Contact UsGet started

Managing users

Written by
Updated at November 14, 2024

The guide in this checklist item will help you add users to your created organization, appoint an administrator, and set user roles.

Add a Yandex user

If your employees have Yandex accounts, e.g., login@yandex.ru, they can use them to access Yandex Cloud services enabled in your organization.

To add employee accounts to the organization, follow these steps:

  1. Go to Yandex Cloud Organization.

  2. In the left-hand panel, select Users.

  3. In the top-right corner, click Invite users.

  4. Enter the email addresses of the users you want to invite to the organization (e.g., login@yandex.com).

    You can send invitations to any email address. Invited users will be able to select the appropriate Yandex account once they accept the invitation.

  5. Click Send invitation.

  1. Log in to the management console with the cloud administrator account.

  2. Select the appropriate cloud from the list on the left. Example:

    image

  3. In the top-right corner, click and select Invite users.

  4. Enter the email addresses of the users you want to invite to the organization (e.g., login@yandex.ru).

    You can send invitations to any email address. Invited users will be able to select the appropriate Yandex account once they accept the invitation.

  5. Click Send invitation.

The users will be added to the organization as soon as they accept the invitation and select a log-in account for the organization.

To access the organization's enabled services, invited users simply need to log in to their Yandex account.

Add federated users

To add federated users, you need to know the user Name IDs returned by the Identity Provider (IdP) server together with the authentication successful response. This is usually the user's primary email address. If you do not know what the server returns as the name ID, contact the administrator who configured authentication for your federation.

To add federation users to an organization:

  1. Go to Yandex Cloud Organization.

  2. In the left-hand panel, select Users.

  3. In the top-right corner, click More and select Add federated users.

  4. Select the identity federation to add users from.

  5. List the name IDs of users, separating them with spaces or line breaks.

  6. Click Add. This will give the users access to the organization.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View a description of the add user command:

    yc organization-manager federation saml add-user-accounts --help

  2. Add users by listing their name IDs separated by a comma:

    yc organization-manager federation saml add-user-accounts \
   --name <federation_name> \
   --name-ids <list_of_user_name_IDs>

Terraform allows you to quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. Configuration files store the infrastructure description in the HashiCorp Configuration Language (HCL). Terraform and its providers are distributed under the Business Source License.

For more information about the provider resources, see the documentation on the Terraform website or the mirror.

If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

  1. In the configuration file, describe the parameters of the resources you want to create:

    resource "yandex_organizationmanager_saml_federation_user_account" "some_account" {
  federation_id = "<federation_ID>"
  name_id       = "<User_name_ID>"
}

    Where:

    • federation_id: ID of the federation to add the user to.
    • name_id: Name ID of the user.

    For more information about the yandex_organizationmanager_saml_federation_user_account resource parameters, see the provider documentation.

  2. Create resources:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

    Terraform will create all the required resources. You can check the new resources using the management console or this CLI command:

    yc organization-manager federations saml \
  --organization-id <organization_ID> list-user-accounts \
  --id <federation_ID>

Use the addUserAccounts REST API method for the Federation resource or the FederationService/AddUserAccounts gRPC API call and provide the following in the request:

  • Federation ID in the federationId parameter.
  • List of user name IDs in the nameIds parameter.

Assign roles to the users

  1. Add the required user if needed.
  2. In the management console, on the left, select a cloud.
  3. Go to the Access bindings tab.
  4. Click Configure access.
  5. In the window that opens, select User accounts.
  6. Select a user from the list or search by user.
  7. Click Add role and select a role for the cloud.
  8. Click Save.
  1. Select a role from the Yandex Cloud role reference.
  2. Get the user ID.
  3. Assign the role using the command:
yc <SERVICE-NAME> <RESOURCE> add-access-binding <RESOURCE-NAME>|<RESOURCE-ID> \
  --role <ROLE-ID> \
  --subject userAccount:<USER-ACCOUNT-ID>

where:

  • <SERVICE-NAME>: Name of the service for whose resource you are assigning the role, e.g., resource-manager.
  • <RESOURCE>: Resource category, e.g., cloud.
  • <RESOURCE-NAME>: Resource name. You can specify a resource by its name or ID.
  • <RESOURCE-ID>: Resource ID.
  • <ROLE-ID>: Role ID, e.g., resource-manager.clouds.owner.
  • <USER-ACCOUNT-ID>: ID of the user account that gets the role.

For example, assign the viewer role for the my-cloud cloud.

$ yc resource-manager cloud add-access-binding mycloud \
  --role viewer \
  --subject userAccount:aje6o61dvog2h6g9a33s

Use the updateAccessBindings method for the appropriate resource.

  1. Select a role from the Yandex Cloud role reference.
  2. Get the user ID.
  3. Create the request body, e.g., in the body.json file. In the action property, enter ADD and specify the userAccount type and user ID under subject.

body.json:

{
  "accessBindingDeltas": [{
    "action": "ADD",
    "accessBinding": {
      "roleId": "editor",
      "subject": {
        "id": "gfei8n54hmfhuk5nogse",
        "type": "userAccount"
        }
      }
    }
  ]
}

  1. Assign a role to a service account. For example, for a folder with the b1gvmob95yys******** ID:

    export FOLDER_ID=b1gvmob95yys********
export IAM_TOKEN=CggaAT********
curl \
  --request POST \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer ${IAM_TOKEN}" \
  --data '@body.json' \
  "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"

Appoint an administrator

To grant organization management access to a user, assign one of the following roles:

  • organization-manager.admin: Organization administrator role.

    The role allows you to edit organization settings, create identity federations, add and remove users, create other administrators, and manage the organization's cloud resources.

  • organization-manager.organizations.owner: Organization owner role.

    The role allows you to appoint organization owners and use all the administrator privileges.

    By default, the user who creates an organization is the organization owner.

  • organization-manager.viewer: Enables viewing the organization settings without the permission to edit them.

Previous
Step 4. Selecting a service plan
Next
Step 6. Resource hierarchy