Public groups

A public group is a group of users (subjects) to which you can assign roles. Yandex Cloud has two types of public groups: All authenticated users and All users. These groups allow you to grant public access to your resources, but only for operations that are allowed by the assigned role.

Granting roles with extensive permissions, such as editor or admin, to public groups poses a significant security risk.

All authenticated usersAll authenticated users

All authenticated users includes all users who have successfully authenticated. These are all registered users or Yandex Cloud service accounts: both from your clouds and other users' clouds. Using this group is not advisable for security reasons. Instead, use system groups, such as All users in organization X and All users in federation N, or your own custom groups.

For example, let's say you have an OS disk image that you want to share with all Yandex Cloud users. To do this, assign the compute.images.user role to the All authenticated users subject for the folder containing the image.

When assigning a role to All authenticated users via the CLI, Terraform, and API, use the allAuthenticatedUsers subject ID.

All usersAll users

All users includes any user, with no authentication required.

For example, when making an API request to your resource, users do not need to specify their IAM tokens. Using this group is not advisable for security reasons. Instead, use system groups, such as All users in organization X and All users in federation N, or organization-specific user groups you create on your own.

When assigning a role to All users via the CLI, Terraform, and API, use the allUsers subject ID.