Skip to main content
Types and roles of users
Last update:

Types and roles of users

User access rights are delimited through:

  • user-types, which define where the account will be used — in the dashboard or for authorized access via APIs and automation tools;
  • user roles, which define accesses within each user type.

Add and edit users can only be accessed by users with the Account Owner or User Administrator role.

User types and roles are temporarily unsupported in the following product and service groups:

  • Cloud powered by VMware: Public Cloud powered by VMware, disaster recovery to Cloud powered by VMware, and others;
  • network services (except CDN and DNS);
  • additional services: monitoring and others.

In object storage, user access to the container can be changed according to the access policy, see Manage Object Storage Access for details.

Types of users

The user type is specified at add user and cannot be changed:

  • control panel user — a user with an account in the control panel who registers in the control panel and passes two-step authentication via mail and phone number during authorization. May prescribe Selectel token (API key) for full access to Selectel's API products;
  • service user — a user with an account for program access via Selectel Product API and other automation tools. Has only a username and password. Cannot access dashboard;
  • federated user — a control-panel user who belongs to one of federations and is authenticated through SSO. Does not pass two-step authentication. The user is added already registered — he only needs to enter his full name at the first login. Mail is required. Does not have access to the API.

For more information about authorizing different types of users in the API, see the Authorization API Documentation instructions.

User Roles

Depending on user-type, a user can be assigned one or more roles.

Control Panel UserService UserFederated User
Account OwnerThe user who registered the account. You cannot change the role of the Account Owner or assign the role to another user. You can only change the Account Owner by registering a new account
Account AdministratorUser with access to account management, services and billing
Billing AdministratorUser with access to manage billing and without access to manage services
User AdministratorUser with access to manage users and without access to services and billing. The first User Administrator is created by the Account Owner
Project AdministratorUser with access to manage the infrastructure of the cloud platform project and without access to other projects and products
Account SupervisorUser with access to view all services, billing and account data and without management access. The Account Viewer can view everything that the Account Administrator
Project ViewerUser with access to view the project cloud platform infrastructure and tickets and no management access
Object Storage AdministratorUser with full access to manage object storage within the project. Does not have access to other products. For more information, see the instructions at Manage Object Storage Access
Object Storage UserUser with access to Object Storage containers if they have an access policy configured that allows access to the container for that user, for more information, see the instructions at Manage Object Storage Access. Does not have access to retrieve container list and other products. The degree of access and allowed actions with objects depends on the access policy settings
SubscriberUser without access to the control panel, does not have a login and password. When adding a Subscriber, only mail is specified. Subscriber can only receive notifications from the Accounting Documents and Balance Sheet and Payments categories. Notifications are configured by the Account Owner or User Administrator
(without panel access)

Role Comparison

If a role has all the accesses of another role, the roles are not combined.

The role combinations Project Administrator and Project Viewer, Object Storage Administrator and Object Storage User cannot be assigned to the same project, but can be assigned to different ones.

Account OwnerAccount AdministratorBilling AdministratorUser AdministratorProject AdministratorAccount SupervisorProject SupervisorObject Store AdministratorObject Store User StorageSubscriber
Account Owner
Account Administrator
Billing Administrator
User Administrator
Project Administrator(for different projects)(for different projects)
Viewer account
Project Supervisor(for different projects)-
Object Storage Administrator(for different projects)-(for different projects)
User of object storage(for different projects)-
Subscriber