Organization

An organization is the highest resource in the Yandex Cloud resource model hierarchy that consolidates the resources of all other services. Organizations are also used to manage users and their authentication and authorization settings.

When working with Yandex Cloud services, you create resources, such as managed database clusters, virtual machines, disks, networks, etc. Most services store their resources in folders. Folders belong to clouds, and clouds belong to organizations. A cloud may only belong to one organization, but you can move clouds between organizations. Yandex Resource Manager is a service that manages clouds and folders; Yandex Identity Hub manages organizations. Access to Yandex Cloud resources is managed via roles.

Yandex Cloud organization structure:

Access management in an organizationAccess management in an organization

Within an organization, users deal with Yandex Cloud resources. Organizations do not interact with one another, which is why an organization's resources are available only to its members. This does not apply to resources authorized to be accessed from the public groups titled All users and All authenticated users.

You can set up access to an organization's resources for individual users or user groups. You have the following tools for that:

• User groups: Allow issuing identical access permissions to several users at the same time.
• Identity federations: Implement a single sign-on system for users within an organization, even without a Yandex account.
• User pools: Allow grouping local users into containers.
• Yandex Identity and Access Management: Enables you to enforce restrictions on operations via access policies and provides users with roles they need to perform specific operations with a particular Yandex Cloud resource.

Organization security managementOrganization security management

These practices can help you manage security of your organization:

• Use refresh tokens in the Yandex Cloud CLI.
• Set up OS Login access.
• Require two-factor authentication.
• Block users from viewing information about organization members.

Service managementService management

Most Yandex Cloud services store their resources in folders within an organization. However, some services are separate from the common resource and role model. They operate at the organization level and can exchange data with other services within the same organization. These services include:

• Yandex Tracker
• Yandex DataLens
• Yandex Wiki
• Yandex Forms
• Yandex DataSphere
• Yandex SpeechSense

To start managing the services:

1. Log in as the organization administrator or owner.

2. Go to Cloud Center.

3. If you want to manage one of the separate services, find and click it in the list of services on the right-hand panel.

   To manage other services, click Cloud Console in the top-right corner.

Use casesUse cases

• Access control for user groups with different roles in Yandex Identity Hub
• Google Workspace authentication
• Authentication via Microsoft Entra ID
• Authentication via Active Directory

What's nextWhat's next

• Organization membership
• Managing organizations
• Managing user groups
• Managing identity federations
• OS Login
• Getting started with Yandex Security Deck
• Access control for user groups with different roles in Yandex Identity Hub