Creating a user group
Written by
Updated at April 8, 2026
You can create a user group in Identity and Access Management to simplify access permission management.
Note
You need the organization administrator permissions to create such a group.
Creating a group
Management console
CLI
- In the management console, navigate to Access management.
- On the Groups page, click Create group.
- Specify the group's name.
- Optionally, add the group's description.
- Click Create.
You can only create a group using the management console. After the group is created, you can use the ClusterAccessBinding resource to assign it a role.
To assign a role to your group, create a file named group-role-binding.yaml:
apiVersion: iam.stackland.yandex.cloud/v1alpha1
kind: ClusterAccessBinding
metadata:
name: <group_name>-role
spec:
roleID: <role_ID>
subject:
kind: Group
name: <group_name>
Where:
metadata.name: Unique role binding name.roleID: Role ID, such asviewer,editor, oradmin.name: Name of the group you created in the management console.
Apply the manifest:
kubectl apply -f group-role-binding.yaml
Check the binding you created:
kubectl get clusteraccessbinding <group_name>-role
Adding users to a group
Management console
CLI
- In the management console, navigate to Access management.
- On the Groups page, select a group.
- Go to the Members tab.
- Click Add member.
- Select the users you want to add to the group.
- Click Add.
You can only manage group membership via the management console.
To check role assignments for groups, run this command:
kubectl get clusteraccessbindings -o wide
System groups
Groups prefixed with stackland- are system groups. You cannot delete or create such groups, but you can manage their membership.
System group examples:
stackland-cluster-admins: Cluster administrators with full permissions.stackland-cluster-editors: Editors with permissions to edit resources.stackland-cluster-viewers: Users with view-only permissions.