# Revoking a registry role

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) where the registry is located.
  1. Navigate to **Cloud Registry**.
  1. Select the registry.
  1. Navigate to the **Access bindings** tab.
  1. Select a user from the list and click ![image](../../../_assets/console-icons/ellipsis.svg) next to the username.
  1. Click **Edit roles**.
  1. Click ![image](../../../_assets/console-icons/xmark.svg) next to the role to revoke.
  1. Click **Save**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. View assigned roles:

     ```bash
     yc cloud-registry registry list-access-bindings <registry_name_or_ID>
     ```

  1. Revoke a role:
     
     * From a user:
       
       ```bash
       yc cloud-registry registry remove-access-binding <registry_name_or_ID> \
         --role <role> \
         --user-account-id <user_ID>
       ```

     * From a [service account](../../../iam/concepts/users/service-accounts.md):
       
       ```bash
       yc cloud-registry registry remove-access-binding <registry_name_or_ID> \
         --role <role> \
         --service-account-id <service_account_ID>
       ```

     * From all authenticated users (the `All authenticated users` [public group](../../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers)):
       
       ```bash
       yc cloud-registry registry remove-access-binding <registry_name_or_ID> \
         --role <role> \
         --allAuthenticatedUsers
       ```

     * From all users (`All users` [public group](../../../iam/concepts/access-control/public-group.md#allUsers)):
         
       ```bash
       yc cloud-registry registry remove-access-binding <registry_name_or_ID> \
         --role <role> \
         --subject system:allUsers
       ```

       Where `<role>` is the [role](../../security/index.md#service-roles) you want to revoke.

    To revoke all roles from a registry and immediately assign new ones, use the `yc cloud-registry registry set-access-bindings` command.
     
     **Example**

     The example below revokes the `cloud-registry.admin` role for `my-first-registry` from a user.
     
     ```bash
     yc cloud-registry registry remove-access-binding my-first-registry \
       --role cloud-registry.admin \
       --user-account-id ajeugsk5ubk6********
     ```

     Result:

     ```text
     done (9s)
     ```

- API {#api}

  [View](list-role.md#api) the roles assigned for the registry.
  
  To revoke registry roles, use the [updateAccessBindings](../../api-ref/Registry/updateAccessBindings.md) REST API method for the [Registry](../../api-ref/Registry/index.md) resource or the [RegistryService/UpdateAccessBindings](../../api-ref/grpc/Registry/updateAccessBindings.md) gRPC API call.

{% endlist %}

For more information on revoking roles, see [this Yandex Identity and Access Management guide](../../../iam/operations/roles/revoke.md).