# Managing user groups

You can group users by any criteria, e.g., by their duties or department.

## Creating a group

- Log in as the organization administrator.
- Go to Yandex Cloud Organization.
- In the left-hand panel, select Groups.
- In the top-right corner, click Create group and enter a group name and description.
### Terraform

For more information about the provider resources, see the documentation on the Terraform

If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

- In the configuration file, describe the group parameters:

  ```hcl
  resource "yandex_organizationmanager_group" "my-group" {
    name            = "<group_name>"
    description     = "<group_description>"
    organization_id = "<organization_ID>"
  }
  ```

  Where:

  - `name`: Group name. The name format is as follows:
    - The name must be from 3 to 63 characters long.
    - It may contain lowercase Latin letters, numbers, and hyphens.
    - The first character must be a letter and the last character cannot be a hyphen.
  - `description`: Group description. This is an optional parameter.
  - `organization_id`: ID of the organization to add the group to.

- Create resources:

  - In the terminal, change to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using the command:

    ```bash
    terraform validate
    ```

    If the configuration is correct, the following message is returned:

    ```text
    Success! The configuration is valid.
    ```

  - Run the command:

    ```bash
    terraform plan
    ```

    The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

  - Apply the configuration changes:

    ```bash
    terraform apply
    ```

  - Confirm the changes: type `yes` in the terminal and press Enter.

    Terraform will create all the required resources. You can check the new resources and their configuration using the management console or this CLI command:

    ```bash
    yc organization-manager group list --organization-id=<organization_ID>
    ```
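
The three `name` rules above are the kind of constraint that is cheap to check before `terraform apply` is ever run. The following Python script is an added example and is not code from the Yandex Cloud documentation or the Terraform provider: it implements exactly those rules as a standalone check and additionally scans the `yandex_organizationmanager_group` resources in a Terraform file so that every group name in a configuration is validated at once. The function names (`group_name_problems`, `check_config`) and the embedded sample configuration are this example's own constructions.

```python
import re

# Name rules as stated in the `name` parameter description on this page.
MIN_LEN, MAX_LEN = 3, 63
ALLOWED_CHARS = re.compile(r"[a-z0-9-]+")
FIRST_CHAR = re.compile(r"[a-z]")

# Matches `resource "yandex_organizationmanager_group" "<label>" { ... }` blocks.
# Group resources have no nested blocks, so a non-greedy match to the first `}` is enough.
GROUP_RESOURCE = re.compile(
    r'resource\s+"yandex_organizationmanager_group"\s+"([^"]+)"\s*\{(.*?)\}',
    re.DOTALL,
)
NAME_ATTR = re.compile(r'^\s*name\s*=\s*"([^"]*)"', re.MULTILINE)

# Constructed sample configuration (not from the page): one valid and one invalid name.
SAMPLE_CONFIG = '''
resource "yandex_organizationmanager_group" "ok" {
  name            = "security-team"
  description     = "constructed example"
  organization_id = "<organization_ID>"
}

resource "yandex_organizationmanager_group" "bad" {
  name            = "Sec_Team-"
  organization_id = "<organization_ID>"
}
'''


def group_name_problems(name: str) -> list[str]:
    """Return every rule the proposed group name violates (an empty list means valid)."""
    problems = []
    if not MIN_LEN <= len(name) <= MAX_LEN:
        problems.append(f"length {len(name)} is not between {MIN_LEN} and {MAX_LEN}")
    if not ALLOWED_CHARS.fullmatch(name):
        problems.append("contains characters other than lowercase Latin letters, digits, and hyphens")
    if not FIRST_CHAR.fullmatch(name[:1]):
        problems.append("first character must be a lowercase Latin letter")
    if name.endswith("-"):
        problems.append("last character cannot be a hyphen")
    return problems


def is_valid_group_name(name: str) -> bool:
    return not group_name_problems(name)


def check_config(hcl_text: str) -> dict[str, list[str]]:
    """Map each group resource label in a Terraform file to its name's rule violations.

    A resource without a `name` attribute is reported as a problem as well, since the
    configuration on this page always sets one.
    """
    report = {}
    for match in GROUP_RESOURCE.finditer(hcl_text):
        label, body = match.group(1), match.group(2)
        name_match = NAME_ATTR.search(body)
        if name_match is None:
            report[label] = ["no `name` attribute set"]
        else:
            report[label] = group_name_problems(name_match.group(1))
    return report


if __name__ == "__main__":
    for label, problems in check_config(SAMPLE_CONFIG).items():
        print(f"{label}: {'ok' if not problems else '; '.join(problems)}")
```

Run it against a real `.tf` file by reading the file into `check_config`; a non-empty problem list for any label is a reason to stop before `terraform apply`.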
## Adding members

- Go to Yandex Cloud Organization.
- In the left-hand panel, select Groups and click the line with the group name.
- Go to the Members tab.
- Click Add member.
- In the Adding participants window, select users from the list or search by user. You can also add service accounts to a group.
- Click Save.
### Terraform

For more information about the provider resources, see the documentation on the Terraform

If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

- In the configuration file, describe the new group members:

  ```hcl
  resource "yandex_organizationmanager_group_membership" "group-members" {
    group_id = "<group_ID>"
    members  = [
      "<member_1_ID>",
      "<member_2_ID>"
    ]
  }
  ```

  Where:

  - `group_id`: ID of the group to add the members to.
  - `members`: IDs of the members to be added to the group.

- Create resources:

  - In the terminal, change to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using the command:

    ```bash
    terraform validate
    ```

    If the configuration is correct, the following message is returned:

    ```text
    Success! The configuration is valid.
    ```

  - Run the command:

    ```bash
    terraform plan
    ```

    The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

  - Apply the configuration changes:

    ```bash
    terraform apply
    ```

  - Confirm the changes: type `yes` in the terminal and press Enter.

    Terraform will create all the required resources. You can check the new resources and their configuration using the management console or this CLI command:

    ```bash
    yc organization-manager group --name=<group_name> list-members --organization-id=<organization_ID>
    ```
## Editing a group

To change the name or description of a group:

- Log in as the organization administrator.
- Go to Yandex Cloud Organization.
- In the left-hand panel, select Groups.
- Select a group from the list and click the icon next to the group name.
- Click Edit and enter a new group name or description.
- Click Save.
### Terraform

For more information about the provider resources, see the documentation on the Terraform

If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

- In the configuration file, edit the group parameters:

  ```hcl
  resource "yandex_organizationmanager_group" "my-group" {
    name            = "new-group-name"
    description     = "My first group"
    organization_id = "<organization_ID>"
  }
  ```

  Where:

  - `name`: New group name. The name format is as follows:
    - The name must be from 3 to 63 characters long.
    - It may contain lowercase Latin letters, numbers, and hyphens.
    - The first character must be a letter and the last character cannot be a hyphen.
  - `description`: New group description.
  - `organization_id`: ID of the organization the group belongs to.

- Create resources:

  - In the terminal, change to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using the command:

    ```bash
    terraform validate
    ```

    If the configuration is correct, the following message is returned:

    ```text
    Success! The configuration is valid.
    ```

  - Run the command:

    ```bash
    terraform plan
    ```

    The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

  - Apply the configuration changes:

    ```bash
    terraform apply
    ```

  - Confirm the changes: type `yes` in the terminal and press Enter.

    Terraform will create all the required resources. You can check the new resources and their configuration using the management console or this CLI command:

    ```bash
    yc organization-manager group get --name=<group_name> --organization-id=<organization_ID>
    ```
## Setting up permissions to manage a group

You can grant access to a user group to:

To do this, assign roles for the group. To choose the ones you need, learn about the service's roles.

### Assigning a role

- Log in as the organization administrator.
- Go to Yandex Cloud Organization.
- In the left-hand panel, select Groups and click the line with the group name.
- Go to the Group access rights tab.
- Click Assign roles.
- Select the group, user, or service account you want to grant access to the group.
- Click Add role and select the roles.
- Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the `--folder-name` or `--folder-id` parameter.

To grant access permissions for a user group:

- See the description of the CLI role assignment command:

  ```bash
  yc organization-manager group add-access-binding --help
  ```

- Get a list of user groups with their IDs:

  ```bash
  yc organization-manager group list --organization-id <organization_ID>
  ```

- Get the ID of the user, service account, or user group you are assigning a role to.
- Use one of these commands to assign a role:

  - To a Yandex account user:

    ```bash
    yc organization-manager group add-access-binding \
      --id <group_ID> \
      --role <role> \
      --user-account-id <user_ID>
    ```

  - To a federated user:

    ```bash
    yc organization-manager group add-access-binding \
      --id <group_ID> \
      --role <role> \
      --subject federatedUser:<user_ID>
    ```

  - To a service account:

    ```bash
    yc organization-manager group add-access-binding \
      --id <group_ID> \
      --role <role> \
      --service-account-id <service_account_ID>
    ```

  - To a user group:

    ```bash
    yc organization-manager group add-access-binding \
      --id <group_ID> \
      --role <role> \
      --subject group:<group_ID>
    ```

Use the updateAccessBindings method for the Group resource or the GroupService/UpdateAccessBindings gRPC API call and provide the following in the request:

- `ADD` in the `accessBindingDeltas[].action` parameter to add a role.
- Role in the `accessBindingDeltas[].accessBinding.roleId` parameter.
- ID of the subject you are assigning the role to in the `accessBindingDeltas[].accessBinding.subject.id` parameter.
- Type of the subject you are assigning the role to in the `accessBindingDeltas[].accessBinding.subject.type` parameter.
### Assigning multiple roles

- Log in as the organization administrator.
- Go to Yandex Cloud Organization.
- In the left-hand panel, select Groups and click the line with the group name.
- Go to the Group access rights tab.
- Click Assign roles.
- Select the user or service account you want to grant access to the group.
- Click Add role and select the required roles.
- Click Save.

Alert

The `set-access-bindings` command for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the `--folder-name` or `--folder-id` parameter.

To assign multiple roles for a user group:

- Make sure the resource has no roles assigned that you would not want to lose:

  ```bash
  yc organization-manager group list-access-bindings \
    --id <group_ID>
  ```

- See the description of the CLI role assignment command:

  ```bash
  yc organization-manager group set-access-bindings --help
  ```

- Get a list of user groups with their IDs:

  ```bash
  yc organization-manager group list
  ```

- Get the ID of the user, service account, or user group you are assigning roles to.
- Use one of the commands below to assign roles:

  - To a Yandex account user:

    ```bash
    yc organization-manager group set-access-bindings \
      --id <group_ID> \
      --access-binding role=<role>,user-account-id=<user_ID>
    ```

  - To a federated user:

    ```bash
    yc organization-manager group set-access-bindings \
      --id <group_ID> \
      --access-binding role=<role>,subject=federatedUser:<user_ID>
    ```

  - To a service account:

    ```bash
    yc organization-manager group set-access-bindings \
      --id <group_ID> \
      --access-binding role=<role>,service-account-id=<service_account_ID>
    ```

  - To a user group:

    ```bash
    yc organization-manager group set-access-bindings \
      --id <group_ID> \
      --access-binding role=<role>,subject=group:<group_ID>
    ```

  Provide a separate `--access-binding` flag for each role. Example:

  ```bash
  yc organization-manager group set-access-bindings \
    --id <group_ID> \
    --access-binding role=<role_1>,service-account-id=<service_account_ID> \
    --access-binding role=<role_2>,service-account-id=<service_account_ID> \
    --access-binding role=<role_3>,service-account-id=<service_account_ID>
  ```

Alert

The `setAccessBindings` method for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.

Use the setAccessBindings method for the Group resource or the GroupService/SetAccessBindings gRPC API call. In your request, provide an array of objects, each one corresponding to a particular role and containing the following data:

- Role in the `accessBindings[].roleId` parameter.
- ID of the subject getting the roles in the `accessBindings[].subject.id` parameter.
- Type of the subject getting the roles in the `accessBindings[].subject.type` parameter.
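
The operational difference between the two API methods matters: `updateAccessBindings` (described under "Assigning a role" above) applies deltas and leaves other bindings alone, while `setAccessBindings` and the `set-access-bindings` CLI command replace the whole list, which is what the alerts warn about. The following Python script is an added example, not code from the Yandex Cloud documentation or SDK. It builds both request bodies in the shapes this page describes, computes which existing bindings a bare set call would silently drop, merges current and new bindings into a set body that loses nothing, and renders the matching `--access-binding` flags. The sample bindings and IDs are constructed; the `REMOVE` action value is the other member of the IAM API's `AccessBindingAction` enum and is not shown on this page.

```python
import json
from typing import Iterable

# A binding as the API models it: (roleId, subject.type, subject.id).
Binding = tuple[str, str, str]

# Constructed sample data; the IDs are made up for this example.
CURRENT_BINDINGS: list[Binding] = [
    ("organization-manager.admin", "userAccount", "ajeadmin00000example"),
    ("viewer", "group", "ajegroup00000example"),
]
NEW_BINDINGS: list[Binding] = [
    ("editor", "serviceAccount", "ajesa000000000example"),
]


def update_access_bindings_body(add: Iterable[Binding],
                                remove: Iterable[Binding] = ()) -> dict:
    """Body for updateAccessBindings: ADD/REMOVE deltas; bindings not mentioned stay as they are."""
    deltas = []
    for action, bindings in (("ADD", add), ("REMOVE", remove)):
        for role_id, subject_type, subject_id in bindings:
            deltas.append({
                "action": action,
                "accessBinding": {
                    "roleId": role_id,
                    "subject": {"id": subject_id, "type": subject_type},
                },
            })
    return {"accessBindingDeltas": deltas}


def set_access_bindings_body(bindings: Iterable[Binding]) -> dict:
    """Body for setAccessBindings: this list becomes the resource's complete set of bindings."""
    return {"accessBindings": [
        {"roleId": role_id, "subject": {"id": subject_id, "type": subject_type}}
        for role_id, subject_type, subject_id in bindings
    ]}


def bindings_lost_by_set(current: Iterable[Binding], new: Iterable[Binding]) -> set[Binding]:
    """Existing bindings that a setAccessBindings call carrying only `new` would delete."""
    return set(current) - set(new)


def safe_set_access_bindings_body(current: Iterable[Binding], new: Iterable[Binding]) -> dict:
    """setAccessBindings body that preserves every current binding and adds the new ones."""
    return set_access_bindings_body(sorted(set(current) | set(new)))


def cli_access_binding_flags(bindings: Iterable[Binding]) -> list[str]:
    """Render --access-binding flags in the forms the set-access-bindings examples on this page use."""
    flags = []
    for role_id, subject_type, subject_id in bindings:
        if subject_type == "userAccount":
            flags.append(f"--access-binding role={role_id},user-account-id={subject_id}")
        elif subject_type == "serviceAccount":
            flags.append(f"--access-binding role={role_id},service-account-id={subject_id}")
        else:  # federatedUser and group use the subject=<type>:<id> form
            flags.append(f"--access-binding role={role_id},subject={subject_type}:{subject_id}")
    return flags


if __name__ == "__main__":
    lost = bindings_lost_by_set(CURRENT_BINDINGS, NEW_BINDINGS)
    print(f"a bare set call would drop {len(lost)} binding(s): {sorted(lost)}")
    print(json.dumps(update_access_bindings_body(NEW_BINDINGS), indent=2))
    print(json.dumps(safe_set_access_bindings_body(CURRENT_BINDINGS, NEW_BINDINGS), indent=2))
    print(" \\\n  ".join(["yc organization-manager group set-access-bindings --id <group_ID>"]
                        + cli_access_binding_flags(CURRENT_BINDINGS + NEW_BINDINGS)))
```

In practice `CURRENT_BINDINGS` would be filled from `list-access-bindings` output immediately before the call; the merge only protects against the overwrite if the snapshot is fresh.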
### Revoking a role

To revoke a group role from a user:

- Log in as the organization administrator.
- Go to Yandex Cloud Organization.
- In the left-hand panel, select Groups and click the line with the group name.
- Go to the Group access rights tab.
- Select a user from the list and click the icon next to the username.
- Click Configure access.
- Click the icon next to the role to revoke.
- Click Save.

Tip

To open the list of users allowed to manage the group at the organization role level (e.g., organization admin or owner), go to the Group access rights tab and enable the Inherited roles option.
## Setting up a group's access to use Yandex Cloud

To enable group members to work with Yandex Cloud services, assign the appropriate roles to the group.

### Assigning a role for a separate resource

In the management console, you can assign a role for a cloud, folder, and other resources from the list.

To grant a group access to a resource:

- Log in as the organization administrator or owner.
- Go to Yandex Cloud Organization.
- In the left-hand panel, select Access bindings.
- At the top right, click Assign bindings.
- Go to the Groups tab and select the group you need or search by group name.

  You can also assign a role to one of the system groups:

  - All users in organization X: Includes all users in the X organization.
  - All users in federation N: Includes all users in the N organization.

- Click Add role and select the role in the cloud or folder. You can assign multiple roles.
- Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.

- Select a role from the Yandex Cloud role reference.
- Assign the role using the command:

  ```bash
  yc <service_name> <resource> add-access-binding <resource_name_or_ID> \
    --role <role_ID> \
    --subject group:<group_ID>
  ```

  Where:

  - `<service_name>`: Name of the service whose resource requires a role for access, e.g., `resource-manager`.
  - `<resource>`: Resource category, e.g., `cloud`.
  - `<resource_name_or_ID>`: Name or ID of the resource. You can specify the resource name or ID.
  - `--role`: Role ID, e.g., `resource-manager.clouds.owner`.
  - `--subject group`: ID of the group to which the role is assigned.

    To assign a role to one of the system groups, instead of using the `--subject` parameter, use the `--organization-users <organization_ID>` or `--federation-users <federation_ID>` parameter, providing in it the ID of the organization or identity federation, respectively, to the users of which you want to assign the role.

    You can also assign a role to a system group using the `--subject` parameter. To do this, provide in it the subject ID matching the selected system group.

  For example, here is how you can assign the `resource-manager.viewer` role for the `mycloud` cloud:

  ```bash
  yc resource-manager cloud add-access-binding mycloud \
    --role resource-manager.viewer \
    --subject group:aje6o61dvog2********
  ```
If you don't have Terraform, install it and configure the Yandex Cloud provider.

- Add the resource parameters to the configuration file and specify the required role and group:

  ```hcl
  resource "yandex_resourcemanager_cloud_iam_member" "admin" {
    cloud_id = "<cloud_ID>"
    role     = "<role_ID>"
    member   = "group:<group_ID>"
  }
  ```

  Where:

  - `cloud_id`: Cloud ID. You can also assign a role within an individual folder. To do this, specify `folder_id` instead of `cloud_id` and the required folder ID in the resource parameters.
  - `role`: Role being assigned. This is a required parameter.
  - `member`: Group the role is assigned to. It should be specified in `group:<group_ID>` format. This is a required parameter.

    To assign a role to one of the system groups, specify the following in the `member` parameter:

    - `system:group:organization:<organization_ID>:users`: To assign a role to the All users in organization X system group.
    - `system:group:federation:<federation_ID>:users`: To assign a role to the All users in federation N system group.

  For more information about the `yandex_resourcemanager_cloud_iam_member` resource parameters, see the provider documentation.
- Create resources:

  - In the terminal, change to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using the command:

    ```bash
    terraform validate
    ```

    If the configuration is correct, the following message is returned:

    ```text
    Success! The configuration is valid.
    ```

  - Run the command:

    ```bash
    terraform plan
    ```

    The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

  - Apply the configuration changes:

    ```bash
    terraform apply
    ```

  - Confirm the changes: type `yes` in the terminal and press Enter.

    All the resources you need will then be created in the specified folder. You can check the new resource using the management console or this CLI command:

    ```bash
    yc resource-manager folder list-access-bindings <folder_name_or_ID>
    ```
- Use the `updateAccessBindings` REST API method for the respective resource.
- Select a role from the Yandex Cloud role reference.
- Create the request body, for example, in the `body.json` file. Set the `action` property to `ADD` and specify the `group` type and group ID in the `subject` property:

  body.json:

  ```json
  {
    "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
        "roleId": "editor",
        "subject": {
          "id": "<group_ID>",
          "type": "group"
        }
      }
    }]
  }
  ```

- Assign a role to a service account. For example, for a folder with the `b1gvmob95yys********` ID:

  ```bash
  export FOLDER_ID=b1gvmob95yys********
  export IAM_TOKEN=CggaAT********
  curl -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${IAM_TOKEN}" \
    -d '@body.json' \
    "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
  ```

To learn how to assign a role for the respective resource, see:
### Assigning a role for an entire organization

A role granted for the entire organization allows group members to manage any Yandex Cloud resources activated for the organization as per the role's permissions.

- Log in as the organization administrator or owner.
- Go to Yandex Cloud Organization.
- In the left-hand panel, select Access bindings.
- At the top right, click Assign bindings.
- Go to the Groups tab and select the group you need or search by group name.

  You can also assign a role to one of the system groups:

  - All users in organization X: Includes all users in the X organization.
  - All users in federation N: Includes all users in the N organization.

- Click Add role and select the role in the organization. You can assign multiple roles.
- Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.

- Assign the role using the command:

  ```bash
  yc organization-manager organization add-access-binding \
    --subject=group:<group_ID> \
    --role=<role_ID> \
    <organization_ID>
  ```

  To assign a role to one of the system groups, instead of using the `--subject` parameter, use the `--organization-users <organization_ID>` or `--federation-users <federation_ID>` parameter, providing in it the ID of the organization or identity federation, respectively, to the users of which you want to assign the role.

  You can also assign a role to a system group using the `--subject` parameter. To do this, provide in it the subject ID matching the selected system group.

- Make sure the requested rights are granted:

  ```bash
  yc organization-manager organization list-access-bindings <organization_ID>
  ```

  A response contains a list of all roles assigned to users and groups in the organization:

  ```text
  +------------------------------------------+--------------+----------------------+
  | ROLE ID                                  | SUBJECT TYPE | SUBJECT ID           |
  +------------------------------------------+--------------+----------------------+
  | organization-manager.admin               | userAccount  | ajev1p2345lj******** |
  | organization-manager.organizations.owner | userAccount  | ajev1p2345lj******** |
  | editor                                   | group        | ajev1p2345lj******** |
  | viewer                                   | group        | ajev1p2345lj******** |
  +------------------------------------------+--------------+----------------------+
  ```
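
The listing above is also the natural input for a periodic review: organization-wide roles are the broadest grants in the account, so the set of bindings should be compared against what is expected rather than only eyeballed after an assignment. The following Python script is an added example, not part of the Yandex Cloud documentation or CLI. It parses the table format shown above (the sample table is the page's own output with its masked IDs, embedded as a string), returns the bindings as tuples, flags any binding absent from an expected allow-list, and separately lists every owner/admin-level binding for review. The allow-list `EXPECTED_BINDINGS` is constructed for the example.

```python
import re

# One table row: "| <role> | <subject type> | <subject id> |" as printed by `yc ... list-access-bindings`.
ROW = re.compile(r"^\|\s*(?P<role>[^|]+?)\s*\|\s*(?P<type>[^|]+?)\s*\|\s*(?P<id>[^|]+?)\s*\|$")

# Sample output as shown on this page (the IDs are masked there with asterisks).
SAMPLE_OUTPUT = """\
+------------------------------------------+--------------+----------------------+
| ROLE ID                                  | SUBJECT TYPE | SUBJECT ID           |
+------------------------------------------+--------------+----------------------+
| organization-manager.admin               | userAccount  | ajev1p2345lj******** |
| organization-manager.organizations.owner | userAccount  | ajev1p2345lj******** |
| editor                                   | group        | ajev1p2345lj******** |
| viewer                                   | group        | ajev1p2345lj******** |
+------------------------------------------+--------------+----------------------+
"""

Binding = tuple[str, str, str]  # (role id, subject type, subject id)

# Constructed allow-list: the bindings we expect to exist. The `editor` group binding is
# deliberately left out so the sample run reports it.
EXPECTED_BINDINGS: set[Binding] = {
    ("organization-manager.admin", "userAccount", "ajev1p2345lj********"),
    ("organization-manager.organizations.owner", "userAccount", "ajev1p2345lj********"),
    ("viewer", "group", "ajev1p2345lj********"),
}


def parse_access_bindings(table: str) -> list[Binding]:
    """Turn the CLI table into binding tuples, skipping the header and border lines."""
    bindings = []
    for line in table.splitlines():
        match = ROW.match(line.strip())
        if match is None or match["role"] == "ROLE ID":
            continue
        bindings.append((match["role"], match["type"], match["id"]))
    return bindings


def unexpected_bindings(found: list[Binding], allowed: set[Binding]) -> list[Binding]:
    """Bindings present on the resource that the allow-list does not account for."""
    return [b for b in found if b not in allowed]


def missing_bindings(found: list[Binding], expected: set[Binding]) -> list[Binding]:
    """Expected bindings that are no longer present (someone revoked or overwrote them)."""
    present = set(found)
    return sorted(b for b in expected if b not in present)


def privileged_bindings(found: list[Binding]) -> list[Binding]:
    """Bindings whose role is an owner or admin role; worth reviewing on every run."""
    return [b for b in found if b[0].endswith((".owner", ".admin"))]


if __name__ == "__main__":
    found = parse_access_bindings(SAMPLE_OUTPUT)
    print("unexpected:", unexpected_bindings(found, EXPECTED_BINDINGS))
    print("missing:   ", missing_bindings(found, EXPECTED_BINDINGS))
    print("privileged:", privileged_bindings(found))
```

Feeding the script real output (`yc ... list-access-bindings <organization_ID> | python3 review.py`, with `SAMPLE_OUTPUT` replaced by `sys.stdin.read()`) makes it a simple drift check that can run after every change to the organization's bindings.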
If you don't have Terraform, install it and configure the Yandex Cloud provider.

- Add the resource parameters to the configuration file and specify the required role and group:

  ```hcl
  resource "yandex_organizationmanager_organization_iam_member" "users-editors" {
    organization_id = "<organization_ID>"
    role            = "<role_ID>"
    member          = "group:<group_ID>"
  }
  ```

  Where:

  - `organization_id`: Organization ID. This is a required parameter.
  - `role`: Role being assigned. This is a required parameter.
  - `member`: Group the role is assigned to. It should be specified in `group:<group_ID>` format. This is a required parameter.

    To assign a role to one of the system groups, specify the following in the `member` parameter:

    - `system:group:organization:<organization_ID>:users`: To assign a role to the All users in organization X system group.
    - `system:group:federation:<federation_ID>:users`: To assign a role to the All users in federation N system group.

  For more information about the `yandex_organizationmanager_organization_iam_member` resource parameters, see the provider documentation.

- Create resources:

  - In the terminal, change to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using the command:

    ```bash
    terraform validate
    ```

    If the configuration is correct, the following message is returned:

    ```text
    Success! The configuration is valid.
    ```

  - Run the command:

    ```bash
    terraform plan
    ```

    The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

  - Apply the configuration changes:

    ```bash
    terraform apply
    ```

  - Confirm the changes: type `yes` in the terminal and press Enter.

    All the resources you need will then be created. You can check the new resource using the management console or this CLI command:

    ```bash
    yc organization-manager organization list-access-bindings <organization_ID>
    ```