

Cloud Infrastructure Entitlement Management (CIEM)

Written by
Yandex Cloud
Updated at March 31, 2025

To ensure data and cloud infrastructure security, you need to regularly audit the access permissions of users and service accounts.

Cloud Infrastructure Entitlement Management, or CIEM, provides a centralized view of the full list of access permissions for organization resources granted to subjects: users, service accounts, user groups, system groups, and public groups. The tool also makes it easy to revoke access from subjects.

Viewing access permissions

Only organization members with the organization-manager.viewer role or higher for the organization can view access permissions in the Security Deck interface.

For each access permission, the list indicates the name/ID and type of resource to which access was granted, the role assigned to the subject for that resource, and information about whether the role was assigned to the subject directly or was inherited from a group of which the subject is a member.

Cloud Infrastructure Entitlement Management allows you to view the access permissions assigned to an individual subject (user or service account):

  • Directly
  • Via a user group
  • Via a system group
  • Via a public group

To check whether access to a particular resource was assigned to a subject directly or via a group, refer to the Group field of the table listing the subject’s access permissions. If the role was assigned directly, this field will be empty. In other cases, it will show the name of the group and its ID.

Access permissions are always assigned to groups directly, so for groups, the Group field of the table with access permissions is always empty.

You can filter the list of access permissions granted to a subject by:

  • ID of the resource the access was granted to.
  • ID of the granted role.
  • Assignment method: Directly appointed or Assigned via group.
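The view described above (each subject's permissions, with the Group field empty for direct assignments and set to the group for inherited ones, plus filtering by resource ID, role ID and assignment method) is easy to reproduce over an exported list of role bindings when you want to audit entitlements offline or diff them between reviews. The following is an added example, not code from this page or from Yandex Cloud; the `Binding`/`Entitlement` types, the sample bindings and the group memberships are constructed for illustration, and the resource, role and subject IDs are hypothetical. It only resolves one level of group membership, which matches what the page describes (a role assigned to a group is shown for the group's direct members).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Binding:
    """A role assigned to a subject (user, service account or group) on a resource.
    Hypothetical flat record, roughly what an access-binding export would contain."""
    subject_id: str
    resource_id: str
    resource_type: str
    role_id: str

@dataclass(frozen=True)
class Entitlement:
    """One row of the per-subject permission table.
    group_id is None when the role was assigned directly (the page's empty Group field)."""
    subject_id: str
    resource_id: str
    resource_type: str
    role_id: str
    group_id: Optional[str]

# Constructed sample data: bindings on a cloud and a folder, and two user groups.
BINDINGS: List[Binding] = [
    Binding("user-alice", "cloud-main", "cloud", "viewer"),
    Binding("group-devs", "folder-prod", "folder", "editor"),
    Binding("group-devs", "cloud-main", "cloud", "viewer"),
    Binding("sa-deploy", "folder-prod", "folder", "admin"),
    Binding("user-bob", "folder-prod", "folder", "viewer"),
]
MEMBERSHIPS: Dict[str, Set[str]] = {
    "group-devs": {"user-alice", "sa-deploy"},
    "group-ops": {"user-bob"},
}

def effective_entitlements(subject_id: str,
                           bindings: List[Binding],
                           memberships: Dict[str, Set[str]]) -> List[Entitlement]:
    """Flatten direct bindings and bindings inherited via group membership into
    the per-subject view. Groups themselves only ever get direct rows, because
    roles are assigned to groups directly (nested groups are not modelled)."""
    rows: List[Entitlement] = []
    for b in bindings:
        if b.subject_id == subject_id:
            rows.append(Entitlement(subject_id, b.resource_id, b.resource_type, b.role_id, None))
    for group_id, members in memberships.items():
        if subject_id not in members:
            continue
        for b in bindings:
            if b.subject_id == group_id:
                rows.append(Entitlement(subject_id, b.resource_id, b.resource_type, b.role_id, group_id))
    return rows

def filter_entitlements(rows: List[Entitlement],
                        resource_id: Optional[str] = None,
                        role_id: Optional[str] = None,
                        method: Optional[str] = None) -> List[Entitlement]:
    """Apply the three filters the page describes. method is 'direct', 'group' or None."""
    if method not in (None, "direct", "group"):
        raise ValueError("method must be 'direct', 'group' or None")
    out = []
    for e in rows:
        if resource_id is not None and e.resource_id != resource_id:
            continue
        if role_id is not None and e.role_id != role_id:
            continue
        if method == "direct" and e.group_id is not None:
            continue
        if method == "group" and e.group_id is None:
            continue
        out.append(e)
    return out

if __name__ == "__main__":
    # Print the review table for one subject, Group column empty for direct rows.
    for e in effective_entitlements("user-alice", BINDINGS, MEMBERSHIPS):
        print(f"{e.resource_type:7} {e.resource_id:12} {e.role_id:8} {e.group_id or ''}")
```

Running it for `user-alice` prints one direct row (viewer on `cloud-main`) and two rows inherited from `group-devs`; filtering with `method="group"` is the quickest way to spot roles that a subject would keep even after a direct assignment is revoked, which is why the Group field matters during a review.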

Warning

Currently, Cloud Infrastructure Entitlement Management does not display subjects’ access permissions for Yandex DataLens resources and billing accounts.

Revoking access permissions

Cloud Infrastructure Entitlement Management allows you to revoke excessive access permissions from a subject or group as well as remove a subject from a user group, if required.

To revoke access permissions, users must have one of these roles: admin, resource-manager.admin, organization-manager.admin, resource-manager.clouds.owner, organization-manager.organizations.owner, or the administrator role in the service where they want to revoke the subject's access to a resource.

You can only remove a subject from a group created by an organization administrator. You cannot remove a subject from a system or public group.

See also

  • Viewing a list of a subject's accesses
  • Revoking a subject's access
