Contact UsGet started

Assigning a role to a user

Written by
Updated at November 7, 2024

Organization administrators and owners can assign roles in Yandex Cloud Organization. You can assign to users not just organization management roles but also roles for access to your organization's connected cloud resources.

For information on roles available in Yandex Cloud and their associated permissions, please review the Yandex Identity and Access Management documentation, Yandex Cloud role reference.

  1. Log in to Yandex Cloud Organization with an administrator or organization owner account.

  2. In the left-hand panel, select Access bindings.

  3. If the user already has at least one role, click and select Assign bindings in the row with this user.

    If the user is not on the list, click Assign bindings in the top-right corner. In the window that opens, select a user from the list or use the search bar.

  4. Click Add role and select the role you want to assign to the user. You can assign multiple roles.

    You can find the description of the available roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.

  5. Click Save.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

  1. Select the role you want to assign.

  2. Get the user ID.

  3. Assign the role using the command:

    yc <service_name> <resource> add-access-binding <resource_name_or_ID> \
  --role <role_ID> \
  --subject <subject_type>:<subject_ID>

    Where:

    • <service_name>: Name of the service for whose resource you assign the role, e.g., organization-manager.
    • <resource>: Resource category. For an organization, it is always organization.
    • <resource_name_or_ID>: Resource name or ID. For an organization, use its technical name.
    • --role: Role ID.
    • --subject: Type and ID of the subject getting the role.

    For example, this command assigns a user the administrator role for a directory with the b1gmit33ngp3******** ID:

    yc recource-manager folder add-access-binding b1gmit33ngp3******** \
  --role resource-manager.admin \
  --subject userAccount:aje6o61dvog2********

If you don't have Terraform, install it and configure the Yandex Cloud provider.

  1. Describe the parameters of the roles you assign in the configuration file:

    resource "yandex_organizationmanager_organization_iam_binding" "editor" {
  organization_id = "<organization_ID>"
  role = "<role_ID>"
  members = [
    "federatedUser:<user_ID>",
  ]
}

    Where:

    • organization_id: Organization ID.

    • role: Role you want to assign. For each role, you can only use one yandex_organization manager_organization_iam_binding resource.

    • members: Array of the IDs of users to assign the role to:

      • userAccount:<user_ID>: Yandex user account ID.
      • federatedUser:<user_ID>: Federated user ID.

    For more information about the resources you can create with Terraform, see the provider documentation.

  2. Create resources:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

The specified user will then get roles in the organization. You can check the new role in the management console.

To assign a role, use the updateAccessBindings REST API method for the appropriate resource:

  1. Select the role you want to assign.

  2. Get the user ID.

  3. Create the request body, e.g., in the body.json file. In the action property, enter ADD and specify the userAccount or federatedUser type and user ID under subject.

    {
  "accessBindingDeltas": [{
    "action": "ADD",
    "accessBinding": {
      "roleId": "<role_ID>",
      "subject": {
        "id": "gfei8n54hmfh********",
        "type": "userAccount"
      }
    }
  }]
}

  4. Assign the role. For example, for an organization with the bpf3crucp1v2******** ID:

    export ORGANIZATION_ID=bpf3crucp1v2********
export IAM_TOKEN=<IAM_token>
curl \
  --request POST \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer ${IAM_TOKEN}" \
  --data '@body.json' \
  "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations/${ORGANIZATION_ID}:updateAccessBindings"

In a similar way, you can assign roles for an organization to a service account.

See also

Previous
Assigning a user as organization administrator
Next
Assigning a role to a user group