Yandex Cloud
© 2023 Yandex.Cloud LLC
Yandex Identity and Access Management

System groups

Written by
Yandex Cloud

    A system group is a predefined subject (a group of users identified by a fixed ID) that roles can be assigned to, in the same way as an individual user or service account.

    Yandex Cloud has two system groups: allAuthenticatedUsers and allUsers. Assigning a role to either of them grants public access to your resources, limited to the operations that the assigned role permits.

    You can assign any role to a system group except resource-manager.clouds.owner and resource-manager.clouds.member.

    Alert

    Do not assign the editor or admin role for a folder or cloud to a system group. Otherwise, anyone who knows the ID of that folder or cloud can create resources and use Yandex Cloud at your expense.

    allAuthenticatedUsers

    allAuthenticatedUsers: all users who have passed authentication. This means every registered Yandex Cloud user and every service account, whether they belong to your clouds or to anyone else's.

    For example, suppose you have an OS disk image that you want to share with all Yandex Cloud users. To do this, assign the compute.images.user role for the folder containing the image to the allAuthenticatedUsers subject.

    Alert

    Assigning a role to the allAuthenticatedUsers system group makes your resources public: the role grants its permissions to every user authenticated in Yandex Cloud, not just to users of your cloud.

    allUsers

    allUsers: any user at all; no authentication is required.

    For example, API requests to such a resource do not need to carry an IAM token.

    Warning

    Currently, allUsers is supported only in Object Storage (with ACL-based access management), Container Registry, and Cloud Functions.

    For other services, assigning a role to the allUsers group is equivalent to assigning it to allAuthenticatedUsers.
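    The two alerts above boil down to one operational check: which of your folders or clouds have bindings to allUsers or allAuthenticatedUsers, and do any of them carry editor or admin? The following script is an added example written for this page, not part of Yandex Cloud's documentation or tooling. It audits the JSON that the yc CLI prints for a resource's access bindings (for instance yc resource-manager folder list-access-bindings <folder-id> --format json) and flags every system-group binding, escalating editor/admin to critical. The field names role_id, subject.id and subject.type are assumed to match the snake_case layout of yc JSON output; the sample bindings embedded in the script are constructed, not taken from a real account, and the service account ID in them is a placeholder.

```python
"""Audit Yandex Cloud access bindings for grants to system groups.

Input: JSON array of access bindings as printed by the yc CLI, e.g.
    yc resource-manager folder list-access-bindings <folder-id> --format json
    yc resource-manager cloud list-access-bindings <cloud-id> --format json
Assumed field layout (yc snake_case JSON output): role_id, subject.id, subject.type.
"""
import json
import sys

# The two system groups described on this page. allUsers is treated exactly like
# allAuthenticatedUsers here: outside Object Storage, Container Registry and Cloud
# Functions they are equivalent anyway, and both mean "public" for audit purposes.
SYSTEM_GROUPS = {"allUsers", "allAuthenticatedUsers"}

# The combination the IAM alert forbids: editor or admin on a folder or cloud for a
# system group lets anyone who knows the folder/cloud ID spend money on your account.
CRITICAL_ROLES = {"editor", "admin"}

# Constructed sample (not real output): one intended public image share, one
# dangerous public editor grant, one ordinary service-account binding.
SAMPLE_BINDINGS = json.dumps([
    {"role_id": "compute.images.user",
     "subject": {"id": "allAuthenticatedUsers", "type": "system"}},
    {"role_id": "editor",
     "subject": {"id": "allUsers", "type": "system"}},
    {"role_id": "viewer",
     "subject": {"id": "aje0example0service0account", "type": "serviceAccount"}},
])


def is_system_group(subject):
    """True when the binding's subject is allUsers or allAuthenticatedUsers."""
    return subject.get("type") == "system" and subject.get("id") in SYSTEM_GROUPS


def find_public_bindings(bindings_json):
    """Return a list of findings for every binding granted to a system group.

    Each finding is {"role": ..., "subject": ..., "severity": "critical"|"public"}.
    Bindings to ordinary users, groups and service accounts are ignored.
    """
    findings = []
    for binding in json.loads(bindings_json):
        subject = binding.get("subject", {})
        if not is_system_group(subject):
            continue
        role = binding.get("role_id", "")
        severity = "critical" if role in CRITICAL_ROLES else "public"
        findings.append({"role": role, "subject": subject["id"], "severity": severity})
    return findings


def exit_code(findings):
    """CI-friendly verdict: 2 if any critical grant, 1 if any public grant, else 0."""
    if any(f["severity"] == "critical" for f in findings):
        return 2
    return 1 if findings else 0


def remediation(finding, resource_kind="folder", resource_id="<folder-id>"):
    """yc command that removes the offending binding (fill in the real resource ID)."""
    return (f"yc resource-manager {resource_kind} remove-access-binding {resource_id} "
            f"--role {finding['role']} --subject system:{finding['subject']}")


if __name__ == "__main__":
    # Pipe real yc output in, or run without stdin to audit the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BINDINGS
    results = find_public_bindings(raw)
    for f in results:
        print(f"[{f['severity'].upper()}] {f['role']} -> {f['subject']}")
        if f["severity"] == "critical":
            print("    fix: " + remediation(f))
    sys.exit(exit_code(results))
```

    A binding such as compute.images.user for allAuthenticatedUsers is reported as public so that it stays visible in review, but only editor or admin for a system group fails the run outright; wire the exit code into whatever job already enumerates your folders and clouds.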
