© 2025 Direct Cursus Technology L.L.C.
Written by
Yandex Cloud
Updated at April 22, 2025

Assigning a role for an entire organization

To enable group members to use Yandex Cloud resources within an organization, assign the appropriate roles to the group.

Cloud Center interface
  1. Log in to Yandex Cloud Organization using an administrator or organization owner account.

  2. In the left-hand panel, select Access bindings.

  3. At the top right, click Assign bindings.

  4. Go to the Groups tab and select the group you need or search by group name.

    You can also assign a role to one of the system groups:

    • All users in organization X: The group includes all users in organization X.
    • All users in federation N: The group includes all users in federation N.
  5. Click Add role and select the role you want to assign to the group for the organization. You can assign multiple roles.

  6. Click Save.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

  1. Assign the role to the group:

    yc organization-manager organization add-access-binding \
      --subject group:<group_ID> \
      --role <role_ID> \
      --organization-users <organization_ID> \
      --federation-users <federation_ID>
    

    To assign a role to one of the system groups, use --organization-users <organization_ID> or --federation-users <federation_ID> instead of the --subject parameter. In the parameter, provide the ID of the organization or identity federation, respectively, whose users should all get the role.

    You can also assign a role to a system group using the --subject parameter. To do this, set it to the subject ID matching the selected system group.

  2. Make sure the requested permissions are granted:

    yc organization-manager organization list-access-bindings <organization_ID>
    

    The response contains a list of all roles assigned to users and groups in the organization:

    +------------------------------------------+--------------+----------------------+
    |                 ROLE ID                  | SUBJECT TYPE |      SUBJECT ID      |
    +------------------------------------------+--------------+----------------------+
    | organization-manager.admin               | userAccount  | ajev1p2345lj******** |
    | organization-manager.organizations.owner | userAccount  | ajev1p2345lj******** |
    | editor                                   | group        | ajev1p2345lj******** |
    | viewer                                   | group        | ajev1p2345lj******** |
    +------------------------------------------+--------------+----------------------+
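
The check in step 2 can be scripted so that a missing or unexpected binding is caught automatically. The following is an added example, not part of the Yandex Cloud documentation: it parses the table layout shown above, confirms that a specific role is bound to a specific group, and lists group bindings whose role is outside an allow-list. The function names are hypothetical and the IDs in the sample table are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit the table printed by
#   yc organization-manager organization list-access-bindings <organization_ID>

# Constructed sample in the layout shown above; the IDs are placeholders.
sample_table() {
cat <<'EOF'
+------------------------------------------+--------------+----------------------+
|                 ROLE ID                  | SUBJECT TYPE |      SUBJECT ID      |
+------------------------------------------+--------------+----------------------+
| organization-manager.admin               | userAccount  | example-user-id-0001 |
| editor                                   | group        | example-grp-id-0001  |
| viewer                                   | group        | example-grp-id-0002  |
+------------------------------------------+--------------+----------------------+
EOF
}

# Table on stdin -> one "role<TAB>subject_type<TAB>subject_id" line per binding.
# Border lines contain no "|" and the header row is skipped by name.
parse_bindings() {
  awk -F'|' 'NF >= 5 {
    for (i = 2; i <= 4; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
    if ($2 != "ROLE ID" && $2 != "") printf "%s\t%s\t%s\n", $2, $3, $4
  }'
}

# has_binding ROLE SUBJECT_TYPE SUBJECT_ID: succeeds only on an exact match of
# all three columns, so a role name that merely contains ROLE is not accepted.
has_binding() {
  parse_bindings | awk -F'\t' -v r="$1" -v t="$2" -v s="$3" '
    $1 == r && $2 == t && $3 == s { found = 1 }
    END { exit !found }'
}

# unexpected_group_roles ALLOWED_ROLE...: prints "role<TAB>group_id" for every
# group binding whose role is not in the allow-list given as arguments.
unexpected_group_roles() {
  parse_bindings | awk -F'\t' -v allowed=" $* " '
    $2 == "group" && index(allowed, " " $1 " ") == 0 { print $1 "\t" $3 }'
}

# Demo on the constructed table: confirm the new binding, then list group
# roles that go beyond "viewer".
sample_table | has_binding editor group example-grp-id-0001 && echo "binding present"
sample_table | unexpected_group_roles viewer
```

Against a real organization, pipe the output of the list-access-bindings command into has_binding or unexpected_group_roles in place of sample_table.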
    

Terraform

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. Add the resource parameters to the configuration file and specify the required role and group:

    resource "yandex_organizationmanager_organization_iam_member" "users-editors" {
      organization_id = "<organization_ID>"
      role            = "<role_ID>"
      member          = "group:<group_ID>"
    }
    

    Where:

    • organization_id: Organization ID. This is a required parameter.

    • role: Role to assign. This is a required parameter.

    • member: Group the role is assigned to. Use this format: group:<group_ID>. This is a required parameter.

      To assign a role to one of the system groups, specify the following in the member parameter:

      • system:group:organization:<organization_ID>:users: To assign a role to the All users in organization X system group.
      • system:group:federation:<federation_ID>:users: To assign a role to the All users in federation N system group.

    For more information about the yandex_organizationmanager_organization_iam_member resource parameters, see this Terraform article.

  2. Create the resources:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate
      

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.
      
    3. Run the command:

      terraform plan
      

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply
      
    5. Confirm the changes: type yes in the terminal and press Enter.

    This will create all the resources you need in the specified organization. You can check the new resource using the management console or this CLI command:

    yc organization-manager organization list-access-bindings <organization_ID>
    
