Changing desktop group permissions

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.

You can assign multiple roles using the set-access-bindings command.

1. Make sure the desktop group has no roles assigned that you would not want to lose:

   yc desktops group list-access-bindings <desktop_group_name_or_ID>
   

2. See the description of the CLI command for assigning roles to a desktop group:

   yc desktops group set-access-bindings --help
   

3. Assign roles:

   yc desktops group set-access-bindings <desktop_group_name_or_ID> \
     --access-binding role=<role>,<subject_type>=<subject_ID> \
     --access-binding role=<role>,<subject_type>=<subject_ID>
   

   Where --access-binding is used to provide the parameters for setting access permissions:

   • role: Role to assign.
   • subject: Type and ID of the subject getting the role.

   For example, assign roles to multiple users and a service account:

   yc desktops group set-access-bindings my-desktop-group \
     --access-binding role=editor,userAccount=gfei8n54hmfh******** \
     --access-binding role=viewer,userAccount=helj89sfj80a******** \
     --access-binding role=editor,serviceAccount=ajel6l0jcb9s********
   

   To assign a role to a subject without rewriting its other roles, use the yc desktops group add-access-bindings command. For example, to assign a role to a service account:

   yc desktops group add-access-bindings \
     --name <desktop_group_name> \
     --role <role> \
     --service-account-name <service_account_name>
   

Use the updateAccessBindings REST API method for the DesktopGroup resource or the DesktopGroupService/UpdateAccessBindings gRPC API call.