[Yandex Cloud documentation](../../index.md) > [Yandex Identity Hub](../index.md) > [Step-by-step guides](index.md) > Access management > Viewing a list of a subject's accesses

# Viewing a list of a subject's accesses

You can have a centralized view of the full list of access permissions for the organization's [resources](../../iam/concepts/access-control/resources-with-access-control.md) held by individual [subjects](../../iam/concepts/access-control/index.md#subject) and groups. This can be done either via [Yandex Security Deck](https://center.yandex.cloud/security/)'s [CIEM module](../../security-deck/concepts/ciem.md) or the [Yandex Cloud CLI](../../cli/index.md).

 [Only organization members](../concepts/membership.md) who have the `organization-manager.viewer` [role](../security/index.md#organization-manager-viewer) or higher for the organization can view access permissions in the Security Deck interface.

Access diagnostics via the Yandex Cloud CLI is available from release 0.171 onward.

To get a list of a subject's accesses to the organization's resources:

{% list tabs group=instructions %}

- Security Deck UI {#cloud-sd}

  1. [Log in](https://passport.yandex.com/auth) as an organization user with the `organization-manager.viewer` [role](../security/index.md#organization-manager-viewer) or higher for the organization.
  1. Go to [Yandex Security Deck](https://center.yandex.cloud/security/).
  1. In the left-hand panel, select ![person-gear](../../_assets/console-icons/person-gear.svg) **CIEM**.
  1. Click ![person-plus](../../_assets/console-icons/person-plus.svg) **Select subject** and in the window that opens:
  
      1. Select the [user](../../overview/roles-and-resources.md#users), [service account](../../iam/concepts/users/accounts.md#sa), [user group](../concepts/groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md) you need.

          Use search, if required.
      1. Click **Select**.
  
  This will open a list of accesses assigned to the selected subject. For each access, the list indicates the resource name/ID and type, [role](../../iam/concepts/access-control/roles.md) assigned to the subject for that resource, and information about whether the role was assigned to the subject directly or inherited from a group to which the subject belongs.
  
  If the selected subject has multiple accesses, only some of them will be displayed. To display the remaining access permissions, click **Load more** at the bottom of the page.
  
  Use filtering by resource ID, role ID, or access assignment method (`Directly appointed` or `Assigned via group`) as needed.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command to get a list of subject’s accesses:

     ```bash
     yc iam access-analyzer list-subject-access-bindings --help
     ```

  1. Get the ID of a [user](users-get.md), [service account](../../iam/operations/sa/get-id.md), or [user group](group-get-id.md) to view their list of accesses.

  1. Use the `yc iam access-analyzer list-subject-access-bindings` command to get a list of subject’s accesses:

     ```bash
     yc iam access-analyzer list-subject-access-bindings \
        --organization-id=<organization_ID> \
        --subject-id=<subject_ID>
     ```

     Where:

     * `--organization-id`: [Organization ID](organization-get-id.md).
     * `--subject-id`: ID of a [subject](../../iam/concepts/access-control/index.md#subject), i.e., a [user](../../overview/roles-and-resources.md#users), [service account](../../iam/concepts/users/accounts.md#sa), [user group](../concepts/groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md).

     Result:

     ```text
     +---------+-------------------------+----------------------+----------+
     | ROLE ID |      RESOURCE TYPE      |     RESOURCE ID      | GROUP ID |
     +---------+-------------------------+----------------------+----------+
     | admin   | resource-manager.cloud  | b1g2c5615qja******** |          |
     | admin   | resource-manager.folder | b1gq979gqitb******** |          |
     +---------+-------------------------+----------------------+----------+
     ```
  
     You will get the list of accesses as a table. For each access, the list indicates a role assigned to the subject for a resource as well as the resource type and ID. If the subject has not been assigned any role directly, but has inherited it from a group, the list will indicate the group ID.

{% endlist %}


#### See also {#see-also}

* [Cloud Infrastructure Entitlement Management (CIEM)](../../security-deck/concepts/ciem.md)
* [Common Yandex Security Deck roles](../../security-deck/security/index.md)