Granting permissions

Written by

Appointing a user the organization administrator
Assigning a role to a user
Revoking a user's role

Access management in Yandex.Cloud leverages the Role Based Access Control (RBAC) policy. To grant a user certain privileges or access to a resource, you must assign the user the appropriate roles.

Each role consists of a set of permissions that describe operations that can be performed with the resource. A user can assign a role with only those permissions which are available to themselves. For example, only a user with the organization owner role can assign this role: the administrator role is not sufficient to do this.

If a resource has child resources, all permissions from the parent resource will be inherited by the child resources. For instance, if you assign a user the administrator role for the organization hosting the cloud, all the role's permissions will apply to the cloud and all the cloud's nested resources.

For more information on access control in Yandex.Cloud, please see the Yandex Identity and Access Management documentation, How access management works in Yandex.Cloud.

Appointing a user the organization administrator

To grant a user organization management access, assign the user one of the following roles:

organization-manager.admin: The organization administrator role.

The role is able to edit organization settings, create identity federations, add and remove users, create other administrators, and manage the resources of an organization's clouds.
organization-manager.organizations.owner: The organization owner role.

The role is able to appoint organization owners as well as use all the administrator privileges.

By default, the user who creates an organization is the organization owner.
organization-manager.viewer: This role is able to view, but not edit, an organization's settings.

Assigning a role to a user

An organization's administrators and owners can assign roles in Yandex Cloud Organization. You can assign users both roles for managing an organization and roles for your organization's connected cloud resources.

For information on roles available in Yandex.Cloud and their associated permissions, please review the Yandex Identity and Access Management documentation, Roles.

Organization interface

CLI

API

Log in to the organization's administrator account.
Go to Yandex Cloud Organization.
Go to the left panel and select Users .
Select a user from the list or use the search bar at the top of the page.
In the right-hand column, click and select Configure access.
In the Configure access rights window, click Add role and enter the name of the role or select from list.

You can find a description of the available roles in the Yandex Identity and Access Management documentation, Roles.
Click Save.

Select the role you wish to assign. You can find a description of the roles in the Yandex Identity and Access Management documentation, Roles.
Get a user ID.
Assign the role using the command:
```
yc <SERVICE-NAME> <RESOURCE> add-access-binding <RESOURCE-NAME>|<RESOURCE-ID> \
    --role <ROLE-ID> \
    --subject userAccount:<USER-ACCOUNT-ID>
```
- <SERVICE-NAME> is the name of the service whose resource an assigned role, such as organization-manager, applies to.
- <RESOURCE> is the resource category. For an organization, organization is the category of importance.
- <RESOURCE-NAME> is the name of the resource. Refer to an organization by its technical name.
- <RESOURCE-ID> is the resource ID.
- <ROLE-ID> is the role ID, such as organization-manager.admin.
- <USER-ACCOUNT-ID> is the ID of the user account assigned the role.
For example, assign an organization administrator role with the ID bpf3crucp1v28b74p3rk:
```
yc organization-manager organization add-access-binding bpf3crucp1v28b74p3rk \
    --role organization-manager.admin \
    --subject userAccount:aje6o61dvog2h6g9a33s
```

Use the updateAccessBindings method for the corresponding resource.

Select the role you wish to assign. You can find a description of the roles in the Yandex Identity and Access Management documentation, Roles.
Get the user ID.

Create a request body, for example, in a body.json file. Set the action property to ADD and specify the userAccount type and user ID in the subject property:

Example body.json file:

{
  "accessBindingDeltas": [{
    "action": "ADD",
    "accessBinding": {
      "roleId": "organization-manager.admin",
      "subject": {
        "id": "gfei8n54hmfhuk5nogse",
        "type": "userAccount"
      }
    }
  }]
}

Assign the role. For example, for an organization with the ID bpf3crucp1v28b74p3rk:

export ORGANIZATION_ID=bpf3crucp1v28b74p3rk
export IAM_TOKEN=CggaATEVAgA...
curl -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${IAM_TOKEN}" \
    -d '@body.json' \	"https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations/${ORGANIZATION_ID}:updateAccessBindings"

For detailed instructions on assigning a role to a resource, please see the Yandex Identity and Access Management and Yandex Resource Manager documentation:

Revoking a user's role

If you wish to deny a user access to a resource, revoke the relevant roles for this resource and for resources that grant inherited access rights. For more information on access control in Yandex.Cloud, please see the Yandex Identity and Access Management documentation.

Organization interface

CLI

API

Log in to the organization's administrator account.
Go to Yandex Cloud Organization.
Go to the left panel and select Users .
Select a user from the list or use the search bar at the top of the page.
In the right-hand column, click and select Configure access.
Click next to a role to delete it.
Click Save.

To revoke a role from a subject, delete the corresponding access binding for the appropriate resource:

View roles and their assignees:

yc <SERVICE-NAME> <RESOURCE> list-access-bindings <RESOURCE-NAME>|<RESOURCE-ID>

<SERVICE-NAME> is the name of the service that the resource belongs to, such as organization-manager.
<RESOURCE> is the resource category. For an organization, organization is the category of importance.
<RESOURCE-NAME> is the name of the resource. Refer to an organization by its technical name.
<RESOURCE-ID> is the resource ID.

For example, see to whom and which roles the organization with the ID bpf3crucp1v28b74p3rk has been assigned:

yc organization-manager organization list-access-bindings bpf3crucp1v28b74p3rk

Result:

+------------------------------------------+--------------+----------------------+
|                 ROLE ID                  | SUBJECT TYPE |      SUBJECT ID      |
+------------------------------------------+--------------+----------------------+
| organization-manager.organizations.owner | userAccount  | aje3r40rsemj2f5b5jkk |
| organization-manager.admin               | userAccount  | aje6o61dvog2h6g9a33s |
+------------------------------------------+--------------+----------------------+

To delete an access binding, run:

yc <SERVICE-NAME> <RESOURCE> remove-access-binding <RESOURCE-NAME>|<RESOURCE-ID> \
    --role <ROLE-ID> \
    --subject <SUBJECT-TYPE>:<SUBJECT-ID>

<ROLE-ID> is the ID of the role to revoke, such as organization-manager.admin.
<SUBJECT-TYPE> is the subject type to revoke a role from.
<SUBJECT-ID> is the subject ID.

For example, to revoke a role from a user with the ID aje6o61dvog2h6g9a33s:

yc organization-manager organization remove-access-binding bpf3crucp1v28b74p3rk \
    --role organization-manager.admin \
    --subject userAccount:aje6o61dvog2h6g9a33s

To revoke a resource role from a subject, delete the corresponding access binding:

View what roles were assigned for resources and to whom using the listAccessBindings method. For example, to view the roles in an organization with the ID bpf3crucp1v28b74p3rk:

export ORGANIZATION_ID=bpf3crucp1v28b74p3rk
export IAM_TOKEN=CggaATEVAgA...
curl -H "Authorization: Bearer ${IAM_TOKEN}" "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations/${ORGANIZATION_ID}:listAccessBindings"