Granting permissions in Organization

Written by

Service roles

Access management in Yandex Cloud leverages the Role Based Access Control (RBAC) policy. To grant a user certain privileges or access to a resource, you must assign the user the appropriate roles.

Each role consists of a set of permissions that describe operations that can be performed with the resource. A user can assign a role with only those permissions which are available to themselves. For example, only a user with the organization owner role can assign this role: the administrator role is not sufficient to do this.

If a resource has child resources, all permissions from the parent resource will be inherited by the child resources. For instance, if you assign a user the administrator role for the organization hosting the cloud, all the role's permissions will apply to the cloud and all the cloud's nested resources.

For more information about access control in Yandex Cloud, see the Yandex Identity and Access Management documentation, How access management works in Yandex Cloud.

Service roles

organization-manager.admin: The organization administrator role.

The role lets you edit organization settings, create identity federations, add and remove users, and appoint other administrators.
organization-manager.organizations.owner: The organization owner role.

The role lets you to appoint organization owners as well as use all the administrator privileges.

By default, the user who creates an organization is the organization owner.
organization-manager.viewer: This role lets you view, but not edit, an organization's settings.
organization-manager.groups.memberAdmin: This role lets you view information about a group and add and remove group members.

Appointing a user the organization administrator

To grant a user organization management access, assign the user one of the following roles:

organization-manager.admin;
organization-manager.organizations.owner.

Assigning a role to a user

An organization's administrators and owners can assign roles in Yandex Cloud Organization. You can assign users both roles for managing an organization and roles for your organization's connected cloud resources.

For information about roles available in Yandex Cloud and their associated permissions, see the Yandex Identity and Access Management documentation, Roles.

Organization interface

CLI

API

Terraform

Log in to the organization's administrator or owner account.
Go to Yandex Cloud Organization.
In the left panel, select Users .
Select a user from the list or use the search bar at the top of the page.
In the right-hand column, click and select Configure access.
In the Configure access rights window, click Add role and enter the name of the role or select from list.

You can find a description of the available roles in the Yandex Identity and Access Management documentation, Roles.
Click Save.

Select the role you wish to assign. You can find a description of the roles in the Yandex Identity and Access Management documentation, Roles.
Get the user ID.
Assign the role using the command:
```
yc <SERVICE-NAME> <RESOURCE> add-access-binding <RESOURCE-NAME>|<RESOURCE-ID> \
    --role <ROLE-ID> \
    --subject userAccount:<USER-ACCOUNT-ID>
```
- <SERVICE-NAME> is the name of the service whose resource the role, such as organization-manager, is assigned to.
- <RESOURCE> is the resource category. For an organization, organization is the category of importance.
- <RESOURCE-NAME> is the name of the resource. Refer to an organization by its technical name.
- <RESOURCE-ID> is the resource ID.
- <ROLE-ID> is the role ID, such as organization-manager.admin.
- <USER-ACCOUNT-ID> is the ID of the user account assigned the role.
For example, assign the administrator role for the organization with the ID bpf3crucp1v28b74p3rk:
```
yc organization-manager organization add-access-binding bpf3crucp1v28b74p3rk \
    --role organization-manager.admin \
    --subject userAccount:aje6o61dvog2h6g9a33s
```

Use the updateAccessBindings method for the corresponding resource.

Select the role you wish to assign. You can find a description of the roles in the Yandex Identity and Access Management documentation, Roles.
Get the user ID.

Create a request body, for example, in a body.json file. Set the action property to ADD and specify the userAccount type and user ID in the subject property:

Example body.json file:

{
  "accessBindingDeltas": [{
    "action": "ADD",
    "accessBinding": {
      "roleId": "organization-manager.admin",
      "subject": {
        "id": "gfei8n54hmfhuk5nogse",
        "type": "userAccount"
      }
    }
  }]
}

Assign the role. For example, for an organization with the ID bpf3crucp1v28b74p3rk:
```
export ORGANIZATION_ID=bpf3crucp1v28b74p3rk
export IAM_TOKEN=CggaATEVAgA...
curl -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${IAM_TOKEN}" \
    -d '@body.json' \	"https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations/${ORGANIZATION_ID}:updateAccessBindings"
```
For detailed instructions on assigning a role to a resource, please see the Yandex Identity and Access Management and Yandex Resource Manager documentation:

If you don't have Terraform, install it and configure the Yandex Cloud provider.

Describe the properties of the roles to be assigned in the configuration file:
- organization_id: Organization ID.
- role: Role to assign. You can find a description of the roles in the Yandex Identity and Access Management documentation, Roles. For each role, you can only use one yandex_organization manager_organization_iam_binding.
- members: An array of the IDs of users to assign the role to:
  * userAccount:{user_id}: User's Yandex account ID.
  - serviceAccount:{service_account_id}: Service account ID.
  - federatedUser:{federated_user_id}: Federated user ID.
Example configuration file structure:
```
resource "yandex_organizationmanager_organization_iam_binding" "editor" {
  organization_id = "<organization ID>"
  role = "editor"
  members = [
   "federatedUser:<user ID>",
  ]
}
```
For more information on resources that you can create with Terraform, see the provider documentation.
Make sure that the configuration files are correct.
1. In the command line, go to the directory where you created the configuration file.
2. Run the check using the command:
```
terraform plan
```
If the configuration is described correctly, the terminal displays a list of the roles assigned. If the configuration contain errors, Terraform will point them out.
Assign roles.

If the configuration doesn't contain any errors, run the command:
```
terraform apply
```
This assigns the roles in the specified organization.

Revoking a user's role

If you wish to deny a user access to a resource, revoke the relevant roles for this resource and for resources that grant inherited access rights. For more information on access control in Yandex Cloud, please see the Yandex Identity and Access Management documentation.

The role can be revoked by a user with the organization-manager.admin or organization-manager.organizations.owner role. For information about how to assign roles to users, see Roles.

Organization interface

CLI

API

Log in to the organization's administrator or owner account.
Go to Yandex Cloud Organization.
In the left panel, select Users .
Select a user from the list or use the search bar at the top of the page.
In the right-hand column, click and select Configure access.
Click next to a role to delete it.
Click Save.

To revoke a role from a subject, delete the corresponding access binding for the appropriate resource:

View roles and their assignees:

yc <SERVICE-NAME> <RESOURCE> list-access-bindings <RESOURCE-NAME>|<RESOURCE-ID>

<SERVICE-NAME> is the name of the service that the resource belongs to, such as organization-manager.
<RESOURCE> is the resource category. For an organization, organization is the category of importance.
<RESOURCE-NAME> is the name of the resource. Refer to an organization by its technical name.
<RESOURCE-ID> is the resource ID.

For example, see to whom and which roles the organization with the ID bpf3crucp1v28b74p3rk has been assigned:

yc organization-manager organization list-access-bindings bpf3crucp1v28b74p3rk

Result:

+------------------------------------------+--------------+----------------------+
|                 ROLE ID                  | SUBJECT TYPE |      SUBJECT ID      |
+------------------------------------------+--------------+----------------------+
| organization-manager.organizations.owner | userAccount  | aje3r40rsemj2f5b5jkk |
| organization-manager.admin               | userAccount  | aje6o61dvog2h6g9a33s |
+------------------------------------------+--------------+----------------------+

To delete an access binding, run:

yc <SERVICE-NAME> <RESOURCE> remove-access-binding <RESOURCE-NAME>|<RESOURCE-ID> \
    --role <ROLE-ID> \
    --subject <SUBJECT-TYPE>:<SUBJECT-ID>

<ROLE-ID> is the ID of the role to revoke, such as organization-manager.admin.
<SUBJECT-TYPE> is the subject type to revoke a role from.
<SUBJECT-ID> is the subject ID.

For example, to take a role away from a user with the ID aje6o61dvog2h6g9a33s:

yc organization-manager organization remove-access-binding bpf3crucp1v28b74p3rk \
    --role organization-manager.admin \
    --subject userAccount:aje6o61dvog2h6g9a33s

To revoke a resource role from a subject, delete the corresponding access binding:

View what roles were assigned for resources and to whom using the listAccessBindings method. For example, to view the roles in an organization with the ID bpf3crucp1v28b74p3rk:

export ORGANIZATION_ID=bpf3crucp1v28b74p3rk
export IAM_TOKEN=CggaATEVAgA...
curl -H "Authorization: Bearer ${IAM_TOKEN}" "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations/${ORGANIZATION_ID}:listAccessBindings"