User types and roles

User access rights are defined by:

  • user types which determine where the account will be used — in the control panel or for authorized access via API and automation tools;
  • roles, which define the access available within each user type.

Users can only be added and edited by users with the Account Owner or User Administrator role.

You can also add users to groups to manage multiple users as one.

User types and roles are temporarily unsupported in the following product and service groups:

  • VMware-based cloud: VMware-based public cloud, disaster recovery to VMware-based cloud, and others;
  • network services (except CDN and DNS hosting);
  • additional services: monitoring and others besides the mobile farm.

In S3, a user's access to a bucket can be changed by an access policy; for details, see the Manage Access in S3 instructions.

You can work with users and roles in the control panel, using the IAM API or Terraform.

Types of users

The user type is specified when the user is added and cannot be changed:

  • control panel user — a user with an account in the control panel, who registers in the control panel and undergoes two-step authentication via email and phone number during authorization. Can issue a static token (X-Token) to himself/herself for full access to the Selectel products API;
  • service user — a user with an account for programmatic access via the Selectel products API and other automation tools. Has only a login and password. Does not have access to the control panel;
  • federated user — a control panel user who belongs to one of the federations and authenticates through SSO. Does not go through two-step authentication. The user is added as already registered and only needs to enter their full name at the first login. Email is mandatory. Does not have access to the API.

For more information about authenticating different types of users in the API, see the API Request Authentication instructions in the API documentation.

Roles

Depending on the type of user, one or more roles can be assigned to the user.

A role can be assigned to an individual user or a group of users.

User-type columns of this table: Control panel user, Service user, Federated user.

| Role | Description |
|---|---|
| Account owner | The user who registered the account. You cannot change the role of the Account Owner or assign this role to another user. You can only change the Account Owner by registering a new account |
| Account administrator | User with access to account, service and billing management |
| Billing administrator | User with access to billing management and without access to service management |
| User Administrator | User with access to user management and without access to services and billing. The first User Administrator is created by the Account Owner |
| Project Administrator | User with access to project infrastructure management and without access to billing, other projects and products |
| Account Supervisor | A user with access to view all services, billing and account data and no management access. The Account Supervisor can view everything that the Account Administrator manages |
| Project Observer | User with access to view project infrastructure and tickets and without management access |
| S3 Administrator | User with full access to S3 management within the project. Does not have access to other products. For more details, see the Managing access in S3 manual |
| User S3 | A user with access to S3 bucket if they have an access policy configured that allows access to the bucket for that user, see the Manage Access in S3 instructions for details. Does not have access to other products. The degree of access and allowed actions with objects depends on the access policy settings |
| Mobile farm administrator | User with full access to manage the mobile farm within the project. Does not have access to other products. More details in the Manage access to the mobile farm instructions |
| Mobile farm user | User with access to use Mobile Farm devices, more details in the Manage Mobile Farm Access instructions. Does not have access to other products |
| Mobile Farm Supervisor | User with access to view a list of Mobile Farm devices and consumption information, more details in the Manage Mobile Farm Access instructions. Does not have access to other products |

Role comparison

Roles compared (table columns): Account owner, Account administrator, Billing administrator, User Administrator, Project Administrator, Account Supervisor, Project Observer, S3 Administrator, User S3, Mobile farm administrator, Mobile farm user, Mobile Farm Supervisor.

Capabilities compared (table rows):

  • Two-factor authentication
  • Viewing the authorization log (for nine of the roles: only their own)
  • Resetting your sessions
  • Managing users, user groups and federations
  • Receiving notifications
  • Notification management (for two of the roles: other users only)
  • Connect notifications in Telegram
  • Access restriction