Revoking a user's role
If you want to deny a user access to a resource, revoke the relevant roles for this resource and for resources that grant inherited access rights. For more information on access management in Yandex Cloud, see the Yandex Identity and Access Management documentation.
The role can be revoked by a user with the organization-manager.admin or organization-manager.organizations.owner role.
-
Log in to Yandex Cloud Organization with an administrator or organization owner account.
-
In the left-hand panel, select Access bindings.
-
Find the required user in the list. If required, use the search bar or filter.
-
In the row with the user, click and select Assign bindings. In the window that opens:
-
Click next to a role to delete it.
-
Click Save.
-
If you do not have the Yandex Cloud CLI yet, install and initialize it.
-
View the roles and assignees for the resource:
yc <service_name> <resource> list-access-bindings <resource_name_or_ID>Where:
<service_name>: Name of the service the resource belongs to, e.g.,organization-manager.<resource>: Resource category. For an organization, it is alwaysorganization.<resource_name_or_ID>: Resource name or ID. You can specify the resource name or ID. For an organization, use its technical name.
For example, view the roles and assignees in an organization with the
bpf3crucp1v2********ID:yc organization-manager organization list-access-bindings bpf3crucp1v2********Result:
+------------------------------------------+--------------+----------------------+ | ROLE ID | SUBJECT TYPE | SUBJECT ID | +------------------------------------------+--------------+----------------------+ | organization-manager.organizations.owner | userAccount | aje3r40rsemj******** | | organization-manager.admin | userAccount | aje6o61dvog2******** | +------------------------------------------+--------------+----------------------+ -
To delete access permissions, run this command:
yc <service_name> <resource> remove-access-binding <resource_name_or_ID> \ --role <role_ID> \ --subject <subject_type>:<subject_ID>Where:
--role: ID of the role to revoke, e.g.,organization-manager.admin.<subject_type>: Subject type to revoke a role from.<subject_ID>: Subject ID.
For example, to revoke a role from a user with the
aje6o61dvog2********ID:yc organization-manager organization remove-access-binding bpf3crucp1v2******** \ --role organization-manager.admin \ --subject userAccount:aje6o61dvog2********
-
View the roles and assignees for the resource using the
listAccessBindingsmethod. For example, to view the roles in the organization with thebpf3crucp1v2********ID:export ORGANIZATION_ID=bpf3crucp1v2******** export IAM_TOKEN=<IAM_token> curl \ --header "Authorization: Bearer ${IAM_TOKEN}" \ "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations/${ORGANIZATION_ID}:listAccessBindings"Result:
{ "accessBindings": [ { "subject": { "id": "aje6o61dvog2********", "type": "userAccount" }, "roleId": "organization-manager.admin" } ] } -
Create the request body, e.g., in the
body.jsonfile. In the request body, specify access permissions to delete. For example, revoke theorganization-manager.adminrole from theaje6o61dvog2********user:{ "accessBindingDeltas": [{ "action": "REMOVE", "accessBinding": { "roleId": "organization-manager.admin", "subject": { "id": "aje6o61dvog2********", "type": "userAccount" } } }] } -
Revoke a role by deleting the specified permissions:
export ORGANIZATION_ID=bpf3crucp1v2******** export IAM_TOKEN=<IAM_token> curl \ --request POST \ --header "Content-Type: application/json" \ --header "Authorization: Bearer ${IAM_TOKEN}" \ --data '@body.json' \ "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations/${ORGANIZATION_ID}:updateAccessBindings"