Yandex Cloud resource hierarchy
The Resource Manager resource model is shown in the chart. Most Yandex Cloud services are based on this model.
All Yandex Cloud resources, such as VMs, disks, or networks, are placed in folders. When creating a resource, its folder is specified.
Each folder belongs to a single cloud. There are no folders outside a cloud. You cannot create a folder inside another folder.
A cloud belongs to an organization.
Organizations do not interact with each other. The resources of an organization cannot interact with the resources of another organization using Yandex Cloud tools. Organization management is performed by Yandex Cloud Organization.
Within your organization, you can configure resource access rights at the following levels:
- Organization.
- Cloud.
- Folder.
- Individual resource if the service supports access control at this level.
A new user (organization member) is not granted access to resources within organization clouds by default. The access rights must be granted to them explicitly by assigning the respective role for a resource or a folder, the resource's cloud or organization.
Resource Manager Resources
Cloud
A cloud is an isolated space where folders are created.
By default, clouds are isolated from each other. You cannot move resources from one cloud to another. For resources that support cross-cloud interaction, you can configure it separately.
Cloud owner
A newly created cloud gets an owner assigned. A cloud owner is a user with the resource-manager.clouds.owner role assigned for the cloud.
An owner can perform any operation with the cloud and the resources within it.
An owner can grant access to the cloud to other users: assign and revoke various roles. Only a cloud owner can assign and revoke the resource-manager.clouds.owner role. Cloud owners can also revoke this role from themselves.
A cloud must have at least one owner. The user creating a cloud becomes its owner automatically. Sole cloud owners cannot revoke the resource-manager.clouds.owner role from themselves.
Cloud member
The resource-manager.clouds.member role does not grant any rights to handle resources. This role is used in combination with other roles.
The role is useful if the user needs access to Yandex Cloud resources not only via the CLI, API, and Terraform, but also via the management console.
resource-manager.clouds.member is one of the roles that gives users access to the management console. Any role from the list can also be used for this purpose:
- For an organization or cloud: resource-manager.admin, resource-manager.editor, resource-manager.viewer, resource-manager.auditor, admin, editor, viewer, auditor.
- For a cloud: resource-manager.clouds.owner.
Each role from the list will give the user access to the console and permissions for cloud resources or an organization. Depending on the role, this can be either for reading information about all the resources in the cloud or creating and deleting any resource.
To avoid giving the user additional rights, use resource-manager.clouds.member. The role will provide access to the management console while giving minimum additional rights. The user will only see general information about the cloud which they have been assigned the role to, but will not be able to view the resources and access rights to the cloud.
Example:
Let's assume the administrator needs to manage the network connectivity of resources in all organization clouds, while other team members are in charge of non-network resources. In this case, you can use the following access matrix:
- Role: vpc.admin. For a resource: organization. Allows: managing networks, routes, IP addresses, and other Virtual Private Cloud resources via the CLI, API, and Terraform in all the organization's clouds.
- Role: resource-manager.clouds.member. For a resource: all clouds of the organization. Allows: working with Virtual Private Cloud resources in the management console and viewing general information about the clouds.
Note
If there are multiple clouds in the organization and they are created and deleted frequently, it might not be handy to assign resource-manager.clouds.member to a cloud every time. In this case, you can replace the resource-manager.clouds.member role with the resource-manager.viewer one: if you assign it once to an organization, the administrator will be able to work in the management console with Virtual Private Cloud resources of all clouds, including those you create moving forward. This role will also enable you to view information about all clouds and folders, including access rights lists.
Public access to the cloud
You can make your cloud (and any of its resources) public by assigning a role to the system group. Then to access a resource, you do not have to be a cloud member. You just need to know the resource ID. Learn more about system groups.
Folder
A folder is a space where Yandex Cloud resources are created and grouped.
Just like folders in your file system, Yandex Cloud folders make resource management simpler. You can group your resources into folders by the resource type, project, or department that uses those resources, or any other criteria of your choice.
Inheritance of access rights
When a user (subject) performs an operation with a resource, the Identity and Access Management service verifies the user's access rights to this resource.
Resource access rights are inherited:
- Organization access rights apply to the organization's resources:
- Federations.
- Groups.
- Organization clouds.
- Rights to access the cloud apply to all folders within the cloud.
- Folder access rights apply to all resources in the folder.
For example, for an organization named myorganization with the following hierarchy:
- mycloud cloud:
  - robots folder:
    - Alice service account.
    - Bob service account.
If you assign a user the resource-manager.viewer role for the organization, they can view a list of all clouds, folders, and resources in the organization, but cannot manage them. If you additionally assign them the editor role for the mycloud cloud, they can manage all the cloud resources, including the Alice and Bob service accounts, but cannot grant other users access to them. The admin role for the robots folder allows the user to manage all the resources in the folder, including the Alice and Bob service accounts.
For certain resources, you cannot assign a role directly. In this case, a role is assigned for a folder, cloud, or organization. If the folder access rights are missing, Identity and Access Management checks the cloud and organization access rights.
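To make the inheritance rules concrete, here is an added toy model (not Yandex Cloud's IAM implementation) that resolves a subject's effective roles on a resource by walking organization, cloud, folder and resource levels, and that enforces the "a cloud must keep at least one owner" rule from the cloud owner section. It replays the myorganization / mycloud / robots / Alice example; the "creator", "user" and "othercloud" names are constructed for the illustration.

```python
from collections import defaultdict

OWNER_ROLE = "resource-manager.clouds.owner"


class AccessBindings:
    """Role bindings keyed by the path of the resource they were assigned on:
    (org,), (org, cloud), (org, cloud, folder) or (org, cloud, folder, resource)."""

    def __init__(self):
        # path -> subject -> set of role names
        self._bindings = defaultdict(lambda: defaultdict(set))

    def assign(self, path, subject, role):
        self._bindings[tuple(path)][subject].add(role)

    def owners(self, cloud_path):
        """Subjects holding the owner role directly on a cloud."""
        return {s for s, roles in self._bindings[tuple(cloud_path)].items() if OWNER_ROLE in roles}

    def revoke(self, path, subject, role):
        path = tuple(path)
        # Page rule: a sole cloud owner cannot revoke the owner role from themselves.
        if role == OWNER_ROLE and len(path) == 2 and self.owners(path) == {subject}:
            raise PermissionError(f"{subject} is the sole owner of cloud {path[-1]}")
        self._bindings[path][subject].discard(role)

    def effective_roles(self, subject, path):
        """Roles in force on `path`: those bound on the resource plus on every ancestor.
        Returns {role: level_that_granted_it} so an audit can see where a right comes from."""
        path = tuple(path)
        granted = {}
        for depth in range(1, len(path) + 1):
            level = path[:depth]
            for role in self._bindings.get(level, {}).get(subject, ()):
                granted.setdefault(role, level)
        return granted


def page_example():
    """The page's scenario: viewer on the organization, editor on mycloud, admin on robots."""
    b = AccessBindings()
    b.assign(("myorganization", "mycloud"), "creator", OWNER_ROLE)  # constructed: cloud creator
    b.assign(("myorganization",), "user", "resource-manager.viewer")
    b.assign(("myorganization", "mycloud"), "user", "editor")
    b.assign(("myorganization", "mycloud", "robots"), "user", "admin")
    alice = ("myorganization", "mycloud", "robots", "Alice")
    other = ("myorganization", "othercloud", "prod", "Carol")  # constructed second cloud
    return b, b.effective_roles("user", alice), b.effective_roles("user", other)
```

The returned mapping shows that on Alice the user holds viewer (from the organization), editor (from mycloud) and admin (from robots), while on a resource in another cloud only the organization-level viewer role applies.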