Yandex project
© 2025 Yandex.Cloud LLC
Yandex Identity and Access Management

System groups

Written by
Yandex Cloud
Updated at May 27, 2025

A system group is a group of users (subjects) to which you can assign roles. In Yandex Cloud, there are two types of system groups: All users in organization X and All users in federation N. These groups allow you to grant access to your resources for a specific user group, but only for the operations that are allowed by the assigned role. System groups do not include service accounts.

System groups are dynamic: any new user added to an organization or federation automatically inherits all the permissions assigned to that organization or federation. When a user is removed from an organization or federation, those permissions are automatically revoked.

It is unsafe to assign roles with extensive permissions, such as editor or admin, to system groups.

All users in organization X

All users in organization X includes all organization X users.

When assigning a role to All users in organization X via the CLI, Terraform, or API, use group:organization:<organization_ID>:users as the subject ID, where <organization_ID> is the unique ID assigned to organization X.

All users in federation N

All users in federation N includes all identity federation N users.

When assigning a role to All users in federation N via the CLI, Terraform, or API, use group:federation:<federation_ID>:users as the subject ID, where <federation_ID> is the unique ID assigned to identity federation N.
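The two subject ID formats above, combined with the warning about editor and admin, can be turned into a review check over exported access bindings. The following is an added example, not Yandex Cloud code: the record layout (resource, role, subject_id), the sample IDs, the ID character class, and the choice to also flag service-scoped roles ending in .editor or .admin are assumptions.

```python
import re
from typing import NamedTuple, Optional

# Subject ID formats taken from this page; the ID character class is an assumption.
_SYSTEM_GROUP_RE = re.compile(r"group:(organization|federation):([A-Za-z0-9_-]+):users")

# "editor" and "admin" are the roles this page names as unsafe for system groups.
BROAD_ROLES = frozenset({"editor", "admin"})


class SystemGroup(NamedTuple):
    scope: str      # "organization" or "federation"
    scope_id: str


def parse_system_group(subject_id: str) -> Optional[SystemGroup]:
    """Return the parsed system group, or None for any other (or malformed) subject."""
    m = _SYSTEM_GROUP_RE.fullmatch(subject_id.strip())
    return SystemGroup(m.group(1), m.group(2)) if m else None


def is_broad(role: str, include_service_roles: bool = True) -> bool:
    """True for editor/admin and, optionally, roles like <service>.admin (assumed policy)."""
    if role in BROAD_ROLES:
        return True
    return include_service_roles and role.rsplit(".", 1)[-1] in BROAD_ROLES


def audit(bindings, include_service_roles: bool = True):
    """Return (resource, role, SystemGroup) for each broad role held by a system group."""
    findings = []
    for b in bindings:
        group = parse_system_group(b.get("subject_id", ""))
        if group and is_broad(b.get("role", ""), include_service_roles):
            findings.append((b.get("resource", "?"), b["role"], group))
    return findings


# Constructed sample bindings; every ID and resource name is a placeholder.
SAMPLE = [
    {"resource": "folder/example-folder", "role": "viewer", "subject_id": "group:organization:exampleorg0001:users"},
    {"resource": "folder/example-folder", "role": "editor", "subject_id": "group:organization:exampleorg0001:users"},
    {"resource": "cloud/example-cloud", "role": "compute.admin", "subject_id": "group:federation:examplefed0001:users"},
    {"resource": "cloud/example-cloud", "role": "admin", "subject_id": "example-user-id-0001"},
    {"resource": "cloud/example-cloud", "role": "admin", "subject_id": "group:organization::users"},
]

if __name__ == "__main__":
    for resource, role, group in audit(SAMPLE):
        print(f"{resource}: {role} granted to all users in {group.scope} {group.scope_id}")
```

Because system groups are dynamic, each finding applies to every current and future member of that organization or federation, so a check like this is worth rerunning whenever bindings change.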

Use cases

  • Authentication using Active Directory
  • Authentication using Microsoft Entra ID
