Setting up user group access permissions
To grant access permissions for a group as a resource, assign the required roles on that group to subjects: users, service accounts, or other groups. You can also grant a group permissions for another resource; this is done in the access settings of that resource.
Assigning a role
Management console
- Log in to Yandex Cloud Organization using an administrator or organization owner account.
- In the left-hand panel, select Groups and click the row with the name of the group you need.
- Go to the Group access rights tab.
- Click Assign roles.
- Select the group, user, or service account you want to grant access to the group. You can use the search feature to find it.
- Click Add role and select the roles to assign to the selected subject.
- Click Save.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To grant access permissions for a user group:
- See the description of the CLI role assignment command:
  yc organization-manager group add-access-binding --help
- Get a list of user groups with their IDs:
  yc organization-manager group list \
    --organization-id <organization_ID>
- Get the ID of the user, service account, or user group you are assigning a role to.
- Assign the role using the yc organization-manager group add-access-binding command. One command binds one role to one subject on the group, so keep only the subject parameter that matches the subject type:
  yc organization-manager group add-access-binding \
    --id <group_ID> \
    --role <role> \
    --user-account-id <user_ID> \
    --federation-users <user_ID> \
    --service-account-id <service_account_ID> \
    --subject group:<group_ID>
  Where:
  --id: ID of the group whose access rights you are configuring.
  --role: ID of the role to assign.
  Subject the role is assigned to (specify one of the following):
  --user-account-id: Yandex account ID.
  --federation-users: Federated user ID.
  --service-account-id: Service account ID.
  --subject group:<group_ID>: ID of the group being granted access (not the group specified in --id).
API
Use the updateAccessBindings method for the Group resource or the GroupService/UpdateAccessBindings gRPC API call and provide the following in the request:
- ADD in the accessBindingDeltas[].action parameter to add a role.
- Role ID in the accessBindingDeltas[].accessBinding.roleId parameter.
- ID of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.id parameter.
- Type of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.type parameter (userAccount, federatedUser, serviceAccount, or group).
Revoking a role
Management console
- Log in to Yandex Cloud Organization with an administrator or organization owner account.
- In the left-hand panel, select Groups and click the row with the name of the group you need.
- Go to the Group access rights tab.
- To revoke individual roles:
  - In the row with the required user, service account, or group, click the actions icon and select Configure access.
  - Click the delete icon next to each role you want to revoke.
  - Click Save.
- To revoke all roles, in the row with the required user, service account, or group, click the actions icon and select Revoke access. Confirm the action.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To revoke access permissions from a user group:
- See the description of the CLI command to revoke a role:
  yc organization-manager group remove-access-binding --help
- Get a list of user groups with their IDs:
  yc organization-manager group list \
    --organization-id <organization_ID>
- Get the ID of the user, service account, or user group you are revoking a role from.
- Revoke the role using the yc organization-manager group remove-access-binding command. A binding is identified by the group, the role, and the subject, so all three must match the binding you want to remove; keep only the subject parameter that matches the subject type:
  yc organization-manager group remove-access-binding \
    --id <group_ID> \
    --role <role> \
    --user-account-id <user_ID> \
    --federation-users <user_ID> \
    --service-account-id <service_account_ID> \
    --subject group:<group_ID>
  Where:
  --id: ID of the group whose access rights you are configuring.
  --role: ID of the role to revoke.
  Subject to revoke the role from (specify one of the following):
  --user-account-id: Yandex account ID.
  --federation-users: Federated user ID.
  --service-account-id: Service account ID.
  --subject group:<group_ID>: ID of the group whose access is being revoked (not the group specified in --id).
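When the add-access-binding and remove-access-binding procedures above are scripted, it helps to build the command in one place (so exactly one subject parameter is ever emitted, rather than the full list shown in the snippets) and to confirm the result against the group's current bindings. The Python below is an added example, not code from the Yandex Cloud documentation or from yc. It assumes the flags named on this page, and assumes that yc organization-manager group list-access-bindings --id <group_ID> --format json prints a JSON array of objects with role_id and subject.id / subject.type keys; SAMPLE_LISTING is constructed, and its IDs and role names are illustrative.

```python
"""Build, dry-run and verify yc group access-binding commands.

Added example, not code from the Yandex Cloud documentation or from yc.
Assumptions: the flags listed on this page; that
  yc organization-manager group list-access-bindings --id <group_ID> --format json
prints a JSON array of {"role_id": ..., "subject": {"id": ..., "type": ...}}.
SAMPLE_LISTING is constructed, not captured from a real organization.
"""
import json
import shlex
import subprocess

# Subject type (as printed by yc / the API) -> flag that names that subject.
SUBJECT_FLAGS = {
    "userAccount": "--user-account-id",
    "federatedUser": "--federation-users",
    "serviceAccount": "--service-account-id",
}


def build_cmd(action, group_id, role, subject_type, subject_id):
    """Return the argv for add-access-binding / remove-access-binding.

    One command binds (or unbinds) one role for one subject on one group, so
    the function takes exactly one subject and emits exactly one subject flag.
    """
    if action not in ("add", "remove"):
        raise ValueError(f"action must be 'add' or 'remove', got {action!r}")
    for name, value in (("group_id", group_id), ("role", role), ("subject_id", subject_id)):
        if not value or not value.strip():
            raise ValueError(f"{name} must be a non-empty string")
    argv = ["yc", "organization-manager", "group", f"{action}-access-binding",
            "--id", group_id, "--role", role]
    if subject_type == "group":
        # Groups are addressed through the generic --subject type:id form.
        argv += ["--subject", f"group:{subject_id}"]
    elif subject_type in SUBJECT_FLAGS:
        argv += [SUBJECT_FLAGS[subject_type], subject_id]
    else:
        raise ValueError(f"unsupported subject type {subject_type!r}")
    return argv


def run(argv, dry_run=True):
    """Print the exact command; execute it only when dry_run is False."""
    rendered = shlex.join(argv)
    print(rendered)
    if not dry_run:
        subprocess.run(argv, check=True)
    return rendered


def binding_present(listing_json, role, subject_type, subject_id):
    """True if the list-access-bindings JSON contains the given binding.

    Call it after an add (expect True) and after a remove (expect False) to
    confirm the change landed on the intended group and subject.
    """
    for binding in json.loads(listing_json):
        subject = binding.get("subject", {})
        if (binding.get("role_id") == role
                and subject.get("type") == subject_type
                and subject.get("id") == subject_id):
            return True
    return False


# Constructed sample output of list-access-bindings (IDs and roles illustrative).
SAMPLE_LISTING = json.dumps([
    {"role_id": "organization-manager.viewer",
     "subject": {"id": "ajeuser000000000000001", "type": "userAccount"}},
    {"role_id": "organization-manager.groups.memberAdmin",
     "subject": {"id": "ajesa00000000000000002", "type": "serviceAccount"}},
])


if __name__ == "__main__":
    add = build_cmd("add", "bpfgroup0000000000001", "organization-manager.viewer",
                    "group", "bpfgroup0000000000002")
    run(add)  # dry run: prints the command, does not call yc
    print(binding_present(SAMPLE_LISTING, "organization-manager.viewer",
                          "userAccount", "ajeuser000000000000001"))
```

The default is a dry run; pass dry_run=False only once the printed command names the group, role and subject you intend. The same build_cmd call with action="remove" produces the revoke command, and binding_present then serves as the post-removal check.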
API
Use the updateAccessBindings method for the Group resource or the GroupService/UpdateAccessBindings gRPC API call and provide the following in the request:
- REMOVE in the accessBindingDeltas[].action parameter to revoke the role.
- Role ID in the accessBindingDeltas[].accessBinding.roleId parameter.
- ID of the subject to revoke the role from in the accessBindingDeltas[].accessBinding.subject.id parameter.
- Type of the subject to revoke the role from in the accessBindingDeltas[].accessBinding.subject.type parameter (userAccount, federatedUser, serviceAccount, or group).
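The two API procedures on this page (ADD to assign, REMOVE to revoke) use the same updateAccessBindings request, which makes it natural to compute both kinds of delta from a diff between the group's current bindings and the bindings you want. The Python below is an added example, not code from the Yandex Cloud documentation. It uses the request fields named on this page (accessBindingDeltas[].action, accessBinding.roleId, accessBinding.subject.id and .type); the REST path /organization-manager/v1/groups/{groupId}:updateAccessBindings, the API host, and the POST method are assumptions, and CURRENT_BINDINGS / DESIRED_BINDINGS are constructed sample data with illustrative IDs and role names.

```python
"""Minimal accessBindingDeltas for GroupService.UpdateAccessBindings.

Added example, not code from the Yandex Cloud documentation. It uses the
request fields named on this page and ASSUMES the REST endpoint
  POST {API_BASE}/groups/{groupId}:updateAccessBindings
CURRENT_BINDINGS and DESIRED_BINDINGS are constructed sample data.
"""
import json
import urllib.request

API_BASE = "https://organization-manager.api.cloud.yandex.net/organization-manager/v1"  # assumed
SUBJECT_TYPES = {"userAccount", "federatedUser", "serviceAccount", "group"}


def _key(binding):
    """Identity of a binding: one role for one subject."""
    return (binding["roleId"], binding["subject"]["type"], binding["subject"]["id"])


def plan_deltas(current, desired):
    """Return the ADD/REMOVE deltas that turn `current` into `desired`.

    Bindings present in both lists produce no delta, so re-running the plan
    against an already-converged group yields an empty request, and bindings
    you did not mention are never touched.
    """
    for binding in desired:
        if binding["subject"]["type"] not in SUBJECT_TYPES:
            raise ValueError(f"unknown subject type {binding['subject']['type']!r}")
    cur = {_key(b): b for b in current}
    des = {_key(b): b for b in desired}
    deltas = []
    for key in sorted(cur.keys() - des.keys()):
        deltas.append({"action": "REMOVE", "accessBinding": cur[key]})
    for key in sorted(des.keys() - cur.keys()):
        deltas.append({"action": "ADD", "accessBinding": des[key]})
    return deltas


def build_request(group_id, deltas):
    """URL and JSON body for updateAccessBindings on the given group."""
    if not group_id:
        raise ValueError("group_id is required")
    url = f"{API_BASE}/groups/{group_id}:updateAccessBindings"
    return url, {"accessBindingDeltas": deltas}


def send(url, body, iam_token):
    """POST the request with an IAM token; not called in the demo below."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {iam_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample: what the group's current bindings might look like...
CURRENT_BINDINGS = [
    {"roleId": "organization-manager.viewer",
     "subject": {"id": "ajeuser000000000000001", "type": "userAccount"}},
    {"roleId": "organization-manager.groups.memberAdmin",
     "subject": {"id": "ajesa00000000000000002", "type": "serviceAccount"}},
]
# ...and the state we want: keep the user's viewer role, drop the service
# account's role, and grant the viewer role to another group.
DESIRED_BINDINGS = [
    {"roleId": "organization-manager.viewer",
     "subject": {"id": "ajeuser000000000000001", "type": "userAccount"}},
    {"roleId": "organization-manager.viewer",
     "subject": {"id": "bpfgroup0000000000002", "type": "group"}},
]


if __name__ == "__main__":
    url, body = build_request("bpfgroup0000000000001",
                              plan_deltas(CURRENT_BINDINGS, DESIRED_BINDINGS))
    print(url)
    print(json.dumps(body, indent=2))
```

Because only the differences are sent, the same request body expresses an assignment, a revocation, or both at once, and sending it twice is harmless: the second plan is empty.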