API Gateway permissions management

Available in Classic and VPC

By using Sub Account, NAVER Cloud Platform's account management service, you can set various access permissions for API Gateway. Sub Account provides system managed policies and user created policies for setting management and administration permissions.

Note

Sub Account is a service provided free of charge upon subscription request. For more information on Sub Account, see Services > Management & Governance > Sub Account on the NAVER Cloud Platform portal, as well as the Sub Account user guide.

System-managed policies

System-managed policies are role-based policies defined by NAVER Cloud Platform for user convenience. Once system managed policies are granted to a sub account created in Sub Account, that sub account can use API Gateway. The following is a brief description about system managed policies of API Gateway.

Policy name	Policy description
NCP_ADMINISTRATOR	Full access to all services with the same scope as the main account
NCP_INFRA_MANAGER	Permission to access all services, except the My Account > Billing information and cost management > Billing and payment management menu in the console, which is restricted.
NCP_FINANCE_MANAGER	Permission to access only the Cost Explorer service and the My Account > Billing information and cost management > Billing and payment management menu in the console.
NCP_API_GATEWAY_MANAGER	Permission to use the full API Gateway feature sets
NCP_API_GATEWAY_VIEWER	Permission to only use the View list and Search features in API Gateway

User-defined policies

User-defined policies are policies that users may create. Once the user-defined policies are granted to a sub account created in Sub Account, that sub account can only use the user-assigned action combinations. The following is a brief description about use created policies of API Gateway.

Type	Action name	Related action	Resource type	Group by resource type	Action description
View	View/getAPIDetail	View/getProductDetail View/getProductList View/getAPIList	API	API	View API details
View	View/getAPIKeyDetail	View/getAPIKeyList	APIKey	APIKey	View APIKey details
View	View/getAPIKeyList	-	-	APIKey	View APIKey list
View	View/getAPIList	View/getProductDetail View/getProductList	-	API	View API list
View	View/getAuthorizerDetail	View/getAuthorizerList	Authorizer	Authorizer	View Authorizer details
View	View/getAuthorizerList	-	-	Authorizer	View Authorizer list
View	View/getCertificateDetail	View/getCertificateList	Certificate	Certificate	View Certificate details
View	View/getCertificateList	-	-	Certificate	View Certificate list
View	View/getProductDetail	View/getProductList	Product	Product	View Product details
View	View/getProductList	-	-	Product	View Product details
View	View/getUsagePlanDetail	View/getUsagePlanList	UsagePlan	UsagePlan	View UsagePlan details
View	View/getUsagePlanList	-	-	UsagePlan	View UsagePlan list
Change	Change/createAPI	View/getProductDetail View/getProductList View/getAPIList	-	API	Create API
Change	Change/createAPIKey	View/getAPIKeyList	-	APIKey	Create APIKey
Change	Change/createAuthorizer	View/getAuthorizerList	-	Authorizer	Create Authorizer
Change	Change/createCertificate	View/getCertificateList	-	Certificate	Create Certificate
Change	Change/createProduct	View/getProductList	-	Product	Create Product
Change	Change/createUsagePlan	View/getUsagePlanList	-	UsagePlan	Create UsagePlan
Change	Change/deleteAPI	View/getProductDetail View/getAPIDetail View/getProductList View/getAPIList	API	API	Delete API
Change	Change/deleteAPIKey	View/getAPIKeyList View/getAPIKeyDetail	APIKey	APIKey	Delete APIKey
Change	Change/deleteAuthorizer	View/getAuthorizerDetail View/getAuthorizerList	Authorizer	Authorizer	Delete Authorizer
Change	Change/deleteCertificate	View/getCertificateList View/getCertificateDetail	Certificate	Certificate	Delete Certificate
Change	Change/deleteProduct	View/getProductDetail View/getProductList	Product	Product	Delete Product
Change	Change/deleteUsagePlan	View/getUsagePlanList View/getUsagePlanDetail	UsagePlan	UsagePlan	Delete UsagePlan
Change	Change/subscribeProduct	-	-	-	Subscribe API Gateway
Change	Change/updateAPI	View/getProductDetail View/getAPIDetail View/getProductList View/getAPIList View/getUsagePlanDetail	API	API	Update API
Change	Change/updateAPIKey	View/getAPIKeyList View/getAPIKeyDetail	APIKey	APIKey	Update APIKey
Change	Change/updateAuthorizer	View/getAuthorizerDetail View/getAuthorizerList	Authorizer	Authorizer	Update Authorizer
Change	Change/updateCertificate	View/getCertificateList View/getCertificateDetail	Certificate	Certificate	Update Certificate
Change	Change/updateProduct	View/getProductDetail View/getProductList	Product	Product	Update Product
Change	Change/updateUsagePlan	View/getUsagePlanList View/getUsagePlanDetail	UsagePlan	UsagePlan	Update UsagePlan
Execute	Execute/GET		API	API	Execute GET method API
Execute	Execute/POST		API	API	Execute POST method API
Execute	Execute/PUT		API	API	Execute PUT method API
Execute	Execute/DELETE		API	API	Execute DELETE method API
Execute	Execute/PATCH		API	API	Execute PATCH method API
Execute	Execute/OPTIONS		API	API	Execute OPTIONS method API
Execute	Execute/HEAD		API	API	Execute HEAD method API

Caution

Even when you are granted permission for a specific action, if you are not also granted permissions for the related actions that are required, you will not be able to perform tasks properly. To prevent such issues, Sub Account provides a feature that automatically grants permissions for related actions when granting action permissions. However, if you deselect related actions that are automatically granted, then the system determines that it was done intentionally by the main account user and will not forcibly include them. Therefore, use caution when setting permissions.