Viewing a list of a subject's accesses
You can have a centralized view of the full list of access permissions for the organization's resources held by individual subjects and groups. This can be done either via Yandex Security Deck
Only organization members who have the organization-manager.viewer role or higher for the organization can view access permissions in the Security Deck interface.
Access diagnostics via the Yandex Cloud CLI is available from release 0.171 onward.
To get a list of a subject's accesses to the organization's resources:
- Log in as an organization user with the organization-manager.viewer role or higher for the organization.
- Go to Yandex Security Deck.
- In the left-hand panel, select CIEM.
- Click Select subject and in the window that opens:
  - Select the user, service account, user group, system group, or public group you need. Use search, if required.
  - Click Select.
- This will open a list of accesses assigned to the selected subject. For each access, the list indicates the resource name/ID and type, the role assigned to the subject for that resource, and whether the role was assigned to the subject directly or inherited from a group to which the subject belongs.
If the selected subject has multiple accesses, only some of them will be displayed. To display the remaining access permissions, click Load more at the bottom of the page.
Use filtering by resource ID, role ID, or access assignment method (Directly appointed or Assigned via group) as needed.
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
- See the description of the CLI command to get a list of a subject's accesses:

      yc iam access-analyzer list-subject-access-bindings --help

- Get the ID of the user, service account, or user group whose list of accesses you want to view.
- Use the yc iam access-analyzer list-subject-access-bindings command to get a list of the subject's accesses:

      yc iam access-analyzer list-subject-access-bindings \
        --organization-id=<organization_ID> \
        --subject-id=<subject_ID>

  Where:
  - --organization-id: Organization ID.
  - --subject-id: ID of a subject, i.e., a user, service account, user group, system group, or public group.

  Result:

      +---------+-------------------------+----------------------+----------+
      | ROLE ID | RESOURCE TYPE           | RESOURCE ID          | GROUP ID |
      +---------+-------------------------+----------------------+----------+
      | admin   | resource-manager.cloud  | b1g2c5615qja******** |          |
      | admin   | resource-manager.folder | b1gq979gqitb******** |          |
      +---------+-------------------------+----------------------+----------+

  You will get the list of accesses as a table. For each access, the list indicates the role assigned to the subject for a resource, as well as the resource type and ID. If the subject was not assigned the role directly but inherited it from a group, the list will indicate the group ID.
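As an added example (not part of the Yandex Cloud documentation or the yc tool itself), the script below parses the text table the command prints and summarizes what an access reviewer looks for first: privileged roles at cloud scope and roles that arrive through group membership. The sample table is constructed (the third row is invented to show a group-inherited binding), and the set of roles treated as privileged is an assumption to adjust to your own policy.

```python
"""Parse the table printed by `yc iam access-analyzer list-subject-access-bindings`
and flag bindings worth reviewing. Added example; not Yandex Cloud's own code."""
from collections import Counter

# Constructed sample in the CLI's default table format. The first two rows
# match the documentation; the third row is invented to show a group binding.
SAMPLE_OUTPUT = """\
+---------+-------------------------+----------------------+----------------------+
| ROLE ID | RESOURCE TYPE           | RESOURCE ID          | GROUP ID             |
+---------+-------------------------+----------------------+----------------------+
| admin   | resource-manager.cloud  | b1g2c5615qja******** |                      |
| admin   | resource-manager.folder | b1gq979gqitb******** |                      |
| viewer  | resource-manager.folder | b1gexample0folder000 | ajeexamplegroup00000 |
+---------+-------------------------+----------------------+----------------------+
"""

# Roles treated as high-privilege for this review (assumption; adjust to policy).
PRIVILEGED_ROLES = {"admin", "editor"}

def parse_bindings(text):
    """Return one dict per data row: role, resource_type, resource_id, group_id.
    group_id is None when the role was assigned to the subject directly."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                      # skip +---+ border lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] == "ROLE ID":
            continue                      # skip the header row
        role, rtype, rid, gid = cells
        rows.append({"role": role, "resource_type": rtype,
                     "resource_id": rid, "group_id": gid or None})
    return rows

def review(bindings):
    """Summarize privileged roles, cloud-scope admin rights, and group-inherited roles."""
    privileged = [b for b in bindings if b["role"] in PRIVILEGED_ROLES]
    cloud_admin = [b for b in privileged if b["resource_type"] == "resource-manager.cloud"]
    inherited = [b for b in bindings if b["group_id"]]
    return {"total": len(bindings),
            "privileged": len(privileged),
            "cloud_admin": [b["resource_id"] for b in cloud_admin],
            "inherited_via_groups": sorted({b["group_id"] for b in inherited}),
            "roles": dict(Counter(b["role"] for b in bindings))}

if __name__ == "__main__":
    print(review(parse_bindings(SAMPLE_OUTPUT)))
```

To run it against live output, pipe the command's table into the script instead of using the constructed sample.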