Yandex Cloud
Search
Contact UsGet started
  • Pricing
  • Customer Stories
  • Documentation
  • Blog
  • All Services
  • System Status
    • Featured
    • Infrastructure & Network
    • Data Platform
    • Containers
    • Developer tools
    • Serverless
    • Security
    • Monitoring & Resources
    • ML Services
    • Business tools
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Start testing with double trial credits
    • Cloud credits to scale your IT product
    • Gateway to Russia
    • Cloud for Startups
    • Center for Technologies and Society
    • Yandex Cloud Partner program
  • Pricing
  • Customer Stories
  • Documentation
  • Blog
© 2025 Direct Cursus Technology L.L.C.
Yandex Identity and Access Management
    • Overview
      • Overview
      • Roles
      • System groups
      • Public groups
      • Resources that roles can be assigned for
    • Service access to user resources
    • Identity federations
    • Workload identity federations
    • Quotas and limits
  • Secure use of Yandex Cloud
  • Access management
  • Pricing policy
  • Role reference
  • Terraform reference
  • Monitoring metrics
  • Audit Trails events
  • Release notes
  1. Concepts
  2. How access management works
  3. Public groups

Public groups

Written by
Yandex Cloud
Updated at September 17, 2025

A public group is a group of users (subjects) to which you can assign roles. In Yandex Cloud, there are two types of public groups: All authenticated users and All users. These groups allow you to grant public access to your resources, but only for operations that are allowed by the assigned role.

It is unsafe to assign roles with extensive permissions, such as editor or admin, to public groups.

All authenticated usersAll authenticated users

The All authenticated users public group includes all authenticated users, i.e., all registered Yandex Cloud users or service accounts, both from your clouds and other users' clouds. Using this group is unsafe. Instead, use system groups, such as All users in organization X and All users in federation N, or your own custom groups.

For example, let's say you have an OS disk image that you want to share with all Yandex Cloud users. To do this, assign the compute.images.user role to the All authenticated users subject for the folder containing the image.

When assigning a role to All authenticated users via the CLI, Terraform, and API, use the allAuthenticatedUsers subject ID.

Alert

Assigning this role to the All authenticated users system group gives public access to your resources. The role grants permissions for your resources to every user authenticated in Yandex Cloud, not only the users from your cloud.

All usersAll users

The All users public group includes any user, with no authentication required.

For example, when making an API request to your resource, users do not need to specify their IAM tokens. Using this group is unsafe. Instead, use system groups, such as All users in organization X and All users in federation N, or your custom organization user groups.

When assigning a role to All users via the CLI, Terraform, and API, use the allUsers subject ID.

Note

All users is only supported in Object Storage when using ACL-based access management.

Was the article helpful?

Previous
System groups
Next
Resources that roles can be assigned for
© 2025 Direct Cursus Technology L.L.C.