Changing desktop group access permissions
Cloud Desktop leverages Yandex Identity and Access Management roles and access control lists (ACL) to manage access. This example shows how access control works in Cloud Desktop.
- In the management console, select the folder containing the desktop group.
- From the list of services, select Cloud Desktop.
- Click next to the desktop group whose access permissions you want to change, then select Configure ACL.
- In the ACL editing window that opens, grant or revoke the permissions as you see fit.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using the --folder-name or --folder-id parameter.
You can assign multiple roles using the set-access-bindings command.
Alert: The set-access-bindings command rewrites desktop group access permissions. All current group roles will be deleted.
- Make sure the desktop group has no roles you want to keep:
    yc desktops group list-access-bindings <desktop_group_name_or_ID>
- See the description of the CLI command for assigning roles to a desktop group:
    yc desktops group set-access-bindings --help
- Assign roles:
    yc desktops group set-access-bindings <desktop_group_name_or_ID> \
      --access-binding role=<role>,<subject_type>=<subject_ID> \
      --access-binding role=<role>,<subject_type>=<subject_ID>
  Where --access-binding contains access permission settings.
  For example, the following command will assign roles to multiple users and a single service account:
    yc desktops group set-access-bindings my-desktop-group \
      --access-binding role=editor,userAccount=gfei8n54hmfh******** \
      --access-binding role=viewer,userAccount=helj89sfj80a******** \
      --access-binding role=editor,serviceAccount=ajel6l0jcb9s********
To assign a role to an entity without rewriting its other roles, use the yc desktops group add-access-bindings command. For example, the following command will assign a role to a service account:
    yc desktops group add-access-bindings \
      --name <desktop_group_name> \
      --role <role> \
      --service-account-name <service_account_name>
Use the updateAccessBindings REST API method for the DesktopGroup resource or the DesktopGroupService/UpdateAccessBindings gRPC API call.