorized access via APIs and automation tools;
• roles that define accesses within each type of user.

add and edit Only users with the role of Account Owner or User Administrator are allowed to create users.

You can also add users to groups To manage multiple users as a single user.

User types and roles are temporarily unsupported in the following product and service groups:

• VMware-based cloud: VMware-based public cloud, disaster recovery to VMware-based cloud, and others;
• network services (except CDN and DNS);
• additional services: monitoring and others.

In object storage, user access to a container can be changed according to the access policy, see the instructions for more details Manage access to object storage.

You can work with users and roles in the control panels with the help of IAM API or Terraform.

Types of users⁠

The user type is specified when user addition and cannot be changed:

• control panel user — a user with an account in the control panel who logged into the control panel and the authorization goes through two-step authentication through the mail and a phone number. He can write himself a prescription static token (X-Token) for full access to Selectel product APIs;
• service user — a user with an account for program access via Selectel Product API and other automation tools. Has only a login and password. Does not have access to control panels;
• federated user — a user of the control panel who belongs to one of the federations and authenticates through SSO. Does not pass two-step authentication. The user is added already registered — he only needs to enter his full name at the first login. Email is mandatory. Does not have access to API.

Learn more about authenticating different types of users in the API in the instructions Authentication of requests to API API documentation.

Raleigh⁠

Depending on user type it can be assigned one or more roles.

A role can be assigned individually to a user or to a user group.

		Control panel user	Service user	Federated user
Account owner	The user who registered the account. You cannot change the role of the Account Owner or assign this role to another user. You can only change the Account Owner via new account registration	✓	✗	✗
Account administrator	User with access to account, service and billing management	✓	✓	✓
Billing administrator	User with access to billing management and without access to service management	✓	✗	✓
User Administrator	User with access to user management and without access to services and billing. The first User Administrator is created by the Account Owner	✓	✓	✓
Project Administrator	User with access to infrastructure management projects and without access to billing, other projects and products.	✓	✓	✓
Account Supervisor	A user with access to view all services, billing and account data and no management access. The Account Supervisor can view everything that the Account Administrator manages	✓	✓	✓
Project Observer	User with access to view the infrastructure projects and tickets and no management access	✓	✓	✓
Object Storage Administrator	User with full access to manage object storage within the project. Does not have access to other products. More details in the manual Manage access to object storage	✗	✓	✗
Object storage user	A user with access to object store containers, if they have an access policy configured that allows access to the container for that user, see the instructions for more details Manage access to object storage. Does not have access to other products. The degree of access and allowed actions with objects depends on the access policy settings	✗	✓	✗
Subscriber	User without access to the control panel, has no login and password. When adding a Subscriber, only mail is specified. The Subscriber can only receive notices from the Accounting Documents and Balance and Payments categories. Notifications are configured by the Account Owner or User Administrator	✓ (without access to the panel)	✗	✗

Role comparison⁠

Account

	Account owner	Account administrator	Billing administrator	User Administrator	Project Administrator	Account Supervisor	Project Observer	Object Storage Administrator	Object storage user	Subscriber
Two-factor authentication	✓	✓	✓	✓	✓	✓	✓	✗	✗	✗
Viewing the authorization log	✓	✓ (only their own)	✓ (only their own)	✓ (only their own)	✓ (only their own)	✓ (only their own)	✓ (only their own)	✗	✗	✗
Resetting your sessions	✓	✓	✓	✓	✓	✓	✓	✗	✗	✗
Managing users, user groups and federations	✓	✗	✗	✓	✗	✗	✗	✗	✗	✗
Receiving notifications	✓	✓	✓	✓	✓	✓	✓	✗	✗	✓ (Accounting Documents and Balance Sheet and Payments categories only)
Notification management	✓ (other users only)	✗	✗	✓ (other users only)	✗	✗	✗	✗	✗	✗
Connect notifications in Telegram	✓	✓	✓	✓	✓	✓	✓	✗	✗	✗
Access restriction	✓	✗	✗	✓	✗	✗	✗	✗	✗	✗

Billing

	Account owner	Account administrator	Billing administrator	User Administrator	Project Administrator	Account Supervisor	Project Observer	Object Storage Administrator	Object storage user	Subscriber
View balance status	✓	✓	✓	✗	✗	✓	✗	✗	✗	✗
Top-up	✓	✓	✓	✗	✗	✗	✗	✗	✗	✗
Transfer between balances	✓	✓	✓	✗	✗	✗	✗	✗	✗	✗
Payment for services	✓	✓	✗	✗	✗	✗	✗	✗	✗	✗
Viewing service statuses	✓	✓	✓	✗	✗	✓	✗	✗	✗	✗
Auto account management	✓	✓	✓	✗	✗	✗ (view only)	✗	✗	✗	✗
Managing monthly payments	✓	✓	✓	✗	✗	✗ (view only)	✗	✗	✗	✗
View transaction history	✓	✓	✓	✗	✗	✓	✗	✗	✗	✗
Managing balance notifications	✓	✓	✓	✗	✗	✗ (view only)	✗	✗	✗	✗
Bank card management (adding, saving, deleting)	✓	✓	✓	✗	✗	✗ (only view saved maps)	✗	✗	✗	✗
Viewing reporting documents	✓	✓	✓	✗	✗	✓	✗	✗	✗	✗
Withdrawal of money and affiliate program management	✓	✓	✓	✗	✗	✗ (view only)	✗	✗	✗	✗
Deferred payment management	✓	✓	✓	✗	✗	✗	✗	✗	✗	✗

Services

	Account owner	Account administrator	Billing administrator	User Administrator	Project Administrator	Account Supervisor	Project Observer	Object Storage Administrator	Object storage user	Subscriber
Service connection	✓	✓	✗	✗	✓ (in your project only)	✗	✗	✓ (in your project only)	✓ (if allowed by the access policy)	✗
View connected services	✓	✓	✓	✗	✓ (in your project only)	✓	✓ (in your project only)	✓ (in your project only)	✓ (only within a container, if allowed by the access policy)	✗
Payment for services	✓	✓	✗	✗	✗	✗	✗	✗	✗	✗
Viewing service statuses	✓	✓	✓	✗	✗	✓	✗	✗	✗	✗

Projects

	Account owner	Account administrator	Billing administrator	User Administrator	Project Administrator	Account Supervisor	Project Observer	Object Storage Administrator	Object storage user	Subscriber
Resource Creation	✓	✓	✗	✗	✓ (in your project only)	✗	✗	✓ (in your project only)	✓ (if allowed by the access policy)	✗
View created resources	✓	✓	✓	✗	✓ (in your project only)	✓	✓ (in your project only)	✓ (in your project only)	✓ (only within a container, if allowed by the access policy)	✗
Creating, transferring and deleting projects	✓	✓	✗	✗	✗	✗	✗	✗	✗	✗
Managing project settings	✓	✓	✗	✗	✗	✗	✗	✗	✗	✗
Management of project limits and quotas	✓	✓	✗	✗	✗	✗ (view only)	✗	✗	✗	✗
Project ticket management	✓	✓	✓	✓	✓	✓	✓	✗	✗	✗
Project user management	✓	✗	✗	✓	✗	✗	✗	✗	✗	✗

Access keys

	Account owner	Account administrator	Billing administrator	User Administrator	Project Administrator	Account Supervisor	Project Observer	Object Storage Administrator	Object storage user	Subscriber
Managing your keys (SSH, API, S3, ADB)	✓	✓	✓	✓	✓	✓	✓	✗	✗	✗
Managing other users' keys (SSH, S3, ADB)	✓	✗	✗	✓	✗	✗	✗	✗	✗	✗

Tickets

	Account owner	Account administrator	Billing administrator	User Administrator	Project Administrator	Account Supervisor	Project Observer	Object Storage Administrator	Object storage user	Subscriber
Creating tickets	✓	✓	✓	✓	✓ (in your project only)	✓	✓ (in your project only)	✗	✗	✗
View all tickets of the account	✓	✓	✓	✓	✗	✓	✗	✗	✗	✗
View project tickets	✓	✓	✓	✓	✓ (in your project only)	✓	✓ (in your project only)	✗	✗	✗
Changing ticket availability	✓	✓	✓	✓	✓ (when a user has access to multiple projects)	✓	✓ (when a user has access to multiple projects)	✗	✗	✗