Interaction between users and Yandex Cloud resources
All Yandex Cloud services work on the same resource and role model. Its top-level entity is the organization, which brings the different types of resources and the users together in a single workspace. You add and manage users at the organization level; see Organization membership for more details.
Yandex Cloud resources
When using Yandex Cloud services, you create resources: VMs, managed database and Kubernetes clusters, registries, secrets, and more. Most services store the resources they create in folders. Folders belong to clouds, and clouds belong to organizations.
In addition, organizations may have the following enabled: Yandex DataSphere
In the Cloud Center interface
Learn more about the resource hierarchy in Yandex Cloud.
Users
Each Yandex Cloud user has an account of their own used for identification when performing operations with resources. This can be either a Yandex ID
Each user belongs to at least one organization. When logging in to Yandex Cloud with your Yandex ID for the first time, you will be prompted to register your own organization. After creating an organization, you can enable and disable Yandex Cloud services, create clouds, folders, and other resources.
You can invite other members with Yandex accounts to your organization to grant them access to its services and resources. If your company already uses a different identity management system, e.g., Active Directory
For bulk access management, users can be combined into groups.
To learn more about user and user group management, see this Yandex Identity Hub guide.
Access management
Access to Yandex Cloud resources is managed through roles and access policies. For an account (the subject) to perform an action on a resource (the object), the account itself, or a group it belongs to, must hold a role on that resource that permits the action, and no access policy may prohibit it. Each role is essentially a set of permissions, i.e. operations allowed on an object; roles held through group membership count the same as roles assigned directly, so reviewing a user's effective access means reviewing their groups too. Permissions on Yandex Cloud resources are managed by Yandex Identity and Access Management.
To authenticate callers, Yandex Cloud services request credentials. What is requested depends on the account type, the service, and the request interface (console, CLI, or API). When using the API, the folder ID is also required to uniquely identify the resource and to check the caller's permissions on it. For actions performed on behalf of a service account, the ID of the folder the service account belongs to is used by default, so a request from a service account is scoped to its home folder unless another folder ID is passed explicitly.
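The following is an added example, not code from Yandex Cloud or its documentation, that models the access check described in the two paragraphs above: a subject (user or service account) may perform an operation on a resource if it, or a group it belongs to, holds a role granting that permission on the resource, and no access policy forbids it. It makes two assumptions that the page does not spell out: role bindings are taken to apply to the resource and everything below it in the folder, cloud, organization hierarchy, and access policies are modelled as denials over a subtree. All identifiers (`folder-prod`, `sa-deploy`, `group-ops`, the role contents) are constructed placeholders, not real Yandex Cloud IDs or full role definitions.

```python
from typing import Iterator

# Constructed sample hierarchy: child resource -> parent resource (None = root).
PARENT = {
    "folder-prod": "cloud-main",
    "cloud-main": "org-acme",
    "org-acme": None,
}

# Roles as sets of permitted operations (simplified; real role contents differ).
ROLES = {
    "viewer": {"compute.instances.get", "compute.instances.list"},
    "editor": {"compute.instances.get", "compute.instances.list",
               "compute.instances.create", "compute.instances.delete"},
}

# Group membership: group -> accounts (users or service accounts).
GROUPS = {"group-ops": {"user-alice", "sa-deploy"}}

# Access bindings: (resource, role) -> subjects holding that role there.
# Assumption: a binding applies to the resource and everything below it.
BINDINGS = {
    ("cloud-main", "viewer"): {"group-ops"},
    ("folder-prod", "editor"): {"sa-deploy"},
}

# Access policies modelled as denials: (resource, subject, permission),
# forbidding the operation on that resource and everything below it.
POLICIES = [("folder-prod", "sa-deploy", "compute.instances.delete")]


def ancestors(resource: str) -> Iterator[str]:
    """Yield the resource itself, then its parents up to the organization."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]


def subjects_of(account: str) -> set[str]:
    """The account plus every group it is a member of."""
    return {account} | {g for g, members in GROUPS.items() if account in members}


def granting_bindings(account: str, permission: str, resource: str) -> list:
    """All (resource, role, subject) bindings that would allow the operation.

    Walks from the resource up to the organization, so a role bound at the
    cloud level is found for a folder inside that cloud, but not the reverse.
    """
    subjects = subjects_of(account)
    found = []
    for node in ancestors(resource):
        for (res, role), holders in BINDINGS.items():
            if res != node or permission not in ROLES[role]:
                continue
            for subject in sorted(holders & subjects):
                found.append((res, role, subject))
    return found


def denying_policies(account: str, permission: str, resource: str) -> list:
    """Policies on the resource or an ancestor that forbid the operation."""
    subjects = subjects_of(account)
    nodes = set(ancestors(resource))
    return [p for p in POLICIES
            if p[0] in nodes and p[1] in subjects and p[2] == permission]


def is_allowed(account: str, permission: str, resource: str) -> bool:
    """Deny wins over any grant; otherwise at least one granting binding is needed."""
    if denying_policies(account, permission, resource):
        return False
    return bool(granting_bindings(account, permission, resource))


if __name__ == "__main__":
    checks = [
        ("user-alice", "compute.instances.get", "folder-prod"),     # via group + cloud binding
        ("user-alice", "compute.instances.create", "folder-prod"),  # viewer cannot create
        ("sa-deploy", "compute.instances.create", "folder-prod"),   # editor on the folder
        ("sa-deploy", "compute.instances.delete", "folder-prod"),   # denied by policy
        ("sa-deploy", "compute.instances.create", "cloud-main"),    # folder role does not flow up
    ]
    for account, permission, resource in checks:
        print(account, permission, resource, "->", is_allowed(account, permission, resource))
```

Two things the model makes visible: `granting_bindings` tells you *which* binding (and through which group) an access decision came from, which is what an access review needs, and the last check shows that a role bound on a folder does not make the service account an editor on the parent cloud, matching the point that the folder ID passed with an API request is what the permission check is evaluated against.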