Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Configuring access permissions for a dedicated host group

Written by
Updated at June 27, 2025

To grant a user, group, or service account access to a dedicated host group, assign a role for it.

Assigning a role

  1. In the management console, select the folder where the dedicated host group is located.
  2. Select Compute Cloud.
  3. In the left-hand panel, click and select Dedicated host groups.
  4. Select the dedicated host group.
  5. Go to the Access bindings tab.
  6. Click Assign roles.
  7. In the window that opens, select the group, user, or service account you want to grant access to the dedicated host group.
  8. Click Add role and select the required role.
  9. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command for assigning a role for a dedicated host group:

    yc compute host-group add-access-binding --help

  2. Get a list of dedicated host groups in the default folder:

    yc compute host-group list

  3. View a list of roles already assigned for the resource in question:

    yc compute host-group list-access-bindings <dedicated_host_group_name_or_ID>

  4. Assign the role using this command:

    • To a user:

      yc compute host-group add-access-binding <dedicated_host_group_name_or_ID> \
  --user-account-id <user_ID> \
  --role <role>

      Where:

      • --user-account-id: User ID. To assign a role to all authenticated users, use the --all-authenticated-users flag.
      • --role: Role to assign.

    • To a service account:

      yc compute host-group add-access-binding <dedicated_host_group_name_or_ID> \
  --service-account-id <service_account_ID> \
  --role <role>

      Where:

To assign a role, use the updateAccessBindings REST API method for the HostGroup resource or the HostGroupService/UpdateAccessBindings gRPC API call. In the request body, set the action property to ADD and specify the user type and ID under subject.

Assigning multiple roles

  1. In the management console, select the folder where the dedicated host group is located.
  2. Select Compute Cloud.
  3. In the left-hand panel, click and select Dedicated host groups.
  4. Select the dedicated host group.
  5. Go to the Access bindings tab.
  6. Click Assign roles.
  7. In the window that opens, select the group, user, or service account you want to grant access to the dedicated host group.
  8. Click Add role and select the required role.
  9. To add another role, click Add role.
  10. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

You can assign multiple roles using the set-access-bindings command.

Alert

The set-access-bindings command completely rewrites access permissions for the resource. All current roles for the resource will be deleted.

  1. Make sure the resource has no roles assigned that you would not want to lose:

    yc compute host-group list-access-bindings <dedicated_host_group_name_or_ID>

  2. See the description of the CLI command for assigning roles for a dedicated host group:

    yc compute host-group set-access-bindings --help

  3. Assign roles:

    yc compute host-group set-access-bindings <dedicated_host_group_name_or_ID> \
  --access-binding role=<role>,subject=<subject_type>:<subject_ID> \
  --access-binding role=<role>,subject=<subject_type>:<subject_ID>

    Where:

    • --access-binding: Parameters for setting access permissions:

      • role: Role to assign.
      • subject: Type and ID of the subject getting the role.

    For example, this command will assign roles to multiple users and a single service account:

    yc compute host-group set-access-bindings my-host-group \
  --access-binding role=editor,subject=userAccount:gfei8n54hmfh********
  --access-binding role=viewer,subject=userAccount:helj89sfj80a********
  --access-binding role=editor,subject=serviceAccount:ajel6l0jcb9s********

To assign roles for a dedicated host group, use the setAccessBindings REST API method for the HostGroup resource or the HostGroupService/SetAccessBindings gRPC API call.

Alert

The setAccessBindings method and the HostGroupService/SetAccessBindings call overwrite all existing access permissions for the resource. All current roles for the resource will be deleted.

Revoking a role

  1. In the management console, select the folder where the dedicated host group is located.
  2. Select Compute Cloud.
  3. In the left-hand panel, click and select Dedicated host groups.
  4. Select the dedicated host group.
  5. Navigate to the Access bindings tab.
  6. In the line with the user in question, click and select Edit roles.
  7. Next to the role, click .
  8. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command for revoking a role for for a dedicated host group:

    yc compute host-group remove-access-binding --help

  2. View the roles and assignees for the resource:

    yc compute host-group list-access-bindings <dedicated_host_group_name_or_ID>

  3. To revoke access permissions, run this command:

    yc compute host-group remove-access-binding <dedicated_host_group_name_or_ID> \
  --role=<role> \
  --subject=<subject_type>:<subject_ID> \

    Where:

    • --role: ID of the role to revoke.
    • --subject: Type and ID of the subject you are assigning the role to.

    For example, this command revokes the viewer role for the dedicated host group from a user with the ajel6l0jcb9s******** ID:

    yc compute host-group remove-access-binding my-host-group \
  --role viewer \
  --subject userAccount:ajel6l0jcb9s********

To revoke a role, use the updateAccessBindings REST API method for the HostGroup resource or the HostGroupService/UpdateAccessBindings gRPC API call. In the request body, set the action property to REMOVE and specify the user type and ID under subject.

Previous
Creating a VM on a dedicated host
Next
Creating a reserved instance pool