System groups

    A system group is an ID for a group of users (subjects) that roles can be assigned to.

    There are two types of system groups in Yandex.Cloud: allAuthenticatedUsers and allUsers. These groups let you grant public access to your resources, but only for operations that are allowed by the given role.

    You can assign any role to a system group, except resource-manager.clouds.owner and resource-manager.clouds.member.


    Do not assign a system group the editor or admin role for a folder or cloud. Otherwise, anyone who knows the folder ID can use Yandex.Cloud at your expense.


    allAuthenticatedUsers: All users who have passed authentication, that is, any registered Yandex.Cloud user or service account.

    For example, you have an OS disk image that you want to share with all Yandex.Cloud users. To do this, assign the compute.images.user role to the allAuthenticatedUsers subject for the folder containing the image.


    allUsers: Any user. No authentication is required. For example, you don't need to specify the IAM token in an API request.


    Currently, allUsers is supported only in Object Storage, in ACL-based access management.

    For other services, assigning a role to the allUsers group is equivalent to assigning the role to allAuthenticatedUsers.
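
    The rules above can be checked mechanically when reviewing a folder's or cloud's access bindings. The following is an added example, not code from the Yandex.Cloud documentation; the binding shape (roleId plus subject.id), the "object-storage" service label, the viewer role entry and the sample data are assumptions made for illustration.

```python
# Added example (not from the Yandex.Cloud docs): audit access bindings for
# grants to system groups. Binding shape and service label are assumptions.
SYSTEM_GROUPS = {"allAuthenticatedUsers", "allUsers"}
# The page warns against these roles for a system group on a folder or cloud.
DANGEROUS_ROLES = {"editor", "admin"}
# The page says these roles cannot be assigned to a system group at all.
UNASSIGNABLE_ROLES = {"resource-manager.clouds.owner",
                      "resource-manager.clouds.member"}


def effective_group(subject_id, service):
    """allUsers is honoured only by Object Storage ACLs; for other services
    it is equivalent to allAuthenticatedUsers."""
    if subject_id == "allUsers" and service != "object-storage":
        return "allAuthenticatedUsers"
    return subject_id


def audit_bindings(bindings, resource_type, service="resource-manager"):
    """Return one finding per binding whose subject is a system group."""
    findings = []
    for binding in bindings:
        subject_id = binding.get("subject", {}).get("id")
        if subject_id not in SYSTEM_GROUPS:
            continue  # ordinary user or service account
        role = binding.get("roleId") or binding.get("role_id")
        if role in UNASSIGNABLE_ROLES:
            severity = "unexpected"  # should not exist per the page
        elif role in DANGEROUS_ROLES and resource_type in ("folder", "cloud"):
            severity = "critical"    # anyone with the folder ID can spend
        else:
            severity = "review"      # public, limited to what the role allows
        findings.append({"role": role, "subject": subject_id,
                         "effective": effective_group(subject_id, service),
                         "severity": severity})
    return findings


# Constructed sample bindings for one folder.
SAMPLE = [
    {"roleId": "compute.images.user",
     "subject": {"type": "system", "id": "allAuthenticatedUsers"}},
    {"roleId": "editor", "subject": {"type": "system", "id": "allUsers"}},
    {"roleId": "viewer",
     "subject": {"type": "userAccount", "id": "example-user-id"}},
]

if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE, "folder"):
        print(finding)
```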