Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Configuring group management access

Written by
Updated at November 12, 2025

You can grant access to a user group to:

To do this, assign roles for the group. To choose the ones you need, learn about the service's roles.

Assigning a role

  1. Log in to Yandex Identity Hub using an administrator or organization owner account.

  2. In the left-hand panel, select Groups and click the row with the name of the group you need.

  3. Navigate to the Group access rights tab.

  4. Click Assign roles.

  5. Select the group, user, or service account you want to grant access to the group. Use search, if required.

  6. Click Add role and select the roles that you need to assign to the group.

  7. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To grant access permissions for a user group:

  1. See the description of the CLI role assignment command:

    yc organization-manager group add-access-binding --help

  2. Get a list of user groups with their IDs:

    yc organization-manager group list \
  --organization-id <organization_ID>

  3. Get the ID of the user, service account, or user group you are assigning a role to.

  4. Using the yc organization-manager group add-access-binding command, assign the following roles:

    yc organization-manager group add-access-binding \
  --id <group_ID> \
  --role <role> \
  --user-account-id <user_ID> \
  --federation-users <user_ID> \
  --service-account-id <service_account_ID> \
  --subject group: <group_ID>

    Where:

    • --id: User group ID.
    • --role: Role ID.

    ID of the object the role is assigned to.

    • --user-account-id: Yandex account ID.
    • --federation-users: Federated user ID.
    • --service-account-id: Service account ID.
    • --subject group: Group ID.

Use the updateAccessBindings method for the Group resource or the GroupService/UpdateAccessBindings gRPC API call and provide the following in the request:

  • ADD value in the accessBindingDeltas[].action parameter to add a role.
  • Role in the accessBindingDeltas[].accessBinding.roleId parameter.
  • ID of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.id parameter.
  • Type of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.type parameter.

Assigning multiple roles

  1. Log in to Yandex Identity Hub as the organization administrator or owner.

  2. In the left-hand panel, select Groups and click the line with the group name.

  3. Navigate to the Group access rights tab.

  4. Click Assign roles.

  5. Select the user or service account you want to grant access to the group. Use search, if required.

  6. Click Add role and select the roles that you need to assign to the group.

  7. Click Save.

Alert

The set-access-bindings command for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To assign multiple roles for a user group:

  1. Make sure the resource has no important roles assigned before proceeding:

    yc organization-manager group list-access-bindings \
  --id <group_ID>

  2. See the description of the CLI role assignment command:

    yc organization-manager group set-access-bindings --help

  3. Get a list of user groups with their IDs:

    yc organization-manager group list

  4. Get the ID of the user, service account, or user group you are assigning roles to.

  5. Using the yc organization-manager group set-access-bindings command, assign the following roles:

    • To a Yandex account user:

      yc organization-manager group set-access-bindings \
  --id <group_ID> \
  --access-binding role=<role>,user-account-id=<user_ID>

    • To a federated user:

      yc organization-manager group set-access-bindings \
  --id <group_ID> \
  --access-binding role=<role>,subject=federatedUser:<user_ID>

    • To a service account:

      yc organization-manager group set-access-bindings \
  --id <group_ID> \
  --access-binding role=<role>,service-account-id=<service_account_ID>

    • To a user group:

      yc organization-manager group set-access-bindings \
  --id <group_ID> \
  --access-binding role=<role>,subject=group:<group_ID>

    Provide a separate --access-binding parameter for each role. Here is an example:

    yc organization-manager group set-access-bindings \
  --id <group_ID> \
  --access-binding role=<role1>,service-account-id=<service_account_ID> \
  --access-binding role=<role2>,service-account-id=<service_account_ID> \
  --access-binding role=<role3>,service-account-id=<service_account_ID>

Alert

The setAccessBindings method for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.

Use the setAccessBindings method for the Group resource or the GroupService/SetAccessBindings gRPC API call. In your request, provide an array of objects, each one corresponding to a particular role and containing the following data:

  • Role in the accessBindings[].roleId parameter.
  • ID of the subject getting the roles in the accessBindings[].subject.id parameter.
  • Type of the subject getting the roles in the accessBindings[].subject.type parameter.

Revoking a role

  1. Log in to Yandex Identity Hub as the organization administrator or owner.

  2. In the left-hand panel, select Groups and click the line with the group name.

  3. Navigate to the Group access rights tab.

  4. To revoke roles:

    1. In the row with the user, service account, or group, click and select Configure access.

    2. Click next to the roles you want to revoke.

    3. Click Save.

  5. To revoke all roles, in the row with the user, service account, or group, click and select Revoke access. Confirm the action.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command to revoke a role:

    yc organization-manager group remove-access-binding --help

  2. Get a list of user groups with their IDs:

    yc organization-manager group list \
  --organization-id <organization_ID>

  3. Get the ID of the user, service account, or user group you are revoking a role from.

  4. Use the yc organization-manager group remove-access-binding command to revoke a role from an object:

    yc organization-manager group remove-access-binding \
  --id <group_ID> \
  --role <role> \
  --user-account-id <user_ID> \
  --federation-users <user_ID> \
  --service-account-id <service_account_ID> \
  --subject group:<group_ID>

    Where:

    • --id: User group ID.
    • --role: Role ID.

    ID of the object to revoke a role from:

    • --user-account-id: Yandex account ID.
    • --federation-users: Federated user ID.
    • --service-account-id: Service account ID.
    • --subject group: Group ID.

Use the updateAccessBindings method for the Group resource or the GroupService/UpdateAccessBindings gRPC API call and provide the following in the request:

  • REMOVE in the accessBindingDeltas[].action parameter to revoke the role.
  • Role in the accessBindingDeltas[].accessBinding.roleId parameter.
  • ID of the subject to revoke the role from in the accessBindingDeltas[].accessBinding.subject.id parameter.
  • Type of the subject to revoke the role from in the accessBindingDeltas[].accessBinding.subject.type parameter.
Previous
Editing a group
Next
Granting permissions to a group