Contact UsGet started
Written by
Updated at November 14, 2024

Configuring group management access

You can grant access to a user group to:

To do this, assign roles for the group. To choose the ones you need, learn about the service's roles.

Assigning a role

  1. Log in to Yandex Cloud Organization using an administrator or organization owner account.

  2. In the left-hand panel, select Groups and click the row with the name of the group you need.

  3. Go to the Group access rights tab.

  4. Click Assign roles.

  5. Select the group, user, or service account you want to grant access to the group. You may want to use the search feature.

  6. Click Add role and select the roles to assign to the group.

  7. Click Save.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To grant access permissions for a user group:

  1. See the description of the CLI role assignment command:

    yc organization-manager group add-access-binding --help

  2. Get a list of user groups with their IDs:

    yc organization-manager group list \
  --organization-id <organization_ID>

  3. Get the ID of the user, service account, or user group you are assigning a role to.

  4. Using the yc organization-manager group add-access-binding command, assign the following roles:

    yc organization-manager group add-access-binding \
  --id <group_ID> \
  --role <role> \
  --user-account-id <user_ID> \
  --federation-users <user_ID> \
  --service-account-id <service_account_ID> \
  --subject group: <group_ID>

    Where:

    • --id: User group ID.
    • --role: Role ID.

    ID of the object the role is assigned to.

    • --user-account-id: Yandex account ID.
    • --federation-users: Federated user ID.
    • --service-account-id: Service account ID.
    • --subject group: Group ID.

Use the updateAccessBindings method for the Group resource or the GroupService/UpdateAccessBindings gRPC API call and provide the following in the request:

  • ADD value in the accessBindingDeltas[].action parameter to add a role.
  • Role in the accessBindingDeltas[].accessBinding.roleId parameter.
  • ID of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.id parameter.
  • Type of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.type parameter.

Assigning multiple roles

  1. Log in to Yandex Cloud Organization with an administrator or organization owner account.

  2. In the left-hand panel, select Groups and click the row with the name of the group you need.

  3. Go to the Group access rights tab.

  4. Click Assign roles.

  5. Select the user or service account you want to grant access to the group. You may want to use the search feature.

  6. Click Add role and select the roles to assign to the group.

  7. Click Save.

Alert

The set-access-bindings command for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To assign multiple roles for a user group:

  1. Make sure the resource has no roles assigned that you would not want to lose:

    yc organization-manager group list-access-bindings \
  --id <group_ID>

  2. See the description of the CLI role assignment command:

    yc organization-manager group set-access-bindings --help

  3. Get a list of user groups with their IDs:

    yc organization-manager group list

  4. Get the ID of the user, service account, or user group you are assigning roles to.

  5. Using the yc organization-manager group set-access-bindings command, assign the following roles:

    • To a Yandex account user:

      yc organization-manager group set-access-bindings \
  --id <group_ID> \
  --access-binding role=<role>,user-account-id=<user_ID>

    • To a federated user:

      yc organization-manager group set-access-bindings \
  --id <group_ID> \
  --access-binding role=<role>,subject=federatedUser:<user_ID>

    • To a service account:

      yc organization-manager group set-access-bindings \
  --id <group_ID> \
  --access-binding role=<role>,service-account-id=<service_account_ID>

    • To a user group:

      yc organization-manager group set-access-bindings \
  --id <group_ID> \
  --access-binding role=<role>,subject=group:<group_ID>

    Provide a separate --access-binding flag for each role, e.g.:

    yc organization-manager group set-access-bindings \
  --id <group_ID> \
  --access-binding role=<role_1>,service-account-id=<service_account_ID> \
  --access-binding role=<role_2>,service-account-id=<service_account_ID> \
  --access-binding role=<role_2>,service-account-id=<service_account_ID>

Alert

The setAccessBindings method for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.

Use the setAccessBindings method for the Group resource or the GroupService/SetAccessBindings gRPC API call. In your request, provide an array of objects, each one corresponding to a particular role and containing the following data:

  • Role in the accessBindings[].roleId parameter.
  • ID of the subject getting the roles in the accessBindings[].subject.id parameter.
  • Type of the subject getting the roles in the accessBindings[].subject.type parameter.

Revoking a role

  1. Log in to Yandex Cloud Organization with an administrator or organization owner account.

  2. In the left-hand panel, select Groups and click the row with the name of the group you need.

  3. Go to the Group access rights tab.

  4. To revoke a role:

    1. In the row with the required user, service account, or group, click and select Configure access.

    2. Click next to each role you want to revoke.

    3. Click Save.

  5. To revoke all roles, in the row with the required user, service account, or group, click and select Revoke access. Confirm the action.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command to revoke a role:

    yc organization-manager group remove-access-binding --help

  2. Get a list of user groups with their IDs:

    yc organization-manager group list \
  --organization-id <organization_ID>

  3. Get the ID of the user, service account, or user group you are revoking a role from.

  4. Use the yc organization-manager group remove-access-binding command to revoke a role from an object:

    yc organization-manager group remove-access-binding \
  --id <group_ID> \
  --role <role> \
  --user-account-id <user_ID> \
  --federation-users <user_ID> \
  --service-account-id <service_account_ID> \
  --subject group:<group_ID>

    Where:

    • --id: User group ID.
    • --role: Role ID.

    ID of the object to revoke a role from:

    • --user-account-id: Yandex account ID.
    • --federation-users: Federated user ID.
    • --service-account-id: Service account ID.
    • --subject group: Group ID.

Use the updateAccessBindings method for the Group resource or the GroupService/UpdateAccessBindings gRPC API call and provide the following in the request:

  • REMOVE in the accessBindingDeltas[].action parameter to revoke the role.
  • Role in the accessBindingDeltas[].accessBinding.roleId parameter.
  • ID of the subject to revoke the role from in the accessBindingDeltas[].accessBinding.subject.id parameter.
  • Type of the subject to revoke the role from in the accessBindingDeltas[].accessBinding.subject.type parameter.
Previous
Editing a group
Next
Granting permissions to a group