Changing desktop group access permissions

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

You can assign multiple roles using the set-access-bindings command.

1. Make sure the desktop group has no roles you want to keep:

   yc desktops group list-access-bindings <desktop_group_name_or_ID>
   

2. See the description of the CLI command for assigning roles to a desktop group:

   yc desktops group set-access-bindings --help
   

3. Assign roles:

   yc desktops group set-access-bindings <desktop_group_name_or_ID> \
     --access-binding role=<role>,<subject_type>=<subject_ID> \
     --access-binding role=<role>,<subject_type>=<subject_ID>
   

   Where --access-binding contains access permission settings:

   • role: Role.
   • subject: Type and ID of the entity assigned the role.

   For example, the following command will assign roles to multiple users and a single service account:

   yc desktops group set-access-bindings my-desktop-group \
     --access-binding role=editor,userAccount=gfei8n54hmfh******** \
     --access-binding role=viewer,userAccount=helj89sfj80a******** \
     --access-binding role=editor,serviceAccount=ajel6l0jcb9s********
   

   To assign a role to an entity without rewriting its other roles, use the yc desktops group add-access-bindings command. For example, the following command will assign a role to a service account:

   yc desktops group add-access-bindings \
     --name <desktop_group_name> \
     --role <role> \
     --service-account-name <service_account_name>
   

Use the updateAccessBindings REST API method for the DesktopGroup resource or the DesktopGroupService/UpdateAccessBindings gRPC API call.