© 2025 Direct Cursus Technology L.L.C.

Assigning a role to a user group

Written by
Yandex Cloud
Updated at October 13, 2025

Assign a role to a user group to grant access to a resource. To grant group access permissions to a subject, see Subjects that roles are assigned to.

In Yandex Identity Hub, you can assign a group a role for an organization, cloud, folder, another group, or service account.

Assigning a role for a cloud or folder

Management console
  1. Log in to the management console with the cloud administrator or owner account.

  2. On the left side of the screen, click the line with the name of the cloud or folder for which you want to assign a role to a user group.

  3. At the top of the screen, go to the Access bindings tab and click Configure access. In the window that opens:

    1. Go to the Groups tab and select the group you need or search by group name.

      You can also assign a role to one of the system groups:

      • All users in organization X: The group includes all users in organization X.
      • All users in federation N: The group includes all users in federation N.
    2. Click Add role and select the role you want to assign to the group for the cloud or folder you selected earlier. You can assign multiple roles.

    3. Click Save.

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

  1. Select a role from the Yandex Cloud role reference.

  2. Assign the role using this command:

    yc <service_name> <resource> add-access-binding <resource_name_or_ID> \
      --role <role_ID> \
      --subject group:<group_ID>
    

    Where:

    • --role: Role ID, e.g., resource-manager.clouds.owner.

    • --subject group: ID of the group the role is assigned to.

      To assign a role to one of the system groups, use the --organization-users <organization_ID> or --federation-users <federation_ID> parameter instead of --subject. In the parameter, provide the ID of the organization or identity federation, respectively, whose users you want to assign the role to.

      You can also assign a role to a system group using the --subject parameter. To do this, set it to the subject ID matching the selected system group.

    For example, assign the resource-manager.viewer role for the my-cloud cloud:

    yc resource-manager cloud add-access-binding my-cloud \
      --role resource-manager.viewer \
      --subject group:aje6o61dvog2********
    

Terraform

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. Add the resource parameters to the configuration file and specify the required role and group:

    resource "yandex_resourcemanager_cloud_iam_member" "admin" {
      cloud_id    = "<cloud_ID>"
      role        = "<role_ID>"
      member      = "group:<group_ID>"
    }
    

    Where:

    • cloud_id: Cloud ID. You can also assign a role within an individual folder. To do this, specify folder_id instead of cloud_id and the required folder ID in the resource parameters.

    • role: Role to assign. This is a required parameter.

    • member: Group the role is assigned to. Use this format: group:<group_ID>. This is a required parameter.

      To assign a role to one of the system groups, specify the following in the member parameter:

      • system:group:organization:<organization_ID>:users: To assign a role to the All users in organization X system group.
      • system:group:federation:<federation_ID>:users: To assign a role to the All users in federation N system group.

    For more information about the yandex_resourcemanager_cloud_iam_member resource parameters, see this Terraform article.

  2. Create the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

    This will create all the resources you need in the specified folder. You can check the new resource using the management console or this CLI command:

    yc resource-manager folder list-access-bindings <folder_name_or_ID>
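
A pre-apply check for the Terraform procedure above, added here as an example (not Yandex Cloud's or the provider's code): it walks the `resource_changes` of a plan exported with `terraform show -json` and flags role bindings whose `member` is an all-users system group. `READ_ONLY_ROLES`, the function names and the sample plan are assumptions made for the illustration.

```python
# Assumption (not from the page): roles a reviewer accepts for "all users" system groups.
READ_ONLY_ROLES = {"viewer", "resource-manager.viewer"}

def member_scope(member: str) -> str:
    """Classify a `member` value using the formats listed on the page."""
    parts = member.split(":")
    if len(parts) == 2 and parts[0] == "group" and parts[1]:
        return "group"
    if (len(parts) == 5 and parts[:2] == ["system", "group"] and parts[4] == "users"
            and parts[2] in ("organization", "federation") and parts[3]):
        return f"all-{parts[2]}-users"
    return "other"

def review_plan(plan: dict) -> list:
    """Return (address, role, scope, verdict) for every group binding the plan creates."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if not rc.get("type", "").endswith("_iam_member"):
            continue
        if "create" not in change.get("actions", []):
            continue
        after = change.get("after") or {}
        role, member = after.get("role", ""), after.get("member", "")
        scope = member_scope(member)
        if scope == "other":
            continue  # users and service accounts are out of scope here
        broad = scope != "group" and role not in READ_ONLY_ROLES
        findings.append((rc["address"], role, scope, "REVIEW" if broad else "ok"))
    return findings

# Constructed sample shaped like `terraform show -json` output; IDs are placeholders.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "yandex_resourcemanager_cloud_iam_member.admin",
     "type": "yandex_resourcemanager_cloud_iam_member",
     "change": {"actions": ["create"],
                "after": {"role": "resource-manager.viewer", "member": "group:<group_ID>"}}},
    {"address": "yandex_organizationmanager_organization_iam_member.users-editors",
     "type": "yandex_organizationmanager_organization_iam_member",
     "change": {"actions": ["create"],
                "after": {"role": "editor",
                          "member": "system:group:organization:<organization_ID>:users"}}},
]}

if __name__ == "__main__":
    for finding in review_plan(SAMPLE_PLAN):
        print(*finding, sep="\t")
```

To run it on a real plan, pass `review_plan` the dictionary loaded from the JSON plan file instead of `SAMPLE_PLAN`.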
    

API

Use the updateAccessBindings REST API method for the appropriate resource.

  1. Select a role from the Yandex Cloud role reference.

  2. Create the request body, e.g., in the body.json file. In the action property, enter ADD, and specify the group type and group ID under subject:

    body.json:

    {
      "accessBindingDeltas": [{
        "action": "ADD",
        "accessBinding": {
          "roleId": "editor",
          "subject": {
            "id": "<group_ID>",
            "type": "group"
          }
        }
      }]
    }
    
  3. Send the request to assign the role to the group. For example, for a folder with the b1gvmob95yys******** ID:

    export FOLDER_ID=b1gvmob95yys********
    export IAM_TOKEN=CggaAT********
    curl \
      --request POST \
      --header "Content-Type: application/json" \
      --header "Authorization: Bearer ${IAM_TOKEN}" \
      --data '@body.json' \
      "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
    

To learn how to assign a role for the respective resource, see:

  • Setting up service account access permissions.
  • Setting up cloud access permissions.
  • Setting up folder access permissions.

Assigning a role for an organization

Cloud Center UI
  1. Log in to Yandex Identity Hub using an administrator or organization owner account.

  2. In the left-hand panel, select Access bindings.

  3. At the top right, click Assign bindings.

  4. Go to the Groups tab and select the group you need or search by group name.

    You can also assign a role to one of the system groups:

    • All users in organization X: The group includes all users in organization X.
    • All users in federation N: The group includes all users in federation N.
  5. Click Add role and select the role for the organization you want to assign to the group. You can assign multiple roles.

  6. Click Save.

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

  1. Assign the role to the group:

    yc organization-manager organization add-access-binding <organization_ID> \
      --role <role_ID> \
      --subject group:<group_ID>
    

    To assign a role to one of the system groups, use --organization-users <organization_ID> or --federation-users <federation_ID> instead of the --subject parameter. In the parameter, provide the ID of the organization or identity federation whose users you want to assign the role to.

    You can also assign a role to a system group using the --subject parameter. To do this, set it to the subject ID matching the selected system group.

  2. Make sure the requested permissions are granted:

    yc organization-manager organization list-access-bindings <organization_ID>
    

    The response contains a list of all roles assigned to users and groups in the organization:

    +------------------------------------------+--------------+----------------------+
    |                 ROLE ID                  | SUBJECT TYPE |      SUBJECT ID      |
    +------------------------------------------+--------------+----------------------+
    | organization-manager.admin               | userAccount  | ajev1p2345lj******** |
    | organization-manager.organizations.owner | userAccount  | ajev1p2345lj******** |
    | editor                                   | group        | ajev1p2345lj******** |
    | viewer                                   | group        | ajev1p2345lj******** |
    +------------------------------------------+--------------+----------------------+
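
An added example, not part of the Yandex Cloud documentation: a Python parser for the table printed by `list-access-bindings` that collects roles per group subject so broad grants stand out during an access review. The `REVIEW_ROLES` and `REVIEW_SUFFIXES` lists, the function names and the sample rows are assumptions.

```python
from collections import defaultdict
# Assumption (not from the page): roles worth a second look when a whole group holds them.
REVIEW_ROLES = {"admin", "editor"}
REVIEW_SUFFIXES = (".admin", ".owner", ".editor")

def parse_bindings(table: str) -> list:
    """Parse the ASCII table printed by `list-access-bindings` into dicts."""
    rows, header = [], None
    for line in table.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip +----+ borders and blank lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = [c.lower().replace(" ", "_") for c in cells]
            if header != ["role_id", "subject_type", "subject_id"]:
                raise ValueError(f"unexpected columns: {header}")
        elif len(cells) != len(header):
            raise ValueError(f"malformed row: {line!r}")
        else:
            rows.append(dict(zip(header, cells)))
    return rows

def group_roles(rows: list) -> dict:
    """Map each group subject ID to the sorted list of roles it holds."""
    by_group = defaultdict(set)
    for row in rows:
        if row["subject_type"] == "group":
            by_group[row["subject_id"]].add(row["role_id"])
    return {group: sorted(roles) for group, roles in by_group.items()}

def needs_review(role: str) -> bool:
    return role in REVIEW_ROLES or role.endswith(REVIEW_SUFFIXES)

# Constructed sample in the layout shown above; subject IDs are placeholders.
SAMPLE = """
+----------------------------+--------------+-------------+
|          ROLE ID           | SUBJECT TYPE | SUBJECT ID  |
+----------------------------+--------------+-------------+
| organization-manager.admin | userAccount  | user-000001 |
| editor                     | group        | group-00001 |
| viewer                     | group        | group-00001 |
| viewer                     | group        | group-00002 |
+----------------------------+--------------+-------------+
"""

if __name__ == "__main__":
    print({g: [r for r in rs if needs_review(r)] for g, rs in group_roles(parse_bindings(SAMPLE)).items()})
```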
    

Terraform

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. Add the resource parameters to the configuration file and specify the required role and group:

    resource "yandex_organizationmanager_organization_iam_member" "users-editors" {
      organization_id = "<organization_ID>"
      role            = "<role_ID>"
      member          = "group:<group_ID>"
    }
    

    Where:

    • organization_id: Organization ID. This is a required parameter.

    • role: Role being assigned. This is a required parameter.

    • member: Group the role is assigned to. Use this format: group:<group_ID>. This is a required parameter.

      To assign a role to one of the system groups, specify the following in the member parameter:

      • system:group:organization:<organization_ID>:users: To assign a role to the All users in organization X system group.
      • system:group:federation:<federation_ID>:users: To assign a role to the All users in federation N system group.

    For more information about yandex_organizationmanager_organization_iam_member properties, see the relevant provider documentation.

  2. Create the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

    This will create all the resources you need in the specified folder. You can check the new resource using the management console or this CLI command:

    yc organization-manager organization list-access-bindings <organization_ID>
    

See also

  • Setting up service account access permissions
  • Setting up cloud access permissions
  • Setting up folder access permissions
