# Changing desktop group access permissions

Cloud Desktop leverages [Yandex Identity and Access Management roles](../../security/index.md) and [access control lists (ACL)](../../concepts/acl.md) to manage access. [This example](../../concepts/acl.md#example) shows how access control works in Cloud Desktop.

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder containing the desktop group.
  1. Navigate to **Cloud Desktop**.
  1. Select the desktop group to update access permissions for.
  1. In the left-hand panel, select ![persons](../../../_assets/console-icons/persons.svg) **Access permissions**.
  1. Click **Assign roles**.
  1. In the **Granting access** window that opens, grant or revoke permissions as needed.
  1. Click **Save**.

- Yandex Cloud CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  You can assign multiple roles using the `set-access-bindings` command.

  {% note alert %}

  The `set-access-bindings` command completely overwrites access permissions for the desktop group. All current group roles will be deleted.

  {% endnote %}

  1. Make sure the desktop group has no roles you want to keep:

     ```bash
     yc desktops group list-access-bindings <desktop_group_name_or_ID>
     ```

  1. See the description of the CLI command for assigning roles to a desktop group:

     ```bash
     yc desktops group set-access-bindings --help
     ```

  1. Assign roles:

      ```bash
      yc desktops group set-access-bindings <desktop_group_name_or_ID> \
        --access-binding role=<role>,<subject_type>=<subject_ID> \
        --access-binding role=<role>,<subject_type>=<subject_ID>
      ```

      Where `--access-binding` contains access permission settings:

      * `role`: [Role](../../security/index.md#roles-list).
      * `subject`: Type and ID of the [subject](../../../iam/concepts/access-control/index.md#subject) the role is assigned to.

      For example, assign roles to several users and one service account:

      ```bash
      yc desktops group set-access-bindings my-desktop-group \
        --access-binding role=editor,userAccount=gfei8n54hmfh******** \
        --access-binding role=viewer,userAccount=helj89sfj80a******** \
        --access-binding role=editor,serviceAccount=ajel6l0jcb9s********
      ```

      To assign a role to a subject without rewriting its other roles, use the `yc desktops group add-access-bindings` [command](../../../cli/cli-ref/desktops/cli-ref/group/add-access-bindings.md). For example, to assign a role to a service account:

      ```bash
      yc desktops group add-access-bindings \
        --name <desktop_group_name> \
        --role <role> \
        --service-account-name <service_account_name>
      ```

- API {#api}

  Use the [updateAccessBindings](../../api-ref/DesktopGroup/updateAccessBindings.md) REST API method for the [DesktopGroup](../../api-ref/DesktopGroup/index.md) resource or the [DesktopGroupService/UpdateAccessBindings](../../api-ref/grpc/DesktopGroup/updateAccessBindings.md) gRPC API call.

{% endlist %}