Managing custom groups

In addition to default groups that come with your tenant when you sign up for Nebius AI Cloud, you can create and manage custom groups in the tenant and its projects for granular control over permissions. To manage group permissions, create access permits that assign roles for specific resources to the group.

Prerequisites

The prerequisites for this guide depend on the interface that you use.

Web console
CLI

Make sure you are in a group that has the admin role within your tenant; for example, the default admins group. You can check this in the Administration → IAM section of the web console.

Make sure you are in a group that has the admin role within your tenant; for example, the default admins group. You can check this in the Administration → IAM section of the web console.
Install and configure the Nebius AI Cloud CLI.
Install jq to extract IDs and tokens from JSON data returned by the Nebius AI Cloud CLI:
sudo apt-get install jq

Setting up custom groups

To create a group and set up its permissions, go through the following steps:

Web console
CLI

Create a group within your tenant or project:
1. In the sidebar, go to Administration → IAM.
2. Click Create entity and select Group.
3. In the window that opens, specify the group name and define its scope by selecting either your tenant or a specific project in the tenant.
4. Click Create to finish creating the group.
Create an access permit for the group:
1. Open the newly created group and switch to the Access permits tab.
2. Click Manage permits.
3. In the window that opens, select the resource that you want the group to have access to. The available resources depend on the scope of the group:
  - A group created in a tenant can have permits for the tenant, any projects and resources within it.
  - A group created in a project can only have permits for this project and resources within it.
4. Select roles to assign to the group. These roles define the permissions of the group members.
5. Click Save to apply your changes.
Add members to the group.

Create a group within your tenant or project:
```
nebius iam group create \
  --parent-id <tenant_or_project_ID> \
  --name <custom_group_name>
```
In the --parent-id parameter, you can specify either the ID of your tenant or the ID of the specific project.
- --parent-id: Tenant ID or Project ID.
From the output of this command, copy the group ID to use it in the next step.
Create an access permit for the group:
```
nebius iam access-permit create \
  --parent-id <group_ID> \
  --resource-id <resource_ID> \
  --role <auditor|viewer|editor|admin|dsr.admin|...>
```
In this command, change the following parameters:
- --parent-id: Group ID that you got on the previous step.
- --resource-id: Resource for which the permit is created. The available resources depend on the scope of the group:
  - A group created in a tenant can have permits for the tenant, any projects and resources within it.
  - A group created in a project can only have permits for this project and resources within it.
- --role: One of the roles that provide a set of permissions.

Examples

Project resources editors

In this example, you will create a group within a project that gives its members permissions to create, read, update or delete any resources in this project. However, the members of this group will not be able to manage groups and permissions. This set of permissions is provided by the editor role.Run the following command to create the group and an access permit, and save the group ID to an environment variable:

export PROJECT_EDITOR_GROUP_ID=$(nebius iam group create \
  --parent-id <project_ID> \
  --name my-project-editors \
  --format json \
  | jq -r ".metadata.id")

nebius iam access-permit create \
  --parent-id $PROJECT_EDITOR_GROUP_ID \
  --resource-id <project_ID> \
  --role editor

After the operation is completed, use the group ID in the PROJECT_EDITOR_GROUP_ID variable to add members to this group.

Granular permissions within a tenant

In this example, you will create a group within a tenant that gives its members permissions to view all resources in the tenant but only manage one specific MysteryBox secret. This set of permissions is provided by the viewer and editor roles for various resources.Run the following command to create the group and access permits, and save the group ID to an environment variable:

export SECRET_EDITOR_GROUP_ID=$(nebius iam group create \
  --parent-id <tenant_ID> \
  --name my-secret-editors \
  --format json \
  | jq -r ".metadata.id")

nebius iam access-permit create \
  --parent-id $SECRET_EDITOR_GROUP_ID \
  --resource-id <tenant_ID> \
  --role viewer

nebius iam access-permit create \
  --parent-id $SECRET_EDITOR_GROUP_ID \
  --resource-id <secret_ID> \
  --role editor

After the operation is completed, use the group ID in the SECRET_EDITOR_GROUP_ID variable to add members to this group.

Revoking role assignments

To revoke the role that you previously assigned to a group:

Web console
CLI

Remove the access permit that assigned this role:

In the sidebar, go to Administration → IAM.
Switch to the Groups tab and select the group you want to update.
On the group page, switch to the Access permits tab.
Click → Manage permits next to the name of the resource.
In the window that opens, deselect individual permits or click Delete permits to remove all access permits from the group.

Delete the access permit that grants this role:

nebius iam access-permit delete --id <access_permit_ID>

If you don’t know the ID of the access permit, you can list all access permits for a group and find the one you need. Run the following command:

nebius iam access-permit list --parent-id <group_ID>

Output example:

items:
  - metadata:
      created_at: "2025-05-14T11:28:31.685598Z"
      id: accesspermit-***
      parent_id: group-***
    spec:
      resource_id: tenant-***
      role: viewer

Nebius AI Cloud signup and payments

Identity and Access Management in Nebius AI Cloud

Overview of Nebius AI Cloud

Prerequisites

Setting up custom groups

Examples

Revoking role assignments

Nebius AI Cloud signup and payments

Identity and Access Management in Nebius AI Cloud

Overview of Nebius AI Cloud

​Prerequisites

​Setting up custom groups

​Examples

​Revoking role assignments

Prerequisites

Setting up custom groups

Examples

Revoking role assignments