Revoking a role from a user
If you want to deny a user access to a resource, revoke the relevant roles for this resource and for resources that grant inherited access rights. For more information on access control in Yandex Cloud, please see the Yandex Identity and Access Management documentation.
A role can be revoked by a user with the organization administrator role (organization-manager.admin) or the organization owner role (organization-manager.organizations.owner).
- Log in as the organization administrator or owner.
- Go to Yandex Cloud Organization.
- In the left-hand panel, select Access bindings.
- Select a user from the list or use the search bar at the top of the page.
- In the right-hand column, click the icon and select Assign bindings.
- Click the icon next to a role to delete it.
- Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
- View the roles and assignees for a resource:
    yc <service_name> <resource> list-access-bindings <resource_name_or_ID>
  Where:
  - <service_name>: Name of the service the resource belongs to, e.g., organization-manager.
  - <resource>: Resource category. For an organization, the category is organization.
  - <resource_name_or_ID>: Name or ID of the resource. Refer to an organization by its technical name.
  For example, view the roles and assignees in an organization with the bpf3crucp1v2******** ID:
    yc organization-manager organization list-access-bindings bpf3crucp1v2********
  Result:
    +------------------------------------------+--------------+----------------------+
    | ROLE ID                                  | SUBJECT TYPE | SUBJECT ID           |
    +------------------------------------------+--------------+----------------------+
    | organization-manager.organizations.owner | userAccount  | aje3r40rsemj******** |
    | organization-manager.admin               | userAccount  | aje6o61dvog2******** |
    +------------------------------------------+--------------+----------------------+
- To delete an access binding, run:
    yc <service_name> <resource> remove-access-binding <resource_name_or_ID> \
      --role <role_ID> \
      --subject <subject_type>:<subject_ID>
  Where:
  - --role: ID of the role to be revoked, e.g., organization-manager.admin.
  - <subject_type>: Type of the subject to revoke the role from.
  - <subject_ID>: Subject ID.
  For example, to revoke a role from a user with the aje6o61dvog2******** ID:
    yc organization-manager organization remove-access-binding bpf3crucp1v2******** \
      --role organization-manager.admin \
      --subject userAccount:aje6o61dvog2********
- View the roles and assignees for a resource using the listAccessBindings method. For example, to view the roles in the organization with the bpf3crucp1v2******** ID:
    export ORGANIZATION_ID=bpf3crucp1v2********
    export IAM_TOKEN=<IAM-token>
    curl -H "Authorization: Bearer ${IAM_TOKEN}" \
      "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations/${ORGANIZATION_ID}:listAccessBindings"
  Result:
    {
      "accessBindings": [
        {
          "subject": {
            "id": "aje6o61dvog2********",
            "type": "userAccount"
          },
          "roleId": "organization-manager.admin"
        }
      ]
    }
- Create the request body, e.g., in the body.json file. In the request body, specify which access binding to delete. For example, revoke the organization-manager.admin role from the aje6o61dvog2******** user:
    {
      "accessBindingDeltas": [{
        "action": "REMOVE",
        "accessBinding": {
          "roleId": "organization-manager.admin",
          "subject": {
            "id": "aje6o61dvog2********",
            "type": "userAccount"
          }
        }
      }]
    }
- Revoke the role by deleting the specified access binding:
    export ORGANIZATION_ID=bpf3crucp1v2********
    export IAM_TOKEN=<IAM-token>
    curl -X POST \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer ${IAM_TOKEN}" \
      -d '@body.json' \
      "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations/${ORGANIZATION_ID}:updateAccessBindings"
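The API steps above (list, build a REMOVE delta, update, list again) combined into one verified revoke routine, as an added example that is not Yandex Cloud's own tooling. It assumes only the listAccessBindings and updateAccessBindings endpoints shown on this page and a valid IAM token; the sample response at the bottom is constructed so the parsing can be exercised offline.

```python
import json
import urllib.request

# Endpoint prefix from the page; the organization ID is appended at call time.
API = "https://organization-manager.api.cloud.yandex.net/organization-manager/v1"


def bindings_for_subject(list_response, subject_id):
    """Role IDs bound to subject_id in a listAccessBindings response (sorted)."""
    return sorted(b["roleId"] for b in list_response.get("accessBindings", [])
                  if b["subject"]["id"] == subject_id)


def remove_binding_body(role_id, subject_type, subject_id):
    """Request body for updateAccessBindings that removes exactly one binding."""
    return {"accessBindingDeltas": [{
        "action": "REMOVE",
        "accessBinding": {"roleId": role_id,
                          "subject": {"id": subject_id, "type": subject_type}}}]}


def _call(url, token, body=None):
    """GET when there is no body, POST JSON otherwise; returns the parsed reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method="POST" if body is not None else "GET",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def revoke_role(org_id, token, role_id, subject_type, subject_id):
    """List, remove only if the binding exists, then list again to confirm.
    The update may still be in progress right after the call, so treat
    "still-bound" as "re-check shortly" rather than as a failure."""
    base = f"{API}/organizations/{org_id}"
    before = bindings_for_subject(_call(f"{base}:listAccessBindings", token), subject_id)
    if role_id not in before:
        return "not-bound"
    _call(f"{base}:updateAccessBindings", token,
          remove_binding_body(role_id, subject_type, subject_id))
    after = bindings_for_subject(_call(f"{base}:listAccessBindings", token), subject_id)
    return "revoked" if role_id not in after else "still-bound"


# Constructed sample mirroring the list-access-bindings result shown above.
SAMPLE_LIST = {"accessBindings": [
    {"subject": {"id": "aje3r40rsemj********", "type": "userAccount"},
     "roleId": "organization-manager.organizations.owner"},
    {"subject": {"id": "aje6o61dvog2********", "type": "userAccount"},
     "roleId": "organization-manager.admin"}]}
```

Run `revoke_role(os.environ["ORGANIZATION_ID"], os.environ["IAM_TOKEN"], "organization-manager.admin", "userAccount", "<subject_ID>")` against a real organization; the two pure helpers can be checked against SAMPLE_LIST without network access.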