Roles are sets of permissions that are granted to users and service accounts to work with resources in Nebius AI Cloud. Roles are assigned to groups:
  • Default groups in each tenant (auditors, viewers, editors, admins) have corresponding predefined general roles.
  • When you create custom groups, you should create at least one access permit that assigns a role to the group. You can configure an access permit to apply to the entire tenant, a project within it or an individual resource within it. For more details and instructions, see Managing custom groups.

List of roles

The following roles are available:
  • General
    • auditor
    • viewer
    • editor
    • admin
  • Object Storage
    • storage.viewer
    • storage.uploader
    • storage.editor
    • storage.object-editor
    • storage.object-viewer
    • storage.object-lister

General roles

General roles grant permissions for resources from all services. For example, if you are in a group that has the admin role within a tenant, you can perform all actions listed below on all Compute virtual machines, Managed Kubernetes clusters, etc. in the tenant. The default groups within a tenant are assigned corresponding tenant-wide general roles.
Default groups and general roles grant a wide range of permissions across all services. To follow the principle of least privilege, create custom groups and assign roles with as few permissions as possible to these groups.
The following general roles are available:
  • auditor: view certain types of resources without access to data.
  • viewer: view most types of resources (except some resources related to access management, security, etc.) and access data in them (e.g. download objects in buckets).
  • editor: view and manage most types of resources and access data in them.
  • admin: view and manage all types of resources and access data in them.
The graph below shows how general roles are related to each other (the arrow means “is a sub-role of”):
The auditor role is going to be deprecated in the near future. We recommend using the viewer role and viewers default group instead.
General roles contain the following permissions:
In each table below, the columns are the auditor, viewer, editor and admin roles (held by the auditors, viewers, editors and admins default groups respectively), and a dash means the role grants no permissions for that resource type.

| Compute | auditor | viewer | editor | admin |
|---|---|---|---|---|
| Virtual machines | - | View | View, Create, Modify, Stop, Start, Delete | View, Create, Modify, Stop, Start, Delete |
| GPU clusters | - | View | View, Create, Add/remove VMs, Modify, Delete | View, Create, Add/remove VMs, Modify, Delete |
| Disks | - | View | View, Create, Attach to/detach from VMs, Modify, Delete | View, Create, Attach to/detach from VMs, Modify, Delete |
| Shared filesystems | - | View | View, Create, Attach to/detach from VMs, Modify, Delete | View, Create, Attach to/detach from VMs, Modify, Delete |
| Boot disk images | - | View, Use | View, Use | View, Use |

| Soperator | auditor | viewer | editor | admin |
|---|---|---|---|---|
| Clusters | - | View | View, Create, Modify, Stop, Start, Delete | View, Create, Modify, Stop, Start, Delete |

| Managed Service for Kubernetes | auditor | viewer | editor | admin |
|---|---|---|---|---|
| Clusters | - | View | View, Create, Modify, Delete | View, Create, Modify, Delete |
| Node groups | - | View | View, Create, Modify, Delete | View, Create, Modify, Delete |

| Serverless AI | auditor | viewer | editor | admin |
|---|---|---|---|---|
| Endpoints | - | View | View | View, Create, Modify, Stop, Start, Delete |
| Jobs | - | View | View | View, Create, Modify, Cancel, Delete |

| Object Storage | auditor | viewer | editor | admin |
|---|---|---|---|---|
| Buckets | View | View | View, Create, Delete, Undelete, Purge | View, Create, Delete, Undelete, Purge |
| Objects, versions | - | List, Download | List, Download, Upload, Delete, Restore | List, Download, Upload, Delete, Restore |
| Multipart uploads | - | List uploads | List uploads, List parts, Create | List uploads, List parts, Create |
| Transfers | View transfers, View iterations | View transfers, View iterations | View transfers, View iterations, Create, Modify, Stop, Start, Delete | View transfers, View iterations, Create, Modify, Stop, Start, Delete |
| Bucket settings | View | View | View, Modify | View, Modify |

| Managed Service for PostgreSQL® | auditor | viewer | editor | admin |
|---|---|---|---|---|
| Clusters | - | View | View, Create, Modify, Stop, Start, Delete | View, Create, Modify, Stop, Start, Delete |

| Container Registry | auditor | viewer | editor | admin |
|---|---|---|---|---|
| Registries | - | View | View, Create, Modify, Delete | View, Create, Modify, Delete |
| Images | - | List, Pull | List, Pull, Push, Modify | List, Pull, Push, Modify |

| Managed Service for MLflow | auditor | viewer | editor | admin |
|---|---|---|---|---|
| Clusters | - | View | View, Stop, Start | View, Stop, Start, Create, Modify, Delete |

| Applications | auditor | viewer | editor | admin |
|---|---|---|---|---|
| Standalone applications | - | View | View, Create, Modify, Stop, Start, Delete | View, Create, Modify, Stop, Start, Delete |
| Applications for Managed Kubernetes | - | View | View, Create, Create/delete endpoints, Delete | View, Create, Create/delete endpoints, Delete |

| Observability | auditor | viewer | editor | admin |
|---|---|---|---|---|
| Metrics | - | View | View | View |
| Alerts | - | View | View, Create, Modify, Delete | View, Create, Modify, Delete |
| Logs | - | View | View, Write | View, Write |

| Virtual Networks | auditor | viewer | editor | admin |
|---|---|---|---|---|
| IP address pools | - | View | View | View |
| IP address allocations | - | View | View, Create, Assign to/de-assign from resources, Delete | View, Create, Assign to/de-assign from resources, Delete |
| Networks | - | View | View, Create, Modify, Delete | View, Create, Modify, Delete |
| Subnets | - | View | View, Create, Use, Modify, Delete | View, Create, Use, Modify, Delete |
| Routing tables | - | View | View, Create, Assign to subnets, Modify, Delete | View, Create, Assign to subnets, Modify, Delete |
| Routes | - | View | View, Create, Modify, Delete | View, Create, Modify, Delete |
| Security groups | - | View | View, Create, Assign to VMs, Modify, Delete | View, Create, Assign to VMs, Modify, Delete |
| Security rules | - | View | View, Create, Modify, Delete | View, Create, Modify, Delete |

| Billing | auditor | viewer | editor | admin |
|---|---|---|---|---|
| Billing details – general (payer type, country, payment method, etc.) | View | View | View | View |
| Billing details – sensitive (payer name, billing address, etc.) | - | View | View | View |
| Documents | View | View | View | View |
| Prices | View | View | View | View |
| Pay-as-you-go balance | - | View | View | View |
| Usage details | - | View | View | View |
| Transactions | - | View | View | View |

| Identity and Access Management | auditor | viewer | editor | admin |
|---|---|---|---|---|
| Users | View | View | View | View |
| Groups | View | View | View | View, Add members, Remove members |
| Service accounts | View | View | View, Create, Modify, Delete | View, Create, Modify, Delete |
| Authorized keys | View | View | View | View, Upload, Modify, Delete |
| Access keys | View | View | View | View, Create, Modify, Delete |

| Audit Logs | auditor | viewer | editor | admin |
|---|---|---|---|---|
| Events | - | - | - | View |
| Exports | - | - | - | View, Create |

| MysteryBox | auditor | viewer | editor | admin |
|---|---|---|---|---|
| Secrets | View, List | View, List | View, List, Create, Update, Delete, Restore | View, List, Create, Update, Delete, Restore |
| Versions | View, List | View, List | View, List, Create, Delete, Restore | View, List, Create, Delete, Restore |
| Payloads | - | - | - | View |

| Quotas | auditor | viewer | editor | admin |
|---|---|---|---|---|
| Limits | - | View | View | View |
| Requests | - | View | View | View, Create, Cancel |

| Support | auditor | viewer | editor | admin |
|---|---|---|---|---|
| Regular requests | View, Create, Comment, Attach files, Close | View, Create, Comment, Attach files, Close | View, Create, Comment, Attach files, Close | View, Create, Comment, Attach files, Close |
| Data Subject Requests to receive copies of data | - | - | - | View, Create, Comment, Attach files, Close |
| Data Subject Requests to erase data | - | - | - | View, Create, Comment, Attach files, Close |

Object Storage

Object Storage roles grant permissions for Object Storage buckets and objects. The following Object Storage roles are available:
  • storage.object-viewer: download objects and view their metadata
  • storage.object-lister: list objects and view their version metadata
  • storage.viewer: view buckets, list and download objects but not upload them
  • storage.uploader: view buckets, upload objects but not list or download them
  • storage.object-editor: view buckets, list, download, upload and manage objects
  • storage.editor: view and manage buckets, list, download, upload and manage objects
The graph below shows how Object Storage roles are related to each other and to general roles, shown in green (the arrow means “is a sub-role of”).
Object Storage roles contain the following permissions (a dash means the role grants no permissions for that resource type):

| Object Storage | storage.object-viewer | storage.object-lister | storage.viewer | storage.uploader | storage.object-editor | storage.editor |
|---|---|---|---|---|---|---|
| Buckets | - | - | View | View | View | View, Create, Delete |
| Objects, versions | Download | List | List, Download | Upload | List, Download, Upload, Delete, Restore | List, Download, Upload, Delete, Restore |
| Multipart uploads | - | - | List uploads | List parts, Create | List uploads, List parts, Create | List uploads, List parts, Create |
| Transfers | - | - | - | - | - | - |
| Bucket settings | - | - | View | View | View | View, Modify |
For more details on the actions available to different roles, see Actions supported by Object Storage roles. If you want to configure fine-grained access to objects in a bucket, apply a bucket policy in Object Storage.

MysteryBox

MysteryBox roles grant permissions for MysteryBox secrets. The only available role is mysterybox.payload-viewer, which is a sub-role of the admin general role. mysterybox.payload-viewer contains the following permissions:
| MysteryBox | mysterybox.payload-viewer |
|---|---|
| Secrets | - |
| Versions | - |
| Payloads | View |
Creating a secret or a version of a secret does not automatically grant you access to view payloads in that secret or version. The editor role is enough to create a secret or a version, but viewing payloads requires the mysterybox.payload-viewer role, which is a sub-role of admin but not editor.
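The two caveats above (choose the narrowest Object Storage role that covers what a workload needs, and remember that editor cannot read MysteryBox payloads while mysterybox.payload-viewer can) are easier to check mechanically than by reading the tables. The script below is an added example, not Nebius code or part of this documentation: it transcribes the Object Storage and MysteryBox rows of the tables above into Python sets (other services are left out), then answers which single role is the least-privileged one that grants a required set of actions, and reconstructs the "is a sub-role of" edges from set inclusion, since the role graphs referred to above are not reproduced on this page. Role, resource and action names are the page's; the derived edges follow from the tables rather than being copied from the official graph.

```python
"""Least-privilege helpers for the role tables on this page.

Added example, not Nebius code. The (resource, action) sets below are
transcribed from the Object Storage and MysteryBox rows of the tables above;
the other services are omitted for brevity.
"""
from itertools import product


def _acts(resource, *actions):
    """Return the set of (resource, action) pairs for one table cell."""
    return {(resource, a) for a in actions}


# Cells that recur across roles, named once.
BUCKET_VIEW = _acts("Buckets", "View")
BUCKET_RW = BUCKET_VIEW | _acts("Buckets", "Create", "Delete", "Undelete", "Purge")
OBJ_VIEW = _acts("Objects, versions", "List", "Download")
OBJ_RW = OBJ_VIEW | _acts("Objects, versions", "Upload", "Delete", "Restore")
MP_ALL = _acts("Multipart uploads", "List uploads", "List parts", "Create")
TRANSFER_VIEW = _acts("Transfers", "View transfers", "View iterations")
TRANSFER_RW = TRANSFER_VIEW | _acts("Transfers", "Create", "Modify", "Stop", "Start", "Delete")
SETTINGS_VIEW = _acts("Bucket settings", "View")
SETTINGS_RW = SETTINGS_VIEW | _acts("Bucket settings", "Modify")
SECRET_VIEW = _acts("Secrets", "View", "List") | _acts("Versions", "View", "List")
SECRET_RW = (SECRET_VIEW | _acts("Secrets", "Create", "Update", "Delete", "Restore")
             | _acts("Versions", "Create", "Delete", "Restore"))
PAYLOAD_VIEW = _acts("Payloads", "View")

# Full permission set of each role, as the tables list it.
ROLES = {
    "auditor": BUCKET_VIEW | TRANSFER_VIEW | SETTINGS_VIEW | SECRET_VIEW,
    "viewer": (BUCKET_VIEW | OBJ_VIEW | _acts("Multipart uploads", "List uploads")
               | TRANSFER_VIEW | SETTINGS_VIEW | SECRET_VIEW),
    "editor": BUCKET_RW | OBJ_RW | MP_ALL | TRANSFER_RW | SETTINGS_RW | SECRET_RW,
    "admin": BUCKET_RW | OBJ_RW | MP_ALL | TRANSFER_RW | SETTINGS_RW | SECRET_RW | PAYLOAD_VIEW,
    "storage.object-viewer": _acts("Objects, versions", "Download"),
    "storage.object-lister": _acts("Objects, versions", "List"),
    "storage.viewer": BUCKET_VIEW | OBJ_VIEW | _acts("Multipart uploads", "List uploads") | SETTINGS_VIEW,
    "storage.uploader": (BUCKET_VIEW | _acts("Objects, versions", "Upload")
                         | _acts("Multipart uploads", "List parts", "Create") | SETTINGS_VIEW),
    "storage.object-editor": BUCKET_VIEW | OBJ_RW | MP_ALL | SETTINGS_VIEW,
    "storage.editor": BUCKET_VIEW | _acts("Buckets", "Create", "Delete") | OBJ_RW | MP_ALL | SETTINGS_RW,
    "mysterybox.payload-viewer": PAYLOAD_VIEW,
}


def grants(role, resource, action):
    """True if the role's table row lists this action for this resource type."""
    return (resource, action) in ROLES[role]


def covering_roles(required):
    """Roles that grant every required (resource, action) pair, fewest total
    permissions first, so index 0 is the least-privileged fit."""
    required = set(required)
    fits = [r for r, perms in ROLES.items() if required <= perms]
    return sorted(fits, key=lambda r: (len(ROLES[r]), r))


def least_privileged_role(required):
    """The smallest role that covers the required pairs, or None if no single role does."""
    fits = covering_roles(required)
    return fits[0] if fits else None


def sub_role_edges():
    """Reconstruct the 'is a sub-role of' graph from the tables: (sub, parent)
    where sub's permissions are a strict subset of parent's and no third role
    sits strictly between them (the transitive reduction)."""
    edges = set()
    for sub, parent in product(ROLES, repeat=2):
        if not ROLES[sub] < ROLES[parent]:  # strict subset; also skips sub == parent
            continue
        if any(ROLES[sub] < ROLES[mid] < ROLES[parent] for mid in ROLES):
            continue  # an intermediate role exists, so this edge is implied
        edges.add((sub, parent))
    return sorted(edges)


if __name__ == "__main__":
    print("upload-only role:", least_privileged_role([("Objects, versions", "Upload")]))
    print("editor can view payloads:", grants("editor", "Payloads", "View"))
    for sub, parent in sub_role_edges():
        print(f"{sub} -> {parent}")
```

Run as a script, it names storage.uploader as the narrowest role for an upload-only workload, confirms that editor does not grant Payloads View, and lists the derived sub-role edges, for instance storage.object-viewer under storage.viewer and mysterybox.payload-viewer directly under admin. Extending ROLES with rows for other services from the general table gives the same checks for those resources.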

Data Subject Requests

Roles for Data Subject Requests (DSRs) grant permissions to receive copies of personal and non-personal data stored in a tenant and its resources in a machine-readable format, and erase the data if required. If you represent a legal entity and want to send a DSR, you need a role for DSRs. The only available role for DSRs is dsr.admin, which allows you to create Data Subject Requests and general support requests. It is a sub-role of the admin general role. dsr.admin contains the following permissions:
| Support | dsr.admin |
|---|---|
| Regular requests | View, Create, Comment, Attach files, Close |
| Data Subject Requests to receive copies of data | View, Create, Comment, Attach files, Close |
| Data Subject Requests to erase data | View, Create, Comment, Attach files, Close |
The dsr.admin role allows you to receive copies of and erase all personal and non-personal data in the tenant. Assign this role with caution.

Postgres, PostgreSQL and the Slonik Logo are trademarks or registered trademarks of the PostgreSQL Community Association of Canada, and used with their permission.