[Yandex Cloud documentation](../../index.md) > [Yandex Identity Hub](../index.md) > [Step-by-step guides](index.md) > Managing organizations > Managing access policies

# Organization access policy management

{% note info %}

This feature is in the [Preview](../../overview/concepts/launch-stages.md) stage. To get access, contact [tech support](https://center.yandex.cloud/support) or your account manager.

{% endnote %}

[Access policies](../../iam/concepts/access-control/access-policies.md) are a Yandex Identity and Access Management mechanism that allows you to manage permissions for specific operations with [Yandex Cloud resources](../../overview/roles-and-resources.md). Access policies are based on [templates](../../iam/concepts/access-control/access-policies.md#supported-policies) and complement the [role](../../iam/concepts/access-control/roles.md) system for more flexible [access management](../../iam/concepts/access-control/index.md).

An [organization's](../concepts/organization.md) access policies can be managed by a user with the [`organization-manager.admin`](../security/index.md#organization-manager-admin) or [`admin`](../../iam/roles-reference.md#admin) role.

## Creating an access policy for an organization {#assign}

To create an access policy for an [organization](../concepts/organization.md) based on a [template without parameters](../../iam/concepts/access-control/access-policies.md#fixed):

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  1. [Get](../../iam/operations/access-policies/list.md) a list of supported access policy templates with their IDs.
  1. Run this command:

      ```bash
      yc organization-manager organization bind-access-policy \
        --name <organization_name> \
        --access-policy-template-id=<policy_template_ID>
      ```

      Where:

      * `--name`: Name of the organization you want to create a policy for. Instead of the organization name, you can provide its [ID](organization-get-id.md) in the `--id` parameter.
      * `--access-policy-template-id`: ID of the template you want to use as the basis for the new access policy for the organization.
  1. [Make sure](manage-access-policies.md#view-assigned) the policy was created.

- API {#api}

  Use the [bindAccessPolicy](../api-ref/Organization/bindAccessPolicy.md) REST API method for the [Organization](../api-ref/Organization/index.md) resource or the [OrganizationService/BindAccessPolicy](../api-ref/grpc/Organization/bindAccessPolicy.md) gRPC API call.

{% endlist %}

The new access policy will apply to resources within all clouds in the specified organization.

## Viewing the list of your organization's access policies {#view-assigned}

To view the list of [organization](../concepts/organization.md) access policies:

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  Run the command, specifying the name or [ID](organization-get-id.md) of the organization for which you want to view the created policies:

  ```bash
  yc organization-manager organization list-access-policy-bindings <organization_name_or_ID>
  ```

  Result:

  ```
  +------------------------------+
  |  ACCESS POLICY TEMPLATE ID   |
  +------------------------------+
  | organization.denyUserListing |
  +------------------------------+
  ```

- API {#api}

  Use the [listAccessPolicyBindings](../api-ref/Organization/listAccessPolicyBindings.md) REST API method for the [Organization](../api-ref/Organization/index.md) resource or the [OrganizationService/ListAccessPolicyBindings](../api-ref/grpc/Organization/listAccessPolicyBindings.md) gRPC API call.

{% endlist %}

## Deleting an access policy created for an organization {#revoke}

To delete an access policy created for an [organization](../concepts/organization.md), follow these steps:

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  1. [Get](manage-access-policies.md#view-assigned) a list of IDs of access policy templates assigned for the organization.
  1. Run this command:

      ```bash
      yc organization-manager organization unbind-access-policy \
        --name <organization_name> \
        --access-policy-template-id=<policy_template_ID>
      ```

      Where:

      * `--name`: Name of the organization to delete the policy for. Instead of the organization name, you can provide its [ID](organization-get-id.md) in the `--id` parameter.
      * `--access-policy-template-id`: ID of the access policy template you want to delete from the specified organization.
  1. [Make sure](manage-access-policies.md#view-assigned) the policy was deleted.

- API {#api}

  Use the [unbindAccessPolicy](../api-ref/Organization/unbindAccessPolicy.md) REST API method for the [Organization](../api-ref/Organization/index.md) resource or the [OrganizationService/UnbindAccessPolicy](../api-ref/grpc/Organization/unbindAccessPolicy.md) gRPC API call.

{% endlist %}

The access policy will no longer apply to resources within all clouds in the specified organization.

#### Useful links {#see-also}

* [Access policies](../../iam/concepts/access-control/access-policies.md)