[Yandex Cloud documentation](../../index.md) > [Yandex Audit Trails](../index.md) > [Step-by-step guides](index.md) > Managing trail access permissions > Revoking roles assigned for a trail

# Revoking roles assigned for a trail

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command to revoke [roles](../security/index.md#roles-list) assigned for a [trail](../concepts/trail.md):

      ```bash
      yc audit-trails trail remove-access-binding --help
      ```

  1. Get a list of trails:
     
     ```bash
     yc audit-trails trail list
     ```
     
     Result:
     
     ```text
     +----------------------+--------------+--------+-------------------+
     |          ID          |     NAME     | STATUS |      FILTERS      |
     +----------------------+--------------+--------+-------------------+
     | cnp82sb0phnm******** | trailfromapi | ACTIVE | storage compute   |
     |                      |              |        | management.events |
     | cnp8v52idttr******** | tf-trail     | ACTIVE | storage compute   |
     |                      |              |        | mdb.postgresql    |
     | cnpnkcubr529******** | test-2       | ACTIVE | compute           |
     +----------------------+--------------+--------+-------------------+
     ```
  1. To revoke a role assigned for a trail, run this command:

      * From a user:

          ```bash
          yc audit-trails trail remove-access-binding \
            --id <trail_ID> \
            --user-account-id <user_ID> \
            --role <role>
          ```
          
          Result:

          ```text
          done (1s)
          ```

      * From a [service account](../../iam/concepts/users/service-accounts.md):

          ```bash
          yc audit-trails trail remove-access-binding \
            --id <trail_ID> \
            --service-account-id <service_account_ID> \
            --role <role>
          ```

          Result:

          ```text
          done (1s)
          ```

      * From all authorized users (the `All authenticated users` [public group](../../iam/concepts/access-control/public-group.md)):

          ```bash
          yc audit-trails trail remove-access-binding \
            --id <trail_ID> \
            --all-authenticated-users \
            --role <role>
          ```

          Result:
        
          ```text
          done (1s)
          ```

- API {#api}

  To revoke roles for a [trail](../concepts/trail.md), use the [updateAccessBindings](../api-ref/Trail/updateAccessBindings.md) REST API method for the [Trail](../api-ref/Trail/index.md) resource or the [TrailService/UpdateAccessBindings](../api-ref/grpc/Trail/updateAccessBindings.md) gRPC API call.

{% endlist %}