Access control in Selectel products

Projects and users are used to separate access to Selectel products.

When you register an account, a primary user, the Account Owner, is created automatically and can manage all account resources. The Account Owner can create additional users. Users can be of different types and can be given different permissions, that is, roles assigned in a particular access area.

Besides the Account Owner, users with the iam_admin role can manage other users. For more information about the capabilities of each role, see the Role Reference Guide.

Users can be added to groups to manage multiple users as one.

Users and roles can be managed in the control panel, using the IAM API or Terraform.

Access control is limited in some Selectel products.

Permissions

A permission defines which operations a user can perform on which group of resources.

A permission consists of an access area and a role.

You can assign permissions to different subjects: a user, a service user, or a group. You can assign multiple permissions at once and change them.

Access areas

The access area of a permission is the group of resources for which the permission is granted. An access area can be:

  • account - all resources of the account, including resources of all projects;
  • projects (project) - resources of selected projects.

Roles

A role is a set of authorized operations on specific types of resources or settings. A role defines access within the access area that is specified in the permission.

Depending on the type of user, you can assign roles to different access areas. For more information about the capabilities of each role, see the Role Reference Guide.
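
The sketch below is an added example, not Selectel code and not the IAM API format: it resolves which roles a subject effectively holds in one project when permissions are assigned both to users and to groups, and lists subjects with account-wide grants for least-privilege review. The subject names, project IDs and data layout are constructed, and it assumes that a group member inherits every permission assigned to the group.

```python
# Added example: constructed data, not the Selectel IAM API format.
from collections import defaultdict

# A permission is (role, access area, project IDs); "account" covers every project.
GRANTS = {  # subject -> permissions (constructed sample)
    "user:alice": [("member", "account", ())],
    "user:bob": [("reader", "project", ("proj-a",))],
    "svc:ci": [("object_storage_admin", "project", ("proj-b",))],
    "group:ops": [("member", "project", ("proj-a", "proj-b"))],
    "group:audit": [("reader", "account", ())],
}
GROUPS = {"group:ops": {"user:bob", "svc:ci"}, "group:audit": {"user:bob"}}


def effective_roles(subject, project):
    """Roles `subject` holds in `project`, directly or through groups.

    Assumption: a member inherits every permission assigned to its groups.
    """
    sources = [subject] + sorted(g for g, m in GROUPS.items() if subject in m)
    roles = defaultdict(set)  # role -> where the grant came from
    for src in sources:
        for role, area, projects in GRANTS.get(src, []):
            # An account-scoped permission includes the resources of all projects.
            if area == "account" or project in projects:
                roles[role].add(f"{src} ({area})")
    return {role: sorted(origin) for role, origin in roles.items()}


def account_wide(roles=("member", "iam_admin")):
    """Subjects whose own grants give a listed role on the whole account."""
    return sorted(
        subject
        for subject, perms in GRANTS.items()
        if any(area == "account" and role in roles for role, area, _ in perms)
    )


if __name__ == "__main__":
    for who in ("user:alice", "user:bob", "svc:ci"):
        print(who, "in proj-b ->", effective_roles(who, "proj-b"))
    print("account-wide review list:", account_wide())
```

Recording where each role comes from shows when a narrow direct permission is widened by a group, as with user:bob here.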

Role model update

Prior to the role model update in September 2025, users' access was determined only by their roles. After the update, the old concept of a role corresponds to a permission - a combination of a role and an access area. The roles have been renamed. The capabilities of the roles have not changed.

| Old role title            | Role                 | Access area |
|---------------------------|----------------------|-------------|
| Account administrator     | member               | account     |
| Project Administrator     | member               | project     |
| Billing administrator     | billing              | account     |
| User Administrator        | iam_admin            | account     |
| Account Supervisor        | reader               | account     |
| Project Observer          | reader               | project     |
| S3 Administrator          | object_storage_admin | project     |
| User S3                   | object_storage_user  | project     |
| Mobile farm administrator | mobile_farm.admin    | project     |
| Mobile farm user          | mobile_farm.user     | project     |
| Mobile Farm Supervisor    | mobile_farm.viewer   | project     |

Access control limitations in some products

Some products and services do not support the division of resources into projects and may additionally have their own access system:

  • VMware-based cloud products: VMware-based public cloud, VMware-based cloud disaster recovery, VMware-based remote desktop rental;
  • Selectel Mail Service;
  • Direct Connect;
  • Global Connect;
  • IP address accounting;
  • DDoS protection;
  • Fault-tolerant load balancer;
  • ML and data processing: AI marketplace, ML platform, Data processing platform;
  • backup and recovery products: Backup by agents (Veeam Agent), Veeam Cloud Connect, Cyber Backup Cloud;
  • Monitoring;
  • Loglines.

In S3, a user's access to a bucket can be changed with an access policy; for details, see the Manage Access in S3 instructions.