© 2025 Direct Cursus Technology L.L.C.
In this article:

  • Getting started
  • Create an organization
  • Manage users
  • Add a user to your organization
  • Create a user group
  • Add the user to the group
  • Manage access
  • Assign a role to a user
  • Assign a role for a cloud or folder to a user group
  • Assign a role for an organization to a user group
  • Additional features
  • Create an identity federation
  • Enable access via OS Login
  • What's next

Getting started with Yandex Identity Hub

Written by
Yandex Cloud
Updated at July 15, 2025

An organization is the highest resource in the Yandex Cloud resource model hierarchy that consolidates the resources of all other services. Organizations are also used to manage users and their authentication and authorization settings.

When working with Yandex Cloud services, you create resources, such as managed database clusters, virtual machines, disks, networks, etc. Most services store their resources in folders. Folders belong to clouds, and clouds belong to organizations. A cloud may only belong to one organization, but you can move clouds between organizations. Yandex Resource Manager is a service that manages clouds and folders; Identity Hub manages organizations. Access to Yandex Cloud resources is managed via roles.

Yandex Cloud organization structure:

Getting started

  1. Go to the management console and log in to Yandex Cloud or sign up if not signed up yet.
  2. Accept the user agreement.
  3. In Yandex Cloud Billing, make sure you have a billing account linked and its status is ACTIVE or TRIAL_ACTIVE. If you do not have a billing account yet, create one.

Create an organization

Cloud Center UI
  1. Go to Yandex Identity Hub.

  2. Read the Yandex Cloud terms of use and click Log in.

  3. Enter your company name and description.

  4. Click Create a new organization.

After registering, you will become the organization owner. You will be able to manage employee accounts and to connect and disconnect services.

Manage users

Add a user to your organization

You can connect your employees using their Yandex accounts for access to the corporate services. If your company already uses a different account management system (such as Active Directory or Google Workspace), you can create an identity federation so that your employees can use their corporate accounts to access Yandex Cloud services.

To connect employees with Yandex accounts:

Cloud Center UI
  1. Go to Yandex Identity Hub.

  2. In the left-hand panel, select Users.

  3. In the top-right corner of the screen, click Add user and select Invite users with a Yandex account from the drop-down list.

  4. Enter the email addresses of the users you want to invite to the organization (e.g., login@yandex.ru).

    You can send invitations to any email address. Invited users will be able to select the appropriate Yandex account once they accept the invitation.

  5. Click Send invitation.

The user will be connected to the organization as soon as they accept the invitation via the emailed link and select the appropriate account to log in. After that, you will be able to assign them the required roles.

For more information about users, see Organization membership.

Create a user group

You can configure access for multiple users at once by adding them to a group and assigning a role to this group. You can grant access to any Yandex Cloud resources to the group.

To create a user group:

Cloud Center UI
  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Groups.

  3. In the top-right corner of the page, click Create group.

  4. Enter a name and description for the group.

    The name must be unique within the organization and satisfy the relevant requirements:

    • It must be from 1 to 63 characters long.
    • It may contain lowercase Latin letters, numbers, and hyphens.
    • It must start with a letter and cannot end with a hyphen.
  5. Click Create group.

Add the user to the group

Cloud Center UI
  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Groups and click the row with the name of the group you need.

  3. Navigate to the Members tab.

  4. Click Add member.

  5. In the window that opens, select the users or service accounts. You may want to use the search feature.

  6. Click Save.

Manage access

Assign a role to a user

To grant access to a resource, assign a role for the resource to the user. You can assign roles for an organization, cloud, or folder. The roles assigned to organizations, clouds, and folders also apply to their nested resources.
You can also assign roles to users to manage individual Yandex Cloud services using Yandex Identity and Access Management.

To assign a role to a user:

Cloud Center UI
  1. Log in to Yandex Identity Hub with an administrator or organization owner account.

  2. In the left-hand panel, select Access bindings.

  3. If the user already has at least one role, click and select Assign bindings in the row with this user.

    If the user is not on the list, click Assign bindings in the top-right corner. In the window that opens, select a user from the list or use the search bar.

  4. Click Add role and select the role you want to assign to the user. You can assign multiple roles.

    You can find the description of the available roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.

  5. Click Save.

Assign a role for a cloud or folder to a user group

Management console
  1. Log in to the management console with the cloud administrator or owner account.

  2. On the left side of the screen, click the line with the name of the cloud or folder for which you want to assign a role to a user group.

  3. At the top of the screen, go to the Access bindings tab and click Configure access. In the window that opens:

    1. Go to the Groups tab and select the group you need or search by group name.

      You can also assign a role to one of the system groups:

      • All users in organization X: The group includes all users in organization X.
      • All users in federation N: The group includes all users in federation N.
    2. Click Add role and select the role you want to assign to the group for the cloud or folder you selected earlier. You can assign multiple roles.

    3. Click Save.

Assign a role for an organization to a user group

Cloud Center UI
  1. Log in to Yandex Identity Hub using an administrator or organization owner account.

  2. In the left-hand panel, select Access bindings.

  3. At the top right, click Assign bindings.

  4. Go to the Groups tab and select the group you need or search by group name.

    You can also assign a role to one of the system groups:

    • All users in organization X: The group includes all users in organization X.
    • All users in federation N: The group includes all users in federation N.
  5. Click Add role and select the role for the organization you want to assign to the group. You can assign multiple roles.

  6. Click Save.
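
The inheritance rule and group bindings described in this section, shown as an added example (not Yandex Cloud code or API output): a small model that resolves which roles a user effectively holds on a folder and which binding grants each one. The resource, group, user and role names are constructed sample values.

```python
from collections import defaultdict

# Constructed hierarchy: child -> parent (folder -> cloud -> organization).
PARENT = {"folder-dev": "cloud-a", "folder-prod": "cloud-a",
          "cloud-a": "org-x", "org-x": None}

# Constructed group membership; "all-users-org-x" stands in for the
# system group "All users in organization X".
GROUPS = {
    "devs": {"alice", "bob"},
    "all-users-org-x": {"alice", "bob", "carol"},
}

# Access bindings as (resource, subject, role). Role names are sample values.
BINDINGS = [
    ("org-x", "group:all-users-org-x", "viewer"),
    ("cloud-a", "group:devs", "editor"),
    ("folder-prod", "user:carol", "admin"),
]

def subjects_of(user):
    """All subjects through which a binding can reach this user."""
    return {f"user:{user}"} | {f"group:{g}" for g, m in GROUPS.items() if user in m}

def ancestors(resource):
    """The resource itself, then each parent up to the organization."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]

def effective_roles(user, resource):
    """Map role -> list of (resource, subject) bindings that grant it."""
    subs = subjects_of(user)
    granted = defaultdict(list)
    for level in ancestors(resource):
        for res, subject, role in BINDINGS:
            if res == level and subject in subs:
                granted[role].append((res, subject))
    return dict(granted)

def broad_grants(system_groups=("all-users-org-x",)):
    """Bindings to system groups: they apply to every user the group covers."""
    names = {f"group:{g}" for g in system_groups}
    return [b for b in BINDINGS if b[1] in names]

if __name__ == "__main__":
    for user in ("alice", "carol"):
        print(user, effective_roles(user, "folder-prod"))
    print("review:", broad_grants())
```

Tracing each role back to the binding that grants it shows where a grant has to be revoked: removing a user's direct role on a folder changes nothing if the same access also arrives through a group bound at the cloud or organization level.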

Additional features

Create an identity federation

If your company has a user and access management system (e.g., Active Directory or Google Workspace), you can use it to authenticate employees in Yandex Identity Hub. This way, employees will access Yandex Cloud services using their corporate accounts.

For more information, see Identity federation.

Enable access via OS Login

With OS Login, you can manage SSH access to VMs by relying solely on the Yandex Identity and Access Management mechanisms. There is no need to upload SSH keys to each new VM when creating it. You can use OS Login to access both Yandex Compute Cloud VM instances and individual nodes in node groups within Yandex Managed Service for Kubernetes clusters.

OS Login benefits:

  • Instant update of user access permissions within a VM when revoking or assigning roles. If you revoke the roles, the user will lose access to all VMs with OS Login access enabled.
  • Multiple available options to access VMs: you can use both short-lived SSH certificates and SSH keys, including those added to the organization user profile.

For more information, see OS Login.

What's next

  • Learn more about the relationships between organizations and other services
  • Managing organizations
  • Managing user groups
  • Managing identity federations
  • Access control for user groups with different roles
