How to set up access to manage a user group in Yandex Cloud Organization

Written by

Yandex Cloud

Updated at May 5, 2025

Configuring group management access

Configuring group management access

You can grant access to a user group to:

To do this, assign roles for the group. To choose the ones you need, learn about the service's roles.

Assigning a role

Cloud Center interface

CLI

API

Log in to Yandex Cloud Organization using an administrator or organization owner account.
In the left-hand panel, select Groups and click the row with the name of the group you need.
Go to the Group access rights tab.
Click Assign roles.
Select the group, user, or service account you want to grant access to the group. You may want to use the search feature.
Click Add role and select the roles to assign to the group.
Click Save.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

To grant access permissions for a user group:

See the description of the CLI role assignment command:

yc organization-manager group add-access-binding --help

Get a list of user groups with their IDs:

yc organization-manager group list \
  --organization-id <organization_ID>

Get the ID of the user, service account, or user group you are assigning a role to.
Using the yc organization-manager group add-access-binding command, assign the following roles:
```
yc organization-manager group add-access-binding \
  --id <group_ID> \
  --role <role> \
  --user-account-id <user_ID> \
  --federation-users <user_ID> \
  --service-account-id <service_account_ID> \
  --subject group: <group_ID>
```
Where:
- --id: User group ID.
- --role: Role ID.
ID of the object the role is assigned to.
- --user-account-id: Yandex account ID.
- --federation-users: Federated user ID.
- --service-account-id: Service account ID.
- --subject group: Group ID.

Use the updateAccessBindings method for the Group resource or the GroupService/UpdateAccessBindings gRPC API call and provide the following in the request:

ADD value in the accessBindingDeltas[].action parameter to add a role.
Role in the accessBindingDeltas[].accessBinding.roleId parameter.
ID of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.id parameter.
Type of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.type parameter.

Assigning multiple roles

Cloud Center interface

CLI

API

Log in to Yandex Cloud Organization with an administrator or organization owner account.
In the left-hand panel, select Groups and click the row with the name of the group you need.
Go to the Group access rights tab.
Click Assign roles.
Select the user or service account you want to grant access to the group. You may want to use the search feature.
Click Add role and select the roles to assign to the group.
Click Save.

Alert

The set-access-bindings command for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

To assign multiple roles for a user group:

Make sure the resource has no roles assigned that you would not want to lose:
```
yc organization-manager group list-access-bindings \
  --id <group_ID>
```

See the description of the CLI role assignment command:

yc organization-manager group set-access-bindings --help

Get a list of user groups with their IDs:
```
yc organization-manager group list
```
Get the ID of the user, service account, or user group you are assigning roles to.

Using the yc organization-manager group set-access-bindings command, assign the following roles:

To a Yandex account user:

yc organization-manager group set-access-bindings \
  --id <group_ID> \
  --access-binding role=<role>,user-account-id=<user_ID>

To a federated user:

yc organization-manager group set-access-bindings \
  --id <group_ID> \
  --access-binding role=<role>,subject=federatedUser:<user_ID>

To a service account:

yc organization-manager group set-access-bindings \
  --id <group_ID> \
  --access-binding role=<role>,service-account-id=<service_account_ID>

To a user group:

yc organization-manager group set-access-bindings \
  --id <group_ID> \
  --access-binding role=<role>,subject=group:<group_ID>

Provide a separate --access-binding flag for each role, e.g.:

yc organization-manager group set-access-bindings \
  --id <group_ID> \
  --access-binding role=<role_1>,service-account-id=<service_account_ID> \
  --access-binding role=<role_2>,service-account-id=<service_account_ID> \
  --access-binding role=<role_2>,service-account-id=<service_account_ID>

Alert

The setAccessBindings method for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.

Use the setAccessBindings method for the Group resource or the GroupService/SetAccessBindings gRPC API call. In your request, provide an array of objects, each one corresponding to a particular role and containing the following data:

Role in the accessBindings[].roleId parameter.
ID of the subject getting the roles in the accessBindings[].subject.id parameter.
Type of the subject getting the roles in the accessBindings[].subject.type parameter.

Revoking a role

Cloud Center interface

CLI

API

Log in to Yandex Cloud Organization with an administrator or organization owner account.
In the left-hand panel, select Groups and click the row with the name of the group you need.
Go to the Group access rights tab.
To revoke a role:
1. In the row with the required user, service account, or group, click and select Configure access.
2. Click next to each role you want to revoke.
3. Click Save.
To revoke all roles, in the row with the required user, service account, or group, click and select Revoke access. Confirm the action.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

See the description of the CLI command to revoke a role:

yc organization-manager group remove-access-binding --help

Get a list of user groups with their IDs:

yc organization-manager group list \
  --organization-id <organization_ID>

Get the ID of the user, service account, or user group you are revoking a role from.
Use the yc organization-manager group remove-access-binding command to revoke a role from an object:
```
yc organization-manager group remove-access-binding \
  --id <group_ID> \
  --role <role> \
  --user-account-id <user_ID> \
  --federation-users <user_ID> \
  --service-account-id <service_account_ID> \
  --subject group:<group_ID>
```
Where:
- --id: User group ID.
- --role: Role ID.
ID of the object to revoke a role from:
- --user-account-id: Yandex account ID.
- --federation-users: Federated user ID.
- --service-account-id: Service account ID.
- --subject group: Group ID.

Use the updateAccessBindings method for the Group resource or the GroupService/UpdateAccessBindings gRPC API call and provide the following in the request:

REMOVE in the accessBindingDeltas[].action parameter to revoke the role.
Role in the accessBindingDeltas[].accessBinding.roleId parameter.
ID of the subject to revoke the role from in the accessBindingDeltas[].accessBinding.subject.id parameter.
Type of the subject to revoke the role from in the accessBindingDeltas[].accessBinding.subject.type parameter.

Configuring group management accessConfiguring group management access

Assigning a roleAssigning a role

Assigning multiple rolesAssigning multiple roles

Revoking a roleRevoking a role

Was the article helpful?

Configuring group management access

Assigning a role

Assigning multiple roles

Revoking a role