Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Organization access policy management

Written by
Updated at April 3, 2026

Note

This feature is in the Preview stage. To get access, contact tech support or your account manager.

Access policies are a Yandex Identity and Access Management mechanism that allows you to manage permissions for specific operations with Yandex Cloud resources. Access policies are based on templates and complement the role system for more flexible access management.

An organization's access policies can be managed by a user with the organization-manager.admin or admin role.

Creating an access policy for an organization

To create an access policy for an organization based on a template without optional parameters:

If you do not have the Yandex Cloud CLI yet, install and initialize it.

  1. Get a list of supported access policy templates with their IDs.

  2. Run this command:

    yc organization-manager organization bind-access-policy \
  --name <organization_name> \
  --access-policy-template-id=<policy_template_ID>

    Where:

    • --name: Name of the organization you want to create a policy for. Instead of the organization name, you can provide its ID in the --id parameter.
    • --access-policy-template-id: ID of the template you want to use as the basis for the new access policy for the organization.

  3. Make sure the policy was created.

Use the bindAccessPolicy REST API method for the Organization resource or the OrganizationService/BindAccessPolicy gRPC API call.

The new access policy will apply to resources within all clouds in the specified organization.

Viewing the list of your organization's access policies

To view the list of organization access policies:

If you do not have the Yandex Cloud CLI yet, install and initialize it.

Run the command, specifying the name or ID of the organization for which you want to view the created policies:

yc organization-manager organization list-access-policy-bindings <organization_name_or_ID>

Result:

+------------------------------+
|  ACCESS POLICY TEMPLATE ID   |
+------------------------------+
| organization.denyUserListing |
+------------------------------+

Use the listAccessPolicyBindings REST API method for the Organization resource or the OrganizationService/ListAccessPolicyBindings gRPC API call.

Deleting an access policy created for an organization

To delete an access policy created for an organization, follow these steps:

If you do not have the Yandex Cloud CLI yet, install and initialize it.

  1. Get a list of IDs of access policy templates assigned for the organization.

  2. Run this command:

    yc organization-manager organization unbind-access-policy \
  --name <organization_name> \
  --access-policy-template-id=<policy_template_ID>

    Where:

    • --name: Name of the organization to delete the policy for. Instead of the organization name, you can provide its ID in the --id parameter.
    • --access-policy-template-id: ID of the access policy template you want to delete from the specified organization.

  3. Make sure the policy was deleted.

Use the unbindAccessPolicy REST API method for the Organization resource or the OrganizationService/UnbindAccessPolicy gRPC API call.

The access policy will no longer apply to resources within all clouds in the specified organization.

See also

Previous
Managing multiple organizations
Next
Hiding information about organization members