Getting started with Cloud Organization
To get started, create an organization and add users to it.
An organization is a workspace that combines different types of Yandex Cloud resources and users. Learn more about organizations, resources, and users.
Create an organization
- Log in to your Yandex account. If you do not have an account, create one.
- Go to Yandex Cloud Organization.
- Read the Yandex Cloud terms of use and click Log in.
- Enter your company name and description.
- Click Create organization.
After registering, you become the organization owner. You will be able to manage employee accounts, as well as connect and disable services.
Add employees
To provide your employees with access to the organization's services, connect them using their Yandex accounts. If your company already uses a different account management system (such as Active Directory or Google Workspace), configure an identity federation so that your employees can use their work accounts to access Yandex Cloud services.
Connect employees with Yandex accounts
If your employees have Yandex accounts (for example, login@yandex.com), they can use them to access the Yandex Cloud services enabled in your organization.
To connect employees with Yandex accounts:
- In the left-hand panel, select Users.
- In the top-right corner, click Invite users.
- Enter the email addresses of the users you want to invite to the organization (e.g., login@yandex.com).
  You can send invitations to any email address. Invited users will be able to select the appropriate Yandex account once they accept the invitation.
- Click Send invitation.
The users will be connected to the organization upon accepting the invitation via the emailed link and selecting an account for log-in.
Configure an identity federation
An identity federation is a technology that allows you to implement a Single Sign-On (SSO) authentication scheme and use corporate accounts to log in to Yandex Cloud Organization. In this case, your corporate account management system acts as an identity provider (IdP).
To configure your identity federation, follow these steps:
- In the left-hand panel, select Federations.
- Click Create federation.
- Enter the federation name and description.
- In the Cookie lifetime field, specify the time before the browser asks the user to re-authenticate.
- In the IdP Issuer field, specify the IdP server ID to be used for authentication. The IdP server must send the same ID in its response to Cloud Organization during user authentication.
  Note: ID format depends on the type of IdP server you use (for example, Active Directory or Google Workspace).
- In the Single Sign-On method field, choose POST.
- In the Link to the IdP login page field, specify the address of the page that the browser redirects the user to for authentication.
- Add an identity provider certificate to the created federation.
- Enable Automatically create users to add authenticated users to your organization automatically.
  If you do not enable this option, you will need to manually add your federated users.
- Configure the identity provider's server to transmit successful authentication information and user attributes to Yandex Cloud.
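As an added example (not part of the Yandex Cloud documentation), the following pre-flight check compares the values planned for the IdP Issuer and Link to the IdP login page fields, and the presence of a signing certificate, with what the IdP itself publishes. It assumes the IdP exposes standard SAML 2.0 metadata; the function name, the sample metadata and the idp.example.com addresses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata for a hypothetical IdP at idp.example.com.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_federation_settings(metadata_xml, idp_issuer, login_url):
    """List mismatches between IdP metadata and the planned federation fields."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["metadata has no IDPSSODescriptor"]
    problems = []
    # The IdP Issuer must equal the ID the IdP sends, character for character
    # (a trailing slash or case difference is a mismatch).
    entity_id = root.get("entityID", "")
    if entity_id != idp_issuer:
        problems.append(f"IdP Issuer {idp_issuer!r} != entityID {entity_id!r}")
    # The federation uses the POST method, so the login page must be the
    # endpoint the IdP advertises for the HTTP-POST binding.
    post_urls = [e.get("Location") for e in idp.iterfind("md:SingleSignOnService", NS)
                 if e.get("Binding") == POST_BINDING]
    if login_url not in post_urls:
        problems.append(f"login page {login_url!r} not in POST endpoints {post_urls}")
    # A signing certificate must exist to add to the federation.
    has_cert = any(k.get("use") in (None, "signing")
                   and k.find(".//ds:X509Certificate", NS) is not None
                   for k in idp.iterfind("md:KeyDescriptor", NS))
    if not has_cert:
        problems.append("no signing certificate in IdP metadata")
    return problems
```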
User attributes supported by Yandex Cloud Organization services are listed in identity federation setup guides for different identity providers: