© 2025 Direct Cursus Technology L.L.C.

Setting up user group access permissions

Written by
Yandex Cloud
Updated at May 5, 2025

To grant access permissions to a group as a resource, assign the required roles to the subjects. You can also grant a group permissions for any resource from the list.

Assigning a role

Cloud Center interface
  1. Log in to Yandex Cloud Organization using an administrator or organization owner account.

  2. In the left-hand panel, select Groups and click the row with the name of the group you need.

  3. Go to the Group access rights tab.

  4. Click Assign roles.

  5. Select the group, user, or service account you want to grant access to the group. You may want to use the search feature.

  6. Click Add role and select the roles to assign to the group.

  7. Click Save.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

To grant access permissions for a user group:

  1. See the description of the CLI role assignment command:

    yc organization-manager group add-access-binding --help
    
  2. Get a list of user groups with their IDs:

    yc organization-manager group list \
      --organization-id <organization_ID>
    
  3. Get the ID of the user, service account, or user group you are assigning a role to.

  4. Use the yc organization-manager group add-access-binding command to assign a role:

    yc organization-manager group add-access-binding \
      --id <group_ID> \
      --role <role> \
      --user-account-id <user_ID> \
      --federation-users <user_ID> \
      --service-account-id <service_account_ID> \
      --subject group:<group_ID>
    

    Where:

    • --id: User group ID.
    • --role: Role ID.

    ID of the object the role is assigned to:

    • --user-account-id: Yandex account ID.
    • --federation-users: Federated user ID.
    • --service-account-id: Service account ID.
    • --subject group: Group ID.

API

Use the updateAccessBindings method for the Group resource or the GroupService/UpdateAccessBindings gRPC API call and provide the following in the request:

  • ADD value in the accessBindingDeltas[].action parameter to add a role.
  • Role in the accessBindingDeltas[].accessBinding.roleId parameter.
  • ID of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.id parameter.
  • Type of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.type parameter.

Revoking a role

Cloud Center interface
  1. Log in to Yandex Cloud Organization with an administrator or organization owner account.

  2. In the left-hand panel, select Groups and click the row with the name of the group you need.

  3. Go to the Group access rights tab.

  4. To revoke a role:

    1. In the row with the required user, service account, or group, click and select Configure access.

    2. Click next to each role you want to revoke.

    3. Click Save.

  5. To revoke all roles, in the row with the required user, service account, or group, click and select Revoke access. Confirm the action.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command to revoke a role:

    yc organization-manager group remove-access-binding --help
    
  2. Get a list of user groups with their IDs:

    yc organization-manager group list \
      --organization-id <organization_ID>
    
  3. Get the ID of the user, service account, or user group you are revoking a role from.

  4. Use the yc organization-manager group remove-access-binding command to revoke a role from an object:

    yc organization-manager group remove-access-binding \
      --id <group_ID> \
      --role <role> \
      --user-account-id <user_ID> \
      --federation-users <user_ID> \
      --service-account-id <service_account_ID> \
      --subject group:<group_ID>
    

    Where:

    • --id: User group ID.
    • --role: Role ID.

    ID of the object to revoke a role from:

    • --user-account-id: Yandex account ID.
    • --federation-users: Federated user ID.
    • --service-account-id: Service account ID.
    • --subject group: Group ID.

API

Use the updateAccessBindings method for the Group resource or the GroupService/UpdateAccessBindings gRPC API call and provide the following in the request:

  • REMOVE in the accessBindingDeltas[].action parameter to revoke the role.
  • Role in the accessBindingDeltas[].accessBinding.roleId parameter.
  • ID of the subject to revoke the role from in the accessBindingDeltas[].accessBinding.subject.id parameter.
  • Type of the subject to revoke the role from in the accessBindingDeltas[].accessBinding.subject.type parameter.
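
The ADD and REMOVE deltas described in the two API sections above can be derived by comparing the bindings a group currently has with the set it should have. The following is an added example, not code from the Yandex Cloud documentation: it assumes each binding is a dict with roleId and subject.id/subject.type, assumes the listed subject.type values, and uses placeholder IDs and roles as constructed sample data.

```python
import json

# Subject types accepted in subject.type (assumed from the Yandex Cloud IAM
# API; the page itself only names the parameter).
SUBJECT_TYPES = {"userAccount", "federatedUser", "serviceAccount", "group"}


def _key(binding):
    """Normalize one access binding to a hashable (role, type, id) tuple."""
    subject = binding["subject"]
    if subject["type"] not in SUBJECT_TYPES:
        raise ValueError(f"unexpected subject type: {subject['type']!r}")
    return (binding["roleId"], subject["type"], subject["id"])


def _delta(action, key):
    role_id, subject_type, subject_id = key
    return {
        "action": action,
        "accessBinding": {
            "roleId": role_id,
            "subject": {"id": subject_id, "type": subject_type},
        },
    }


def plan_deltas(current, desired):
    """Return the updateAccessBindings body that turns current into desired."""
    # REMOVE deltas first, each half sorted, so the plan is stable to review.
    have = {_key(b) for b in current}
    want = {_key(b) for b in desired}
    deltas = [_delta("REMOVE", k) for k in sorted(have - want)]
    deltas += [_delta("ADD", k) for k in sorted(want - have)]
    return {"accessBindingDeltas": deltas}


# Constructed sample data: placeholder IDs and role, not real values.
CURRENT = [
    {"roleId": "<role>", "subject": {"id": "<user_ID>", "type": "userAccount"}},
    {"roleId": "<role>", "subject": {"id": "<service_account_ID>", "type": "serviceAccount"}},
]
DESIRED = [
    {"roleId": "<role>", "subject": {"id": "<user_ID>", "type": "userAccount"}},
    {"roleId": "<role>", "subject": {"id": "<group_ID>", "type": "group"}},
]

if __name__ == "__main__":
    print(json.dumps(plan_deltas(CURRENT, DESIRED), indent=2))
```

Reviewing the printed plan before sending it makes every grant and revocation on the group explicit, and an empty accessBindingDeltas list means the group already matches the intended state.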
