System groups
A system group is an ID for a group of users (subjects) that roles can be assigned to.
There are two types of system groups in Yandex Cloud: allAuthenticatedUsers and allUsers. These groups let you grant public access to your resources, but only for the operations that the assigned role allows.
You can assign any role to a system group, except resource-manager.clouds.owner and resource-manager.clouds.member.
Alert
Do not assign the editor or admin role to a system group for a folder or cloud. Otherwise, anyone who knows the folder ID can use Yandex Cloud at your expense.
allAuthenticatedUsers
allAuthenticatedUsers: All users who have passed authentication. These are all registered users and service accounts in Yandex Cloud, both from your clouds and from other users' clouds.
For example, let's say you have an OS disk image that you want to share with all Yandex Cloud users. To do this, assign the compute.images.user role to the allAuthenticatedUsers subject for the folder containing the image.
Alert
Assigning a role to the allAuthenticatedUsers system group opens public access to your resources. The role grants rights to your resources to every user authenticated in Yandex Cloud, not just users from your cloud.
allUsers
allUsers: Any user. No authentication is required.
For example, when making an API request to your resource, users do not need to specify an IAM token.
Warning
Currently, allUsers is supported only in Object Storage (ACL-based access management), in Container Registry, and in Cloud Functions.
For other services, assigning a role to the allUsers group is equivalent to assigning the role to allAuthenticatedUsers.
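The two rules above (never give editor or admin to a system group on a folder or cloud; allUsers behaves as allAuthenticatedUsers outside Object Storage, Container Registry and Cloud Functions) can be checked over a folder's access bindings. This is an added audit example, not code from Yandex Cloud; it assumes bindings in the shape returned by the IAM listAccessBindings API (roleId plus subject with id and type, where system groups have type "system"), and the sample bindings below are constructed.

```python
# Audit constructed access bindings for risky assignments to system groups.
SYSTEM_GROUPS = {"allUsers", "allAuthenticatedUsers"}
# Roles the page says must never go to a system group on a folder or cloud.
FORBIDDEN_ROLES = {"editor", "admin"}
# Roles that cannot be assigned to a system group at all.
UNASSIGNABLE_ROLES = {"resource-manager.clouds.owner",
                      "resource-manager.clouds.member"}
# Services where allUsers really means unauthenticated access.
ALLUSERS_SERVICES = {"storage", "container-registry", "serverless-functions"}


def audit_bindings(bindings, service):
    """Return one finding per binding whose subject is a system group.

    `service` names the service owning the resource (assumed labels above)
    and decides whether allUsers grants anonymous access or collapses to
    allAuthenticatedUsers, as the page describes.
    """
    findings = []
    for b in bindings:
        subj = b.get("subject", {})
        if subj.get("type") != "system" or subj.get("id") not in SYSTEM_GROUPS:
            continue
        role = b["roleId"]
        group = subj["id"]
        effective = group
        if group == "allUsers" and service not in ALLUSERS_SERVICES:
            effective = "allAuthenticatedUsers"
        if role in UNASSIGNABLE_ROLES:
            severity = "invalid"      # IAM rejects this; flag stale data
        elif role in FORBIDDEN_ROLES:
            severity = "critical"     # anyone with the folder ID can spend
        else:
            severity = "public"       # intended sharing, still worth review
        findings.append({"role": role, "group": group,
                         "effective": effective, "severity": severity})
    return findings


# Constructed sample: a shared image, a mistaken editor grant, a private user.
SAMPLE_BINDINGS = [
    {"roleId": "compute.images.user",
     "subject": {"id": "allAuthenticatedUsers", "type": "system"}},
    {"roleId": "editor", "subject": {"id": "allUsers", "type": "system"}},
    {"roleId": "editor", "subject": {"id": "ajeexample", "type": "userAccount"}},
]

if __name__ == "__main__":
    for f in audit_bindings(SAMPLE_BINDINGS, "compute"):
        print(f"{f['severity']:8} {f['role']} -> {f['group']} (effective {f['effective']})")
```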