[Yandex Cloud documentation](../../index.md) > [Yandex MPP Analytics for PostgreSQL](../index.md) > [Step-by-step guides](index.md) > Clusters > Managing cluster access

# Managing access to a Yandex MPP Analytics for PostgreSQL cluster

You can assign a user or service account a [role](../security/index.md) that grants access to a specific [cluster](../concepts/index.md).

Thus, you can granularly assign different roles for particular clusters to different users and service accounts.


## Getting a list of roles assigned for a cluster {#list-access-bindings}

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. To get a list of clusters in the default [folder](../../resource-manager/concepts/resources-hierarchy.md#folder), run this command:

      ```bash
      yc managed-greenplum cluster list
      ```

  1. To get a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-greenplum cluster list-access-bindings <cluster_name_or_ID>
      ```

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.ListAccessBindings](../api-ref/Cluster/listAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request GET \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-greenplum/v1/clusters/<cluster_ID>:listAccessBindings'
      ```

  1. View the [server response](../api-ref/Cluster/listAccessBindings.md#yandex.cloud.access.ListAccessBindingsResponse) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.ListAccessBindings](../api-ref/grpc/Cluster/listAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/greenplum/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>"
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.greenplum.v1.ClusterService.ListAccessBindings
      ```

  1. Check the [server response](../api-ref/grpc/Cluster/listAccessBindings.md#yandex.cloud.access.ListAccessBindingsResponse) to make sure your request was successful.

{% endlist %}


## Assigning a role {#add-access-binding}

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. View the description of the CLI command for assigning a role for a cluster:

      ```bash
      yc managed-greenplum cluster add-access-binding --help
      ```

  1. Use this command to assign a role:

      ```bash
      yc managed-greenplum cluster add-access-binding <cluster_name_or_ID> \
        --role <role> \
        --subject <subject_type>:<subject_ID>
      ```

      Where:

      * `--role`: [Role](../security/index.md#roles-list), e.g., `managed-greenplum.editor`.
      * `--subject`: Type and ID of the [subject](../../iam/concepts/access-control/index.md#subject) you are assigning the role to, in `<subject_type>:<subject_ID>` format.

          Here is an example:

          * `serviceAccount:aje6p030************`
          * `userAccount:aje8tj79************`
          * `system:allAuthenticatedUsers`

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. To view a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-greenplum cluster list-access-bindings <cluster_name_or_ID>
      ```

- Terraform {#tf}

  1. Open the current configuration file with the Yandex MPP Analytics for PostgreSQL cluster description.
  
      To learn how to create this file, see [Creating a cluster Yandex MPP Analytics for PostgreSQL](cluster-create.md).
  
  1. Add a resource description:
    
      ```hcl
      resource "yandex_mdb_greenplum_cluster_iam_binding" "<local_resource_name>" {
        cluster_id = "<cluster_ID>"
        role       = "<role>"
        members    = ["<subject_type>:<subject_ID>"]
      }
      ```

      Where:

      * `cluster_id`: Cluster ID.
      * `role`: [Role](../security/index.md#roles-list), e.g., `managed-greenplum.editor`.
      * `members`: Array of types and IDs of [subjects](../../iam/concepts/access-control/index.md#subject) the role is assigned to in `<subject_type>:<subject_ID>` format.

        Here is an example:

        * `serviceAccount:${yandex_iam_service_account.mgp_sa.id}`
        * `userAccount:ajerq94vab34********`
        * `system:allAuthenticatedUsers`

        The possible subject types include:
        
        * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
        * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
        * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
        * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
        
            The possible values of a subject ID are as follows:
        
            * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
            * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
            * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
            * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
        
        To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Make sure the configuration files are correct.

      1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
      1. Run this command:
      
         ```bash
         terraform validate
         ```
      
         Terraform will show any errors found in your configuration files.

  1. Confirm updating the resources.

      1. Run this command to view the planned changes:
      
         ```bash
         terraform plan
         ```
      
         If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
      
      1. If everything looks correct, apply the changes:
         1. Run this command:
      
            ```bash
            terraform apply
            ```
      
         1. Confirm updating the resources.
         1. Wait for the operation to complete.
      
      For more information, see [this Terraform provider guide](../../terraform/resources/mdb_greenplum_cluster_iam_binding.md).

  1. To view a list of roles assigned for the cluster, run this [CLI](../../cli/index.md) command:
    
      ```bash
      yc managed-greenplum cluster list-access-bindings <cluster_name_or_ID>
      ```

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.UpdateAccessBindings](../api-ref/Cluster/updateAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request PATCH \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-greenplum/v1/clusters/<cluster_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "ADD",
                      "access_binding": {
                        "role_id": "<role>",
                        "subject": {
                          "id": "<subject_ID>",
                          "type": "<subject_type>"
                        }
                      }
                    }
                  ]
                }'
      ```

      Where:

      * `access_binding_deltas.roleId`: [Role](../security/index.md#roles-list), e.g., `managed-greenplum.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.UpdateAccessBindings](../api-ref/grpc/Cluster/updateAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/greenplum/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "access_binding_deltas": [
                {
                  "action": "ADD",
                  "access_binding": {
                    "role_id": "<role>",
                    "subject": {
                      "id": "<subject_ID>",
                      "type": "<subject_type>"
                    }
                  }
                }
              ]
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.greenplum.v1.ClusterService.UpdateAccessBindings
      ```

      Where:

      * `resource_id`: Cluster ID.
      * `access_binding_deltas.roleId`: [Role](../security/index.md#roles-list), e.g., `managed-greenplum.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/grpc/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.


{% endlist %}

## Assigning multiple roles {#set-access-bindings}

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  {% note alert %}

  The `set-access-bindings` command deletes all roles assigned for the cluster and assigns new ones.

  {% endnote %}

  1. To view a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-greenplum cluster list-access-bindings <cluster_name_or_ID>
      ```

  1. View the description of the CLI command for assigning roles for a cluster:

      ```bash
      yc managed-greenplum cluster set-access-bindings --help
      ```

  1. To assign roles, run this command:

      ```bash
      yc managed-greenplum cluster set-access-bindings <cluster_name_or_ID> \
        --access-binding role=<role>,subject=<subject_type>:<subject_1_ID> \
        --access-binding role=<role>,subject=<subject_type>:<subject_2_ID>
      ```

      Where `--access-binding` assigns a role to a subject. You can assign multiple roles at once by describing each of them in a separate `--access-binding` parameter.

      * `role`: [Role](../security/index.md#roles-list), e.g., `managed-greenplum.editor`.
      * `subject`: Type and ID of the [subject](../../iam/concepts/access-control/index.md#subject) you are assigning the role to, in `<subject_type>:<subject_ID>` format.

          Here is an example:

          * `serviceAccount:aje6p030************`
          * `userAccount:aje8tj79************`
          * `system:allAuthenticatedUsers`

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

- Terraform {#tf}

  1. Open the current Terraform configuration file with the infrastructure plan.
  
      To learn how to create this file, see [Creating a cluster](cluster-create.md).

  1. Add resource descriptions:
    
      ```hcl
      resource "yandex_mdb_greenplum_cluster_iam_binding" "<resource_1_local_name>" {
        cluster_id = "<cluster_ID>"
        role       = "<role_1>"
        members    = ["<subject_type>:<subject_ID>"]
      }

      resource "yandex_mdb_greenplum_cluster_iam_binding" "<resource_2_local_name>" {
        cluster_id = "<cluster_ID>"
        role       = "<role_2>"
        members    = ["<subject_type>:<subject_ID>"]
      }
      ```

      Where:

      * `cluster_id`: Cluster ID.
      * `role`: [Role](../security/index.md#roles-list), e.g., `managed-greenplum.editor`.
      * `members`: Array of types and IDs of [subjects](../../iam/concepts/access-control/index.md#subject) the role is assigned to in `<subject_type>:<subject_ID>` format.

        Here is an example:

        * `serviceAccount:${yandex_iam_service_account.mgp_sa.id}`
        * `userAccount:ajerq94vab34********`
        * `system:allAuthenticatedUsers`

        The possible subject types include:
        
        * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
        * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
        * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
        * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
        
            The possible values of a subject ID are as follows:
        
            * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
            * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
            * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
            * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
        
        To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Make sure the configuration files are correct.

      1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
      1. Run this command:
      
         ```bash
         terraform validate
         ```
      
         Terraform will show any errors found in your configuration files.

  1. Confirm updating the resources.

      1. Run this command to view the planned changes:
      
         ```bash
         terraform plan
         ```
      
         If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
      
      1. If everything looks correct, apply the changes:
         1. Run this command:
      
            ```bash
            terraform apply
            ```
      
         1. Confirm updating the resources.
         1. Wait for the operation to complete.
      
      For more information, see [this Terraform provider guide](../../terraform/resources/mdb_greenplum_cluster_iam_binding.md).

  1. To view a list of roles assigned for the cluster, run this [CLI](../../cli/index.md) command:
    
      ```bash
      yc managed-greenplum cluster list-access-bindings <cluster_name_or_ID>
      ```

- REST API {#api}

  {% note alert %}

  The `setAccessBindings` method overwrites access permissions for the resource. All roles previously assigned for this resource will be deleted.

  {% endnote %}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.SetAccessBindings](../api-ref/Cluster/setAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request POST \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-greenplum/v1/clusters/<cluster_ID>:setAccessBindings' \
        --data '{
                  "accessBindings": [
                    {
                      "roleId": "<role>",
                      "subject": {
                        "id": "<subject_1_ID>",
                        "type": "<subject_type>"
                      }
                    },
                    {
                      "roleId": "<role>",
                      "subject": {
                        "id": "<subject_2_ID>",
                        "type": "<subject_type>"
                      }
                    },
                    ...
                    {
                      "roleId": "<role>",
                      "subject": {
                        "id": "<subject_N_ID>",
                        "type": "<subject_type>"
                      }
                    }
                  ]
                }'
      ```

      Where:

      * `accessBindings.roleId`: [Role](../security/index.md#roles-list), e.g., `managed-greenplum.editor`.
      * `accessBindings.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `accessBindings.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/Cluster/setAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

  {% note alert %}

  The `ClusterService.SetAccessBindings` method completely overwrites access permissions for the resource. All roles previously assigned for this resource will be deleted.

  {% endnote %}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.SetAccessBindings](../api-ref/grpc/Cluster/setAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/greenplum/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "accessBindings": [
                {
                  "roleId": "<role>",
                  "subject": {
                    "id": "<subject_1_ID>",
                    "type": "<subject_type>"
                  }
                },
                {
                  "roleId": "<role>",
                  "subject": {
                    "id": "<subject_2_ID>",
                    "type": "<subject_type>"
                  }
                },
                ...
                {
                  "roleId": "<role>",
                  "subject": {
                    "id": "<subject_N_ID>",
                    "type": "<subject_type>"
                  }
                }
              ]
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.greenplum.v1.ClusterService.SetAccessBindings
      ```

      Where:

      * `resource_id`: Cluster ID.
      * `accessBindings.roleId`: [Role](../security/index.md#roles-list), e.g., `managed-greenplum.editor`.
      * `accessBindings.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `accessBindings.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/grpc/Cluster/setAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.


{% endlist %}

## Revoking a role {#remove-access-binding}

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. To view a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-greenplum cluster list-access-bindings <cluster_name_or_ID>
      ```

  1. View the description of the CLI command for revoking a role for a cluster:

      ```bash
      yc managed-greenplum cluster remove-access-binding --help
      ```
  1. To revoke a role, run this command:

      ```bash
      yc managed-greenplum cluster remove-access-binding <cluster_name_or_ID> \
        --role <role> \
        --subject <subject_type>:<subject_ID>
      ```

      Where:

      * `--role`: [Role](../security/index.md#roles-list) being revoked, e.g., `managed-greenplum.editor`.
      * `--subject`: Type and ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to, in `<subject_type>:<subject_ID>` format.

          Here is an example:

          * `serviceAccount:aje6p030************`
          * `userAccount:aje8tj79************`
          * `system:allAuthenticatedUsers`

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

- Terraform {#tf}

  1. Open the current Terraform configuration file with the infrastructure plan.
  
      To learn how to create this file, see [Creating a cluster](cluster-create.md).

  1. Find the description of the resource with the role you want to revoke and delete this description:
    
      ```hcl
      resource "yandex_mdb_greenplum_cluster_iam_binding" "<local_resource_name>" {
        cluster_id = "<cluster_ID>"
        role       = "<role>"
        members    = ["<subject_type>:<subject_ID>"]
      }
      ```

  1. Make sure the configuration files are correct.

      1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
      1. Run this command:
      
         ```bash
         terraform validate
         ```
      
         Terraform will show any errors found in your configuration files.

  1. Confirm updating the resources.

      1. Run this command to view the planned changes:
      
         ```bash
         terraform plan
         ```
      
         If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
      
      1. If everything looks correct, apply the changes:
         1. Run this command:
      
            ```bash
            terraform apply
            ```
      
         1. Confirm updating the resources.
         1. Wait for the operation to complete.
      
      For more information, see [this Terraform provider guide](../../terraform/resources/mdb_greenplum_cluster_iam_binding.md).

  1. To view a list of roles assigned for the cluster, run this [CLI](../../cli/index.md) command:
    
      ```bash
      yc managed-greenplum cluster list-access-bindings <cluster_name_or_ID>
      ```

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.UpdateAccessBindings](../api-ref/Cluster/updateAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request PATCH \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-greenplum/v1/clusters/<cluster_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "REMOVE",
                      "access_binding": {
                        "role_id": "<role>",
                        "subject": {
                          "id": "<subject_ID>",
                          "type": "<subject_type>"
                        }
                      }
                    }
                  ]
                }'
      ```

      Where:

      * `access_binding_deltas.roleId`: [Role](../security/index.md#roles-list), e.g., `managed-greenplum.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.UpdateAccessBindings](../api-ref/grpc/Cluster/updateAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/greenplum/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "access_binding_deltas": [
                {
                  "action": "REMOVE",
                  "access_binding": {
                    "role_id": "<role>",
                    "subject": {
                      "id": "<subject_ID>",
                      "type": "<subject_type>"
                    }
                  }
                }
              ]
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.greenplum.v1.ClusterService.UpdateAccessBindings
      ```

      Where:

      * `resource_id`: Cluster ID.
      * `access_binding_deltas.roleId`: [Role](../security/index.md#roles-list), e.g., `managed-greenplum.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/grpc/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

{% endlist %}

## Examples {#examples}

### Granting cluster management access to a service account {#sa-cluster-control}

For a service account to be able to view the info of all Yandex MPP Analytics for PostgreSQL clusters in the folder but modify the resources in one particular cluster alone, give it the `managed-greenplum.viewer` role for the folder and the `managed-greenplum.editor` role for that cluster:

{% list tabs group=instructions %}

- CLI {#cli}

  1. Assign the role for the folder:

      ```bash
      yc resource-manager folder add-access-binding <folder_name_or_ID> \
        --role managed-greenplum.viewer \
        --subject=serviceAccount:<service_account_ID>
      ```

  1. Assign the roles for the cluster:

      ```bash
      yc managed-greenplum cluster add-access-bindings <cluster_name_or_ID> \
        --access-binding role=managed-greenplum.editor,subject=serviceAccount:<service_account_ID>
      ```

  1. Check the list of roles assigned for the cluster:

      ```bash
      yc managed-greenplum cluster list-access-bindings <cluster_name_or_ID>
      ```

- Terraform {#tf}

  1. Open the current Terraform configuration file with the infrastructure plan.

      To learn how to create this file, see [Creating a cluster](cluster-create.md).

  1. Add resource descriptions:

      ```hcl
      resource "yandex_resourcemanager_folder_iam_member" "mgp-viewer-account-iam" {
        folder_id   = "<folder_ID>"
        role        = "managed-greenplum.viewer"
        member      = "serviceAccount:<service_account_ID>"
      }

      resource "yandex_mdb_greenplum_cluster_iam_binding" "mgp-cluster-editor" {
        cluster_id = "<cluster_ID>"
        role       = "managed-greenplum.editor"
        members    = ["serviceAccount:<service_account_ID>"]
      }
      ```

  1. Make sure the configuration files are correct.

      1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
      1. Run this command:
      
         ```bash
         terraform validate
         ```
      
         Terraform will show any errors found in your configuration files.

  1. Confirm updating the resources.

      1. Run this command to view the planned changes:
      
         ```bash
         terraform plan
         ```
      
         If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
      
      1. If everything looks correct, apply the changes:
         1. Run this command:
      
            ```bash
            terraform apply
            ```
      
         1. Confirm updating the resources.
         1. Wait for the operation to complete.

  1. To view a list of roles assigned for the cluster, run this [CLI](../../cli/index.md) command:

      ```bash
      yc managed-greenplum cluster list-access-bindings <cluster_name_or_ID>
      ```

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Assign the role for the folder:

      ```bash
      curl \
        --request POST \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/<folder_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "ADD",
                      "access_binding": {
                        "role_id": "managed-greenplum.viewer",
                        "subject": {
                          "id": "<service_account_ID>",
                          "type": "serviceAccount"
                        }
                      }
                    }
                  ]
                }'
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Call the [Cluster.UpdateAccessBindings](../api-ref/Cluster/updateAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request PATCH \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-greenplum/v1/clusters/<cluster_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "ADD",
                      "access_binding": {
                        "role_id": "managed-greenplum.editor",
                        "subject": {
                          "id": "<service_account_ID>",
                          "type": "serviceAccount"
                        }
                      }
                    }
                  ]
                }'
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Check the list of roles assigned for the folder:

      ```bash
      curl \
        --request GET \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/<folder_ID>:updateAccessBindings'
      ```

  1. Check the list of roles assigned for the cluster:

      ```bash
      curl \
        --request GET \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-greenplum/v1/clusters/<cluster_ID>:listAccessBindings'
      ```

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Assign the role for the folder:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/resourcemanager/v1/folder_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "access_binding_deltas": [
                {
                  "action": "ADD",
                  "access_binding": {
                    "role_id": "managed-greenplum.viewer",
                    "subject": {
                      "id": "<service_account_ID>",
                      "type": "serviceAccount"
                    }
                  }
                }
              ]
            }' \
        resource-manager.api.cloud.yandex.net:443 \
        yandex.cloud.resourcemanager.v1.FolderService.UpdateAccessBindings
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Assign the role for the cluster:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/greenplum/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "access_binding_deltas": [
                {
                  "action": "ADD",
                  "access_binding": {
                    "role_id": "managed-greenplum.editor",
                    "subject": {
                      "id": "<service_account_ID>",
                      "type": "serviceAccount"
                    }
                  }
                }
              ]
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.greenplum.v1.ClusterService.UpdateAccessBindings
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Check the list of roles assigned for the folder:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/resourcemanager/v1/folder_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<folder_ID>"
            }' \
        resource-manager.api.cloud.yandex.net:443 \
        yandex.cloud.resourcemanager.v1.FolderService.ListAccessBindings
      ```

  1. Check the list of roles assigned for the cluster:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/greenplum/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>"
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.greenplum.v1.ClusterService.ListAccessBindings
      ```

{% endlist %}