Setting up user group access permissions
A user group is itself a resource: to let users, service accounts, or other groups manage it, assign them the required roles on the group. Separately, you can grant the group itself permissions for any resource from the list.
Assigning a role
Management console
- Log in as the organization administrator.
- Go to Yandex Cloud Organization.
- In the left-hand panel, select Groups and click the line with the group name.
- Go to the Group access rights tab.
- Click Assign roles.
- Select the group, user, or service account you want to grant access to the group.
- Click Add role and select the roles.
- Click Save.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To grant access permissions for a user group:
- See the description of the CLI role assignment command:
  yc organization-manager group add-access-binding --help
- Get a list of user groups with their IDs:
  yc organization-manager group list --organization-id <organization_ID>
- Get the ID of the user, service account, or user group you are assigning a role to.
- Use one of these commands to assign a role:
  - To a Yandex account user:
    yc organization-manager group add-access-binding \
      --id <group_ID> \
      --role <role> \
      --user-account-id <user_ID>
  - To a federated user:
    yc organization-manager group add-access-binding \
      --id <group_ID> \
      --role <role> \
      --subject federatedUser:<user_ID>
  - To a service account:
    yc organization-manager group add-access-binding \
      --id <group_ID> \
      --role <role> \
      --service-account-id <service_account_ID>
  - To a user group:
    yc organization-manager group add-access-binding \
      --id <group_ID> \
      --role <role> \
      --subject group:<group_ID>
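The CLI steps above, as an added example that is not from this page or from Yandex Cloud: a POSIX shell wrapper that maps the four subject kinds to the flag form add-access-binding expects and rejects anything else, so a typo in the subject type cannot silently bind the role to the wrong principal. It assumes yc is installed and initialized, and it assumes the remove-access-binding and list-access-bindings subcommands, which follow the yc naming used for access bindings on other resources but are not shown on this page. With YC_DRY_RUN=1 it only prints the command it would run, which is how it can be exercised without an organization; the IDs and role name used in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Yandex Cloud documentation.
# YC_DRY_RUN=1 echoes each yc command instead of executing it.

# subject_args SUBJECT_TYPE SUBJECT_ID
# Prints the flags that identify the subject, matching the four CLI forms above:
# Yandex account users and service accounts have dedicated flags, while
# federated users and groups are passed to --subject with a type prefix.
subject_args() {
  case "$1" in
    userAccount)    printf '%s %s' --user-account-id "$2" ;;
    federatedUser)  printf '%s %s' --subject "federatedUser:$2" ;;
    serviceAccount) printf '%s %s' --service-account-id "$2" ;;
    group)          printf '%s %s' --subject "group:$2" ;;
    *) printf 'unknown subject type: %s\n' "$1" >&2; return 1 ;;
  esac
}

# run_yc COMMAND...: executes the command, or only echoes it under YC_DRY_RUN=1.
run_yc() {
  if [ "${YC_DRY_RUN:-0}" = "1" ]; then
    printf 'DRY RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# grant_group_role GROUP_ID ROLE SUBJECT_TYPE SUBJECT_ID
# e.g. grant_group_role ajeexamplegroup example.role federatedUser ajeexampleuser
grant_group_role() {
  args=$(subject_args "$3" "$4") || return 1
  # IDs and role names contain no whitespace, so the unquoted $args splits into
  # exactly the flag and its value.
  run_yc yc organization-manager group add-access-binding --id "$1" --role "$2" $args
}

# revoke_group_role GROUP_ID ROLE SUBJECT_TYPE SUBJECT_ID
# Assumption: remove-access-binding takes the same flags as add-access-binding.
revoke_group_role() {
  args=$(subject_args "$3" "$4") || return 1
  run_yc yc organization-manager group remove-access-binding --id "$1" --role "$2" $args
}

# list_group_roles GROUP_ID
# Assumption: list-access-bindings exists for groups as for other yc resources.
# Run it after a grant or revoke to confirm the binding set is what you expect.
list_group_roles() {
  run_yc yc organization-manager group list-access-bindings --id "$1"
}
```

Because every subcommand goes through run_yc, a change can be rehearsed with YC_DRY_RUN=1 and then replayed for real, and list_group_roles gives the post-change state to compare against the intended binding set.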
API
Use the updateAccessBindings method for the Group resource or the GroupService/UpdateAccessBindings gRPC API call and provide the following in the request:
- ADD in the accessBindingDeltas[].action parameter to add a role.
- Role in the accessBindingDeltas[].accessBinding.roleId parameter.
- ID of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.id parameter.
- Type of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.type parameter.
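The request described above, as an added example that is not from this page or from Yandex Cloud: a shell script that builds the updateAccessBindings body with two deltas, an ADD for the subject taking over a role and a REMOVE for the subject giving it up, so the hand-over happens in a single call rather than leaving a window where both or neither hold the role. It restricts subject.type to the four kinds this page names and accepts only ADD or REMOVE as the action. The REST URL in send_update is an assumption based on the Organization Manager API naming, not something this page states; without IAM_TOKEN set, the function only prints the body. IDs and the role name in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Yandex Cloud documentation.

# access_binding_delta ACTION ROLE SUBJECT_TYPE SUBJECT_ID
# Prints one accessBindingDeltas[] element. Only ADD and REMOVE are valid
# actions; the subject types are the four kinds named on this page.
access_binding_delta() {
  case "$1" in
    ADD|REMOVE) ;;
    *) printf 'unknown action: %s\n' "$1" >&2; return 1 ;;
  esac
  case "$3" in
    userAccount|federatedUser|serviceAccount|group) ;;
    *) printf 'unknown subject type: %s\n' "$3" >&2; return 1 ;;
  esac
  printf '{"action":"%s","accessBinding":{"roleId":"%s","subject":{"id":"%s","type":"%s"}}}' \
    "$1" "$2" "$4" "$3"
}

# update_access_body ROLE OLD_TYPE OLD_ID NEW_TYPE NEW_ID
# Builds a body that grants ROLE to the new subject and revokes it from the old
# one in the same request, e.g.
#   update_access_body example.role userAccount ajeolduser serviceAccount ajenewsa
update_access_body() {
  add=$(access_binding_delta ADD "$1" "$4" "$5") || return 1
  rm_=$(access_binding_delta REMOVE "$1" "$2" "$3") || return 1
  printf '{"accessBindingDeltas":[%s,%s]}' "$add" "$rm_"
}

# send_update GROUP_ID BODY
# POSTs the body with the IAM token when IAM_TOKEN is set; otherwise prints it.
# Assumption: the REST endpoint path follows the Organization Manager API naming.
send_update() {
  if [ -z "${IAM_TOKEN:-}" ]; then
    printf 'IAM_TOKEN not set; request body would be:\n%s\n' "$2"
    return 0
  fi
  curl -sS -X POST \
    -H "Authorization: Bearer $IAM_TOKEN" \
    -H "Content-Type: application/json" \
    -d "$2" \
    "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/groups/$1:updateAccessBindings"
}
```

The subject.type value is validated before the JSON is built because the API will accept any well-formed body; catching a wrong type locally is cheaper than discovering a dangling binding during a later review of the group's access list.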
Revoking a role
To revoke a group role from a user:
- Log in as the organization administrator.
- Go to Yandex Cloud Organization.
- In the left-hand panel, select Groups and click the line with the group name.
- Go to the Group access rights tab.
- Select a user from the list and click the icon next to the username.
- Click Configure access.
- Click the icon next to the role to revoke.
- Click Save.
Tip
To open the list of users allowed to manage the group at the organization role level (e.g., organization admin or owner), go to the Group access rights tab and enable the Inherited roles option.