Changing desktop group access permissions

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

You can assign multiple roles using the set-access-bindings command.

1. Make sure the desktop group has no roles you want to keep:

   yc desktops group list-access-bindings <desktop_group_name_or_ID>
   

2. See the description of the CLI command for assigning roles to a desktop group:

   yc desktops group set-access-bindings --help
   

3. Assign roles:

   yc desktops group set-access-bindings <desktop_group_name_or_ID> \
     --access-binding role=<role>,<subject_type>=<subject_ID> \
     --access-binding role=<role>,<subject_type>=<subject_ID>
   

   Where --access-binding contains access permission settings:

   • role: Role.
   • subject: Type and ID of the subject the role is assigned to.

   For example, the following command will assign roles to multiple users and a single service account:

   yc desktops group set-access-bindings my-desktop-group \
     --access-binding role=editor,userAccount=gfei8n54hmfh******** \
     --access-binding role=viewer,userAccount=helj89sfj80a******** \
     --access-binding role=editor,serviceAccount=ajel6l0jcb9s********
   

   To assign a role to a subject without rewriting its other roles, use the yc desktops group add-access-bindings command. For example, the following command will assign a role to a service account:

   yc desktops group add-access-bindings \
     --name <desktop_group_name> \
     --role <role> \
     --service-account-name <service_account_name>
   

Use the updateAccessBindings REST API method for the DesktopGroup resource or the DesktopGroupService/UpdateAccessBindings gRPC API call.