System groups
A system group is a group of users (subjects) to which you can assign roles. In Yandex Cloud, there are two types of system groups: All users in organization X and All users in federation N. These groups allow you to grant access to your resources for a specific user group, but only for the operations that are allowed by the assigned role. System groups do not include service accounts.
System groups are dynamic: any new user added to an organization or federation automatically receives all the permissions assigned to the system group of that organization or federation. When a user is removed from the organization or federation, those permissions are automatically revoked.
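It is unsafe to assign roles with extensive permissions, such as editor or admin, to system groups: because membership is dynamic, every current and future user of the organization or federation receives those permissions automatically.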
All users in organization X
All users in organization X includes all organization X users.
When assigning a role to All users in organization X via the CLI, Terraform, or API, use group:organization:<organization_ID>:users as the subject ID, where <organization_ID> is the unique ID assigned to organization X.
All users in federation N
All users in federation N includes all identity federation N users.
When assigning a role to All users in federation N via the CLI, Terraform, or API, use group:federation:<federation_ID>:users as the subject ID, where <federation_ID> is the unique ID assigned to identity federation N.
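The warning about extensive roles and the two subject ID formats above can be combined into an audit check. The following is an added example, not part of the original documentation: it scans a list of access bindings and reports editor or admin roles granted to a system group. The JSON field names (role_id, subject.id), the treatment of service-scoped roles such as compute.admin, and all IDs in the sample are assumptions or constructed placeholders.

```python
import json
import re

# Subject ID formats for the two system groups, as given on this page.
SYSTEM_GROUP_RE = re.compile(r"^group:(organization|federation):([^:]+):users$")

# Roles the page names as too broad for a system group.
BROAD_ROLES = {"editor", "admin"}

# Constructed sample; the field names (role_id, subject.id) are an assumed
# shape for exported access bindings, and all IDs are placeholders.
SAMPLE_BINDINGS = json.dumps([
    {"role_id": "viewer", "subject": {"id": "group:organization:org-placeholder-1:users"}},
    {"role_id": "editor", "subject": {"id": "group:federation:fed-placeholder-1:users"}},
    {"role_id": "admin", "subject": {"id": "user-placeholder-1"}},
    {"role_id": "compute.admin", "subject": {"id": "group:organization:org-placeholder-1:users"}},
    # Malformed subject (empty ID): does not match the format and is skipped.
    {"role_id": "admin", "subject": {"id": "group:organization::users"}},
])


def is_broad(role_id):
    # Assumption: a service-scoped role such as "compute.admin" is treated as
    # broad when its last dot-separated component is a broad role name.
    return role_id.rsplit(".", 1)[-1] in BROAD_ROLES


def find_risky_bindings(bindings_json):
    """Return (scope, group_id, role) for broad roles bound to a system group."""
    findings = []
    for binding in json.loads(bindings_json):
        subject_id = binding.get("subject", {}).get("id", "")
        match = SYSTEM_GROUP_RE.match(subject_id)
        if match and is_broad(binding.get("role_id", "")):
            findings.append((match.group(1), match.group(2), binding["role_id"]))
    return findings


if __name__ == "__main__":
    for scope, group_id, role in find_risky_bindings(SAMPLE_BINDINGS):
        print(f"{role} is granted to all users in {scope} {group_id}")
```

A viewer binding on a system group is not reported, and neither is an admin binding on an individual subject; only the combination of a system group subject and a broad role is flagged.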