# Configuring access permissions for a non-replicated disk placement group


To grant a user, group, or [service account](../../../iam/concepts/users/service-accounts.md) access to a [non-replicated disk placement group](../../concepts/disk-placement-group.md), assign a [role](../../../iam/concepts/access-control/roles.md) for it.

## Assigning a role {#add-access}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder hosting your disk placement group.
  1. Navigate to **Compute Cloud**.
  1. In the left-hand panel, select ![image](../../../_assets/compute/group-placement-pic.svg) **Placement groups**.
  1. On the **Non-replicated disk placement groups** tab, click the name of the group.
  1. Navigate to the ![image](../../../_assets/console-icons/persons.svg) **Access bindings** tab.
  1. Click **Assign roles**.
  1. In the window that opens, select the group, user, or service account you want to grant access to the placement group.
  1. Click ![image](../../../_assets/console-icons/plus.svg) **Add role** and select the required [role](../../security/index.md#roles-list).
  1. Click **Save**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command for assigning a role for a disk placement group:

     ```bash
     yc compute disk-placement-group add-access-binding --help
     ```

  1. Get a list of disk placement groups in the default [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder):

     ```bash
     yc compute disk-placement-group list
     ```

  1. View the roles already assigned for the resource:

     ```bash
     yc compute disk-placement-group list-access-bindings <placement_group_ID>
     ```

  1. Assign a role using this command:

     * To a user:

       ```bash
       yc compute disk-placement-group add-access-binding <placement_group_ID> \
         --user-account-id <user_ID> \
         --role <role>
       ```

       Where:

       * `--user-account-id`: [User ID](../../../organization/operations/users-get.md). Use the `--all-authenticated-users` flag to assign a role to all authenticated users.
       * `--role`: [Role](../../security/index.md#roles-list).

     * To a service account:

       ```bash
       yc compute disk-placement-group add-access-binding <placement_group_ID> \
         --service-account-id <service_account_ID> \
         --role <role>
       ```

       Where:

       * `--service-account-id`: [Service account ID](../../../iam/operations/sa/get-id.md).
       * `--role`: [Role](../../security/index.md#roles-list).

- Terraform {#tf}

  With [Terraform](https://www.terraform.io/), you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
  
  Terraform is distributed under the [Business Source License](https://github.com/hashicorp/terraform/blob/main/LICENSE). The [Yandex Cloud provider for Terraform](https://github.com/yandex-cloud/terraform-provider-yandex) is distributed under the [MPL-2.0](https://www.mozilla.org/en-US/MPL/2.0/) license.
  
  For more information about the provider resources, see the relevant documentation on the [Terraform](https://www.terraform.io/docs/providers/yandex/index.html) website or [its mirror](../../../terraform/index.md).

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.

  To assign a role for a non-replicated disk placement group using Terraform:

  1. In the Terraform configuration file, describe the resources you want to create:

      ```hcl
      resource "yandex_compute_disk_placement_group_iam_binding" "sa-access" {
        disk_placement_group_id = "<placement_group_ID>"
        role                    = "<role>"
        members                 = ["<subject_type>:<subject_ID>","<subject_type>:<subject_ID>"]
      }
      ```

      Where:

      * `disk_placement_group_id`: Disk placement group ID.
      * `role`: [Role](../../security/index.md#roles-list).
      * `members`: List of types and IDs of [subjects](../../../iam/concepts/access-control/index.md#subject) getting the role. Use this format: `userAccount:<user_ID>` or `serviceAccount:<service_account_ID>`.

      For more information about `yandex_compute_disk_placement_group_iam_binding` properties, see [this provider guide](../../../terraform/resources/compute_disk_placement_group_iam_binding.md).

  1. Create the resources:

      1. In the terminal, navigate to the configuration file directory.
      1. Make sure the configuration is correct using this command:
      
         ```bash
         terraform validate
         ```
      
         If the configuration is valid, you will get this message:
      
         ```bash
         Success! The configuration is valid.
         ```
      
      1. Run this command:
      
         ```bash
         terraform plan
         ```
      
         You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
      1. Apply the configuration changes:
      
         ```bash
         terraform apply
         ```
      
      1. Type `yes` and press **Enter** to confirm the changes.

      Terraform will create all the required resources. You can check the new resources using the [management console](https://console.yandex.cloud) or this [CLI](../../../cli/index.md) command:

      ```bash
      yc compute disk-placement-group list-access-bindings <placement_group_ID>
      ```

- API {#api}

  To assign a role, use the [updateAccessBindings](../../api-ref/DiskPlacementGroup/updateAccessBindings.md) REST API method for the [DiskPlacementGroup](../../api-ref/DiskPlacementGroup/index.md) resource or the [DiskPlacementGroupService/UpdateAccessBindings](../../api-ref/grpc/DiskPlacementGroup/updateAccessBindings.md) gRPC API call. In the request body, set the `action` property to `ADD` and specify the user type and ID under `subject`.

{% endlist %}

## Assigning multiple roles {#set-access}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder hosting your disk placement group.
  1. Navigate to **Compute Cloud**.
  1. In the left-hand panel, select ![image](../../../_assets/compute/group-placement-pic.svg) **Placement groups**.
  1. On the **Non-replicated disk placement groups** tab, click the name of the group.
  1. Navigate to the ![image](../../../_assets/console-icons/persons.svg) **Access bindings** tab.
  1. Click **Assign roles**.
  1. In the window that opens, select the group, user, or service account you want to grant access to the placement group.
  1. Click ![image](../../../_assets/console-icons/plus.svg) **Add role** and select the required [role](../../security/index.md#roles-list).
  1. To add another role, click ![image](../../../_assets/console-icons/plus.svg) **Add role**.
  1. Click **Save**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  You can assign multiple roles using the `set-access-bindings` command.

  {% note alert %}
  
  The `set-access-bindings` command completely rewrites access permissions for the resource. All current roles for the resource will be deleted.
  
  {% endnote %}

  1. Make sure the resource has no roles assigned that you would not want to lose:

     ```bash
     yc compute disk-placement-group list-access-bindings <placement_group_ID>
     ```

  1. See the description of the CLI command for assigning roles for a disk placement group:

     ```bash
     yc compute disk-placement-group set-access-bindings --help
     ```

  1. Assign roles:

     ```bash
     yc compute disk-placement-group set-access-bindings <placement_group_ID> \
       --access-binding role=<role>,subject=<subject_type>:<subject_ID> \
       --access-binding role=<role>,subject=<subject_type>:<subject_ID>
     ```

     Where:

     * `--access-binding`: Parameters for setting access permissions:

       * `role`: [Role](../../security/index.md#roles-list).
       * `subject`: Type and ID of the [subject](../../../iam/concepts/access-control/index.md#subject) the role is assigned to.

     For example, this command will assign roles to multiple users and a single service account:

     ```bash
     yc compute disk-placement-group set-access-bindings my-disk-group \
       --access-binding role=editor,subject=userAccount:gfei8n54hmfh******** \
       --access-binding role=viewer,subject=userAccount:helj89sfj80a******** \
       --access-binding role=editor,subject=serviceAccount:ajel6l0jcb9s********
     ```

- Terraform {#tf}

  With [Terraform](https://www.terraform.io/), you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
  
  Terraform is distributed under the [Business Source License](https://github.com/hashicorp/terraform/blob/main/LICENSE). The [Yandex Cloud provider for Terraform](https://github.com/yandex-cloud/terraform-provider-yandex) is distributed under the [MPL-2.0](https://www.mozilla.org/en-US/MPL/2.0/) license.
  
  For more information about the provider resources, see the relevant documentation on the [Terraform](https://www.terraform.io/docs/providers/yandex/index.html) website or [its mirror](../../../terraform/index.md).

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.

  To assign multiple roles for a disk placement group using Terraform:

  1. In the Terraform configuration file, describe the resources you want to create:

      ```hcl
      resource "yandex_compute_disk_placement_group_iam_binding" "role-1" {
        disk_placement_group_id = "<placement_group_ID>"
        role                    = "<role_1>"
        members                 = ["<subject_type>:<subject_ID>"]
      }

      resource "yandex_compute_disk_placement_group_iam_binding" "role-2" {
        disk_placement_group_id = "<placement_group_ID>"
        role                    = "<role_2>"
        members                 = ["<subject_type>:<subject_ID>"]
      }
      ```

      Where:

      * `disk_placement_group_id`: Disk placement group ID.
      * `role`: [Role](../../security/index.md#roles-list).
      * `members`: List of types and IDs of [subjects](../../../iam/concepts/access-control/index.md#subject) getting the role. Use this format: `userAccount:<user_ID>` or `serviceAccount:<service_account_ID>`.

      For more information about `yandex_compute_disk_placement_group_iam_binding` properties, see [this provider guide](../../../terraform/resources/compute_disk_placement_group_iam_binding.md).

  1. Create the resources:

      1. In the terminal, navigate to the configuration file directory.
      1. Make sure the configuration is correct using this command:
      
         ```bash
         terraform validate
         ```
      
         If the configuration is valid, you will get this message:
      
         ```bash
         Success! The configuration is valid.
         ```
      
      1. Run this command:
      
         ```bash
         terraform plan
         ```
      
         You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
      1. Apply the configuration changes:
      
         ```bash
         terraform apply
         ```
      
      1. Type `yes` and press **Enter** to confirm the changes.

      You can check the updates using the [management console](https://console.yandex.cloud) or this [CLI](../../../cli/index.md) command:

      ```bash
      yc compute disk-placement-group list-access-bindings <placement_group_ID>
      ```

- API {#api}

  To assign roles for a disk placement group, use the [setAccessBindings](../../api-ref/DiskPlacementGroup/setAccessBindings.md) REST API method for the [DiskPlacementGroup](../../api-ref/DiskPlacementGroup/index.md) resource or the [DiskPlacementGroupService/SetAccessBindings](../../api-ref/grpc/DiskPlacementGroup/setAccessBindings.md) gRPC API call.

  {% note alert %}

  The `setAccessBindings` method and the `DiskPlacementGroupService/SetAccessBindings` call overwrite all existing access permissions for the resource. All current roles for the resource will be deleted.

  {% endnote %}

{% endlist %}
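
Because `set-access-bindings` and `setAccessBindings` replace the whole binding list, it is worth comparing what is on the resource with what you are about to set before running them. The Python code below is an added example, not part of the Yandex Cloud documentation. It assumes that `list-access-bindings` with `--format json` prints a list of objects with `role_id` and `subject.type`/`subject.id` fields and that public groups use the `system` subject type; all IDs are constructed.

```python
import json
import shlex

# Constructed sample of the assumed `list-access-bindings --format json` output.
CURRENT_JSON = """[
  {"role_id": "editor", "subject": {"id": "user-aaa-constructed", "type": "userAccount"}},
  {"role_id": "viewer", "subject": {"id": "user-bbb-constructed", "type": "userAccount"}},
  {"role_id": "viewer", "subject": {"id": "allAuthenticatedUsers", "type": "system"}}
]"""


def parse_bindings(raw):
    """Turn the CLI's JSON into a set of (role, "<subject_type>:<subject_ID>") pairs."""
    return {
        (b["role_id"], f'{b["subject"]["type"]}:{b["subject"]["id"]}')
        for b in json.loads(raw)
    }


def plan_set(current, desired, keep_existing=True):
    """Describe what a set-access-bindings call would leave on the resource."""
    final = set(desired) | (set(current) if keep_existing else set())
    return {
        "final": sorted(final),
        "added": sorted(final - set(current)),
        "dropped": sorted(set(current) - final),  # bindings the overwrite deletes
        # Assumption: public groups appear as subjects of type "system".
        "broad": sorted(b for b in final if b[1].startswith("system:")),
    }


def build_command(group, bindings):
    """Build the argv for set-access-bindings with one --access-binding per pair."""
    argv = ["yc", "compute", "disk-placement-group", "set-access-bindings", group]
    for role, subject in bindings:
        argv += ["--access-binding", f"role={role},subject={subject}"]
    return argv


if __name__ == "__main__":
    current = parse_bindings(CURRENT_JSON)
    desired = {("editor", "serviceAccount:sa-ccc-constructed")}
    for keep in (False, True):
        plan = plan_set(current, desired, keep_existing=keep)
        print(f"keep_existing={keep}: dropped={plan['dropped']} broad={plan['broad']}")
    print(shlex.join(build_command("<placement_group_ID>", plan["final"])))
```

Review the `dropped` and `broad` lists before running the generated command: the first shows every binding the overwrite would delete, the second every grant to a public group that would remain.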

## Revoking a role {#revoke-role}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder hosting your disk placement group.
  1. Navigate to **Compute Cloud**.
  1. In the left-hand panel, select ![image](../../../_assets/compute/group-placement-pic.svg) **Placement groups**.
  1. On the **Non-replicated disk placement groups** tab, click the name of the group.
  1. Navigate to the ![image](../../../_assets/console-icons/persons.svg) **Access bindings** tab.
  1. In the line with the user in question, click ![image](../../../_assets/horizontal-ellipsis.svg) and select **Edit roles**.
  1. Next to the role, click ![image](../../../_assets/cross.svg).
  1. Click **Save**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command for revoking a role for a disk placement group:

     ```bash
     yc compute disk-placement-group remove-access-binding --help
     ```

  1. View the list of users and their roles for the resource:

     ```bash
     yc compute disk-placement-group list-access-bindings <placement_group_ID>
     ```

  1. To revoke access permissions, run this command:

     ```bash
     yc compute disk-placement-group remove-access-binding <placement_group_ID> \
       --role=<role> \
       --subject=<subject_type>:<subject_ID>
     ```

     Where:

     * `--role`: ID of the role you need to revoke.
     * `--subject`: Type and ID of the [subject](../../../iam/concepts/access-control/index.md#subject) you want to revoke the role from.

     For example, this command revokes the `viewer` role for the disk placement group from a user with the `ajel6l0jcb9s********` ID:

     ```bash
     yc compute disk-placement-group remove-access-binding my-disk-group \
       --role viewer \
       --subject userAccount:ajel6l0jcb9s********
     ```

- Terraform {#tf}

  With [Terraform](https://www.terraform.io/), you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
  
  Terraform is distributed under the [Business Source License](https://github.com/hashicorp/terraform/blob/main/LICENSE). The [Yandex Cloud provider for Terraform](https://github.com/yandex-cloud/terraform-provider-yandex) is distributed under the [MPL-2.0](https://www.mozilla.org/en-US/MPL/2.0/) license.
  
  For more information about the provider resources, see the relevant documentation on the [Terraform](https://www.terraform.io/docs/providers/yandex/index.html) website or [its mirror](../../../terraform/index.md).

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.
  
  To revoke a role assigned for a non-replicated disk placement group using Terraform:

  1. Open the Terraform configuration file and delete the fragment describing the role:

      ```hcl
      resource "yandex_compute_disk_placement_group_iam_binding" "sa-access" {
        disk_placement_group_id = "<placement_group_ID>"
        role                    = "<role>"
        members                 = ["<subject_type>:<subject_ID>"]
      }
      ```

  1. Apply the changes:

      1. In the terminal, navigate to the configuration file directory.
      1. Make sure the configuration is correct using this command:
      
         ```bash
         terraform validate
         ```
      
         If the configuration is valid, you will get this message:
      
         ```bash
         Success! The configuration is valid.
         ```
      
      1. Run this command:
      
         ```bash
         terraform plan
         ```
      
         You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
      1. Apply the configuration changes:
      
         ```bash
         terraform apply
         ```
      
      1. Type `yes` and press **Enter** to confirm the changes.

      You can check the updates using the [management console](https://console.yandex.cloud) or this [CLI](../../../cli/quickstart.md) command:

      ```bash
      yc compute disk-placement-group list-access-bindings <placement_group_ID>
      ```

- API {#api}

  To revoke a role, use the [updateAccessBindings](../../api-ref/DiskPlacementGroup/updateAccessBindings.md) REST API method for the [DiskPlacementGroup](../../api-ref/DiskPlacementGroup/index.md) resource or the [DiskPlacementGroupService/UpdateAccessBindings](../../api-ref/grpc/DiskPlacementGroup/updateAccessBindings.md) gRPC API call. In the request body, set the `action` property to `REMOVE` and specify the user type and ID under `subject`.

{% endlist %}
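
The `updateAccessBindings` method mentioned in the API tabs for assigning and revoking a role changes individual bindings instead of replacing the whole list. The Python code below is an added example, not part of the Yandex Cloud documentation: it diffs a current and a desired binding set into a request body with `ADD` and `REMOVE` actions. The `accessBindingDeltas`, `accessBinding` and `roleId` field names are assumptions not shown on this page, and all IDs are constructed.

```python
import json


def binding_deltas(current, desired):
    """Diff two sets of (role, subject_type, subject_id) into an update body."""
    def delta(action, binding):
        role, subject_type, subject_id = binding
        return {
            "action": action,
            "accessBinding": {  # assumed field names, see the lead-in
                "roleId": role,
                "subject": {"id": subject_id, "type": subject_type},
            },
        }

    current, desired = set(current), set(desired)
    # Bindings present in both sets produce no delta and stay untouched.
    adds = [delta("ADD", b) for b in sorted(desired - current)]
    removes = [delta("REMOVE", b) for b in sorted(current - desired)]
    return {"accessBindingDeltas": adds + removes}


# Constructed sample: swap one user's viewer role for a service account's editor role.
CURRENT = {
    ("editor", "userAccount", "user-aaa-constructed"),
    ("viewer", "userAccount", "user-bbb-constructed"),
}
DESIRED = {
    ("editor", "userAccount", "user-aaa-constructed"),
    ("editor", "serviceAccount", "sa-ccc-constructed"),
}

if __name__ == "__main__":
    print(json.dumps(binding_deltas(CURRENT, DESIRED), indent=2))
```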