
# Interaction between users and Yandex Cloud resources

All Yandex Cloud services are built on a common _resource and role model_. Its underlying entity is an _organization_, which combines different types of resources and users in a single workspace. You add and manage users at the organization level; see [Organization membership](../organization/concepts/membership.md) for more details.

![users-and-resources](../_assets/overview/users-resources.svg "Users and resources hierarchy")

## Yandex Cloud resources {#resources}

When using Yandex Cloud services, you create _resources_: [VMs](../compute/concepts/vm.md), managed database and [Kubernetes](../managed-kubernetes/concepts/index.md) clusters, [registries](../container-registry/concepts/registry.md), [secrets](../lockbox/concepts/secret.md), and more. Most services store the resources they create in [folders](../resource-manager/concepts/resources-hierarchy.md#folder). Folders belong to [clouds](../resource-manager/concepts/resources-hierarchy.md#cloud), and clouds belong to organizations.

In addition, organizations may have the following enabled: [Yandex DataSphere](https://datasphere.yandex.cloud), a [Yandex DataLens](https://datalens.ru/promo) instance, as well as [Yandex Tracker](https://tracker.yandex.com/), [Yandex Wiki](https://wiki.yandex.com/), [Yandex Forms](https://forms.yandex.com/cloud/admin), and [Yandex SpeechSense](https://speechsense.yandex.cloud/). Each of these services stores its resources on its own, yet can exchange information with other services within the same organization. Organizations do not interact with each other.

In the [Cloud Center interface](https://center.yandex.cloud), you can look up the clouds and services existing in your organization.

[Learn more about the resource hierarchy in Yandex Cloud](../resource-manager/concepts/resources-hierarchy.md).

## Users {#users}

Each Yandex Cloud user has an _account_ of their own used for identification when performing operations with resources. This can be either a [Yandex ID](https://yandex.ru/id/about) account, a federated account of an [identity federation](../organization/concepts/add-federation.md), or a local account from a [user pool](../organization/concepts/user-pools.md). In addition, there are service accounts: a special type of account your software can use to perform operations with Yandex Cloud resources. [Learn more about accounts](../iam/concepts/users/accounts.md).

Each user belongs to at least one organization. When logging in to Yandex Cloud with your Yandex ID for the first time, you will be prompted to register your own organization. After creating an organization, you can enable and disable Yandex Cloud services, create clouds, folders, and other resources.

You can [invite](../organization/operations/add-account.md) other members with Yandex accounts to your organization to grant them access to its services and resources. If your company already uses a different identity management system, e.g., [Active Directory](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview) or [Keycloak](https://www.keycloak.org/), you can [set up an identity federation](../organization/concepts/add-federation.md). This will allow company employees to use their corporate accounts to access Yandex Cloud services. In addition, you can [create a user pool](../organization/operations/user-pools/create-userpool.md) in your organization and, by adding a [domain](../organization/concepts/domains.md) to it, create [local user accounts](../iam/concepts/users/accounts.md#local) in the organization.

For bulk access management, you can [arrange](../organization/operations/add-member-group.md) users into [groups](../organization/operations/manage-groups.md).

For more information about managing users and user groups, see [Yandex Identity Hub guides](../organization/operations/index.md#manage-users).

## Access management {#access}

Access to Yandex Cloud resources is managed through [roles](../iam/concepts/access-control/roles.md) and [access policies](../iam/concepts/access-control/access-policies.md). For an account (_subject_) to be able to perform an action with a resource (_object_), the account, or a group the account belongs to, must [get](../organization/operations/add-role.md) the relevant roles for that resource, and the action itself must not be prohibited by access policies. In essence, each role is a list of operations permitted on an object. Permissions to access Yandex Cloud resources are managed by [Yandex Identity and Access Management](../iam/concepts/index.md).
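
The decision rule above can be sketched as a small model. This is an added example, not Yandex Cloud code: the role names, operation names, account identifiers, and the `Resource` structure are all constructed for illustration, and it checks only bindings on the resource itself, with an access policy reduced to a set of prohibited operations.

```python
from dataclasses import dataclass, field

# Constructed role definitions: each role is a list of permitted operations.
# Names are illustrative and are not taken from the Yandex Cloud role catalogue.
ROLES = {
    "vm-viewer": {"vm.get", "vm.list"},
    "vm-operator": {"vm.get", "vm.list", "vm.start", "vm.stop"},
}

@dataclass
class Resource:
    name: str
    bindings: dict = field(default_factory=dict)  # account or group -> set of role names
    prohibited: set = field(default_factory=set)  # operations denied by access policies

def subjects_for(account, groups):
    """The account itself plus every group it is a member of."""
    return {account} | {g for g, members in groups.items() if account in members}

def check_access(account, operation, resource, groups):
    """Return (allowed, reason) for one account, operation and resource."""
    # A prohibition in an access policy wins over any role grant.
    if operation in resource.prohibited:
        return False, "prohibited by access policy"
    # Otherwise a role held directly or through a group must permit the operation.
    for subject in sorted(subjects_for(account, groups)):
        for role in sorted(resource.bindings.get(subject, ())):
            if operation in ROLES.get(role, ()):
                return True, f"role {role} via {subject}"
    return False, "no role permits this operation"

# Constructed sample data: one group, one VM, one policy prohibition.
GROUPS = {"group:ops": {"user:alice", "sa:deployer"}}
VM = Resource(
    name="vm-1",
    bindings={"group:ops": {"vm-operator"}, "user:bob": {"vm-viewer"}},
    prohibited={"vm.stop"},
)

if __name__ == "__main__":
    for acct, op in [("user:alice", "vm.start"), ("user:alice", "vm.stop"),
                     ("user:bob", "vm.start"), ("user:carol", "vm.get")]:
        print(acct, op, check_access(acct, op, VM, GROUPS))
```

The `reason` string is what makes the model useful for access reviews: it shows whether a grant comes from a direct binding or from group membership, and that a policy prohibition blocks an operation even when a role lists it.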

To authenticate users, Yandex Cloud services request [credentials](../iam/concepts/authorization/index.md). The type of data requested depends on the account type, the service, and the request interface. When using the [API](api.md), the [folder ID](../resource-manager/operations/folder/get-id.md) is also required to uniquely identify the resource and verify the permissions. If actions are performed on behalf of a service account, the ID of its folder is used by default.