© 2026 Direct Cursus Technology L.L.C.
Assigning access permissions

Written by
Yandex Cloud
Updated at April 8, 2026
  • Assigning a cluster-level role
    • Assigning a role to a user
    • Assigning a role to a group
  • Assigning a project-level role
    • Assigning a project-level role to a user
    • Assigning a project-level role to a service account
  • Available roles
  • Revoking a role
  • What's next

You can assign roles to users, groups, and service accounts. Access permissions can be assigned at two levels:

  • At the cluster level, using the ClusterAccessBinding resource. Such a role applies to the entire organization.
  • At the project level, using the AccessBinding resource. Such a role applies to a specific namespace.

Note

To assign cluster-level permissions, you need organization admin privileges.

Assigning a cluster-level role

Use the ClusterAccessBinding resource to assign roles at the organization level.

Assigning a role to a user

Management console

  1. In the management console, navigate to Access management.
  2. On the Access permissions page, click Assign role.
  3. In the Subject field, select User.
  4. Select a user from the list.
  5. In the Role field, select a role.
  6. Click Save.

CLI

  1. Create a file named user-role-binding.yaml:

    apiVersion: iam.stackland.yandex.cloud/v1alpha1
    kind: ClusterAccessBinding
    metadata:
      name: user-admin-role
    spec:
      roleID: admin
      subject:
        kind: User
        name: username
    

    Where:

    • metadata.name: Unique role binding name.
    • roleID: Role ID, such as admin, editor, or viewer.
    • kind: Subject type. To set a user, specify User.
    • name: Name of the user (username for local users and name_id for SAML federation users).
  2. Apply the configuration:

    kubectl apply -f user-role-binding.yaml
    
  3. Check the binding you created:

    kubectl get clusteraccessbinding user-admin-role
    

Assigning a role to a group

Management console

  1. In the management console, navigate to Access management.
  2. On the Access permissions page, click Assign role.
  3. In the Subject field, select Group.
  4. Select a group from the list.
  5. In the Role field, select a role.
  6. Click Save.

CLI

  1. Create a file named group-role-binding.yaml:

    apiVersion: iam.stackland.yandex.cloud/v1alpha1
    kind: ClusterAccessBinding
    metadata:
      name: stackland-cluster-admins
    spec:
      roleID: admin
      subject:
        kind: Group
        name: stackland-cluster-admins
    

    Where:

    • metadata.name: Unique role binding name.
    • roleID: Role ID.
    • kind: Subject type. To set a group, specify Group.
    • name: Group name.
  2. Apply the configuration:

    kubectl apply -f group-role-binding.yaml
    
  3. Check the binding you created:

    kubectl get clusteraccessbinding stackland-cluster-admins
    

Assigning a project-level role

Use the AccessBinding resource to assign roles within a specific namespace.

Assigning a project-level role to a user

CLI
  1. Create a file named user-project-role-binding.yaml:

    apiVersion: iam.stackland.yandex.cloud/v1alpha1
    kind: AccessBinding
    metadata:
      name: bob-is-storage-admin
      namespace: warehouse
    spec:
      roleID: storage.admin
      subject:
        kind: User
        name: bob@stackland
    

    Where:

    • metadata.name: Unique role binding name.
    • metadata.namespace: Namespace to assign the role in.
    • roleID: Role ID.
    • kind: Subject type. To set a user, specify User.
    • name: Username.
  2. Apply the configuration:

    kubectl apply -f user-project-role-binding.yaml
    
  3. Check the binding you created:

    kubectl get accessbinding bob-is-storage-admin -n warehouse
    

Assigning a project-level role to a service account

CLI
  1. Create a file named sa-role-binding.yaml:

    apiVersion: iam.stackland.yandex.cloud/v1alpha1
    kind: AccessBinding
    metadata:
      namespace: warehouse
      name: app-sa-is-storage-viewer
    spec:
      roleID: storage.viewer
      subject:
        kind: ServiceAccount
        name: app-sa
        namespace: warehouse
    

    Where:

    • metadata.name: Unique role binding name.
    • metadata.namespace: Namespace to assign the role in.
    • roleID: Role ID.
    • kind: Subject type. To set a service account, specify ServiceAccount.
    • name: Service account name.
    • namespace: Namespace of the service account.
  2. Apply the configuration:

    kubectl apply -f sa-role-binding.yaml
    
  3. Check the binding you created:

    kubectl get accessbinding app-sa-is-storage-viewer -n warehouse
    

Available roles

The basic roles in the system include:

  • admin: Full access to all resources in the organization.
  • editor: Permissions to create and modify resources.
  • viewer: View-only permissions for resources.

To view all available roles, refer to Access management.

Revoking a role

Management console

  1. In the management console, navigate to Access management.
  2. On the Access permissions page, find the role binding in question.
  3. Click and select Delete.
  4. Confirm the deletion.

CLI

To revoke a cluster-level role, delete the ClusterAccessBinding resource:

    kubectl delete clusteraccessbinding <binding_name>

To revoke a project-level role, delete the AccessBinding resource:

    kubectl delete accessbinding <binding_name> -n <namespace>
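
To find bindings worth revoking, the following added example (not part of the Stackland documentation or tooling) reviews the JSON that `kubectl get clusteraccessbinding -o json` and `kubectl get accessbinding -A -o json` print, reading only the fields shown in the manifests above. The three review rules are this example's own policy assumptions, and the sample input is constructed, with the service account moved to a hypothetical billing namespace to show a cross-namespace grant.

```python
import json

# Constructed sample: the shape `kubectl get ... -o json` prints (a List with
# "items"), using only the fields shown in the manifests on this page.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterAccessBinding", "metadata": {"name": "user-admin-role"},
     "spec": {"roleID": "admin", "subject": {"kind": "User", "name": "username"}}},
    {"kind": "ClusterAccessBinding", "metadata": {"name": "stackland-cluster-admins"},
     "spec": {"roleID": "admin",
              "subject": {"kind": "Group", "name": "stackland-cluster-admins"}}},
    {"kind": "AccessBinding",
     "metadata": {"name": "bob-is-storage-admin", "namespace": "warehouse"},
     "spec": {"roleID": "storage.admin",
              "subject": {"kind": "User", "name": "bob@stackland"}}},
    {"kind": "AccessBinding",
     "metadata": {"name": "app-sa-is-storage-viewer", "namespace": "warehouse"},
     "spec": {"roleID": "storage.viewer",
              "subject": {"kind": "ServiceAccount", "name": "app-sa",
                          "namespace": "billing"}}},
]})


def review_bindings(raw_json):
    """Return (binding, subject, reason) tuples that deserve a manual review."""
    findings = []
    for item in json.loads(raw_json).get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        subject = spec.get("subject", {})
        role = spec.get("roleID", "")
        who = f'{subject.get("kind")}/{subject.get("name")}'
        cluster_wide = item.get("kind") == "ClusterAccessBinding"
        scope = "cluster" if cluster_wide else meta.get("namespace")
        label = f'{scope}/{meta.get("name")}'
        # admin is "full access to all resources in the organization".
        if cluster_wide and role == "admin":
            findings.append((label, who, "organization-wide admin"))
        # Example policy (assumption): users get cluster roles through groups.
        if cluster_wide and subject.get("kind") == "User":
            findings.append((label, who, "cluster role bound to a single user"))
        # Service account living outside the namespace it is granted access to.
        if (not cluster_wide and subject.get("kind") == "ServiceAccount"
                and subject.get("namespace") != meta.get("namespace")):
            findings.append((label, who, "service account from another namespace"))
    return findings


if __name__ == "__main__":
    for binding, who, reason in review_bindings(SAMPLE):
        print(f"{binding}: {who}: {reason}")
```

Each finding names the binding to pass to the `kubectl delete` commands above once the grant is confirmed as unneeded.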

What's next

  • Creating a user
  • Creating a user group
  • Connecting a SAML federation
