Access control for user groups with different roles in Yandex Identity Hub
This guide walks through an example of using user groups to control access to resources in a Yandex Identity Hub organization.
Solution overview
In this tutorial, you will create a test organization with two clouds, production and testing, together with the respective development environments. Three user groups created in the organization will use these clouds: a group of information security engineers (security), a group of DevOps engineers (devops), and a group of developers (developers).
To each user group, you will assign its own set of roles based on the tasks users in these groups perform. For example, information security engineers will have permissions to get information about all resources, set up collection and storage of any resource audit logs, and configure and scan Docker images in registries created in Yandex Container Registry. These permissions will apply to the entire organization.
Additionally, in the production environment, you will create a separate security folder for the group of information security engineers. They will have administrator privileges in this folder to manage any of its resources and control access to them.
The group of DevOps engineers will have permissions to manage registries from Container Registry, Yandex Managed Service for Kubernetes clusters, managed database clusters, VMs, and Yandex Monitoring resources. They will also be able to manage Yandex Cloud Logging log groups and access to them.
The group of developers will get the following access permissions:
- In the production environment, to download Docker images from registries in Container Registry, view information about Kubernetes clusters, connect to Compute Cloud VMs via OS Login, and view information about Monitoring resources and metrics.
- In the testing environment, to download and upload Docker images to registries in Container Registry, manage Kubernetes clusters, connect to Compute Cloud VMs via OS Login as superusers, and manage Monitoring resources.
To configure access control for an organization's resources with the help of user groups:
- Prepare Yandex Cloud.
- Create an organization.
- Create clouds.
- Create a folder for the group of information security engineers.
- Create user groups.
- Configure access permissions.
- Add users and split them into groups.
- Create a production infrastructure.
If you no longer need the test organization you created, delete it.
Prepare Yandex Cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create a new account.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and its status is ACTIVE or TRIAL_ACTIVE. If you do not have a billing account yet, create one.
Create an organization
An organization is a workspace that combines different types of Yandex Cloud resources and users. Any Yandex user can create an organization in Yandex Identity Hub.
To create an organization, follow these steps:
- Go to Yandex Identity Hub. Your next steps depend on whether you are already a member of an existing Yandex Identity Hub organization.
- Create an organization:
  - If you are not a member of any organization, the link opens a form for creating a new organization:
    - Enter your organization name, e.g., Example organization.
    - Click Create a new organization.
  - If you are already a member of an organization, the link opens the Yandex Identity Hub interface in Cloud Center. To complete this guide, create a new organization so as not to interfere with the infrastructure of your existing organizations:
    - In the top-left corner, click the icon next to the current organization name and select Create organization.
    - In the window that opens, enter a name for the organization: Example organization.
    - Click Create a new organization.
Once the organization is created, you become its owner and can manage its settings.
Create clouds
In your new organization, create two clouds, testing and production, to host the infrastructure of the independent testing and production environments.
- Create two clouds in your Example organization:
  - Go to the management console and click your account picture in the left-hand panel.
  - Select Example organization. This opens a window with the form for creating your first cloud:
    - Make sure Example organization is selected in the Organization field.
    - In the Cloud name field, specify testing.
    - Click Create.
    As a result, Example organization will have its first cloud, named testing, and the browser will open the default folder created in this new cloud.
  - On the left side of the screen, in the line with Example organization, click the icon and select Create cloud. In the window that opens, do the following:
    - In the Name field, specify production.
    - Click Create.
    This creates the second cloud, named production, in your Example organization.
- Make sure the clouds are linked to a billing account:
  - Go to Yandex Cloud Billing.
  - Select your billing account.
  - Make sure you can see both clouds, production and testing, under Linked clouds and services on the account information page.
  - If either cloud is missing, link it:
    - Under Linked clouds and services, click Link cloud.
    - In the window that opens, select the cloud to link and click Bind.
Create a folder for the group of information security engineers
Create a separate folder named security for the group of information security engineers in the production cloud.
- In the management console, select the production cloud from the list of organizations, clouds, and folders on the left of the screen.
- In the line with the production cloud name, click the icon and select Create folder. In the window that opens, do the following:
  - In the Name field, enter the folder name: security.
  - Optionally, in the Description field, enter a description for the new folder.
  - In the Advanced field, disable Create a default network. You can create a cloud network with the parameters you need later, at any point while building the infrastructure.
  - Click Create.
Create user groups
Create three user groups: security for information security engineers, devops for DevOps engineers, and developers for developers.
- Log in to Yandex Identity Hub.
- In the left-hand panel, select Groups.
- In the top-right corner, click Create group and, in the window that opens:
  - Enter a name for the group: security.
  - Optionally, enter a group description.
  - Click Create group.
- Similarly, create the other two user groups, devops and developers.
Configure access permissions
In this tutorial, you will assign multiple roles to the user groups based on the activity profiles of the employees in these groups.
Note
All users in a user group automatically inherit the roles assigned to the group. In addition, you can assign roles to each user individually, even if they belong to a user group.
Assign roles to the group of information security engineers
Users from the group of information security engineers (security) will need permissions to do the following:
- Get information about all resources in all organization clouds (auditor role for the organization).
- Configure collection and storage of audit logs for all resources in all the organization's clouds (audit-trails.admin role for the organization).
- Configure and scan Docker images in the Yandex Container Registry registries of all the organization's clouds (container-registry.images.scanner role for the organization).
- Manage all resources and access to them in the dedicated security folder of the production cloud (admin role for the folder).
To grant the required access permissions to the security user group:
- Assign roles for the organization:
  - Log in to Yandex Identity Hub using an administrator or organization owner account.
  - In the left-hand panel, select Access bindings.
  - At the top right, click Assign bindings.
  - Go to the Groups tab and select the security group.
  - Click Add role, then enter and select the auditor role in the search bar.
  - Repeat the previous step to add the audit-trails.admin and container-registry.images.scanner roles.
  - Click Save.
- Assign the admin role for the security folder:
  - In the management console, select the security folder in the production cloud.
  - At the top of the screen, go to the Access bindings tab and click Configure access. In the window that opens, do the following:
    - Go to the Groups tab and select the security group.
    - Click Add role, then enter and select the admin role in the search bar.
    - Click Save.
Assign roles to the group of DevOps engineers
Users from the group of DevOps engineers (devops) will need to be able to do the following in both clouds:
- Manage registries in Container Registry (container-registry.editor role for both clouds).
- Manage Yandex Managed Service for Kubernetes clusters (k8s.editor role for both clouds).
- Manage database clusters (mdb.admin role for both clouds).
- Manage Yandex Compute Cloud VMs (compute.editor role for both clouds).
- Manage Yandex Monitoring resources (monitoring.admin role for both clouds).
- Manage Yandex Cloud Logging log groups and access to them (logging.admin role for both clouds).
Assign roles for the clouds to the devops user group:
- In the management console, select the production cloud.
- At the top of the screen, go to the Access bindings tab and click Configure access. In the window that opens, do the following:
  - Go to the Groups tab and select the devops group.
  - Click Add role, then find and select the container-registry.editor, k8s.editor, mdb.admin, compute.editor, monitoring.admin, and logging.admin roles.
  - Click Save.
- In the same way, assign the same roles for the testing cloud to the devops user group.
Assign roles to the group of developers
Users from the group of developers (developers) will need permissions to do the following:
- Download Docker images from registries in Container Registry in the production environment (container-registry.images.puller role for the production cloud).
- Download and upload Docker images to registries in Container Registry in the testing environment (container-registry.images.pusher role for the testing cloud).
- View information about Kubernetes clusters in the production environment (k8s.viewer role for the production cloud).
- Manage Kubernetes clusters in the testing environment (k8s.editor and k8s.cluster-api.editor roles for the testing cloud).
- Connect to Compute Cloud VMs via OS Login in the production environment (compute.osLogin role for the production cloud).
- Connect to Compute Cloud VMs via OS Login as superusers in the testing environment (compute.osAdminLogin role for the testing cloud).
- View information about Monitoring resources and metrics in the production environment (monitoring.viewer role for the production cloud).
- Manage Monitoring resources in the testing environment (monitoring.editor role for the testing cloud).
Assign roles for the clouds to the developers user group:
- In the management console, select the production cloud.
- At the top of the screen, go to the Access bindings tab and click Configure access. In the window that opens, do the following:
  - Go to the Groups tab and select the developers group.
  - Click Add role, then find and select the container-registry.images.puller, k8s.viewer, compute.osLogin, and monitoring.viewer roles.
  - Click Save.
- In the same way, assign the developers user group the container-registry.images.pusher, k8s.editor, k8s.cluster-api.editor, compute.osAdminLogin, and monitoring.editor roles for the testing cloud.
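The three role-assignment sections above describe the same thing in three places: a matrix of group, scope and role. The following Python script is an added example, not part of this tutorial or of Yandex Cloud's tooling. It keeps that matrix as data, checks it against the access model the tutorial describes (the primitive admin role only for security on its folder, nothing write-capable for developers in production, organization-wide grants only for security) and emits the equivalent yc CLI commands as a reviewable dry run. The resource and group IDs are labelled placeholders, and the yc command shape (the add-access-binding subcommands with --id, --role and --subject, and the group:<id> subject form) is an assumption about the CLI, not something this page states.

```python
"""Role matrix for the security, devops and developers groups, kept as data.

Holding the matrix in one place lets you audit it for least-privilege
invariants before touching the console, and emit the equivalent yc CLI
commands as a reviewable dry run. Added example; not Yandex Cloud code.
"""

# Scopes used in the tutorial: the organization, two clouds and one folder.
ORG = "organization"
PROD = "cloud:production"
TEST = "cloud:testing"
SEC_FOLDER = "folder:production/security"

DEVOPS_ROLES = {
    "container-registry.editor", "k8s.editor", "mdb.admin",
    "compute.editor", "monitoring.admin", "logging.admin",
}

# Group -> scope -> roles, transcribed from the three "Assign roles" sections.
ROLE_MATRIX = {
    "security": {
        ORG: {"auditor", "audit-trails.admin",
              "container-registry.images.scanner"},
        SEC_FOLDER: {"admin"},
    },
    "devops": {PROD: set(DEVOPS_ROLES), TEST: set(DEVOPS_ROLES)},
    "developers": {
        PROD: {"container-registry.images.puller", "k8s.viewer",
               "compute.osLogin", "monitoring.viewer"},
        TEST: {"container-registry.images.pusher", "k8s.editor",
               "k8s.cluster-api.editor", "compute.osAdminLogin",
               "monitoring.editor"},
    },
}

# Roles in this tutorial that only read or observe. Everything else is
# treated as write-capable by the production check in audit_matrix().
READ_ONLY_ROLES = {
    "auditor", "k8s.viewer", "monitoring.viewer",
    "container-registry.images.puller", "compute.osLogin",
}


def audit_matrix(matrix):
    """Return the list of violations of the tutorial's access model.

    1. The primitive admin role is held only by security, only on the folder.
    2. Developers hold nothing write-capable on the production cloud.
    3. Only security has organization-wide bindings: an organization-level
       grant reaches every cloud and folder, so its blast radius is largest.
    """
    violations = []
    for group, scopes in matrix.items():
        for scope, roles in scopes.items():
            if "admin" in roles and (group, scope) != ("security", SEC_FOLDER):
                violations.append(f"{group} holds admin on {scope}")
            if scope == ORG and group != "security":
                violations.append(
                    f"{group} has organization-wide roles: {sorted(roles)}")
        prod_writers = scopes.get(PROD, set()) - READ_ONLY_ROLES
        if group == "developers" and prod_writers:
            violations.append(
                f"developers can write in production: {sorted(prod_writers)}")
    return violations


# Placeholder IDs (NOT real): look the real ones up in the console or with
# `yc resource-manager cloud list`, `yc resource-manager folder list` and
# `yc organization-manager group list`.
SCOPE_IDS = {ORG: "<ORG_ID>", PROD: "<PROD_CLOUD_ID>",
             TEST: "<TEST_CLOUD_ID>", SEC_FOLDER: "<SECURITY_FOLDER_ID>"}
GROUP_IDS = {"security": "<SECURITY_GROUP_ID>", "devops": "<DEVOPS_GROUP_ID>",
             "developers": "<DEVELOPERS_GROUP_ID>"}


def yc_command(scope, role, group):
    """Build the yc command granting `role` to `group` at `scope`.

    Assumes yc's add-access-binding subcommands with --id, --role and
    --subject, and the `group:<id>` subject form (assumption, see lead-in).
    """
    if scope == ORG:
        target = "organization-manager organization"
    elif scope.startswith("cloud:"):
        target = "resource-manager cloud"
    else:
        target = "resource-manager folder"
    return (f"yc {target} add-access-binding --id {SCOPE_IDS[scope]} "
            f"--role {role} --subject group:{GROUP_IDS[group]}")


def plan(matrix):
    """Sorted dry-run list of yc commands realising the whole matrix."""
    return sorted(yc_command(scope, role, group)
                  for group, scopes in matrix.items()
                  for scope, roles in scopes.items()
                  for role in roles)


if __name__ == "__main__":
    problems = audit_matrix(ROLE_MATRIX)
    print("violations:", problems or "none")
    if not problems:
        print("\n".join(plan(ROLE_MATRIX)))
```

Run it once with the placeholder IDs replaced and review the printed commands before executing any of them; the audit refuses to print a plan while the matrix violates an invariant, which is the point of keeping the matrix in version control rather than clicking through the console.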
Add users and split them into groups
To enable your employees to use Yandex Cloud resources, add them to the Yandex Identity Hub organization you created. Then distribute the employees among the previously created user groups.
- Invite users to the organization:
  - Go to Yandex Identity Hub.
  - In the left-hand panel, select Users.
  - In the top-right corner, click Invite users with a Yandex account.
  - Enter the email addresses of the users you want to invite to the organization, separated by commas.
    You can send invitations to any email address. Invited users will be able to select the appropriate Yandex account once they accept the invitation.
  - Click Send invitation.
  Once the users accept the invitation by clicking the link in the email, they become organization members and are listed in the Users section of your organization.
  Note
  To access the services enabled for the organization, the invited users simply need to log in to their Yandex account.
- Distribute the users you added among the previously created groups:
  - Log in to Yandex Identity Hub.
  - In the left-hand panel, select Groups and click the row with the name of the group you need.
  - Navigate to the Members tab.
  - Click Add member. In the window that opens, do the following:
    - Select the users. Use search, if required.
    - Click Save.
  Distribute all users among the previously created groups based on their tasks.
  Note
  A user may belong to multiple groups at the same time.
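Two rules stated on this page decide what a user can actually do: group members inherit every role assigned to the group (and may also hold roles assigned individually), and a user may be in several groups at once; the page also relies on a role granted at the organization applying to all clouds and folders inside it. The following Python script is an added example, not part of this tutorial or of Yandex Cloud's tooling, that resolves a user's effective roles at a given scope from constructed sample bindings and memberships, and records which grant path produced each role so a reviewer can see why, for instance, someone placed in both developers and devops holds k8s.editor in production.

```python
"""Effective-role resolution for a user.

A role applies to a user at a scope if it is bound, at that scope or at
any ancestor scope, to the user directly or to any group the user is in.
Added example with constructed data; not Yandex Cloud code.
"""
from collections import defaultdict

# Resource hierarchy from the tutorial: organization > clouds > folders.
PARENT = {
    "cloud:production": "organization",
    "cloud:testing": "organization",
    "folder:production/security": "cloud:production",
}

# Constructed sample bindings (subject, scope, role): a subset of the
# tutorial's matrix plus one role assigned to a user individually.
BINDINGS = [
    ("group:security", "organization", "auditor"),
    ("group:security", "folder:production/security", "admin"),
    ("group:devops", "cloud:production", "k8s.editor"),
    ("group:devops", "cloud:testing", "k8s.editor"),
    ("group:developers", "cloud:production", "k8s.viewer"),
    ("group:developers", "cloud:testing", "k8s.editor"),
    ("user:dana", "cloud:testing", "mdb.admin"),  # individual assignment
]

# Constructed membership; dana is in two groups at the same time.
MEMBERSHIP = {
    "alice": {"security"},
    "bob": {"devops"},
    "dana": {"developers", "devops"},
}


def ancestors(scope):
    """Yield `scope`, then its parent, and so on up to the organization."""
    while scope is not None:
        yield scope
        scope = PARENT.get(scope)


def subjects_for(user):
    """Subjects whose bindings apply to `user`: the user and each group."""
    return {f"user:{user}"} | {f"group:{g}" for g in MEMBERSHIP.get(user, ())}


def effective_roles(user, scope):
    """Map role -> set of 'subject@scope' grant paths explaining the role."""
    subjects = subjects_for(user)
    chain = set(ancestors(scope))
    granted = defaultdict(set)
    for subject, bound_scope, role in BINDINGS:
        if subject in subjects and bound_scope in chain:
            granted[role].add(f"{subject}@{bound_scope}")
    return dict(granted)


def who_can(role, scope):
    """Reverse lookup for audits: every user holding `role` at `scope`."""
    return {u for u in MEMBERSHIP if role in effective_roles(u, scope)}


def multi_group_users():
    """Users in more than one group; their grants are the union of all."""
    return {u for u, groups in MEMBERSHIP.items() if len(groups) > 1}


if __name__ == "__main__":
    for user in sorted(MEMBERSHIP):
        for scope in ("cloud:production", "folder:production/security"):
            print(user, scope, effective_roles(user, scope))
    print("k8s.editor in production:", sorted(who_can("k8s.editor", "cloud:production")))
```

In this sample, dana gets k8s.viewer from developers and k8s.editor from devops on the production cloud, so membership in the second group silently upgrades the read-only production access the developers role model intended; alice holds admin on the security folder from the folder binding and auditor there from the organization-level binding. The reverse lookup is what a periodic access review needs: who, by any path, can edit Kubernetes clusters in production.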
Create a production infrastructure
You have configured basic access permissions in your test organization. Now you can create different resources in your organization clouds: VMs, Yandex Managed Service for Kubernetes clusters, Yandex Container Registry registries, KMS encryption keys, Lockbox secrets, etc.
Warning
Note that VMs, clusters, registries, keys, secrets, and many other resources created in folders are charged for. You can learn more about the cost of cloud resources in the respective service pricing reference.
Access permissions to the created resources will be granted to users based on the access permissions settings of the relevant user group.
We recommend managing your infrastructure under service accounts which you can use to authenticate applications. Service accounts are created in folders. You can also add service accounts to user groups.
If you need to, you can assign additional roles to individual users or service accounts for an entire organization or individual clouds, folders, or resources at any time.
How to delete the resources you created
If you no longer need the created test organization, delete it.
You do not have to pay for organizations, clouds, folders, and users. However, you may be charged for other resources created within folders.
In addition to that, the infrastructure you create in this tutorial consumes quotas in Yandex Cloud Billing and some other services. Therefore, we recommend deleting an organization you do not use.
You can also separately delete clouds, folders, user groups, or service accounts from an organization.
See also
- Yandex Audit Trails
- Yandex Cloud Billing
- Yandex Cloud Logging
- Yandex Identity Hub
- Yandex Compute Cloud
- Yandex Container Registry
- Yandex Identity and Access Management
- Yandex Key Management Service
- Yandex Lockbox
- Yandex Managed Service for Kubernetes
- Yandex Managed Service for PostgreSQL
- Yandex Monitoring