Interaction between users and Yandex Cloud resources
All Yandex Cloud services work on a common resource and role model. Its underlying entity is the organization, which combines different types of resources and users in a single workspace.
Yandex Cloud resources
When using Yandex Cloud services, you create resources: VMs, managed database and Kubernetes clusters, registries, secrets, and more. Most services store the resources they create in folders. Folders belong to clouds, and clouds belong to organizations.
In addition, organizations may have the following enabled: Yandex DataSphere
In the Cloud Center interface
Learn more about the resource hierarchy in Yandex Cloud.
Users
Each Yandex Cloud user has their own account, which identifies them when they perform operations on resources. This can be either a Yandex ID
Each user belongs to at least one organization. When logging in to Yandex Cloud with your Yandex ID for the first time, you will be prompted to register your own organization. After creating an organization, you can enable and disable Yandex Cloud services, create clouds, folders, and other resources.
You can invite other members with Yandex accounts to your organization to grant them access to its services and resources. If your company already uses a different account management system (such as Active Directory
Access management
Access rights to Yandex Cloud resources are managed using roles. To allow an account (subject) to perform actions on a resource (object), assign the appropriate roles for that resource either to the account itself or to a group the account belongs to. Each role is essentially a list of operations permitted on the object. Permissions to access Yandex Cloud resources are managed by Yandex Identity and Access Management.
To authenticate users, Yandex Cloud services request credentials. The type of data requested depends on the account type, the service, and the request interface. When using the API, the folder ID is also required to uniquely identify the resource and verify the permissions. If actions are performed on behalf of a service account, the ID of that service account's folder is used by default.
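The following is an added illustration of the role model described above (example code, not Yandex Cloud's own implementation or API): roles are lists of permitted operations, bindings attach a role to a user account or a group on a resource, and a binding made on a cloud applies to the folders and resources below it in the hierarchy. All role names, operation names, resource IDs, accounts and groups are constructed for the example.

```python
# Hypothetical role catalogue: each role is just a set of permitted operations.
ROLES = {
    "viewer": {"compute.instances.get", "compute.instances.list"},
    "editor": {"compute.instances.get", "compute.instances.list",
               "compute.instances.create", "compute.instances.delete"},
}

# Constructed resource hierarchy: organization -> cloud -> folder -> resource.
PARENT = {
    "vm-1": "folder-a",
    "folder-a": "cloud-1",
    "cloud-1": "org-1",
    "org-1": None,
}

# Constructed group membership: account -> groups it belongs to.
GROUPS = {"alice": {"ops-team"}, "bob": set()}

# Access bindings: (resource, subject) -> roles. A subject is an account or a group.
BINDINGS = {
    ("cloud-1", "ops-team"): {"viewer"},   # read-only for the whole cloud via a group
    ("folder-a", "bob"): {"editor"},       # edit rights scoped to one folder
}


def subjects_for(account):
    """An account acts as itself plus every group it is a member of."""
    return {account} | GROUPS.get(account, set())


def effective_roles(account, resource):
    """Collect roles bound on the resource and on each of its ancestors (assumed inheritance)."""
    roles, subjects, node = set(), subjects_for(account), resource
    while node is not None:
        for subject in subjects:
            roles |= BINDINGS.get((node, subject), set())
        node = PARENT.get(node)  # unknown resource -> no parent -> stop
    return roles


def is_allowed(account, operation, resource):
    """True if any effective role lists the operation; unknown roles grant nothing."""
    return any(operation in ROLES.get(role, set())
               for role in effective_roles(account, resource))
```

A binding made on a folder does not flow upward: bob can edit instances in folder-a but gets no rights on cloud-1 itself.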