[Yandex Cloud documentation](../../../index.md) > [Yandex Identity and Access Management](../../index.md) > [Concepts](../index.md) > [How access management works](index.md) > Access policies

# Access policies

{% note info %}

This feature is in the [Preview](../../../overview/concepts/launch-stages.md) stage. To get access, contact [tech support](https://center.yandex.cloud/support) or your account manager.

{% endnote %}

_Access policies_ are a Yandex Identity and Access Management mechanism that allows you to manage permissions for performing specific operations on [Yandex Cloud resources](../../../overview/roles-and-resources.md). Access policies complement the [role](roles.md) system for more flexible [access management](index.md).

Access policies for [resources](#resources) are created based on access policy [templates](#supported-policies).

## Relationships between access policies and roles {#policy-role-interrelation}

Access policies enforce explicit restrictions, unlike [roles](roles.md), which grant explicit permissions. The relationships between access policies and roles are as follows:

* To perform an operation, it must be allowed by a role and not prohibited by an access policy. Access permissions are checked in the following order:

    1. The system checks if the user is assigned a role required to perform the operation. If they have no such role, the operation is denied without any further checks.
    1. If the user has the required role, the system checks access policies for an explicit restriction to perform the operation and denies or allows the operation accordingly.
* Access policies do not replace roles, but add an extra layer of access control. Users still need relevant roles for operations, regardless of the access policies in place.
* To manage access policies, a user must have one of the following roles:
  
  * [`resource-manager.admin`](../../../resource-manager/security/index.md#resource-manager-admin) or [`admin`](../../roles-reference.md#admin) for the [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) or [cloud](../../../resource-manager/concepts/resources-hierarchy.md#cloud) to manage access policies at the folder or cloud level, respectively.
  * [`organization-manager.admin`](../../../organization/security/index.md#organization-manager-admin) or [`admin`](../../roles-reference.md#admin) for the [organization](../../../organization/concepts/organization.md) to manage access policies at the organization level.

## Resources that take access policies {#resources}

You can [create](../../operations/access-policies/assign.md) access policies for the following resources:

* [Organization](../../../organization/concepts/organization.md): Access policy applies to resources in all clouds and folders within an organization.
* [Cloud](../../../resource-manager/concepts/resources-hierarchy.md#cloud): Access policy applies to resources in all folders within a cloud.
* [Folder](../../../resource-manager/concepts/resources-hierarchy.md#folder): Access policy applies only to resources within a specific folder.

Access policies created at higher levels of the [Yandex Cloud resource](../../../resource-manager/concepts/resources-hierarchy.md) hierarchy are [inherited](../../../resource-manager/concepts/resources-hierarchy.md#access-rights-inheritance) by lower-level resources.

You can create several access policies for one resource at the same time.

## Access policy templates {#supported-policies}

Some access policy templates require you to specify parameters when assigned to a resource; others do not.

### Templates without parameters {#fixed}

The following access policy templates do not contain parameters and unconditionally restrict relevant actions:

* [backup.denyActivation](#backup-denyActivation)
* [backup.denyRemoveProtection](#backup-denyRemoveProtection)
* [iam.denyServiceAccountAccessKeysCreation](#iam-denyServiceAccountAccessKeysCreation)
* [iam.denyServiceAccountApiKeysCreation](#iam-denyServiceAccountApiKeysCreation)
* [iam.denyServiceAccountAuthorizedKeysCreation](#iam-denyServiceAccountAuthorizedKeysCreation)
* [iam.denyServiceAccountCreation](#iam-denyServiceAccountCreation)
* [iam.denyServiceAccountCredentialsCreation](#iam-denyServiceAccountCredentialsCreation)
* [iam.denyServiceAccountFederatedCredentialsCreation](#iam-denyServiceAccountFederatedCredentialsCreation)
* [iam.denyServiceAccountImpersonation](#iam-denyServiceAccountImpersonation)
* [organization.denyMemberInvitation](#organization-denyMemberInvitation)
* [organization.denyUserListing](#organization-denyUserListing)
* [resourceManager.denyCloudRemoval](#resourceManager-denyCloudRemoval)

#### backup.denyActivation {#backup-denyActivation}

This policy prohibits connecting [protected resources](../../../backup/concepts/index.md) to Yandex Cloud Backup, linking or unlinking them from [backup policies](../../../backup/concepts/policy.md).

#### backup.denyRemoveProtection {#backup-denyRemoveProtection}

This policy prohibits updating or deleting Yandex Cloud Backup [policies](../../../backup/concepts/policy.md), removing [resources](../../../backup/concepts/index.md) from such policies, and deleting any existing resource [backups](../../../backup/concepts/backup.md).

#### iam.denyServiceAccountAccessKeysCreation {#iam-denyServiceAccountAccessKeysCreation}

This policy prohibits creating [static access keys](../authorization/access-key.md) for service accounts.

#### iam.denyServiceAccountApiKeysCreation {#iam-denyServiceAccountApiKeysCreation}

This policy prohibits creating [API keys](../authorization/api-key.md) for service accounts.

#### iam.denyServiceAccountAuthorizedKeysCreation {#iam-denyServiceAccountAuthorizedKeysCreation}

This policy prohibits creating [authorized keys](../authorization/key.md) for service accounts.

#### iam.denyServiceAccountCreation {#iam-denyServiceAccountCreation}

This policy prohibits creating [service accounts](../users/service-accounts.md).

#### iam.denyServiceAccountCredentialsCreation {#iam-denyServiceAccountCredentialsCreation}

This policy prohibits the following:

* Creating any [credentials](../authorization/index.md) for service accounts (except [IAM tokens](../authorization/iam-token.md)).
* Associating service accounts with [workload identity federations](../workload-identity.md).

#### iam.denyServiceAccountFederatedCredentialsCreation {#iam-denyServiceAccountFederatedCredentialsCreation}

This policy prohibits associating service accounts with [workload identity federations](../workload-identity.md).

#### iam.denyServiceAccountImpersonation {#iam-denyServiceAccountImpersonation}

This policy prohibits [impersonation](impersonation.md).

#### organization.denyMemberInvitation {#organization-denyMemberInvitation}

This policy prohibits [inviting](../../../organization/operations/add-account.md#useraccount) new Yandex [account](../users/accounts.md#passport) users to the organization. The policy can be created only for an [organization](../../../organization/concepts/organization.md).

#### organization.denyUserListing {#organization-denyUserListing}

This policy prohibits viewing the list of [organization](../../../organization/concepts/organization.md) users. The policy can be created only for an organization.

#### resourceManager.denyCloudRemoval {#resourceManager-denyCloudRemoval}

This policy prohibits deleting [clouds](../../../resource-manager/concepts/resources-hierarchy.md#cloud) in Yandex Cloud:

* If the policy is created for an [organization](../../../organization/concepts/organization.md), the prohibition applies to all clouds in that organization.
* If the policy is created for a cloud, the prohibition only applies to that cloud.
* If the policy is created for a [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder), no prohibition applies.

### Templates with parameters {#customizable}

The following access policy templates allow their restrictions to be customized by parameters:

{% note tip %}

For more information on how to create access policies based on templates with parameters, see [Creating an access policy for a resource](../../operations/access-policies/assign.md#examples).

{% endnote %}

* [serverless.containers.restrictNetworkAccess](#serverless-containers-restrictNetworkAccess)
* [serverless.containers.restrictResourceVPCNetwork](#serverless-containers-restrictResourceVPCNetwork)
* [serverless.functions.restrictNetworkAccess](#serverless-functions-restrictNetworkAccess)
* [serverless.functions.restrictResourceVPCNetwork](#serverless-functions-restrictResourceVPCNetwork)
* [serverless.mcpGateways.restrictNetworkAccess](#serverless-mcpGateways-restrictNetworkAccess)
* [serverless.mcpGateways.restrictResourceVPCNetwork](#serverless-mcpGateways-restrictResourceVPCNetwork)
* [serverless.responses.restrictNetworkAccess](#serverless-responses-restrictNetworkAccess)
* [serverless.workflows.restrictNetworkAccess](#serverless-workflows-restrictNetworkAccess)
* [serverless.workflows.restrictResourceVPCNetwork](#serverless-workflows-restrictResourceVPCNetwork)

#### serverless.containers.restrictNetworkAccess {#serverless-containers-restrictNetworkAccess}

The policy prohibits calling and managing Yandex Serverless Containers [containers](../../../serverless-containers/concepts/container.md) from any addresses except explicitly specified IP addresses or Yandex Virtual Private Cloud [cloud networks](../../../vpc/concepts/network.md#network).

Customizable parameters (applied using the `OR` logic):

* `allowed_src_ips`: List of IP addresses or IP address ranges in [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation you can call and manage containers from.
* `allowed_vpc_network_ids`: List of IDs of cloud networks that allow calling and managing containers via the configured [service connection](../../../vpc/concepts/private-endpoint.md).

#### serverless.containers.restrictResourceVPCNetwork {#serverless-containers-restrictResourceVPCNetwork}

The policy prohibits binding any [cloud networks](../../../vpc/concepts/network.md#network) to Yandex Serverless Containers [containers](../../../serverless-containers/concepts/container.md) except the networks explicitly specified.

A customizable parameter:

* `allowed_vpc_network_ids`: List of IDs of cloud networks that can be bound to the containers.

#### serverless.functions.restrictNetworkAccess {#serverless-functions-restrictNetworkAccess}

The policy prohibits calling and managing Yandex Cloud Functions [functions](../../../functions/concepts/function.md) from any addresses except explicitly specified IP addresses or Yandex Virtual Private Cloud [cloud networks](../../../vpc/concepts/network.md#network).

Customizable parameters (applied using the `OR` logic):

* `allowed_src_ips`: List of IP addresses or IP address ranges in [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation you can call and manage functions from.
* `allowed_vpc_network_ids`: List of IDs of cloud networks that allow calling and managing functions via the configured [service connection](../../../vpc/concepts/private-endpoint.md).

#### serverless.functions.restrictResourceVPCNetwork {#serverless-functions-restrictResourceVPCNetwork}

The policy prohibits binding any [cloud networks](../../../vpc/concepts/network.md#network) to Yandex Cloud Functions [functions](../../../functions/concepts/function.md) except the networks explicitly specified.

A customizable parameter:

* `allowed_vpc_network_ids`: List of IDs of cloud networks that can be bound to the functions.

#### serverless.mcpGateways.restrictNetworkAccess {#serverless-mcpGateways-restrictNetworkAccess}

The policy prohibits calling and managing MCP Hub [MCP servers](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/mcp-hub/#servers) from any addresses except explicitly specified IP addresses or Yandex Virtual Private Cloud [cloud networks](../../../vpc/concepts/network.md#network).

Customizable parameters (applied using the `OR` logic):

* `allowed_src_ips`: List of IP addresses or IP address ranges in [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation you can call and manage MCP servers from.
* `allowed_vpc_network_ids`: List of IDs of cloud networks that allow calling and managing MCP servers via the configured [service connection](../../../vpc/concepts/private-endpoint.md).

#### serverless.mcpGateways.restrictResourceVPCNetwork {#serverless-mcpGateways-restrictResourceVPCNetwork}

The policy prohibits binding any [cloud networks](../../../vpc/concepts/network.md#network) to MCP Hub [MCP servers](https://aistudio.yandex.ru/docs/en/ai-studio/concepts/mcp-hub/#servers) except the networks explicitly specified.

A customizable parameter:

* `allowed_vpc_network_ids`: List of IDs of cloud networks that can be bound to the MCP servers.

#### serverless.responses.restrictNetworkAccess {#serverless-responses-restrictNetworkAccess}

The policy prohibits calling Yandex Cloud AI Studio [Responses API](https://aistudio.yandex.ru/docs/en/ai-studio/responses/) methods from any addresses except explicitly specified IP addresses or Yandex Virtual Private Cloud [cloud networks](../../../vpc/concepts/network.md#network).

Customizable parameters (applied using the `OR` logic):

* `allowed_src_ips`: List of IP addresses or IP address ranges in [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation you can call Responses API methods.
* `allowed_vpc_network_ids`: List of IDs of cloud networks that allow calling Responses API methods via the configured [service connection](../../../vpc/concepts/private-endpoint.md).

#### serverless.workflows.restrictNetworkAccess {#serverless-workflows-restrictNetworkAccess}

The policy prohibits executing Yandex Serverless Integrations [workflows](../../../serverless-integrations/concepts/workflows/workflow.md) from any addresses except explicitly specified IP addresses or Yandex Virtual Private Cloud [cloud networks](../../../vpc/concepts/network.md#network).

Customizable parameters (applied using the `OR` logic):

* `allowed_src_ips`: List of IP addresses or IP address ranges in [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation you can execute and manage workflows from.
* `allowed_vpc_network_ids`: List of IDs of cloud networks that allow executing and managing workflows via the configured [service connection](../../../vpc/concepts/private-endpoint.md).

#### serverless.workflows.restrictResourceVPCNetwork {#serverless-workflows-restrictResourceVPCNetwork}

The policy prohibits binding any [cloud networks](../../../vpc/concepts/network.md#network) to Yandex Serverless Integrations [workflows](../../../serverless-integrations/concepts/workflows/workflow.md) except the networks explicitly specified.

A customizable parameter:

* `allowed_vpc_network_ids`: List of IDs of cloud networks that can be bound to the workflows.

#### Useful links {#see-also}

* [Roles](roles.md)
* [Getting a list of supported access policy templates](../../operations/access-policies/list.md)
* [Creating an access policy for a resource](../../operations/access-policies/assign.md)
* [Viewing access policies created for a resource](../../operations/access-policies/view-assigned.md)
* [Deleting an access policy](../../operations/access-policies/revoke.md)