Yandex Identity Hub
Access management in Yandex Identity Hub

Written by
Yandex Cloud
Updated on November 13, 2025
  • Resources you can assign a role for
  • Roles this service has
    • Service roles
    • Primitive roles
    • Assigning a user as an organization administrator
    • Assigning a role to a user
    • Revoking a user's role
    • Assigning a role to a user group
  • What roles are assigned in an organization

Access management in Yandex Cloud uses role-based access control (RBAC). To grant a user certain privileges or access to a resource, you assign the user the appropriate roles.

Each role consists of a set of permissions that describe the operations that can be performed on a resource. A user can only assign a role whose permissions they hold themselves. For example, only a user with the organization owner role can assign that role: the administrator role is not sufficient.

If a resource has child resources, all permissions from the parent resource will be inherited by the child resources. For example, if you assign the administrator role for the organization hosting the cloud, all the role's permissions will apply to the cloud and all its nested resources.

For more information on access management in Yandex Cloud, see the Yandex Identity and Access Management documentation, How access management works in Yandex Cloud.

Resources you can assign a role for

You can assign a role to an organization, cloud, or folder. The roles assigned to organizations, clouds, and folders also apply to their nested resources.

You can assign a role for individual resources within the service using the Cloud Center interface, Yandex Cloud CLI, API, or Terraform:

  • User group
  • Organization
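The two rules above, inheritance down the resource tree and "you can only assign what you already hold", can be checked mechanically from the "This role includes ..." sentences in the role descriptions on this page. The following is an added example, not Yandex's own tooling or API: it transcribes those inclusion statements into a map, computes a subject's effective roles on a resource (with organization-level bindings applying to nested user groups), and decides whether a grantor may assign a given role. Roles stand in for the permission sets they carry; resource paths, subject names and the `org:`/`group:` path syntax are constructed for the example.

```python
"""Effective roles and assignability checks built from this page's inclusion rules.

Added example, not Yandex's own code. INCLUDES is transcribed from the
"This role includes ..." sentences on the page; roles are used as a proxy
for the permission sets they carry. Paths and names below are constructed.
"""
from __future__ import annotations

OM = "organization-manager."
OWNER = OM + "organizations.owner"

# Direct inclusions as stated on the page. Roles without an entry are leaves.
INCLUDES: dict[str, set[str]] = {
    OM + "auditor": {"iam.userAccounts.refreshTokenViewer", OM + "federations.auditor",
                     OM + "osLogins.viewer", OM + "userpools.auditor",
                     OM + "samlApplications.auditor", OM + "oauthApplications.auditor"},
    OM + "viewer": {OM + "auditor", OM + "federations.viewer", OM + "users.viewer",
                    OM + "samlApplications.viewer", OM + "oauthApplications.viewer",
                    OM + "userpools.viewer", OM + "idpInstances.billingViewer"},
    OM + "editor": {OM + "viewer", OM + "federations.editor", OM + "userpools.editor",
                    OM + "samlApplications.editor", OM + "oauthApplications.editor",
                    OM + "groups.editor"},
    OM + "admin": {OM + "editor", OM + "federations.admin", OM + "osLogins.admin",
                   OM + "userpools.admin", OM + "samlApplications.admin",
                   OM + "oauthApplications.admin", OM + "groups.memberAdmin",
                   OM + "groups.externalCreator", OM + "groups.externalManager",
                   OM + "idpInstances.billingAdmin", "src.repositories.admin"},
    OM + "federations.extGroupsManager": {OM + "federations.extGroupsViewer"},
    OM + "federations.extGroupsCleaner": {OM + "federations.extGroupsViewer"},
    OM + "federations.viewer": {OM + "federations.auditor", OM + "federations.extGroupsViewer"},
    OM + "federations.editor": {OM + "federations.viewer", OM + "federations.userAdmin"},
    OM + "federations.userAdmin": {"iam.userAccounts.refreshTokenRevoker"},
    OM + "federations.admin": {OM + "federations.editor", OM + "federations.extGroupsManager",
                               OM + "federations.extGroupsCleaner"},
    OM + "osLogins.admin": {OM + "osLogins.viewer"},
    OM + "groups.admin": {OM + "groups.editor", OM + "groups.memberAdmin"},
    OM + "oauthApplications.viewer": {OM + "oauthApplications.auditor"},
    OM + "oauthApplications.editor": {OM + "oauthApplications.viewer"},
}

# Roles the page says may modify access permissions, per resource kind:
# organization: admin and owner; user group: groups.admin, plus admin and owner,
# whose organization-level bindings are inherited by nested groups.
BINDING_MANAGERS: dict[str, set[str]] = {
    "org": {OM + "admin", OWNER},
    "group": {OM + "groups.admin", OM + "admin", OWNER},
}

Binding = tuple[str, str, str]  # (resource path, subject, role)


def closure(role: str) -> set[str]:
    """Every role transitively included in `role`, including `role` itself."""
    seen: set[str] = set()
    stack = [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(INCLUDES.get(r, ()))
    return seen


def effective_roles(bindings: list[Binding], subject: str, resource: str) -> set[str]:
    """Roles `subject` holds on `resource`, inherited from the resource and its ancestors."""
    held: set[str] = set()
    for res, subj, role in bindings:
        if subj == subject and (resource == res or resource.startswith(res + "/")):
            held |= closure(role)
    return held


def can_assign(bindings: list[Binding], grantor: str, role: str, resource: str) -> bool:
    """True if `grantor` may assign `role` on `resource`: the owner may do anything;
    anyone else must be allowed to modify bindings there and already hold every
    role that `role` includes."""
    kind = resource.rsplit("/", 1)[-1].split(":", 1)[0]   # "org" or "group"
    held = effective_roles(bindings, grantor, resource)
    if OWNER in held:
        return True
    return bool(held & BINDING_MANAGERS.get(kind, set())) and closure(role) <= held


# Constructed sample bindings: alice administers the organization, bob only edits it,
# dana owns it, and erin administers a single user group.
SAMPLE: list[Binding] = [
    ("org:example", "alice", OM + "admin"),
    ("org:example", "bob", OM + "editor"),
    ("org:example", "dana", OWNER),
    ("org:example/group:devops", "erin", OM + "groups.admin"),
]

if __name__ == "__main__":
    checks = [("alice", OM + "viewer", "org:example"),
              ("bob", OM + "viewer", "org:example"),
              ("alice", OWNER, "org:example"),
              ("dana", OM + "admin", "org:example"),
              ("alice", OM + "groups.editor", "org:example/group:devops"),
              ("erin", OM + "groups.editor", "org:example")]
    for grantor, role, res in checks:
        print(f"{grantor:5} assigns {role:45} on {res}: {can_assign(SAMPLE, grantor, role, res)}")
```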

Roles this service has

Service roles

organization-manager.auditor

The organization-manager.auditor role enables viewing info on the organization and its settings, identity federations that belong to the organization, user pools, SAML and OIDC applications, and the organization’s users and user groups.

Users with this role can:
  • View info on the Identity Hub organization and its settings.
  • View info on access permissions granted for the organization.
  • View the list of the organization’s users, info from the user accounts (except phone numbers), the latest authentication date, as well as the latest verification date for federated and local accounts via two-factor authentication.
  • View info on access permissions granted for entities in the Identity Hub organization.
  • View info on the organization’s identity federations.
  • View info on identity federation certificates.
  • View the list of federated user group mappings and info on them.
  • View info on the attributes of federated users.
  • View info on user pools and access permissions granted for them.
  • View info on the attributes of local users belonging to user pools.
  • View info on domains linked to the user pools.
  • View info on SAML and OIDC applications, as well as access permissions granted for them.
  • View the list of users added to SAML and OIDC applications.
  • Get the certificates of SAML applications.
  • View the list of organization users that are subscribed to technical notifications on organization events.
  • View info on MFA policies.
  • View info on the organization's OS Login settings.
  • View the list of OS Login profiles for users and service accounts.
  • View the list of the organization users' SSH keys and info on such keys.
  • View info on user groups and access permissions granted for them.
  • View the list of groups a certain user is a member of, as well as the list of users that are members of a certain group.
  • View info on the refresh tokens of the organization’s users and on the refresh token settings.
  • View info on the Identity Hub quotas.
  • View info on the effective tech support service plan.
  • View the list of technical support requests and the info on them, as well as create and close such requests, leave comments, and attach files to them.

This role includes the iam.userAccounts.refreshTokenViewer, organization-manager.federations.auditor, organization-manager.osLogins.viewer, organization-manager.userpools.auditor, organization-manager.samlApplications.auditor, and organization-manager.oauthApplications.auditor permissions.

organization-manager.viewer

The organization-manager.viewer role enables viewing info on the organization and its settings, identity federations that belong to the organization, user pools, SAML and OIDC applications, and the organization’s users and user groups.

Users with this role can:
  • View info on the Identity Hub organization and its settings.
  • View info on access permissions granted for the organization.
  • View the list of the organization's users, info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via two-factor authentication.
  • View info on access permissions granted for entities in the Identity Hub organization.
  • View info on the organization’s identity federations.
  • View info on identity federation certificates.
  • View the list of federated user group mappings and info on them.
  • View info on the attributes of federated users.
  • View info on user pools and access permissions granted for them.
  • View info on the attributes of local users belonging to user pools.
  • View user audit events.
  • View info on domains linked to the user pools.
  • View info on SAML and OIDC applications, as well as access permissions granted for them.
  • View the list of users added to SAML and OIDC applications.
  • Get the certificates of SAML applications.
  • View the list of organization users that are subscribed to technical notifications on organization events.
  • View info on MFA policies.
  • View info on the organization's OS Login settings.
  • View the list of OS Login profiles for users and service accounts.
  • View the list of the organization users' SSH keys and info on such keys.
  • View info on user groups and access permissions granted for them.
  • View the list of groups a certain user is a member of, as well as the list of users that are members of a certain group.
  • View the list of and info on Identity Hub user groups associated with identity federations and user pools through synchronization with user groups in Active Directory or another external source.
  • View info on a subscription to the paid-for Identity Hub features.
  • View usage stats for the quotas within a subscription to the paid-for Identity Hub features.
  • View the list of users who employ the Identity Hub authentication quota in the current reporting period.
  • View info on the refresh tokens of the organization’s users and on the refresh token settings.
  • View info on the Identity Hub quotas.
  • View info on the effective tech support service plan.
  • View the list of technical support requests and the info on them, as well as create and close such requests, leave comments, and attach files to them.

This role includes the organization-manager.auditor, organization-manager.federations.viewer, organization-manager.users.viewer, organization-manager.samlApplications.viewer, organization-manager.oauthApplications.viewer, organization-manager.userpools.viewer, and organization-manager.idpInstances.billingViewer permissions.

organization-manager.editor

The organization-manager.editor role enables managing organization settings, identity federations, user pools, SAML applications, OIDC applications, as well as users and user groups.

Users with this role can:
  • View and edit info on the relevant Identity Hub organization.
  • View and edit organization settings.
  • View info on access permissions granted for the organization.
  • View the list of the organization's users, info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via two-factor authentication.
  • View info on access permissions granted for entities in the Identity Hub organization.
  • View info on the identity federations in an organization and create, modify, and delete such federations.
  • Add and remove federated users.
  • View info on identity federation certificates and add, modify, and delete them.
  • Configure federated user group mapping.
  • View the lists of federated user group mappings and info on them, as well as create, edit, and delete such lists.
  • View info on the attributes of federated users, as well as create, modify, and delete such attributes.
  • View info on user pools and access permissions granted for them.
  • Create, modify, and delete user pools.
  • View info on domains linked to user pools, as well as add, confirm, and remove domains.
  • Create, delete, activate, and deactivate local users belonging to user pools.
  • View info on the attributes of local users.
  • View user audit events.
  • Edit user data, such as usernames, passwords, domains, emails, full names, and phone numbers.
  • View info on SAML and OIDC applications, as well as access permissions granted for them.
  • Create, deactivate, activate, modify, and delete SAML and OIDC applications.
  • View the list of users added to SAML and OIDC applications.
  • Get certificates of SAML applications and create, modify, and delete such certificates.
  • View the list of organization users that are subscribed to technical notifications on organization events, as well as edit this list.
  • View info on MFA policies and create, modify, activate, deactivate, and delete such policies.
  • Delete MFA factors for federated and local user accounts.
  • Reset the verification date for federated and local user accounts.
  • View info on the organization's OS Login settings.
  • View the list of OS Login profiles for users and service accounts.
  • View the list of the organization users' SSH keys and info on such keys.
  • View info on user groups, as well as create, modify, and delete them.
  • View info on access permissions granted for user groups.
  • View the list of groups a certain user is a member of, as well as the list of users that are members of a certain group.
  • View the list of and info on Identity Hub user groups associated with identity federations and user pools through synchronization with user groups in Active Directory or another external source.
  • View info on a subscription to the paid-for Identity Hub features.
  • View usage stats for the quotas within a subscription to the paid-for Identity Hub features.
  • View the list of users who employ the Identity Hub authentication quota in the current reporting period.
  • View and edit the refresh token settings in an organization.
  • View the info on the refresh tokens of the organization's users, as well as revoke such tokens.
  • View info on the Identity Hub quotas.
  • View info on the effective tech support service plan.
  • View the list of technical support requests and the info on them, as well as create and close such requests, leave comments, and attach files to them.

This role includes the organization-manager.viewer, organization-manager.federations.editor, organization-manager.userpools.editor, organization-manager.samlApplications.editor, organization-manager.oauthApplications.editor, and organization-manager.groups.editor permissions.

To configure user group mapping, the role must be assigned for the Identity Hub groups you intend to map.

organization-manager.admin

The organization-manager.admin role enables managing organization settings, identity federations, user pools, SAML applications, OIDC applications, users and user groups, and user access permissions to the organization and its resources.

Users with this role can:
  • Link a billing account to an Identity Hub organization.
  • View and edit info on the relevant Identity Hub organization.
  • View and edit organization settings.
  • View info on access permissions granted for the relevant organization and modify such permissions.
  • View the list of the organization's users, info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via two-factor authentication.
  • View info on access permissions granted for entities in the Identity Hub organization.
  • Remove users from the organization.
  • View info on invites to the organization sent to the users, as well as send and delete such invites.
  • View info on the identity federations in an organization and create, modify, and delete such federations.
  • Add and remove federated users.
  • View info on identity federation certificates and add, modify, and delete them.
  • Configure federated user group mapping.
  • View the lists of federated user group mappings and info on them, as well as create, edit, and delete such lists.
  • View info on the attributes of federated users, as well as create, modify, and delete such attributes.
  • View info on user pools and create, modify, and delete them.
  • View info on access permissions granted for the relevant user pools and modify such permissions.
  • View info on domains linked to user pools, as well as add, confirm, and remove domains.
  • Create, delete, activate, and deactivate local users belonging to user pools.
  • View info on the attributes of local users.
  • View user audit events.
  • Edit user data, such as usernames, passwords, domains, emails, full names, and phone numbers.
  • View info on SAML and OIDC applications, as well as create, deactivate, activate, modify, and delete them.
  • View info on access permissions granted for SAML and OIDC applications, as well as modify such permissions.
  • View and edit the list of users added to SAML and OIDC applications.
  • Get certificates of SAML applications and create, modify, and delete such certificates.
  • View the list of organization users that are subscribed to technical notifications on organization events, as well as edit this list.
  • View info on MFA policies and create, modify, activate, deactivate, and delete such policies.
  • Delete MFA factors for federated and local user accounts.
  • Reset the verification date for federated and local user accounts.
  • View info on the organization's OS Login settings and modify them.
  • View the list of users' and service accounts' OS Login profiles, as well as create, modify, and delete such profiles.
  • View the list of the organization users' SSH keys and info on such keys, as well as create, modify, and delete them.
  • View info on user groups, as well as create, modify, and delete them.
  • Add users and service accounts to and remove them from groups.
  • View info on access permissions granted for the relevant user groups and modify such permissions.
  • View the list of groups a certain user is a member of, as well as the list of users that are members of a certain group.
  • View the list of and info on Identity Hub user groups associated with identity federations and user pools through synchronization with user groups in Active Directory or another external source.
  • View the list of members belonging to Identity Hub user groups associated with user groups in Active Directory or another external source, as well as manage membership in such groups.
  • Associate user groups with identity federations and user pools through synchronization with user groups in Active Directory or another external source, as well as disassociate them.
  • Modify and delete Identity Hub user groups associated with user groups in Active Directory or another external source.
  • Link Identity Hub to a billing account.
  • View info on a subscription to the paid-for Identity Hub features.
  • View usage stats for the quotas within a subscription to the paid-for Identity Hub features, as well as edit these quotas.
  • View the list of users who employ the Identity Hub authentication quota in the current reporting period.
  • View and edit the refresh token settings in an organization.
  • View the info on the refresh tokens of the organization's users, as well as revoke such tokens.
  • View info on the Identity Hub quotas.
  • View info on the effective tech support service plan.
  • View the list of technical support requests and info on them, as well as create and close such requests, leave comments, and attach files to them.
  • View, create, modify, and delete SourceCraft repositories.
  • Read files from a SourceCraft repository.
  • View, create, edit, and delete pull requests in SourceCraft repositories.
  • Merge pull requests in SourceCraft repositories.
  • Push changes to regular and protected SourceCraft repository branches.
  • View, create, and edit private and public issues in SourceCraft repositories.
  • Change the issue access type in SourceCraft repositories.
  • Add reactions to issues in SourceCraft repositories.
  • View, create, edit, and delete comments to pull requests and private and public issues in SourceCraft repositories, as well as mark such comments as resolved.
  • View, create, edit, and delete SourceCraft repository tags.
  • Manage access permissions for a SourceCraft repository.
  • View, get, create, modify, and delete secrets in SourceCraft repositories.

This role includes the organization-manager.editor, organization-manager.federations.admin, organization-manager.osLogins.admin, organization-manager.userpools.admin, organization-manager.samlApplications.admin, organization-manager.oauthApplications.admin, organization-manager.groups.memberAdmin, organization-manager.groups.externalCreator, organization-manager.groups.externalManager, organization-manager.idpInstances.billingAdmin, and src.repositories.admin permissions.

To configure user group mapping, the role must be assigned for the Identity Hub groups you intend to map.

organization-manager.organizations.owner

The organization-manager.organizations.owner role enables performing any actions with the organization resources and billing accounts, which includes creating billing accounts and linking them to clouds. This role also enables assigning additional organization owners.

Before assigning this role, review the recommendations on protecting privileged accounts.

organization-manager.federations.extGroupsViewer

The organization-manager.federations.extGroupsViewer role enables viewing the list of and info on Identity Hub user groups associated with identity federations through synchronization with user groups in Active Directory or another external source.

organization-manager.federations.extGroupsManager

The organization-manager.federations.extGroupsManager role enables viewing the list of and info on Identity Hub user groups associated with identity federations through synchronization with user groups in Active Directory or another external source, as well as associating such groups with identity federations.

This role includes the organization-manager.federations.extGroupsViewer permissions.

organization-manager.federations.extGroupsCleaner

The organization-manager.federations.extGroupsCleaner role enables viewing the list of and info on Identity Hub user groups associated with identity federations through synchronization with user groups in Active Directory or another external source, as well as disassociating such groups from identity federations.

This role includes the organization-manager.federations.extGroupsViewer permissions.

organization-manager.federations.auditor

The organization-manager.federations.auditor role enables viewing info on the organization and its settings, the identity federations, and user group mappings.

Users with this role can:

  • View info on the Identity Hub organization and its settings.
  • View info on identity federations.
  • View info on certificates.
  • View the list of user group mappings and info on them.
  • View the list of the organization’s users, info from user accounts (except phone numbers), the latest authentication date, as well as the latest verification date for federated and local accounts via two-factor authentication.
  • View the list of groups that users are members of.
  • View the attributes of federated and local users.

organization-manager.federations.viewer

The organization-manager.federations.viewer role enables viewing info on the organization and its settings, the identity federations, and user group mappings.

Users with this role can:

  • View info on the Identity Hub organization and its settings.
  • View info on identity federations.
  • View info on certificates.
  • View the list of user group mappings and info on them.
  • View the list of the organization's users, info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via two-factor authentication.
  • View the list of groups that users are members of.
  • View the list of and info on Identity Hub user groups associated with identity federations through synchronization with user groups in Active Directory or another external source.
  • View the attributes of federated and local users.

This role includes the organization-manager.federations.auditor and organization-manager.federations.extGroupsViewer permissions.

organization-manager.federations.editor

The organization-manager.federations.editor role enables managing identity federations, federated users, and certificates, as well as viewing info on the organization, its settings, and users.

Users with this role can:

  • View info on the Identity Hub organization and its settings.
  • View info on identity federations and create, modify, and delete such federations.
  • View info on certificates and create, modify, and delete them.
  • Add and remove federated users.
  • Revoke federated users' refresh tokens.
  • Delete MFA factors for federated and local user accounts.
  • Reset the verification date for federated and local user accounts.
  • Configure mapping for federated user groups.
  • View the lists of federated user group mappings and info on them, as well as create, edit, and delete such lists.
  • View the list of the organization's users, info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via two-factor authentication.
  • View the list of groups that users are members of.
  • View the list of and info on Identity Hub user groups associated with identity federations through synchronization with user groups in Active Directory or another external source.
  • View the attributes of federated and local users.

This role includes the organization-manager.federations.viewer and organization-manager.federations.userAdmin permissions.

To configure user group mapping, the role must be assigned for the Identity Hub groups you intend to map.

organization-manager.federations.userAdmin

The organization-manager.federations.userAdmin role enables adding and removing federated users to/from an organization, revoking refresh tokens, managing user accounts’ MFA factors, and viewing the list of the organization’s users as well as info from their accounts.

Users with this role can:

  • Add and remove federated users.
  • Revoke federated users’ refresh tokens.
  • Delete MFA factors for federated and local user accounts.
  • Reset the verification date for federated and local user accounts.
  • View the list of the organization’s users, info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via two-factor authentication.
  • View the list of groups that users are members of.
  • View the attributes of federated and local users.

This role includes the iam.userAccounts.refreshTokenRevoker permissions.

organization-manager.federations.admin

The organization-manager.federations.admin role enables managing identity federations, federated users, and certificates, as well as viewing info on the organization, its settings, and users.

Users with this role can:

  • View info on the Identity Hub organization and its settings.
  • View info on identity federations and create, modify, and delete such federations.
  • View info on certificates and create, modify, and delete them.
  • Add and remove federated users.
  • Revoke federated users' refresh tokens.
  • Delete MFA factors for federated and local user accounts.
  • Reset the verification date for federated and local user accounts.
  • Configure mapping for federated user groups.
  • View the lists of federated user group mappings and info on them, as well as create, edit, and delete such lists.
  • View the list of the organization's users, info on them (including their phone number), their latest authentication date, and the latest verification date for federated and local accounts via two-factor authentication.
  • View the list of groups that users are members of.
  • View the list of and info on Identity Hub user groups associated with identity federations through synchronization with user groups in Active Directory or another external source.
  • Associate user groups with identity federations through synchronization with user groups in Active Directory or another external source, as well as disassociate them.
  • View the attributes of federated and local users.

This role includes the organization-manager.federations.editor, organization-manager.federations.extGroupsManager, and organization-manager.federations.extGroupsCleaner permissions.

To configure user group mapping, the role must be assigned for the Identity Hub groups you intend to map.

organization-manager.osLogins.viewer

The organization-manager.osLogins.viewer role enables viewing the organization's OS Login settings and the list of the users' and service accounts’ OS Login profiles, as well as viewing the list of the users' SSH keys and the info on them.

organization-manager.osLogins.admin

The organization-manager.osLogins.admin role enables managing the organization's OS Login settings, as well as the users' OS Login profiles and SSH keys.

Users with this role can:

  • View info on the organization's OS Login settings and modify them.
  • View the list of the organization users' and service accounts’ OS Login profiles, as well as create, modify, and delete such profiles.
  • View the list of the organization users' SSH keys and info on such keys, as well as create, modify, and delete them.

This role includes the organization-manager.osLogins.viewer permissions.

organization-manager.groups.externalCreator

The organization-manager.groups.externalCreator role enables creating Identity Hub user groups when synchronizing with user groups in Active Directory or another external source.

organization-manager.groups.externalConverter

The organization-manager.groups.externalConverter role enables adding an attribute with an external group ID to Identity Hub user groups when synchronizing with user groups in Active Directory or another external source.

organization-manager.groups.externalManager

The organization-manager.groups.externalManager role enables managing Identity Hub user groups associated with user groups in Active Directory or another external source.

Users with this role can:

  • Associate Identity Hub user groups with user groups in Active Directory or another external source.
  • Modify and delete Identity Hub user groups associated with user groups in Active Directory or another external source.
  • View the list of members belonging to Identity Hub user groups associated with user groups in Active Directory or another external source, as well as manage membership in such groups.
  • View info on access permissions granted for Identity Hub user groups.

organization-manager.groups.editor

The organization-manager.groups.editor role enables managing user groups.

This role can be assigned for an organization or a user group.

Users with this role can:

  • View info on user groups, as well as create, modify, and delete them.
  • View the list of users and service accounts belonging to user groups.
  • View info on access permissions granted for user groups.

organization-manager.groups.memberAdmin

The organization-manager.groups.memberAdmin role enables viewing the info on user groups, as well as viewing and modifying the lists of users and service accounts that are members of groups.

organization-manager.groups.admin

The organization-manager.groups.admin role enables managing user groups and access to them, as well as the users that belong to them.

This role can be assigned for an organization or a user group.

Users with this role can:

  • View info on user groups, as well as create, modify, and delete them.
  • View info on access permissions granted for the relevant user groups and modify such permissions.
  • View the list of users and service accounts belonging to user groups.
  • Add users and service accounts to and remove them from groups.

This role includes the organization-manager.groups.editor and organization-manager.groups.memberAdmin permissions.

organization-manager.users.viewer

The organization-manager.users.viewer role enables viewing the list of the organization’s users, info on them (including their phone number), their attributes, the latest verification date for federated and local accounts via two-factor authentication, and the lists of groups the users belong to.

organization-manager.passportUserAdmin

The organization-manager.passportUserAdmin role enables viewing info on the organization’s users, as well as inviting users with Yandex accounts to the organization and removing them from it.

Users with this role can:

  • Send and resend invites to the organization to new users with Yandex accounts, as well as view and delete such invites.
  • Delete user accounts from the organization.
  • View the list of the organization’s users, info from user accounts (except phone numbers), the latest authentication date, as well as the latest verification date for federated and local accounts via two-factor authentication.
  • View the attributes of the organization’s federated and local users.

organization-manager.oauthApplications.auditor

The organization-manager.oauthApplications.auditor role enables viewing info on OIDC applications and the access permissions granted for them, as well as viewing the list of users added to OIDC applications.

organization-manager.oauthApplications.viewer

The organization-manager.oauthApplications.viewer role enables viewing info on OIDC applications and the access permissions granted for them, as well as viewing the list of users added to OIDC applications.

This role includes the organization-manager.oauthApplications.auditor permissions.

organization-manager.oauthApplications.editor

The organization-manager.oauthApplications.editor role enables managing OIDC applications and viewing the users added to them.

Users with this role can:

  • View info on OIDC applications and the access permissions granted for them.
  • Create, deactivate, activate, modify, and delete OIDC applications.
  • View the list of the users added to OIDC applications.

This role includes the organization-manager.oauthApplications.viewer permissions.

organization-manager.oauthApplications.userAdmin

The organization-manager.oauthApplications.userAdmin role enables viewing and editing the list of the users added to an OIDC application.

organization-manager.oauthApplications.admin

The organization-manager.oauthApplications.admin role enables managing OIDC applications and access to them, as well as users added to such OIDC applications.

Users with this role can:

  • View info on OIDC applications, as well as create, deactivate, activate, modify, and delete them.
  • View info on the access permissions granted for the relevant OIDC applications and modify such permissions.
  • View and edit the list of the users added to OIDC applications.

This role includes the organization-manager.oauthApplications.editor and organization-manager.oauthApplications.userAdmin permissions.

organization-manager.samlApplications.auditor

The organization-manager.samlApplications.auditor role enables viewing info on SAML applications and the access permissions granted for them, viewing the list of users added to SAML applications, and getting certificates for SAML applications.

organization-manager.samlApplications.viewer

The organization-manager.samlApplications.viewer role enables viewing info on SAML applications and the access permissions granted for them, viewing the list of users added to SAML applications, and getting certificates for SAML applications.

This role includes the organization-manager.samlApplications.auditor permissions.

organization-manager.samlApplications.editor

The organization-manager.samlApplications.editor role enables managing SAML applications and viewing the users added to them.

Users with this role can:

  • View info on SAML applications and the access permissions granted for them.
  • Create, deactivate, activate, modify, and delete SAML applications.
  • Get certificates of SAML applications and create, modify, and delete such certificates.
  • View the list of the users added to SAML applications.
  • View the list of the users added to OIDC applications.

This role includes the organization-manager.samlApplications.viewer permissions.

organization-manager.samlApplications.userAdmin

The organization-manager.samlApplications.userAdmin role enables viewing and editing the list of the users added to a SAML application.

organization-manager.samlApplications.admin

The organization-manager.samlApplications.admin role enables managing SAML applications and access to them, as well as users added to such SAML applications.

Users with this role can:

  • View info on SAML applications, as well as create, deactivate, activate, modify, and delete them.
  • View info on the access permissions granted for the relevant SAML applications and modify such permissions.
  • Get certificates of SAML applications and create, modify, and delete such certificates.
  • View and edit the list of the users added to SAML applications.
  • View the list of the users added to OIDC applications.

This role includes the organization-manager.samlApplications.editor and organization-manager.samlApplications.userAdmin permissions.

organization-manager.userpools.extGroupsViewer

The organization-manager.userpools.extGroupsViewer role enables viewing the list of and info on Identity Hub user groups associated with user pools through synchronization with user groups in Active Directory or another external source.

organization-manager.userpools.extGroupsManager

The organization-manager.userpools.extGroupsManager role enables viewing the list of and info on Identity Hub user groups associated with user pools through synchronization with user groups in Active Directory or another external source, as well as associating such groups with user pools.

This role includes the organization-manager.userpools.extGroupsViewer permissions.

organization-manager.userpools.extGroupsCleaner

The organization-manager.userpools.extGroupsCleaner role enables viewing the list of and info on Identity Hub user groups associated with user pools through synchronization with user groups in Active Directory or another external source, as well as disassociating such groups from user pools.

This role includes the organization-manager.userpools.extGroupsViewer permissions.

organization-manager.userpools.syncAgent

The organization-manager.userpools.syncAgent role enables synchronizing Identity Hub users and groups with users and groups in Active Directory or another external source.

Users with this role can:

  • View info on sync sessions between Identity Hub AD Sync Agent and Identity Hub, as well as create and modify such sessions.
  • View info on user pools and sync settings in user pools.
  • View the list of and info on Identity Hub user groups associated with user pools through synchronization with user groups in Active Directory or another external source.
  • Associate user groups with user pools through synchronization with user groups in Active Directory or another external source.
  • View info on Identity Hub users, create, modify, activate, deactivate, and delete such users, as well as edit their passwords and other data.

This role includes the organization-manager.userpools.extGroupsManager permissions.

organization-manager.userpools.auditor

The organization-manager.userpools.auditor role enables viewing info on user pools and the organization’s users.

Users with this role can:

  • View info on user pools and access permissions granted for them.
  • View info on domains linked to user pools.
  • View the list of the organization’s users, info from user accounts (except phone numbers), the latest authentication date, as well as the latest verification date for federated and local accounts via two-factor authentication.
  • View the list of groups that users are members of.
  • View the attributes of federated and local users.

organization-manager.userpools.viewer

The organization-manager.userpools.viewer role enables viewing info on user pools, as well as viewing the list of organization users and info on them.

Users with this role can:

  • View info on user pools and access permissions granted for them.
  • View info on domains linked to user pools.
  • View the list of the organization's users, info on them (including their phone number), their latest authentication date, as well as the latest verification date for federated and local accounts via two-factor authentication.
  • View user audit events.
  • View the list of groups that users are members of.
  • View the list of and info on Identity Hub user groups associated with user pools through synchronization with user groups in Active Directory or another external source.
  • View the attributes of federated and local users.

This role includes the organization-manager.userpools.auditor and organization-manager.userpools.extGroupsViewer permissions.

organization-manager.userpools.editor

The organization-manager.userpools.editor role enables managing user pools and users that belong to them.

Users with this role can:

  • View info on user pools and access permissions granted for them.
  • Create, modify, and delete user pools.
  • View info on domains associated with user pools, as well as add, confirm, and remove domains.
  • View the list of the organization's users, info on them (including their phone number), their latest authentication date, as well as the latest verification date for federated and local accounts via two-factor authentication.
  • Create, delete, activate, and deactivate users belonging to user pools.
  • Edit user data, such as usernames, passwords, domains, emails, full names, and phone numbers.
  • Delete MFA factors for federated and local user accounts.
  • Reset the verification date for federated and local user accounts.
  • Revoke refresh tokens from users.
  • View user audit events.
  • View the list of groups that users are members of.
  • View the list of and info on Identity Hub user groups associated with user pools through synchronization with user groups in Active Directory or another external source.
  • View the attributes of federated and local users.

This role includes the organization-manager.userpools.userAdmin and organization-manager.userpools.viewer permissions.

organization-manager.userpools.userAdmin

The organization-manager.userpools.userAdmin role enables managing organization users belonging to user pools.

Users with this role can:

  • View the list of the organization’s users, info on them (including their phone number), their latest authentication date, as well as the latest verification date for federated and local accounts via two-factor authentication.
  • Create, delete, activate, and deactivate local users belonging to user pools.
  • Edit user data, such as usernames, passwords, domains, emails, full names, and phone numbers.
  • Delete MFA factors for federated and local user accounts.
  • Reset the verification date for federated and local user accounts.
  • Revoke refresh tokens from users.
  • View the list of groups that users are members of.
  • View the attributes of federated and local users.

This role includes the iam.userAccounts.refreshTokenRevoker permissions.

organization-manager.userpools.admin

The organization-manager.userpools.admin role enables managing user pools and access to them, as well as users that belong to them.

Users with this role can:

  • View info on user pools and create, modify, and delete them.
  • View info on access permissions granted for the relevant user pools and modify such permissions.
  • View info on domains associated with user pools, as well as add, confirm, and remove domains.
  • View the list of the organization's users, info on them (including their phone number), their latest authentication date, as well as the latest verification date for federated and local accounts via two-factor authentication.
  • Create, delete, activate, and deactivate users belonging to user pools.
  • Edit user data, such as usernames, passwords, domains, emails, full names, and phone numbers.
  • Delete MFA factors for federated and local user accounts.
  • Reset the verification date for federated and local user accounts.
  • Revoke refresh tokens from users.
  • View user audit events.
  • View the list of groups that users are members of.
  • View the list of and info on Identity Hub user groups associated with user pools through synchronization with user groups in Active Directory or another external source.
  • Associate user groups with user pools through synchronization with user groups in Active Directory or another external source, as well as disassociate them.
  • View the attributes of federated and local users.

This role includes the organization-manager.userpools.editor, organization-manager.userpools.extGroupsManager, and organization-manager.userpools.extGroupsCleaner permissions.

organization-manager.idpInstances.billingViewer

The organization-manager.idpInstances.billingViewer role enables viewing the list of users who employ the Identity Hub authentication quota in the current reporting period, as well as viewing info on a subscription to the paid-for Identity Hub features and stats regarding the use of the quotas within this subscription.

organization-manager.idpInstances.billingAdmin

The organization-manager.idpInstances.billingAdmin role enables managing a subscription to the paid-for Identity Hub features.

Users with this role can:

  • Link Identity Hub to a billing account.
  • View info on a subscription to the paid-for Identity Hub features.
  • View stats on the use of the quotas within a subscription to the paid-for Identity Hub features, as well as edit these quotas.
  • View the list of users who employ the Identity Hub authentication quota in the current reporting period.

This role includes the organization-manager.idpInstances.billingViewer permissions.

Primitive roles

Primitive roles allow users to perform actions in all Yandex Cloud services.

auditor

The auditor role grants permission to read the configuration and metadata of any Yandex Cloud resource, without any access to data.

For instance, users with this role can:

  • View info on a resource.
  • View the resource metadata.
  • View the list of operations with a resource.

auditor is the most restrictive role: it grants no access to service data. It suits users who need minimum access to Yandex Cloud resources.

viewer

The viewer role grants the permissions to read the info on any Yandex Cloud resources.

This role includes the auditor permissions.

Unlike auditor, the viewer role provides access to service data in read mode.

editor

The editor role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.

For instance, users with this role can create, modify, and delete resources.

This role includes the viewer permissions.

admin

The admin role enables assigning any roles, except for resource-manager.clouds.owner and organization-manager.organizations.owner, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).

Prior to assigning the admin role for an organization, cloud, or billing account, make sure to check out the information on protecting privileged accounts.

This role includes the editor permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the least privilege principle.

For more information about primitive roles, see the Yandex Cloud role reference.

Assigning a user as an organization administrator

To grant a user permissions to manage an organization, assign them the organization-manager.admin role.

Assigning a role to a user

Organization administrators and owners can assign roles in Yandex Identity Hub. You can assign to users not just organization management roles but also roles for access to your organization's connected cloud resources.

For information about roles available in Yandex Cloud and their associated permissions, see the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.

Cloud Center UI

  1. Log in to Yandex Identity Hub with an administrator or organization owner account.

  2. In the left-hand panel, select Access bindings.

  3. If the user already has at least one role, click and select Assign bindings in the row with this user.

    If the user is not on the list, click Assign bindings in the top-right corner. In the window that opens, select a user from the list or use the search bar.

  4. Click Add role and select the role you want to assign to the user. You can assign multiple roles.

    You can find the description of the available roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.

  5. Click Save.

CLI

  1. Select the role you want to assign. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.

  2. Get the user ID.

  3. To assign the role, run the following command:

    yc <service_name> <resource> add-access-binding <resource_name_or_ID> \
        --role <role_ID> \
        --subject <subject_type>:<subject_ID>
    
    • <service_name>: Name of the service for whose resource you are assigning the role, e.g., organization-manager.
    • <resource>: Resource category. For an organization, it is always organization.
    • <resource_name_or_ID>: Resource name or ID. For an organization, use its technical name.
    • --role: Role ID, e.g., organization-manager.admin.
    • --subject: Type and ID of the subject the role is assigned to.

    For example, this command assigns the administrator role for the organization with the bpf3crucp1v2******** ID:

    yc organization-manager organization add-access-binding bpf3crucp1v2******** \
        --role organization-manager.admin \
        --subject userAccount:aje6o61dvog2********
    

Terraform

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. Describe the parameters of the roles you assign in the configuration file:

    • organization_id: Organization ID.
    • role: Role you want to assign. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference. For each role, you can only use one yandex_organizationmanager_organization_iam_binding resource.
    • members: Array of the IDs of users to assign the role to:
      • userAccount:{user_id}: User Yandex account ID.
      • serviceAccount:{service_account_id}: Service account ID.
      • federatedUser:{federated_user_id}: Federated user ID.

    Here is an example of the configuration file structure:

    resource "yandex_organizationmanager_organization_iam_binding" "editor" {
      organization_id = "<organization_ID>"
      role = "editor"
      members = [
       "federatedUser:<user_ID>",
      ]
    }
    

    For more information about the resources you can create with Terraform, see the relevant provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.
    2. Run a check using this command:
    terraform plan
    

    If the configuration is described correctly, the terminal will display a list of the assigned roles. If the configuration contains any errors, Terraform will show them.

  3. Assign roles.

    If the configuration does not contain any errors, run this command:

    terraform apply
    

    This assigns the roles in the specified organization.

API

Use the updateAccessBindings method for the appropriate resource.

  1. Select the role you want to assign. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.

  2. Get the user ID.

  3. Create the request body, e.g., in the body.json file. In the action property, enter ADD and specify the userAccount type and user ID under subject.

    Example of the body.json file:

    {
      "accessBindingDeltas": [{
        "action": "ADD",
        "accessBinding": {
          "roleId": "organization-manager.admin",
          "subject": {
            "id": "gfei8n54hmfh********",
            "type": "userAccount"
          }
        }
      }]
    }
    
  4. Assign the role. For example, for an organization with the bpf3crucp1v2******** ID:

    export ORGANIZATION_ID=bpf3crucp1v2********
    export IAM_TOKEN=CggaAT********
    curl \
      --request POST \
      --header "Content-Type: application/json" \
      --header "Authorization: Bearer ${IAM_TOKEN}" \
      --data '@body.json' \
      "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations/${ORGANIZATION_ID}:updateAccessBindings"
    

    For detailed instructions on assigning a role to a resource, please see the Yandex Identity and Access Management and Yandex Resource Manager documentation:

    • Setting up service account access permissions
    • Setting up cloud access permissions
    • Setting up folder access permissions

In a similar way, you can assign roles for an organization to a service account.

Revoking a user's role

If you want to deny a user access to a resource, revoke the relevant roles for this resource as well as for other resources access permissions can be inherited from. For more information on access management in Yandex Cloud, see the Yandex Identity and Access Management documentation.

The role can be revoked by a user with the organization-manager.admin or organization-manager.organizations.owner role. To learn how to grant a role to a user, see the Roles section.

Cloud Center UI

  1. Log in to Yandex Identity Hub with an administrator or organization owner account.

  2. In the left-hand panel, select Access bindings.

  3. Find the required user in the list. If required, use the search bar or filter.

  4. In the row with the user, click and select Assign bindings. In the window that opens:

    1. Click next to a role to delete it.

    2. Click Save.

CLI

To revoke a role from a subject, delete access permissions for the appropriate resource:

  1. View the roles and assignees for the resource:

    yc <service_name> <resource> list-access-bindings <resource_name_or_ID>
    
    • <service_name>: Name of the service the resource belongs to, e.g., organization-manager.
    • <resource>: Resource category. For an organization, it is always organization.
    • <resource_name_or_ID>: Resource name or ID. For an organization, use its technical name.

    For example, view the roles and assignees in an organization with the bpf3crucp1v2******** ID:

    yc organization-manager organization list-access-bindings bpf3crucp1v2********
    

    Result:

    +------------------------------------------+--------------+----------------------+
    |                 ROLE ID                  | SUBJECT TYPE |      SUBJECT ID      |
    +------------------------------------------+--------------+----------------------+
    | organization-manager.organizations.owner | userAccount  | aje3r40rsemj******** |
    | organization-manager.admin               | userAccount  | aje6o61dvog2******** |
    +------------------------------------------+--------------+----------------------+
    
  2. To delete access permissions, run this command:

    yc <service_name> <resource> remove-access-binding <resource_name_or_ID> \
        --role <role_ID> \
        --subject <subject_type>:<subject_ID>
    
    • --role: ID of the role to revoke, e.g., organization-manager.admin.
    • --subject: Type and ID of the subject to revoke the role from.

    For example, to revoke a role from a user with the aje6o61dvog2******** ID:

    yc organization-manager organization remove-access-binding bpf3crucp1v2******** \
        --role organization-manager.admin \
        --subject userAccount:aje6o61dvog2********
    

API

To revoke a role from a subject, delete access permissions for the appropriate resource:

  1. View the roles and assignees for the resource using the listAccessBindings method. For example, to view the roles in the organization with the bpf3crucp1v2******** ID:

    export ORGANIZATION_ID=bpf3crucp1v2********
    export IAM_TOKEN=CggaAT********
    curl \
      --header "Authorization: Bearer ${IAM_TOKEN}" \
      "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations/${ORGANIZATION_ID}:listAccessBindings"
    

    Result:

    {
    "accessBindings": [
    {
      "subject": {
      "id": "aje6o61dvog2********",
      "type": "userAccount"
      },
      "roleId": "organization-manager.admin"
    }
    ]
    }
    
  2. Create the request body, e.g., in the body.json file. In the request body, specify the access permissions to delete. For example, revoke the organization-manager.admin role from the aje6o61dvog2******** user:

    Example of the body.json file:

    {
      "accessBindingDeltas": [{
        "action": "REMOVE",
        "accessBinding": {
          "roleId": "organization-manager.admin",
          "subject": {
            "id": "aje6o61dvog2********",
            "type": "userAccount"
          }
        }
      }]
    }
    
  3. Revoke a role by deleting the specified permissions:

    export ORGANIZATION_ID=bpf3crucp1v2********
    export IAM_TOKEN=CggaAT********
    curl \
      --request POST \
      --header "Content-Type: application/json" \
      --header "Authorization: Bearer ${IAM_TOKEN}" \
      --data '@body.json' \
      "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations/${ORGANIZATION_ID}:updateAccessBindings"
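
As an added example (not code from the Yandex Cloud documentation), the script below ties the listAccessBindings and updateAccessBindings shapes shown above to the recommendation to prefer service roles over primitive ones: it finds primitive-role bindings in a response, builds one body that REMOVEs a primitive role and ADDs a service role for the same subject, refuses to build a REMOVE for a binding that is not actually present, and renders the equivalent yc commands. The response, its IDs and the helper names are constructed assumptions.

```python
"""Build updateAccessBindings request bodies from a listAccessBindings response.

Added example, not from the Yandex Cloud docs. The sample response below is
constructed to mirror the shape shown in the article; the IDs are masked
placeholders, not real subjects.
"""
import json

# Primitive roles grant access across every Yandex Cloud service; the article
# recommends replacing them with narrower service roles.
PRIMITIVE_ROLES = {"auditor", "viewer", "editor", "admin"}

# Constructed sample in the shape of a listAccessBindings response.
SAMPLE_LIST_RESPONSE = {
    "accessBindings": [
        {"subject": {"id": "aje3r40rsemj********", "type": "userAccount"},
         "roleId": "organization-manager.organizations.owner"},
        {"subject": {"id": "aje6o61dvog2********", "type": "userAccount"},
         "roleId": "organization-manager.admin"},
        {"subject": {"id": "ajebnf9fgh7k********", "type": "serviceAccount"},
         "roleId": "editor"},
        {"subject": {"id": "ajebnf9fgh7k********", "type": "serviceAccount"},
         "roleId": "organization-manager.users.viewer"},
    ]
}


def make_delta(action, role_id, subject_type, subject_id):
    """One accessBindingDeltas entry; action must be ADD or REMOVE."""
    if action not in ("ADD", "REMOVE"):
        raise ValueError(f"unsupported action: {action}")
    return {
        "action": action,
        "accessBinding": {
            "roleId": role_id,
            "subject": {"id": subject_id, "type": subject_type},
        },
    }


def find_primitive_bindings(list_response):
    """Bindings whose roleId is a primitive role: candidates for least-privilege cleanup."""
    return [b for b in list_response.get("accessBindings", [])
            if b["roleId"] in PRIMITIVE_ROLES]


def has_binding(list_response, role_id, subject_type, subject_id):
    """True if the response already contains exactly this role/subject binding."""
    return any(
        b["roleId"] == role_id
        and b["subject"]["type"] == subject_type
        and b["subject"]["id"] == subject_id
        for b in list_response.get("accessBindings", [])
    )


def replace_role(list_response, subject_type, subject_id, old_role, new_roles):
    """Body for updateAccessBindings that REMOVEs old_role and ADDs new_roles
    for one subject in a single request.

    The REMOVE is only emitted when the binding is present in the response, so a
    mistyped subject ID fails loudly instead of producing a silent no-op request.
    """
    if not has_binding(list_response, old_role, subject_type, subject_id):
        raise LookupError(f"{old_role} is not bound to {subject_type}:{subject_id}")
    deltas = [make_delta("REMOVE", old_role, subject_type, subject_id)]
    deltas += [make_delta("ADD", r, subject_type, subject_id) for r in new_roles]
    return {"accessBindingDeltas": deltas}


def render_body(body):
    """Serialize the body the way it would be saved to body.json for curl."""
    return json.dumps(body, indent=2)


def to_yc_commands(body, organization_id):
    """Equivalent yc CLI calls for each delta, for an organization resource."""
    verb = {"ADD": "add-access-binding", "REMOVE": "remove-access-binding"}
    cmds = []
    for d in body["accessBindingDeltas"]:
        ab = d["accessBinding"]
        cmds.append(
            f"yc organization-manager organization {verb[d['action']]} {organization_id} "
            f"--role {ab['roleId']} --subject {ab['subject']['type']}:{ab['subject']['id']}"
        )
    return cmds


if __name__ == "__main__":
    for b in find_primitive_bindings(SAMPLE_LIST_RESPONSE):
        print("primitive role found:", b["roleId"], b["subject"])
    body = replace_role(SAMPLE_LIST_RESPONSE, "serviceAccount", "ajebnf9fgh7k********",
                        "editor", ["organization-manager.groups.editor"])
    print(render_body(body))
    print("\n".join(to_yc_commands(body, "bpf3crucp1v2********")))
```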
    

Assigning a role to a user group

Assign a role to a user group to grant access to a resource. To grant group access permissions to a subject, see Configuring group management access.

In Yandex Identity Hub, you can assign a group a role for an organization, cloud, folder, another group, or service account.

Assigning a role for a cloud or folder

Management console

  1. Log in to the management console with the cloud administrator or owner account.

  2. On the left side of the screen, click the line with the name of the cloud or folder for which you want to assign a role to a user group.

  3. At the top of the screen, go to the Access bindings tab and click Configure access. In the window that opens:

    1. Go to the Groups tab and select the group you need or search by group name.

      You can also assign a role to one of the system groups:

      • All users in organization X: The group includes all users in organization X.
      • All users in federation N: The group includes all users in federation N.
    2. Click Add role and select the role you want to assign to the group for the cloud or folder you selected earlier. You can assign multiple roles.

    3. Click Save.

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

  1. Select a role from the Yandex Cloud role reference.

  2. Assign the role using this command:

    yc <service_name> <resource> add-access-binding <resource_name_or_ID> \
      --role <role_ID> \
      --subject group:<group_ID>
    

    Where:

    • --role: Role ID, e.g., resource-manager.clouds.owner.

    • --subject group: ID of the group the role is assigned to.

      To assign a role to one of the system groups, use the --organization-users <organization_ID> or --federation-users <federation_ID> parameter instead of --subject. In the parameter, provide the ID of the organization or identity federation, respectively, whose users you want to assign the role to.

      You can also assign a role to a system group using the --subject parameter. To do this, set it to the subject ID of the selected system group.

    For example, assign the resource-manager.viewer role for the mycloud cloud:

    yc resource-manager cloud add-access-binding mycloud \
      --role resource-manager.viewer \
      --subject group:aje6o61dvog2********
    

Terraform

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. Add the resource parameters to the configuration file and specify the required role and group:

    resource "yandex_resourcemanager_cloud_iam_member" "admin" {
      cloud_id    = "<cloud_ID>"
      role        = "<role_ID>"
      member      = "group:<group_ID>"
    }
    

    Where:

    • cloud_id: Cloud ID. You can also assign a role within an individual folder. To do this, specify folder_id instead of cloud_id and the required folder ID in the resource parameters.

    • role: Role to assign. This is a required parameter.

    • member: Group the role is assigned to. Use this format: group:<group_ID>. This is a required parameter.

      To assign a role to one of the system groups, specify the following in the member parameter:

      • system:group:organization:<organization_ID>:users: To assign a role to the All users in organization X system group.
      • system:group:federation:<federation_ID>:users: To assign a role to the All users in federation N system group.

    For more information about the yandex_resourcemanager_cloud_iam_member resource parameters, see this Terraform article.

  2. Create the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply
      
    2. Confirm creating the resources: type yes in the terminal and press Enter.

    This will create all the resources you need in the specified folder. You can check the new resource using the management console or this CLI command:

    yc resource-manager folder list-access-bindings <folder_name_or_ID>
    

API

Use the updateAccessBindings REST API method for the appropriate resource.

  1. Select a role from the Yandex Cloud role reference.

  2. Create the request body, e.g., in the body.json file. In the action property, enter ADD, and specify the group type and group ID under subject:

    body.json:

    {
      "accessBindingDeltas": [{
        "action": "ADD",
        "accessBinding": {
          "roleId": "editor",
          "subject": {
            "id": "<group_ID>",
            "type": "group"
          }
        }
      }]
    }
    
  3. Assign the role to the group. For example, for a folder with the b1gvmob95yys******** ID:

    export FOLDER_ID=b1gvmob95yys********
    export IAM_TOKEN=CggaAT********
    curl \
      --request POST \
      --header "Content-Type: application/json" \
      --header "Authorization: Bearer ${IAM_TOKEN}" \
      --data '@body.json' \
      "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
    

To learn how to assign a role for the respective resource, see:

  • Setting up service account access permissions.
  • Setting up cloud access permissions.
  • Setting up folder access permissions.

Assigning a role for an organization

Cloud Center UI
CLI
Terraform
  1. Log in to Yandex Identity Hub using an administrator or organization owner account.

  2. In the left-hand panel, select Access bindings.

  3. At the top right, click Assign bindings.

  4. Go to the Groups tab and select the group you need or search by group name.

    You can also assign a role to one of the system groups:

    • All users in organization X: The group includes all users in organization X.
    • All users in federation N: The group includes all users in federation N.
  5. Click Add role and select the role for the organization you want to assign to the group. You can assign multiple roles.

  6. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

  1. Assign the role to the group:

    yc organization-manager organization add-access-binding \
      --subject group:<group_ID> \
      --role <role_ID> \
      --organization-users <organization_ID> \
      --federation-users <federation_ID>
    

    To assign a role to one of the system groups, use --organization-users <organization_ID> or --federation-users <federation_ID> instead of the --subject parameter. In the parameter, provide the ID of the organization or identity federation whose users you want to assign the role to.

    You can also assign a role to a system group using the --subject parameter. To do this, set it to the subject ID of the selected system group.

  2. Make sure the requested permissions are granted:

    yc organization-manager organization list-access-bindings <organization_ID>
    

    The response contains a list of all roles assigned to users and groups in the organization:

    +------------------------------------------+--------------+----------------------+
    |                 ROLE ID                  | SUBJECT TYPE |      SUBJECT ID      |
    +------------------------------------------+--------------+----------------------+
    | organization-manager.admin               | userAccount  | ajev1p2345lj******** |
    | organization-manager.organizations.owner | userAccount  | ajev1p2345lj******** |
    | editor                                   | group        | ajev1p2345lj******** |
    | viewer                                   | group        | ajev1p2345lj******** |
    +------------------------------------------+--------------+----------------------+
    

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. Add the resource parameters to the configuration file and specify the required role and group:

    resource "yandex_organizationmanager_organization_iam_member" "users-editors" {
      organization_id = "<organization_ID>"
      role            = "<role_ID>"
      member          = "group:<group_ID>"
    }
    

    Where:

    • organization_id: Organization ID. This is a required parameter.

    • role: Role being assigned. This is a required parameter.

    • member: Group the role is assigned to. Use this format: group:<group_ID>. This is a required parameter.

      To assign a role to one of the system groups, specify the following in the member parameter:

      • system:group:organization:<organization_ID>:users: To assign a role to the All users in organization X system group.
      • system:group:federation:<federation_ID>:users: To assign a role to the All users in federation N system group.

    For more information about yandex_organizationmanager_organization_iam_member properties, see the relevant provider documentation.

  2. Create the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

    This will create all the resources you need in the specified organization. You can check the new access binding using the management console or this CLI command:

    yc organization-manager organization list-access-bindings <organization_ID>
    

What roles are assigned in an organization

You can view all roles assigned to subjects in an organization:

Cloud Center UI
CLI
API
  1. Log in to Yandex Identity Hub using an administrator or organization owner account.

  2. In the left-hand panel, select Access bindings.

  3. The Access bindings page will display information about users and roles assigned to them.

    If you have more than one organization, you can switch to the one you need. To do this, click the icon next to the name of the current organization in the top-left corner of the screen and select another one.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. To view a list of organizations available to you, run this command by substituting the organization ID:

    yc organization-manager organization list --organization-id <organization_ID>
    

    Result:

    +----------------------+-----------------------------+-------------------------+--------+
    |          ID          |            NAME             |          TITLE          | LABELS |
    +----------------------+-----------------------------+-------------------------+--------+
    | bpf1smsil5q0******** | org1-technical-name         | Organization One        |        |
    | bpf2c65rqcl8******** | org2-technical-name         | Organization Two        |        |
    | bpfaidqca8vd******** | org3-technical-name         | Organization Three      |        |
    +----------------------+-----------------------------+-------------------------+--------+
    

    Copy the ID of the organization you need from the ID column.

  2. See the description of the CLI command to get a list of roles assigned in an organization:

    yc organization-manager organization list-access-bindings --help
    
  3. Get a list of roles assigned in an organization by specifying its name or ID:

    yc organization-manager organization list-access-bindings <organization_ID>
    

    Result:

    +------------------------------------------+----------------+----------------------+
    |                 ROLE ID                  |  SUBJECT TYPE  |      SUBJECT ID      |
    +------------------------------------------+----------------+----------------------+
    | auditor                                  | serviceAccount | ajefbjkmgjt1******** |
    | admin                                    | userAccount    | asefbskmgjt1******** |
    | organization-manager.organizations.owner | userAccount    | ajcfabjkmgjt******** |
    +------------------------------------------+----------------+----------------------+
    

Use the ListAccessBindings REST API method for the Organization resource or the OrganizationService/ListAccessBindings gRPC API call.
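As an added example (not Yandex Cloud's own code), the following Python script builds the body.json shown in the REST API step above with input validation on the action and subject type, and parses the table printed by list-access-bindings (the sample output above is reused as constructed input) to flag owner- and admin-level bindings for review. The role names in PRIVILEGED_ROLES are taken from the tables on this page; the function names are this example's own.

```python
import json

# Added example (not Yandex Cloud code): builds the updateAccessBindings body
# from the page and audits 'yc ... list-access-bindings' table output.
ACTIONS = {"ADD", "REMOVE"}              # AccessBindingDelta actions
SUBJECT_TYPES = {"group", "userAccount", "serviceAccount"}
PRIVILEGED_ROLES = {"admin", "organization-manager.admin",
                    "organization-manager.organizations.owner"}

def build_delta_body(action, role_id, subject_id, subject_type="group"):
    """Return the body.json text for a single accessBindingDelta."""
    if action not in ACTIONS:
        raise ValueError(f"unsupported action: {action}")
    if subject_type not in SUBJECT_TYPES:
        raise ValueError(f"unsupported subject type: {subject_type}")
    body = {"accessBindingDeltas": [{
        "action": action,
        "accessBinding": {
            "roleId": role_id,
            "subject": {"id": subject_id, "type": subject_type},
        },
    }]}
    return json.dumps(body, indent=2)

def parse_bindings_table(text):
    """Parse the ASCII table printed by 'yc ... list-access-bindings'."""
    rows = []
    for line in text.splitlines():
        if not line.strip().startswith("|"):
            continue                      # skip +----+ border lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "ROLE ID":
            continue                      # skip the header row
        rows.append({"role_id": cells[0], "subject_type": cells[1],
                     "subject_id": cells[2]})
    return rows

def privileged_bindings(rows):
    """Return bindings that grant owner- or admin-level roles, for review."""
    return [r for r in rows if r["role_id"] in PRIVILEGED_ROLES]

# Constructed input: the sample CLI output shown on this page.
SAMPLE_OUTPUT = """\
+------------------------------------------+----------------+----------------------+
|                 ROLE ID                  |  SUBJECT TYPE  |      SUBJECT ID      |
+------------------------------------------+----------------+----------------------+
| auditor                                  | serviceAccount | ajefbjkmgjt1******** |
| admin                                    | userAccount    | asefbskmgjt1******** |
| organization-manager.organizations.owner | userAccount    | ajcfabjkmgjt******** |
+------------------------------------------+----------------+----------------------+
"""
```

Running privileged_bindings(parse_bindings_table(SAMPLE_OUTPUT)) over the sample returns the admin and owner bindings, which are the ones to confirm against your intended access model.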
