Revoking a role for a resource

You can prevent a subject from accessing a resource. To do this, revoke the subject's roles for that resource or the resources that the access rights are inherited from. For more information, see How access management works in Nebius Israel.

Management console

CLI

API

In the management console, select the folder where you wish to revoke a role for a resource.
In the list of services, select Container Registry.
Revoke a role for the resource.
- Revoking a role for a registry:
  1. To the right of the desired registry name, click and select Configure ACL.
  2. In the window that opens, expand the drop-down list in the row with the name of the user whose permissions you want to revoke.
  3. Deselect the role that you want to revoke.
    
    To revoke all the user's permissions, click Revoke.
  4. Click Save.
- Revoking a role for a repository:
  1. Select the desired registry.
  2. To the right of the repository name, click and select Configure ACL.
  3. In the window that opens, expand the drop-down list in the row with the name of the user whose permissions you want to revoke.
  4. Deselect the role that you want to revoke.
    
    To revoke all the user's permissions, click Revoke.
  5. Click Save.

If you don't have the Nebius Israel command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

View assigned roles:

yc <service name> <resource> list-access-bindings <resource name>|<resource ID>

Where:

<service name>: Name of a container service.
<resource>: Category of the resource (registry or repository).
<resource name>: Name of the resource that the role is assigned for. You can specify a resource by its name or ID.
<resource id>: ID of the resource that the role is assigned for.

Example. View the roles for the registry with the ID crp0pmf1n68dh715tf02:

yc container registry list-access-bindings crp0pmf1n68dh715tf02

Result:

+--------------------------+------------------+----------------------+
|         ROLE ID          |   SUBJECT TYPE   |      SUBJECT ID      |
+--------------------------+------------------+----------------------+
| container-registry.admin | federatedAccount | kolhpriseeioo9dc3v24 |
+--------------------------+------------------+----------------------+

Revoke the role:
```
yc <service name> <resource> remove-access-binding <resource name>|<resource ID> \
  --role <role ID> \
  --subject federatedAccount:<user ID>
```
Where:
- <service name>: Name of a container service.
- <resource>: Category of the resource (registry or repository).
- <resource name>: Name of the resource the role is revoked for. You can specify a resource by its name or ID.
- <resource id>: ID of the resource the role is revoked for.
- <role id>: ID of the role.
- <user id>: ID of the group, user, or service account that the role is revoked from.
Example. Revoke the role container-registry.admin for the registry with the ID crp0pmf1n68dh715tf02 from the user with the ID kolhpriseeioo9dc3v24:
```
yc container registry remove-access-binding crp0pmf1n68dh715tf02 \
 --role container-registry.admin \
 --subject federatedAccount:kolhpriseeioo9dc3v24
```

Use the method listAccessBindings to view the roles assigned for the resources registry and repository.

Use the method updateAccessBindings to revoke the role for the resources registry and repository.

Read more about role management in the Identity and Access Management documentation.