Access management in Yandex Cloud Organization
Access management in Yandex Cloud is based on the Role-Based Access Control (RBAC) model.
Each role consists of a set of permissions that describe the operations that can be performed with a resource. A user can only assign a role whose permissions are all available to the user themselves. For example, only a user with the organization owner role can assign this role: the administrator role is not sufficient to do this.
If a resource has child resources, all permissions from the parent resource will be inherited by the child resources. For example, if you assign the administrator role for the organization hosting the cloud, all the role's permissions will apply to the cloud and all its nested resources.
For more information about access control in Yandex Cloud, see the Yandex Identity and Access Management documentation, How access management works in Yandex Cloud.
Which resources you can assign a role for
You can assign a role to an organization, cloud, or folder. The roles assigned for organizations, clouds, or folders also apply to nested resources.
You can assign a role via the YC CLI or Yandex Cloud API for individual resources of the service:
Which roles exist in the service
Service roles
organization-manager.viewer
The organization-manager.viewer role enables viewing info on the organization, its users and user groups, and the OS Login settings.
Users with this role can:
- View info on the access permissions granted for the organization.
- View the list of the organization users.
- View the list of the groups the users are members of.
- View info on the OS Login settings and the list of the organization users' OS Login profiles.
- View the list of the organization users' SSH keys and the info on such keys.
- View the info on the effective tech support service plan.
This role also includes the organization-manager.osLogins.viewer permissions.
organization-manager.admin
The organization-manager.admin role enables managing organization settings, organization users and their groups, and the users' access permissions to the organization and its resources.
Users with this role can:
- Link a billing account to an organization.
- View info on the access permissions granted for the organization and its user groups and modify such permissions.
- View the list of the organization user groups and info on such groups, as well as view and modify the lists of users that are members of such groups.
- Configure user group mapping.
- View the list of the organization users and remove users from the organization.
- View the info on the invites to the organization sent to the users, as well as send and delete such invites.
- View info on the organization's OS Login settings and modify them.
- View the list of the organization users' OS Login profiles, as well as create, modify, and delete OS Login profiles.
- View the list of the organization users' SSH keys and info on such keys, as well as create, modify, and delete them.
- View the info on the effective tech support service plan.
This role also includes the organization-manager.viewer and organization-manager.osLogins.admin permissions.
organization-manager.organizations.owner
The organization-manager.organizations.owner role enables performing any actions with the organization resources and billing accounts, which includes creating billing accounts and linking them to clouds. This role also enables assigning additional organization owners.
Prior to assigning this role, make sure to check out the information on protecting privileged accounts.
organization-manager.federations.viewer
The organization-manager.federations.viewer role enables viewing info on the organization and its settings and on the identity federations and certificates, as well as the lists of user group mappings and the info on them.
organization-manager.federations.userAdmin
The organization-manager.federations.userAdmin role allows adding federated users to an organization and removing them from it, viewing the list of its users, and viewing federated users' attributes.
organization-manager.federations.admin
The organization-manager.federations.admin role enables creating, modifying, and deleting identity federations, certificates, and federated users, as well as viewing the organization settings and the info on the user group mapping.
Users with this role can:
- View info on the organization and its settings.
- View info on the identity federations and create, modify, and delete them.
- View info on the certificates and create, modify, and delete them.
- View the list of user group mappings and info on them.
- Create and delete federated users.
This role also includes the organization-manager.federations.viewer permissions.
organization-manager.osLogins.viewer
The organization-manager.osLogins.viewer role enables viewing the organization's OS Login settings and the list of the organization users' OS Login profiles, as well as viewing the list of the organization users' SSH keys and the info on them.
organization-manager.osLogins.admin
The organization-manager.osLogins.admin role enables managing the organization's OS Login settings, as well as the organization users' OS Login profiles and SSH keys.
Users with this role can:
- View info on the organization's OS Login settings and modify them.
- View the list of the organization users' OS Login profiles, as well as create, modify, and delete OS Login profiles.
- View the list of the organization users' SSH keys and info on such keys, as well as create, modify, and delete them.
This role also includes the organization-manager.osLogins.viewer permissions.
organization-manager.groups.memberAdmin
The organization-manager.groups.memberAdmin role enables viewing the info on user groups, configuring user group mapping, and viewing and modifying the lists of the users that are members of groups.
Primitive roles
Primitive roles allow users to perform actions in all Yandex Cloud services.
auditor
The auditor role grants permission to read the configuration and metadata of any Yandex Cloud resources without any access to data.
For instance, users with this role can:
- View info on a resource.
- View the resource metadata.
- View the list of operations with a resource.
auditor is the most secure role, as it does not grant any access to the service data. This role suits users who need minimum access to Yandex Cloud resources.
Currently, the auditor role is available for all Yandex Cloud services, except for:
- Yandex Data Streams
- Yandex Query
viewer
The viewer role grants the permissions to read the info on any Yandex Cloud resources.
This role also includes the auditor permissions.
Unlike auditor, the viewer role provides access to service data in read mode.
editor
The editor role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.
For instance, users with this role can create, modify, and delete resources.
This role also includes the viewer permissions.
admin
The admin role enables assigning any roles, except for resource-manager.clouds.owner and organization-manager.organizations.owner, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).
Prior to assigning the admin role for an organization, cloud, or billing account, make sure to check out the information on protecting privileged accounts.
This role also includes the editor permissions.
Instead of primitive roles, we recommend using service roles. This ensures more selective access control and implementation of the principle of least privilege.
For more information about primitive roles, see the Yandex Cloud role reference.
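As an added example (not part of the Yandex Cloud documentation or tooling), the following Python script audits a parsed listAccessBindings response, in the format this page shows for that method, against the recommendation above: it flags primitive roles, the roles that can grant other roles or that this page singles out for privileged-account protection, and redundant assignments already covered by another role the same subject holds through the inclusions listed above. The INCLUDES table and the PRIVILEGED set are transcribed from this page; the sample response is constructed.

```python
# Role inclusions as stated on this page ("This role also includes ... permissions").
INCLUDES = {
    "viewer": {"auditor"},
    "editor": {"viewer"},
    "admin": {"editor"},
    "organization-manager.viewer": {"organization-manager.osLogins.viewer"},
    "organization-manager.admin": {"organization-manager.viewer",
                                   "organization-manager.osLogins.admin"},
    "organization-manager.osLogins.admin": {"organization-manager.osLogins.viewer"},
    "organization-manager.federations.admin": {"organization-manager.federations.viewer"},
}
# Primitive roles: this page recommends service roles instead of these.
PRIMITIVE = {"auditor", "viewer", "editor", "admin"}
# Roles this page flags for privileged-account protection or that can assign roles.
PRIVILEGED = {"organization-manager.organizations.owner", "resource-manager.clouds.owner",
              "organization-manager.admin", "admin"}


def effective_roles(role):
    """Transitive closure over INCLUDES: the role plus every role it includes."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(INCLUDES.get(r, ()))
    return seen


def audit_bindings(response):
    """Findings for a parsed listAccessBindings response, as
    (finding, subject type, subject id, role) tuples ordered by subject, then role."""
    by_subject = {}
    for b in response["accessBindings"]:
        key = (b["subject"]["type"], b["subject"]["id"])
        by_subject.setdefault(key, set()).add(b["roleId"])
    findings = []
    for (stype, sid), roles in sorted(by_subject.items()):
        for role in sorted(roles):
            if role in PRIMITIVE:
                findings.append(("primitive-role", stype, sid, role))
            if role in PRIVILEGED:
                findings.append(("privileged-role", stype, sid, role))
            # Redundant: another role held by the same subject already includes this one.
            if any(role in effective_roles(other) for other in roles - {role}):
                findings.append(("redundant-role", stype, sid, role))
    return findings


# Constructed response in the format this page shows for listAccessBindings.
SAMPLE_RESPONSE = {"accessBindings": [
    {"subject": {"id": "aje6o61dvog2********", "type": "userAccount"},
     "roleId": "organization-manager.admin"},
    {"subject": {"id": "ajev1p2345lj********", "type": "group"}, "roleId": "editor"},
    {"subject": {"id": "ajev1p2345lj********", "type": "group"}, "roleId": "viewer"},
    {"subject": {"id": "aje3r40rsemj********", "type": "userAccount"},
     "roleId": "organization-manager.organizations.owner"},
]}

if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE_RESPONSE):
        print("%-16s %-12s %-22s %s" % finding)
```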
Appointing a user the organization administrator
To grant a user organization management access, assign the user one of the following roles:
- organization-manager.admin
- organization-manager.organizations.owner
Assigning a role to a user
Organization administrators and owners can assign roles in Yandex Cloud Organization. You can assign to users not just organization management roles but also roles for access to your organization's connected cloud resources.
For information about roles available in Yandex Cloud and their associated permissions, see the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.
In the management console:
- Log in as the organization administrator or owner.
- Go to Yandex Cloud Organization.
- In the left-hand panel, select Access bindings.
- If the respective user has at least one role, select it from the list or use the search bar at the top of the page. In the line with the user name, open the menu and select Assign bindings. If the user is not on the list, click Assign bindings in the top-right corner. In the window that opens, click Select subject and select the appropriate user from the list or use the search bar.
- Click Add role and enter the role name or select one from the list. You can find the description of the available roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.
- Click Save.
Using the YC CLI:
- Select the role you want to assign. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.
- Assign the role using the command:
yc <service_name> <resource> add-access-binding <resource_name_or_ID> \
  --role <role_ID> \
  --subject <subject_type>:<subject_ID>
Where:
  - <service_name>: Name of the service to whose resource the role is assigned, e.g., organization-manager.
  - <resource>: Resource category. For an organization, the category is organization.
  - <resource_name_or_ID>: Resource name or ID. Refer to an organization by its technical name.
  - --role: Role ID, e.g., organization-manager.admin.
  - --subject: Type and ID of the subject getting the role.
For example, assign the administrator role for the organization with the bpf3crucp1v2******** ID:
yc organization-manager organization add-access-binding bpf3crucp1v2******** \
  --role organization-manager.admin \
  --subject userAccount:aje6o61dvog2********
Using Terraform:
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- Describe the properties of the roles to be assigned in the configuration file:
  - organization_id: Organization ID.
  - role: Role you want to assign. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference. For each role, you can only use one yandex_organizationmanager_organization_iam_binding resource.
  - members: Array of the IDs of users to assign the role to:
    - userAccount:{user_id}: User's Yandex account ID.
    - serviceAccount:{service_account_id}: Service account ID.
    - federatedUser:{federated_user_id}: Federated user ID.
Here is an example of the configuration file structure:
resource "yandex_organizationmanager_organization_iam_binding" "editor" {
  organization_id = "<organization_ID>"
  role            = "editor"
  members         = [
    "federatedUser:<user_ID>",
  ]
}
For more information about resources you can create with Terraform, see the provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
terraform plan
If the configuration is described correctly, the terminal will display a list of the assigned roles. If the configuration contains any errors, Terraform will point them out.
- Assign roles. If the configuration does not contain any errors, run this command:
terraform apply
This assigns the roles in the specified organization.
Using the API:
Use the updateAccessBindings method for the corresponding resource.
- Select the role you want to assign. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.
- Create the request body, e.g., in the body.json file. Set the action property to ADD and specify the userAccount type and user ID in the subject property. Example body.json file:
{
  "accessBindingDeltas": [{
    "action": "ADD",
    "accessBinding": {
      "roleId": "organization-manager.admin",
      "subject": {
        "id": "gfei8n54hmfh********",
        "type": "userAccount"
      }
    }
  }]
}
- Assign the role. For example, for an organization with the bpf3crucp1v2******** ID:
export ORGANIZATION_ID=bpf3crucp1v2********
export IAM_TOKEN=CggaAT********
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${IAM_TOKEN}" \
  -d '@body.json' \
  "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations/${ORGANIZATION_ID}:updateAccessBindings"
For detailed instructions on assigning a role to a resource, please see the Yandex Identity and Access Management and Yandex Resource Manager documentation:
In a similar way, you can assign roles for an organization to a service account.
Revoking a user's role
If you want to deny a user access to a resource, revoke the relevant roles for this resource and for resources that grant inherited access rights. For more information on access control in Yandex Cloud, please see the Yandex Identity and Access Management documentation.
The role can be revoked by a user with the organization-manager.admin or organization-manager.organizations.owner role. To learn how to grant roles to a user, see Roles.
In the management console:
- Log in as the organization administrator or owner.
- Go to Yandex Cloud Organization.
- In the left-hand panel, select Access bindings.
- Select a user from the list or use the search bar at the top of the page.
- In the right-hand column, open the menu and select Assign bindings.
- Click the delete icon next to the role you want to revoke.
- Click Save.
Using the YC CLI:
To revoke a role from a subject, delete the corresponding access binding for the appropriate resource:
- View the roles and assignees for the resource:
yc <service_name> <resource> list-access-bindings <resource_name_or_ID>
Where:
  - <service_name>: Name of the service the resource belongs to, e.g., organization-manager.
  - <resource>: Resource category. For an organization, the category is organization.
  - <resource_name_or_ID>: Name or ID of the resource. Refer to an organization by its technical name.
For example, view the roles and assignees in an organization with the bpf3crucp1v2******** ID:
yc organization-manager organization list-access-bindings bpf3crucp1v2********
Result:
+------------------------------------------+--------------+----------------------+
|                 ROLE ID                  | SUBJECT TYPE |      SUBJECT ID      |
+------------------------------------------+--------------+----------------------+
| organization-manager.organizations.owner | userAccount  | aje3r40rsemj******** |
| organization-manager.admin               | userAccount  | aje6o61dvog2******** |
+------------------------------------------+--------------+----------------------+
- To delete an access binding, run:
yc <service_name> <resource> remove-access-binding <resource_name_or_ID> \
  --role <role_ID> \
  --subject <subject_type>:<subject_ID>
Where:
  - --role: ID of the role to be revoked, e.g., organization-manager.admin.
  - --subject: Type and ID of the subject whose role is revoked.
For example, to revoke a role from a user with the aje6o61dvog2******** ID:
yc organization-manager organization remove-access-binding bpf3crucp1v2******** \
  --role organization-manager.admin \
  --subject userAccount:aje6o61dvog2********
Using the API:
To revoke a resource role from a subject, delete the corresponding access binding:
- View the roles and assignees for the resource using the listAccessBindings method. For example, to view the roles in the organization with the bpf3crucp1v2******** ID:
export ORGANIZATION_ID=bpf3crucp1v2********
export IAM_TOKEN=CggaAT********
curl -H "Authorization: Bearer ${IAM_TOKEN}" \
  "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations/${ORGANIZATION_ID}:listAccessBindings"
Result:
{
  "accessBindings": [
    {
      "subject": {
        "id": "aje6o61dvog2********",
        "type": "userAccount"
      },
      "roleId": "organization-manager.admin"
    }
  ]
}
- Create the request body, for example, in the body.json file. In the request body, specify which access binding to delete. For example, revoke the organization-manager.admin role from the aje6o61dvog2******** user. Example of body.json file:
{
  "accessBindingDeltas": [{
    "action": "REMOVE",
    "accessBinding": {
      "roleId": "organization-manager.admin",
      "subject": {
        "id": "aje6o61dvog2********",
        "type": "userAccount"
      }
    }
  }]
}
- Revoke the role by deleting the specified access binding:
export ORGANIZATION_ID=bpf3crucp1v2********
export IAM_TOKEN=CggaAT********
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${IAM_TOKEN}" \
  -d '@body.json' \
  "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations/${ORGANIZATION_ID}:updateAccessBindings"
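The caveat at the top of this section, that a user keeps access until the bindings on the resource and on every parent that grants inherited access are all revoked, as an added Python example that is not part of the Yandex Cloud documentation or tooling: it walks a constructed folder, cloud, organization tree, collects every binding that gives a subject access to the target resource, and builds one updateAccessBindings body of REMOVE deltas per resource in the format shown above. The cloud ID is a placeholder, the tree and bindings are constructed, and the owner-removal guard is this example's own safety check.

```python
import json

# Constructed resource tree: each resource maps to its parent. Roles assigned on a
# parent apply to every nested resource, so a binding on the organization also
# grants access to the folder. The folder and organization IDs are the masked ones
# used on this page; the cloud ID is a placeholder.
PARENT = {
    "b1gvmob95yys********": "<cloud_ID>",           # folder -> cloud
    "<cloud_ID>": "bpf3crucp1v2********",           # cloud -> organization
    "bpf3crucp1v2********": None,                   # organization is the root
}

# Owner roles named on this page; removing one is refused unless explicitly allowed.
OWNER_ROLES = {"organization-manager.organizations.owner", "resource-manager.clouds.owner"}


def ancestors(resource_id):
    """The resource itself followed by each parent up to the organization."""
    chain = []
    while resource_id is not None:
        chain.append(resource_id)
        resource_id = PARENT[resource_id]
    return chain


def bindings_granting(subject, resource_id, bindings_by_resource):
    """Every (resource, binding) pair that gives `subject` access to `resource_id`,
    assigned directly or inherited from a parent. All of them must be revoked."""
    hits = []
    for rid in ancestors(resource_id):
        for b in bindings_by_resource.get(rid, {}).get("accessBindings", []):
            if b["subject"] == subject:
                hits.append((rid, b))
    return hits


def plan_revocation(subject, resource_id, bindings_by_resource, allow_owner_removal=False):
    """Group REMOVE deltas by the resource they must be sent to.
    Returns {resource_id: [accessBindingDelta, ...]} and raises ValueError rather
    than silently stripping an owner binding."""
    plan = {}
    for rid, b in bindings_granting(subject, resource_id, bindings_by_resource):
        if b["roleId"] in OWNER_ROLES and not allow_owner_removal:
            raise ValueError(f"refusing to remove {b['roleId']} on {rid}")
        plan.setdefault(rid, []).append({"action": "REMOVE", "accessBinding": b})
    return plan


def revocation_bodies(plan):
    """Serialise each resource's deltas into the body.json sent to updateAccessBindings."""
    return {rid: json.dumps({"accessBindingDeltas": deltas}, indent=2)
            for rid, deltas in plan.items()}


# Constructed listAccessBindings responses, one per resource, in the page's format.
SAMPLE_BINDINGS = {
    "bpf3crucp1v2********": {"accessBindings": [
        {"subject": {"id": "aje3r40rsemj********", "type": "userAccount"},
         "roleId": "organization-manager.organizations.owner"},
        {"subject": {"id": "aje6o61dvog2********", "type": "userAccount"},
         "roleId": "organization-manager.admin"},
    ]},
    "<cloud_ID>": {"accessBindings": []},
    "b1gvmob95yys********": {"accessBindings": [
        {"subject": {"id": "aje6o61dvog2********", "type": "userAccount"},
         "roleId": "editor"},
    ]},
}

if __name__ == "__main__":
    subject = {"id": "aje6o61dvog2********", "type": "userAccount"}
    plan = plan_revocation(subject, "b1gvmob95yys********", SAMPLE_BINDINGS)
    for rid, body in revocation_bodies(plan).items():
        print(f"POST .../{rid}:updateAccessBindings\n{body}\n")
```

Revoking only the folder-level editor binding would leave the subject with organization-manager.admin inherited from the organization, which is why the plan contains two requests.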
Assigning a role to a user group
Assign a role to a user group to grant access to a resource. To grant group access permissions to a subject, see Subjects that roles are assigned to.
In Yandex Cloud Organization, you can assign a group a role for an organization, cloud, folder, another group, or service account.
Assigning a role for a cloud or folder
In the management console:
- Log in as the organization administrator or owner.
- Go to Yandex Cloud Organization.
- In the left-hand panel, select Access bindings.
- At the top right, click Assign bindings.
- Go to the Groups tab and select the group you need or search by group name. You can also assign a role to one of the system groups:
  - All users in organization X: Includes all users in the X organization.
  - All users in federation N: Includes all users in the N federation.
- Click Add role and select the role in the cloud or folder. You can assign multiple roles.
- Click Save.
Using the YC CLI:
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
- Select a role from the Yandex Cloud role reference.
- Assign the role using the command:
yc <service_name> <resource> add-access-binding <resource_name_or_ID> \
  --role <role_ID> \
  --subject group:<group_ID>
Where:
  - <service_name>: Name of the service whose resource requires a role for access, e.g., resource-manager.
  - <resource>: Resource category, e.g., cloud.
  - <resource_name_or_ID>: Name or ID of the resource.
  - --role: Role ID, e.g., resource-manager.clouds.owner.
  - --subject group:<group_ID>: ID of the group to which the role is assigned.
To assign a role to one of the system groups, instead of using the --subject parameter, use the --organization-users <organization_ID> or --federation-users <federation_ID> parameter, providing in it the ID of the organization or identity federation, respectively, whose users you want to assign the role to. You can also assign a role to a system group using the --subject parameter. To do this, provide in it the subject ID matching the selected system group.
For example, here is how you can assign the resource-manager.viewer role for the mycloud cloud:
yc resource-manager cloud add-access-binding mycloud \
  --role resource-manager.viewer \
  --subject group:aje6o61dvog2********
Using Terraform:
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- Add the resource parameters to the configuration file and specify the required role and group:
resource "yandex_resourcemanager_cloud_iam_member" "admin" {
  cloud_id = "<cloud_ID>"
  role     = "<role_ID>"
  member   = "group:<group_ID>"
}
Where:
  - cloud_id: Cloud ID. You can also assign a role within an individual folder. To do this, specify folder_id instead of cloud_id and the required folder ID in the resource parameters.
  - role: Role being assigned. This is a required parameter.
  - member: Group the role is assigned to. It should be specified in group:<group_ID> format. This is a required parameter. To assign a role to one of the system groups, specify the following in the member parameter:
    - system:group:organization:<organization_ID>:users: To assign a role to the All users in organization X system group.
    - system:group:federation:<federation_ID>:users: To assign a role to the All users in federation N system group.
For more information about the yandex_resourcemanager_cloud_iam_member resource parameters, see the provider documentation.
- Create resources:
  - In the terminal, change to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
  - Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
  - Apply the configuration changes:
terraform apply
  - Confirm the changes: type yes in the terminal and press Enter.
All the resources you need will then be created in the specified folder. You can check the new resource using the management console or this CLI command:
yc resource-manager folder list-access-bindings <folder_name_or_ID>
Using the API:
Use the updateAccessBindings REST API method for the respective resource.
- Select a role from the Yandex Cloud role reference.
- Create the request body, for example, in the body.json file. Set the action property to ADD and specify the group type and group ID in the subject property. Example body.json file:
{
  "accessBindingDeltas": [{
    "action": "ADD",
    "accessBinding": {
      "roleId": "editor",
      "subject": {
        "id": "<group_ID>",
        "type": "group"
      }
    }
  }]
}
- Assign the role to the group. For example, for a folder with the b1gvmob95yys******** ID:
export FOLDER_ID=b1gvmob95yys********
export IAM_TOKEN=CggaAT********
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${IAM_TOKEN}" \
  -d '@body.json' \
  "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
To learn how to assign a role for the respective resource, see:
Assigning a role for an organization
In the management console:
- Log in as the organization administrator or owner.
- Go to Yandex Cloud Organization.
- In the left-hand panel, select Access bindings.
- At the top right, click Assign bindings.
- Go to the Groups tab and select the group you need or search by group name. You can also assign a role to one of the system groups:
  - All users in organization X: Includes all users in the X organization.
  - All users in federation N: Includes all users in the N federation.
- Click Add role and select the role in the organization. You can assign multiple roles.
- Click Save.
Using the YC CLI:
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
- Assign the role using the command:
yc organization-manager organization add-access-binding \
  --subject=group:<group_ID> \
  --role=<role_ID> \
  <organization_ID>
To assign a role to one of the system groups, instead of using the --subject parameter, use the --organization-users <organization_ID> or --federation-users <federation_ID> parameter, providing in it the ID of the organization or identity federation, respectively, whose users you want to assign the role to. You can also assign a role to a system group using the --subject parameter. To do this, provide in it the subject ID matching the selected system group.
- Make sure the requested rights are granted:
yc organization-manager organization list-access-bindings <organization_ID>
A response contains a list of all roles assigned to users and groups in the organization:
+------------------------------------------+--------------+----------------------+
|                 ROLE ID                  | SUBJECT TYPE |      SUBJECT ID      |
+------------------------------------------+--------------+----------------------+
| organization-manager.admin               | userAccount  | ajev1p2345lj******** |
| organization-manager.organizations.owner | userAccount  | ajev1p2345lj******** |
| editor                                   | group        | ajev1p2345lj******** |
| viewer                                   | group        | ajev1p2345lj******** |
+------------------------------------------+--------------+----------------------+
Using Terraform:
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- Add the resource parameters to the configuration file and specify the required role and group:
resource "yandex_organizationmanager_organization_iam_member" "users-editors" {
  organization_id = "<organization_ID>"
  role            = "<role_ID>"
  member          = "group:<group_ID>"
}
Where:
  - organization_id: Organization ID. This is a required parameter.
  - role: Role being assigned. This is a required parameter.
  - member: Group the role is assigned to. It should be specified in group:<group_ID> format. This is a required parameter. To assign a role to one of the system groups, specify the following in the member parameter:
    - system:group:organization:<organization_ID>:users: To assign a role to the All users in organization X system group.
    - system:group:federation:<federation_ID>:users: To assign a role to the All users in federation N system group.
For more information about the yandex_organizationmanager_organization_iam_member resource parameters, see the provider documentation.
- Create resources:
  - In the terminal, change to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
  - Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
  - Apply the configuration changes:
terraform apply
  - Confirm the changes: type yes in the terminal and press Enter.
All the resources you need will then be created in the specified organization. You can check the new access binding using the management console or this CLI command:
yc organization-manager organization list-access-bindings <organization_ID>