Access control list (ACL)
Yandex Cloud Desktop leverages Yandex Identity and Access Management roles for access control.
Cloud Desktop ACL is a list of permissions for a given desktop group.
By default, an empty ACL is created for each new desktop group. A user with the vdi.admin role can edit an ACL.
Using an ACL, you can grant desktop group access to:
Each desktop is assigned to a specific Yandex Cloud user.
To connect to a desktop, the user gets a unique RDP file with a built-in IAM token. This means only a certain user can access the desktop.
The IAM token lifetime is 12 hours. Once it expires, the RDP file is no longer valid. To connect to the desktop, the user needs to request a new RDP file.
If a user is removed from the list of Yandex Cloud users for any reason, e.g., if they were transferred to a different department or suspected of unauthorized activity, their RDP file becomes invalid regardless of when it was issued.
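The access rules above (per-user RDP file, 12-hour IAM token lifetime, invalidation when the user is removed, and the desktop group ACL) can be modelled as one decision function. This is an added illustration, not Yandex Cloud code: the data structures, names and sample users are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

IAM_TOKEN_LIFETIME = timedelta(hours=12)  # lifetime stated in the documentation
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time

@dataclass
class RdpFile:
    """Constructed stand-in for the per-user RDP file with its built-in IAM token."""
    desktop_id: str
    user_id: str
    token_issued_at: datetime

@dataclass
class CloudDesktopState:
    """Constructed snapshot: current users, desktop assignments, and each group's ACL."""
    active_users: set[str]
    desktop_owner: dict[str, str]   # desktop_id -> assigned user
    desktop_group: dict[str, str]   # desktop_id -> desktop group
    acl: dict[str, set[str]] = field(default_factory=dict)  # group -> granted users (empty by default)

def check_connect(state: CloudDesktopState, rdp: RdpFile, user_id: str, now: datetime) -> tuple[bool, str]:
    """Evaluate one connection attempt; the first failing rule decides the outcome."""
    # Removal from the user list invalidates the file no matter when it was issued.
    if user_id not in state.active_users:
        return False, "user removed; RDP file invalid regardless of issue time"
    # The file is bound to a single user through its token.
    if rdp.user_id != user_id:
        return False, "RDP file belongs to a different user"
    # After 12 hours the token expires and a new RDP file must be requested.
    if now - rdp.token_issued_at >= IAM_TOKEN_LIFETIME:
        return False, "IAM token expired; request a new RDP file"
    # Each desktop is assigned to one specific user.
    if state.desktop_owner.get(rdp.desktop_id) != user_id:
        return False, "desktop not assigned to this user"
    # The desktop group's ACL must grant access; the default empty ACL denies everyone.
    group = state.desktop_group.get(rdp.desktop_id)
    if user_id not in state.acl.get(group, set()):
        return False, "no permission in the desktop group ACL"
    return True, "access granted"

def rdp_issued(desktop_id: str, user_id: str, hours_ago: int) -> RdpFile:
    """Construct an RDP file whose token was issued the given number of hours before NOW."""
    return RdpFile(desktop_id, user_id, NOW - timedelta(hours=hours_ago))

def sample_state() -> CloudDesktopState:
    # Constructed sample data: one group with an ACL, one new group still on the default empty ACL.
    return CloudDesktopState(
        active_users={"alice", "bob"},
        desktop_owner={"desk-1": "alice", "desk-2": "bob", "desk-3": "bob"},
        desktop_group={"desk-1": "finance", "desk-2": "finance", "desk-3": "new-group"},
        acl={"finance": {"alice", "bob"}},
    )
```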
Example of access control in Cloud Desktop
- The organization administrator (user with the organization-manager.admin role for the cloud) creates a Yandex Cloud Organization user group for which a desktop group will be deployed.
- The Cloud Desktop administrator (user with the vdi.admin role for the folder) creates a desktop group and grants permissions for it to a user group. The administrator can also create a custom image for the desktop group.
- The Cloud Desktop administrator creates a personal desktop for each member of the user group.
- A user group member gets authenticated using Yandex ID or Single Sign-On (SSO) on the User desktop showcase page. The showcase displays the desktops available to a given user.
- From the showcase, the user group member downloads the RDP file for the appropriate desktop and connects to it.