[Yandex Cloud documentation](../../../index.md) > [Yandex Identity and Access Management](../../index.md) > [Step-by-step guides](../index.md) > Access policies > Creating a policy for a resource

# Creating an access policy for a resource

{% note info %}

This feature is in the [Preview](../../../overview/concepts/launch-stages.md) stage. To get access, contact [tech support](https://center.yandex.cloud/support) or your account manager.

{% endnote %}

[Access policies](../../concepts/access-control/access-policies.md) are a Yandex Identity and Access Management mechanism that allows you to manage permissions for specific operations with [Yandex Cloud resources](../../../overview/roles-and-resources.md). Access policies are based on [templates](../../concepts/access-control/access-policies.md#supported-policies) and complement the [role](../../concepts/access-control/roles.md) system for more flexible [access management](../../concepts/access-control/index.md).

You can create an access policy for a [folder](#folder), [cloud](#cloud), or [organization](#organization).

{% note info %}

To manage access policies, a user must have one of the following roles:

* [`resource-manager.admin`](../../../resource-manager/security/index.md#resource-manager-admin) or [`admin`](../../roles-reference.md#admin) for the [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) or [cloud](../../../resource-manager/concepts/resources-hierarchy.md#cloud) to manage access policies at the folder or cloud level, respectively.
* [`organization-manager.admin`](../../../organization/security/index.md#organization-manager-admin) or [`admin`](../../roles-reference.md#admin) for the [organization](../../../organization/concepts/organization.md) to manage access policies at the organization level.

{% endnote %}

## Creating an access policy for a folder {#folder}

To create a [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) access policy from a [template without parameters](../../concepts/access-control/access-policies.md#fixed):

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  1. [Get](list.md) a list of supported access policy templates with their IDs.
  1. Run this command:

      ```bash
      yc resource-manager folder bind-access-policy \
        --name <folder_name> \
        --access-policy-template-id=<policy_template_ID>
      ```

      Where:

      * `--name`: Name of the folder to create the policy for. Instead of the folder name, you can provide its [ID](../../../resource-manager/operations/folder/get-id.md) in the `--id` parameter.
      * `--access-policy-template-id`: ID of the template to use as the basis for the new access policy for the folder.
  1. [Make sure](../../../resource-manager/operations/folder/manage-access-policies.md#view-assigned) the policy was created.

- API {#api}

  Use the [bindAccessPolicy](../../../resource-manager/api-ref/Folder/bindAccessPolicy.md) REST API method for the [Folder](../../../resource-manager/api-ref/Folder/index.md) resource or the [FolderService/BindAccessPolicy](../../../resource-manager/api-ref/grpc/Folder/bindAccessPolicy.md) gRPC API call.

{% endlist %}

The created access policy will apply to all resources in the specified folder.

## Creating an access policy for a cloud {#cloud}

To create an access policy for a [cloud](../../../resource-manager/concepts/resources-hierarchy.md#cloud) based on a [template without parameters](../../concepts/access-control/access-policies.md#fixed):

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  1. [Get](list.md) a list of supported access policy templates with their IDs.
  1. Run this command:

      ```bash
      yc resource-manager cloud bind-access-policy \
        --name <cloud_name> \
        --access-policy-template-id=<policy_template_ID>
      ```

      Where:

      * `--name`: Name of the cloud to create the policy for. Instead of the cloud name, you can provide its [ID](../../../resource-manager/operations/cloud/get-id.md) in the `--id` parameter.
      * `--access-policy-template-id`: ID of the template to use as the basis for the new access policy for the cloud.
  1. [Make sure](../../../resource-manager/operations/cloud/manage-access-policies.md#view-assigned) the policy was created.

- API {#api}

  Use the [bindAccessPolicy](../../../resource-manager/api-ref/Cloud/bindAccessPolicy.md) REST API method for the [Cloud](../../../resource-manager/api-ref/Cloud/index.md) resource or the [CloudService/BindAccessPolicy](../../../resource-manager/api-ref/grpc/Cloud/bindAccessPolicy.md) gRPC API call.

{% endlist %}

The new access policy will apply to resources within all folders in the specified cloud.

## Creating an access policy for an organization {#organization}

To create an access policy for an [organization](../../../organization/concepts/organization.md) based on a [template without parameters](../../concepts/access-control/access-policies.md#fixed):

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  1. [Get](list.md) a list of supported access policy templates with their IDs.
  1. Run this command:

      ```bash
      yc organization-manager organization bind-access-policy \
        --name <organization_name> \
        --access-policy-template-id=<policy_template_ID>
      ```

      Where:

      * `--name`: Name of the organization you want to create a policy for. Instead of the organization name, you can provide its [ID](../../../organization/operations/organization-get-id.md) in the `--id` parameter.
      * `--access-policy-template-id`: ID of the template you want to use as the basis for the new access policy for the organization.
  1. [Make sure](../../../organization/operations/manage-access-policies.md#view-assigned) the policy was created.

- API {#api}

  Use the [bindAccessPolicy](../../../organization/api-ref/Organization/bindAccessPolicy.md) REST API method for the [Organization](../../../organization/api-ref/Organization/index.md) resource or the [OrganizationService/BindAccessPolicy](../../../organization/api-ref/grpc/Organization/bindAccessPolicy.md) gRPC API call.

{% endlist %}

The new access policy will apply to resources within all clouds in the specified organization.

All access policy templates [without parameters](../../concepts/access-control/access-policies.md#fixed) are assigned for resources in the same way. For information on how to assign a policy template [with parameters](../../concepts/access-control/access-policies.md#customizable) for a resource, see [Examples](#examples).

## Examples {#examples}

### Creating an access policy for a folder based on the serverless.containers.restrictNetworkAccess template {#serverless-containers-restrictNetworkAccess}

The `serverless.containers.restrictNetworkAccess` [policy](../../concepts/access-control/access-policies.md#serverless-containers-restrictNetworkAccess) prohibits calling and managing Yandex Serverless Containers [containers](../../../serverless-containers/concepts/container.md) from any addresses except explicitly specified IP addresses or Yandex Virtual Private Cloud [cloud networks](../../../vpc/concepts/network.md#network).

To assign the `serverless.containers.restrictNetworkAccess` policy template for a folder:

{% list tabs group=instructions %}

- CLI {#cli}

  ```bash
  yc resource-manager folder bind-access-policy \
    --name my-folder \
    --access-policy-template-id=serverless.containers.restrictNetworkAccess \
    --parameters '"allowed_src_ips=[<IP_address_range_1>,<IP_address_range_2>,<IP_address_range_3>]","allowed_vpc_network_ids=[<network_1_ID>,<network_2_ID>,<network_3_ID>]"'
  ```

  Where:
  
  * `--parameters`: Access policy parameters:

      {% note alert %}

      Restrictions specified in parameters are applied using the `OR` logic. 

      {% endnote %}

      * `allowed_src_ips`: List of IP addresses or IP address ranges in [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation to allow calling and managing containers.

          If you do not want to list IP addresses or IP address ranges, provide an empty list in the parameter: `"allowed_src_ips=[]"`.
      * `allowed_vpc_network_ids`: List of IDs of [cloud networks](../../../vpc/concepts/network.md#network) that allow calling and managing containers via a configured [service connection](../../../vpc/concepts/private-endpoint.md).

          If you do not want to list cloud network IDs, provide an empty list in the parameter: `"allowed_vpc_network_ids=[]"`.

{% endlist %}


#### Useful links {#see-also}

* [Access policies](../../concepts/access-control/access-policies.md)
* [Getting a list of supported access policy templates](list.md)
* [Viewing access policies created for a resource](view-assigned.md)
* [Deleting an access policy](revoke.md)