
# Access control for user groups with different roles in Yandex Identity Hub

This guide describes an example solution of working with [user groups](../../organization/concepts/groups.md) to [control access](../concepts/access-control/index.md) to resources in a [Yandex Identity Hub organization](../../overview/roles-and-resources.md).

## Solution overview {#solution-overview}

![image](../../_assets/iam/organization-user-groups-access-tutorial.svg)

In this tutorial, you will create a test organization with two [clouds](../../resource-manager/concepts/resources-hierarchy.md#cloud), `production` and `testing`, together with the respective development environments. Three user groups created in the organization will use these clouds: a group of information security engineers (`security`), a group of DevOps engineers (`devops`), and a group of developers (`developers`).

To each user group, you will assign its own set of [roles](../concepts/access-control/roles.md) based on the tasks users in these groups perform. For example, information security engineers will have permissions to get information about all resources, set up collection and storage of any resource [audit logs](../../audit-trails/concepts/trail.md), and configure and scan [Docker images](../../container-registry/concepts/docker-image.md) in [registries](../../container-registry/concepts/registry.md) created in Yandex Container Registry. These permissions will apply to the entire organization.

Additionally, in the production environment, you will create a separate `security` [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) for the group of information security engineers. They will have administrator privileges in this folder to manage any of its resources and control access to them.

The group of DevOps engineers will have permissions to manage registries from Container Registry, Yandex Managed Service for Kubernetes [clusters](../../managed-kubernetes/concepts/index.md#kubernetes-cluster), managed database clusters, [VMs](../../compute/concepts/vm.md), and [Yandex Monitoring](../../monitoring/index.md) resources. They will also be able to manage Yandex Cloud Logging [log groups](../../logging/concepts/log-group.md) and access to them.

The group of developers will get the following access permissions:
* In the production environment, to download Docker images from registries in Container Registry, view information about Kubernetes clusters, connect to Compute Cloud VMs via [OS Login](../../organization/concepts/os-login.md), and view information about Monitoring resources and [metrics](../../monitoring/concepts/data-model.md#metric).
* In the testing environment, to download and upload Docker images to registries in Container Registry, manage Kubernetes clusters, connect to Compute Cloud VMs via [OS Login](../../organization/concepts/os-login.md) as superusers, and manage Monitoring resources.

To configure access control for the organization's resources with the help of user groups:

1. [Prepare Yandex Cloud](#before-begin).
1. [Create an organization](#create-organization).
1. [Create clouds](#create-clouds).
1. [Create a folder for the group of information security engineers](#create-folder).
1. [Create user groups](#create-user-groups).
1. [Configure access permissions](#setup-access-permissions).
1. [Add users and split them into groups](#add-users).
1. [Create a production infrastructure](#move-on).

If you no longer need the test organization you created, [delete](#clear-out) it.

## Prepare Yandex Cloud {#before-begin}

Sign up for Yandex Cloud and create a [billing account](../../billing/concepts/billing-account.md):

1. Go to the [management console](https://console.yandex.cloud) and log in to Yandex Cloud or create a new account.
1. On the [**Yandex Cloud Billing**](https://center.yandex.cloud/billing/accounts) page, make sure you have a billing account linked and its [status](../../billing/concepts/billing-account-statuses.md) is `ACTIVE` or `TRIAL_ACTIVE`. If you do not have a billing account yet, [create one](../../billing/quickstart/index.md).

## Create an organization {#create-organization}

[_Organization_](../../overview/roles-and-resources.md) is a workspace that combines different types of Yandex Cloud resources and users. Any Yandex user can create an organization in Yandex Identity Hub.

To create an organization, follow these steps:

1. [Go](https://center.yandex.cloud/organization) to Yandex Identity Hub.

    Your next steps depend on whether you are already a member of an existing Yandex Identity Hub organization.
1. Create an organization:

    {% list tabs %}

    - If you are not a member of any organization

      If you are currently not a member of any Yandex Identity Hub, when you open the link, you will see a form for creating a new organization:

      1. Enter your organization name, e.g., `Example organization`.
      1. Click **Create a new organization**.

    - If you are a member of an organization

      If you are currently a member of a Yandex Identity Hub, when you open the link, you will see the [Yandex Identity Hub](https://center.yandex.cloud/organization) interface in Cloud Center.

      To complete this guide, let’s create a new organization so as not to interfere with the existing organizations’ infrastructure:

      1. In the top-left corner, next to the current organization name, click ![chevron-down](../../_assets/console-icons/chevron-down.svg) and select ![circle-plus](../../_assets/console-icons/circle-plus.svg) **Create organization**.
      1. In the window that opens, enter a name for the organization: `Example organization`.
      1. Click **Create a new organization**.

    {% endlist %}

Once the organization is created, you become its [owner](../../organization/security/index.md#organization-manager-organizations-owner) and can manage its settings.

## Create clouds {#create-clouds}

In your new organization, create two [clouds](../../resource-manager/concepts/resources-hierarchy.md#cloud), `testing` and `production`, to host the infrastructure of the independent testing and production environments.

1. Create two clouds in your `Example organization`:

    {% list tabs group=instructions %}

    - Management console {#console}

      1. Go to the [management console](https://console.yandex.cloud) and click your account picture in the left-hand panel.
      1. Select `Example organization`. This opens a window with the form for creating your first cloud:

          1. Make sure you selected `Example organization` in the **Organization** field.
          1. In the **Cloud name** field, specify `testing`.
          1. Click **Create**.

          As a result, `Example organization` will have its first cloud named `testing`, and the browser will open the `default` folder created in this new cloud.
      1. On the left side of the screen, in the line with `Example organization`, click ![ellipsis](../../_assets/console-icons/ellipsis.svg) and select ![plus](../../_assets/console-icons/plus.svg) **Create cloud**. In the window that opens:

          1. In the **Name** field, specify `production`.
          1. Click **Create**.

          This will create the second cloud named `production` in your `Example organization`.

    {% endlist %}

1. Make sure the clouds are linked to a [billing account](../../billing/concepts/billing-account.md):

    {% list tabs group=instructions %}

    - Cloud Center UI {#cloud-center}

      1. Go to [**Yandex Cloud Billing**](https://center.yandex.cloud/billing/accounts).
      1. Select your billing account.
      1. Make sure you can see both clouds, `production` and `testing`, under **Linked clouds and services** on the account information page.
      1. If either of the clouds is missing, link them:

          1. Under **Linked clouds and services**, click ![link](../../_assets/console-icons/link.svg) **Link cloud**.
          1. In the window that opens, select the cloud to link and click **Bind**.

    {% endlist %}

## Create a folder for the group of information security engineers {#create-folder}

Create a separate folder named `security` for the group of information security engineers in the `production` cloud.

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the `production` cloud from the list of organizations, clouds, and folders on the left of the screen.
  1. In the line with the `production` cloud name, click ![ellipsis](../../_assets/console-icons/ellipsis.svg) and select ![plus](../../_assets/console-icons/plus.svg) **Create folder**. In the window that opens:

      1. In the **Name** field, enter the folder name: `security`.
      1. Optionally, in the **Description** field, enter a description for the new folder.
      1. In the **Advanced** field, disable **Create a default network**. You will be able to create a [cloud network](../../vpc/operations/network-create.md) with the parameters you need later, at any point when creating the infrastructure.
      1. Click **Create**. 

{% endlist %}

## Create user groups {#create-user-groups}

Create three [user groups](../../organization/concepts/groups.md): `security` for information security engineers, `devops` for DevOps engineers, and `developers` for developers.

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

  1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
  1. In the left-hand panel, select ![groups](../../_assets/console-icons/persons.svg) **Groups**.
  1. In the top-right corner, click ![Circles3Plus](../../_assets/console-icons/circles-3-plus.svg) **Create group** and in the window that opens:

      1. Enter a name for the group: `security`.
      1. Optionally, enter the group description.
      1. Click **Create group**.
  1. Similarly, create the other two user groups, `devops` and `developers`.

{% endlist %}

## Configure access permissions {#setup-access-permissions}

In this tutorial, you will assign multiple [roles](../concepts/access-control/roles.md) to the user groups based on the activity profiles of the employees in these groups.

{% note info %}

All users in a user group will automatically [inherit](../../resource-manager/concepts/resources-hierarchy.md#access-rights-inheritance) the roles assigned to the group. Moreover, you can assign roles to each user individually, even if they belong to a user group.

{% endnote %}

### Assign roles to the group of information security engineers {#assign-security-roles}

Users from the group of information security engineers (`security`) will need permissions to do the following:

* Get information about all resources in all organization clouds (`auditor` [role](../roles-reference.md#auditor) for the organization).
* Configure collection and storage of [audit logs](../../audit-trails/concepts/trail.md) for all resources in all the organization’s clouds (`audit-trails.admin` [role](../../audit-trails/security/index.md#at-admin) for the organization).
* Configure and scan [Docker images](../../container-registry/concepts/docker-image.md) in the Yandex Container Registry [registries](../../container-registry/concepts/registry.md) of all the organization’s clouds (`container-registry.images.scanner` [role](../../container-registry/security/index.md#container-registry-images-scanner) for the organization).
* Manage all resources and access to them in the dedicated `security` folder of the `production` cloud (`admin` [role](../roles-reference.md#admin) for the folder).

To grant the required access permissions to the `security` user group:

1. Assign roles for an organization:

    {% list tabs group=instructions %}

    - Cloud Center UI {#cloud-center}

      1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization) using an administrator or organization owner account.
      1. In the left-hand panel, select ![persons-lock](../../_assets/console-icons/persons-lock.svg) **Access bindings**.
      1. At the top right, click **Assign roles**.
      1. Go to the **Groups** tab and select the `security` [group](../../organization/concepts/groups.md).
      1. Click ![plus](../../_assets/console-icons/plus.svg) **Add role**, enter and select the `auditor` [role](../concepts/access-control/roles.md) in the search bar.
      1. Repeat the previous step to add the `audit-trails.admin` and `container-registry.images.scanner` roles.
      1. Click **Save**.

    {% endlist %}

1. Assign the `admin` role for the `security` folder:

    {% list tabs group=instructions %}

    - Management console {#console}

      1. In the [management console](https://console.yandex.cloud), select the `security` folder in the `production` cloud.
      1. At the top of the screen, go to the **Access bindings** tab and click **Configure access**. In the window that opens:

          1. Go to the **Groups** tab and select the `security` group.
          1. Click ![plus](../../_assets/console-icons/plus.svg) **Add role**, enter and select the `admin` role in the search bar.
          1. Click **Save**.

    {% endlist %}

### Assign roles to the group of DevOps engineers {#assign-devops-roles}

Users from the group of DevOps engineers (`devops`) will need to be able to do the following in both clouds:

* Manage registries in Container Registry (`container-registry.editor` [role](../../container-registry/security/index.md#container-registry.editor) for both clouds).
* Manage Yandex Managed Service for Kubernetes [clusters](../../managed-kubernetes/concepts/index.md#kubernetes-cluster) (`k8s.editor` [role](../../managed-kubernetes/security/index.md#k8s-editor) for both clouds).
* Manage database clusters (`mdb.admin` [role](../roles-reference.md#mdb-admin) for both clouds).
* Manage Yandex Compute Cloud [VMs](../../compute/concepts/vm.md) (`compute.editor` [role](../../compute/security/index.md#compute-editor) for both clouds).
* Manage [Yandex Monitoring](../../monitoring/index.md) resources (`monitoring.admin` [role](../../monitoring/security/index.md#monitoring-admin) for both clouds).
* Manage Yandex Cloud Logging [log groups](../../logging/concepts/log-group.md) and access to them (`logging.admin` [role](../../logging/security/index.md#logging-admin) for both clouds).

Assign roles for the clouds to the `devops` user group:

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the `production` cloud.
  1. At the top of the screen, go to the **Access bindings** tab and click **Configure access**. In the window that opens:

      1. Go to the **Groups** tab and select the `devops` group.
      1. Click ![plus](../../_assets/console-icons/plus.svg) **Add role**, find and select the `container-registry.editor`, `k8s.editor`, `mdb.admin`, `compute.editor`, `monitoring.admin`, and `logging.admin` roles.
      1. Click **Save**.
  1. In the same way, assign the same roles for the `testing` cloud to the `devops` user group.

{% endlist %}

### Assign roles to the group of developers {#assign-developer-roles}

Users from the group of developers (`developers`) will need permissions to do the following:

* Download Docker images from registries in Container Registry in the production environment (`container-registry.images.puller` [role](../../container-registry/security/index.md#container-registry-images-puller) for the `production` cloud).
* Download and upload Docker images to registries in Container Registry in the testing environment (`container-registry.images.pusher` [role](../../container-registry/security/index.md#container-registry-images-pusher) for the `testing` cloud).
* View information about Kubernetes clusters in the production environment (`k8s.viewer` [role](../../managed-kubernetes/security/index.md#k8s-viewer) for the `production` cloud).
* Manage Kubernetes clusters in the testing environment (`k8s.editor` [role](../../managed-kubernetes/security/index.md#k8s-editor) and `k8s.cluster-api.editor` [role](../../managed-kubernetes/security/index.md#k8s-cluster-api-editor) for the `testing` cloud).
* Connect to Compute Cloud VMs via [OS Login](../../organization/concepts/os-login.md) in the production environment (`compute.osLogin` [role](../../compute/security/index.md#compute-oslogin), `resource-manager.auditor` [role](../../resource-manager/security/index.md#resource-manager-auditor) or higher for the `production` cloud).
* Connect to Compute Cloud VMs via OS Login as a superuser in the testing environment (`compute.osAdminLogin` [role](../../compute/security/index.md#compute-osadminlogin), `resource-manager.auditor` [role](../../resource-manager/security/index.md#resource-manager-auditor) or higher for the `testing` cloud).
* View information about Monitoring resources and [metrics](../../monitoring/concepts/data-model.md#metric) in the production environment (`monitoring.viewer` [role](../../monitoring/security/index.md#monitoring-viewer) for the `production` cloud).
* Manage Monitoring resources in the testing environment (`monitoring.editor` [role](../../monitoring/security/index.md#monitoring-editor) for the `testing` cloud).

Assign roles for the clouds to the `developers` user group:

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the `production` cloud.
  1. At the top of the screen, go to the **Access bindings** tab and click **Configure access**. In the window that opens:

      1. Go to the **Groups** tab and select the `developers` group.
      1. Click ![plus](../../_assets/console-icons/plus.svg) **Add role**, find and select the `container-registry.images.puller`, `k8s.viewer`, `compute.osLogin`, `monitoring.viewer`, and `resource-manager.auditor` roles.
      1. Click **Save**.
  1. In the same way, assign the `container-registry.images.pusher`, `k8s.editor`, `k8s.cluster-api.editor`, `compute.osAdminLogin`, `monitoring.editor`, and `resource-manager.auditor` roles for the `testing` cloud to the `developers` user group.

{% endlist %}
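The same access model (three groups, organization-level roles for `security`, the `security` folder with its `admin` binding, and the per-cloud roles for `devops` and `developers`) can be kept as code so that it is reviewable and reproducible. The following Terraform configuration is an added example and is not part of this tutorial; it assumes the `Example organization` and the `production` and `testing` clouds already exist and that their IDs are passed in as the variables `organization_id`, `production_cloud_id`, and `testing_cloud_id`. The group and role names are the ones used above; the `yandex_*_iam_member` resources are used instead of `yandex_*_iam_binding` because a member resource adds one subject to a role without replacing the subjects that already hold it.

```hcl
# Added example: the tutorial's group/role model as Terraform (not the tutorial's own code).
# Assumed inputs: IDs of an existing organization and of the `production` and `testing` clouds.

terraform {
  required_providers {
    yandex = { source = "yandex-cloud/yandex" }
  }
}

provider "yandex" {}

variable "organization_id"     { type = string } # assumption: ID of `Example organization`
variable "production_cloud_id" { type = string } # assumption: ID of the `production` cloud
variable "testing_cloud_id"    { type = string } # assumption: ID of the `testing` cloud

locals {
  clouds = {
    production = var.production_cloud_id
    testing    = var.testing_cloud_id
  }

  # security group: read/audit roles bound at organization level
  security_org_roles = toset(["auditor", "audit-trails.admin", "container-registry.images.scanner"])

  # devops group: identical editor roles in both clouds
  devops_roles = toset(["container-registry.editor", "k8s.editor", "mdb.admin",
                        "compute.editor", "monitoring.admin", "logging.admin"])

  # developers group: read-mostly in production, broader in testing
  developer_roles = {
    production = ["container-registry.images.puller", "k8s.viewer", "compute.osLogin",
                  "monitoring.viewer", "resource-manager.auditor"]
    testing    = ["container-registry.images.pusher", "k8s.editor", "k8s.cluster-api.editor",
                  "compute.osAdminLogin", "monitoring.editor", "resource-manager.auditor"]
  }

  # Flatten cloud x role pairs into for_each maps keyed "<cloud>/<role>".
  devops_bindings = { for p in setproduct(keys(local.clouds), local.devops_roles) :
                      "${p[0]}/${p[1]}" => { cloud = p[0], role = p[1] } }
  developer_bindings = { for p in flatten([for env, roles in local.developer_roles :
                         [for r in roles : { cloud = env, role = r }]]) : "${p.cloud}/${p.role}" => p }
}

resource "yandex_organizationmanager_group" "groups" {
  for_each        = toset(["security", "devops", "developers"])
  name            = each.key
  organization_id = var.organization_id
}

# Dedicated folder for the information security engineers in the production cloud.
resource "yandex_resourcemanager_folder" "security" {
  name     = "security"
  cloud_id = var.production_cloud_id
}

# security: organization-wide roles (apply to every cloud in the organization)
resource "yandex_organizationmanager_organization_iam_member" "security_org" {
  for_each        = local.security_org_roles
  organization_id = var.organization_id
  role            = each.key
  member          = "group:${yandex_organizationmanager_group.groups["security"].id}"
}

# security: admin only inside its own folder, not on the whole production cloud
resource "yandex_resourcemanager_folder_iam_member" "security_folder_admin" {
  folder_id = yandex_resourcemanager_folder.security.id
  role      = "admin"
  member    = "group:${yandex_organizationmanager_group.groups["security"].id}"
}

# devops: same roles in production and testing
resource "yandex_resourcemanager_cloud_iam_member" "devops" {
  for_each = local.devops_bindings
  cloud_id = local.clouds[each.value.cloud]
  role     = each.value.role
  member   = "group:${yandex_organizationmanager_group.groups["devops"].id}"
}

# developers: environment-specific roles
resource "yandex_resourcemanager_cloud_iam_member" "developers" {
  for_each = local.developer_bindings
  cloud_id = local.clouds[each.value.cloud]
  role     = each.value.role
  member   = "group:${yandex_organizationmanager_group.groups["developers"].id}"
}
```

Run `terraform plan` first and review it as you would a permission change request: every planned `*_iam_member` resource should map to exactly one line in the role lists above, and nothing should touch a cloud or folder outside the two clouds named here. After `terraform apply`, the effective bindings on a cloud can be compared against the plan with `yc resource-manager cloud list-access-bindings --name production`; group subjects appear there with the `group:` prefix, the same form used in the `member` arguments above.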

## Add users and split them into groups {#add-users}

To enable your employees to use Yandex Cloud resources, add them to the Yandex Identity Hub organization you created. Then distribute the employees among the previously created user groups.

1. Invite users to an organization:

    {% list tabs group=instructions %}

    - Cloud Center UI {#cloud-center}

      1. Go to [Yandex Identity Hub](https://center.yandex.cloud/organization).
      1. In the left-hand panel, select ![icon-users](../../_assets/console-icons/person.svg) **Users**.
      1. In the top-right corner, click **Invite users with a Yandex account**.
      1. Enter the email addresses of the users you want to invite to the organization, separated by commas.

          You can send invitations to any email address. Invited users will be able to select the appropriate Yandex account once they accept the invitation.
      1. Click **Send invitation**.

    {% endlist %}

    Once the users accept the invitation by clicking the invitation link in the email, they will become [organization members](../../organization/concepts/membership.md) and will be listed in the [**Users** section](https://center.yandex.cloud/organization/users) in your organization.

    {% note info %}

    To access the services enabled for the organization, the users you invited simply need to log in to their Yandex account.

    {% endnote %}

1. Distribute users you added among the previously created groups:

    {% list tabs group=instructions %}

    - Cloud Center UI {#cloud-center}

      1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
      1. In the left-hand panel, select ![groups](../../_assets/console-icons/persons.svg) **Groups** and click the row with the name of the [group](../../organization/concepts/groups.md) you need.
      1. Navigate to the **Members** tab.
      1. Click **Add member**. In the window that opens:

          1. Select the users. Use search, if required.
          1. Click **Save**.

    {% endlist %}

    Distribute all users among the previously created groups based on their tasks.

    {% note info %}

    A user may belong to multiple groups at the same time.

    {% endnote %}

## Create a production infrastructure {#move-on}

You have configured basic access permissions in your test organization. Now you can create different resources in your organization clouds: [VMs](../../compute/operations/vm-create/create-linux-vm.md), Yandex Managed Service for Kubernetes [clusters](../../managed-kubernetes/quickstart.md#kubernetes-cluster-create), Yandex Container Registry [registries](../../container-registry/operations/registry/registry-create.md), KMS [encryption keys](../../kms/operations/key.md#create), Lockbox [secrets](../../lockbox/operations/secret-create.md), etc.

{% note warning %}

Note that VMs, clusters, registries, keys, secrets, and many other resources created in folders are charged. You can learn more about the cost of cloud resources in the [respective service pricing reference](../../billing/pricing.md#billable).

{% endnote %}

Access permissions to the created resources will be granted to users based on the access permissions settings of the relevant user group.

We recommend managing your infrastructure under [service accounts](../concepts/users/service-accounts.md) which you can use to authenticate applications. Service accounts are created in folders. You can also add service accounts to user groups.

If you need to, you can assign additional roles to individual users or service accounts for an entire organization or individual clouds, folders, or resources [at any time](../operations/roles/grant.md).

## How to delete the resources you created {#clear-out}

If you no longer need the created test organization, [delete](../../organization/operations/delete-org.md) it.

You do not have to pay for organizations, clouds, folders, and users. However, you may be charged for other resources created within folders.

In addition to that, the infrastructure you create in this tutorial consumes [quotas](../../billing/concepts/limits.md) in Yandex Cloud Billing and some other services. Therefore, we recommend deleting an organization you do not use.

You can also separately delete [clouds](../../resource-manager/operations/cloud/delete.md), [folders](../../resource-manager/operations/folder/delete.md), [user groups](../../organization/operations/delete-group.md), or [service accounts](../operations/sa/delete.md) from an organization.

#### See also {#see-also}

* Yandex Audit Trails:
    * [Creating a trail to upload audit logs](../../audit-trails/operations/create-trail.md)
* Yandex Cloud Billing:
    * [Creating a billing account](../../billing/operations/create-new-account.md)
    * [Assigning access permissions for a billing account](../../billing/security/index.md#set-role)
* Yandex Cloud Logging:
    * [Creating a log group](../../logging/operations/create-group.md)
    * [Assigning access permissions for a log group](../../logging/operations/access-rights.md)
* Yandex Identity Hub:
    * [How to work with Yandex Identity Hub](../../organization/operations/index.md)
* Yandex Compute Cloud:
    * [Creating a VM](../../compute/operations/index.md#vm-create)
    * [Assigning access permissions for a VM](../../logging/operations/access-rights.md)
* Yandex Container Registry:
    * [Creating a registry](../../container-registry/operations/registry/registry-create.md)
    * [Assigning access permissions for a registry](../../container-registry/operations/roles/grant.md)
* Yandex Identity and Access Management:
    * [Creating a service account](../operations/sa/create.md)
    * [Assigning service account access permissions](../operations/sa/set-access-bindings.md)
* Yandex Key Management Service:
    * [Creating a symmetric encryption key](../../kms/operations/key.md#create)
    * [Configuring access permissions for a symmetric encryption key](../../kms/operations/key-access.md)
* Yandex Lockbox:
    * [Creating a secret](../../lockbox/operations/secret-create.md)
    * [Assigning access permissions for a secret](../../lockbox/operations/secret-access.md)
* Yandex Managed Service for Kubernetes:
    * [Creating a Managed Service for Kubernetes cluster](../../managed-kubernetes/operations/kubernetes-cluster/kubernetes-cluster-create.md)
* Yandex Managed Service for PostgreSQL:
    * [Creating a PostgreSQL cluster](../../managed-postgresql/operations/cluster-create.md)
* Yandex Monitoring:
    * [Creating and managing a dashboard in Monitoring](../../monitoring/operations/dashboard/create.md)