Changing desktop group permissions
Cloud Desktop leverages Yandex Identity and Access Management roles and access control lists (ACL) to manage access. This example shows how access control works in Cloud Desktop.
- In the management console, select the folder the desktop group is in.
- In the list of services, select Cloud Desktop.
- Click to the right of the desktop group you want to change access permissions for and select Configure ACL.
- In the ACL editing window that opens, grant or revoke the appropriate permissions.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
You can assign multiple roles using the set-access-bindings command.
Alert
The set-access-bindings command completely rewrites access permissions for a desktop group. All current group roles will be deleted.
- Make sure the desktop group has no roles assigned that you would not want to lose:
  yc desktops group list-access-bindings <desktop_group_name_or_ID>
- See the description of the CLI command for assigning roles to a desktop group:
  yc desktops group set-access-bindings --help
- Assign roles:
  yc desktops group set-access-bindings <desktop_group_name_or_ID> \
    --access-binding role=<role>,<subject_type>=<subject_ID> \
    --access-binding role=<role>,<subject_type>=<subject_ID>
  Where --access-binding is used to provide the parameters for setting access permissions:
  For example, assign roles to multiple users and a service account:
  yc desktops group set-access-bindings my-desktop-group \
    --access-binding role=editor,userAccount=gfei8n54hmfh******** \
    --access-binding role=viewer,userAccount=helj89sfj80a******** \
    --access-binding role=editor,serviceAccount=ajel6l0jcb9s********
To assign a role to a subject without rewriting its other roles, use the yc desktops group add-access-bindings command. For example, to assign a role to a service account:
  yc desktops group add-access-bindings \
    --name <desktop_group_name> \
    --role <role> \
    --service-account-name <service_account_name>
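Because set-access-bindings replaces the whole ACL, it helps to compare the current bindings with the ones you are about to pass before running it. The following pre-flight check is an added example, not part of the Yandex Cloud documentation or tooling; it assumes the listing was saved with the CLI's `--format json` option and that each entry has a `role_id` field and a `subject` object with `type` and `id`. The sample data and subject IDs are constructed.

```python
import json
import shlex

# Constructed sample of `yc desktops group list-access-bindings <group> --format json`.
# Assumption: each entry has "role_id" and a "subject" object with "type" and "id".
SAMPLE_CURRENT = """[
  {"role_id": "editor", "subject": {"type": "userAccount", "id": "constructed-user-1"}},
  {"role_id": "viewer", "subject": {"type": "userAccount", "id": "constructed-user-2"}},
  {"role_id": "editor", "subject": {"type": "serviceAccount", "id": "constructed-sa-1"}}
]"""


def parse_current(raw_json):
    """Turn the JSON listing into a set of (role, subject_type, subject_id)."""
    return {(b["role_id"], b["subject"]["type"], b["subject"]["id"])
            for b in json.loads(raw_json)}


def parse_flag(value):
    """Parse one --access-binding value: role=<role>,<subject_type>=<subject_ID>."""
    fields = dict(part.split("=", 1) for part in value.split(","))
    role = fields.pop("role")
    if len(fields) != 1:
        raise ValueError(f"expected exactly one subject in {value!r}")
    (subject_type, subject_id), = fields.items()
    return (role, subject_type, subject_id)


def lost_bindings(current, desired):
    """Bindings that exist now but would be deleted by set-access-bindings."""
    return current - desired


def build_command(group, bindings):
    """Build a set-access-bindings call that carries every binding in `bindings`."""
    argv = ["yc", "desktops", "group", "set-access-bindings", group]
    for role, subject_type, subject_id in sorted(bindings):
        argv += ["--access-binding", f"role={role},{subject_type}={subject_id}"]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    current = parse_current(SAMPLE_CURRENT)
    desired = {parse_flag(v) for v in ("role=viewer,userAccount=constructed-user-2",
                                       "role=editor,serviceAccount=constructed-sa-2")}
    for binding in sorted(lost_bindings(current, desired)):
        print("would be deleted:", *binding)
    print(build_command("my-desktop-group", current | desired))
```

If the list of bindings that would be deleted is not empty and the removal is not intended, either run the merged command it prints or use add-access-bindings instead.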
Use the updateAccessBindings REST API method for the DesktopGroup resource or the DesktopGroupService/UpdateAccessBindings gRPC API call.