Roles and permissions of Management console users
Immediately after creating a project, it contains only one user — its owner. This user can invite other members to the project by assigning them roles and permissions. Roles and permissions define the rights available to a user when working with the functionality of the management console and with cloud services.
A role is a specific set of permissions to perform operations with VK Cloud resources.
A permission allows a user to perform only one operation in a specific service or component.
You can find the full list of roles and permissions in the reference guides:
Each role and each permission has:
- a name in the management console, which is used to assign or remove the role via the graphical interface;
- a technical name, which is used to manage the project and services via API and Terraform.
The same user can be a member of multiple projects and have different roles and permissions in them. A single member can be assigned multiple roles and permissions within one project; in this case, the rights are cumulative.
In addition to users, service accounts can also be added to a project; they are intended for interaction between programs and services. Any roles and permissions can be assigned to СУЗ, except for the Project owner role.
You can view the list of project members and the roles and permissions assigned to them on the Access management page of the management console.
Some services have special sets of rights. Below are such sets of rights and how they relate to VK Cloud roles.
Roles | Viewing logs and service configuration | Editing log settings | Creating service users and names |
|---|---|---|---|
Project owner | |||
Superadministrator | |||
Project administrator | |||
User access administrator | |||
Billing administrator | |||
Viewer | |||
VM administrator, junior VM administrator, VM operator | |||
Network administrator | |||
Network security administrator | |||
Internal network administrator | |||
Kubernetes administrator, auditor, operator |
Roles | Viewing dashboards | Viewing Prometheus metrics | Recording in monitoring system | Creating and editing dashboards |
|---|---|---|---|---|
Project owner | ||||
Superadministrator | ||||
Project administrator | ||||
User access administrator | ||||
Billing administrator | ||||
Viewer | ||||
VM administrator, junior VM administrator | ||||
VM operator | ||||
Network administrator | ||||
Network security administrator | ||||
Internal network administrator | ||||
Kubernetes administrator, auditor, operator |
Roles | Viewing events | Downloading data | Setting service |
|---|---|---|---|
Project owner | All events of a project | ||
Superadministrator | All events of a project | ||
Project administrator | All events of a project | ||
User access administrator | All the IAM service events and all his/her actions | ||
Billing administrator | All the Billing service events and all his/her actions | ||
Viewer | All events of a project | ||
VM administrator, junior VM administrator | All events of a project | ||
VM operator | |||
Network administrator | All the Cloud Network service events and all his/her actions | ||
Network security administrator | |||
Internal network administrator | |||
Kubernetes administrator, auditor, operator | All the Cloud Containers service events and all his/her actions |
The following user roles are intended for working with the Сontainers service:
- Kubernetes administrator
- Kubernetes operator
- Kubernetes auditor
The operations available to Kubernetes administrator are also available to Project owner, Superadministrator, and Project administrator.
For other roles these operations are unavailable.
For Kubernetes clusters of version 1.23 and later, the role of a Kubernetes administrator, operator, or auditor also defines the internal Kubernetes role (admin, edit, or view) assigned to the user.
Operations | Roles | |||
Kubernetes administrator | Kubernetes operator | Kubernetes auditor | Viewer | |
Create a cluster | ||||
Delete a cluster | ||||
Start a cluster | ||||
Stop a cluster | ||||
Show information about a cluster and node groups | ||||
Get kubeconfig | ||||
Get the secret to access the Kubernetes Dashboard | ||||
Update version | ||||
Change the virtual machine type | ||||
Change the size of the Prometheus disk | ||||
Add a node group | ||||
Delete a node group | ||||
Change scaling settings | ||||
Change Labels and Taints | ||||
Install and delete an add-on | ||||
The Security Gate service in the management console is available for the following roles:
- Project owner
- Superadministrator
- Project administrator
- Network security administrator
- Internal network administrator
- Virtual machine administrator
- Junior VM administrator
- Virtual machine operator
- Viewer
The Security Gate service is not available for any other roles.