Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Adding a user to an organization

Written by
Updated at October 17, 2024

Add a user to your organization to grant him or her access to Yandex Cloud resources.

You can add users with a Yandexaccount as well as federated users. To do this, you need to be the organization administrator (the organization-manager.admin role) or owner (the organization-manager.organizations.owner role).

The user will become an organization member, and you will be able to grant them access to your cloud resources by assigning them a role. A new organization member will not have access to cloud resources until you assign them a role.

Add a user to your organization and grant them the role needed to access Yandex Cloud resources. For example, enable the user to create managed DB clusters or track the status of VMs in use.

You can add users with a Yandex account and federated users. To do this, you need to be the organization administrator (the organization-manager.admin role) or owner (the organization-manager.organizations.owner role). To learn how to grant roles to users, see Assigning roles.

Users with a Yandex account

If your employees have Yandex accounts (for example, login@yandex.com), they can use them to access the Yandex Cloud services enabled in your organization.

You can invite a user to an organization via the management console or Yandex Cloud Organization. An invitation to join your organization will be sent to the user's email address.

Send an invitation

  1. Log in as the organization administrator or owner.

  2. Go to Yandex Cloud Organization.

  3. In the left-hand panel, select Users .

  4. In the top-right corner, click Invite users.

  5. Enter the email addresses of the users you want to invite to the organization (e.g., login@yandex.com).

    You can send invitations to any email address. Invited users will be able to select the appropriate Yandex account once they accept the invitation.

  6. Click Send invitation.

  1. Log in to the cloud administrator account.

  2. Log in to the management console.

  3. Select the appropriate cloud from the list on the left. For example:

    image

  4. Go to the Access bindings tab.

  5. In the top-right corner, click and select Invite users.

  6. Enter the email addresses of the users you want to invite to the organization (e.g., login@yandex.com).

    You can send invitations to any email address. Invited users will be able to select the appropriate Yandex account once they accept the invitation.

  7. Click Send invitation.

The user will be able to log in to the organization upon accepting the invitation via the emailed link and selecting an account for log-in. To access the services enabled for the organization, the users you invited simply need to log in to their Yandex account.

You can delete or resend your invitation only via Cloud Organization.

Delete the invitation

  1. Under Users , go to InvitationsPending.
  2. Click in the invitation line and select Delete invitation.

Resend your invitation

  1. Under Users , go to InvitationsPending.
  2. Click in the invitation line and select Resend.

Note

To better safeguard your resources from unauthorized access, enable Yandex ID two-factor authentication. Also, request users you add to your organization to enable it.

Federated users

If you did not enable the Automatically create users option when setting up a federation, you will have to add federated users to your organization manually.

To do this, you need to know the user name IDs returned by the Identity Provider (IdP) server together with the successful authentication response. This will usually be the user's email address. To find out what the server returns as the name ID, contact the administrator who configured authentication for your federation.

If the Automatically create users option is enabled, a federation will only add users logging in to a cloud for the first time. If a federated user has been removed, they can only be added again manually.

You do not need to invite federated users to the organization; they are added automatically after logging in.

Add federated users

  1. Log in as the organization administrator.
  2. Go to Yandex Cloud Organization.
  3. In the left-hand panel, select Users .
  4. In the top-right corner, click Add federated users.
  5. Select the identity federation to add users from.
  6. List the name IDs of users, separating them with line breaks.
  7. Click Add. This will give the users access to the organization.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View a description of the add user command:

    yc organization-manager federation saml add-user-accounts --help

  2. Add users by listing their name IDs separated by a comma:

    yc organization-manager federation saml add-user-accounts \
   --name <federation_name> \
   --name-ids <list_of_user_name_IDs>

Use the addUserAccounts REST API method for the Federation resource or the FederationService/AddUserAccounts gRPC API call and provide the following in the request:

  • Federation ID in the federationId parameter.
  • List of user name IDs in the nameIds parameter.

What's next

Previous
Handling secrets that are available in the public domain
Next
Getting user information