Authentication policies in Yandex Identity Hub
Note
This feature is at the Preview stage.
In Yandex Identity Hub, authentication policies are used for granular management of user and user group access to Yandex Identity Hub applications by denying or allowing authentication based on conditions specified in the policy scope.
Currently, you can manage authentication policies via the Cloud Center UIorganization-manager.admin role or higher.
Policy scope
Authentication policies apply to user authentication events based on the following conditions:
Note
The conditions specified in the policy are applied with the AND logic when checking whether the user can authenticate.
Users and user groups
You can apply an authentication policy to all users within your Yandex Identity Hub or restrict it to specific users or user groups.
You can also explicitly exclude certain users or user groups from a policy. Note that you cannot add the same users or user groups to both inclusion and exclusion lists at the same time.
Applications
You can apply an authentication policy to all applications created in your Yandex Identity Hub or restrict it to specific applications.
You can also exclude certain applications from a policy.
Networks and IP addresses
You can apply an authentication policy to either all possible IP addresses or specific IPv4 and IPv6 ranges in CIDR
You can also exclude certain address ranges from a policy. Note that you cannot add the same IP address ranges to both inclusion and exclusion lists at the same time.
Policy outcomes
Currently, you can use authentication policies to deny user authentication if the authentication event meets the policy conditions.
Policy statuses
An authentication policy may be either Active or Inactive. An inactive policy does not apply to user authentication events.
Useful links
- Creating an authentication policy
- Activating/deactivating an authentication policy
- Editing an authentication policy
- Deleting an authentication policy
- Applications in Yandex Identity Hub
An organization is the highest resource in the Yandex Cloud resource model hierarchy that consolidates the resources of all other services. It is also used for user management as well as authentication and authorization management. For more information, see Organization.
You can group Yandex Identity Hub users to simplify access management in Yandex Cloud. For more information, see User groups.
Yandex Identity Hub SAML and OIDC applications allow Yandex Cloud users to authenticate in services of third-party service providers. For more information, see Applications in Yandex Identity Hub.
Yandex Cloud uses Yandex accounts as well as federated and local user accounts. For more information, see Accounts in Yandex Cloud.
The organization-manager.admin role enables managing organization settings, identity federations, user pools, SAML applications, OIDC applications, users and user groups, and users' access permissions to the organization and its resources. To learn more, see Access management in Yandex Identity Hub.