Public groups
A public group is a group of users (subjects) to which you can assign roles. In Yandex Cloud, there are two types of public groups: All authenticated users and All users. These groups allow you to grant public access to your resources, but only for operations that are allowed by the assigned role.
It is unsafe to assign roles with extensive permissions, such as editor or admin, to public groups.
All authenticated users
The All authenticated users public group includes all authenticated users, i.e., all registered Yandex Cloud users or service accounts, both from your clouds and other users' clouds. Using this group is unsafe. Instead, use system groups, such as All users in organization X and All users in federation N, or your own custom groups.
For example, let's say you have an OS disk image that you want to share with all Yandex Cloud users. To do this, assign the compute.images.user role to the All authenticated users subject for the folder containing the image.
When assigning a role to All authenticated users via the CLI, Terraform, and API, use the allAuthenticatedUsers subject ID.
Alert
Assigning this role to the All authenticated users system group gives public access to your resources. The role grants permissions for your resources to every user authenticated in Yandex Cloud, not only the users from your cloud.
All users
The All users public group includes any user, with no authentication required.
For example, when making an API request to your resource, users do not need to specify their IAM tokens. Using this group is unsafe. Instead, use system groups, such as All users in organization X and All users in federation N, or your custom organization user groups.
When assigning a role to All users via the CLI, Terraform, and API, use the allUsers subject ID.
Note
All users is only supported in Object Storage when using ACL-based access management.
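To check existing resources for the bindings described in both sections above, the following added example (not part of the Yandex Cloud documentation or tooling) scans a list of access bindings for the allAuthenticatedUsers and allUsers subject IDs and marks broad roles as critical. The JSON field names (role_id, subject.id, subject.type), the sample bindings, and the rule that a role ending in .admin or .editor counts as broad are assumptions; adjust them to the shape of your own export.

```python
import json

# Subject IDs of the two public groups, as named on this page.
PUBLIC_SUBJECTS = {"allAuthenticatedUsers", "allUsers"}
# Roles the page calls out as having extensive permissions.
BROAD_ROLES = {"editor", "admin"}

# Constructed sample: access bindings of one folder. The field names
# (role_id, subject.id, subject.type) are an assumed export shape.
SAMPLE_BINDINGS = json.loads("""
[
  {"role_id": "compute.images.user", "subject": {"id": "allAuthenticatedUsers", "type": "system"}},
  {"role_id": "editor", "subject": {"id": "allUsers", "type": "system"}},
  {"role_id": "admin", "subject": {"id": "example-user-id", "type": "userAccount"}},
  {"role_id": "storage.admin", "subject": {"id": "allAuthenticatedUsers", "type": "system"}}
]
""")


def is_broad(role_id):
    """Assumed heuristic: editor/admin, or a service-scoped role ending in them."""
    return role_id.rsplit(".", 1)[-1] in BROAD_ROLES


def audit_public_bindings(bindings):
    """Return one finding per binding that grants a role to a public group."""
    findings = []
    for b in bindings:
        subject_id = (b.get("subject") or {}).get("id")
        if subject_id not in PUBLIC_SUBJECTS:
            continue  # bound to a named user, service account or group
        role = b.get("role_id", "")
        findings.append({
            "subject": subject_id,
            "role": role,
            "severity": "critical" if is_broad(role) else "review",
        })
    # Critical findings first, then ordered by subject and role.
    return sorted(findings, key=lambda f: (f["severity"] != "critical", f["subject"], f["role"]))


if __name__ == "__main__":
    for f in audit_public_bindings(SAMPLE_BINDINGS):
        print(f"{f['severity']:8} {f['subject']:22} {f['role']}")
```

Findings marked review are still public grants; confirm each one is intentional or replace the subject with an organization, federation or custom group.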