© 2025 Direct Cursus Technology L.L.C.

Viewing a list of a subject's accesses

Written by
Yandex Cloud
Updated at November 12, 2025

Note

This feature is in the Preview stage. To get access, contact tech support or your account manager.

Cloud Infrastructure Entitlement Management (CIEM) provides a centralized view of the full list of access permissions for the organization's resources available to individual subjects and groups.

Only organization members with the organization-manager.viewer role or higher for the organization can view access permissions in the Security Deck interface.

To get a list of a subject's accesses to the organization's resources:

Security Deck UI

  1. Log in as an organization user with the organization-manager.viewer role or higher for the organization.

  2. Go to Yandex Security Deck.

  3. In the left-hand panel, select CIEM.

  4. Click Select subject and in the window that opens:

    1. Select the user, service account, user group, system group, or public group you need.

      Use search, if required.

    2. Click Select.

This will open a list of accesses assigned to the selected subject. For each access, the list indicates the resource name/ID and type, the role assigned to the subject for that resource, and whether the role was assigned to the subject directly or inherited from a group to which the subject belongs.

If the selected subject has multiple accesses, only some of them will be displayed. To display the remaining access permissions, click Load more at the bottom of the page.

Use filtering by resource ID, role ID, or access assignment method (Directly appointed or Assigned via group) as needed.

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command to get a list of a subject's accesses:

    yc iam access-analyzer list-subject-access-bindings --help
    
  2. Get the ID of a user, service account, or user group to view their list of accesses.

  3. Use the yc iam access-analyzer list-subject-access-bindings command to get a list of a subject's accesses:

    yc iam access-analyzer list-subject-access-bindings \
       --organization-id=<organization_ID> \
       --subject-id=<subject_ID>
    

    Where:

    • --organization-id: Organization ID.
    • --subject-id: ID of a subject, i.e., a user, service account, user group, system group, or public group.

    Result:

    +---------+-------------------------+----------------------+----------+
    | ROLE ID |      RESOURCE TYPE      |     RESOURCE ID      | GROUP ID |
    +---------+-------------------------+----------------------+----------+
    | admin   | resource-manager.cloud  | b1g2c5615qja******** |          |
    | admin   | resource-manager.folder | b1gq979gqitb******** |          |
    +---------+-------------------------+----------------------+----------+
    

    You will get the list of accesses as a table. For each access, the list indicates a role assigned to the subject for a resource as well as the resource type and ID. If the subject has not been assigned any role directly, but has inherited it from a group, the list will indicate the group ID.
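For an entitlement review, the table above can be split into direct and group-inherited bindings. The script below is an added example, not part of the Yandex Cloud documentation or tooling. It assumes the table layout shown in the Result block; the function names, the third sample row, its group ID placeholder, and the default watch list (admin) are all constructed for illustration.

```shell
#!/bin/sh
# Added example: classify rows of the table printed by
# `yc iam access-analyzer list-subject-access-bindings` (layout as shown above).

# Constructed sample: the first two rows come from the page's Result block;
# the third row and its group ID placeholder are made up to show an inherited role.
sample_table() {
cat <<'EOF'
+---------+-------------------------+----------------------+--------------------+
| ROLE ID |      RESOURCE TYPE      |     RESOURCE ID      |      GROUP ID      |
+---------+-------------------------+----------------------+--------------------+
| admin   | resource-manager.cloud  | b1g2c5615qja******** |                    |
| admin   | resource-manager.folder | b1gq979gqitb******** |                    |
| viewer  | resource-manager.folder | b1gq979gqitb******** | <example_group_ID> |
+---------+-------------------------+----------------------+--------------------+
EOF
}

# Reads the table on stdin and prints one line per binding:
#   <direct|via-group> <role> <resource_type> <resource_id> [group_id]
classify_bindings() {
  awk -F'|' '
    /^[ \t]*[+]/ { next }                  # border lines
    NF < 5       { next }                  # not a table row
    {
      for (i = 2; i <= 5; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
      if ($2 == "ROLE ID") next            # header row
      if ($5 == "") print "direct", $2, $3, $4
      else          print "via-group", $2, $3, $4, $5
    }'
}

# Prints directly assigned bindings whose role is in a comma-separated watch list.
# The default list is this example's choice, not a Yandex Cloud definition.
direct_privileged() {
  classify_bindings | awk -v roles="${1:-admin}" '
    BEGIN { n = split(roles, r, ","); for (i = 1; i <= n; i++) watch[r[i]] = 1 }
    $1 == "direct" && ($2 in watch)'
}

# Stand-alone run on the constructed sample. With the real CLI, pipe the
# command from step 3 into direct_privileged instead of sample_table.
sample_table | direct_privileged
```

Directly assigned roles are revoked on the subject itself, while group-inherited ones are managed through the group, so the two classes usually go to different review queues.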

See also

  • Revoking subject's access
  • Cloud Infrastructure Entitlement Management (CIEM)
  • Common Yandex Security Deck roles
